Introducing Strong Customer Authentication (SCA)

What is SCA?


Strong Customer Authentication (SCA)* is a requirement of the EU's revised Payment Services Directive (PSD2) that took effect on September 14, 2019. It requires merchants to verify a customer's identity with more than one authentication factor. To comply with the new requirements and make sure your sales don't take an unnecessary hit, you need to lay the groundwork.

Merchants accepting online payments need to use two independent authentication factors to verify that a customer is who they say they are.

Image caption: Strong Customer Authentication (SCA) will require a second form of authenticating online purchases.
Authentication methods may be a password, Face ID, or a push notification.

What kinds of authentication are acceptable?


SCA recognises three categories of authentication factor: something the customer knows, something the customer has, and something the customer is. To succeed, a transaction needs two factors from two different categories, and the factors must be independent, so that compromising one (for example, a phished password) does not also compromise the other. Two factors from the same category, such as a password plus a security question, do not count.

What does that mean in practice?

  • Asking for a piece of information only the customer knows — their password or the answer to a security question.
  • Sending verifying information to something the customer controls — a hardware token or a push notification on their phone.
  • Using a physical identifier unique to the customer — a fingerprint or Face ID.

What do I need to do to prepare?


Most payment gateways use 3D Secure 2 (3DS2) – an update to the 3D Secure system – as their main method of complying with SCA. During checkout, the gateway passes the transaction details to the customer's card issuer. The issuer may authenticate the customer in the background with no visible step (the "frictionless" flow), or it may challenge them for the additional authentication element, for example a code from their banking app. The gateway is then told whether authentication succeeded, and the order should only be completed once the gateway confirms a successfully authenticated payment. Treat the customer's return to your site after the challenge as a prompt to check the result with the gateway, not as proof of payment.
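
As an added example (not code from the original post, from WooCommerce, or from any gateway), here is how a merchant backend should treat the 3DS2 result: the order becomes paid only on a server-side gateway notification whose signature verifies, not when the customer's browser comes back from the challenge. The JSON field names, the status values and the HMAC-SHA256 signing scheme are assumptions standing in for whatever your gateway actually uses.

```python
"""Merchant-side handling of a 3-D Secure 2 payment result.

Added example, not WooCommerce's or any gateway's code. It assumes a generic
gateway that reports each payment attempt as a JSON event with the fields
"event_id", "order_id", "amount_cents" and "status", and that signs the raw
event body with HMAC-SHA256 under a shared secret (field names, status values
and signing scheme are assumptions; real gateways differ). The point shown:
the order moves to PAID only on a verified server-side event that says the
authenticated payment succeeded, never on the browser's return from the challenge.
"""
import hashlib
import hmac
import json
from enum import Enum


class OrderState(Enum):
    PENDING = "pending"              # checkout started, nothing confirmed
    AWAITING_AUTH = "awaiting_auth"  # customer sent to the issuer's 3DS2 challenge
    PAID = "paid"                    # authenticated and charged; terminal
    FAILED = "failed"                # authentication failed or issuer declined; terminal


class Order:
    def __init__(self, order_id: str, amount_cents: int):
        self.order_id = order_id
        self.amount_cents = amount_cents
        self.state = OrderState.PENDING
        self.seen_events = set()  # event ids already processed; guards against replayed deliveries


def sign_event(secret: bytes, raw_body: bytes) -> str:
    """Signature the (assumed) gateway attaches; used here to build the sample events."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, signature_hex: str) -> bool:
    # Constant-time comparison over the raw bytes as received, not a re-serialised copy.
    return hmac.compare_digest(sign_event(secret, raw_body), signature_hex)


def apply_gateway_event(order: Order, raw_body: bytes, signature_hex: str, secret: bytes) -> OrderState:
    """Advance the order's state from one signed gateway event; return the new state."""
    if not verify_signature(secret, raw_body, signature_hex):
        raise ValueError("event signature invalid; ignoring")
    event = json.loads(raw_body)
    if event["order_id"] != order.order_id:
        raise ValueError("event is for a different order")
    if event["event_id"] in order.seen_events:
        return order.state  # duplicate or replayed delivery: idempotent no-op
    order.seen_events.add(event["event_id"])

    if order.state in (OrderState.PAID, OrderState.FAILED):
        return order.state  # terminal states never change

    status = event["status"]
    if status == "requires_action":
        # The issuer wants a challenge (the second factor); the sale is not complete.
        order.state = OrderState.AWAITING_AUTH
    elif status == "succeeded":
        if event["amount_cents"] != order.amount_cents:
            raise ValueError("amount mismatch; not marking paid")
        order.state = OrderState.PAID
    elif status in ("authentication_failed", "declined"):
        order.state = OrderState.FAILED
    else:
        raise ValueError(f"unknown status {status!r}")
    return order.state


def demo() -> dict:
    """Run a constructed challenge-then-success flow plus two attacks; return the outcomes."""
    secret = b"shared-webhook-secret"  # constructed; a real secret comes from the gateway dashboard
    order = Order("order-1001", 4999)

    def event(event_id, status, amount=4999, order_id="order-1001"):
        body = json.dumps({"event_id": event_id, "order_id": order_id,
                           "amount_cents": amount, "status": status}).encode()
        return body, sign_event(secret, body)

    outcomes = {}
    outcomes["after_challenge"] = apply_gateway_event(order, *event("ev-1", "requires_action"), secret)
    # A forged "succeeded" event signed with the wrong key must be rejected.
    body, _ = event("ev-2", "succeeded")
    try:
        apply_gateway_event(order, body, sign_event(b"wrong-key", body), secret)
        outcomes["forged_rejected"] = False
    except ValueError:
        outcomes["forged_rejected"] = True
    outcomes["after_success"] = apply_gateway_event(order, *event("ev-2", "succeeded"), secret)
    # A later "declined" cannot revert a paid order, and a replayed ev-2 is a no-op.
    outcomes["after_late_decline"] = apply_gateway_event(order, *event("ev-3", "declined"), secret)
    outcomes["after_replay"] = apply_gateway_event(order, *event("ev-2", "succeeded"), secret)
    return outcomes
```

demo() walks a constructed order through a challenge, a forged "succeeded" event signed with the wrong key, the genuine success, a late decline and a replayed delivery; only the verified success changes the order to paid, and nothing moves it afterwards.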

Some payment methods, such as Apple Pay, already incorporate these elements and should be unaffected by SCA.

Image caption: How to prepare your store for Strong Customer Authentication

FAQ


Does SCA apply to merchants outside of the European Economic Area?

Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.

What’s different on/after September 14, 2019?

The requirement for SCA took effect on September 14, 2019. Many regulators in the EEA have granted banks in their respective countries additional time to implement and require SCA. Although this has taken some pressure off, merchants are still advised to update to SCA-ready payment methods as they become available.

If your online store’s payment gateway has an EEA presence but is not SCA ready, declines for EEA-issued payment methods can be expected to gradually increase over the year ahead.

Are any transactions exempt?

Yes. Transactions below € 30 will usually not require SCA under the low-value exemption. However, SCA is required once five exempt transactions have been made since the customer last authenticated, or once the total spent in exempt transactions since then exceeds € 100; a successful authentication resets both counts. Whether an exemption is applied is decided by the customer's bank, which may still require authentication, so your checkout must be ready to handle a challenge on any transaction.

What about subscriptions?

SCA applies to subscriptions, too. On and after September 14, 2019, your customers need to authenticate the first payment of a subscription. Subsequent recurring charges initiated by the merchant are exempt in many cases, including for subscriptions that began before September 14, though it is the customer's bank that determines whether to require SCA or accept the exemption.
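
The low-value and recurring rules above, worked through as an added example (not code from the post or from any bank). It models the counters the customer's bank keeps per card, using the € 30, € 100 and five-transaction thresholds the FAQ states, and treats the first payment of a subscription as always authenticated and later merchant-initiated charges as exempt. The customer_initiated and first_in_series flags and the CardCounters structure are assumptions for illustration.

```python
"""SCA exemption logic for the low-value and recurring cases described above.

Added example, not the page's or any bank's code. It models the rule as the
customer's bank (the issuer) applies it, with the thresholds the FAQ gives:
below EUR 30 is exempt, but SCA is forced once five exempt transactions have
run since the last SCA or the cumulative exempt amount would pass EUR 100.
The first payment of a subscription is always authenticated; later
merchant-initiated recurring charges are treated as exempt. The flags and the
per-card counters are assumptions for illustration. Merchant code must not
rely on these outcomes: the issuer may challenge anyway.
"""
from dataclasses import dataclass, field
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30.00")    # EUR; amounts at or above this are not "low value"
CUMULATIVE_LIMIT = Decimal("100.00")  # EUR; cumulative exempt spend allowed since the last SCA
MAX_CONSECUTIVE_EXEMPT = 5            # exempt transactions allowed since the last SCA


@dataclass
class CardCounters:
    """Per-card state the issuer keeps; both counters reset on every successful SCA."""
    exempt_count: int = 0
    exempt_total: Decimal = field(default_factory=lambda: Decimal("0.00"))

    def reset(self) -> None:
        self.exempt_count = 0
        self.exempt_total = Decimal("0.00")


def requires_sca(amount, counters: CardCounters, *,
                 customer_initiated: bool = True, first_in_series: bool = False) -> bool:
    """Decide whether this transaction needs SCA and update the card's counters.

    Amounts are taken as strings or numbers and handled as Decimal (never float
    for money). Assumes the transaction then completes, so a decision to
    authenticate resets the counters.
    """
    amount = Decimal(str(amount))
    if first_in_series:
        # First payment of a subscription: the customer always authenticates.
        counters.reset()
        return True
    if not customer_initiated:
        # Later recurring charges are merchant-initiated and exempt under the rule above.
        return False
    if amount >= LOW_VALUE_LIMIT:
        counters.reset()
        return True
    if counters.exempt_count >= MAX_CONSECUTIVE_EXEMPT:
        counters.reset()
        return True
    if counters.exempt_total + amount > CUMULATIVE_LIMIT:
        counters.reset()
        return True
    counters.exempt_count += 1
    counters.exempt_total += amount
    return False


def simulate(amounts) -> list:
    """Run a sequence of customer-initiated amounts on a fresh card; return the SCA decisions."""
    counters = CardCounters()
    return [requires_sca(a, counters) for a in amounts]
```

simulate() shows the edge cases: five € 10 payments stay exempt and the sixth is challenged because of the count; four € 25 payments reach exactly € 100 and the next one is challenged because the cumulative total would pass it; a single € 30.00 payment is never low-value. Because the decision belongs to the issuer, a merchant integration only needs to be ready for a challenge on any transaction.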

What Payment Gateways offered by WooCommerce.com are SCA ready? **

What about Payment Gateways offered by others?

Please contact your payment gateway’s developer directly to inquire about SCA readiness.

*Note that this article should not be considered legal advice. Should you have questions or concerns about how your business is impacted by regulations and laws, we strongly recommend consulting with a legal professional.

**This post will be updated as Strong Customer Authentication (SCA) support is extended to additional Payment Gateway Extensions. If you have any questions, feel free to contact WooCommerce.com Support.

Author: Kevin Bates

42 comments

  1. What support is available with the ‘PayPal Standard’ gateway for Woo? Thanks, Colin

    colin froggatt
    June 12, 2019
  2. Will these changes affect New Zealand based eCommerce sites?

    bdurston
    June 13, 2019
    • Does SCA apply to merchants outside of the European Economic Area?
      Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA.

      I believe so – if the customer is based in the EU or is using an SCA bank/card, then SCA will apply.

      haszari
      June 28, 2019
      • That’s correct. Merchants worldwide that sell to EEA buyers are likely to be impacted by SCA. PSD2/SCA applies when the acquiring bank is in the EEA AND the buyer’s payment instrument is issued in the EEA.

        Allen Snook
        July 1, 2019
  3. I am really excited about 3D Secure 2.0, which is, in turn, a major overhaul of the existing 3-D Secure (3DS) technology. It will not only boost security manifold but also provide a better user experience.

    3DS 2.0 is supposed to make the customer authentication process faster and more accurate than 3DS 1.0. It will put an end to the concept of a static password and will ease the process with biometrics and one-time passwords.

    You’ve outlined the importance in a very comprehensive manner. A great post for those who are often worried about their security.

    A great feed of knowledge indeed!

    Ketanmishra
    June 13, 2019
  4. One thing that is not clear anywhere is whether the Stripe gateway plugin – developed by WooCommerce – will have the ability to use the new Stripe hosted checkout, which is SCA ready and also a better design than the existing WooCommerce checkout templates.

    Please can you confirm?

    John
    June 14, 2019
    • Yep, I’m assuming there will either be an update for the plugin or it’ll all be done from redirects on Stripe’s end, but it would be nice to have confirmation.

      Adam
      June 19, 2019
    • Hi John!

      Version 4.2 of our Stripe extension added support for SCA for non-recurring payments using existing WooCommerce checkout templates. As you have probably noticed, we have not incorporated Stripe’s new hosted checkout at this time.

      Version 4.3 will add support for SCA for recurring payments this summer.

      We are considering if and when to add support for Stripe’s new hosted checkout, depending on merchant demand.

      Allen Snook
      July 1, 2019
      • Hello Allen, thanks for the info.
        Regarding v4.3: what will happen with existing customers with monthly subscriptions who sign up, e.g., today on 4.2, but whose subscription/monthly payment goes past September 14? For example, on implementing 4.3 or on Sept 14, would they then have to re-authenticate the payments using SCA somehow on the site? (We have some customers whose subscriptions are essentially perpetual until they cancel.)

        Neil L
        July 2, 2019
        • I’ve emailed Stripe with this question.

          I asked them if we’ll need to re-authenticate existing active subscription customers after September 14, 2019.

          Here’s their response:

          >… the subscriptions should be gated into the new flow without you having to do anything.

          > So no, you won’t have to re-authenticate existing active subscription customers after September 14, 2019.

          Luke
          July 4, 2019
  5. Great, I’m excited.

    Will it be mandatory to use SCA? Or will there be an option to enable and disable it?

    Rifat
    June 15, 2019
    • Hi Rifat!

      PSD2/SCA applies when the acquiring bank is in the EEA and the payment instrument is issued in the EEA, however not all banks will require PSD2/SCA right away as they have to update their systems as well.

      In the meantime, some gateways like Stripe allow you to control whether or not SCA techniques like 3D Secure 2 are required all the time or not. In the case of Stripe, these settings can be found in Radar Rules.

      Hope this helps.

      Allen Snook
      July 1, 2019
  6. Is it just for European Union?

    Max
    June 15, 2019
    • PSD2/SCA applies when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA. This means that non-EU and non-EEA sellers with EEA buyers can expect to be affected at least on some fraction of their transactions.

      Allen Snook
      July 1, 2019
  7. Great to see further security is being introduced, as per in-person transactions. Hopefully all areas and payment gateways will get on board to make things easy for everyone.

    Brad D
    June 18, 2019
  8. *Sigh* for the greater good I guess. But all these eu regulations do is make it harder for businesses to do business stuff and it’s a hassle for customers, too. As usual…

    Arnan
    June 21, 2019
  9. Hello, Allen;

    The nub of my last comment on this platform was that Woocommerce is active. Given this upcoming update, I guess I didn’t even know the full implication of my previous comment. Go Woocommerce!

    Warm regards,
    Emmanuel Obarhua

    Emmanuel Obarhua
    June 21, 2019
  10. I assume that the PayPal by Braintree gateway will be SCA-ready by September too?

    https://wordpress.org/plugins/woocommerce-gateway-paypal-powered-by-braintree/

    David Wang
    June 26, 2019
    • We are working on PayPal Powered by Braintree right now to get it ready for SCA.

      Allen Snook
      July 1, 2019
  11. What is worrying as both a customer and a seller…

    What happens if one party does NOT use a mobile device (I don’t)? Although a password is fine, I’ve no way of doing either of the latter two parts. Does this mean I can no longer buy online??

    Sarah Paine
    June 26, 2019
    • Great question! EEA buyers without mobile devices should contact their bank to inquire about SCA options for them.

      Allen Snook
      July 1, 2019
  12. Paypal is pretty big for most of us. What’s the update on them?

    Johnny Ringo
    June 26, 2019
    • We (and PayPal) are working on changes to PayPal Powered by Braintree and on PayPal Pro right now to get it ready for SCA. The other PayPal extensions rely on changes on PayPal’s end. We will keep you updated on our (and PayPal’s) progress.

      Allen Snook
      July 1, 2019
  13. And will WooCommerce First Data Payeezy Gateway
    be SCA-ready by September too?

    https://woocommerce.com/products/firstdata/

    Thank you for your reply!

    praline2013
    June 26, 2019
    • Hi!

      Some changes are likely required for this extension for SCA readiness. We are looking into it.

      Allen Snook
      July 1, 2019
  14. This article is somewhat confusing/misleading on re-reading it. In the FAQ it states,

    Does SCA apply to merchants outside of the European Economic Area?

    Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all 27 European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.
    ———–

    Does this mean SCA is *only* applicable to EU EEA countries? If I don’t sell product to the EU or EEA countries, am I still obligated to implement this method?

    Second, how does this align with GDPR?

    Thirdly, is this a PCI-compliant method if required in the U.S.?

    Efrem R. Jasso
    June 26, 2019
    • As I read it, if you sell to customers in the EU then that customer will go via a 3DS v2 process. I also think that the payment issuers will handle this, so providing the relevant plugins are updated you will be covered wherever you are in the world. I also expect other countries to follow this process, as security with payment is something that is beneficial to customers and businesses, right?

      Craig
      June 27, 2019
    • > If I don’t sell product to the EU or EEA countries, am I still obligated to implement this method?

      No.

      > Second, how does this align with GDPR?

      Sellers should review the privacy policies of the payment providers they are using and ensure that their own store’s privacy policies are up to date and in-line with local laws.

      > Thirdly, is this a PCI-compliant method if required in the U.S.?

      PSD2/SCA readiness should not affect PCI compliance. Did you have a specific concern?

      Allen Snook
      July 1, 2019
  15. Is this something that’s going to be automatically implemented somehow in a Woocommerce update?
    If not, how are we expected to implement it?
    How will the gateway “know” if the customer is answering correctly?

    wolfemacleod
    June 26, 2019
    • > Is this something that’s going to be automatically implemented somehow in a Woocommerce update?

      If changes are needed to your payment gateway extension, the update would be to the payment gateway extension itself, not the WooCommerce plugin.

      > How will the gateway “know” if the customer is answering correctly?

      The payment gateway will be told by the payment processor that they declined the sale for buyers who fail to pass any required authentication.

      Allen Snook
      July 1, 2019
  16. This does not affect USA customers purchasing in the USA within the European Economic Area; it would have been nice for the author to have made it clearer for the readers.

    Nick
    June 27, 2019
  17. Hi Team

    What’s the implication for eCommerce sites based in Australia, and utilising the PayPal Payment Gateway?

    I note Stripe is already SCA ready.

    Cheers,
    Futr Online

    Futr Online
    June 27, 2019
    • Like all sellers, Australian sellers can expect PSD2/SCA to apply when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA.

      Separately, Australia is also soon to require similar authentication for Australian buyers’ protection.

      Allen Snook
      July 1, 2019
  18. Will it affect Asian countries like India?

    Abhay
    June 27, 2019
    • Like all sellers, sellers in India can expect PSD2/SCA to apply when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA.

      Allen Snook
      July 1, 2019
  19. Hi, Do you have a solution for PayPal?

    Noor Alam
    June 27, 2019
    • We (and PayPal) are working on it. Stay tuned!

      Allen Snook
      July 1, 2019
  20. “SCA applies to subscriptions, too. After September 14, 2019, your customers will have to authenticate the first payment on their subscription.”

    Does this mean for all new subscriptions, or existing subscriptions as well? This could be hugely costly for existing subscription businesses which have many existing subscribers!

    John Asbury
    July 1, 2019
  21. 2 questions:

    1. Are there any parts of the theme that require updating to support SCA? From my personal experience of using SCA, there seems to be a very different workflow.

    2. How do we test SCA on our staging sites? Is there a way to force it in test mode?

    Luke
    July 2, 2019
  22. Thanks for the information. PayPal does not yet accept SCA; would this be an issue? How would we comply?

    Also, how would WooCommerce have the system in place?

    Thank you

    John
    July 5, 2019
  23. I’m looking forward to the new revolution of storing and using customer ID and payment information. In this day and age it is an unnecessary hassle for us merchants to have to worry about keeping customer personal and payment info safe when this can be done by the customers themselves using new-generation mobile apps such as Nuggets Pay and Id, where I thankfully will have no access to the buyers’ info but their purchase and payment will go through regardless. And they are SCA compliant. My current payment gateway is nowhere near being compliant with the new standard, as hinted by one of their representatives.

    Chloe
    July 5, 2019
