PSD2, SCA and What it Means for Magento Store Owners and their Customers

The way online payments are authenticated will change on 14th September 2019, so for anyone trading online, you’ll need to understand what that means for you.

What is PSD2?

PSD or, the ‘Payment Services Directive’ was setup by the European Union back in 2007. The purpose of the directive was to regulate payment services and payment service providers.

PSD2 is the 2nd phase of the directive and provides a set of requirements for companies that provide payment services to improve consumer protection, make payments more secure and reduce costs or payment services.

Further details are available at FCA.ORG

What is SCA?

SCA or ‘Strong Customer Authentication’ is a new requirement that is part of PSD2 specifically aimed at making payments more secure and reducing fraudulent payments.

If you’re someone that uses online banking, you’ll be aware of this to some degree because when you setup a payment there’s usually a 2nd step where you receive an automated call or text to a designated personal number asking you to provide further authentication.

People familiar with 2-step authentication for logging on to online tools or websites will also be familiar with the concept too.

This 2nd line of defence aims to make online transaction much more secure.

There are 3 factors that determine whether a user passes SCA and users need to authenticate with a combination of 2 successfully;

  1. Something you have – Payment card (credit or debit), Smartphone, token, badges etc
  2. Something you know – Password, PIN Number, personal information
  3. Something you are – Biometric features like a fingerprint, facial recognition or DNA signature

Failure to provide authentication via methods requested within 21 days will result in a declined payment from the bank.

3D Secure becomes 3DS2

Everyone who’s bought anything online in the last 15 years will be aware of 3D Secure. It’s the extra security step after you provide your card details where you’re asked for additional information – e.g. specific characters from a password or code sent to your phone, to confirm you are the owner the card.

To meet the requirements of PSD2 and provide a frictionless authentication process, 3D Secure is being upgraded to 3D Secure 2.

3D Secure 2 aims to provide better user experience by taking advantage of the ubiquitous relationship we have with our smartphones and devices whilst providing the additional security authentication requirements of SCA.

A more detailed overview of 3DS2 can be read at Stipe.com

What does SCA mean for Magento Store owners and their customers?

For Magento store owners, Magento has provided a list of recommended actions for Magento 1.X and Magento 2.X for native payment service provider integrations. The recommended actions are illustrated in the table below.

Payment Provider Magento Commerce 2.x RecommendationMagento Commerce Recommendation
PaypalContinue using the current Magento built-in integration, as the 3d Secure 2.0 Payment flow changes are all handled by Paypal3DS 1.0 is supported. When and/or where the use of 3DS 2.0 is required, Merchants will either need to replace Paypal with Braintree or Upgrade to Magento
BraintreeUse the official extension (recommended) that will offer 3D Secure 2.0 prior to the deadline or use the Magento integration in the upcoming version2.33+ 0r 2.2.10+

Braintree Integration supports 3D Secure verification out-of-the-box. Starting with the Magento 2.3.3 release, Braintree integration will support 3D Secure 2.0
Use the official extension
Authorize.netUse the official extension (recommended) or the Magento integration in upcoming version 2.3.3+ or 2.2.10+ with a 3D Secure provider like CardinalCommerce.

Authorize.net provides the ability, via the Cardholder Authentication request field, to make 3D Secure verification via 3rd party services like CardinalCommerce. Starting with the Magento 2.3.3 release, Authorize.net AcceptJs integration will support 3DS 2.0 via CardinalCommerce.
Please check our Devblog page for updates on official Authorize.net extensions for M1 as they become available.
Cybersource Use the official extension.

Cybersource introduced Payer Authentication API with 3D Secure 2.0 support for Secure Acceptance Hosted Checkout and Simple Order API. Also, the integration with CardinalCommerce can be used for 3DS verification.

Use the official extension.
eWay Use the official extension.Use the official extension.

It is recommended that for all other payment integrations Magento Store owners check with the integration provider for the suggested course of action.

If you’re unsure what you should do and need advice, contact a member of our team today on 0161 820 7628 or complete the form below and we’ll advise on the best course of action.