
Introducing Strong Customer Authentication (SCA)

Written by Allen Snook on June 10, 2019. Categories: Blog, Security, Taking payments.

What is SCA?

Strong Customer Authentication (SCA)* is a requirement of the EU's revised Payment Services Directive (PSD2) that takes effect on September 14, 2019. It requires that online payments be verified with two independent authentication factors rather than card details alone. To help you comply with the new requirements, and make sure your sales don't take an unnecessary hit, you can lay the groundwork now.

Starting in September, online payments covered by the rules will need two independent authentication factors to verify that a customer is who they say they are; the payment gateway, not the store itself, performs that verification.

[Image: a woman shopping on her mobile phone, carrying shopping bags.] Strong Customer Authentication (SCA) will require a second form of authentication for online purchases. Authentication methods may be a password, Face ID, or a push notification.

What kinds of authentication are acceptable?

SCA recognises three categories of authentication factor: something the customer knows, something the customer has, and something the customer is. To succeed, a transaction has to use factors from two of the three categories, and the two must be independent, so that compromising one (for example, a phone that receives a one-time code) does not also compromise the other.

What does that mean in practice?

  • Asking for a piece of information only the customer knows, like their password or the answer to a security question.
  • Sending verifying information to something only the customer possesses, like a hardware token or a push notification to their registered phone.
  • Using a physical characteristic unique to the customer, like a fingerprint or Face ID.

What do I need to do to prepare?

Most payment gateways will use 3D Secure 2 (3DS2), an update to the 3D Secure system, as their main method of complying with SCA. During checkout, the gateway passes the transaction to the customer's card issuer, which either approves it without interaction (a "frictionless" flow, when its risk assessment or an exemption allows) or challenges the customer to authenticate, for example with a one-time code, a confirmation in their banking app, or a biometric check. The order is completed only once the gateway confirms server-side that the authentication and the payment succeeded; the customer's browser returning from the challenge page is not by itself proof of success.

Some payment methods, like Apple Pay, already incorporate these elements and should be unaffected by SCA.

[Image: the intersection of online shopping, security, and technology.] How to prepare your store for Strong Customer Authentication.

FAQ

Does SCA apply to merchants outside of the European Economic Area?

Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.

What happens on/after September 14, 2019?

If the acquirer or processor behind your store's payment gateway is in the EEA and the gateway is not SCA-ready, payments with EEA-issued cards are likely to be declined by the customer's bank during checkout. Enforcement is up to each issuing bank, so declines may ramp up over time rather than all at once.

Are any transactions exempt?

Yes. Low-value transactions (€ 30 or less) will usually not require SCA. However, SCA will be required again once the customer has made five exempt transactions in a row, or once the total of exempt transactions since the last authentication exceeds € 100; a successful authentication resets both counters. Whether an exemption is applied is decided by the payment providers, ultimately the customer's bank, not by the merchant, and the bank can still require authentication on any transaction it considers risky.

What about subscriptions?

SCA applies to subscriptions, too. After September 14, 2019, your customers will have to authenticate the first payment on a new subscription. Later charges in a series of recurring payments of the same amount to the same merchant are exempt in many cases, and charges under subscriptions that began before September 14 are generally treated the same way, though it is the customer's bank that decides whether to require SCA or accept the exemption.
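The two exemptions above (low value, and recurring charges after the first authenticated payment) are easiest to understand as counters the customer's bank keeps per card. The following is an added example written for this page, not WooCommerce, Stripe or any bank's code: a small issuer-side decision model in Python. It follows the post's reading of the limits (a transaction of € 30 or less is exempt until five such transactions have been exempted, or until their total would exceed € 100, since the last authentication; a successful authentication resets both). The regulation lets a bank apply either the count limit or the amount limit, and real issuers also run their own risk checks, so treat the rule as illustrative. The `Txn`, `PayerState`, `decide` and `simulate` names and the sample transactions are constructed for the example.

```python
from dataclasses import dataclass, field

# Limits as described in the post, in euro cents to avoid float rounding.
LOW_VALUE_LIMIT = 30_00       # a single transaction of at most EUR 30
CUMULATIVE_LIMIT = 100_00     # at most EUR 100 exempted since the last SCA
MAX_EXEMPT_RUN = 5            # at most five exempt transactions since the last SCA


@dataclass
class Txn:
    payee: str
    amount: int                 # euro cents
    recurring: bool = False     # charge in a fixed-amount series (a subscription)


@dataclass
class PayerState:
    """What the customer's bank would track per payer/card (assumed model)."""
    exempt_run: int = 0         # low-value exemptions used since the last SCA
    exempt_total: int = 0       # their cumulative amount, in cents
    authenticated_series: set = field(default_factory=set)  # (payee, amount) pairs

    def record_sca(self) -> None:
        # A successful authentication resets the low-value counters.
        self.exempt_run = 0
        self.exempt_total = 0


def decide(state: PayerState, txn: Txn, issuer_challenges: bool = False) -> str:
    """Return 'sca' or 'exempt:<reason>' for one transaction and update state.

    issuer_challenges models the bank's right to demand SCA regardless of any
    exemption the merchant or acquirer asked for.
    """
    if issuer_challenges:
        state.record_sca()
        return "sca"

    if txn.recurring:
        series = (txn.payee, txn.amount)
        if series in state.authenticated_series:
            return "exempt:recurring"
        # First charge of a new fixed-amount series: the customer must authenticate.
        state.authenticated_series.add(series)
        state.record_sca()
        return "sca"

    if (txn.amount <= LOW_VALUE_LIMIT
            and state.exempt_run < MAX_EXEMPT_RUN
            and state.exempt_total + txn.amount <= CUMULATIVE_LIMIT):
        state.exempt_run += 1
        state.exempt_total += txn.amount
        return "exempt:low_value"

    # Over EUR 30, or the run/cumulative limit would be exceeded: authenticate.
    state.record_sca()
    return "sca"


def simulate(txns, challenge_at=()):
    """Run a sequence for one payer; returns the decision for each transaction."""
    state = PayerState()
    return [decide(state, t, issuer_challenges=(i in challenge_at))
            for i, t in enumerate(txns)]


# Constructed sample: one EEA cardholder's remote purchases over a week.
SAMPLE = [
    Txn("coffee-shop", 25_00),                  # exempt (1 of 5, EUR 25 so far)
    Txn("coffee-shop", 25_00),                  # exempt (EUR 50)
    Txn("bookstore",   25_00),                  # exempt (EUR 75)
    Txn("coffee-shop", 25_00),                  # exempt (EUR 100, limit reached)
    Txn("coffee-shop",  5_00),                  # would exceed EUR 100: SCA, counters reset
    Txn("newsletter",   9_99, recurring=True),  # first charge of a series: SCA
    Txn("newsletter",   9_99, recurring=True),  # same series: exempt
    Txn("newsletter",  12_00, recurring=True),  # amount changed: a new series, SCA
    Txn("electronics", 45_00),                  # above EUR 30: SCA
    Txn("coffee-shop", 10_00),                  # exempt again (1 of 5)
]

if __name__ == "__main__":
    for t, d in zip(SAMPLE, simulate(SAMPLE)):
        kind = "recurring" if t.recurring else ""
        print(f"{t.payee:12s} {t.amount / 100:7.2f} {kind:9s} -> {d}")
```

Running the file prints the decision for each sample transaction. The counters also show why a merchant cannot count on an exemption being granted: the state lives with the issuer, which may already have counted purchases the customer made at other stores.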

What Payment Gateways offered by WooCommerce.com are SCA ready today? **

What about Payment Gateways offered by others?

Please contact your payment gateway’s developer directly to inquire about SCA readiness.

*Note that this article should not be considered legal advice. Should you have questions or concerns about how your business is impacted by regulations and laws, we strongly recommend consulting with a legal professional.

**This post will be updated as Strong Customer Authentication (SCA) support is extended to additional Payment Gateway Extensions. If you have any questions, please feel free to contact WooCommerce.com Support.


42 Responses

  1. colin froggatt
    June 12, 2019 at 1:30 pm #

    What support is available with the ‘PayPal Standard’ gateway for Woo? Thanks, Colin

  2. bdurston
    June 13, 2019 at 6:53 am #

    Will these changes affect New Zealand based eCommerce sites?

    • haszari
      June 28, 2019 at 6:03 am #

      Does SCA apply to merchants outside of the European Economic Area?
      Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA.

      I believe so – if the customer is based in the EU or is using an SCA bank/card, then SCA will apply.

      • Allen Snook
        July 1, 2019 at 10:57 pm #

        That’s correct. Merchants worldwide that sell to EEA buyers are likely to be impacted by SCA. PSD2/SCA applies when the acquiring bank is in the EEA AND the buyer’s payment instrument is issued in the EEA.

  3. Ketanmishra
    June 13, 2019 at 7:53 am #

    I am really excited about 3D Secure 2.0, which is, in turn, a major overhauled version of the existing 3-D Secure (3DS) technology. It will not only boost security manifold but also provide a better user experience.

    The 3DS 2.0 is supposed to make the customer authentication process faster and accurate than 3DS 1.0. It will put an end to the concept of a static password and will ease the process with biometrics and one-time passwords.

    You’ve outlined the importance in a very comprehensive manner. A great post for those who are often worried about their security.

    A great feed of knowledge indeed!

  4. John
    June 14, 2019 at 1:31 pm #

    One thing that is not clear anywhere is whether the Stripe gateway plugin – developed by WooCommerce – will have the ability to use the new Stripe hosted checkout, which is SCA-ready and also a better design than the existing WooCommerce checkout templates.

    Please can you confirm?

    • Adam
      June 19, 2019 at 12:11 pm #

      Yep, I’m assuming there will either be an update for the plugin or it’ll all be done via redirects on Stripe’s end, but it would be nice to have confirmation.

    • Allen Snook
      July 1, 2019 at 11:00 pm #

      Hi John!

      Version 4.2 of our Stripe extension added support for SCA for non-recurring payments using existing WooCommerce checkout templates. As you have probably noticed, we have not incorporated Stripe’s new hosted checkout at this time.

      Version 4.3 will add support for SCA for recurring payments this summer.

      We are considering if and when to add support for Stripe’s new hosted checkout, depending on merchant demand.

      • Neil L
        July 2, 2019 at 11:06 am #

        Hello Allen, thanks for the info.
        Regarding v4.3: what will happen with existing customers with monthly subscriptions, when they sign up e.g. today on 4.2, but then their subscription/monthly payment goes past September 14? For example, on implementing 4.3 or on Sept 14, would they then have to re-authenticate the payments using SCA somehow on the site? (We have some customers whose subscriptions are essentially perpetual until they cancel.)

        • Luke
          July 4, 2019 at 3:53 pm #

          I’ve emailed Stripe with this question.

          I asked them if we’ll need to re-authenticate existing active subscription customers after September 14, 2019.

          Here’s their response:

          >… the subscriptions should be gated into the new flow without you having to do anything.

          > So no, you won’t have to re-authenticate existing active subscription customers after September 14, 2019.

  5. Rifat
    June 15, 2019 at 3:45 am #

    Great, I’m excited.

    Will it be mandatory to use SCA? Or will there be an option to enable and disable it?

    • Allen Snook
      July 1, 2019 at 11:03 pm #

      Hi Rifat!

      PSD2/SCA applies when the acquiring bank is in the EEA and the payment instrument is issued in the EEA, however not all banks will require PSD2/SCA right away as they have to update their systems as well.

      In the meantime, some gateways like Stripe allow you to control whether or not SCA techniques like 3D Secure 2 are required all the time or not. In the case of Stripe, these settings can be found in Radar Rules.

      Hope this helps.

  6. Max
    June 15, 2019 at 10:02 am #

    Is it just for European Union?

    • Allen Snook
      July 1, 2019 at 11:04 pm #

      PSD2/SCA applies when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA. This means that non EU and non EEA sellers with EEA buyers can expect to be affected at least on some fraction of their transactions.

  7. Brad D
    June 18, 2019 at 11:43 pm #

    Great to see further security is being introduced as per in person transactions. Hopefully all areas and payment gateways will get on board to make things easy for everyone.

  8. Arnan
    June 21, 2019 at 9:10 am #

    *Sigh* for the greater good I guess. But all these eu regulations do is make it harder for businesses to do business stuff and it’s a hassle for customers, too. As usual…

  9. Emmanuel Obarhua
    June 21, 2019 at 4:58 pm #

    Hello, Allen;

    The nub of my last comment on this platform was that Woocommerce is active. Given this upcoming update, I guess I didn’t even know the full implication of my previous comment. Go Woocommerce!

    Warm regards,
    Emmanuel Obarhua

  10. David Wang
    June 26, 2019 at 4:26 am #

    I assume that the PayPal by Braintree gateway will be SCA-ready by September too?

    https://wordpress.org/plugins/woocommerce-gateway-paypal-powered-by-braintree/

    • Allen Snook
      July 1, 2019 at 11:05 pm #

      We are working on PayPal Powered by Braintree right now to get it ready for SCA.

  11. Sarah Paine
    June 26, 2019 at 7:28 pm #

    What is worrying as both a customer and a seller…

    what happens if one party does NOT use a mobile device (I don’t). Although a password is fine, I’ve no way of doing either of the latter two parts. Does this mean I can no longer buy online??

    • Allen Snook
      July 1, 2019 at 11:06 pm #

      Great question! EEA buyers without mobile devices should contact their bank to inquire about SCA options for them.

  12. Johnny Ringo
    June 26, 2019 at 7:54 pm #

    Paypal is pretty big for most of us. What’s the update on them?

    • Allen Snook
      July 1, 2019 at 11:07 pm #

      We (and PayPal) are working on changes to PayPal Powered by Braintree and on PayPal Pro right now to get it ready for SCA. The other PayPal extensions rely on changes on PayPal’s end. We will keep you updated on our (and PayPal’s) progress.

  13. praline2013
    June 26, 2019 at 7:59 pm #

    And will the WooCommerce First Data Payeezy Gateway be SCA-ready by September too?

    https://woocommerce.com/products/firstdata/

    Thank you for your reply!

    • Allen Snook
      July 1, 2019 at 11:38 pm #

      Hi!

      Some changes are likely required for this extension for SCA readiness. We are looking into it.

  14. Efrem R. Jasso
    June 26, 2019 at 8:18 pm #

    This article is somewhat confusing/misleading on re-reading it. In the FAQ it states,

    Does SCA apply to merchants outside of the European Economic Area?

    Yes. SCA applies when the acquiring bank or processor is in the European Economic Area (EEA) and the customer’s payment instrument is issued in the EEA. The EEA includes all 27 European Union member states as well as Iceland, Liechtenstein, and Norway. The location of the merchant does not matter.
    ———–

    Does this mean SCA is *only* applicable to EU EEA countries? If I don’t sell product to the EU or EEA countries, am I still obligated to implement this method?

    Second, how does this align with GDPR?

    Thirdly, is this a PCI-compliant method if required in the U.S.?

    • Craig
      June 27, 2019 at 1:38 pm #

      As I read it, if you sell to customers in the EU then that customer will go via a 3D v2 process. I also think that the payment issuers will handle this, so providing the relevant plugins are updated you will be covered wherever you are in the world. I also expect other countries to follow this process, as security with payment is something that is beneficial to customers and businesses, right?

    • Allen Snook
      July 1, 2019 at 11:13 pm #

      > If I don’t sell product to the EU or EEA countries, am I still obligated to implement this method?

      No.

      > Second, how does this align with GDPR?

      Sellers should review the privacy policies of the payment providers they are using and ensure that their own store’s privacy policies are up to date and in-line with local laws.

      > Thirdly, is this a PCI-compliant method if required in the U.S.?

      PSD2/SCA readiness should not affect PCI compliance. Did you have a specific concern?

  15. wolfemacleod
    June 26, 2019 at 8:53 pm #

    Is this something that’s going to be automatically implemented somehow in a Woocommerce update?
    If not, how are we expected to implement it?
    How will the gateway “know” if the customer is answering correctly?

    • Allen Snook
      July 1, 2019 at 11:15 pm #

      > Is this something that’s going to be automatically implemented somehow in a Woocommerce update?

      If changes are needed to your payment gateway extension, the update would be to the payment gateway extension itself, not the WooCommerce plugin.

      > How will the gateway “know” if the customer is answering correctly?

      The payment gateway will be told by the payment processor that they declined the sale for buyers who fail to pass any required authentication.

  16. Nick
    June 27, 2019 at 12:55 am #

    This does not affect USA customers purchasing in the USA within the European Economic Area; it would have been nice for the author to have made it clearer for the readers.

  17. Futr Online
    June 27, 2019 at 1:44 am #

    Hi Team

    What’s the implication for eCommerce sites based in Australia, and utilising the PayPal Payment Gateway?

    I note Stripe is already SCA ready.

    Cheers,
    Futr Online

    • Allen Snook
      July 1, 2019 at 11:18 pm #

      Like all sellers, Australian sellers can expect PSD2/SCA to apply when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA.

      Separately, Australia is also soon to require similar authentication for Australian buyers’ protection.

  18. Abhay
    June 27, 2019 at 5:28 am #

    Will it affect Asian countries like India?

    • Allen Snook
      July 1, 2019 at 11:19 pm #

      Like all sellers, sellers in India can expect PSD2/SCA to apply when the acquiring bank is in the EEA and the buyer’s payment instrument is issued in the EEA.

  19. Noor Alam
    June 27, 2019 at 5:56 am #

    Hi, Do you have a solution for PayPal?

    • Allen Snook
      July 1, 2019 at 11:19 pm #

      We (and PayPal) are working on it. Stay tuned!

  20. John Asbury
    July 1, 2019 at 7:41 pm #

    “SCA applies to subscriptions, too. After September 14, 2019, your customers will have to authenticate the first payment on their subscription.”

    Does this mean for all new subscriptions, or existing subscriptions as well? This could be hugely costly for existing subscription businesses which have many existing subscribers!

  21. Luke
    July 2, 2019 at 11:26 am #

    2 questions:

    1. Are there any parts of the theme that require updating to support SCA? From my personal experience of using SCA there seems to be a very different workflow.

    2. How do we test SCA on our staging sites? Is there a way to force it in test mode?

  22. John
    July 5, 2019 at 4:25 am #

    Thanks for the information. PayPal does not yet accept SCA; would this be an issue? How would we comply?

    Also how would woocommerce have the system in place.

    Thank you

  23. Chloe
    July 5, 2019 at 10:22 pm #

    I’m looking forward to the new revolution of storing and using customer ID and payment information. In this day and age it is an unnecessary hassle for us merchants to have to worry about keeping customer personal and payment info safe when this can be done by the customers themselves using new-generation mobile apps such as Nuggets Pay and Id, where I thankfully will have no access to the buyer’s info but their purchase and payment will go through regardless. And they are SCA compliant. My current payment gateway is nowhere near being compliant with the new standard, as hinted by one of their representatives.
