With two-factor authentication quickly becoming a requirement within the European Union, WP Courseware now offers support for strong customer authentication (SCA).
With the number of high-profile data breaches we’ve seen making the news over the past few years, you can only imagine what these massive leaks of secure information cost consumers and companies. For consumers, although largely protected against fraudulent financial activity, trying to untangle the knots of identity theft can be an incredibly stressful experience.
For businesses experiencing a security breach, the work required to repair the damage, smooth over a brand’s tarnished image, and build back the trust of customers can be monumental and costly.
Currently, over 12% of all retail purchases are made online according to the United States Department of Commerce. This generates trillions of financial transactions each year around the globe which all collect some degree of sensitive information. When a breach occurs, the average total cost to clean it up comes in at $3.92 million and 25,575 records are obtained, on average, during each incident according to a study conducted by IBM.
In response, many financial institutions, in cooperation with their overseeing federal lawmaking bodies, are implementing measures to prevent fraudulent transactions online. India became one of the first nations to implement drastic fraud prevention measures and several others currently have legislation in debate.
As of this month, the European Banking Authority has amended its requirements laid out in its 2015 adoption of a customer protection act titled the Revised Directive on Payment Services (PSD2) to require a new two-factor authentication standard for transactions within the European Union’s established European Economic Area.
This new directive has been labeled Strong Customer Authentication, or SCA, a title which is almost as ambiguous as the drop-dead date set for its implementation by merchants and banks (more on that in a moment).
What Is SCA?
This new requirement for European transactions processed online forces a two-factor authentication process during a purchase in which the bank accepting the payment and the issuer of the payment instrument (ie. the bank issuing the card used for purchase) are both located within the European Economic Area.
There are a number of secure details associated with the payment instrument being used (credit card, debit card, etc.) and this two-factor authentication process requires that two pieces of sensitive data are passed along with the transaction to ensure it against fraud. These two pieces of data transmitted must represent two of the three following methods of identification:
- Something the customer knows (password, PIN, etc.)
- Something the customer has (such as a phone number)
- Something the customer is (fingerprint, facial recognition, etc.)
If two of these are passed successfully, the transaction will continue to process and if not, the payment may be declined.
As you might imagine, any payment gateway used to facilitate these transactions will now be responsible for the transfer of associated two-factor authentication to process the payment.
What This Means for WP Courseware Users
WP Courseware has users around the globe selling access to courses from and to dozens of different countries and around 25% of those users are within the European Economic Area. This being the case, our talented lead developer, Cory Crowley, has been working tirelessly to ensure that our EU customers who are using WP Courseware to create and sell courses are in compliance with the new SCA requirements.
There are a few important facets to the impacts of this legislation, so we’ll cover the essential “need to know” facts.
Strong Customer Authentication (SCA) FAQs
Who Is Affected?
This change affects WP Courseware users who:
- Receive funds for the sale of courses at a bank located within the EEA
- Sell courses to customers who bank within the EEA
If you do happen to fall into these two categories, please read on for further details.
What Do I Need to Do?
For the most part, any required changes have been taken care of for you. WP Courseware currently allows users to sell courses using either PayPal or Stripe.
PayPal has taken the step to handle this new two-factor authentication on their end. In a nutshell, if you are currently selling your courses with PayPal you likely won’t even be aware of any changes as customers will interface with PayPal during the transaction.
Stripe, however, has left it to software developers who include payment gateway functionality to ensure that their transaction process utilizes the Stripe Payment Intents API as opposed to their legacy Stripe Charges API.
If you use Stripe to sell your courses within the EEA, WP Courseware has now been updated to utilize the Payment Intents API so that EU transactions can facilitate the two-factor authentication process.
If you are using the Stripe Checkout modal payment form, Stripe is no longer recommending this method of accepting payments. Stripe Checkout will continue to allow you to sell courses within the EU for the time being. WP Courseware has not removed the Stripe Checkout option and Stripe itself has built the SCA two-factor process into Checkout. However, over time you’ll want to phase the old modal out of your transaction process.
All WP Courseware Users
If SCA requirements do affect your sale of online courses using WP Courseware, we recommend logging into the Installed Plugins screen within your WordPress administrative dashboard and updating to WP Courseware version 4.6.3 immediately.
We’re also recommending that SCA-affected WP Courseware users ensure that their website’s server or host are updated to PHP version 5.6 or greater.
What About Subscriptions?
For WP Courseware users affected by SCA, any existing recurring subscriptions will not be affected. Do keep in mind, however, that while this is a general agreement among EEA banks, it is up to the customer’s individual bank to accept this exemption for existing recurring payment profiles or to reject it and require SCA for all transactions regardless of the creation date of the subscription.
For all newly created subscriptions, the two-factor authentication step will be required on the first payment and subsequent payments will be processed without re-authenticating.
Does This Affect Me If I’m Not In the EU?
It’s possible. Keep in mind that these changes affect transactions where the bank accepting the payment and the bank issuing the payment are located within the EEA. If you are accepting funds within a bank in the EEA for the sale of your courses but your business is not physically located in the EEA, you are still required to comply when the purchaser is also banking within the EEA.
Also, please note that the EEA also includes Iceland, Liechtenstein, and Norway in addition to the EU member countries.
Are There Exemptions?
So far regulators have stated that transactions less than €30 will bypass Strong Customer Authentication. However, a few details of this regulation are still being debated and modified within individual nations having differing requirements as well.
Is There a Deadline for Implementation?
The first deadline to comply with SCA was September 14th, 2019 and this was behind our efforts to update WP Courseware as soon as possible. However, due to massive lack of preparedness among European banks an 18-month extension has been granted for them to put the proper protocols in place. That being said, it is best to comply as soon as possible.