We know, it seems like we've all only just recovered from all those GDPR changes, and now more legislation is coming into play! The good news, however, is that these changes will make your ecommerce site much more secure by adding a further layer of authentication to every checkout.
What’s the change?
From September 2019, most ecommerce payments will have to undergo Strong Customer Authentication (SCA).
SCA will mean ecommerce businesses handling online transactions must use at least two independent authentication items when a customer checks out. Authentication means verifying a customer's identity before accepting their online payment.
So what are these authentication items? You will have to authenticate your customers using at least two of the following three categories:
- Something only the customer knows: In context, this means setting up your online checkout to always have the customer use a password, a security question, a validation code or something along those lines. Please note that card data (for example the long 16-digit card number, the expiry date or the CVV) does not count. It must be something uniquely created by the customer to safeguard the payment.
- Something the customer possesses: This one is slightly more abstract. The authentication must use something like a hardware token or the customer’s mobile phone.
- Something the customer is (unique features): Here the customer can use their unique biometrics to safeguard their payments through things like an iris scan, facial recognition or a fingerprint. I know that this one seems a little futuristic, but with technology advancing and new smartphone models hitting the market with amazing new features, the future is now.
Why is this change coming into effect?
Quite simply, it's to protect your customers' payment and personal details.
As we've said above, with technological advancements and so much commerce happening online, there are more and more hackers out there looking for vulnerabilities, so you as a business have to be more and more vigilant and take measures to protect against that happening.
By changing your site to use SCA, you're addressing these threats and ensuring the security of your customers' electronic payments.
By using this, you can also shift your liability for a fraud dispute from your business to the cardholder's bank. So even if this change wasn't mandatory (which it is), you'd probably want to make the change anyway.
When do you need to be compliant by?
From September 14th 2019, any unverified payments that require SCA will be declined by the customer's bank. That's right, if you don't make this change, you could be forfeiting actual business. Most payment gateways will be updating their platforms to cater for these changes with "3D Secure 2 Authentication" from May onwards, so you've got a bit of time between the rollout of these changes and the deadline.
Who will this legislative change affect?
If you use Apple Pay, iDeal or Bancontact, you're in luck: you don't have to do anything, as these payment gateways already use the additional layer of authentication and are therefore compliant. However, if you use any other payment gateway, you will be affected by this new legislation.
There are, however, some exemptions to SCA. Yes, that's right, even if you don't use Apple Pay, you may still not have to make any changes if you meet one of the following criteria. Please note that there may be more, but we deemed these to be the most relevant to our clients:
- Low-value transactions (under €30)
If a customer buys a product and it is considered to be a "low value transaction", SCA will not need to be applied. If, however, that same card has been used to purchase more than 5 items under €30 which have been exempt from SCA, or if the exempted transactions add up to more than €100, you may still be subject to SCA. It is up to the payment provider or the card holder's bank to track this and decide whether SCA must be applied or whether the exemption still stands.
- Recurring payments
Recurring payments to the same business for the same sum of money will not be subject to SCA. SCA may still be required for the first payment, but not for the subsequent ones.
- Trusted beneficiaries
Under this new legislation, your customers may have the option to class you as one of their "trusted beneficiaries". This means that your customer could let their bank know that any payments to your business should be considered non-fraudulent and be processed without needing SCA. Again, the first payment of this type may be subject to SCA, but after the whitelisting there are no further limits on value, number of transactions, etc. If, however, your customer amends their whitelist, any transactions they make to your business may be subject to SCA once more.
- Corporate payments
Cards considered "lodged", where a corporate card is held directly with a third party (for example a corporate card used to pay for employee car rentals that is held on file with the car rental company), are exempt from SCA.
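To make the exemption rules above concrete, here is an added illustrative model in Python (not code from any gateway, bank or this agency) of the per-card tracking the post says the card holder's bank or payment provider performs: the under-€30 exemption with its "more than 5" and "more than €100" cumulative limits, the recurring-payment rule and the trusted-beneficiary whitelist. It assumes that a completed SCA challenge resets the cumulative counters and records the authenticated amount for the recurring check, which the post does not state.

```python
from dataclasses import dataclass, field

# Thresholds as the post phrases them: "under €30" per transaction,
# "more than 5" exempt items or "more than €100" exempt in total -> SCA.
LOW_VALUE_LIMIT = 30.00
EXEMPT_COUNT_CAP = 5
EXEMPT_TOTAL_CAP = 100.00


@dataclass
class CardState:
    """Per-card state the issuer or PSP keeps between SCA challenges (model only)."""
    exempt_count: int = 0                  # low-value payments exempted since last SCA
    exempt_total: float = 0.0              # their summed amount
    authenticated: dict = field(default_factory=dict)  # merchant -> amount last authenticated
    trusted: set = field(default_factory=set)          # cardholder's whitelist of merchants


def sca_required(card, merchant, amount, recurring=False):
    """Decide whether a payment needs an SCA challenge and update the card's counters.

    Returns (needs_sca, reason). The real decision sits with the card holder's
    bank or payment provider; this only models the rules listed in the post.
    """
    if merchant in card.trusted:
        return False, "trusted beneficiary"
    # Recurring payment: same merchant and same sum as a payment that already
    # passed SCA (the first payment in the series still gets challenged).
    if recurring and card.authenticated.get(merchant) == amount:
        return False, "recurring payment, same merchant and amount"
    if (amount < LOW_VALUE_LIMIT
            and card.exempt_count < EXEMPT_COUNT_CAP
            and card.exempt_total + amount <= EXEMPT_TOTAL_CAP):
        card.exempt_count += 1
        card.exempt_total += amount
        return False, "low-value exemption"
    # SCA is applied. Assumption: a completed challenge resets the cumulative
    # counters and records the amount so a later recurring payment can be exempt.
    card.exempt_count = 0
    card.exempt_total = 0.0
    card.authenticated[merchant] = amount
    return True, "SCA challenge"
```

Running a sixth €20 payment, or a fifth €25 payment, through `sca_required` on a fresh card shows the count and amount caps triggering a challenge independently of each other.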
Where? Does this just apply to the UK?
If you are reading this in the States or anywhere else in the world outside of Europe, and are feeling like you don't need to read the rest of this article because it only applies to businesses in Europe, you'd be wrong. SCA will actually apply to you too if the cardholder's bank and your payment provider are both located in the EU.
What do you need to do next?
The best thing for you to do as an online ecommerce business owner is to check with your payment gateway and ask them how they are handling this change.
In most cases, the payment gateway providers will already be well on the way to making changes to their plugin or integration, so that complying with the SCA requirement will be a relatively painless change for you.
For WooCommerce site owners it will likely mean the release of an updated plugin for your payment gateway (for example, WorldPay will release an updated plugin that is SCA compliant).
Once the update is released, you should ask your web developer to set up your site on a test server, install or update the plugin, and then confirm that it's working by placing some test transactions before making these changes live.
Failure to make the changes may affect your ability to process successful transactions, so it's really important that these changes are made by the deadline; add something to your calendar now.
If you’d like to know more about this legislative change, more can be found out here.
In the interim, if you have any questions relating to 3DS v2 and what may be required of you, please don’t hesitate to drop us a note via our contact form.