Strong Customer Authentication in Card Payments
The EU's new regulations for card payments, Strong Customer Authentication (SCA), came into effect on September 14, 2019. It has been in the pipeline for some time, but as of January 1, 2021, the transition period is over, and the law applies to all card purchases in the EU. In Swedish, this regulation is referred to as stark kundverifiering.
The requirement is part of a broader regulation known as Payment Services Directive 2 (PSD2), which was adopted by the EU a few years ago. The aim is to create better conditions for secure and efficient payments, especially for individuals.
SCA applies to all card payments made by consumers within the EU. There are indeed exceptions, such as purchases under €30 that are deemed low-risk, but you still need to have a system in place for transactions that are not covered by these exceptions.
What this means in practice is that sellers within the EU must verify purchases using so-called two-factor authentication for the banks to approve the transaction.
What Does Two-Factor Authentication Mean?
Two-factor authentication (2FA) is a security solution that requires you to verify your identity with two different things for the authentication to be approved.
The two factors must be two genuinely different kinds of evidence, not two pieces of the same kind.
The most common example is likely when you enter a password online and also need to input a one-time code sent to you via SMS. This protects you with two factors: your password that you know and the one-time code sent to your phone.
Because the one-time code in the example above is sent to your phone, an attacker who has only your password cannot get in: they would also need to intercept the SMS or have physical access to the phone, which makes the account much harder to compromise than one protected by a password alone.
Many larger companies have both implemented and recommended two-factor authentication recently, including Apple to protect your Apple ID and Google to protect your Google account.
How Does Two-Factor Authentication Work for Card Purchases?
To approve a purchase, buyers in the EU must verify themselves with two of the following factors against their bank after January 1, 2021:
- something the buyer knows (e.g., a code/password),
- something the buyer has (e.g., a mobile device or computer), and
- something the buyer is (part of the physical person, such as a fingerprint).
Overall, this is, of course, beneficial, as it enhances the entire purchasing experience for individuals, but it will also require a significant adjustment.
In some cases, it will not impact much and will flow relatively naturally, but in other cases, sellers will find it considerably more challenging to operate as before.
Payment flows where payment is made directly (such as at checkout in a web shop) will not be affected significantly, as it is relatively natural to add another factor at that step.
Flows where card details have traditionally been saved for a later charge, as hotels often do, will become considerably more complicated. The buyer may then have to verify the purchase at a later point in time, which is much harder for the seller to arrange.
Stripe has produced a short two-minute film explaining this.
In practice, this means that in cases where strong customer authentication is needed, a new step will appear between when the user enters their card details and when the money is deducted from the card. This step will involve the new 2FA.
The new step may look slightly different depending on which bank the customer has, but it will include verification of an additional factor such as:
- a one-time code,
- verification in the bank's app,
- verification with Mobile BankID, or
- verification with a fingerprint,
to achieve 2FA.
Support for 2FA?
There is an existing standard, 3D Secure (3DS), which is already used by many Swedish banks and which in theory should suffice to comply with SCA, since 3D Secure requires the buyer to perform an additional verification during the purchase. The card schemes sometimes market it under their own names, such as Visa Secure and Mastercard Identity Check.
In Sweden this verification was previously often done with a bank-issued card reader, but today that has almost entirely been replaced by Mobile BankID or the bank's app.
There is also a new standard called 3D Secure 2 (3DS2) that banks began transitioning to in 2019. The reason is that 3DS2 was developed to make compliance with the new legal requirements and SCA easier.
What Does It Look Like for Craft Commerce and Stripe?
For us, Stripe is the payment processor we most often use when building e-commerce. Stripe has an API called the Payment Intents API that has built-in support for SCA. Stripe determines whether the customer needs to verify themselves in more than one way; if so, the two-factor step is triggered, and if not, the card purchase is processed directly. Convenient.
Craft Commerce and Stripe have built-in support.
For Craft Commerce, there is an updated version of the official plug-in that handles communication with Stripe, Stripe for Craft Commerce, which supports their Payment Intents API.
So for our favorite combination, e-commerce with Craft Commerce and payments through Stripe, it is a green light.
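As an added example (not code from this post, from Stripe or from Craft Commerce), the following shows the decisions a checkout built on the Payment Intents API has to make, both for the direct checkout flow described above and for the saved-card hotel case from earlier: which PaymentIntent statuses mean the card was charged without an extra factor, when the 3D Secure challenge has to be shown, and how a later off-session charge that the issuer refuses without SCA is recognised. It assumes Stripe's documented PaymentIntent statuses and the `authentication_required` error code; the PaymentIntent and error objects used to exercise it are constructed samples, so it runs offline.

```javascript
// Added example (not from the post, Stripe or Craft Commerce): the SCA decisions
// a Payment Intents checkout makes, keyed on Stripe's documented PaymentIntent
// statuses. The PaymentIntent/error objects fed to it are constructed samples.

// Statuses after which the merchant may treat the payment as done.
const SETTLED = new Set(["succeeded", "requires_capture", "processing"]);

// Given a PaymentIntent returned by the server, decide the checkout's next step.
function nextStep(pi) {
  if (SETTLED.has(pi.status)) {
    // Stripe and the issuer needed no extra factor (e.g. a low-value
    // exemption applied): the card was charged directly.
    return { step: "fulfill", id: pi.id };
  }
  if (pi.status === "requires_action") {
    // The issuer requires SCA. In the browser this client_secret is handed to
    // stripe.confirmCardPayment(), which opens the 3D Secure challenge
    // (one-time code, bank app, BankID, fingerprint). Card data never
    // passes through the merchant's own code.
    return { step: "authenticate", clientSecret: pi.client_secret };
  }
  if (pi.status === "requires_payment_method") {
    // Declined, or a challenge that failed: collect another card.
    return { step: "collect_new_card" };
  }
  return { step: "error", reason: `unexpected_status:${pi.status}` };
}

// Interpret the { error, paymentIntent } result Stripe.js returns from
// confirmCardPayment() once the challenge has been attempted.
function afterChallenge(result) {
  if (result.error) {
    return { step: "collect_new_card", reason: result.error.code || result.error.message };
  }
  return nextStep(result.paymentIntent);
}

// Saved-card (off-session) charges, the hotel case: the server creates the
// PaymentIntent with off_session: true and confirm: true. If the issuer still
// insists on SCA, the server-side Stripe library throws an `authentication_required`
// error carrying the PaymentIntent, and the customer must return to authenticate.
function afterOffSessionCharge(result) {
  const err = result.error;
  if (!err) return nextStep(result.paymentIntent);
  if (err.code === "authentication_required" && err.raw && err.raw.payment_intent) {
    return { step: "ask_customer_to_authenticate",
             clientSecret: err.raw.payment_intent.client_secret };
  }
  return { step: "collect_new_card", reason: err.code };
}
```

The `clientSecret` returned for the `authenticate` and `ask_customer_to_authenticate` steps is the only value the browser needs to run the challenge; the merchant never handles the card number or the second factor itself.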
References
- Strong Customer Authentication, Finansinspektionen
- How to Prepare for the PSD2 Directive for Card Payments (SCA), Svensk Handel
- European payments are changing, Stripe
- PSD2 and a new reality in European banking, Thales
- 3D Secure 2: Making authentication better, Adyen
- How SCA Works – the new EU Requirement for Card Payments, Nets
- Everything You Need to Know About Strong Customer Authentication (SCA) and 3D Secure 2.0, WP Simple Pay
- Payment services (PSD 2) - Directive (EU) 2015/2366