How does Paddle Handle Secure Customer Authentication and PSD2?
PSD2 was introduced in September 2019 to ensure consumer protection through increased security around online card payments, across all payment types. The aim is to create a more open and competitive payments landscape across Europe. Banks will decline any payment where Strong Customer Authentication (SCA) is not gathered when they request it.
What is Strong Customer Authentication (SCA)?
The new legislation requires all customers in the EU (with some exceptions) to authenticate payments when requested, providing at least 2 items from the list below:
- Something the customer knows (password or PIN)
- Something the customer has (phone or hardware token)
- Something the customer is (fingerprint or face recognition)
If the customer is asked to provide authentication during the checkout process, they will see their bank's interface. However, if they have to authenticate a payment outside the checkout process, for example for a recurring subscription payment, they will receive an email with a link to the authentication process specific to their bank.
3D-Secure 1 (3DS1) vs. 3D-Secure 2 (3DS2)
3DS1 is the version of the authentication process which you may have experienced as a customer in previous years when making online purchases (if your bank requested it), where you are redirected away from the checkout to your bank's website and then back to a confirmation page hosted by the checkout. This is now being replaced by the much improved and less invasive 3DS2, which is being rolled out as part of PSD2. 3DS2 has a much better user experience and is less likely to result in checkout abandonment. This process will not require redirects or pop-ups from the customer's bank, but will instead be an integrated part of the checkout.
Paddle is 100% compliant and ready for 3DS2. However, it is up to the customer's bank to request 3DS2 (or 3DS1). Before PSD2 took effect, it was reported that many banks would not be ready for 3DS2 in time, and this is exactly what we're seeing. Support and usage of 3DS2 by issuing banks is extremely low, with just 1% of 3DS authentications currently taking advantage of 3DS2, the rest using 3DS1. As the banks catch up and support 3DS2, more and more of them will eventually start requesting SCA through 3DS2. Given the limited uptake of 3DS2, we've improved our 3DS1 flow by showing the issuing bank's website within our checkout, rather than in a popup window. We're also working on improving our dunning emails when authentication is required for recurring payments, just in case banks start getting more strict with these.
We’ll be monitoring the trends in this area in the coming months and working closely with our payment partners in order to give end users the best checkout payment and authentication experience possible.
What do I have to do?
No action is required from you. Paddle will handle the entire process, and all the compliance so that you can focus on more important things.
Should you have any questions regarding this, please don't hesitate to reach out to the Seller Support team (email us or message us via the Dashboard Chat).