
Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a regulatory requirement under the Payment Services Regulations 2017 in the UK and PSD2 in the EEA. It is designed to verify your identity in order to provide protection against fraud.

The regulation requires SCA when you make a payment or access your account. You will need to verify your identity using at least two of the following three factors:

  • Something you know (e.g. a password, PIN, or security question)

  • Something you possess (e.g. a mobile phone, hardware token, or a smart card)

  • Something you are (e.g. fingerprint, facial recognition, or other biometric data)

When you make a payment through our dashboard

If you make a payment from the dashboard, you will receive an SMS with an authentication code that is dynamically linked to the details of the payment amount and payee, making it difficult for the code to be manipulated or used for another payment.

1. You first log in with your password (something you know).

2. You will be able to create the payment by inputting the amount and recipient.

3. After reviewing your payment details, you'll be asked to enter a code sent to your phone (something you have).

Important Points to Keep in Mind

  1. Make sure SMS 2FA is enabled: You need to have SMS-based 2FA turned on for your account. If it isn’t, we can’t send you the code and the payment won’t go through.

  2. Approve within 5 minutes: After you initiate a payment, you have 5 minutes to enter the authentication code. If you do not provide a valid code in time, the payment will be canceled. You have 5 attempts to authenticate the payment. If you make 5 failed attempts, your account will be blocked from making outbound payments or withdrawals for 15 minutes.

  3. Resend the authentication code: You can request to resend the authentication code up to two times. But if you still don’t approve the payment after the retries, it will be canceled after 5 minutes.
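The points above describe a code that is dynamically linked to the amount and payee, must be entered within 5 minutes, and allows 5 attempts before a 15-minute block. The following is an added illustration of that verification flow in Python, not GoCardless code: the per-account key, the HMAC-derived 6-digit code, and the in-memory pending-payment state are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Limits as stated on the page: 5-minute approval window, 5 attempts, 15-minute block.
CODE_TTL_SECONDS = 5 * 60
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

@dataclass
class Account:
    secret: bytes                 # hypothetical per-account key used to derive codes
    locked_until: float = 0.0     # epoch seconds until which outbound payments are blocked
    pending: dict = field(default_factory=dict)  # payment_id -> [nonce, created_at, failures]

def derive_code(secret: bytes, nonce: str, amount_minor: int, payee: str) -> str:
    """Dynamically linked code: HMAC over nonce, amount and payee, truncated to 6 digits."""
    msg = f"{nonce}|{amount_minor}|{payee}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def issue_code(account, payment_id, amount_minor, payee, now, nonce=None):
    """Register the pending payment and return the code that would go out by SMS."""
    nonce = nonce or secrets.token_hex(8)
    account.pending[payment_id] = [nonce, now, 0]
    return derive_code(account.secret, nonce, amount_minor, payee)

def verify_code(account, payment_id, amount_minor, payee, entered, now):
    """Return 'approved', 'rejected', 'expired' or 'locked'. amount_minor and payee are
    taken from the approval request, so a code issued for other details will not match."""
    if now < account.locked_until:
        return "locked"
    state = account.pending.get(payment_id)
    if state is None:
        return "rejected"
    nonce, created_at, failures = state
    if now - created_at > CODE_TTL_SECONDS:
        del account.pending[payment_id]           # not approved in time: payment cancelled
        return "expired"
    if hmac.compare_digest(derive_code(account.secret, nonce, amount_minor, payee), entered):
        del account.pending[payment_id]           # one-time use
        return "approved"
    state[2] = failures + 1
    if state[2] >= MAX_ATTEMPTS:                  # 5th failure: block outbound payments
        account.locked_until = now + LOCKOUT_SECONDS
        del account.pending[payment_id]
        return "locked"
    return "rejected"
```

Resending the same code (up to two times) would simply re-send the output of `derive_code` for the stored nonce without resetting `created_at`.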

Exemptions to SCA

The regulations provide a few exemptions from SCA for outbound payments. At GoCardless, we support and apply the “Trusted Beneficiary” exemption. When you make a payment to a recipient and SCA is applied, they are added to a trusted list, so that subsequent payments can proceed without requiring authentication.

GoCardless automatically maintains a list of trusted beneficiaries and you cannot manage or edit this list. A recipient is automatically marked as trusted after the first successful payment sent to them that includes a completed SCA and passes the Confirmation of Payee (CoP) check with FULL_MATCH results.

Once trusted, the recipient remains on the list unless no payment is made to them for 13 months. If no further payments are made to the recipient within that 13-month period, they are removed from the list and SCA is triggered again when a new payment is initiated.

What do you need to do if you don’t use GoCardless Dashboard?

If you’re building your own API integration, you must include your organisation’s authorisation token in every request (something you know). You should also sign your API requests with your organisation’s certificate (something you own) to verify their authenticity. Following these steps helps ensure security and compliance with PSD2 regulations.