Preparing for the SCA regulations

Quoting from Stripe’s page on the topic:

Strong Customer Authentication (SCA), a new rule coming into effect on September 14, 2019, as part of PSD2 regulation in Europe, will require changes to how your European customers authenticate online payments. Card payments will require a different user experience, namely 3D Secure, in order to meet SCA requirements. Transactions that don’t follow the new authentication guidelines may be declined by your customers’ banks.

To prepare for SCA, you should:

  1. Determine if your business is impacted
  2. Decide which one of our new SCA-ready products is right for your business
  3. Make changes before September 14, 2019, to avoid declined payments

What, if anything, are you doing/have you done for this?

In my case, I’m relying on Quaderno Checkout to make the necessary changes in time.

1 Like

In my case, I marked the E-mail messages from Braintree regarding SCA as IMPORTANT.

3 Likes

Done and dusted, just needed to move to the Stripe payment intents API. Took a few days.

Hi,
We’re in the SCA rollercoaster ride as well. We thought we could get away with it easily by replacing our custom payment form with the new managed Stripe Checkout form. We did just that and everything looked good.
But then, we started to look at how to manage failed payments during subscription renewal using Checkout. Turns out it is not (yet) possible and we are back to square one having to manage Payment Intents and Payment Authentication ourselves.

Anybody been through this and may have a simple solution we may have overlooked?

@SteveMcLeod not using Quaderno right now but will check their solution, thanks!

Looks like the link is dead?

Dead for me too… there’s now this Quaderno page which seems to be more generic: https://support.quaderno.io/article/390-strong-customer-authentication-sca

I’m currently using Stripe + Quaderno. But I’m thinking very strongly about changing to Paddle, so that it becomes someone else’s problem to keep my payment process up to date with changes like SCA.

I was told yesterday the introduction of SCA has been delayed in the UK: https://internetretailing.net/themes/themes/uks-fca-delays-psd2-sca-deadline-to-secure-payments--good-or-bad-news-for-consumers-and-retailers-20068

If you end up using Paddle, please do share your experience! I really like Stripe (+Octobat for invoice/vat management) but the impact of this new SCA regulation on our payment flow is really not trivial.

1 Like

A progress update that might be useful to those using Braintree. I updated the integration to their latest versions, and then went through about three weeks of back-and-forth with Braintree support where their replies were, well, bizarre: they would speak in generalities, or describe flows which were not relevant to my use case. After three weeks I finally understood that Braintree quite simply isn’t ready for SCA, and all their calls to action and E-mails are pretty much a smoke screen. I got them to eventually confirm this.

The current status quo is that I am waiting for them to get their software ready.

Based on what I see, I think this whole SCA thing is going to be a terrible mess. I hope the introduction will get delayed.

2 Likes

I have to admit that I’ve done nothing so far for SCA except bug Quaderno from time to time with questions about it.

I take solace from your experience so far, in that inaction might actually be the best course at the moment.

Well, that was my takeaway, which I’m not very happy with. But I also tried to estimate the risk and I’m actually not that worried. If SCA starts being enforced in Europe, then only my European new customers will be affected (existing subscriptions do not fall under the SCA requirements). Assuming I can detect failed SCA attempts, I can offer these customers a yearly invoice paid with a wire transfer, which customers in the EU really like (for those outside Europe: wire transfers in the EU are quick, cheap, easy and reliable).

I’ve been transitioning to this type of billing contrary to the usual wisdom (“automate everything”) — it doesn’t actually cost that much to manually process a single invoice + bank payment per year per customer, I save on the 2.5-3% transaction fees, and I stop being 100% dependent on a single payment processor (which worries me quite a bit).

2 Likes

Interesting thought, and relevant to me. Just today I wrote down on my todo list to create a better system for dealing with billing by bank transfer.

Things are looking brighter for us with our Stripe implementation upgrade for SCA. I had mentioned previously that I thought Stripe lacked the possibility to easily outsource to them the management of payment details after a failed payment.

One week later and after getting lost in Stripe documentation and videos, it turns out this was inaccurate. There is a solution, and quite a simple one. It is not as easy as checking a box in the Dashboard settings but it is still quite straightforward and definitely less complex than managing an SCA-ready payment flow yourself. For those in the same boat with Stripe, you may find some details here (or contact me if you have questions).

It is sad that Stripe Customer support couldn’t guide me towards this solution when I contacted them earlier (they told me I had to manage everything myself for my use case).

We now delegate everything payment-related to Stripe directly, using Checkout and their hosted pay pages. On our end, we only manage the subscription cycle (and display a helpful “payment failed” message that redirects to a Stripe hosted page when a user card gets declined during a renewal). That removed a lot of the complexity from our app around payments while improving PCI compliance paperwork.

That also means that if another regulation comes in in another country, we’ll be compliant as long as Stripe is compliant, with no additional work. And, as a bonus, it should open us to adding new payment channels like iDEAL or Bank transfer with just a click of a button in Stripe Admin (yet to be tested though).

All in all, quite happy with the overall experience!

1 Like

My “system” is simply a spreadsheet: I figured that up to a certain level (say, 20) I can simply do this myself, and afterwards this work is easily outsourceable, so I don’t think I’ll be building any automation for this anytime soon. Perhaps when I get to hundreds.

2 Likes

Hi there! I’m Carlos, the founder of Quaderno :wave:

We recently relaunched our Checkout form to make it 100% SCA compliant. It works with Stripe and PayPal so far. It calculates taxes in real time, collects location evidence for VAT MOSS, issues tax receipts automatically, supports discount coupons, and generates beautiful tax reports :sunglasses:

You have more info at https://quaderno.io/checkout/

If you have any questions about this or SCA in general, just let me know. Happy to help!

1 Like

After all, it seems that Sweden is the only country enforcing the new SCA regulations from the official start date of September 14th!

More info here:
https://support.stripe.com/questions/strong-customer-authentication-sca-enforcement-date

I integrated Stripe Billing into my web app a couple of months ago, just when Stripe started announcing upcoming SCA changes. It boiled down to swapping a few API primitives with each other:

  • Charges API is replaced with PaymentIntents
  • Sources, Tokens API is replaced with PaymentMethods

It has been quite messy at the time since half of Stripe’s docs were still pointing at the older API (Charge, Source, Token) with warnings all over the place. Back then I was still unsure whether I will be affected by SCA, so I decided to future proof my integration and build against these newer API primitives.

1 Like
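
Added example, not part of the post above and not Stripe's own code: a sketch of what the move from Charges to PaymentIntents changes on the server, namely that a payment is no longer a single success/failure call but an object whose status decides the next step, including the 3D Secure step and the failed-renewal case discussed earlier in the thread. The function name `next_step` and the action labels are hypothetical; the status and error-code strings are the ones I know from Stripe's PaymentIntents documentation, so check them against the API version you pin.

```python
# Added example: constructed PaymentIntent-shaped dicts, trimmed to the
# fields used. next_step() and the action labels are hypothetical names.
FULFIL, WAIT, CAPTURE, CLOSED = "fulfil", "wait", "capture", "closed"
CONFIRM, AUTHENTICATE = "confirm", "authenticate_in_browser"
RECALL, NEW_CARD = "recall_customer", "collect_new_card"

# Statuses whose handling does not depend on whether the customer is present.
SIMPLE = {"succeeded": FULFIL, "processing": WAIT, "requires_capture": CAPTURE,
          "canceled": CLOSED, "requires_confirmation": CONFIRM}


def next_step(intent, off_session=False):
    """Return the one action the server should take for this PaymentIntent.

    `intent` is the object the server fetched from Stripe, never a status
    reported by the browser; `off_session` marks customer-absent renewals.
    """
    status = intent.get("status")
    error_code = (intent.get("last_payment_error") or {}).get("code")

    if status in SIMPLE:
        return SIMPLE[status]         # only "succeeded" grants access
    if status == "requires_action":
        # The bank wants a 3D Secure challenge. Only a present customer
        # can complete it, so a renewal has to bring them back first.
        return RECALL if off_session else AUTHENTICATE
    if status == "requires_payment_method":
        # A renewal refused for lack of authentication can be retried with
        # the same card once the customer is present; any other failure
        # (or no card attached yet) needs new payment details.
        return RECALL if error_code == "authentication_required" else NEW_CARD
    # Unknown or missing status: fail closed instead of guessing.
    raise ValueError(f"unhandled PaymentIntent status: {status!r}")


SAMPLES = [  # constructed, not real Stripe data
    ({"id": "pi_example_1", "status": "succeeded"}, False),
    ({"id": "pi_example_2", "status": "requires_action"}, False),
    ({"id": "pi_example_3", "status": "requires_action"}, True),
    ({"id": "pi_example_4", "status": "requires_payment_method",
      "last_payment_error": {"code": "authentication_required"}}, True),
    ({"id": "pi_example_5", "status": "requires_payment_method",
      "last_payment_error": {"code": "card_declined"}}, True),
]

if __name__ == "__main__":
    for intent, off in SAMPLES:
        print(intent["id"], "->", next_step(intent, off_session=off))
```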

Progress report: it is now September 14. I deployed the latest versions of Braintree software. They seem to have problems with Ghostery (and probably other tracker-blockers), because they try to load cross-site elements from Cardinal systems.

I have no idea if Braintree is ready, because all I hear from them is more of the “get ready for PSD2” propaganda. There is nothing more I can do to “get ready”, and yet it’s the only thing they keep saying. All I can do is use the latest version of their drop-in UI and wait.

I just tried a payment using my own credit card and the whole thing doesn’t work. I got a “session expired” message seemingly from my bank.

In other words, it is all a big mess which doesn’t work at all.

This makes me glad I’ve done nothing so far about SCA.