A simple guide to Strong Customer Authentication for website owners
The Strong Customer Authentication directive, part of the European Unions' Payment Services Directive 2, aims to make online transactions more secure and to reduce fraud, coming into effect in September 14th 2019.
Strong Customer Authentication (SCA) affects online payments. If you accept online payments you will need to update your website to ensure credit card payments are continued to be processed successfully on your website before full enforcement comes into effect.
Online payments company Stripe, issued a report in mid 2019 which stated that Europe's online economy risked losing up to €57 billion due to companies not being prepared for SCA. This guide will provide you with the steps you will need to take to ensure your website will be ready to accept payments successfully and meet the requirements of SCA.
What is Strong Customer Authentication?
When a credit card is used online to make a payment, the transaction is sent via a payment gateway provider to the card holders bank. The bank will then process the payment.
The Strong Customer Authentication will mean that the bank will need to verify the user by another method using one of the three verification methods:
- Something only the user knows, e.g. a password or pin number
- Something only the user possesses, e.g. their phone
- Something the user is e.g. a fingerprint or facial recognition.
So when a customer enters their credit card details, their bank may send them an SMS with a pin code and they will use this to verify and complete the transaction successfully.
SMS is one example of many possibilities for verifying transactions by more than 6000 banks across the EU.
What is '3D Secure' and what does it have to do with SCA?
Previously when making a payment on a website, after entering your credit card details you were sometimes presented with a new form to enter a password for your credit card to complete the transaction. This protocol was called 3D Secure (version 1).
The next version of the protocol 3D Secure (version 2) is being used by many banks to meet the requirements of SCA. Version 2 of the protocol will be more customer friendly, and when the customer is completing a payment they will be presented with an additional screen to enter further information as supplied by the verification methods.
How will SCA affect me?
If you accept online payments or subscriptions through your website from customers using credit cards issued by European banks, you will need to be SCA compliant from September 14th.
Failure to do so will mean you will have an increase in failed payments processed from your site.
How will SCA affect my customers?
If your website is fully compliant with SCA when a customer makes a payment or subscription they will be required to complete an additional step to complete the purchase. This step may include:
- Entering a PIN code on your website sent by the issuing bank *
- Entering a code generated by phone app *
* The method to authenticate the purchase will vary from bank to bank.
Are there any situations where SCA will not apply?
There are a number of payment transactions that are exempt from SCA. These include:
Payments below €30 may be exempt from SCA.
- If the card holder has used this exemption 5 times in a row they will need to use SCA to verify the next transaction.
Fixed Amount Subscriptions
- A recurring monthly payment the customer will verify their first payment via SCA and then all subsequent payments will not require SCA.
Trusted Payee Exemption
- Your payment provider will carry out a risk analysis depending on the total of the transaction and they may decide to exempt the payment from SCA. They will present the payment to the bank without SCA. They bank may still require authentication.
- Some banks will allow customers to white list companies to take payments so SCA will not apply to future transactions
The customer's bank will ultimately decide to apply the exemption. In the event they decline the exemption the customer will have to go through the SCA process.
What about "customer not present" transactions?
Merchant Initiated or "customer not present" transactions via phone sales are not within the scope of SCA. If you are processing the payments for these types of transactions via your website or payment provider you need to ensure the website and payment provider are able to mark them as merchant initiated to the customers bank. Otherwise they will be subjected to SCA.
If you process merchant initiated transactions for a customer not present using a saved card, for example delayed payments, subscriptions, or additional bill items,these may be exempt or considered low risk to apply SCA, but the customers bank will decide whether or not to initiate an SCA process for that transaction.
What happens to my current recurring payments?
Check with your payment provider to see if the are marking current recurring payments as Merchant Initiated Transactions, these may 'grandfathered' with the bank and will not require authentication. Banks will have final say on whether to require authentication or not and can require SCA on any transaction.
Does SCA apply to Apple Pay and Google Pay?
Apple Pay and Google Pay already have payment flows that are SCA compliant.
How do I ensure my website is SCA ready?
For a website to process credit card payments it usually involves:
- User enters payment details on the website *
- The website interacts with the payment gateway provider *
- The payment gateway provider interacts with the bank or card issuer
*The website and payment gateway provider can be the same party in some cases.
The customer enters their details on the website which is sent to the payment gateway provider. The payment gateway provider then interacts with the bank or card issuer who will authorise or decline the payment. The banks decision is then sent back to the website via the payment gateway provider. The website then acts on that decision.
To ensure that your website is SCA ready you will need to look at the two areas:
- That your payment provider supports SCA, e.g. PayPal, Stripe, Amazon Pay etc.
- That your website software or software provider supports SCA e.g. Woocommerce, Shopify.
Every website and application is different, to ensure continued service you should engage your development team, technical resource, consultant, payment gateway provider or platform provider to ensure your configuration is SCA ready.
Payment gateway providers
This section outlines a selection of payment gateway providers and their current SCA readiness and implementation.
The majority of payment providers operating in the EU will be SCA ready. If you are using a provider outside of the EU you will need to check directly with them.
The payment providers will be working directly with the banks to implement SCA. Your website will need to be updated to work inline with your payment providers own implementation for handling SCA.
