Strong Customer Authentication (SCA) is coming
Strong Customer Authentication (SCA) takes effect on September 14, 2019*. Let’s look at what it is, why it’s important, and how it affects your EDD-powered store.
Update: Be sure to check out our latest updates on SCA.
What is SCA?
Strong Customer Authentication (SCA) is a European regulation that requires merchants use two methods of verification to authenticate customers’ identities. This is likely the beginning of many international regulations that endeavour to protect merchants and customers alike.
When SCA takes effect, a form of two-factor authentication will be required for most online card payments in Europe. From the 14th of September, European banks will decline payments that require SCA and do not have this additional authentication.
SCA applies to “customer-initiated” online payments within Europe. This means that almost all card payments and all bank transfers will require SCA.
SCA requires customers use at least two of the following three methods of verification:
- Something the customer knows (such as a password or PIN)
- Something the customer has (such as a phone or hardware token)
- Something the customer is (such as a fingerprint or face recognition)
Why is SCA important?
This new requirement is aimed at reducing fraud and making online payments more secure. This protects the merchant (that’s you), as well as the customer.
You can find the official SCA requirements in the Regulatory Technical Standards (RTS).
How SCA affects your EDD-powered store
For online purchases with a debit or credit card, SCA will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA).
Selling subscriptions? SCA will apply to the first payment, however recurring or ongoing direct debits or subscriptions are considered “merchant-initiated” and will generally not require additional customer authentication unless there is a change in the cost of the recurring payment.
Exemptions from SCA
Low-value transactions below € 30 will generally be exempt from SCA. However, if the customer makes five purchases or their total amount spent goes above € 100, SCA will be required.
Ultimately, the cardholder’s bank will deem whether or not a transaction will be exempt. Read more about possible exemptions.
What is EDD doing about SCA?
SCA readiness in Easy Digital Downloads is our top priority. The new update will include support for the new Stripe Payment Intents API.
Stripe Payment Intents API & SCA support
The Stripe gateway has been completely refactored to use the Stripe Payment Intents API instead of the old Charges API. The Payment Intents API complies with the Strong Customer Authentication regulation in Europe by adding support for 3D Secure when it’s required to complete the payment.
We’re finalizing how it integrates with our system, and are working to have SCA-related features implemented in EDD before September 14th (the original planned date) so you have time for configuration and testing.
*We are also monitoring a possible delay of the SCA enforcement. At this time we will be continuing to work towards the original date of September 14th. You can learn more about the delay on Stripe’s website.
Removing the Stripe Checkout modal
Unfortunately, Stripe is no longer recommending the use of this modal and they will not be updating it to support the Strong Customer Authentication requirements. As a result, we have decided to remove the current Stripe Checkout option from Easy Digital Downloads to ensure SCA compliance.
If you’re using the current Stripe Checkout then you will automatically be swapped over to our normal Stripe gateway when you update.
Will this affect my existing subscriptions?
As this is a design change only, it does not affect payment processing or renewals. Customers who have active recurring subscriptions that were created via Stripe Checkout will still have their renewal payments processed by Stripe and picked up by Easy Digital Downloads.
Updates to gateways
The following gateways will be updated for SCA. The exact release date is not confirmed just yet, but updates will be released as soon as they are ready:
- Stripe
- PayPal Pro
The following gateways will not receive updates for SCA support at this time. If you require SCA support, and use any of the below gateways that will not support SCA, you’ll need to switch to a gateway that has support for SCA:
- 2Checkout Onsite
- PayPal Payments Advanced
- Braintree
- Authorize.net
If you’re using the following gateways, no action needs to be taken. These gateways process payments offsite:
- PayPal Standard
- PayPal Express
- 2Checkout (not 2Checkout Onsite)
What do I need to do?
As Stripe adds SCA-related tools to their dashboard, you may need to configure a few items and/or update the version of the Stripe API leading up to September 14th. We’ll release more details as they become available, and if you have any questions, please let us know.
To get ready for SCA, you or your host will also need to ensure that your website is running on a server with PHP version 5.6 or greater. Additionally, when the Easy Digital Downloads update is released, you’ll need to update to the latest plugin version.
Where can I learn more about SCA?
For more information about SCA, Stripe is an excellent resource:
- Stripe – Strong Customer Authentication
- Stripe Blog – SCA Readiness
- Stripe Docs – Strong Customer Authentication
And if you have any questions, please feel free to drop it in the comments below.
Please note: We’re not lawyers here at EDD, so for further questions about international laws and regulations, and peace of mind, we recommend seeking advice from a legal professional.
Using WordPress and want to get Easy Digital Downloads for free?
Enter the URL to your WordPress website to install.
Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. We only recommend products that we believe will add value to our readers.
Is there no work around to the Stripe checkout modal? This is such a nice feature to make the checkout process smoother. Is this the alternative? https://stripe.com/payments/checkout
If so will EDD be providing this as an option?
@Andrew
Stripe is deprecating the Stripe Checkout Modal entirely. The new Checkout (v2) is not a modal but an off-site checkout page (much like PayPal).
Since this is such a drastic change compared to the Checkout v1 (the modal), it was not a simple 1-to-1 change and felt it would be highly disruptive to people who had chosen and expected the modal implementation
We are looking to support the new Checkout in the near future, after we complete our focus on SCA.
Are you kidding? Because of changes in Europe my existing store is forced to made updates with less than a months notice?
