On 14 September 2019, new requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2).
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a new European regulatory requirement intended to reduce fraud and make online payments more secure. Once SCA comes into effect, additional authentication will be required in the checkout (or payment charge) flow on your website. SCA requires the customer to be authenticated with at least two of the following three elements:
- Something the customer knows (e.g. a password or PIN)
- Something the customer has (e.g. a phone or hardware token)
- Something the customer is (e.g. a fingerprint or face recognition)
Starting 14 September 2019, banks will decline payments that require SCA and do not meet these criteria.
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within Europe.
- Most card payments and all bank transfers will require SCA
- Recurring direct debits will be an exception
- In-person card payments (with the exception of contactless) are not affected by this
- This will apply to online payment transactions where both the business and the cardholder's bank are located in the European Economic Area (EEA) (the UK is expected to comply regardless of Brexit)
How to authenticate a payment
- Apple Pay and Google Pay already authenticate the customer on the device (e.g. by fingerprint or face recognition), so they satisfy SCA and don't require any changes
- Card payments require the implementation of 3D Secure 2 (the new version of the authentication protocol, rolling out in 2019)
Exemptions to SCA
- Low-risk transactions (depends on the fraud rate of the payment provider handling the transaction and on the transaction amount, not on the seller alone)
- Payments of up to 30 EUR are considered low value. SCA will still be required once the exemption has been used 5 times in a row, or once the sum of exempted payments since the last authentication exceeds 100 EUR
- Fixed-amount subscriptions: the customer authenticates on the first payment; subsequent charges of the same amount may be exempted from SCA
- Merchant-initiated transactions (including variable-amount subscriptions): may work, but acceptance will depend on the bank. The customer must authenticate the card when it is saved and give their agreement (a mandate) to be charged later
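The low-value exemption above is easiest to understand as a pair of counters that the cardholder's bank keeps per card and resets whenever the customer completes SCA. The following is an added example, not code from the original notice or from any payment provider: it models those counters with the thresholds stated above (30 EUR per payment, 5 uses in a row, 100 EUR cumulative). The "counters are kept per card and reset on a successful authentication" model, and the function names, are assumptions made for illustration; a real decision is taken by the issuer, not by the merchant.

```python
# Added example (not from the original notice): a tracker for the low-value
# exemption rules. Thresholds follow the notice; the per-card counters that
# reset on a successful SCA are an assumption made for illustration.
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple

LOW_VALUE_LIMIT = Decimal("30")          # at most 30 EUR per payment
CUMULATIVE_LIMIT = Decimal("100")        # sum of exempted payments since last SCA
MAX_CONSECUTIVE_EXEMPTIONS = 5           # exemption may be used 5 times in a row


@dataclass
class CardState:
    """Per-card counters kept since the last successful SCA (assumed model)."""
    exempted_count: int = 0
    exempted_sum: Decimal = Decimal("0")


def sca_required(state: CardState, amount_eur: Decimal) -> Tuple[bool, str]:
    """Decide whether a customer-initiated card payment of amount_eur needs SCA
    or can use the low-value exemption, given the card's current counters."""
    if amount_eur > LOW_VALUE_LIMIT:
        return True, "amount above 30 EUR"
    if state.exempted_count >= MAX_CONSECUTIVE_EXEMPTIONS:
        return True, "low-value exemption already used 5 times since last SCA"
    if state.exempted_sum + amount_eur > CUMULATIVE_LIMIT:
        return True, "cumulative exempted amount would exceed 100 EUR"
    return False, "low-value exemption applies"


def record_payment(state: CardState, amount_eur: Decimal, authenticated: bool) -> None:
    """Update the counters: a successful SCA resets them, an exempted payment
    adds to them."""
    if authenticated:
        state.exempted_count = 0
        state.exempted_sum = Decimal("0")
    else:
        state.exempted_count += 1
        state.exempted_sum += amount_eur


def simulate(amounts_eur: List[str]) -> List[bool]:
    """Run a series of payments on one card, assuming the customer completes
    3D Secure whenever it is required. Returns, per payment, whether SCA was
    required."""
    state = CardState()
    required_flags = []
    for raw in amounts_eur:
        amount = Decimal(raw)
        required, _reason = sca_required(state, amount)
        record_payment(state, amount, authenticated=required)
        required_flags.append(required)
    return required_flags


if __name__ == "__main__":
    # Constructed sample: seven 10 EUR payments exhaust the 5-use limit on the
    # sixth, which is authenticated and so resets the counters for the seventh.
    for amount, flag in zip(["10"] * 7, simulate(["10"] * 7)):
        print(amount, "EUR ->", "SCA required" if flag else "exempt")
```

Two things worth noticing when running it: four payments of 25 EUR reach the 100 EUR cumulative limit without exceeding it, so a fifth payment of 10 EUR is challenged by the cumulative rule before the 5-use rule is hit; and a payment of exactly 30 EUR is still low value, while 30.01 EUR is not.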
How does it affect my site?
The changes required depend on the payment processor and the integration type.
Sagepay has advised that they are making these changes on their end for the Form (redirect to Sagepay) and Server (embedded window) integrations, so no changes to your site should be necessary. Changes are required for the SagePay Direct integration; however, this is not an integration we would normally recommend.
Stripe payments do require changes to the API version to ensure compliance. We have evaluated the changes required and are ready to upgrade your site. The cost will depend on the site:
- £250 ex VAT for payments on orders or one-off invoice payments
- £300 ex VAT for subscription payments
- If you have more than one payment type (e.g. orders + one-off invoices) there will be an additional £50 ex VAT for each additional payment type
For Stripe Connect please get in touch with us and we will advise you on the costs
PayPal will make the changes on their end for the PayPal button, Express Checkout and PayPal Pro Hosted. Some changes might be required in your PayPal panel, but no integration changes should be required.
Worldpay, BarclayCard, Elavon, Adyen, PaymentSense and other payment gateways
Please get in touch by emailing firstname.lastname@example.org and we will advise you individually regarding these payment providers.