Strong Customer Authentication (SCA) takes effect on September 14, 2019*. Let’s look at what it is, why it’s important, and how it affects your EDD-powered store.
Update: Be sure to check out our latest updates on SCA.
What is SCA?
Strong Customer Authentication (SCA) is a European regulation that requires merchants to use two methods of verification to authenticate customers’ identities. This is likely the first of many international regulations that endeavour to protect merchants and customers alike.
When SCA takes effect, a form of two-factor authentication will be required for most online card payments in Europe. From the 14th of September, European banks will decline payments that require SCA and do not have this additional authentication.
SCA applies to “customer-initiated” online payments within Europe. This means that almost all card payments and all bank transfers will require SCA.
SCA requires customers to use at least two of the following three methods of verification:
- Something the customer knows (such as a password or PIN)
- Something the customer has (such as a phone or hardware token)
- Something the customer is (such as a fingerprint or face recognition)
Why is SCA important?
This new requirement is aimed at reducing fraud and making online payments more secure. This protects the merchant (that’s you), as well as the customer.
You can find the official SCA requirements in the Regulatory Technical Standards (RTS).
How SCA affects your EDD-powered store
For online purchases with a debit or credit card, SCA will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA).
Selling subscriptions? SCA will apply to the first payment. However, recurring or ongoing direct debits or subscriptions are considered “merchant-initiated” and will generally not require additional customer authentication unless there is a change in the cost of the recurring payment.
Exemptions from SCA
Low-value transactions below €30 will generally be exempt from SCA. However, if the customer makes five purchases or their total amount spent goes above €100, SCA will be required.
Ultimately, the cardholder’s bank will decide whether or not a transaction is exempt. Read more about possible exemptions.
What is EDD doing about SCA?
SCA readiness in Easy Digital Downloads is our top priority. The new update will include support for the new Stripe Payment Intents API.
Stripe Payment Intents API & SCA support
The Stripe gateway has been completely refactored to use the Stripe Payment Intents API instead of the old Charges API. The Payment Intents API complies with the Strong Customer Authentication regulation in Europe by adding support for 3D Secure when it’s required to complete the payment.
We’re finalizing how it integrates with our system, and are working to have SCA-related features implemented in EDD before September 14th (the original planned date) so you have time for configuration and testing.
*We are also monitoring a possible delay of the SCA enforcement. At this time, we are continuing to work towards the original date of September 14th. You can learn more about the delay on Stripe’s website.
Removing the Stripe Checkout modal
Unfortunately, Stripe is no longer recommending the use of this modal and they will not be updating it to support the Strong Customer Authentication requirements. As a result, we have decided to remove the current Stripe Checkout option from Easy Digital Downloads to ensure SCA compliance.
If you’re using the current Stripe Checkout then you will automatically be swapped over to our normal Stripe gateway when you update.
Will this affect my existing subscriptions?
As this is a design change only, it does not affect payment processing or renewals. Customers who have active recurring subscriptions that were created via Stripe Checkout will still have their renewal payments processed by Stripe and picked up by Easy Digital Downloads.
Updates to gateways
The following gateways will be updated for SCA. The exact release date is not confirmed just yet, but updates will be released as soon as they are ready:
- PayPal Pro
The following gateways will not receive updates for SCA support at this time. If you require SCA support and use any of the gateways below, you’ll need to switch to a gateway that supports SCA:
- 2Checkout Onsite
- PayPal Payments Advanced
If you’re using the following gateways, no action needs to be taken. These gateways process payments offsite:
- PayPal Standard
- PayPal Express
- 2Checkout (not 2Checkout Onsite)
What do I need to do?
As Stripe adds SCA-related tools to their dashboard, you may need to configure a few items and/or update the version of the Stripe API leading up to September 14th. We’ll release more details as they become available, and if you have any questions, please let us know.
To get ready for SCA, you or your host will also need to ensure that your website is running on a server with PHP version 5.6 or greater. Additionally, when the Easy Digital Downloads update is released, you’ll need to update to the latest plugin version.
Where can I learn more about SCA?
For more information about SCA, Stripe is an excellent resource:
- Stripe – Strong Customer Authentication
- Stripe Blog – SCA Readiness
- Stripe Docs – Strong Customer Authentication
And if you have any questions, please feel free to drop them in the comments below.
Please note: We’re not lawyers here at EDD, so for further questions about international laws and regulations, and peace of mind, we recommend seeking advice from a legal professional.