Recommendation:
Leave Stripe modal option in place for those that choose to use it until they have time to process the required changes. Stripe may be depreciating it but that’s not happening today, is it? Leave your customers with the options the bought in for. This should not be forced, especially on such a short time frame. This is VERY disruptive.
@Joe,
It is not just because of Europe. The Checkout v1 Implementation simply is not part of the updated Stripe JavaScript library. Leaving it in place isn’t an option because the Stripe JavaScript library does not contain the modal checkout code any longer.
I Do apologize for this disruption, however it is out of our control on that end. Even if SCA didn’t happen we would eventually have to move to Stripe Elements for PCI Compliance standards, which requires v3 of the Stripe JavaScript library as well.
@Joe
As a note, I failed to mention, we are looking into an alternative that would ‘mimc’ the Stripe Checkout v1 modal using the Stripe Elements library that comes with the new version of their Stripe Javascript library, and will look into a way to implement this if possible.
An alternative modal would be great Chris, the modal popup is convenient and clean looking, would hate to lose it. Not sure why they would end the modal in the first place.
@nate,
We’re continuing to look into adding this type of functionality back into the extension in the near future. I cannot say for sure why they are removing the modal, however with as much hard work Stripe has been putting into their platform to be SCA ready, I can only assume that they looked for ways to make it possible, without succeeding in a way that met the requirements of SCA. They’ve really done a great job getting their platform ready and documenting how to work with Stripe with SCA.
Yea, I agree, love Stripe and the company is very well ran so I’m sure they did everything they could to keep the modal. Europe needs to just chill out a bit, first the ugly cookie notifications on every website and now this 😉
Thanks for The additional details. A better simple payment option would certainly be a good thing.
Why are you not updating 2checkout, Braintree and the rest of the gateways?
Stripe is very limited in terms of country availability as well as niche industry support.
I am unable to use Stripe – got rejected for all 3 of my WP related product sites even though I am based in an EU country so I had to choose 2co and Braintree instead.
If you don’t update these plugins then hundreds of online EDD stores will have to remove card payments from their site. It will have a impact on conversion rates and revenue. These are businesses that has been paying for your product for many years.
Would you reconsider releasing an update for these gateways too?
@Imre,
We didn’t state we’d not ever be updating them, just not immediately. We’d love to fully support as many gateways as possible with SCA. We have stated with Stripe and PayPal Pro as they are the most popular gateways used in EDD that would require it, therefore supporting the most number of customers directly.
It also came down to which platforms had their development/testing environments ready for us first. Stripe was one of the first to have their testing environment ready for us to starting writing the SCA implementation. Some gateways are still altering their documentation on how to use SCA, which I think is why the mandated enforcement dates were pushed back by the regulatory bodies.
As we finish supporting Stripe and PayPal Pro, we’ll look into offering support for others as we can get them working. 2Checkout is still offering an SCA compliant method with the non-on-site method, which I understand isn’t a ‘card payment on site’ but still uses the same gateway.
We’ll be sure to keep everyone posted as we can get other gateways implemented.
Can you confirm any kind of timeline for these releases?
I sent your support an email about Braintree SCA compliant updates and dev docs back in 2018 April, and the reply was that “Our development team is currently investigating the steps that need to be taken to remain compliant.”
I believe if one’s site doesn’t stay compliant that will put the merchant account in risk of closure – which I wouldn’t want to get to. Timely updates to remain compliant therefore are crucial.
I will try the non-API standard 2co option and see if that remains a feasible solution for that gateway, thanks.
I don’t have an exact date yet for any of the releases, we’re working as hard as we can and will have releases for some of the gateways prior to the September 14th date.
I remember reading your ticket for Braintree, and while documentation was available, the main key was being able to start development. Stripe was the first to have their development environment up and running for us to test against. We will be attempting to get as many gateways supported that we can.
How will this affect 3rd party payment gateways like Paystack
@ibezim,
It will be up to the 3rd party gateways to update to be compliant with the gateway platform on an individual basis. Easy Digital Downloads core is not making any changes to be compliant at this time, we are simply using each individual gateways implementation.
If you have a 3rd party gateway you should reach out to them to find out what their plans are for SCA.
My bank is in the USA and I take payments from all around the world with some customers in Europe. Will this affect me? Based on the 2 excerpts below I can’t tell for sure:
“SCA applies to “customer-initiated” online payments within Europe. This means that almost all card payments and all bank transfers will require SCA.”
“For online purchases with a debit or credit card, SCA will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA).”
Based on the first statement it seems like it would affect me, but based on the second it seems it wouldn’t since my bank is in the USA. Can you please let me know?
@Keith,
From what we’re reading and being told (we’re not lawyers, so we can’t give legal advise on compliance), it has nothing to do with your bank, but your customer’s bank. If your customer’s bank requires SCA or 3DSecure, then the process would be required. So since you support and sell to customers in Europe, then you would need to be SCA compliant in order to receive payments from customers who have a bank that requires it.
OK. Can you let me know where you got the below from so I can do some research? Since my business or business bank is not in Europe I have to find out if this statement is true:
“For online purchases with a debit or credit card, SCA will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA).”
@keith,
Our information is from reading multiple sources and talking with gateways. If you have specific questions about implementations it’s best to talk directly to your gateway of choice, to get the most accurate information for your account specifically.
is it true? and does it just work in European country? since i don’t live in Europe but wonder to know more about it