Published November 4, 2020




Remember the Strong Customer Authentication (SCA) regulations? Based on everything that has happened in 2020, it’d be understandable if you didn’t. These regulations technically went into effect back in September of 2019, but the deadline was pushed, and they are finally about to be enforced across Europe.


If ...

  1. your bank is based in the European Economic Area (EEA) and 
  2. you have customers who are also located in the EEA and 
  3. you are using an onsite payment processor such as Stripe, Braintree or Authorize.net CIM 

... then your business’ ability to process payments will likely be affected when these regulations are enforced.


Read on for more information about the MemberMouse features (available in v2.3.0 and above) that allow you to comply with these regulations, as well as proactive and reactive steps to take to minimize your exposure to these changes.




What Is SCA & Why Should You Care?



If this is the first time you’re hearing about it, SCA stands for Strong Customer Authentication. 


It’s a new payment requirement that was introduced as a part of the European Union’s Revised Payment Services Directive (PSD2) on September 14th, 2019. Its goal is to provide consumers with an additional layer of protection for online payments and to minimize fraudulent payment attempts.


Important Note: Currently, SCA only applies to businesses and consumers within the European Economic Area which includes the EU member states as well as the UK, Iceland, Liechtenstein and Norway.


Here’s an excerpt from Stripe’s guide on SCA you may find helpful:


“Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.”



Image Credit: Stripe


 

Although SCA went into effect on September 14th, 2019, poor compliance and confusion around implementation caused the European Banking Authority (EBA) to grant an extension to businesses before enforcing the new requirements.


That being said, the deadline for enforcement is right around the corner.


On October 16th, 2020, the EBA announced that SCA compliance will be fully enforced on December 31st, 2020 in the European Economic Area.


However, due to the COVID-19 pandemic, the UK regulator announced a revised enforcement date of September 14th, 2021. This same enforcement date also applies to Switzerland.


Despite these official dates, gradual enforcement of SCA requirements has already begun. According to Stripe, some banks have started to decline a portion of payments that aren’t SCA-ready.


To get all of the details regarding SCA and its enforcement, we recommend you review the following resources:





What does this mean for you?



If the bank account you use for your online business is based in the EEA and your customers are also based in Europe, you will need to comply with these new SCA security standards.


This excerpt from Braintree’s guide to SCA compliance clearly explains who will be impacted by this change:


“SCA will be required on card transactions in which both the merchant’s acquiring bank and the bank issuing the buyer’s debit or credit card are located within the European Economic Area (EEA). The affected countries/regions include: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (including Gibraltar, Guernsey, Jersey, and the Isle of Man).”


TL;DR: If your business and customers are in Europe and the UK, SCA applies to you.




How SCA Impacts The Different Payment Providers


Stripe & Braintree


Stripe and Braintree will both be relying on 3D Secure 2.0 to provide authentication. 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (such as a one-time code sent to their phone or fingerprint authentication through their mobile banking app). In September 2019, MemberMouse added support for Stripe Elements and Braintree Hosted Fields, which are SCA-ready and use 3D Secure 2.0. To use these on your site, they need to be enabled through the Payment Settings menu in MemberMouse.


PayPal


MemberMouse uses the PayPal hosted integration, which means that your customers are automatically directed from your website to PayPal once they’re ready to pay. And since PayPal hosts the payment process, PayPal will augment their “Pay with PayPal” user flow to handle the new Strong Customer Authentication requirements. There will be no work required by merchants.


Authorize.net (CIM)


The Authorize.net payment solution is only available to businesses physically located in the United States or Canada. Currently, SCA regulations only apply to European businesses with European customers. Because of this, Authorize.net falls outside of the scope of SCA regulations and has not been updated for compliance. Authorize.net is connected with another solution called Cybersource, which is their recommended payment service provider for European-based businesses. 


MemberMouse does not integrate with Cybersource. We will continue to support our Authorize.net integration as is. However, if you are based in the EEA and use Authorize.net (CIM), then our recommendation is that you evaluate other payment provider options such as Stripe.




What We've Done To Help You Prepare For SCA



In September of 2019, we released MemberMouse version 2.3.0 which includes support for Stripe Elements and Braintree Hosted Fields. These are SCA-ready and use 3D Secure 2.0.


For merchants located in the European Economic Area (EEA), activation of this feature will allow you to comply with the Strong Customer Authentication requirement of the Revised Payment Services Directive (PSD2).


When Stripe Elements or Braintree Hosted Fields are enabled, your customer may be asked to complete an extra step at checkout where they are prompted by their bank to provide additional information (such as a one-time code sent to their phone) before the payment will be processed.


Then, in October of 2019, we released MemberMouse version 2.3.1, which included enhancements to the styling for Stripe Elements checkout; functionality for the Braintree 3D Secure checkout; and a review of both of the SCA Payment Gateways to ensure PCI compliance is maintained in all situations.


