Strong Customer Authentication Guide

Strong Customer Authentication (SCA) is a European regulatory requirement under the Second Payment Services Directive (PSD2) which enhances payment security and protects cardholders from fraud.  The SCA security process applies to electronic payments, including in-person payments and e-commerce online purchases, within the European Economic Area (EEA).  Payment transactions without SCA verification will be declined unless the transaction qualifies for an exemption.  This process applies to all Bank of America branded Commercial Cards issued in Europe.

Electronic payments require that the cardholder verify their identity using elements that fulfil SCA requirements.

  • For in-person payments:  The cardholder completes the verification by inserting the card into the merchant’s POS terminal and entering their PIN. 
  • For e-commerce online purchases:  The cardholder completes the verification process using one of the methods illustrated below. 

Note: Verification processes may differ by Card Issuer. This guide outlines the process used by Bank of America.

1. Strong Customer Authentication via the Global Card Access app (recommended)¹

2. Strong Customer Authentication via merchant website

¹ Cardholders without the Global Card Access app can complete authentication at checkout on the merchant website.

² Cardholders must have the Global Card Access app installed. Upon logging in to the app, EMEA commercial cards will be auto-enabled for the SCA app notification and verification process.

Please note that not all online purchases will require SCA:

  • When the booking is made via the online booking tool provided by the Travel Management Company (TMC), SCA is generally not required, as the booking process is completed via Global Distribution Systems (GDS) and not directly via the merchant’s website.
  • There are a number of exemptions for SCA based on the nature and risk of the transaction; for example, lodge cards and virtual cards fall under the secure corporate payment exemption. Please refer to the Frequently Asked Questions for further details.

Option 1 (recommended): Strong Customer Authentication via Global Card Access app

Cardholders with the Global Card Access app can complete payment verification using biometrics or a password, making the SCA process faster and easier.

This process is applicable for cardholders with the Global Card Access app installed on their mobile phone.

During e-commerce checkout, the cardholder will be asked to enter the card credentials and to confirm the payment on the merchant’s website. This will trigger a push notification to appear on the cardholder’s mobile phone.

Note: If the push notification does not appear, please launch the Global Card Access app.

Clicking the push notification launches the Global Card Access app. The cardholder will be prompted to sign in using biometrics or a password.

Upon sign-in, the payment details will be shown. The cardholder can review the payment details and click Approve or Decline.

This completes the SCA verification. The cardholder will need to return to the merchant’s website to confirm the payment is successful.

New Trusted Beneficiary Feature

After completing payment verification, cardholders will be given the option to add that business to the Trusted Merchant List. By trusting a merchant, cardholders can complete future online purchases from the same merchant without the need to go through Strong Customer Authentication³. This creates a seamless payment experience when paying familiar businesses. In addition, cardholders can review and remove businesses that have previously been added to the Trusted Merchant List.

³ Merchants in the Trusted Merchant List are less likely to require Strong Customer Authentication; however, for security purposes, Bank of America may still request payment verification from time to time.

Option 2: Strong Customer Authentication via merchant website

Cardholders without the Global Card Access app can complete payment verification following the 3D Secure process on the merchant’s website.

During the checkout process, where payment verification is required, cardholders will be asked to provide their one-time passcode and answer their BofA Global Card Access security question. Cardholders will need to answer both correctly to complete the payment. This process is completed directly on the merchant’s website.

One-time passcode (OTP) validation

The OTP is a 6-digit numeric code unique to that online purchase. It is sent via SMS or email to the cardholder’s registered mobile phone number or email address. Each OTP is valid for 10 minutes, and cardholders can request a new OTP if the old one has expired.

BofA Global Card Access security question validation

When cardholders register their cards on Global Card Access, they are asked to answer three security questions. Cardholders can log in to Global Card Access to view or update their security question.

New Trusted Beneficiary Feature

After completing payment verification, cardholders will be given the option to add that business to the Trusted Merchant List. By trusting a merchant, cardholders can complete future online purchases from the same merchant without the need to go through Strong Customer Authentication³. This creates a seamless payment experience when paying familiar businesses. In addition, cardholders can review and remove businesses that have previously been added to the Trusted Merchant List.

³ Merchants in the Trusted Merchant List are less likely to require Strong Customer Authentication; however, for security purposes, Bank of America may still request payment verification from time to time.

Frequently Asked Questions