SCA Compliance

Since version 2.0.0, the plugin is fully compliant with SCA (Strong Customer Authentication). But what changes for the user?

On 14 September 2019, new requirements for authenticating online payments were introduced in Europe as part of the second Payment Services Directive (PSD2). Depending on specific conditions at checkout, European customers may be asked to authenticate their payment with a second factor, using whatever system their bank prefers (e.g., a one-time code sent to their phone, or fingerprint authentication through their mobile banking app).

This applies to all customer-initiated payments but does not apply to payments that are considered merchant-initiated, like recurring direct debits.

Recurring payments with YITH Subscriptions (v. 1.6.1 or greater)

Under this new regulation, specific types of low-risk payments may be exempted from Strong Customer Authentication. Payment providers like Stripe are able to request these exemptions when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or whether authentication is still necessary.

The most relevant exemptions for internet businesses are:

  • Low-risk transactions
  • Payments below €30
  • Fixed-amount subscriptions
  • Merchant-initiated transactions (including variable subscriptions)
  • Trusted beneficiaries
  • Phone sales
  • Corporate payments

Please refer to this section of Stripe's documentation for more information about each of these exemptions.

Two additional exemptions apply regardless of payment amount and frequency:

  • You saved the card details before September 14, 2019
  • You explicitly tell Stripe the transaction is off-session (all recurring payments initiated by our YITH Stripe plugin are marked as off-session)

To learn more about SCA grandfathering, please refer to this page.

Non-authenticated saved cards

For customers who saved their card details on Stripe before this system was in place, the bank may require them to authenticate renewal orders paid with that card as well, because the original payment was never authenticated under SCA. Our plugin lets users authenticate the payment from My Account > Payment Methods by simply clicking the Confirm button, as shown below.

Non-authenticated renewal orders – Email

You can set up an email that is sent whenever a recurring payment is stopped by the bank because it requires strong customer authentication. With it, your customers get a clear explanation of why the order needs these additional checks and guidance on how to proceed with the authentication and payment.

The email will look like the preview below; you can customize it from WooCommerce > Settings > Emails > YITH WooCommerce Stripe – Payment confirmation email. It includes a Confirm Payment button that lets your customers authenticate the payment.

This is a preview of the email that you can send:

Email preview
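As an added illustration (not the plugin's own code), the following shows how the two pieces described above fit together: a renewal charge is sent to Stripe flagged as off-session so the bank can apply the merchant-initiated exemption, and when the bank refuses the exemption Stripe rejects the confirmation with the error code authentication_required, which is the moment to put the order on hold and send the customer the payment confirmation email. The Stripe responses are constructed sample dicts that follow Stripe's public PaymentIntents API field names; the function names, the WooCommerce-style order statuses and the idempotency key are assumptions made for the example.

```python
"""Merchant-initiated renewal under SCA: request shape and the fallback when
the bank insists on authentication. Runs offline: Stripe API responses are
modelled as plain dicts (constructed samples, not captured traffic)."""
from dataclasses import dataclass
from typing import Optional


def renewal_charge_params(customer_id: str, payment_method_id: str,
                          amount_cents: int, currency: str, order_id: int) -> dict:
    """Parameters for POST /v1/payment_intents on a subscription renewal.

    off_session=True tells Stripe the cardholder is not present, so the bank
    is asked for the merchant-initiated exemption; confirm=True attempts the
    charge immediately instead of leaving the intent for a later confirm call.
    """
    return {
        "amount": amount_cents,
        "currency": currency,
        "customer": customer_id,
        "payment_method": payment_method_id,  # card saved from an earlier on-session payment
        "off_session": True,
        "confirm": True,
        "metadata": {"order_id": str(order_id)},
    }


def renewal_idempotency_key(order_id: int, attempt: int) -> str:
    """Idempotency-Key header value (assumed naming scheme). Reusing the same key on
    a retry makes Stripe return the original result rather than charging twice."""
    return f"renewal-{order_id}-attempt-{attempt}"


@dataclass
class RenewalOutcome:
    order_status: str            # "processing" | "on-hold" | "failed" (assumed statuses)
    notify_customer: bool        # send the "Payment confirmation" email with the Confirm button
    client_secret: Optional[str]  # needed on the customer's side to finish authentication


def handle_renewal_response(response: dict) -> RenewalOutcome:
    """Map a Stripe PaymentIntent response, or an error envelope, to what the shop should do."""
    if "error" in response:
        err = response["error"]
        if err.get("code") == "authentication_required":
            # Bank declined the exemption: the customer must authenticate on-session.
            intent = err.get("payment_intent") or {}
            return RenewalOutcome("on-hold", True, intent.get("client_secret"))
        # Any other card error (declined, expired, ...) is a plain failure; no SCA email.
        return RenewalOutcome("failed", False, None)

    status = response.get("status")
    if status == "succeeded":
        return RenewalOutcome("processing", False, None)
    if status == "requires_action":
        # Confirmation did not finish; the customer can complete it from My Account.
        return RenewalOutcome("on-hold", True, response.get("client_secret"))
    return RenewalOutcome("failed", False, None)


# Constructed sample responses, shaped like Stripe's JSON (identifiers are placeholders).
SAMPLE_SUCCESS = {"id": "pi_EXAMPLE_1", "object": "payment_intent", "status": "succeeded"}

SAMPLE_AUTH_REQUIRED = {
    "error": {
        "type": "card_error",
        "code": "authentication_required",
        "message": "This transaction requires authentication.",
        "payment_intent": {
            "id": "pi_EXAMPLE_2",
            "status": "requires_action",
            "client_secret": "pi_EXAMPLE_2_secret_PLACEHOLDER",
        },
    }
}

SAMPLE_DECLINED = {
    "error": {"type": "card_error", "code": "card_declined", "decline_code": "insufficient_funds"}
}


if __name__ == "__main__":
    params = renewal_charge_params("cus_EXAMPLE", "pm_EXAMPLE", 1999, "eur", 42)
    print("request:", params, "idempotency:", renewal_idempotency_key(42, 1))
    for name, sample in [("success", SAMPLE_SUCCESS),
                         ("auth required", SAMPLE_AUTH_REQUIRED),
                         ("declined", SAMPLE_DECLINED)]:
        print(f"{name}: {handle_renewal_response(sample)}")
```

The important distinction in the handler is that only authentication_required triggers the on-hold state and the email: a declined card is not an SCA problem, and sending the customer a "confirm your payment" link in that case would only confuse them. The client_secret is forwarded because Stripe's client-side confirmation needs it to run the bank's challenge when the customer clicks Confirm.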

Please refer to Stripe's official documentation about SCA for further details.

To read the full text of the European Directive on this subject, please refer to this page.