Strong Customer Authentication
Hi,
We have software which integrates with Authorize.Net using an Authorize.Net hosted payment page. I understand that a new EU regulation regarding online payments is coming into force in September 2019, called Strong Customer Authentication (SCA), part of PSD2, and I'm assuming that Authorize.Net has or will be making changes to support it. Can anyone confirm whether we'll need to make any changes to our integration as a result, or will everything be handled on the Authorize.Net side?
Any pointers would be gratefully received!
Thanks,
Matt
07-10-2019 09:30 AM - edited 07-10-2019 09:31 AM
I'm also wondering the same and would love a reply to this from Authorize.net. Thanks!
07-31-2019 07:33 AM
Yeah, is there an update here? It seems that Authorize.net is pretty slow to react to changes like this, unlike Stripe.
08-10-2019 02:18 PM
Hi Matt, were you able to find any good resources on this? Not seeing much! Which seems odd.
08-10-2019 02:20 PM
No, I haven't found anything about it.
It sounds like the industry as a whole has been slow to implement the necessary changes and, as a result, the UK's regulator, at least, is likely to delay when they start enforcing it:
http://www.fstech.co.uk/fst/FCA_UK_Finance_18_Month_Delay_SCA_Deadline.php
Other countries' regulators may or may not do the same.
08-12-2019 03:58 AM
A few things about this:
1 is that you can use 3D Secure to comply with this. Auth.net payment transaction API already has a request field to pass this value.
2 is that this is only applicable to transactions of a certain amount, equal to around $50 USD I think.
3, the $50 doesn't help you that much, but you can also get an exemption for "low risk transactions" which depend on the fraud rate at your MSP and payment provider. I think if both fraud rates are .01% or less you are exempt for any transaction of any amount.
4, CyberSource, which has common ownership with auth.net, is implementing this, so it is likely on auth.net's radar.
The easiest way that already exists on auth.net seems to be the 3DS. For that it is up to your MSP to use 3DS 2.0.
08-12-2019 08:03 AM
OK, seems so far I'm getting the runaround on this and playing a game of "Pass the Hot Potato".
I first called Authorize.net Merchant Support and my rep told me they do not have any information on PSD2 yet and he directed me to: Privacy@visa.com for further support.
I did question why Authorize.net was referring me to Visa for this but they said that's who is responsible for this matter. Then I got this email response:
"Thank you for writing. Your question was forwarded to the Visa USA area for further assistance. For future queries that address is: askvisausa@visa.com"
Who later responded with this:
"Thank you for your inquiry.
For specific assistance of this nature, please contact the Visa client financial institution with which you have your business account. Visa does not set up, service, or have access to cardholder or merchant accounts. This is done through our client financial institutions (the banks).
Your bank is the only party that can directly assist you with this matter. You may wish to speak with a manager or supervisor.
Thank you for writing.
Visa Webmaster"
Is Visa referring me back to Authorize.net here or my bank? Correct me if I'm wrong but my bank (BB&T) has nothing to do with PSD2 and how the credit cards are being processed via Authorize.net. Or am I wrong on that?
I'm not happy about the runaround I'm getting at all.
08-12-2019 08:09 AM
BB&T is likely your payment processor and MSP. Auth.net acts as a gateway only for many companies.
I googled it and I don’t see that authorize.net has a location in the EEA. I’m not seeing how any transaction for a U.S. based company with a U.S. based payment gateway and a U.S. bank falls under the jurisdiction of the EU. The PSD2 legislation is online, and without reading all of it, it has the scope of the regulation including businesses *located* in the EU or EEA. It has language “both the payee ..... and the payer” in reference to the PSPs in the scope, meaning if any one party is outside the EEA on either side then the SCA isn’t applicable.
So unless you are an EEA member based business with an acquiring bank located in the EEA, I don’t think this is an issue to be concerned with.
08-13-2019 05:58 PM
Thanks for your input on this, R.:)
I would really like to hear it directly from someone at Authorize.net (would put all of our minds at ease I'm sure) since it seems some of the other online payment processors like Stripe and CyberSource have already addressed and made sure they are PSD2 compliant.
08-14-2019 08:09 AM
You will likely get an answer from auth.net at some point, but I would rest easy if I were you. If someone on the phone tells you that you are required to comply, they are wrong and you can rest easy. If they tell you that you do not need to comply, you can rest easy there too. You can skip the middle man and google to get the legislation.
08-14-2019 09:36 PM - edited 08-14-2019 09:38 PM