Starting on September 14th, 2019, new requirements for authenticating online payments will be introduced in Europe as part of the second payment services directive (PSD2).
SCA DELAY INFORMATION
Many countries have announced delays regarding the enforcement of SCA and 3D Secure. You can read more about the specific timing and delays for each country here: https://support.stripe.com/questions/strong-customer-authentication-sca-enforcement-date
For online card payments, these requirements will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). We expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.
These new authentication rules will require European customers to pass additional verification, or their banks may decline transactions. When required by the customer's bank, PayWhirl will display a "3D Secure" authentication popup to the customer, which will allow them to authenticate the transaction with a second form of identification. Once the payment method has been authenticated successfully, subsequent charges should process normally.
We have rolled out support for SCA authentication on a gateway-by-gateway basis, with support/notes for the following gateways:
- Stripe - Already Released
- Braintree - Coming Soon (Scheduled for release by 9/14/2019)
- Authorize.net - Coming Soon (Scheduled for release ASAP)
- Spreedly BETA Gateways - We will roll out support as Spreedly releases tools for each specific gateway. Currently, none of the gateways we offer are supported through Spreedly.
Example SCA Checkout Flow
For customers going through the normal widget flow, it will be a seamless experience. After the customer clicks "Checkout & Pay," they may have to provide additional information to complete the checkout process.
A small pop-up will appear with instructions from the customer's bank to authorize the purchase. Authorization could be a one-time code sent directly to the customer's mobile device, fingerprint authentication, Face ID, or even authentication through their mobile banking app.
NOTE: The authentication process will only appear when the customer's bank requires further action by the customer. Many transactions will be exempt.
Recurring payments or additional "one-time" payments charged to this payment method should continue to process automatically without customer interaction.
However, the customer's bank may decide to decline a transaction at a later time. If that happens, the customer's subsequent payment(s) would also be declined; however, they would automatically be rescheduled according to your failed payment settings (Account Settings > Advanced Settings), and the customer would receive a notification email.
Customer Email Notifications for SCA & 3D Secure
If you have the default failed payment email notification enabled in your account, the customer will be sent a link to log in to their account and complete authentication when the bank requires it.
NOTE: If you have already customized the failed payment notification email in your account, you will need to re-apply those changes to the NEW DEFAULT TEMPLATE that contains the updated SCA invoice links. If needed, you can re-generate the latest failed payment email template from your email template settings page.
After clicking "Verify & Pay" in the failed payment email, customers will be redirected to the specific invoice that needs authentication. Once logged in, customers can click "Verify & Pay Invoice" to complete the authentication process, and the payment will process successfully.
SCA Verification Example from Stripe
Once verified, transactions should process normally for the customer and payment method being used.
Getting Permission (aka “a mandate”) to Save Customer Cards
After payment methods are authenticated with SCA, your payment gateway (e.g., Stripe) will mark any subsequent off-session payment as a merchant-initiated transaction (MIT) to reduce the need to authenticate again.
Merchant-initiated transactions require an agreement (also known as a “mandate”) between you and your customer. As a result, we've included some new default text on checkout where customers save their payment methods.
PayWhirl Mandate Default Text (editable via translation settings):
By clicking the button below I authorize %company_name% to charge my payment method according to the plans and services I purchase on this site.
The mandate text is editable from the translation settings in your PayWhirl account: https://app.paywhirl.com/translation
Mandate example (from Stripe):
I authorise [your business name] to send instructions to the financial institution that issued my card to take payments from my card account in accordance with the terms of my agreement with you.
At a minimum, ensure that your terms cover the following:
- The customer’s permission for you to initiate a payment or a series of payments on their behalf
- The anticipated frequency of payments (i.e., one-time or recurring)
- How the payment amount will be determined
If you have any questions about PayWhirl's Strong Customer Authentication (SCA) or 3D Secure features, we're here to help.