Do you run online shops with WordPress? Or do you set them up for your customers? Then you should know the "Second European Payment Services Directive", better known as PSD2. It prescribes new procedures for customer authentication in the payment process. We list the most important recommended actions and plugins for WooCommerce.
tl;dr - do not panic.
As a rule, PSD2 comes into play for you as a shop owner when your customers pay by credit card. And even then, it is your payment service provider that is responsible for the authentication. You just have to make sure that the provider is already PSD2 compliant. To be on the safe side, also check all other payment options you offer. More on this in a moment.
The same applies to agencies and freelancers. Here you should check the payment plugins, or the providers behind them, that your customers use: Have they converted their processes to PSD2? If not, keep an eye out for alternative extensions. You can find comprehensive information on WooCommerce in our 70-page e-book WooCommerce for professionals.
This blog post is not legal advice. As a WordPress hosting provider we have dealt with PSD2 ourselves. However, we are not lawyers. So get advice from a suitable law firm specialising in online law.
What is PSD2 aka SCA? And who does it affect?
New EU rules for payment transactions were due to apply from 14 September 2019: the Second European Payment Services Directive, or PSD2 for short. Among other things, it makes strong customer authentication mandatory for online banking and online payments. The directive's term for this is Strong Customer Authentication (SCA).
The introduction of the new rules for online payments has now been postponed. "Temporarily", as they say. The authorities are concerned that companies are not yet sufficiently prepared for the directive. Nevertheless, you should already implement the directive, or have it implemented. More on this later.
At its core, this is about making shopping on the Internet more secure. Strong customer authentication - in practice, two-factor authentication (2FA) - is then required by law. Many banks have already changed their processes, and your bank has most likely already contacted you.
In online shops, this mainly affects payments by credit card. Unless they already use a secure procedure such as 3-D Secure (3DS). But be careful: Because of PSD2, an extended version of the procedure is required here as well, called 3-D Secure 2.0, or 3DS2 for short.
Until now, shoppers often only needed their credit card number and the card's security code to complete a purchase. In the future, a second factor is also required, for example a transaction number (TAN) sent to the customer's mobile phone or smartphone, in addition to a password. You probably know this procedure from your online banking. Paper lists of transaction numbers, iTAN for short, will no longer be permitted.
Purchase on account and via direct debit are not affected by PSD2. See the explanations of the IT-Recht Kanzlei.
What do you need to know as a shop owner or WP professional?
In the future, you must ensure that a secure procedure is used when paying via credit card or other services (PayPal, Stripe, Amazon Pay, Apple Pay, etc.). However, you usually don't have to implement this yourself; this is the job of the respective service providers. Unless you use a very exotic or self-built solution. In that case you should have it checked with regard to PSD2 by a suitable law firm specialising in online law.
All the major providers are working feverishly to implement the new rules. Check with the services you use: What is the status here? Is the authentication already PSD2 compliant? If the new EU rules finally come into force and your service provider is not yet ready, you should consider not offering that payment option until improvements have been made.
There are also changes to "Sofortüberweisung". According to the provider Klarna, the procedure will receive an additional authentication step, which will be handled by the customer's bank. Keep an eye on which payment services can still be used in the future, how smoothly they work, and whether this has an impact on the conversion rate in your shop.
Do your providers pass on different data than before because of PSD2? Or are you integrating new payment services? Then you may have to adapt your legal texts in WooCommerce.
What does WooCommerce say?
In general, suitable services will in future have to combine at least two of the following three factors in order to ensure "Strong Customer Authentication":
- Something the customer knows. For example, their password or the answer to a security question.
- Something the customer possesses, i.e. a confirmation sent to a device the customer controls. This can be a hardware token or a push notification to the customer's smartphone, according to WooCommerce.
- Something the customer is: a physical identifier that is unique to the customer. For example, a fingerprint or Face ID.
Are you interested in the exact details? How concrete the requirements are, i.e. whether the answer to a security question is sufficient, is set out in the EU's regulatory technical standards. See the current version of the "Regulatory technical standards for strong customer authentication".
Depending on the state of the art - and on which methods are most frequently exploited by attackers - there will probably be further adjustments in the medium and long term. The fight for more security always resembles a cat-and-mouse game.
What are the possibilities for integration?
WooCommerce names a few providers, or rather their WordPress plugins, that are said to be "PSD2 ready" already. We have linked the extensions here for you:
- Stripe WooCommerce Plugin.
- Amazon Pay for WooCommerce.
- Global Payments Gateway (for credit card payments and mainly active in the UK).
