If you haven't heard, starting this month, a new regulation for authenticating online payments called Strong Customer Authentication, or SCA, will be rolling out across Europe as a part of the Second Payment Services Directive, or PDS2.
If you're a merchant located in Europe then your membership site will be required to comply with SCA. MemberPress supports SCA in the newly launched MemberPress 1.6.0, so if you're one of our EU customers then all you need to do is upgrade and you'll be compliant … automatically!
In this post, we will breakdown the highlights of this new regulation, how your membership business will be impacted, and how to ensure that your transactions are safe and sound.
First, What is SCA, Exactly?
SCA or Strong Customer Authentication is a new European regulation that has been put into place to make online payments safer and less prone to fraud. On September 14, 2019, when the regulation goes into effect, if you are a European merchant and are selling to a European customer then they'll have an additional layer of authentication on your membership site's checkout.
Will This Impact All Membership Sites?
This new regulation will not affect all membership sites.
SCA will ONLY impact your membership business if:
- You have “customer-initiated” online payments within Europe.
- If your business’ bank is located in the European Economic Area (EEA).
- If the customer’s bank/card is located in the EEA.
- If card payments are being made over the internet.
Here are a few instances where SCA is not necessary:
- Merchant-Initiated Transactions – Payments made with saved cards.
- Fixed recurring transactions and subscriptions – As long as the payment amount remains the same (as is typical in a membership site), future transactions will not need SCA. If the payment amount changes, then the extra SCA authentication will be necessary.
- Transactions below €30 – Stay under €30 and you will be exempt, unless five or more payments under €30 are made, or if a number of lower payments total more than €100.
- Phone Payments – If you collect a customer's card information over the phone, it could be an exemption to SCA and will not require authentication.
- Corporate Payments – Payments between two corporate companies directly are exempt from SCA ONLY IF the method is a dedicated B2B method, such as a corporate purchasing system.
- Credit Transfers – Transfers made between a current account to a savings account at the same bank that is controlled by the same person.
When you create an EU to EU subscription, the customer will have to complete a 3D Secure 2 login, which will be rolling out this year. This adds an extra step after the checkout where the customer/cardholder will be prompted by their bank to give additional information to complete payment. This authentication could be something like a one-time confirmation code sent to their phone or email authentication). This will be the main way that online card payments will be authenticated and the SCA requirements will be met.
If a subscription payment fails, then the gateway will send an email to the customer to complete another 3D secure authentication.
Is This Good or Bad for Membership Businesses?
Yes, this process may seem confusing and overwhelming, but overall, it's not as bad as it may seem for membership sites. First of all, if you're using MemberPress then you don't need to do anything — you'll be SCA compliant just by upgrading to MemberPress 1.6.0.
Also, if you're concerned about conversion rates slipping, the good news is those shouldn't be impacted too much either. First of all, any subscriptions created before September 14, 2019 won't be impacted at all. And, on EU to EU checkouts, your customers will just have to jump through an additional hoop but once they get through that, they shouldn't have to do it again for rebills, and that's the biggest source of revenue for most membership sites.
Have any additional questions about SCA? Let us know in the comments below and we’ll be sure to answer any inquiries you may have!
September 5, 2019
Hi Christina, to the best we can tell that is correct. There is some more information here: https://stripe.com/guides/strong-customer-authentication In either case, if the bank marks a transaction as needing authentication, MemberPress should handle it properly now. It wouldn't hurt to set this up just in case: https://docs.memberpress.com/article/35-stripe#sca