Background: The Second Payments Services Directive (PSD2)
A new European Union directive, replacing the First Payment Services Directive and regulating payment services in Europe, goes into effect September 14, 2019. Its new security requirements will impact online businesses accepting card payments.
How to know if your business will be impacted by PSD2:
If your merchant account provider, a.k.a. your acquirer or acquiring bank, is based in the European Economic Area (EEA), and you transact with customers in the EEA, you will be impacted by PSD2. If either party in a transaction is outside the EEA, the SCA regulation does not apply.
Required Components of PSD2:
SCA (Strong Customer Authentication)
The PSD2 text introduces strict security requirements for the initiation of electronic payments in order to reduce the risk of fraud. These requirements include strong customer authentication, an authentication process that validates the identity of the user of a payment service or a payment transaction, which becomes compulsory on September 14, 2019. Most payments will need at least 2 forms of authentication, or form factors, to be processed by the institutions (banks) that issue credit and debit cards.
Form Factors (Forms of Authentication)
At least 2 of these form factors will be required in order to process the online payment:
Knowledge: Something you know such as a password.
Possession: Something you have, such as a one-time code generated by a security token, or access through a trusted device, such as an SMS or text message.
Inherence: Something you are that is unique to you, such as your voice or fingerprint.
3-D Secure (3DS)
3D Secure is the authentication service offered by the card payment industry, which performs SCA. Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g., a one-time code sent to their phone or fingerprint authentication through their mobile banking app).
How Formstack is Preparing
The following payment integrations will support 3DS (and thus comply with the PSD2 directive by September 14, 2019):
PayPal Pro (WPP)
The following payment integrations will NOT support 3DS and therefore will NOT comply with the PSD2 Directive:
PayPal Payflow Pro
We have no plans at this time to update these integrations to support 3DS.
How Merchants can Prepare
PayPal WPS Integration Users
No Action Needed
PayPal will update its "Pay with PayPal" user flow to include SCA, so no action is needed.
Stripe Integration Users
No Action Required for One-Time Payments.
Action Required for Subscription Payments: Within Stripe's dashboard, you must enable 'Manage payments that require 3D Secure'.
If you do not enable this function in your Stripe account, subscription payments with a card that requires 3DS will fail.
This change should not affect currently active subscriptions.
Unsupported Payment Integration Users
Action Required: Move existing payment flows to use PayPal Pro, PayPal WPS, or Stripe Integrations.
Does PSD2 affect me?
Answer: If your merchant account provider, a.k.a. your acquirer or acquiring bank, is based in the European Economic Area, and you accept credit card payments from customers in the EEA, you will be impacted by PSD2. If either party in a transaction is outside the EEA, the SCA regulation does not apply.
Which Formstack payment integrations will support SCA on September 14, 2019?
Answer: Stripe, PayPal Pro (WPP), and PayPal Website Payments Standard (WPS)
How will PSD2 change how I collect payments with Formstack?
Answer: PSD2 requires Strong Customer Authentication, an authentication process that validates the identity of the user of a payment service or a payment transaction. Most payments will need at least 2 forms of authentication, or form factors, to be processed by the institutions (banks) that issue credit and debit cards.
A typical PSD2 payment flow includes an authentication prompt in the form of an SMS message or notification from a banking app prior to the completion of the form submission.
I use PayPal Website Payments Standard (WPS) which redirects my customers to PayPal in order to pay. Do I need to take action?
Answer: PayPal will update their "Pay with PayPal" user flow to do Strong Customer Authentication, so no action is needed.
What if I don't use a PSD2 compliant payment integration after September?
Answer: If you don’t use a PSD2 compliant payment integration and do business in the EEA, your payment transactions will fail after the September deadline.
How does Brexit affect enforcement of this new regulation in the UK?
Answer: We expect enforcement of SCA no matter the outcome.
Will my customers need to authenticate every recurring payment in a subscription?
Answer: SCA will apply to the initial transaction, but subsequent transactions will not require authentication because they are considered "merchant-initiated".
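The rules stated above (SCA applies only when both acquirer and customer are in the EEA; at least two factors from different categories are needed; the first subscription charge needs SCA but later merchant-initiated charges do not) can be written as a small decision model. The following is an added example, not Formstack's, Stripe's or PayPal's code; the EEA country subset, credential names, and status strings are constructed for illustration.

```python
# Added example (not Formstack's code): a decision model of the SCA rules
# described on this page. The country set below is a constructed subset of
# the EEA, and the credential names are constructed labels, not gateway API values.

EEA_COUNTRIES = {"DE", "FR", "IE", "NL", "ES", "IT"}  # constructed subset of EEA codes

# Each constructed credential name maps to its PSD2 factor category.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "otp_sms": "possession",
    "hardware_token": "possession",
    "trusted_device": "possession",
    "fingerprint": "inherence",
    "voice": "inherence",
}


def sca_in_scope(acquirer_country: str, customer_country: str) -> bool:
    """SCA applies only when both the acquirer and the customer are in the EEA."""
    return (acquirer_country.upper() in EEA_COUNTRIES
            and customer_country.upper() in EEA_COUNTRIES)


def factor_categories(credentials) -> set:
    """Return the distinct factor categories covered by the presented credentials.

    An unknown credential raises ValueError so it can never be silently
    counted as a factor.
    """
    categories = set()
    for name in credentials:
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown credential type: {name!r}")
        categories.add(FACTOR_CATEGORY[name])
    return categories


def meets_sca(credentials) -> bool:
    """At least two factors from different categories are required.

    Two credentials from the same category (a password and a PIN are both
    'knowledge') count as one factor, not two.
    """
    return len(factor_categories(credentials)) >= 2


def sca_required(acquirer_country: str, customer_country: str,
                 merchant_initiated: bool) -> bool:
    """Decide whether a transaction needs an SCA prompt under the page's rules."""
    if not sca_in_scope(acquirer_country, customer_country):
        return False
    # Merchant-initiated follow-on charges (subscription renewals) do not
    # prompt the customer again; only the initial transaction does.
    return not merchant_initiated


def evaluate_payment(acquirer_country, customer_country, merchant_initiated, credentials):
    """Classify one payment: out_of_scope, merchant_initiated, authenticated or declined."""
    if not sca_in_scope(acquirer_country, customer_country):
        return "out_of_scope"
    if merchant_initiated:
        return "merchant_initiated"
    return "authenticated" if meets_sca(credentials) else "declined"


def simulate_subscription(acquirer_country, customer_country, initial_credentials, renewals):
    """Initial charge is customer-initiated; every renewal is merchant-initiated."""
    results = [evaluate_payment(acquirer_country, customer_country, False, initial_credentials)]
    for _ in range(renewals):
        results.append(evaluate_payment(acquirer_country, customer_country, True, []))
    return results


if __name__ == "__main__":
    # Constructed transactions for illustration.
    print(evaluate_payment("DE", "FR", False, ["password", "otp_sms"]))  # authenticated
    print(evaluate_payment("DE", "FR", False, ["password", "pin"]))      # declined
    print(evaluate_payment("US", "FR", False, ["password"]))             # out_of_scope
    print(simulate_subscription("IE", "NL", ["pin", "fingerprint"], 2))
```

The point the table makes explicit is category independence: a password plus a PIN is still a single knowledge factor and is rejected, while a PIN plus a fingerprint passes. The subscription simulation shows the single SCA prompt on the first charge and none on the renewals.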
I have more specific questions about PSD2, SCA, or 3DS. Who should I ask?
Answer: We recommend reaching out to your payment gateway provider to learn more about how PSD2, SCA, or 3DS may impact your business.