If you accept payments online or develop web apps that do, you may have noticed some new acronyms like “SCA”, “PSD2”, and “3DS2.0” floating around. As the world of online payments continues to evolve, new regulations, and the new technologies that support them, become necessary to understand and comply with. This article aims to clarify what is changing in how you accept payments online.
If you’re reading this, the first thing you might be thinking is, “Ugh, what do I have to do now?”, or maybe, “Ugh, now I need to pay a developer more money…”, or maybe even something worse.
First of all, you do not need to take any other action to make sure your site complies with PSD2 and SCA regulations. Our core payment gateway integrations will be updated before PSD2 fully takes effect on September 14, 2019. As long as you keep Paid Memberships Pro updated, you’re good to go.
IMPORTANT UPDATE: While we initially thought that you wouldn’t need to take any action besides updating your software, with some gateways you may need to sign up for a Cardinal Commerce account and copy over some settings and API keys. With other gateways, you may just need to enable the feature from the gateway settings. Contact your gateway or us, or stay tuned to our blog for updates.
New regulations, new technology.
The European Union (EU) has a set of regulations called the Payment Services Directive (PSD). These regulations govern how online payments are to be conducted. The PSD, first introduced in 2007, was recently revised to adopt modern security standards and take advantage of recent advances in mobile payment technology. This updated version of the directive, more commonly known as PSD2, aims to improve the EU economy by reducing fraud and increasing innovation in the financial technology industry.
PSD2 adds new rules for how online payments must be conducted, including the implementation of Strong Customer Authentication (SCA). This is essentially 2-factor authentication for “high-risk” online payments. Integrating SCA into payment gateways allows banks and card issuers to provide a security challenge to users if the transaction is determined to have a higher risk for fraud. Some transactions are exempt from SCA requirements, such as fixed-price automated recurring payments and transactions under €30, but most will require the user’s card issuer to determine whether or not a security challenge is required for the transaction.
3D Secure 2.0 (3DS2.0) is the new authentication protocol that makes SCA possible. 3DS2.0 allows more information to be provided to issuers when determining a transaction’s risk, such as device information and payment history. This means fewer “false-positive” declined transactions by the bank and an overall smoother checkout experience for you and your customers.
Effective September 14, 2019, banks and card issuers in the EU will begin declining payments for most transactions through payment gateways which do not implement SCA.
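To make the SCA flow above concrete, here is a small illustrative model of one transaction passing through it. This is an added example written for this article; it is not Paid Memberships Pro code and not any gateway's or card network's API. It models only the two exemptions the article names (fixed-price recurring payments and transactions under €30) and leaves the final risk decision to a stand-in for the issuer, whose scoring rule here (known device plus some payment history means "frictionless") is a constructed heuristic, not how any real issuer scores 3DS2.0 data. The two-distinct-factor check reflects the "two of knowledge, possession, inherence" requirement.

```python
"""Toy model of the SCA decision flow: exemption screening, issuer risk decision, challenge.

Illustrative example only (not Paid Memberships Pro or gateway code). Exemptions
modelled are the two the article names; PSD2 defines others that are left out.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Value taken from the article: transactions under EUR 30 are exempt from SCA.
SCA_LOW_VALUE_LIMIT_EUR = 30.00

# The three factor categories SCA draws from; a challenge needs two distinct ones.
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    issuer_in_eu: bool              # PSD2 only binds card issuers in the EU
    fixed_price_recurring: bool     # e.g. a subscription renewal at an unchanged price
    device_seen_before: bool        # constructed stand-in for a 3DS2.0 device data point
    prior_successful_payments: int  # constructed stand-in for 3DS2.0 payment history


def sca_exemption(tx: Transaction) -> Optional[str]:
    """Return why SCA does not apply, or None if the issuer must decide."""
    if not tx.issuer_in_eu:
        return "issuer outside EU"
    if tx.fixed_price_recurring:
        return "fixed-price recurring payment"
    if tx.amount_eur < SCA_LOW_VALUE_LIMIT_EUR:
        return "low value"
    return None


def issuer_risk_decision(tx: Transaction) -> str:
    """Simulate the issuer's 3DS2.0 risk assessment (constructed heuristic).

    A known device with some successful history is treated as low risk and goes
    through frictionless; anything else is challenged. Real issuers score many
    more data points and keep their rules private.
    """
    if tx.device_seen_before and tx.prior_successful_payments >= 2:
        return "frictionless"
    return "challenge"


def has_two_distinct_factors(presented: Dict[str, str]) -> bool:
    """True if the presented factors span two distinct SCA categories.

    `presented` maps a factor label to its category, e.g.
    {"password": "knowledge", "bank app push": "possession"}.
    Two factors from the same category (password + PIN) count as one.
    """
    categories = {cat for cat in presented.values() if cat in FACTOR_CATEGORIES}
    return len(categories) >= 2


def authorize(tx: Transaction, presented: Optional[Dict[str, str]] = None) -> dict:
    """Walk one transaction through the SCA flow and report the outcome."""
    reason = sca_exemption(tx)
    if reason is not None:
        return {"outcome": "approved", "sca": "exempt", "reason": reason}

    if issuer_risk_decision(tx) == "frictionless":
        return {"outcome": "approved", "sca": "frictionless",
                "reason": "issuer judged low risk"}

    # Issuer asked for a challenge: the customer must now present two factors.
    if presented is None:
        return {"outcome": "challenge_required", "sca": "challenge",
                "reason": "issuer requested authentication"}
    if has_two_distinct_factors(presented):
        return {"outcome": "approved", "sca": "challenge",
                "reason": "two distinct factors verified"}
    return {"outcome": "declined", "sca": "challenge",
            "reason": "fewer than two factor categories"}


if __name__ == "__main__":
    # Constructed sample transactions.
    renewal = Transaction(49.00, True, True, False, 5)
    first_purchase = Transaction(99.00, True, False, False, 0)
    print(authorize(renewal))                                   # exempt: recurring
    print(authorize(first_purchase))                            # challenge_required
    print(authorize(first_purchase, {"password": "knowledge",
                                     "bank app push": "possession"}))  # approved
    print(authorize(first_purchase, {"password": "knowledge",
                                     "pin": "knowledge"}))             # declined
```

The point the model makes is that the merchant side never decides whether a challenge happens: it can only recognise the exemptions and hand the rest to the issuer, then relay the issuer's challenge to the customer and pass the result back.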
Frequently Asked Questions
- Q: Do I have to do anything to comply with the new regulations?
- A: Just keep Paid Memberships Pro updated. Our core payment gateway integrations will be updated before PSD2 fully takes effect on September 14, 2019. As long as you keep Paid Memberships Pro updated, you’re good to go.
- Q: What will happen if I don’t upgrade?
- A: Starting September 14, 2019, banks in Europe will begin declining non-exempt transactions which don’t meet the SCA requirements. Many customers with card issuers in the EU will be declined at checkout if SCA isn’t integrated into the payment gateway.
- Q: What if I’m not in the EU?
- A: PSD2 only affects customers with card issuers in the EU. If you don’t have customers in the EU, you won’t have any issues when PSD2 takes effect in September. However, many other regulatory bodies all over the world are considering similar legislation to enforce SCA as well, so it’s a good idea to upgrade now.
- Q: How will the checkout process change for my users?
- A: SCA will add additional verification steps during the checkout process for some transactions which are determined to have a higher risk of fraud. This will typically look very similar to many login processes which require 2-factor authentication you may already be familiar with, such as logging into a social media account on an “unrecognized” device.
For example, a user may check out on your website on their laptop and be required to confirm their identity through their bank’s mobile app on their smartphone. The actual experience will vary depending on the customer’s card issuer, but they will generally be required to authorize the checkout using 2 of the following if SCA is required for the transaction:
- Something you know, such as a password
- Something you own, such as a mobile phone
- Something you are, such as a fingerprint
- Q: Will this affect conversions?
- A: Additional steps in the checkout process can cause friction with the checkout experience for your users, so there is a possibility that SCA can affect conversions negatively. However, 3DS2.0 allows banks to determine a transaction’s risk more accurately than before, based on many factors such as a user’s payment history and device. Typically, 95% of transactions are determined to be low-risk and do not require the extra verification step.
- Q: I have another question not answered here.
- A: Please post a comment below or reach out to us in the Support Area. We will do our best to assist you with your query.