
Strong Customer Authentication

Hi,

 

We have software which integrates with Authorize.Net using an Authorize.Net hosted payment page. I understand that a new EU regulation regarding online payments is coming into force in September 2019, called Strong Customer Authentication (SCA), part of PSD2, and I'm assuming that Authorize.Net has or will be making changes to support it. Can anyone confirm whether we'll need to make any changes to our integration as a result or will everything be handled on the Authorize.Net side?

 

Any pointers would be gratefully received!

 

Thanks,

Matt

 

mattcollins
Member
11 REPLIES 11

I'm also wondering the same and would love a reply to this from Authorize.net. Thanks! 

phanie12
Member

Yeah, is there an update here? It seems that Authorize.net is pretty slow to react to changes like this, unlike Stripe. 

dnetzer
Member

Hi Matt, were you able to find any good resources on this? Not seeing much! Which seems odd. 

dnetzer
Member

No, I haven't found anything about it.

 

It sounds like the industry as a whole has been slow to implement the necessary changes and, as a result, the UK's regulator, at least, is likely to delay when they start enforcing it:

http://www.fstech.co.uk/fst/FCA_UK_Finance_18_Month_Delay_SCA_Deadline.php

 

Other countries' regulators may or may not do the same.

 

@dnetzer @mattcollins

A few things about this: 1 is that you can use 3D Secure to comply with this. Auth.net payment transaction API already has a request field to pass this value. 2 is that this is only applicable to transactions of a certain amount, equal to around $50 USD I think. 3 the $50 doesn’t help you that much, but you can also get an exemption for “low risk transactions” which depend on the fraud rate at your MSP and payment provider. I think if both fraud rates are .01% or less you are exempt for any transaction of any amount. 4 Cybersource, which has common ownership with auth.net, is implementing this, so it is likely on auth.net's radar.

The easiest way that already exists on auth.net seems to be the 3DS. For that it is up to your MSP to use 3DS 2.0.

OK, seems so far I'm getting the run around on this and playing a game of "Pass the Hot Potato". 

 

I first called Authorize.net Merchant Support and my rep told me they do not have any information on PSD2 yet and he directed me to: Privacy@visa.com for further support.

 

I did question why Authorize.net was referring me to Visa for this but they said that's who is responsible for this matter. Then I got this email response:

 

"Thank you for writing. Your question was forwarded to the Visa USA area for further assistance. For future queries that address is: askvisausa@visa.com"

 

Who later responded with this:

 

"Thank you for your inquiry.

For specific assistance of this nature, please contact the Visa client financial institution with which you have your business account. Visa does not set up, service, or have access to cardholder or merchant accounts. This is done through our client financial institutions (the banks).

Your bank is the only party that can directly assist you with this matter. You may wish to speak with a manager or supervisor.

Thank you for writing.

Visa Webmaster"

 

Is Visa referring me back to Authorize.net here or my bank? Correct me if I'm wrong but my bank (BB&T) has nothing to do with PSD2 and how the credit cards are being processed via Authorize.net. Or am I wrong on that?

 

I'm not happy about the run around I'm getting at all. 

@phanie12

BB&T is likely your payment processor and MSP. Auth.net acts as a gateway only for many companies.

I googled it and I don’t see that authorize.net has a location in the EEA. I’m not seeing how any transaction for a U.S. based company with a U.S. based payment gateway and a U.S. bank falls under the jurisdiction of the EU. The PSD2 legislation is online, and without reading all of it, it has the scope of the regulation including businesses *located* in the EU or EEA. It has language “both the payee ..... and the payer” in reference to the PSPs in the scope, meaning if any one party is outside the EEA on either side then the SCA isn’t applicable.

So unless you are an EEA member based business with an acquiring bank located in the EEA, I don’t think this is an issue to be concerned with.

Thanks for your input on this, R.:)

 

I would really like to hear it directly from someone at Authorize.net (would put all of our minds at ease I'm sure) since it seems some of the other online payment processors like Stripe and CyberSource have already addressed and made sure they are PSD2 compliant. 

Cybersource is the parent of auth.net. Visa is the parent company of Cybersource. Cybersource deals with large businesses, while auth.net is the arm that does the smaller businesses. From this we can deduce two things- 1 Cybersource deals with more multinational companies, and 2 being that Cybersource and auth.net are under the same leadership at some level, if auth.net has anything needed for this they will be doing it just like Cybersource. Stripe may be a larger processor, I don’t know. Their website also mentions the location exclusion.

You will likely get an answer from auth.net at some point, but I would rest easy if I were you. If someone on the phone tells you that you are required to comply, they are wrong and you can rest easy. If they tell you that you do not need to comply, you can rest easy there too. You can skip the middle man and google to get the legislation.