Strong Customer Authentication (SCA) takes effect on September 14, 2019.
What is Strong Customer Authentication or SCA?
Strong Customer Authentication (SCA) is part of the PSD2 (Payment Services Directive 2) regulation in Europe and will require changes to how your European customers authenticate online payments in order to help reduce fraud. After the deadline, any European customer who pays online must use two-factor authentication. Otherwise, the payment will not go through.
Up until now, customers of your membership site located in Europe could pay using just their credit card and security number. Now they’ll need a second security factor to complete the payment.
Two-factor authentication in payments isn’t something new. It has been used for quite some time in online banking, for example.
However, once SCA takes effect, European card payments will require a different user experience, namely 3D Secure. Transactions that don’t follow the new authentication guidelines may be declined by your customers’ banks.
The only exception to this is if the payment amount is less than 30 euros. Then the two-factor authentication is not required.
How does SCA affect your WordPress membership site?
If your membership site powered by Paid Member Subscriptions is accepting payments from European customers, you need to comply with the SCA regulations.
Depending on the payment gateway you’re using, the steps you need to take for compliance are really simple:
1. PayPal Standard and PayPal Express
Since both PayPal Standard and Express Checkout happen mostly on the PayPal side, you don’t need to make any updates to the payment gateway add-ons. European customers checking out with PayPal (Standard and Express) will receive an SCA challenge in PayPal.
The Stripe API changed in order to support 3D Secure payments. If you’re using the Stripe add-on for Paid Member Subscriptions to collect payments, you simply need to update both the core plugin and the Stripe add-on to the latest version.
So, as long as you keep Paid Member Subscriptions and the Stripe Add-on updated, you’re good to go.
Stripe Add-on for Paid Member Subscriptions
The Stripe add-on has been updated to use the Stripe Payment Intents API. The Payment Intents API complies with the Strong Customer Authentication regulation in Europe by adding support for 3D Secure when it’s required to complete the payment.
When you update both Paid Member Subscriptions and the Stripe add-on, you’ll notice two gateway options:
- Stripe (Payment Intents)
Only one gateway can be selected. They are similar, except that one uses the old API, while Stripe (Payment Intents) supports payments made with additional authentication (3D Secure, 3D Secure 2), making it SCA compliant.
What happens if I’m using the Stripe add-on now?
If you’re currently using the Stripe add-on and are looking to be SCA compliant, simply upgrade to the latest version and select Stripe (Payment Intents) under Paid Member Subscriptions -> Settings -> Payments -> Active Payment Gateways.
We’re also displaying a temporary warning for anyone who decides to use the old Stripe API, which is not SCA compliant.
Will this affect my existing subscriptions?
Existing recurring subscriptions will need to be authenticated. When this happens, the plugin will send the member an email containing a link to the authentication page.
After clicking on the link, the member will be redirected to the website, where a popup for the 3D Secure authentication will appear. After the authentication is confirmed, the user’s subscription will resume normally.
This will happen only for the first payment of each user after the regulation is enforced; subsequent payments will not require the authentication anymore.
What will the subscription form look like?
With Stripe (Payment Intents), the registration form allowing subscription payments will no longer contain separate credit card fields. Instead, it will display a simplified card payment input with all the fields loaded inline.
Once the form is submitted your customers will be asked to verify their identity with a push notification, a text message, or another method chosen by their bank. Once it’s verified, the payment will be completed.
What if I don’t upgrade?
You can still continue to accept payments using the old Stripe API. However, if your business is located in the European Economic Area (EEA) or you accept card payments from customers in the EEA, you are required to use the Stripe (Payment Intents) gateway in order for payments to be processed correctly. Otherwise, you will start seeing transactions being declined due to `Authentication` errors.
Your existing subscriptions will continue to work and renewal payments will be processed. Also, the registration form will display a simplified payment input with all the fields loaded inline.