In case you didn’t know, since January 1, 2021 it is mandatory that all online payment systems comply with the European regulation PSD2, to guarantee the security of online payments. This is if you want to make or receive payments with businesses or clients in the European Economic Area.
What is the PSD2 regulation?
PSD2 is the name given to Directive 2015/2366 of the European Parliament and the Council on payment services in the internal market.
It is a regulation that mainly seeks transparency, security and standardization of digital services, as well as protection of the rights of users to purchase online in Europe.
Its application has been postponed in recent years but it has been effective since January 1, 2021 and is mandatory.
What is the SCA?
SCA is the part of the regulation that requires double identification of buyers in online stores.
This Strong Customer Authentication consists of requesting additional information from the buyer, to ensure that they are who they say they are, when the risk analysis systems or the buyer’s bank identify an operation with a high risk of fraud.
Examples of this additional information may be:
- One-time use code sent by SMS to the buyer’s cell phone
- Card PIN for internet purchases
- Biometric identification in your bank’s app
Now that the requirements are in effect, most online sales transactions have to be authenticated with at least two of these three security factors. They have to be processed through a “Secure Purchase” protocol (3D Secure).
Where is it mandatory to implement PSD2 and SCA?
Enhanced customer identification applies to “customer-initiated” online payments in Europe.
Most card payments and all bank transfers require the SCA.
For Internet card payments, these requirements apply to transactions where both the company and the cardholder’s bank are located in the European Economic Area (EEA).
In short, if your online store is located in the European Union or if you sell to customers in the European Union, it is mandatory to offer the SCA.
How do PSD2 and SCA change the payment process for online purchases?
Once secure payment is implemented, paying for a purchase will involve at least 3 steps:
- Start the payment
Your customer completes his card details and the purchase form to initiate payment.
- Activate double identification
The payment gateway detects if double identification is required. If so, it uses 3D Secure to identify the customer using a unique access code or biometric ID, depending on what the bank accepts or determines.
- Complete the payment
Once the customer’s identity has been confirmed by 3D Secure, the card or bank account can be charged.
Who has to guarantee secure payment?
Although online stores that have been processing their payments without identification (unsecured purchase) must now offer secure purchase with double identification, the reality is that most of the adaptation process towards PSD2 and SCA must be done by the payment issuers and processors, that is, the banks, the card brands and the payment platforms or gateways.
You, as the person responsible for an online store, must make sure to process as “secure purchase” (3D Secure) all the operations in which it is mandatory, as there are exceptions.
SCA exempt payments
However, there are some types of payment that are exempt from the Enhanced Customer Identification or SCA, which are as follows:
- Recurring payments are considered “merchant-initiated” and do not require enhanced identification. SCA is required only on the initial payment. Very important: Subscriptions initiated prior to the effective date do not have to be identified by SCA.
- Contactless card payments
- Card payments made in person.
- Payments initiated by phone or mail.
- Payments with anonymous prepaid cards.
- Payments ≤ 30€.
- Payments considered as low risk of fraud by the entity.
What do I have to do to check if my online store is ready for PSD2 and SCA?
Once you have understood the above, and since the adaptation work falls mainly on payment gateways and banks, the most important thing you have to do is check whether your bank and the payment gateways you offer in your online store are PSD2 and SCA compliant through 3D Secure.
The first step is to use WooCommerce for your online store, as it offers many payment gateways adapted to SCA:
- Sage Pay
SCA and PSD2 compatible payment gateways
As I was saying, if you use WooCommerce you can be practically certain that most of the payment gateways built for the plugin are SCA compliant; the main ones already have specific pages stating their compatibility:
Using any of these gateways will activate 3D Secure for card transactions issued in the European Economic Area and the United Kingdom (post Brexit, at least for the time being), as required by this directive. You don’t need to change anything.
Banks prepared for SCA and PSD2
Of course, none of the above will take effect if the bank of the customer’s payment method has not adapted to the PSD2 regulation and does not require SCA.
So yes, the customer may not be asked for SCA through 3D Secure even if the payment gateway is prepared for it, simply because their bank does not require it.
This would be totally irregular for a European bank, as all of them are obliged to do so. However, if the customer's bank is in a non-EU country, it may not require SCA double identification. This is becoming increasingly rare, but it happens.
Check if it is working
As far as I know, the only foolproof method of checking whether Enhanced Customer Identification is working in your online store is to test it yourself by making a purchase with each of the active payment gateways.
The process would be as we have seen:
- You choose the payment method and accept the store’s conditions, privacy, etc.
- Enter your payment method details, or you are redirected to the chosen platform.
- You will be required to provide double identification (SMS, pin, biometrics in the bank app, etc.)
- Finish the payment.
However, in Stripe you can see if payments are being made through SCA.
You can go to the Developers -> Logs section and check whether there are transactions with the payment_intents identifier, which indicates that the payment has been processed through the Stripe API for SCA.
You will see that there are other identifiers (charges, sources, etc.) that are not SCA payments, usually associated with recurring payments and other types of exemptions/exclusions, as we saw earlier.
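The log check above and the exemption list from earlier can be combined into a small audit script. This is an added example, not code from the original post or from Stripe: it walks over constructed records flattened from the fields a merchant would read in the Logs view (request path, amount, card country, whether the charge was merchant-initiated, and the 3D Secure result on the charge), and labels each one as exempt, SCA-processed, sent through the legacy charges/sources API, or SCA-capable but never challenged by the issuer. The record layout, the ids and the amounts are all assumptions made for the example.

```python
# EEA members plus GB, which the post says is still treated the same after Brexit.
EEA_ISSUERS = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IS", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL", "PT", "RO", "SK", "SI",
    "ES", "SE", "GB",
}
SCA_THRESHOLD_CENTS = 3000  # the post's 30 EUR exemption; Stripe amounts are in cents

# Constructed records, flattened from what the Stripe Developers -> Logs view shows
# (request path plus a few response fields). Ids and values are invented.
SAMPLE_LOGS = [
    {"id": "pi_EXAMPLE_1", "path": "/v1/payment_intents", "amount": 4500, "currency": "eur",
     "card_country": "ES", "merchant_initiated": False, "three_d_secure": {"result": "authenticated"}},
    {"id": "pi_EXAMPLE_2", "path": "/v1/payment_intents", "amount": 1250, "currency": "eur",
     "card_country": "FR", "merchant_initiated": False, "three_d_secure": None},
    {"id": "ch_EXAMPLE_3", "path": "/v1/charges", "amount": 8000, "currency": "eur",
     "card_country": "DE", "merchant_initiated": True, "three_d_secure": None},
    {"id": "ch_EXAMPLE_4", "path": "/v1/charges", "amount": 12000, "currency": "eur",
     "card_country": "IT", "merchant_initiated": False, "three_d_secure": None},
    {"id": "pi_EXAMPLE_5", "path": "/v1/payment_intents", "amount": 6000, "currency": "eur",
     "card_country": "US", "merchant_initiated": False, "three_d_secure": None},
    {"id": "pi_EXAMPLE_6", "path": "/v1/payment_intents", "amount": 7500, "currency": "eur",
     "card_country": "PT", "merchant_initiated": False, "three_d_secure": None},
]

def sca_expected(rec):
    """Apply the post's exemptions: non-EEA issuer, merchant-initiated, or <= 30 EUR."""
    if rec["card_country"] not in EEA_ISSUERS:
        return False
    if rec["merchant_initiated"]:  # recurring charge after the SCA'd first payment
        return False
    if rec["currency"] == "eur" and rec["amount"] <= SCA_THRESHOLD_CENTS:
        return False
    return True

def classify(rec):
    """Label one record: exempt, sca_ok, legacy_api, or no_3ds."""
    if not sca_expected(rec):
        return "exempt"
    if not rec["path"].startswith("/v1/payment_intents"):
        return "legacy_api"  # charges/sources flow cannot carry the 3DS challenge
    if rec["three_d_secure"] is None:
        return "no_3ds"  # SCA-capable flow, but the issuer did not challenge
    return "sca_ok"

def audit(logs):
    """Return {id: label}; review the legacy_api and no_3ds entries."""
    return {rec["id"]: classify(rec) for rec in logs}
```

The two labels worth following up are legacy_api (the gateway integration is still using the old flow for a payment that should have been challenged) and no_3ds (the gateway was ready but the cardholder's bank did not require SCA, as discussed above).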
Do I have to do anything else to adapt my online store to PSD2?
If you have checked all of the above and…
- You use WooCommerce
- You offer SCA-compatible payment gateways
You only have one step left that many forget…
Adapt the terms and conditions of sale in your online store to indicate the new payment procedure, informing your customers of the steps they will encounter from now on when making payments.
With this you will avoid unpleasantness, abandoned carts and problems in general. A good practice that some online stores have already adopted is to send an informative notice by email to their registered customers, describing the new procedure and explaining the reasons for it (PSD2, more security, etc.).
Will the implementation of the PSD2 regulation affect my sales?
Yes, online stores that track abandoned carts have reported that unfinished payment processes have increased by 20%.
To avoid this, or at least reduce the impact, inform your customers as well and as thoroughly as possible. Let them know why it is happening and what the benefits are.
Read this post in Spanish: WordPress, PSD2 y SCA ¿qué tengo que hacer para cumplir en mi tienda online?