riverty logo

Docs
Get Started Login

Strong Customer Authentication (SCA)

Strong Customer Authentication (also known as SCA) fulfills a set of regulatory requirements, designed to reduce fraud, making online payments more secure while establishing trust with consumers. SCA adds an extra layer of security by using a third party like a bank to verify the end-customer prior or during an online payment. Riverty currently offers this functionality in Sweden, Norway, Denmark, Finland, Germany, Austria, Switzerland and the Netherlands.

Practical Use

SCA is used for risk handling (consumer ratings and fraud risk). For Norway and Sweden SCA is almost always mandatory as it is a key element of fraud prevention and it is a known process for online shoppers. In Sweden SCA is used by 98% of the population between 18-67 years of age.

Country Specifics

Country Sweden Norway Finland Denmark Netherlands Germany and Austria
Name of eID method BankID (SE) BankID (NO) FTN (Finnish Trust Network) MitID (replaces NemID) iDIN One Time Password (SMS/Email)
Required field(s) Identification number Identification number Identification number Identification number Date of birth, first name, last name Phone Number, Email Address
Country specific restrictions Only for customers using the following banks: ABN AMRO, ASN Bank, Bunq, ING, Rabobank, RegioBank, SNS. More info: https://www.idin.nl/en/can-i-use-idin/
To trigger on test environment First item description has to be SCAHigh First item description has to be SCAHigh First item description has to be SCAHigh First item description has to be SCAHigh First item description has to be SCAHigh

The last name has to be Vries and date of birth has to be 1975-07-25		 First item description has to be:

For SMS:
OTP_REQUIRED_SMS
For Email:
OTP_REQUIRED_EMAIL
For both SMS or Email:
OTP_REQUIRED_SMS_OR_EMAIL
For Date of Birth:
OTP_REQUIRED_DoB
For SMS and Date of Birth:
OTP_REQUIRED_SMS_AND_DoB
For Email and Date of Birth:
OTP_REQUIRED_EMAIL_AND_DoB

Strong Customer Authentication (SCA) and for fraud prevention

SCA offers your customers an easy and convenient way to verify their identity and access Riverty’spayment methods.

By implementing SCA, we prioritize customer interests, ensuring protection against non-compliant practices.

iDIN flow_redirect2.png

Implementation

The SCA and OTP implementation use the Redirect Flow which requires the end-customer to be redirected to the secure login URL that was provided by Riverty API during the Authorize Payment or Verify request. The end-customer will be presented with a page with further instructions. After the verification process is completed the end-customer is redirected back to merchant’s web page.

Riverty will decide for which orders and customers SCA or OTP will be triggered. This decision is based on a number of parameters, such as order amount, shipping address and other fraud and risk related variables.

RedirectFlow.png

  1. The customer selects Riverty at the merchant's checkout and clicks ‘Pay’ to finalize the purchase.
  2. The merchant sends an authorization request to the Riverty API with customer and order details, including the 'merchantUrl' where the customer will be redirected after completing or canceling the Strong Customer Authentication (SCA or OTP) process.
  3. Based on the merchant's configuration, the Riverty API determines if SCA or OTP is required. If SCA or OTP is needed, the API responds with "outcome": "Pending".
  4. The authorize payment response contains a “secureLoginUrl”
  5. The merchant redirects the customer to the “secureLoginUrl”
  6. The customer completes identity verification using their country-specific eID method.
  7. After successful authentication, Riverty redirects the customer to the merchant's return URL provided in step 2.
  8. Upon the customer’s return, the merchant must make a GetOrder request to the Riverty API to check the order status:
    • If the order is accepted, the purchase is finalized.
    • If the order is canceled, expired, or pending, the purchase is not finalized. A pending order will time out after 15 minutes, requiring the customer to try again with a new order number.

Timing of the GetOrder Request:

  • Trigger the GetOrder request as soon as the customer is redirected to the merchant's return URL.
  • If the customer hasn't returned within one minute, initiate the GetOrder request automatically.
  • While the order status is "Pending", continue sending GetOrder requests at 30-second intervals.
  • Stop sending requests after 15 minutes, as the order status will automatically change to "Expired" at that point.

Mobile APP & IOS compatibility

When initiating the SCA process within a mobile app, it is crucial to open the Secure Login URL in the native or system browser. If the SCA flow is opened via a WebView integration, particularly on iOS devices, users may encounter difficulties when attempting to return to the merchant URL to complete the process.

Do you find this page helpful?