Security updates: SCA with Stripe at edoobox

19.1.2021
Releases
Strong customer authentication

(Originally published on September 19, 2019)

Strong Customer Authentication (SCA) is a new EU requirement under Directive (EU) 2015/2366 (Payment Services Directive 2, PSD2), which will come into force on September 14, 2019 and will bring changes to the authentication of online payments by your European customers. In order to comply with the SCA requirements, 3D Secure, a new authentication process, will then be required.

Card payments are traditionally made in two steps: authorization and capture. A payment is authorized when the customer's bank or the card issuer approves it; the payment is captured when the card is debited.

When SCA comes into effect in September, an additional and mandatory step will be required before authorization and capture: authentication. This step serves to protect customers by preventing fraud. To authenticate a payment, customers respond to a request from the bank and provide additional information. This may be something that only the user knows, such as a password, something that only the user has, such as a cell phone, or something that the user is, such as their fingerprint.

It is also important to differentiate between when exactly SCA is necessary and when it is not. This is because SCA is not mandatory for every online transaction. There are exceptions for recurring purchases and payments under 30 euros, for example. Companies should therefore carefully consider the situations in which enhanced authentication must be requested.

If the following statements apply to you, you should prepare for strong customer authentication:

  • Your company is based in the European Economic Area (EEA) or you create payments for linked accounts within the EEA.
  • You have customers in the EEA.
  • You accept credit or debit cards.

While authentication is not required for some low-risk transactions (based on volume, fraud rate associated with the payment provider or bank), banks do not have to approve these exceptions and may still require customer authentication.

The EU's PSD2 regulation does not apply to Switzerland. However, it does apply to Swiss companies that have payment transactions with the EEA.

In our online documentation you will find the instructions "Stripe SCA Testing Radar", which show the default settings at Stripe and how you can change them.
