Michael Firnkes



PSD2 & WooCommerce: What you need to know for your online shop

Do you run online shops with WordPress? Or do you set them up for your customers? Then you should be familiar with the “Second European Payment Services Directive”, better known as PSD2. It prescribes new procedures for customer authentication in the payment process. We list the most important recommendations and plugins for WooCommerce.

As a shop owner, PSD2 usually comes into play when your customers pay by credit card. Even then, it is your payment service provider that has to fulfil the requirements; you only need to make sure that they are already PSD2-compliant. To be on the safe side, also check all the other payment methods you offer. More on this in a moment.

The same applies to agencies and freelancers. Here you should check the payment plugins or the associated providers that your customers use: Have they converted their processes to PSD2? If not, keep an eye out for alternative extensions. You can find comprehensive information on WooCommerce in our 70+ page e-book WooCommerce for professionals.

No legal advice!

This blog post is not legal advice. As a WordPress host, we have dealt with PSD2 ourselves. But we are not lawyers. So get advice from a suitable law firm for online law.

What is the PSD2 aka SCA?

New EU rules for payment transactions have been in force since 14 September 2019: the Second European Payment Services Directive, or PSD2 for short. It includes the obligation to use strong customer authentication (SCA) for online banking services.

Essentially, the aim is to make online shopping more secure. Strong customer authentication – or two-factor authentication (2FA) – is therefore required by law. Many banks have already changed their processes, and your bank has certainly already contacted you.

For online shops, this mainly affects payments by credit card, unless a secure procedure such as 3-D Secure (3DS) is already in use. But be careful: PSD2 requires the extended version of that procedure, 3D Secure 2.0, or 3DS2 for short.


Previously, shoppers often only needed their credit card number and the corresponding security code (check digit) to complete a purchase. Now a transaction number (TAN), which is sent to the mobile phone or smartphone, and a password are also required. You probably know this procedure from your online banking. Paper lists of transaction numbers, iTAN for short, are no longer permitted.

Note

Purchases on account and via direct debit are not affected by PSD2. See the explanations by IT-Recht Kanzlei.

What do you need to know?

You must ensure that a secure procedure is used when paying by credit card or via other services (PayPal, Stripe, Amazon Pay, Apple Pay, etc.). However, you usually don’t have to implement this yourself; the respective service providers are responsible for it. The exception is a very exotic or customised solution, which you should have checked for PSD2 compliance by a suitable law firm specialising in online law.

All major providers are working feverishly to implement the new directive. Ask the services you use: What is the status? Is the authentication already PSD2-compliant? If the new EU rules come into force and your service provider is not yet ready, you should consider not offering that payment option until improvements have been made.

There are also changes to “Sofortüberweisung”. According to the provider Klarna, the procedure will get an additional authentication step, which is handled by the customer’s bank. Keep an eye on which payment service is easier to use in future and whether this has an impact on your shop’s conversion.

Note

Are your providers passing on different data than before due to PSD2? Or are you integrating new payment services? Then you may need to adapt your legal texts in WooCommerce.

What does WooCommerce say?

The makers of WooCommerce have dedicated a separate blog post to this topic. According to them, most payment service providers rely on 3D Secure 2 to fulfil the requirements.

In general, suitable services will have to use at least two of the following three factors in order to guarantee “strong customer authentication”:

  • Requesting information that only the customer knows. For example, their password or the answer to a security question.
  • Sending an authentication request to a “process controlled by the customer”. According to WooCommerce, this can be a hardware token or a push notification on the customer’s smartphone.
  • Using a physical identifier that is unique to the customer. For example, a fingerprint or a face ID.

Are you interested in the exact details? The specific requirements, e.g. whether the answer to a security question is sufficient, are set out in EU regulations. See the current version of the “Regulatory standards for strong customer authentication”.

Depending on the state of the art – and which methods are most likely to be exploited by hackers – there are likely to be some adjustments in the medium and long term. The fight for more security is always like a game of cat and mouse.

Opportunities for integration

WooCommerce names a few providers and their WordPress plugins that are said to be “PSD2 ready” already. We have linked the extensions for you here:

We look forward to your feedback

Have you already asked your provider? Or do you have a plugin tip for us? Feel free to share your experiences in the comments.

The PSD2 rules also apply to payments in the subscription model, for example if you use the WooCommerce Subscriptions plugin to enable recurring payments.

Does PSD2 or SCA also apply to merchants outside the EU?

It does not necessarily depend on where the retailer is based. WooCommerce is very clear about this:

The SCA also applies if the acquiring bank or processor is located in the European Economic Area (EEA) and the customer’s payment instrument was issued in the EEA.

The European Economic Area includes all member states of the European Union as well as Iceland, Liechtenstein and Norway. A merchant abroad would therefore have to work exclusively with service providers, banks and customers outside the EEA in order to avoid being affected by PSD2 or Strong Customer Authentication. This is one of the reasons why international payment service providers are in such a hurry to fulfil the requirements. The European call for more online security has a global impact.

Will the TAN by SMS still be permitted?

Alongside PSD2, a side discussion has developed in professional circles as to how secure the TAN via SMS (also known as mTAN) still is. See the article Online banking and PSD2 on heise.de. Recently, there have been an increasing number of reports of attacks in which the victim’s mobile phone or smartphone is taken over, for example via phishing mails or manipulated apps.

The Federal Office for Information Security (BSI) writes about this:

Although the mTAN procedure is practical and user-friendly, it unfortunately also harbours some risks. Criminals may be able to intercept or redirect the SMS messages sent for authentication purposes … The BSI therefore recommends avoiding the use of mTAN procedures.

As part of PSD2, the mTAN is to remain permitted. However, the banks are already looking for alternatives. Heise mentions pushTAN, chipTAN, photoTAN, appTAN and signatureTAN.

What is PSD2 supposed to achieve?

The directive is not only intended to make (online) payment transactions more secure. The initiators also hope that competition in the market will increase. The Deutsche Bundesbank formulates it as follows in its information on PSD2:

For example, consumers do not have to log into their bank’s online banking system when making a purchase on the Internet, but can order the transfer via a payment initiation service offered on the merchant’s website.

And further:

PSD2 regulates the access of these “third-party payment service providers” to the payment accounts with the account-holding payment service providers. However, these providers are only granted access if you as the account holder explicitly consent to this.

In the future, there will be many more players in the online payment market. Banks and credit institutions will lose power. The integration of “third-party payment service providers” – which are, however, under the supervision and control of national supervisory authorities – will enable the development of completely new services and business ideas. In Germany, this supervisory authority is the Federal Financial Supervisory Authority (BaFin).

Exceptions to PSD2

Various media and banks report on exceptional cases in which payment service providers can dispense with strong customer authentication. For example, a limit of 30 euros is mentioned for “electronic remote payment transactions”. Below this threshold, two-factor authentication is not necessarily required. Further information can be found in the blog post PSD2 and SCA by the law firm Wilde Beuger Solmecke.

BaFin itself states a threshold of 50 euros, albeit for contactless card payments. It is vaguer when it comes to online card payments. Here, payment service providers may carry out a so-called transaction risk analysis. The Federal Financial Supervisory Authority says:

Each incoming payment is automatically analysed to determine whether the risk of fraud is low … If the payment information available to the payment service provider gives the impression of an increased risk of fraud, it must carry out strong customer authentication.

Indications of an increased risk of fraud include, for example, a deviation from the customer’s usual behaviour patterns or a similarity to known fraud patterns. Corresponding relaxations are also planned for B2B. And there is to be a whitelist in which a bank can categorise its corporate customers as trustworthy payment recipients.

However, as a shop operator, you do not usually have to worry about such limits yourself if a service provider is involved.
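To make the two rules described in this post concrete, the two-of-three factor requirement from the WooCommerce section and the low-value and transaction-risk exemptions from this section, the following Python snippet is an added example written for this article; it is not code from Raidboxes, WooCommerce or any payment provider. The three factor categories, the 30 euro limit and the two fraud indicators are taken from the text; the `Payment` fields, the decision logic and the assumption that the low-value exemption only applies when the risk analysis finds no indicator are simplifications for illustration. In a real shop this decision is made by the issuing bank and the payment service provider, not by a WooCommerce plugin.

```python
"""Toy decision helper modelling the PSD2/SCA rules described in the post.

Added example, not code from Raidboxes, WooCommerce or any payment provider.
Assumed model: the payment service provider records which factor categories
a customer actually verified and decides whether a payment may proceed.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the post."""
    KNOWLEDGE = "something only the customer knows"   # password, security answer
    POSSESSION = "something only the customer has"    # hardware token, push to phone
    INHERENCE = "something the customer is"           # fingerprint, face ID


# Low-value remote payment threshold mentioned in the post (euros).
LOW_VALUE_LIMIT_EUR = 30.00


@dataclass
class Payment:
    amount_eur: float
    factors_presented: list          # Factor values actually verified for this payment
    # Constructed transaction risk analysis signals mirroring the post's examples.
    deviates_from_usual_behaviour: bool = False
    matches_known_fraud_pattern: bool = False


def is_strong_authentication(factors):
    """True only if factors from at least two *different* categories were verified.

    The subtle point: two knowledge factors (e.g. password plus security question)
    are still one category and therefore do not count as strong authentication.
    """
    distinct_categories = {f for f in factors}
    return len(distinct_categories) >= 2


def risk_is_low(payment):
    """Simplified transaction risk analysis: any fraud indicator means not low risk."""
    return not (payment.deviates_from_usual_behaviour
                or payment.matches_known_fraud_pattern)


def sca_required(payment):
    """Decide whether SCA must be performed before accepting the payment.

    Assumption (not from the regulation text): only the 30 euro remote-payment
    exemption is modelled, and it is applied only when no fraud indicator exists.
    """
    if payment.amount_eur < LOW_VALUE_LIMIT_EUR and risk_is_low(payment):
        return False
    return True


def decide(payment):
    """Return 'accept' or 'challenge' (step-up to a 3DS2 authentication flow)."""
    if not sca_required(payment):
        return "accept"
    if is_strong_authentication(payment.factors_presented):
        return "accept"
    return "challenge"


if __name__ == "__main__":
    # Constructed sample payments.
    samples = {
        "small, low risk, no factors": Payment(25.00, []),
        "small but matches fraud pattern": Payment(25.00, [], matches_known_fraud_pattern=True),
        "large, two passwords only": Payment(120.00, [Factor.KNOWLEDGE, Factor.KNOWLEDGE]),
        "large, password + face ID": Payment(120.00, [Factor.KNOWLEDGE, Factor.INHERENCE]),
    }
    for label, p in samples.items():
        print(f"{label}: {decide(p)}")
```

The threshold comparison is strict, so a payment of exactly 30 euros is treated as requiring SCA; and the exemption is deliberately conditional on the risk analysis, because the post quotes BaFin saying that an impression of increased fraud risk always triggers strong customer authentication.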

Further sources

Want to know more about PSD2 aka SCA? Here are suitable specialist articles for users and developers:

You can find more tips on WooCommerce in our 70+ page e-book WooCommerce for professionals: Online shops with WordPress. It is aimed at freelancers, agencies, WP professionals and beginners.

Featured image: William Iven

