Do you run online stores with WordPress? Or set them up for your customers? Then you should be aware of the "Second European Payment Services Directive", better known as PSD2. It prescribes new procedures for customer authentication in the payment process. We list the most important recommendations and plugins for WooCommerce. tl;dr - don't panic.
As a store owner, PSD2 usually comes into play when your customers pay by credit card. And even then, your service provider has a duty. You just need to make sure that they are already PSD2-compliant. To be on the safe side, check all other payment methods you offer. More on this in a moment.
The same applies to agencies and freelancers. Here you should check the payment plugins or the associated providers that your customers use: Have they converted their processes to PSD2? If not, keep an eye out for alternative extensions. You can find comprehensive information on WooCommerce in our 70+ page e-book WooCommerce for professionals.
What is the PSD2 aka SCA?
New EU rules for payment transactions should apply from September 14, 2019: the Second European Payment Services Directive, or PSD2 for short. This includes the obligation for secure customer authentication for online banking services. In English: Strong Customer Authentication (SCA).
The introduction of the new payment rules on the Internet has now been postponed. "Temporarily", as they say. This is because the authorities are concerned that companies are not yet sufficiently prepared for the directive. Nevertheless, you should implement the directive now or have it implemented. More on this later.
Essentially, the aim is to make online shopping more secure. Strong customer authentication - or two-factor authentication (2FA) - is then required by law. Many banks have already changed their processes, and your bank has certainly already contacted you.
For online stores, this mainly affects payments by credit card, unless they already use a secure procedure such as 3-D Secure (3DS). But be careful: PSD2 requires an extended version of this procedure, called 3-D Secure 2.0, or 3DS2 for short.
Until now, shopping customers often only needed their credit card number and the corresponding check digit to complete a purchase. In future, a transaction number (TAN), which is sent to the cell phone or smartphone, and a password will also be required. You are no doubt familiar with this procedure from your online banking. Paper lists with transaction numbers, iTAN for short, will no longer be permitted in future.
What do you need to know?
In future, you must ensure that a secure procedure is used when paying by credit card or via other services (PayPal, Stripe, Amazon Pay, Apple Pay, etc.). However, you don't usually have to implement this yourself; the respective service providers are responsible for this. Unless you are using a very exotic or self-made solution. You should have this checked for compliance with PSD2 by a suitable law firm specializing in online law.
All major providers are working feverishly to implement the new directive. Ask the services you use: What is the status? Is the authentication already PSD2-compliant? If the new EU rules finally come into force and your service provider is still not ready, you should consider not offering that payment option until it has been brought into line.
There are also changes to "Sofortüberweisung". According to the provider Klarna, the procedure will have an additional authentication step, which will be taken over by the respective bank. You should observe which payment service is easier to use in the future and whether this has an impact on your conversion in the store.
What does WooCommerce say?
The makers of WooCommerce have dedicated a separate blog post to this topic. According to them, most payment service providers rely on 3D Secure 2 to meet the requirements.
In general, a suitable service must in future combine at least two of the following three factors in order to guarantee "strong customer authentication":
- Requesting information that only the customer knows. For example, their password or the answer to a security question.
- Sending an authentication request to a "customer-controlled process". According to WooCommerce, this can be a hardware token or a push notification to your smartphone.
- Use of a physical identifier that is unique to the customer. For example, a fingerprint or a face ID.
Are you interested in the exact details? The specific requirements, for example whether the answer to a security question is sufficient, are set out in EU regulation. See the current version of the "Regulatory standards for strong customer authentication".
Depending on the state of the art - and which methods are most likely to be exploited by hackers - there are likely to be some adjustments in the medium and long term. The fight for more security is always like a game of cat and mouse.
Opportunities for integration
WooCommerce names a few providers and their WordPress plugins that are already supposed to be "PSD2 ready". We have linked the extensions for you here:
- Stripe WooCommerce Plugin.
- Amazon Pay for WooCommerce.
- Global Payments Gateway (for credit card payments and mainly active in the UK).
- PayPal via the Braintree Payment Gateway for WooCommerce. For other PayPal plugins, you should contact the provider to check whether PSD2 is already supported as a process.
- Sage Pay
Do you use payment methods and networks other than those mentioned here? Ask the respective developers if and when PSD2 will be implemented. If this is not the case, then you should look around for an alternative plugin or service.
The PSD2 rules also apply to payments in the subscription model. For example, if you work with the WooCommerce Subscriptions plugin to enable recurring payments.
Does PSD2 or SCA also apply to merchants outside the EU?
It does not necessarily depend on where the retailer is based. WooCommerce is very clear about this:
The SCA also applies if the acquiring bank or processor is located in the European Economic Area (EEA) and the customer's payment instrument was issued in the EEA.
The European Economic Area includes all member states of the European Union as well as Iceland, Liechtenstein and Norway. A merchant outside the EEA is therefore only unaffected by PSD2 or Strong Customer Authentication if it works entirely with service providers, banks and customers that are also outside the EEA. This is one of the reasons why international payment service providers are in such a hurry to comply with the requirements. The European call for more online security has a global impact.
Will the TAN via SMS remain permitted?
At the same time as PSD2, a side discussion has developed in specialist circles as to how secure the TAN via SMS (also known as mTAN) still is. See the article Online banking and PSD2 on heise.de. Recently, there have been an increasing number of reports of attempted attacks in which the victim's cell phone or smartphone is taken over. For example, via phishing emails or manipulated apps.
The Federal Office for Information Security (BSI) writes about this:
Although the mTAN procedure is practical and user-friendly, it unfortunately also harbors some risks. Under certain circumstances, criminals can intercept or redirect the SMS messages sent for authentication ... The BSI therefore recommends not using mTAN procedures.
For now, the mTAN remains permitted under PSD2. However, the banks are already looking for alternatives. Heise mentions pushTAN, chipTAN, photoTAN, appTAN and signatureTAN.
What is PSD2 supposed to achieve?
The directive is not only intended to make (online) payment transactions more secure. The initiators also hope that competition in the market will increase. The Deutsche Bundesbank formulates it as follows in its information on PSD2:
For example, consumers do not have to log into their bank's online banking system when making a purchase online, but can order the transfer via a payment initiation service offered on the merchant's website.
And further:
PSD2 regulates the access of these "third-party payment service providers" to the payment accounts with the account-holding payment service providers. However, these providers are only granted access if you as the account holder explicitly agree to this.
In the future, there will be many more players in the online payment market. Banks and credit institutions will lose power. The involvement of "third-party payment service providers" - which are, however, under the supervision and control of national supervisory authorities - will enable the development of completely new services and business ideas. In Germany, this supervisory authority is the Federal Financial Supervisory Authority (BaFin).
Exceptions to PSD2
Various media and banks report on exceptional cases in which payment service providers can dispense with strong customer authentication. For example, a limit of 30 euros is mentioned for "electronic remote payment transactions". Below this threshold, two-factor authentication is not necessarily required. Further information can be found in the blog post PSD2 and SCA by the law firm Wilde Beuger Solmecke.
BaFin itself states a threshold of 50 euros, albeit for contactless card payments. It is more vague when it comes to online card payments. Payment service providers could carry out a so-called transaction risk analysis here. The Federal Financial Supervisory Authority says:
Each incoming payment is automatically checked to determine whether the risk of fraud is low ... If the payment information available to the payment service provider gives the impression of an increased risk of fraud, it must carry out strong customer authentication.
Indications of an increased risk of fraud include, for example, a deviation from the customer's usual behavior patterns, or a similarity to known fraud patterns. Corresponding relaxations are also planned for B2B, and there is to be a whitelist in which a bank can classify its corporate customers as trustworthy payment recipients.
However, as a store operator, you do not usually have to worry about such limits yourself if a service provider is involved.
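To make the two rules above concrete, the three factor categories listed under "What does WooCommerce say?" and the exemptions in this section, here is an added Python sketch (it is not code from the article, WooCommerce or any payment provider): it checks that two different factor categories are used and decides whether a transaction needs SCA from the figures quoted on this page. The channel names, flag names and the treatment of unknown channels are assumptions for illustration; the real regulation also attaches cumulative limits to the low-value exemption that this example ignores, and in practice your payment provider makes this decision, not your store.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA categories; a valid SCA needs two *different* ones."""
    KNOWLEDGE = "knowledge"    # something only the customer knows (password, security answer)
    POSSESSION = "possession"  # something only the customer has (hardware token, phone push)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face ID)


def is_strong_authentication(factors_used) -> bool:
    """Two passwords are still one factor: count distinct categories, not prompts."""
    return len(set(factors_used)) >= 2


@dataclass
class Transaction:
    amount_eur: float
    channel: str                              # assumed values: "remote" or "contactless"
    payee_whitelisted: bool = False           # trusted-beneficiary list kept by the bank
    deviates_from_usual_behaviour: bool = False  # transaction risk analysis signal
    matches_known_fraud_pattern: bool = False    # transaction risk analysis signal


# Thresholds as quoted on the page: 30 EUR for remote electronic payments,
# 50 EUR (BaFin) for contactless card payments. Figures are illustrative only.
LOW_VALUE_LIMIT_EUR = {"remote": 30.0, "contactless": 50.0}


def sca_required(tx: Transaction) -> tuple[bool, str]:
    """Return (needs_sca, reason). Fraud indicators override every exemption."""
    if tx.matches_known_fraud_pattern or tx.deviates_from_usual_behaviour:
        return True, "transaction risk analysis flagged increased fraud risk"
    if tx.payee_whitelisted:
        return False, "payee on the bank's trusted-beneficiary whitelist"
    limit = LOW_VALUE_LIMIT_EUR.get(tx.channel)
    if limit is None:
        # Unknown channel: fail safe and demand strong authentication.
        return True, f"unknown channel {tx.channel!r}: default to SCA"
    if tx.amount_eur <= limit:
        return False, f"low-value exemption ({tx.channel} <= {limit:.0f} EUR)"
    return True, "no exemption applies"


if __name__ == "__main__":
    # Constructed sample: a 20 EUR online card payment with no risk signals.
    print(sca_required(Transaction(20.0, "remote")))
    print(is_strong_authentication([Factor.KNOWLEDGE, Factor.KNOWLEDGE]))
```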
Further sources
Want to know more about PSD2 aka SCA? Here are suitable specialist articles for users and developers:
- The EU Commission Regulation
- The blog post from WooCommerce
- Technical options for two-factor authentication
- Payment Services Directive PSD2: transition period granted in e-commerce
- Bundesbank: PSD2 for consumers and retailers
- WebPunks: New EU directive for online stores
- PSD2 explained in 3 minutes
You can find more tips on WooCommerce in our 70+ page e-book WooCommerce for professionals: Online stores with WordPress. It is aimed at freelancers, agencies, WP professionals and beginners.
Your questions about PSD2
What questions do you have? Feel free to use the comment function. Want more tips on WordPress & WooCommerce? Then follow us on Twitter, Facebook or via our newsletter.
Featured image: William Iven