- Stripe https://stripe.com/ie/guides/strong-customer-authentication
- Amazon Pay https://pay.amazon.ie/blog/psd2-and-strong-customer-authentication
- Global Payments Gateway (formerly Realex) https://www.globalpaymentsinc.com/en-ie/accept-payments/online/3d-secure/customer-authentication
- PayPal https://developer.paypal.com/docs/psd2-compliance/strong-customer-authentication/
- Braintree by PayPal https://www.braintreepayments.com/ie/resources/psd2-strong-customer-authentication-explained
- Sage Pay https://get.sage.com/PAY_19Q3_C4L_GBIE_DGEE_GLPAYM_PSD2InformationLandingPage
- Elavon https://www.elavon.ie/perspectives/PSD2.html
- World Pay https://www.worldpay.com/en-gb/merchants/psd2
Depending on how your website or application is built, there are different steps required to check you are SCA ready. Some possible types of setups might be:
- Self hosted eCommerce website or subscription service(e.g. Woocommerce)
- Third party platform (e.g. Shopify)
- Custom website or software application
Self hosted eCommerce Website or Subscription Service
You are running a self hosted eCommerce website or Subscription Service accepting credit card payments on the site for goods, services or subscriptions. For example Woocommerce, Magento Open Source, PrestaShop.
If a user completes their transaction on the website you will need to check that your payment service provider supports SCA. You will also need to ensure that the software, plugin or extension providing the integration with the payment provider is up to date and works with that provider.
If a user completes their transaction off site or the payment window is via an 'iframe' directly on your website, for example on checkout they are brought to PayPal, you need to confirm with the payment provider they support SCA. You also need to confirm with your website developer that do not need to make any changes to your software for this integration to work.
Woocommerce is a Wordpress plugin and one of the most popular eCommerce platforms on the web.
Woocommerce accepts payments through a number of available extensions for each type of payment provider.
Woocommerce integrations with the following payment gateway providers are all SCA ready:
- Amazon Pay
- Global Payments Gateway (formerly Realex)
- PayPal powered by Braintree
- Sage Pay
If you are integrated with another payment provider you need to check with them if they are SCA ready.
You will need to ensure you are running the latest versions of the payment gateway extensions in your Woocommerce install.
More information https://woocommerce.com/posts/introducing-strong-customer-authentication-sca/
Magento Open Source
Magento Open Source is the self host version of the Magento eCommerce Platform.
Magento have announced that they are removing their core integrations with payment providers ( https://community.magento.com/t5/Magento-DevBlog/3D-Secure-2-0-changes/ba-p/136460 ) and you should move to using the marketplace extensions for payment provider integration.https://marketplace.magento.com/extensions/payments-security/payment-integration.html
You need to ensure that your payment provider supports SCA. And that the extension developer has updated their software to work with the payment provider.
Outside of Woocommerce, there are numerous plugins available to offer eCommerce and membership subscription support.
Ensure that the plugins payment gateways and the payment provider support SCA. And ensure you are running the latest versions of the plugin to support it.
Prestashop is an open source self hosted eCommerce platform.
To ensure your Prestashop install is SCA ready ensure that:
- Your payment provider supports SCA implementation
- The payment module from the Prestashop addons Market Place is installed
Third party platform
If you are using a third party platform like Shopify or 3Dcart there should be no action required other than confirming that they support SCA. Platforms will either have their own solution such as Shopify Payments or use a third party payment provider such as Stripe, PayPal or SagePay.
In each case you will need to ensure that the payment provider and the platform both support SCA.
Below are a list of some platforms and their readiness for SCA.
If you are using Shopify Payments or Stripe for payments you will automatically be switched to SCA in time for the deadline. https://www.shopify.ie/blog/strong-customer-authentication
If you are using another third party provider you will need to check with them and ensure they are SCA ready.
Squarespace use Stripe and PayPal for payment providers. There's no official announcement yet from Squarespace to say they'll support SCA. They do say they support all functionality from Stripe and PayPal https://support.squarespace.com/hc/en-us/articles/206540917-Accepting-credit-cards-with-Stripe , and as both payment gateway providers support SCA, it would be reasonable to assume Squarespace will support it.
If you are selling on Etsy, they have implemented SCA as outlined on their Credit Card Security Information page. https://help.etsy.com/hc/en-us/articles/115015569847-Credit-Card-Security-Information?segment=shopping
3D Cart is an online eCommerce platform that has SCA enabled. https://blog.3dcart.com/3d-secure-2-0-strong-customer-authentication-and-psd2
If you are using other platforms such as Volusion or Corecommerce you will need to check directly with them to ensure their payment gateways are SCA enabled. Some platforms have their own payment gateway which may not be SCA enabled if their core business is not European based.
Some platforms like Volusion have third party gateway integration with SagePay and Stripe, you will need to check to ensure that their software will be SCA enabled.
Custom website or software application
You may be running bespoke built website or a software application, accepting credit card payment that is not built on a third party platform or an off the shelf software platform.
If you accept payments within your website or application you will need to consult with your development team or technical consult to confirm that your software and payment provider are SCA ready. This process will include:
- Checking with your payment provider that they support SCA.
- Checking with your developers that the software has implemented
If you accept payments via a third party like PayPal then you will need to check if they are SCA ready. And that your software doesn't require any updating.
SCA will introduce additional steps for a customer to complete during an online payment process. While adding additional steps to this process has been shown to decrease completion of transactions, the SCA will increase security and lower fraudulent transactions.
In August the Central Bank has stated that there will be limited time period after the 14th September to allow retailers complete full migration. https://centralbank.ie/regulation/psd2-overview> You should still aim for your website to be compliant by 14th September.