A new European Union directive, the Second Payment Services Directive (PSD2), replaces the First Payment Services Directive (PSD1), which regulated payment services in Europe. Its Strong Customer Authentication requirements take effect on 14 September 2019, and the new security requirements will impact online businesses accepting card payments.
How to know if your business will be impacted by PSD2:
If your merchant account provider (your acquirer or acquiring bank) is based in the European Economic Area (EEA) and you transact with customers whose card issuer is also in the EEA, you will be impacted by PSD2. If either party to a transaction (the acquirer or the card issuer) is outside the EEA, the SCA requirement is not mandated, although issuers may still challenge such payments on a best-effort basis.
Required Components of PSD2:
SCA (Strong Customer Authentication)
The PSD2 text introduces strict security requirements for initiating electronic payments in order to reduce the risk of fraud. Chief among them is Strong Customer Authentication (SCA), a mandatory authentication process that verifies the identity of the user of a payment service or the legitimacy of a payment transaction. For most online card payments, the institution that issued the card (the customer's bank) will require at least two independent authentication factors before approving the payment and can decline a payment that was not authenticated. Exemptions exist for some transactions, such as low-value payments, but they are applied by the issuer, not chosen by the merchant.
Authentication Factors
At least two of the following three factor categories will be required in order to process the online payment, and the factors must be independent of each other, so that compromising one does not compromise the others:
Knowledge: Something only the user knows, such as a password or PIN.
Possession: Something only the user has, such as a one-time code generated by a hardware security token or an authenticator app, or confirmation through a trusted device (for example, a code sent by SMS to the registered phone).
Inherence: Something the user is, such as a voiceprint or fingerprint.
3-D Secure (3DS)
3D Secure is the authentication protocol offered by the card networks through which card issuers perform SCA. Applying 3D Secure typically adds an extra step after checkout in which the cardholder is prompted by their bank to provide additional information to complete the payment (e.g., a one-time code sent to their phone, or fingerprint authentication in their mobile banking app).
Whichever payment provider you use, it is highly recommended that your forms collect the customer's billing address and submit it to the payment provider on every transaction; issuers use these details in their risk assessment, which reduces the risk of the transaction being flagged or declined.
🔺Ensure your form includes the following fields, which are required for 3D Secure transactions (add any that are missing):
- Billing First Name
- Billing Last Name
- Email Address
- Billing Address1
- Billing City
- Billing State
- Billing Zip
- Billing Country
Once these fields have been added to your form, make sure they are mapped in the Payment account used by your payment fields, so the information is sent to the payment provider when the form is submitted. See the Map Payment Data article for instructions.
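As an added illustration, not the form builder's own mapping feature or Stripe's code, the function below takes a raw submission containing the eight fields listed above, refuses it if any are blank, and produces the object Stripe expects as `billing_details` on a PaymentMethod (`name`, `email`, and an `address` with `line1`, `city`, `state`, `postal_code`, `country`). It assumes the country field already holds an ISO 3166-1 alpha-2 code; the sample submission and the function and error names are this example's own.

```python
import re
from typing import Any, Dict, List, Mapping

# The eight form fields this page lists as required for 3D Secure, keyed by their labels.
REQUIRED_FIELDS = (
    "Billing First Name", "Billing Last Name", "Email Address", "Billing Address1",
    "Billing City", "Billing State", "Billing Zip", "Billing Country",
)


class BillingMappingError(ValueError):
    """Raised when a submission cannot be turned into a complete billing_details object."""


def missing_billing_fields(form: Mapping[str, str]) -> List[str]:
    """Report which required fields a submission lacks (blank or whitespace counts as missing)."""
    return [f for f in REQUIRED_FIELDS if not (form.get(f) or "").strip()]


def build_billing_details(form: Mapping[str, str]) -> Dict[str, Any]:
    """Validate a form submission and map it onto Stripe's billing_details shape.

    Assumption (example only): the form's country field holds an ISO 3166-1 alpha-2 code,
    which is what Stripe's address.country expects."""
    missing = missing_billing_fields(form)
    if missing:
        raise BillingMappingError("missing required 3DS billing fields: " + ", ".join(missing))
    clean = {k: v.strip() for k, v in form.items() if v}

    country = clean["Billing Country"].upper()
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise BillingMappingError("Billing Country must be an ISO 3166-1 alpha-2 code such as DE")

    email = clean["Email Address"]
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise BillingMappingError("Email Address is not a plausible address")

    return {
        "name": clean["Billing First Name"] + " " + clean["Billing Last Name"],
        "email": email,
        "address": {
            "line1": clean["Billing Address1"],
            "city": clean["Billing City"],
            "state": clean["Billing State"],
            "postal_code": clean["Billing Zip"],
            "country": country,
        },
    }


# Constructed sample submission (not real customer data).
SAMPLE_SUBMISSION = {
    "Billing First Name": "Ada",
    "Billing Last Name": "Lovelace",
    "Email Address": "ada@example.com",
    "Billing Address1": "1 Analytical Engine Way",
    "Billing City": "London",
    "Billing State": "Greater London",
    "Billing Zip": "SW1A 1AA",
    "Billing Country": "gb",
}

if __name__ == "__main__":
    print(build_billing_details(SAMPLE_SUBMISSION))
    print(missing_billing_fields({"Email Address": "ada@example.com"}))
```

Running the blank-field check before the payment field is submitted lets you show the customer which address details are missing, instead of discovering the problem as an issuer challenge or decline after the card details have already been sent.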
The Stripe integration uses 3DS to perform SCA and comply with PSD2. For one-time payments, Stripe merchants do not need to take any further action.
🔺Additional action required for subscription (recurring) payments: within Stripe's dashboard, you must enable 'Manage payments that require 3D Secure'.
If you do not enable this setting in your Stripe account, a subscription payment made with a card that requires 3DS will fail. This change should not affect currently active subscriptions.