- PayPal via the Braintree Payment Gateway for WooCommerce. For other PayPal plugins you should ask the provider whether PSD2 is already supported.
- Sage Pay
Do you use other payment methods and networks than the ones mentioned here? Ask the respective developers if and when PSD2 will be implemented. If it won't be, you should look for an alternative plugin or service.
We look forward to your feedback
Have you already asked your provider? Or do you have a plugin tip for us? Feel free to share your experiences in the comments.
The PSD2 rules also apply to payments in the subscription model. For example, if you work with the WooCommerce Subscriptions plugin to enable recurring payments.
Does PSD2 or SCA also apply to merchants outside the EU?
It does not necessarily depend on where the merchant is based. Here WooCommerce expresses itself quite clearly:
The SCA also applies if the acquiring bank or processor is located in the European Economic Area (EEA) and the customer's payment instrument was issued in the EEA.
The European Economic Area comprises all member states of the European Union plus Iceland, Liechtenstein and Norway. So a merchant outside the EEA would have to work exclusively with service providers, banks and customers outside the EEA to avoid being affected by PSD2 and Strong Customer Authentication. This is one of the reasons why international payment service providers are in such a hurry to comply. The European call for more security online has global implications.
Will TANs via SMS remain permitted?
Alongside PSD2, a side discussion has developed in specialist circles about how secure the TAN via SMS (also known as mTAN) still is. See the article Online banking and PSD2 on heise.de. Recently, there have been an increasing number of reports of attacks in which the victim's mobile phone or smartphone is taken over, for example via phishing emails or manipulated apps.
The Federal Office for Information Security (BSI) writes about this:
Although the mTAN procedure is practical and user-friendly, it unfortunately also harbours some risks. Under certain circumstances, criminals can intercept or redirect the SMS messages sent for authentication ... The BSI therefore recommends not using mTAN procedures.
Under PSD2, the mTAN remains permitted for now. However, the banks are already looking for alternatives. Heise mentions pushTAN, chipTAN, photoTAN, appTAN and signaturTAN.
What is the PSD2 supposed to achieve?
The directive is not only intended to make (online) payment transactions more secure. The initiators also hope that competition in the market will become stronger. The Deutsche Bundesbank puts it as follows in its information on PSD2:
Consumers do not need to log in to their bank's online banking system when shopping on the internet, for example, but can order the transfer via a payment initiation service offered on the merchant's website.
The PSD2 regulates the access of these "third party payment service providers" to the payment accounts at the account-holding payment service providers. However, access is only granted to these providers if you as the account holder explicitly agree to this.
In the future, there will be many more players in the online payment market, and the banks and credit institutions are losing some of their power. The integration of "third party payment service providers" - which are, however, subject to the supervision and control of the national supervisory authorities - enables entirely new services and business ideas. In Germany, this supervisory authority is the Federal Financial Supervisory Authority (BaFin).
Exceptions to PSD2
Various media and banks report on exemptions under which payment service providers may dispense with strong customer authentication. For example, a limit of 30 euros is mentioned for "electronic remote payment transactions". Below this threshold, two-factor authentication would not necessarily be required. Further information can be found in the blog post PSD2 and SCA by the law firm Wilde Beuger Solmecke.
BaFin itself mentions a threshold of 50 euros, but for contactless card payments. For card payments on the Internet, it expresses itself more vaguely: payment service providers may carry out a so-called transaction risk analysis here. The Federal Agency says:
Each incoming payment is automatically checked to determine whether the risk of fraud is low ... If the payment information available to the payment service provider gives the impression of an increased risk of fraud, the payment service provider must carry out strong customer authentication.
Indications of an increased risk of fraud would be, for example, a deviation from the customer's usual behaviour patterns, or a similarity to known fraud patterns. Corresponding relaxations are also envisaged in B2B. And there is to be a whitelist of trusted payees, in which a customer can have their bank mark specific payment recipients as trustworthy.
However, as a shop operator you usually do not have to take care of such limits yourself, provided that a service provider is interposed.
You want to know more about PSD2 aka SCA? Here are suitable technical articles for users and developers:
- The EU Commission Regulation
- The WooCommerce blog post
- Technical possibilities of two-factor authentication
- Payment Services Directive PSD2: Transitional period granted for eCommerce
- Bundesbank: PSD2 for consumers and merchants
- WebPunks: New EU directive for online shops
- PSD2 explained in 3 minutes
You can find more tips on WooCommerce in our 70-page e-book WooCommerce for professionals: Online shops with WordPress. It is aimed at freelancers, agencies and WP professionals, but also at beginners.
Picture: William Iven