What's this Magento email warning about PSD2?

OK, so you got this email from Magento with the subject line “Compliance Information for Any Merchants Selling to EU Customers” and in it there are bunch of acronyms and an urgent sounding message: “Regulatory Technical Standards (RTS) for the European Union's Payment Services Directive (PSD2) are scheduled to go into effect on 14 September, 2019.”

First, if you do not sell to customers located in UK or EU countries, you can stop reading now and ignore PSD2, because nothing has changed for you or your site. It doesn’t affect you.

What is all of this (PSD2, SCA, 3DS2, RTS)?

Europe is implementing a new law about online payment processing security (PSD2), in an effort to reduce fraud. The law requires banks to do strict identity checks on every buyer to confirm that they are who they say they are (this is Strong Customer Authentication, or SCA). The primary way this is being done is through 3D Secure 2 (3DS2).

What does this message mean to you if you are an online retailer with customers in the EU?

It means that by September 14th, 2019 you will need to have a payment processor in place on your site that meets PSD2’s SCA requirements, otherwise your EU customers may start having their payments declined.

What’s the fuss?

The fuss for us is that not all gateways support or intend to add support for SCA, nor do all payment methods for those gateways.

Of particular interest to us, Authorize.Net has informed us that they do not intend to support SCA for the 2019-09-14 deadline.

Our Authorize.Net payment gateway extensions are used by thousands of Magento stores and process billions of dollars in sales annually. As a result, we’ve received a fair number of requests asking if our Authorize.Net extensions are or will be updated to be “SCA compliant.” Like I said though, our Authorize.Net extensions cannot be updated to support SCA because Authorize.Net itself does not support SCA. Whether or not an extension implements 3D Secure 2 doesn’t play into it.

So is there anything I can do if I use Authorize.Net and sell in the EU?

If you’re affected by these changes, you will need to change to Authorize.Net’s sister company CyberSource for your payment processing. To learn more about that option and process, visit https://store.paradoxlabs.com/magento2-cybersource-payment-method.html.

Do I have any other options?

If you sell to EU and use a gateway or payment method that doesn’t support SCA, your options are:

  • Switch to a different payment method or gateway that does support it.
  • Ignore it and risk credit cards for your EU customers being declined.
  • Stop selling to EU.

Note that UK is also implementing PSD2, but has delayed its deadline by 18 months, to 2021. At this time there is no indication that EU plans to change its 9/14 deadline.