
I don’t believe SCA is enforced by the bank. It’s voluntary by the merchant. It acts as a liability shift but won’t save you from someone not caring about it and emptying your account (temporarily, until the chargeback goes through). I don’t think any bank offers an option of “allow SCA-only transactions” and I don’t think it would even be possible (I’m not sure there is any token/session identifier to tie the SCA request to the actual subsequent transaction).

When adding a card to a taxi app for example I get SCA prompt for a zero amount, but then they can charge me for any amount without subsequent SCA flows.

Presumably those subsequent transactions wouldn’t have a liability shift to the issuer but it still means that they can at least temporarily steal all your money until your chargeback claim goes through.

The whole concept of “card number” is rotten. What’s needed is an OAuth2-type system where every payment needs to redirect to the bank (an actual redirect, not a stupid hacky iframe like SCA/3DSecure is) and where you can see the merchant and set the max amount (and whether one-off or recurring), and the bank records that and keeps a list of authorized merchants so you can revoke them at any time. The merchant then must use this token to pull money, and can't pull more than what the token allows, just like your usual OAuth2 scopes.



This is not right at all (it's mandatory for all banks and merchants in the EEA), although you're correct that SCA still has loopholes (like a US merchant... just trying, although a bank could just mandate 3DS to solve that).


How do you explain the example I gave where the taxi app only has to SCA me once and not upon every transaction? This is in the EU.

What I suspect is that the "mandatory" bit is by law (and the law has flexibility, which covers this taxi app scenario) but there is no technical solution to make it mandatory, thus a non-compliant merchant can still drain your account until your chargeback claim goes through.


You're right that it's not fully enforced technically. It's complicated, and I don't think that's really solvable by technology (given that this scenario is roughly equivalent to direct debiting). Banks can validate whether a particular merchant has already been used by a customer and block them from debiting your account, but since SCA has exceptions for recurring debiting, this is not really enforceable once the customer has authorized the merchant for any debiting.


Of course it's enforceable technically. Any exemption is up to the issuer.

https://www.checkout.com/blog/exemptions-to-sca

> If you attempt an exemption and the bank returns a decline code indicating that the payment failed due to missing authentication, you’ll have to reattempt the payment with your customer but this time utilizing SCA.
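The two models being argued over in this thread, as an added example that is not code from any commenter, bank or card scheme: a bank-side registry of the OAuth2-style grants proposed earlier (merchant-scoped, amount-capped, one-off or recurring, revocable, and enforced when the merchant pulls), next to the issuer-side decision quoted just above, where an exemption claim on a plain card number is honoured only for a merchant this customer has already authenticated with and is otherwise soft-declined so the merchant has to retry with SCA. The class and method names, outcome strings and the "previously authenticated merchant" rule are all assumptions made for the illustration.

```python
# Added example, not from the thread or from any real bank or scheme.
# Models (1) the OAuth2-style payment grant proposed in the thread and
# (2) an issuer deciding whether to honour an SCA exemption claim on a
# plain card number. Names, outcome strings and policy are assumptions.
from dataclasses import dataclass
from decimal import Decimal
from secrets import token_urlsafe
from typing import Dict, List, Set


@dataclass
class Grant:
    merchant: str         # who may pull; shown to the customer at authorization
    max_amount: Decimal   # per-pull cap chosen by the customer
    recurring: bool       # False = one pull only, then the grant is spent
    revoked: bool = False
    used: bool = False


class Bank:
    def __init__(self) -> None:
        self.grants: Dict[str, Grant] = {}        # token -> grant
        self.trusted_merchants: Set[str] = set()  # merchants the customer completed SCA with

    # Grant model: the customer is redirected to the bank, sees the merchant,
    # the cap and one-off/recurring, and approves. The bank records the grant
    # and the merchant receives an opaque token bound to that grant.
    def authorize(self, merchant: str, max_amount: str, recurring: bool) -> str:
        token = token_urlsafe(32)
        self.grants[token] = Grant(merchant, Decimal(max_amount), recurring)
        return token

    # The customer can see and revoke every live grant at any time.
    def list_grants(self) -> List[Grant]:
        return [g for g in self.grants.values() if not g.revoked]

    def revoke(self, token: str) -> None:
        self.grants[token].revoked = True

    # The merchant pulls with the token; the bank enforces the scope, so the
    # merchant cannot exceed what the customer agreed to (like OAuth2 scopes).
    def pull(self, token: str, merchant: str, amount: str) -> str:
        grant = self.grants.get(token)
        if grant is None:
            return "DECLINED_UNKNOWN_TOKEN"
        if grant.revoked:
            return "DECLINED_REVOKED"
        if grant.merchant != merchant:
            return "DECLINED_WRONG_MERCHANT"
        if Decimal(amount) > grant.max_amount:
            return "DECLINED_OVER_LIMIT"
        if not grant.recurring and grant.used:
            return "DECLINED_ONE_OFF_ALREADY_USED"
        grant.used = True
        return "APPROVED"

    # Card-number model (today): the merchant decides whether to run SCA or
    # to claim an exemption; the issuer decides whether to accept the claim.
    # Note there is no amount cap on this path once a merchant is trusted;
    # that is the gap the grant model above closes.
    def charge_card(self, merchant: str, amount: str,
                    exemption_claimed: bool, sca_completed: bool) -> str:
        if sca_completed:
            self.trusted_merchants.add(merchant)   # e.g. the zero-amount SCA when adding a card
            return "APPROVED"
        if exemption_claimed and merchant in self.trusted_merchants:
            return "APPROVED_EXEMPT"               # recurring / merchant-initiated style exemption
        return "SOFT_DECLINE_SCA_REQUIRED"         # merchant must retry the payment with SCA
```

In `charge_card` the only thing the issuer can hold against a merchant is whether this customer has authenticated with it before, which is why the exemption path has no amount check; in `pull` the cap, the merchant binding and the one-off flag are all enforced at the bank, and revocation takes effect on the next pull rather than depending on the merchant's cooperation.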