These updates made it possible for you to be in compliance with SCA when it originally went into effect in September of 2019. 


If you are using Stripe or Braintree on your site and haven’t updated your plugin since August 2019 (meaning you are not on v2.3.0 or above), you will need to update in order to comply with SCA. Please follow the instructions outlined in the following section.




Next Steps For You If You Are Running v2.2.9 or below


In order to comply with the new SCA regulations, here are the three steps we recommend you take:



1. Update your MemberMouse plugin to at least version 2.3.0


This is the minimum version that will allow for SCA compliance. However, since there are new features, bug fixes and security enhancements in each of our releases, we recommend that you update to the latest version, 2.3.3.


To upgrade your plugin, follow the instructions outlined in this support article.



2. Enable the extra security features for your payment gateway (Stripe or Braintree)


For Stripe Users: 


  1. Go to your WP Admin Panel

  2. In the left column, select MemberMouse > Payment Settings

  3. Confirm that your integration settings show Enable Stripe Elements checked

  4. Mark the indicated checkbox if necessary, scroll to the bottom, and click Save Payment Methods 

 

 

For Braintree Users: If you use Braintree as your payment gateway, you will activate Hosted Fields / 3D Secure 2 in the Payment Settings menu. 

Once your Stripe integration has Stripe Elements enabled or your Braintree integration has 3D Secure 2 enabled, your integration is SCA compliant.

Whether you use Stripe or Braintree, once activated, we recommend that you test the checkout process to confirm that the checkout fields display as you’d like with your theme. If you have customized your pages around the old form elements, your layout and look of the checkout will likely be different because Elements / Hosted Fields removes the credit card fields and inserts iframes. Additional information on activation, testing and formatting can be found here.


For more information, you can review these support articles on how to configure Stripe and activate the 3D Secure checkout process for SCA.







Next Steps For You If You Are Running v2.3.0 and above



1. Confirm that you have your payment gateway configured correctly and are using Stripe Elements or Braintree Hosted Fields.


For Stripe Users: 


  1. Go to your WP Admin Panel

  2. In the left column, select MemberMouse > Payment Settings

  3. Confirm that your integration settings show Enable Stripe Elements checked

  4. Mark the indicated checkbox if necessary, scroll to the bottom, and click Save Payment Methods 

 

 

For Braintree Users: If you use Braintree as your payment gateway, you will activate Hosted Fields / 3D Secure 2 in the Payment Settings menu. 


Once your Stripe integration has Stripe Elements enabled or your Braintree integration has Hosted Fields enabled, your integration is SCA compliant.

Whether you use Stripe or Braintree, once activated, we recommend that you test the checkout process to confirm that the checkout fields display as you’d like with your theme. If you have customized your pages around the old form elements, your layout and look of the checkout will likely be different because Elements / Hosted Fields removes the credit card fields and inserts iframes. Additional information on activation, testing and formatting can be found here.

For more information, you can review these support articles on how to configure Stripe and activate the 3D Secure checkout process for SCA.





2. Take proactive steps to handle subscriptions created prior to compliance.


Even after you achieve compliance, subscriptions created prior to enabling Stripe Elements or Braintree Hosted Fields will not be SCA-ready. As a result, once SCA regulations are enforced, you may encounter declined transactions. By following the steps outlined below, you can minimize your exposure to SCA-related issues.



A. Review what happens when payments fail



When a payment fails, MemberMouse will begin its Automated Overdue Payment Handling process. This process places the member’s account into overdue status and automatically attempts to rebill the card 3 more times over the course of a week.

 

This process also triggers a push notification on payment failure, which sends an email to the member. This push notification is included by default in MemberMouse, but can be deleted, so you should confirm that it is still active and formatted as you’d like.

 

When the member logs in to update their payment information, they can use the same card, and they will be presented with the SCA challenge at that point.

 

Provided it's completed successfully, the member's card-on-file data will be updated to use the new integration, and MemberMouse will request any relevant exemptions to the SCA challenge process going forward.

 

We recommend that you review the customizable steps involved in this process to confirm that they are formatted as you’d like, specifically:

 

i. what access rights a member has when in overdue status and 

ii. the email that is sent to customers when a payment fails 

 

You also may want to consider:


iii. adding an alert to an admin or other employee when accounts go into overdue status. This would allow for additional review of these accounts and a chance for extra outreach as needed.



B. Identify your active members with non-SCA-compliant subscriptions



A second proactive step is to get in touch with your active members who created subscriptions prior to turning on Stripe Elements or Braintree Hosted Fields. You may want to encourage them to update or simply re-enter their billing details.


If your customers do proactively update their payment information, these details will be SCA-challenged, just as payment information newly submitted directly through the checkout page would be, and future payments will be in compliance.