Question

As of the 14th of September PSD2 comes into effect (more info here)

As I understand it, this means all transactions have to be 3D Secure (maybe all have to use the new 3D Secure v2).

What does this mean for our Magento website checkouts? What changes are needed (if any)?

Solution

This new directive has a significant compliance impact on most payment processing services involving credit cards or bank transfers for goods & services sold to customers in the EU.

Whether you need to take action depends on the way each payment module works. PayPal redirects to their own payment page, so they should take care of the PSD2 requirements. What's a bit confusing, though, is the following recommendation from an official Magento newsletter sent today:

When and/or where use of 3DS 2.0 is required, Merchants will either need to replace PayPal with Braintree or upgrade to Magento 2.3.x.

I reached out to Piotr Kaminski, who is a Lead Product Manager at Magento, and he replied as follows:

The PayPal integration that is in 1.x for some of the PayPal payment methods requires use of Cardinal for 3D Secure. The Cardinal integration only supports 3DS 1.0. PayPal Standard/Express/HSS Pro is not affected. All the others (PayFlow Pro, PayFlow Link, PP Payments Pro 2.0/3.0, PP Advanced) are affected and the recommendation is to switch to Braintree.

Some payment integrations take credit card data directly in the Magento checkout (inline payment). Those integrations are likely the ones that need to be updated if they do not yet support PSD2.

OTHER TIPS

If you are using Sage Pay Suite and use the "form" or "server" methods, you should be fine (as long as you have 3D Secure turned on), but if you are using "direct", changes are needed (9 additional fields need to be passed). More info here

If you are using "direct", then Sage Pay Suite needs to be updated. Ebizmarts (the creators of the Sage Pay Suite extension) are working on an update and say it should be ready mid-August.

Update: Ebizmarts, who do the Sage Pay module, said they will be updating their module to be compatible with 3D Secure v2:

Due to delays on Sage Pay's TEST environment updates these are the new release dates for Sage Pay Suite Pro compatibility with 3D v2 + SCA:

  • Direct integration: August 22nd 2019.
  • Pi Integration: August 30th 2019.

Please note that Form and Server integrations are already supported

Update 2: As pointed out in wr125's answer, the FCA have recently announced an 18-month plan extension. So I contacted Sage Pay for confirmation; they said:

Yes this new update from the FCA has relaxed the deadline so vendors will not face penalties for not using SCA until March 2021. Sage Pay will still be updating the payment gateway in time for September 14th when 3D Secure v2 will be made available but vendors do now have until March 2021 to become compliant

......Essentially 3D Secure v2 will be available from September 14th 2019 as planned but there will be no penalties for vendors not using 3D Secure v2 until March 2021, as such you have more time to update your integration

Update 3: Just for completeness (from Sage Pay):

Yes, you can continue not using 3D Secure at all. Not passing transactions through 3D Secure at all can incur additional charges from your merchant bank however...

The FCA have recently announced an 18-month plan (extension?) to this.

The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.

To me, this sounds like if you aren't ready by 14th September, but are working towards it, you'll be OK, but I could be wrong.

Does anyone have a different interpretation of this?

I asked this in the Magento Slack channel; see below:

Piotr just replied:

OK, got some clarification. PayPal Standard/Express/HSS Pro is not affected. All the others (PayFlow Pro, PayFlow Link, PP Payments Pro 2.0/3.0, PP Advanced) are affected and the recommendation is to switch to Braintree

NOTE: The FCA information is only for UK-based merchants! France, Italy and Austria plan to extend the deadline. For Germany there is nothing planned till now - only for CC payment.

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange