Do you manage a WooCommerce store or plan to launch one soon?
Then you can't afford to miss this: Strong Customer Authentication (SCA) for your (future) WooCommerce site.
Does this acronym mean anything to you? Yet it is essential to reduce fraud and secure online purchases.
And above all, it is vital that you comply with it. Otherwise, you risk having many payments refused and your sales dwindling.
At the end of this article, you will have a complete overview of the SCA system, with all our advice to ensure that your WooCommerce store complies with this regulatory measure.
What is the SCA?
A regulatory measure to reduce fraud
SCA stands for "Strong Customer Authentication." It is a European regulatory measure that makes it possible to verify the identity of anyone making an online purchase, using two identification factors.
This system aims to reduce fraud during online purchases while strengthening the security of online payment transactions. In France, it has been mandatory since May 15, 2021 for online purchases of at least 30 euros.
More broadly, SCA is a measure provided for in European Directive (EU) 2015/2366 on payment services (PSD2).
This European regulation, voted by the European Parliament in 2015 and entered into force in September 2019, repeals Directive 2007/64 of 13 November 2007 concerning electronic payment services in the internal market (PSD1).
Strengthen security and protect consumers
PSD2 pursues several objectives:
- "to harmonize payment regulations within the European Union", as the France Num website puts it;
- modernize European payment services in the interest of consumers and businesses, by promoting "innovation, competition, and efficiency". This includes, for example, opening the market to new players, called PSPs (Payment Service Providers), such as Stripe or PayPal;
- strengthen the level of payment security and promote better consumer protection.
To achieve this, PSD2 includes several components:
- the requirement for strong authentication;
- the ban on surcharging: it is not possible to apply additional payment fees in the case of payment by credit or debit card;
- strengthening consumer rights and the protection of their data, for example by lowering the deductible that the customer has to pay in the event of a fraudulent card payment before dispute, from €150 to €50.
How does Strong Customer Authentication (SCA) work?
One device, three elements
Before strong authentication came into effect, security requirements were less strict when a customer wanted to initiate an electronic payment.
Most of the time, to finalize an order, the user simply had to provide the merchant website with a code sent by their bank via SMS. The verification took only one element into account.
The SCA uses what is called two-factor authentication.
From now on, when a customer wishes to make an online payment, they must provide two of the following three elements to validate the transaction:
- An element of knowledge. This refers to something only the user knows, such as a password or a numerical code. It cannot, under any circumstances, be their bank card number or its expiry date.
- An element of possession. Here, identity verification relies on an element that only the user possesses, such as their mobile phone or a token key.
- An element of inherence. That is to say, something that is unique to the person and defines them. This includes, for example, their voice, fingerprint, or facial features.
Strong customer authentication is implemented directly by banks and other electronic payment service providers. They are directly responsible in case of any problems.
However, as an e-commerce merchant, you must ensure that Strong Customer Authentication is properly supported on your WordPress e-commerce store (we will come back to this in detail), in order to comply with the regulations in force.
How a payment tunnel works with strong customer authentication
With strong authentication on WooCommerce, the consumer goes through 4 steps during the payment process:
- They enter their payment information: name of the bank card holder, credit card number, expiry date and security code (Card Validation Code).
- The payment institution (e.g., the user's bank) sends them a notification in the bank's smartphone app.
- The consumer enters a password or provides a fingerprint to validate the payment during the checkout phase.
- If the identification is confirmed, the transaction is validated and the payment is accepted.
Who is affected by SCA on WooCommerce?
A wide range of applications
Strong authentication must be implemented for all electronic payment transactions, whether carried out in an online or offline environment.
Since PSD2 is a European directive, its scope applies to payment services provided within the European Union (and not worldwide).
As the service provider Stripe specifies, this concerns "card transactions where both the business and the cardholder's bank are located in the European Economic Area (EEA)".
This strong authentication measure applies to the entire payments ecosystem:
- the banks;
- payment providers (such as Worldline, Paybox, Ogone, Monext, Stripe, PayPal, etc.);
- card networks (Visa, Mastercard);
- e-commerce businesses.
What are the possible exemptions?
The legislator has provided for several cases of exemption from the obligation of strong customer authentication.
These exemption requests are made during payment processing. It is the cardholder's bank that decides whether or not to maintain strong authentication, based in particular on the risk level of the transaction.
Specifically, these exemptions apply, for example, to the following situations:
- low-value transactions, the sales amount of which does not exceed €30;
- recurring transactions having the same amount and the same beneficiary;
- low-risk transactions, that is to say, payments made at an e-commerce site with a low fraud rate;
- telephone sales;
- company card payments;
- transfers between accounts held by the same natural or legal person.
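To tie together the two-of-three rule and the exemption cases described above, here is an added Python example (not from the original article or from any bank's or payment provider's code) that models whether a card payment ends up accepted or declined. The element names, the `Payment` fields and the `bank_grants_exemption` flag are assumptions made for this example; transfers between a person's own accounts are left out because they are not card purchases.

```python
from dataclasses import dataclass

# Element names are this example's own labels, grouped as the article groups
# them. Treating an SMS code as "possession" (of the phone) is an assumption.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone_app_approval": "possession", "sms_code": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}
NOT_A_FACTOR = {"card_number", "card_expiry"}  # never a knowledge element


@dataclass
class Payment:
    amount_eur: float
    merchant_in_eea: bool = True
    issuer_in_eea: bool = True
    recurring_same_amount_and_payee: bool = False
    telephone_sale: bool = False
    corporate_card: bool = False
    low_risk_merchant: bool = False


def factor_categories(elements):
    """Distinct categories covered; card data and unknown names are ignored."""
    return {CATEGORY[e] for e in elements
            if e not in NOT_A_FACTOR and e in CATEGORY}


def exemptions(p):
    """Exemptions that could be requested; the cardholder's bank decides."""
    checks = {
        "low_value": p.amount_eur <= 30,
        "recurring": p.recurring_same_amount_and_payee,
        "telephone_sale": p.telephone_sale,
        "corporate_card": p.corporate_card,
        "low_risk": p.low_risk_merchant,
    }
    return [name for name, hit in checks.items() if hit]


def decide(p, elements, bank_grants_exemption=False):
    """Outcome of one payment: scope first, then exemption, then two factors."""
    if not (p.merchant_in_eea and p.issuer_in_eea):
        return "out_of_scope"
    if exemptions(p) and bank_grants_exemption:
        return "accepted_exempt"
    cats = factor_categories(elements)
    return "accepted_sca" if len(cats) >= 2 else "declined_sca_missing"
```

Card details plus an SMS code cover only one category, so that combination is declined here, while an app approval on the phone plus a fingerprint passes.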
What is the impact of PSD2?
Strong customer authentication, and more broadly the PSD2 directive, introduces multiple benefits for both consumers and owners of e-commerce websites.
Let's look at them in detail one by one.
Consumer benefits
For consumers, PSD2 essentially means stronger protection. This concerns several aspects:
- the security of their online purchases is improving thanks to stricter standards. This reduces the risks of fraud and hacking;
- their rights are more extensive. Consumers, for example, have the right to a full refund without any questions asked for payments made in euros;
- the confidentiality of their personal financial data is better protected at the source. For example, no data processing can take place without the consumer's consent, in accordance with what is stipulated in the General Data Protection Regulation (GDPR).
Furthermore, consumers benefit from a new, smoother and more convenient payment experience.
Advantages for e-commerce sites
For online store owners, SCA on WooCommerce offers definite advantages at various levels:
- the risks of fraud are less significant, since the identification of the payer is strengthened. Consequently, financial losses are more limited and management is easier, as potential disputes are reduced;
- consumer confidence increases because the payment verification process is more secure. A potential customer may then be more inclined to buy, thus increasing your conversions;
- opening the market to competition allows you to test new service providers who are more willing to meet your needs and those of your customers.
Did you know? Two-factor authentication isn't just for online transactions. You can also use it to enhance the security of your WordPress admin login page. Several WordPress security plugins (iThemes Security, SecuPress, Wordfence, etc.) allow you to activate two-factor authentication in just a few clicks.
How can I ensure compliance with strong authentication on WooCommerce?
Now that you understand how strong authentication works and its overall impact, it's time to determine if your ecommerce store complies with the SCA framework with WooCommerce.
If this isn't the case, many purchases will be declined on your WordPress website, and your revenue will be negatively impacted. So it's best to avoid that!
Technically, you need to ensure that your payment gateway allows for the authentication of online payments.
This is usually done via the 3D Secure 2 protocol, which guarantees compliance with the requirements of strong customer authentication in Europe.
Good news: the vast majority of payment providers use the 3D Secure 2 function.
To find out if the one you are considering or the one you are currently using on your WordPress website is compliant, contact your payment provider (or your bank) by asking their customer service or management department.
To help you, WooCommerce has published a non-exhaustive list of popular payment gateways compatible with Strong Customer Authentication for WooCommerce. The examples below offer this integration:
- Stripe;
- Amazon Pay;
- Global Payments Gateway (formerly Realex);
- PayPal;
- PayPal powered by Braintree;
- Sage Pay;
- Sofort;
- Klarna Payments;
- Klarna Checkout, etc.
Another method is available to you: the official WooCommerce extensions directory. In the "Payments" category, click on "Processors & gateways" to access a list of official plugins (select "France" from the list of countries):
All you have to do then is click on the one that interests you to make sure that it supports and offers integration with Strong Customer Authentication on WooCommerce (search in its description to find a trace of the term, for example).
If you are starting from scratch, we will finally show you how to benefit from SCA on WooCommerce using Stripe.
How to set up SCA on WooCommerce with Stripe?
Why use this platform?
Stripe is an online payment processing platform that lets you accept payments in different forms, including, of course, by bank card.
It combines numerous advantages and features that make it a preferred solution for your WooCommerce site:
- it uses strong authentication, which means you don't have to do anything on your end;
- it is very easy to use, both for the webmaster and the consumer (the latter can pay for items in one click with the Stripe Checkout option);
- it offers a free WordPress plugin which connects to your WooCommerce store. This plugin can even integrate with contact form plugins like Gravity Forms (via an add-on). Furthermore, Stripe works with any WordPress theme and any hosting provider;
- it accepts both one-time and recurring payments from your customers (transaction fees are still charged on each payment received);
- the payment process takes place directly on the merchant's website. The buyer never leaves your site, which limits the risk of cart abandonment;
- the platform also accepts SEPA direct debit and payment by bank transfer, as well as Apple Pay or Google Pay;
- the tool uses the 3D Secure 2 protocol;
- a dashboard gives you access to statistics on payments, orders and transactions in your store;
- purchases of products/services in more than 135 different currencies are possible;
- your customer does not need to have a Stripe account to pay for a purchase (unlike PayPal).
Now, we'll show you how to link this service to your WooCommerce-powered WordPress store, using a short, practical 4-step tutorial. As you'll see, we'll cover various topics in a hands-on way.
Step 1: Create a Stripe account
First, you need to create an account to accept payments on your site/blog.
To do this, go to the official Stripe website, then click on the "Login" button in the top right corner:
On the next page, click on the link called "Register", located below the login form:
Please provide the following information:
- your email;
- your name;
- a password.
And click on the "Create an account" button:
You will then be asked to confirm your email address via an email sent to your inbox.
You will then arrive at your dashboard. For the moment, your account is in Test mode.
Activate your account to switch to production mode:
To do this, you simply need to add information about your company and add your bank account so you can receive payments.
Step 2: Update WooCommerce
When everything looks good on your dashboard, log in to your WordPress CMS administration interface.
For the purposes of this test, we assume that you already have hosting, a configured WooCommerce store, and a theme suited to selling goods.
If this is not the case, activate the ecommerce plugin and configure it using its setup wizard.
Before moving on, check that you are using the latest version of the plugin. This is important to benefit from the latest developments and features, and it helps to strengthen the security of your site.
To find out, go to the Dashboard > Updates menu. If you don't see the WooCommerce plugin listed in the Extensions section of the WordPress Updates menu, you're all good.
Otherwise, update the ecommerce extension.
Tip: before a major update such as a WooCommerce update, consider backing up your WordPress website. To do this, you can use one of the many backup plugins, such as UpdraftPlus, or a tool dedicated to maintenance, such as WP Umbrella, which offers a backup function.
Step 3: Activate the WooCommerce Stripe Payment Gateway extension
Once WooCommerce is updated to its latest version, go to the Extensions > Add New menu.
In the search bar, type "WooCommerce Stripe Payment Gateway". This is the official extension created by WooCommerce:
Install and then activate this extension.
If your WordPress site or blog is not using HTTPS, the plugin will ask you to enable this protocol, which secures the connection to your WordPress site built with WooCommerce.
For an online store, this is an essential prerequisite to protect and secure your customers' payment (and personal) data.
To switch your site to HTTPS, you need an SSL certificate. Most hosting providers (Kinsta, o2switch, OVH, etc.) offer to activate one for free.
Contact your hosting company for more information, if applicable.
Step 4: Check the SCA configuration options on WooCommerce
Next, connect your Stripe account to WooCommerce by entering your live API keys and the "Webhooks" information (a term familiar to developers).
You will find this information in the "Developers" section of your account:
Did you know? A webhook notifies your application when an event occurs in your account. Stripe specifies that "webhooks are particularly useful for asynchronous events such as confirmation of a payment by the customer's bank, a payment dispute by the customer, the completion of a recurring payment, or the collection of subscription payments."
Then, in the "Payments" tab of WooCommerce Settings, simply ensure your Stripe account is activated. And that's it: strong customer authentication on WooCommerce is now up and running.
If you wish, you can also run tests to simulate various transactions. To do this, check the "Enable TEST mode" box and then verify the functionality on your theme:
Summary
Strong customer authentication (SCA) on WooCommerce is an essential measure for securing online transactions on the WordPress CMS while reducing the risk of fraud.
Throughout this section, we have explored several themes. You have notably discovered the following:
- the operating mode of Strong Customer Authentication;
- its scope;
- its impact on e-commerce site owners and managers and on consumers;
- the means at your disposal to verify the compliance of your WooCommerce site with Strong Customer Authentication;
- how to integrate Stripe into your online store to benefit from strong authentication.
If you have a WooCommerce site, it's crucial to ensure its compliance with this regulatory requirement. Do you need assistance deploying strong authentication on your online store?
Contact the WP Maintenance team. Available 7 days a week, our WordPress support service will offer you a tailor-made solution that will meet your needs with speed, professionalism and efficiency.