You run online shops with WordPress? Or set them up for your customers? Then you should know the Second European Payment Services Directive, better known as PSD2. It prescribes new procedures for customer authentication during the payment process. We name the most important recommendations for action and plugins for WooCommerce.
TL;DR: don't panic.
Generally, PSD2 is relevant to you as a shop owner mainly when your customers pay by credit card. And even then, it is your service provider that carries the obligation. All you have to do is make sure that your service provider is already PSD2-compliant. To be on the safe side, check all the other payment options you offer as well. More on this in a moment.
The same applies to agencies and freelancers. Here you should check the payment plugins or associated providers used by your customers: have they switched their processes to PSD2? Otherwise, look for alternative extensions. Comprehensive information on WooCommerce can be found in our 70+ page e-book WooCommerce for professionals.
This blog post is not legal advice. As a WordPress hoster we have studied PSD2 ourselves, but we are not lawyers. So get advice from a suitable law firm specialising in online law.
What is PSD2 aka SCA? And who does it concern?
From 14 September 2019, new EU rules were to apply to payment transactions: the Second European Payment Services Directive, PSD2 for short. This includes the obligation of strong customer authentication for online banking offers. In English: Strong Customer Authentication (SCA).
The introduction of the new payment rules on the Internet has now been postponed, however. "Temporarily", as they say. This is because the authorities are concerned that companies are not yet sufficiently prepared for the directive. Nevertheless, you should implement the directive now, or have it implemented. More on this later.
The core issue is to make shopping on the Internet safer. Strong customer authentication, also known as 2-factor authentication (2FA), then becomes legally required. Many banks have already converted their processes, and your bank has certainly already contacted you.
For online shops, this mainly affects payments by credit card, if these are not already protected by a secure procedure such as 3-D Secure (3D-S). But be careful: because of PSD2, an extended version of the procedure is required here, called 3-D Secure 2.0, or 3DS2 for short.
Until now, shopping customers often only needed their credit card number and the associated check digit (the card's security code) to complete a purchase. In future, a transaction number (TAN), which is sent to the mobile phone or smartphone, and a password will also be required. You probably know this procedure from your online banking. Paper lists of transaction numbers (iTAN for short) will no longer be permitted.
Purchase on account and direct debit are not affected by PSD2. See the explanations of the IT law firm.
What do you need to know as a shop operator or WP professional?
In future, you must ensure that a secure procedure is used when paying by credit card or via other services (PayPal, Stripe, Amazon Pay, Apple Pay, etc.). However, you usually do not have to implement this yourself; the respective service providers are responsible here. Unless you use a very exotic or home-made solution. In that case you should have it checked for PSD2 compliance by a suitable law firm specialising in online law.
All major providers are working feverishly on implementing the new directive. Check with the services you use: what is the status? Is the authentication already PSD2-compliant? If the new EU rules finally come into effect and your service provider is not yet ready, you should consider not offering that payment option until it has been updated.
There are also changes to the "instant bank transfer". According to the provider Klarna, the procedure receives an additional authentication step, which is to be handled by the respective bank. You should keep an eye on how well each payment service can be used in future, and whether this affects your conversion rate in the shop.
Do your providers pass on different data under PSD2 than before? Or are you integrating new payment services? Then you may have to adjust your legal texts in WooCommerce.
What does WooCommerce say?
In general, the relevant services will in future have to use at least two of the following three factors to ensure "Strong Customer Authentication":
- Requesting information that only the customer knows, for example a password or the answer to a security question.
- Sending an authentication to a "customer-controlled process". According to WooCommerce, this can be a hardware token or a push notification to the customer's smartphone.
- Using a physical identifier unique to the customer, for example a fingerprint or Face ID.
Interested in the exact details? How concrete the requirements are, for example whether the answer to a security question is sufficient, is determined by the EU rules. See the latest edition of the "Regulatory standards for strong customer authentication".
Depending on the state of the art, and on which methods attackers are most likely to exploit, adjustments may be needed in the medium and long term. The fight for more security is always a cat-and-mouse game.
What are the integration options?
WooCommerce names a few providers and their WordPress plugins that are said to be "PSD2 ready" already. We have linked the extensions here for you:
- Stripe WooCommerce plugin.
- Amazon Pay for WooCommerce.
- Global Payments Gateway (for credit card payments, mainly active in the UK).
- PayPal via the Braintree Payment Gateway for WooCommerce. For other PayPal plugins, ask the provider whether PSD2 is already supported.
- Legend Pay
Do you use payment methods and networks other than those mentioned here? Ask the respective developers if and when PSD2 will be implemented. If it will not be, look for an alternative plugin or service.
We appreciate your feedback
Have you already enquired with your provider? Or do you have a plugin tip for us? Share your experiences in the comments.
The rules of PSD2 also apply to payments in the subscription model, for example if you use the plugin WooCommerce Subscriptions to enable recurring payments.
Does PSD2 or SCA also apply to merchants outside the EU?
It does not necessarily depend on the registered office of the merchant. WooCommerce is quite clear on this:
The SCA also applies if the acquiring bank or acquiring processor is located in the European Economic Area (EEA) and the customer's payment instrument was issued in the EEA.
The European Economic Area comprises all Member States of the European Union plus Iceland, Liechtenstein and Norway. A merchant abroad would therefore have to work exclusively with domestic (non-EEA) service providers, banks and customers in order not to be affected by PSD2 or Strong Customer Authentication. This is one of the reasons why international payment service providers are in such a hurry to comply with the requirements. The European call for more security on the net has global implications.
Will the TAN by SMS remain permitted?
In parallel with PSD2, a side discussion has developed in expert circles about how secure TAN via SMS (also called mTAN) still is. See the article Online banking and PSD2 on heise.com. This is because reports of attempted attacks in which the victim's mobile phone or smartphone is taken over have been increasing recently, for example via phishing mails or manipulated apps.
The Federal Office for Information Security (BSI) writes about this:
Although the mTAN procedure is practical and user-friendly, it unfortunately also involves some risks. Under certain circumstances, criminals may intercept or redirect SMS messages sent for authentication ... The BSI therefore recommends not using mTAN procedures.
Within the framework of PSD2, the mTAN remains permitted for the time being. However, banks are already looking for alternatives. Heise names pushTAN, chipTAN, photoTAN, appTAN and signatureTAN.
What is PSD2 intended to achieve?
The directive is not only intended to make (online) payment transactions safer. The initiators also hope that competition in the market will become stronger. The European bank formulates it in its information on PSD2 as follows:
Consumers do not need to log into their bank's online banking system when shopping on the Internet, for example, but can order the transfer via a payment initiation service offered on the merchant's website.
The PSD2 regulates the access of these "third-party payment service providers" to payment accounts with the payment service providers holding the account. However, access is only granted to these providers if you as the account holder explicitly agree to this.
In future, there will therefore be many more players in the online payments market. Banks and credit institutions are losing power. The involvement of "third-party payment service providers", which are, however, under the supervision and control of national supervisory authorities, will enable completely new services and business ideas. In Germany, this supervisory authority is the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin).
Exceptions to PSD2
Various media and banks report on exceptional cases where payment service providers can dispense with strong customer authentication. For example, a limit of 30 euros is mentioned for "electronic remote payment transactions". Below this threshold, two-factor authentication is not necessarily required. Further information can be found in the blog post PSD2 and SCA by the law firm Wilde Beuger Solmecke.
BaFin itself mentions a threshold of 50 euros, but for contactless card payments. On card payments on the Internet it is vaguer: payment service providers could carry out a so-called transaction risk analysis here. This is what the federal agency says:
Every incoming payment is automatically checked to determine whether the risk of fraud is low ... If the payment information available to the payment service provider gives the impression of an increased risk of fraud, he must carry out strong customer authentication.
Indications of an increased risk of fraud are, for example, a deviation from the customer's usual patterns of behaviour, or a similarity to known fraud patterns. Corresponding relaxations are also planned for B2B. And there is to be a whitelist on which a bank can classify its corporate customers as trustworthy payees.
However, as a shop operator you usually do not have to worry about such limits yourself if a service provider is involved.
Want to know more about PSD2 aka SCA? Here are suitable technical articles for users and developers:
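As an added illustration that is not code from this blog post, from WooCommerce or from any payment provider, the following Python sketch combines two points made above: the rule that strong customer authentication needs two factors from different categories (knowledge, possession, inherence), and a minimal transaction risk analysis that decides whether SCA has to be triggered at all. The 30 euro threshold is the figure quoted above; the risk heuristics, the field names and the sample data are assumptions constructed for the example, not BaFin's or any bank's actual rules.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed example: a toy SCA policy check. Part 1 tests whether presented
# authentication factors span two independent categories; part 2 applies the
# low-value exemption and a minimal transaction risk analysis.


class Factor(Enum):
    """The three SCA factor categories."""
    KNOWLEDGE = "knowledge"    # something only the customer knows (password, security question)
    POSSESSION = "possession"  # something only the customer has (hardware token, registered phone)
    INHERENCE = "inherence"    # something the customer is (fingerprint, Face ID)


def is_strong_authentication(presented):
    """SCA needs at least two factors from *different* categories.
    A password plus a security question is two knowledge factors and does not qualify."""
    return len(set(presented)) >= 2


@dataclass(frozen=True)
class Transaction:
    customer_id: str
    amount_eur: float
    country: str      # country the order is placed from (assumed field)
    device_id: str    # browser/app fingerprint (assumed field)


@dataclass
class CustomerProfile:
    usual_countries: frozenset
    known_devices: frozenset
    typical_amount_eur: float


# Threshold for "electronic remote payment transactions" as quoted in the post.
LOW_VALUE_LIMIT_EUR = 30.0


def risk_signals(tx, profile, fraud_device_ids):
    """Minimal transaction risk analysis (assumed heuristics): returns the list of
    indications of increased fraud risk, i.e. deviations from the customer's
    usual behaviour or matches against known fraud patterns."""
    signals = []
    if tx.country not in profile.usual_countries:
        signals.append("unusual country")
    if tx.device_id not in profile.known_devices:
        signals.append("unknown device")
    if tx.amount_eur > 5 * profile.typical_amount_eur:
        signals.append("amount far above customer's pattern")
    if tx.device_id in fraud_device_ids:
        signals.append("device seen in known fraud pattern")
    return signals


def sca_required(tx, profile, fraud_device_ids):
    """Decide whether the payment service provider must trigger SCA.
    Assumed conservative policy: any increased-risk indication forces SCA regardless
    of amount; otherwise the low-value exemption applies below LOW_VALUE_LIMIT_EUR."""
    signals = risk_signals(tx, profile, fraud_device_ids)
    if signals:
        return True, signals
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return False, ["low-value exemption"]
    return True, ["above low-value limit"]


if __name__ == "__main__":
    # Constructed sample data for a single customer.
    profile = CustomerProfile(frozenset({"DE"}), frozenset({"dev-a1"}), 40.0)
    fraud_devices = frozenset({"dev-zz9"})
    small_usual = Transaction("cust-1", 19.90, "DE", "dev-a1")
    small_new_device = Transaction("cust-1", 19.90, "DE", "dev-b2")
    print(sca_required(small_usual, profile, fraud_devices))       # (False, ['low-value exemption'])
    print(sca_required(small_new_device, profile, fraud_devices))  # (True, ['unknown device'])
    print(is_strong_authentication([Factor.KNOWLEDGE, Factor.KNOWLEDGE]))   # False
    print(is_strong_authentication([Factor.KNOWLEDGE, Factor.POSSESSION]))  # True
```

The point of the two-category check is the one WooCommerce's list makes implicitly: asking for a second piece of knowledge adds no independent factor, whereas a push notification to a registered phone does. The risk analysis returns its reasons alongside the decision so that a provider can log why a payment was or was not challenged.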
- The EU Commission Regulation
- The blog post from WooCommerce
- Technical possibilities of two-factor authentication
- Payment Services Directive PSD2: Transitional period granted for eCommerce
- Bundesbank: PSD2 for consumers and traders
- Web punks: New EU directive for online shops
- PSD2 explained in 3 minutes
You can find more tips on WooCommerce in our 70-page e-book WooCommerce for professionals: online shops with WordPress. It is aimed at freelancers, agencies and WP professionals, but also at beginners.
Picture: William Iven