Article updated on 20/09/2019
From 14th September 2019, the European Commission is introducing new requirements to improve the security of online card payments.
This directive is the second Payment Services Directive, known as PSD2 - and it will still apply to the UK when we leave the EU.
It means that card issuers (so all banks) will have to apply a stronger method of verification, called Strong Customer Authentication (SCA), when processing payments. SCA will apply to all 'customer-initiated' online payments within Europe, and requires that the payment process uses at least two of these three elements:
- Something only the user knows (a password or a PIN, for example)
- Something only the user has (a phone, for example)
- Something only the user is (a fingerprint or voice recognition, for example)
The FCA announced on 13th August that it had agreed an 18-month plan to implement SCA, so as not to cause disruption to consumers and businesses. Their press release says:
The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan.
This means that banks and retailers now have until March 2021 to fully enact SCA on financial transactions. After that, payments that require SCA and don't meet at least two of the criteria above will be declined. As a side note, recurring direct debits will not be affected because these are considered 'merchant-initiated'.
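To make the rule above concrete, here is a small decision helper that applies it to a payment: at least two distinct categories (knowledge, possession, inherence) must be present, two factors from the same category count once, and merchant-initiated transactions are out of scope. This is an added illustration, not code from the article or from any of the payment processors discussed; the factor names and the Payment structure are assumptions made for the example.

```python
"""
Added example (not part of the original article): applies the SCA
"two of three elements" rule to a payment. Factor names and the Payment
structure are illustrative assumptions; real processors report this data
in their own formats.
"""
from dataclasses import dataclass, field

# Map each kind of authentication evidence to its SCA category.
# Names are illustrative assumptions, not any processor's API.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "otp_sms": "possession",        # one-time code sent to the cardholder's phone
    "device_binding": "possession",  # registered device / app
    "fingerprint": "inherence",
    "voice": "inherence",
}


@dataclass
class Payment:
    # True for recurring direct debits and similar merchant-initiated transactions.
    merchant_initiated: bool = False
    # Evidence the cardholder presented during checkout (keys of FACTOR_CATEGORY).
    factors_presented: list = field(default_factory=list)


def sca_required(payment):
    """Merchant-initiated transactions are out of scope for SCA."""
    return not payment.merchant_initiated


def categories_satisfied(factors):
    """Return the set of distinct SCA categories covered by the factors.

    Two factors from the same category (e.g. password + PIN) collapse to one,
    which is the usual mistake when a checkout only counts factors.
    """
    cats = set()
    for f in factors:
        if f not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authentication factor {f!r}")
        cats.add(FACTOR_CATEGORY[f])
    return cats


def authorise(payment):
    """Return (decision, reason) for a customer- or merchant-initiated payment."""
    if not sca_required(payment):
        return ("approve", "merchant-initiated: SCA not required")
    cats = categories_satisfied(payment.factors_presented)
    if len(cats) >= 2:
        return ("approve", "SCA satisfied with " + ", ".join(sorted(cats)))
    return ("decline", "SCA not met: categories presented = " + ", ".join(sorted(cats)) or "none")


if __name__ == "__main__":
    # Constructed sample payments.
    print(authorise(Payment(factors_presented=["password", "otp_sms"])))   # approve
    print(authorise(Payment(factors_presented=["password", "pin"])))       # decline
    print(authorise(Payment(merchant_initiated=True)))                     # approve
```

The second sample is the case worth noting: a password plus a PIN is two factors but only one category, so it does not satisfy SCA even though a naive "count the factors" check would pass it.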
So what does this mean for financial transactions via CiviCRM, Drupal and WordPress sites? First of all, don't panic! There are three scenarios:
- Your payment processor is PSD2-compliant, so you won't need to do anything
- Your payment processor will need upgrading
- You will need to switch to a different payment processor
Moving from one payment processor to another
It's important to note that this isn't a simple process, particularly if your organisation has recurring contributions. If you think you will need to do this, we would advise speaking to your account manager as soon as possible so that s/he can investigate how the process will work for you and put together a quote with the team.
We also thought it would be helpful to clarify the PSD2 status of each payment processor on Circle sites so that you can identify the action, if any, you need to take - read on to find yours.
CiviCRM
Authorize.net
AuthNet is not supporting PSD2 compliance. If your site uses AuthNet, you are very probably based in the US - but for any EU-based payments, you will need to switch to Cybersource, which is supported by the Omnipay processor. More on AuthNet here.
GoCardless
GoCardless is PSD2-compliant, so no action required if your site uses this.
iATS Payments
It isn't yet clear if this extension is PSD2-compliant, but a user has opened an issue on GitHub which you can follow here.
PayPal
There are several options here. PayPal Standard, PayPal Express and the newly-released PayPal Checkout are all PSD2-compliant. The former two redirect users from your site to PayPal, which is also less burdensome for you in terms of PCI requirements, because you're not recording card details on your site. However, it means that the experience for users is less seamless than it would be if they remained on your site.
PayPal Checkout integration with Omnipay and Civi has just been released. Here, the user remains on your site, but a PayPal pop-up window is launched where they enter payment details. So as far as the user is concerned, the payment experience is seamless, and PCI requirements are satisfied.
The community has been quiet about a PSD2-compliant integration of PayPal Pro and Civi, so we don't believe there is ongoing development work in this area. It's also worth noting that the PCI requirements around processing payments directly on your site are fairly onerous, and you may find it's much better for your organisation to go for one of the options above.
Sage Pay via Omnipay
TBC on this one - we're investigating and will update here when we know.
Stripe
PSD2-compliant integration for Stripe and Civi is now ready; however, there is a bug affecting both one-off and recurring contributions. See here for the issue.
Drupal
Drupal Commerce Global Payments (formerly Realex)
A PSD2-compliant version of this module has just been released and users are testing it - follow the conversation here.
Drupal Commerce PayPal
The same applies here as for the CiviCRM section above - PayPal Standard, PayPal Express and PayPal Checkout all process payments offsite and are PSD2-compliant, but there are no plans to update Pro. If your site uses Pro, you will need to switch to another PayPal payment method to ensure you can continue accepting EU-based payments.
Drupal Commerce Sage Pay
According to this issue, your site will only be affected if you use the direct payment method - if you use server or form, you shouldn't have any problems, as these are both offsite payment methods. If you do use the direct method, you will almost certainly want to switch to the server or form method.
Ubercart Global Payments (formerly Realex)
A PSD2-compliant version of the module has been released - follow the conversation here.
Ubercart Stripe
A PSD2-compliant version of the module has been released - follow the conversation here.
WordPress
AmazonPay via WooCommerce
WooCommerce has confirmed that the PSD2-compliant version of this plug-in is now ready - see here for further details.
Global Payments (formerly Realex) via WooCommerce
As above, a PSD2-compliant version of this plug-in is now ready.
PayPal powered by Braintree via WooCommerce
The PSD2-compliant version of this plug-in is ready.
Stripe via WooCommerce
The PSD2-compliant version of this plug-in is also ready.
Stripe on Gravity Forms
Gravity released a PSD2-compliant update for its Stripe plug-in for WordPress on 4th September, along with a blog explaining the changes.
If you think you might need to change the payment processor and/or payment processor library that your site currently uses, or just want further information about the changes, then please email your account manager or raise a support ticket in the usual way.
Although it's great that the deadline has been extended, we would still advise planning to implement any changes as soon as possible. We won't be upgrading or changing processors as standard, so if this is something you want done, you will need to let us know.