What is SCA?
Strong Customer Authentication (SCA)* is a regulation that took effect on September 14, 2019 that requires merchants to use multiple methods of verifying a customer’s identity. To comply with new requirements and make sure your sales don’t take an unnecessary hit, you need to lay the groundwork.
Merchants accepting online payments need to use two independent authentication methods to verify that a customer is who they say they are.
What kinds of authentication are acceptable?
SCA allows for three different authentication methods — something the customer knows, something the customer has, and something the customer is. To succeed, a transaction needs to use two of the three.
What does that mean in practice?
- Asking for a piece of information only the customer knows — their password or the answer to a security question.
- Sending verifying information to something the customer controls — a hardware token or a push notification on their phone.
- Using a physical identifier unique to the customer — a fingerprint or Face ID.
What do I need to do to prepare?
Most payment gateways use 3D Secure 2 – an update to the 3D Secure system – as their main method of complying with SCA. During checkout, the payment gateway prompts the customer to provide the additional authentication elements, and the order is only completed once they do that successfully.
Some payment methods, such as Apple Pay, already incorporate these elements and should be unaffected by SCA.
FAQ
Does SCA apply to merchants outside of the European Economic Area?
Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.
What’s different on/after September 14, 2019?
The requirement for SCA took effect on September 14, 2019. Many regulators in the EEA have granted banks in their respective countries additional time to implement and require SCA. Although this has taken some pressure off, merchants are still advised to update to SCA-ready payment methods as they become available.
If your online store’s payment gateway has an EEA presence but is not SCA ready, declines for EEA-issued payment methods can be expected to gradually increase over the year ahead.
Are any transactions exempt?
Yes. Transactions below € 30 will usually not require SCA. However, SCA will be required after five exempt transactions or if the total amount spent by the customer exceeds € 100.
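To make the low-value exemption concrete, here is an added example (not code from the article or from any payment gateway) that models the issuer-side decision with the thresholds stated above. It assumes the issuing bank keeps, per card, a count of consecutive exempt transactions and the amount spent since the last successful SCA, and resets both once SCA is performed; the function and field names are illustrative.

```python
from dataclasses import dataclass

# Thresholds as stated on the page: a transaction below EUR 30 may be exempt,
# but SCA is required after five exempt transactions or once the cumulative
# amount since the last authentication exceeds EUR 100.
LOW_VALUE_LIMIT_EUR = 30.0
CUMULATIVE_LIMIT_EUR = 100.0
MAX_EXEMPT_COUNT = 5


@dataclass
class CardState:
    """Per-card counters an issuer would track (assumed model, not a real API)."""
    exempt_count: int = 0          # consecutive transactions exempted so far
    spent_since_sca: float = 0.0   # cumulative spend since last successful SCA


def sca_required(state: CardState, amount_eur: float) -> bool:
    """Return True if the issuer must challenge this transaction."""
    if amount_eur >= LOW_VALUE_LIMIT_EUR:          # not "below EUR 30"
        return True
    if state.exempt_count >= MAX_EXEMPT_COUNT:     # five exemptions already used
        return True
    if state.spent_since_sca + amount_eur > CUMULATIVE_LIMIT_EUR:
        return True                                # would exceed EUR 100 in total
    return False


def authorise(state: CardState, amount_eur: float) -> bool:
    """Process one transaction and update the counters.

    Returns True when SCA was performed (counters reset) and False when the
    low-value exemption was applied (counters advanced).
    """
    if sca_required(state, amount_eur):
        state.exempt_count = 0
        state.spent_since_sca = 0.0
        return True
    state.exempt_count += 1
    state.spent_since_sca += amount_eur
    return False


def simulate(amounts_eur: list[float]) -> list[bool]:
    """Run a sequence of transactions on a fresh card; True marks an SCA challenge."""
    state = CardState()
    return [authorise(state, a) for a in amounts_eur]
```

Since the issuer, not the merchant, applies this logic, a store should treat the exemption as a possibility rather than a guarantee and be prepared for a challenge on any EEA-issued card.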
What about subscriptions?
SCA applies to subscriptions, too. On and after September 14, 2019, your customers need to authenticate the first payment on their subscription. Exemptions are granted for recurring charges in many cases, including those that began before September 14, though it is the customer’s bank that determines whether to require SCA or accept the exemption.
What Payment Gateways offered by WooCommerce.com are SCA ready? **
- Stripe
- Amazon Pay
- Global Payments Gateway (formerly Realex)
- PayPal
- PayPal powered by Braintree
- Sage Pay
- Sofort
- Klarna Payments
- Klarna Checkout
What about Payment Gateways offered by others?
Please contact your payment gateway’s developer directly to inquire about SCA readiness.
*Note that this article should not be considered legal advice. Should you have questions or concerns about how your business is impacted by regulations and laws, we strongly recommend consulting with a legal professional.
**This post will be updated as Strong Customer Authentication (SCA) support is extended to additional Payment Gateway Extensions. If you have any questions, feel free to contact WooCommerce.com Support.
What support is available with the ‘PayPal Standard’ gateway for Woo? Thanks, Colin
It looks like PayPal is taking care of this on their side.
A note from their developer website:
Note: PayPal Payments Pro, PayPal-branded transactions, and their funding may be subject to SCA, but PayPal handles the authentication request and processing for you.
More Info: https://developer.paypal.com/docs/psd2-compliance/strong-customer-authentication/
Will these changes affect New Zealand based eCommerce sites?
I believe so – if the customer is based in the EU or is using an SCA bank/card, then SCA will apply.
That’s correct. Merchants worldwide that sell to EEA buyers are likely to be impacted by SCA. PSD2/SCA applies when the acquiring bank is in the EEA AND the buyer’s payment instrument is issued in the EEA.
I am really excited about 3D Secure 2.0, which is, in turn, a major overhauled version of the existing 3-D Secure (3DS) technology. It will not only boost security manifold but also provide a better user experience.
3DS 2.0 is supposed to make the customer authentication process faster and more accurate than 3DS 1.0. It will put an end to the concept of a static password and will ease the process with biometrics and one-time passwords.
You’ve outlined the importance in a very comprehensive manner. A great post for those who are often worried about their security.
A great feed of knowledge indeed!
One thing that is not clear anywhere is whether the stripe gateway plugin – developed by woocommerce – will have the ability to use the new stripe hosted checkout which is sca ready and also a better design than existing woocommerce checkout templates.
Please can you confirm?
Yep, I’m assuming there will either be an update for the plugin or it’ll all be down from redirects on Stripe’s end but it would be nice to have confirmation
Hi John!
Version 4.2 of our Stripe extension added support for SCA for non-recurring payments using existing WooCommerce checkout templates. As you have probably noticed, we have not incorporated Stripe’s new hosted checkout at this time.
Version 4.3 will add support for SCA for recurring payments this summer.
We are considering if and when to add support for Stripe’s new hosted checkout, depending on merchant demand.
Hello Allen, thanks for the info.
Regarding v4.3: what will happen with existing customers with monthly subscriptions, when they sign up e.g. today on 4.2, but then their subscription/monthly payment goes past September 14? For example, on implementing 4.3 or on Sept 14, would they then have to re-authenticate the payments using SCA somehow on the site? (We have some customers whose subscriptions are essentially perpetual until they cancel.)
I’ve emailed Stripe with this question.
I asked them if we’ll need to re-authenticate existing active subscription customers after September 14, 2019.
Here’s their response:
>… the subscriptions should be gated into the new flow without you having to do anything.
> So no, you won’t have to re-authenticate existing active subscription customers after September 14, 2019.
Great, I’m excited.
It will be mandatory to use sca? Or there will be an option to enable and disable?
Hi Rifat!
PSD2/SCA applies when the acquiring bank is in the EEA and the payment instrument is issued in the EEA, however not all banks will require PSD2/SCA right away as they have to update their systems as well.
In the meantime, some gateways like Stripe allow you to control whether or not SCA techniques like 3D Secure 2 are required all the time or not. In the case of Stripe, these settings can be found in Radar Rules.
Hope this helps.
Is it just for European Union?
PSD2/SCA applies when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA. This means that non EU and non EEA sellers with EEA buyers can expect to be affected at least on some fraction of their transactions.
Great to see further security is being introduced as per in person transactions. Hopefully all areas and payment gateways will get on board to make things easy for everyone.
*Sigh* for the greater good I guess. But all these eu regulations do is make it harder for businesses to do business stuff and it’s a hassle for customers, too. As usual…
Hello, Allen;
The nub of my last comment on this platform was that Woocommerce is active. Given this upcoming update, I guess I didn’t even know the full implication of my previous comment. Go Woocommerce!
Warm regards,
Emmanuel Obarhua
I assume that the PayPal by Braintree gateway will be SCA-ready by September too?
https://wordpress.org/plugins/woocommerce-gateway-paypal-powered-by-braintree/
We are working on PayPal Powered by Braintree right now to get it ready for SCA.
What is worrying as both a customer and a seller…
what happens if one party does NOT use a mobile device (I don’t). Although a password is fine, I’ve no way of doing either of the latter two parts. Does this mean I can no longer buy online??
Great question! EEA buyers without mobile devices should contact their bank to inquire about SCA options for them.
Paypal is pretty big for most of us. What’s the update on them?
We (and PayPal) are working on changes to PayPal Powered by Braintree and on PayPal Pro right now to get it ready for SCA. The other PayPal extensions rely on changes on PayPal’s end. We will keep you updated on our (and PayPal’s) progress.
And will WooCommerce First Data Payeezy Gateway
be SCA-ready by September too?
https://woocommerce.com/products/firstdata/
Thank you for your reply!
Hi!
Some changes are likely required for this extension for SCA readiness. We are looking into it.
This article is somewhat confusing/misleading on re-reading it. In the FAQ it states,
Does SCA apply to merchants outside of the European Economic Area?
Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all 27 European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.
———–
Does this mean SCA is *only* applicable to EU EEA countries? If I don’t sell product to the EU or EEA countries, am I still obligated to implement this method?
Second, how does this align with GDPR?
Thirdly, is this a PCI-compliant method if required in the U.S.?
As I read it, if you sell to customers in the EU then that customer will go via a 3D v2 process. I also think that the payment issuers will handle this, so providing the relevant plugins are updated you will be covered wherever you are in the world. I also expect other countries to follow this process, as security with payment is something that is beneficial to customers and businesses, right?
> If I don’t sell product to the EU or EEA countries, am I still obligated to implement this method?
No.
> Second, how does this align with GDPR?
Sellers should review the privacy policies of the payment providers they are using and ensure that their own store’s privacy policies are up to date and in-line with local laws.
> Thirdly, is this a PCI-compliant method if required in the U.S.?
PSD2/SCA readiness should not affect PCI compliance. Did you have a specific concern?
Is this something that’s going to be automatically implemented somehow in a Woocommerce update?
If not, how are we expected to implement it?
How will the gateway “know” if the customer is answering correctly?
> Is this something that’s going to be automatically implemented somehow in a Woocommerce update?
If changes are needed to your payment gateway extension, the update would be to the payment gateway extension itself, not the WooCommerce plugin.
> How will the gateway “know” if the customer is answering correctly?
The payment gateway will be told by the payment processor that they declined the sale for buyers who fail to pass any required authentication.
This does not affect USA customers purchasing in the USA within the European Economic Area; it would have been nice for the author to have made it clearer for the readers.
Hi Team
What’s the implication for eCommerce sites based in Australia, and utilising the PayPal Payment Gateway?
I note Stripe is already SCA ready.
Cheers,
Futr Online
Like all sellers, Australian sellers can expect PSD2/SCA to apply when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA.
Separately, Australia is also soon to require similar authentication for Australian buyers’ protection.
Will it affect Asian countries like India?
Like all sellers, sellers in India can expect PSD2/SCA to apply when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA.
Hi, Do you have a solution for PayPal?
We (and PayPal) are working on it. Stay tuned!
“SCA applies to subscriptions, too. After September 14, 2019, your customers will have to authenticate the first payment on their subscription.”
Does this mean for all new subscriptions, or existing subscriptions as well? This could be hugely costly for existing subscription businesses which have many existing subscribers!
2 questions:
1. Are there any parts of the theme that requires updating to support SCA? From my personal experience of using SCA there seems to be a very different workflow.
2. How do we test SCA on our staging sites? Is there a way to force it in test mode?
Thanks for the information. PayPal does not yet accept SCA; would this be an issue? How would we comply?
Also, how would WooCommerce have the system in place?
Thank you
I’m looking forward to the new revolution of storing and using customer ID and payment information. In this day and age it is an unnecessary hassle for us merchants to have to worry about keeping customer personal and payment info safe when this can be done by the customers themselves using new generation mobile apps such as Nuggets Pay and Id, where I thankfully will have no access to the buyer’s info but their purchase and payment will go through regardless. And they are SCA compliant. My current payment gateway is nowhere near being compliant with the new standard, as hinted by one of their representatives.