Last year, website owners needed to deal with the new European privacy laws known as GDPR. We wrote a guide to Joomla and the GDPR.
This year, there are new European rules that involve eCommerce. There are two names for these new requirements:
- PSD2: Payment Services Directive.
- SCA: Strong Customer Authentication.
PSD2 is the overall set of laws and SCA is the specific group of regulations launching this month. So SCA is what we're going to talk about in this post.
What are the SCA rules?
The goal of SCA is to make online credit card purchases more secure and to reduce the number of fraudulent purchases.
The aim is to verify the customer's identity and make sure they're the valid holder of the credit card used for the transaction.
To ensure that your site meets the SCA requirements, you will have to present customers with a 3D Secure (3DS) flow. Yes, there's one more acronym for you: 3DS.
The old approval method only had 2 steps:
- Authorize the transaction.
- Charge the credit card.
The new 3DS method has 3 steps:
- Authenticate the customer's identity.
- Authorize the transaction.
- Charge the credit card.
So there's now an additional first step. You may have come across 3DS already under names such as Visa Secure, Mastercard Identity Check, or American Express SafeKey. Often the customer has to respond to a prompt from their bank and provide more information. I had a real-life example this week, when trying to buy a Joomla extension from RegularLabs.com, which is in the Netherlands. I got denied with a message just like this:
Some transactions are exempt, including transactions under 30 Euros and recurring transactions (after the first purchase). But you can't design your eCommerce platform to have one rule for transactions over 30 Euros and one for cheaper payments. So in reality, all your payments will need to be SCA-compliant.
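To make the difference between the old two-step flow and the new three-step flow concrete, here is an added example that is not part of the original post and not Joomlashack's or any gateway's code. It models the issuer as a constructed mock (`mockIssuer`): the mock applies the two exemptions named above (under 30 Euros, and recurring charges after the first one), challenges the cardholder otherwise, and declines any authorization that needed SCA but was never authenticated. The transaction and customer objects, and the field names on them, are assumptions made for the example.

```javascript
// Decide whether a transaction needs Strong Customer Authentication.
// Only the exemptions named in the post are modelled; in practice the
// issuer makes the final call, which is why the post says to treat
// every payment as SCA-required.
function requiresSca(tx) {
  if (tx.currency === 'EUR' && tx.amount < 30) return false;       // low-value exemption
  if (tx.recurring && !tx.firstPayment) return false;               // recurring, after the first charge
  return true;
}

// Constructed mock of the card issuer (assumption: not a real gateway API).
// `customer.present` models whether the customer is still on the site and
// `customer.answersChallenge` whether they complete the bank's 3DS prompt.
const mockIssuer = {
  authenticate(tx, customer) {
    if (!requiresSca(tx)) return { authenticated: true, challenged: false };
    const ok = Boolean(customer && customer.present && customer.answersChallenge);
    return { authenticated: ok, challenged: true };
  },
  authorize(tx, auth) {
    // Banks decline payments that require SCA but were not authenticated via 3DS.
    if (requiresSca(tx) && !auth.authenticated) {
      return { authorized: false, reason: 'sca_required' };
    }
    return { authorized: true, authCode: 'AUTH-' + tx.id };
  },
  charge(tx, authorization) {
    if (!authorization.authorized) throw new Error('cannot capture an unauthorized transaction');
    return { charged: true, amount: tx.amount };
  },
};

// Old two-step flow: authorize, then charge. There is no authentication step,
// so the issuer sees an unauthenticated request.
function legacyCheckout(tx, issuer) {
  const authorization = issuer.authorize(tx, { authenticated: false });
  if (!authorization.authorized) return { status: 'declined', reason: authorization.reason };
  issuer.charge(tx, authorization);
  return { status: 'charged' };
}

// New 3DS flow: authenticate, authorize, charge.
function scaCheckout(tx, customer, issuer) {
  const auth = issuer.authenticate(tx, customer);
  if (!auth.authenticated) {
    return { status: 'declined', reason: 'authentication_failed', challenged: auth.challenged };
  }
  const authorization = issuer.authorize(tx, auth);
  if (!authorization.authorized) return { status: 'declined', reason: authorization.reason };
  issuer.charge(tx, authorization);
  return { status: 'charged', challenged: auth.challenged };
}

// Constructed sample transactions (amounts in EUR).
const SAMPLE_PURCHASE = { id: 'T1', amount: 49, currency: 'EUR' };
const SAMPLE_SMALL = { id: 'T2', amount: 20, currency: 'EUR' };
const SAMPLE_RENEWAL = { id: 'T3', amount: 49, currency: 'EUR', recurring: true, firstPayment: false };
const PRESENT_CUSTOMER = { present: true, answersChallenge: true };
const ABSENT_CUSTOMER = { present: false, answersChallenge: false };

console.log(legacyCheckout(SAMPLE_PURCHASE, mockIssuer));                   // declined: sca_required
console.log(scaCheckout(SAMPLE_PURCHASE, PRESENT_CUSTOMER, mockIssuer));   // charged, challenged
console.log(scaCheckout(SAMPLE_PURCHASE, ABSENT_CUSTOMER, mockIssuer));    // declined: customer not on site
console.log(scaCheckout(SAMPLE_RENEWAL, ABSENT_CUSTOMER, mockIssuer));     // charged, no challenge
```

The third call is the case the post warns about for businesses that charge after the customer has left the checkout: once the customer is gone, nobody can answer the bank's challenge, so a non-exempt charge is declined.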
If you want more details, I can also recommend this 2-minute video:
Who does SCA impact?
- If your bank and your customers are both in Europe, then you'll need to follow these requirements.
- You particularly need to pay attention if you accept credit cards online. This is because the new rules are focused on credit cards and don't impact platforms such as Paypal.
- Customers can only be authenticated if they're actively using your website. So adding this step will be simpler for businesses that charge customers right away, and more complex for businesses that charge customers after they’ve left the checkout flow.
When do I need to be ready?
Originally the answer was September 14 (last week!), but that deadline has been pushed back in some countries.
How can you make sure your platform is ready?
Unless you're a talented developer, you can't update your platform. This is a tricky technical challenge. It took us several weeks to update Joomlashack's checkout process. Those improvements are now available in the Simple Renew extension.
- If you are a developer, here is a very technical guide I've seen.
- Stripe has an excellent guide to 3DS.
- In fact, Stripe has wonderful guides to the whole SCA topic, including this brilliant introduction.
One key factor in this is security: sensitive data should be sent directly from the customer to the payment gateway. Credit card numbers, expiry month and year, and CCV fields should never touch your site. In our Simple Renew extension, all those fields are now loaded in iframes hosted by the payment gateway, so that data never passes through Joomlashack.com.
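A useful complement to gateway-hosted iframes is a check on the server that proves card data really is bypassing your site. Below is an added example, not code from the post or from Simple Renew: a Node-style request guard that scans an incoming checkout body for card-like fields (by field name, or by a 13 to 19 digit value that passes the Luhn check) and rejects the request, accepting only an opaque token from the gateway. The handler, the `gateway_token` field name and the sample request bodies are assumptions made for the example.

```javascript
// Luhn (mod-10) check, the checksum card numbers carry.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Field names that should never appear in a request to your own server.
const CARD_FIELD_NAMES = /^(card(_?number)?|pan|cc_?num|ccv|cvc|cvv|exp(iry|_?month|_?year)?)$/i;

// True when a string value looks like a primary account number (PAN).
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk the (possibly nested) request body and return the paths of offending fields.
// An empty array means no raw card data was found.
function findRawCardData(body, prefix = '') {
  const hits = [];
  for (const [key, value] of Object.entries(body || {})) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value && typeof value === 'object') {
      hits.push(...findRawCardData(value, path));
      continue;
    }
    if (CARD_FIELD_NAMES.test(key) || looksLikePan(value)) hits.push(path);
  }
  return hits;
}

// Hypothetical checkout handler: the only payment data it accepts is the
// token the gateway handed back to the browser (field name is an assumption).
function handleCheckout(body) {
  const offending = findRawCardData(body);
  if (offending.length > 0) {
    return { status: 400, error: 'raw card data must go directly to the payment gateway', fields: offending };
  }
  if (typeof body.gateway_token !== 'string' || body.gateway_token.length === 0) {
    return { status: 400, error: 'missing gateway token' };
  }
  return { status: 200, token: body.gateway_token };
}

// Constructed sample bodies. 4242 4242 4242 4242 is a well-known test card number;
// the 15-digit order reference fails the Luhn check and is left alone.
const CLEAN_BODY = { gateway_token: 'tok_constructed_example', order_ref: '123456789012345' };
const LEAKY_BODY = { payment: { card_number: '4242 4242 4242 4242', cvc: '123' } };

console.log(handleCheckout(CLEAN_BODY));  // status 200
console.log(handleCheckout(LEAKY_BODY));  // status 400, fields: payment.card_number, payment.cvc
```

Logging the `fields` list (never the values) gives you a signal that some checkout page is still posting card data to your server, which is exactly the integration mistake the iframe approach is meant to prevent.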
If you're not a developer, your best bet is to contact the developers of your eCommerce extension.
What's going to happen if I'm not ready?
You will probably see an increase in declined transactions. Banks will decline payments that require SCA but which have not been authenticated via 3DS.
Over to you
Let us know if you have any questions about these SCA changes. We're not high-level experts in this area, but we've spent a couple of months implementing the rules here at Joomlashack, and we'll do our best to help.