PSD2 and Strong Customer Authentication
July 31, 2019 - Product Updates・Security
If you have a gateway that supports customers from the European Union, chances are that you’ve received an email from your gateway lately talking about the second Payment Services Directive (PSD2) and Strong Customer Authentication (SCA).
These are new regulations, coming into effect on the 14th of September 2019, that are designed to help make online payments more secure and keep customer payment information safe.
UPDATE: As of 2019-09-13, there still exists tremendous uncertainty about what, if anything, will happen on the 14th. Some countries have officially postponed their own requirements for SCA, while others are in various stages of allowing delays. Stripe has a fantastic status update on PSD2 / SCA requirements by country.
What is PSD2 and SCA?
If you’re not familiar with these changes, the European Union previously announced PSD2, which includes a number of new requirements for entities within the payments industry.
One aspect that affects Foxy is SCA, which aims to reduce fraud and make online payments more secure. After PSD2 comes into effect, online payments within Europe will need to complete additional authentication. If authentication is required, the customer will need to provide at least two of these three elements:
something the customer knows (like a password)
something the customer has (like a phone)
something the customer is (like a fingerprint)
It’s not too different from the two-factor authentication you may already use when logging in to online services.
What will the customer see?
If a customer needs to provide this extra authentication, they will be shown a prompt when they attempt to complete the purchase, asking for additional details such as an SMS code sent to their phone.
This has previously been implemented for some of our gateways with 3D Secure v1, which usually required redirecting the customer to a separate page hosted by the bank, and was not really a great user experience. In fact it sometimes didn’t work at all – here’s a screenshot of the last time one of our team experienced 3D Secure v1 in the wild:
(You might be wondering what the domain is in that popup. It’s not the cardholder’s issuing bank, or anything else a customer would know to be real and not phishing. Enough about v1, though…)
To support the new requirements for SCA, 3D Secure v2 has been developed, and it is what we are implementing in the checkout. It provides a more user-friendly approach for customers and allows for more varied authentication methods. Here’s what 3D Secure v2 looks like in Foxy:
Much, much better. So that’s good.
Exceptions to SCA
SCA won’t always be required, though. There are different conditions that allow for a “frictionless flow” where the customer would purchase as normal, such as lower-cost transactions. Recurring transactions (and other “merchant initiated transactions”) are also considered exempt from SCA, as the customer is not present. Transactions where either the customer’s card issuer or the merchant’s payment acquirer is outside of the European Economic Area (EEA) are also exempt.
What changes do I need to make?
Foxy version 2.0
If your store is already on Foxy version 2.0, at this stage there are not any changes that you need to make. We’re continuing to work towards implementing 3D Secure for all relevant gateways that we support as the gateways add support themselves.
If any additional configuration is needed for stores, we’ll be sure to reach out as that information comes to light.
Foxy version 1.0 & 1.1
If you’re on version 1.1 or older, though, you will need to upgrade your store to our latest version before September 14, 2019, as we will only be implementing 3D Secure v2 in Foxy version 2.0. For a lot of stores, this upgrade isn’t too involved, and we can provide an upgrade plan to assist you with the changes that would be necessary. You can request a free store upgrade evaluation from our website here.
If you’re currently on a gateway that supports 3D Secure v1, then you can stay on your existing version and gateway, as that version of 3D Secure does meet the requirements for SCA. 3D Secure v1 is set to be phased out in 2020, though, so you should work towards upgrading your store to version 2.0 when you can.
We’re here to help
We will continue working through our many different gateway integrations to implement the necessary changes for SCA for our users. If you have any questions about any of the changes for your specific store, please don’t hesitate to get in touch.