A new European Union directive, the Second Payment Services Directive (PSD2), replaces the First Payment Services Directive, which regulates payment services in Europe. Its new security requirements apply from September 2019 and will impact online businesses accepting card payments.
How to know if your business will be impacted by PSD2:
If your merchant account provider (your acquirer, or acquiring bank) is based in the European Economic Area (EEA) and you transact with customers in the EEA (i.e., their cards are issued by a bank in the EEA), you will be impacted by PSD2. On the other hand, if either party to a transaction, the acquirer or the card issuer, is outside the EEA, then the SCA requirement does not apply.
Required Components of PSD2:
SCA (Strong Customer Authentication)
The PSD2 text introduces strict security requirements for the initiation of electronic payments in order to reduce the risk of fraud. These requirements include strong customer authentication, a compulsory authentication process that validates the identity of the user of a payment service or of a payment transaction. Most payments will need at least two independent forms of authentication (the form factors listed below) before the institution (bank) that issued the credit or debit card will approve the payment.
Form Factors (Forms of Authentication)
At least 2 of these form factors will be required in order to process the online payment:
Knowledge: Something you know such as a password.
Possession: Something you have, such as a security token that generates one-time codes, or a trusted, registered device (for example, the phone that receives a one-time code by SMS or text message).
Inherence: Something you are that is unique to you, such as your voice or fingerprint.
3-D Secure (3DS)
3D Secure is the authentication service offered by the card payment industry, which performs SCA. Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g., a one-time code sent to their phone or fingerprint authentication through their mobile banking app).
Formstack Payment Integrations
The following payment integrations support 3DS (and can therefore comply with the PSD2 directive):
- Stripe
- PayPal Pro
- Authorize.net
The following payment integrations will not comply with the PSD2 directive because the payment provider has not added 3DS support.
For all payment providers, it is highly recommended that your forms collect customer billing address information and submit it to the payment provider on every transaction, to reduce the risk of the transaction being flagged.
🔺Ensure your form includes the following fields as required for 3D Secure Transactions (and add any missing fields if necessary):
- Billing First Name
- Billing Last Name
- Email Address
- Billing Address1
- Billing City
- Billing State
- Billing Zip
- Billing Country
Once these fields have been added to your form, ensure that they are mapped in the Payment account used by your payment fields so the information is sent to the payment provider when the form is submitted. See the Map Payment Data article for instructions.
The Stripe integration uses 3DS to perform SCA and comply with PSD2. Stripe merchants will not need to take any action for non-recurring payments.
🔺Additional Action Required for Subscription (recurring) Payments: Within Stripe’s dashboard, you must enable ‘Manage payments that require 3D Secure’.
If you do not enable this function in your Stripe account, subscription payments with a card that requires 3DS will fail. This change should not affect currently active subscriptions.
Paypal Pro and Authorize.net use Cardinal Commerce to enable 3DS. A Cardinal Commerce account and credentials are required to configure the payment integrations to use 3DS.
If 3DS is not enabled in the Formstack Salesforce App (i.e., no Cardinal Commerce account info has been added), the integration does not change how payments are submitted: Visa, Mastercard and American Express will continue to be sent to the provider as they are today. Be aware, however, that once SCA is enforced an EEA card issuer may decline a transaction that was not authenticated (see the Community Forms note below).
🔺Community Forms do not support PayPal Pro or Authorize.net payments that require 3DS support and the card issuing institution may reject the transaction. Stripe is recommended as the payment gateway if Community Form payments are required in jurisdictions that require 3DS.
🔺In order to accept American Express cards with PSD2/SCA compliance through Cardinal Commerce, you must contact Cardinal Commerce to request that this feature be activated and work with them to test it for the cards you expect. We recommend the use of Stripe if American Express cards are important for your use case.
Step 1) Obtain Cardinal Commerce account and credentials
See below for details on obtaining credentials for PayPal Pro and Authorize.net.
Step 2) Enter your Cardinal Credentials into Formstack Salesforce App payment accounts
Once you’ve obtained your credentials, log into Salesforce and access the Salesforce App. Navigate to a payment field on a form and update an existing, or add a new, PayPal Pro or Authorize.net account. Set up the PSD2-specific fields. This must be done for each PayPal Pro or Authorize.net account you have if you have multiple set up. All forms using this payment account will use the new payment details.
Step 3) Ensure your form includes the fields required for 3D Secure transactions (the billing fields listed above) and that they are mapped in the payment account; add any missing fields if necessary.
Once these steps have been completed, your PayPal Pro or Authorize.net integration with Formstack will be ready for PSD2 compliance.
Obtain Cardinal Commerce Account for PayPal Pro
To comply with PSD2 requirements in Europe, PayPal Pro merchants located in the UK will need to take steps to continue to successfully take payments from their customers located in the EEA.
Step 1) Register your PayPal Pro Merchant Account with CardinalCommerce (PayPal’s Preferred customer authentication partner)
In order to activate the Strong Customer Authentication requirement of PSD2 you must register your PayPal Pro merchant account with CardinalCommerce. It’s free for PayPal merchants.
When filling out the registration form, under the Additional Information section, be sure to check ‘Select All’ next to Products and choose ‘Custom Built Cart’ in the Shopping Cart dropdown list.
Note: If you use multiple PayPal Pro merchant accounts you must register each one individually.
Step 2) Obtain your Cardinal Credentials
CardinalCommerce provides your credentials when you register with them. Make sure you whitelist the following email address: paypal3DSUKboarding@cardinalcommerce.com. Whitelisting an email address marks it as a safe sender and allows emails from that address to pass through spam filters into your inbox.
If you didn't proactively whitelist the email address, check your junk or spam email folder for the email with your credentials. If your credentials aren't in the junk/spam folder, email paypalUK@cardinalcommerce.com and ask them to regenerate them for you.
If you try to register with CardinalCommerce and receive a message that you're already enrolled, you might need to reset your password or request your cart credentials be re-sent to you.
Message: "It appears that you are already enrolled. If you need assistance with accessing your account, please try again or contact us at firstname.lastname@example.org."
Additional Notes on PayPal
💡 Visa and Mastercard payments that do not require 3DS will continue to work as expected even when 3DS is enabled (Cardinal Commerce settings in Formstack Salesforce App).
💡 To accept American Express cards, contact PayPal and Cardinal Commerce support to request that American Express using 3DS is accepted. Once this is enabled on your accounts then American Express payments will work. If you do not enable American Express for 3DS with both PayPal and Cardinal Commerce you will see an error message when payments are attempted.
Obtain Cardinal Commerce Account for Authorize.net
Step 1) Contact Authorize.net to obtain a Cardinal Commerce account and credentials.
Step 2) Enable Verified by Visa and Mastercard SecureCode in Authorize.net account.
Additional Notes on Authorize.net
💡 Visa and Mastercard payments are accepted when 3DS is enabled in Formstack Salesforce App payment account (Cardinal Commerce settings in Formstack Salesforce App) and when Visa and Mastercard 3DS are enabled in Authorize.net account.
💡 American Express cards are not accepted at all when 3DS is enabled (Cardinal Commerce settings in Formstack Salesforce App).
💡 Visa and Mastercard payments made when 3DS is enabled (Cardinal Commerce settings in Formstack Salesforce App) but when Visa and Mastercard are disabled in Authorize.net account will fail.