Strong Customer Authentication (SCA) came into effect on September the 14th 2019 as part of the latest General Data Protection Regulation. This new regulation affects many online merchants who sell to those within Europe and other businesses that operate within the region. This regulation was devised to limit the amount of online fraudulent activity and create a secure payment process for those within Europe.
In this article, we will take a look at what SCA is and how you can determine whether or not your Stripe checkout currently complies with the new regulations.
What is SCA?
Known as SCA for short, Strong Customer Authentication came into effect in early September 2019 and is a regulation which stipulates how the credit card payments of European customers should be handled. Stripe handles this by routing European customers through its 3D Secure card payment checkout, which requires an additional verification step.
If the plugin you use to create a Stripe checkout on your website adheres to SCA and uses 3D Secure card payment authentication, your European customers may be prompted to enter their credit card password or a mobile verification code. If the plugin is not yet up to speed with the new SCA rules, the European customer’s payment will, more often than not, be declined and they will not be able to check out on your website.
The verification steps will be made up of at least two of the following:
- Know: a knowledge-based factor (password, PIN or the answer to a question)
- Has: a possession-based factor (a code sent to a mobile phone)
- Is: an inherence characteristic (fingerprint, facial recognition)
Many websites that wish to be SCA compliant will also ensure that permission for recurring payments is provided. At a minimum, an SCA compliant website that intends to offer subscription products will:
- Ask for the customer’s permission to collect a series of payments on their behalf
- Clearly outline the frequency of the payments
These things are often outlined on a terms and conditions page and are opted-in through the use of a checkbox. Currently, the Stripe Payments Plugin has an option to include a checkbox for this purpose.
Why Should I Ensure that my Checkout is SCA Compliant?
Even if your online business operates out of a country that is not located within Europe, if you intend to sell to those who reside in Europe, you will need to ensure your checkout is SCA compliant.
For businesses that operate in the US and sell directly to US residents, SCA is not much of an issue. Online companies that sell to customers around the world, however, need to comply with global regulations before the deadline so that they do not lose customers or revenue.
If you are using a plugin that offers Stripe as one of its payment gateways, the developer should be aware of changes to regulations and implement fixes as needed. It is also your responsibility as a merchant to monitor your customer base and ensure they can easily check out on your website. In particular, online businesses that primarily sell products or services to European customers should ensure that their checkout is SCA compliant.
How Can I Ensure my Stripe Checkout is SCA Compliant?
“Plugins are built by third-parties on top of the Stripe API. Stripe does not build these plugins, so it is the responsibility of the plugin owner to perform the necessary updates to become SCA ready. If you have integrated through a plugin, you should contact the plugin owner for more information on their plans for SCA compliance.” - Stripe
1. Check with the Developers to See if the Plugin is SCA Compliant
If you are using a plugin such as the Stripe Payments Plugin, the developers ensured it was SCA compliant prior to the deadline. If you are using a plugin that handles eCommerce processes for you, you can simply contact the developers to ask whether or not the plugin is SCA ready. You may need to update the plugin or complete some settings to ensure you implement SCA.
2. Take a Look at Your Stripe Dashboard Logs
Within your Stripe Dashboard, you can browse through the logs to determine whether the customers on your website are going through an SCA compliant checkout.
- Log into your Stripe dashboard.
- Click on the ‘Developers’ menu and then on ‘Logs’.
- If you see requests that contain ‘/v1/charges’, these are not SCA compliant checkouts.
- Any transaction that states ‘payment_intents’ has been processed using the new SCA compliant Stripe API.
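The same check can be run over a batch of log lines rather than by eye. The script below is an added example, not code from Stripe or from any plugin; the one-line-per-request text format and the sample entries are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Developers > Logs view
# (timestamp, HTTP status, method, path). The text format is an assumption.
SAMPLE_LOG = """\
2019-09-10T09:12:44Z 200 POST /v1/charges
2019-09-10T09:13:02Z 200 GET /v1/charges/ch_EXAMPLE1
2019-09-16T14:01:10Z 200 POST /v1/payment_intents
2019-09-16T14:01:25Z 200 POST /v1/payment_intents/pi_EXAMPLE1/confirm
2019-09-17T08:45:00Z 402 POST /v1/charges
2019-09-18T11:30:19Z 200 POST /v1/customers
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{3})\s+([A-Z]+)\s+(/\S*)$")

def classify(method, path):
    """Label one API request by the payment flow it belongs to."""
    path = path.split("?", 1)[0].rstrip("/")
    # Only *creating* a charge directly is the legacy flow; reading one is not.
    if method == "POST" and path == "/v1/charges":
        return "legacy_charge"
    if path == "/v1/payment_intents" or path.startswith("/v1/payment_intents/"):
        return "payment_intent"
    return "other"

def audit(log_text):
    """Return per-flow counts and the time of the latest legacy charge."""
    counts = Counter()
    last_legacy = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, _status, method, path = m.groups()
        label = classify(method, path)
        counts[label] += 1
        # Timestamps share one ISO 8601 format, so string order is time order.
        if label == "legacy_charge" and (last_legacy is None or ts > last_legacy):
            last_legacy = ts
    only_pi = counts["legacy_charge"] == 0 and counts["payment_intent"] > 0
    return {"counts": dict(counts), "last_legacy_charge": last_legacy,
            "uses_only_payment_intents": only_pi}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A legacy charge dated after the plugin was updated means some checkout path on the site still bypasses the SCA-ready flow.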
3. View Stripe’s SCA Compliant Plugin List
If you are using a Stripe eCommerce plugin on your website, whether that be a WordPress website or not, the easiest way to determine if the plugin is SCA compliant is to check Stripe’s documentation, which outlines the plugins/addons that currently adhere. While the Stripe documentation has an extensive list of SCA ready plugins, the list is not complete, and some plugins/addons that are not included may still be SCA ready.
4. Complete a Test Transaction
If you have a relative or friend who resides in Europe, you can always have them complete a test transaction on your website. If they use a European bank account, they should be prompted to complete extra levels of authentication when checking out. If they are unable to complete their transaction on your website, chances are your checkout is not SCA ready. While some banks are currently being lenient, within the next few months, European transactions will not be able to be processed on non-SCA compliant websites.
What Does an SCA Stripe Checkout Look Like for my Customers?
If you are using the latest SCA compliant Stripe APIs to set up a checkout on your website, customers located within Europe who pay with their credit card will need to complete the following steps:
- Click on your buy now button (many websites will have a terms and conditions checkbox prior to this stage).
- Enter in their credit card information as normal.
- Stripe dynamically determines whether SCA is required. The type of SCA required is determined by the bank; for example, it may be a simple PIN code or a password sent to the customer’s mobile number.
- If the customer successfully confirms their identity with Stripe 3D Secure, the payment will be processed and they will be able to complete the transaction.
Exempt Transactions for SCA Compliance
While there are a handful of different scenarios where your European customers may not need to complete SCA, it is advised to set your website up presuming all transactions will require SCA. For merchant knowledge, the following transactions may be exempt from SCA:
- Transactions under €30, although if 5 of these transactions are completed on the website then SCA will come into effect.
- SCA is generally only required for the first payment within a subscription. This is again at the bank’s discretion.