Beginning September 14, 2019, an update to the EU’s Payment Services Directive (known as PSD2) will change requirements for many online payments for customers in the European Economic Area (EEA).
Note: If your business is not based in the EEA, you’re exempt from these requirements. You’re also exempt if you’re based in the EEA, but your customer isn’t.
For businesses based in the EEA that are serving customers in the EEA, there will be a change to how payments might be processed, but there is no action required on your part to continue accepting payments on Thinkific. However, if you’re a business based in the EEA with existing subscriptions and/or payment plans for customers in the EEA, you may want to update your Stripe settings to include failed payment notifications (see below).
Beginning September 14, 2019, Strong Customer Authentication (SCA) will be required for online payments between businesses based in the EEA and customers based in the EEA.
Whether you accept payments on Thinkific via Stripe or PayPal, both will provide SCA and be compliant with PSD2 prior to the legislation coming into effect.
What’s Strong Customer Authentication (SCA)?
SCA requires two or more of the following elements to authenticate someone who initiates a transaction online:
- knowledge (something only the user knows, like a password);
- possession (something only the user possesses, like a phone); and/or
- inherence (something the user is, like a fingerprint).
Each must be independent and not compromise the reliability of the others.
What do you need to do?
If you’re not based in the EEA and/or you’re serving customers not based in the EEA, there’s no change to the checkout experience for your students.
If you’re an EEA-based business serving EEA customers, there’s no action required on your part to accept new payments if you’re using either of Thinkific’s integrated payment processors (Stripe & PayPal). Strong customer authentication (SCA) will appear automatically when required for transactions with customers also based in the EEA.
For EEA-based businesses serving EEA customers with subscriptions and payment plans that originated prior to September 14, 2019, your customers may have to undergo additional 3D Secure verification on their renewal date as a result of this change. (Most transactions should be grandfathered and not require additional authentication, but this will protect you either way.)
If you’re based in the EEA and have ongoing subscriptions and/or payment plans, we suggest updating your settings in Stripe to send emails when 3D Secure authentication fails.
Head to your automatic collections settings in Stripe and scroll down to “Manage payments that require 3D Secure”:
- Select “Send a Stripe-hosted link for cardholders to authenticate when required”
- Stripe will pre-select reminder times, but you can adjust them if you want
- You can preview the email and make any adjustments you’d like
- Save your changes
You’re now all set for September 14th!
- If you’re not based in the European Economic Area (EEA) — no matter where your customers are located — you’re exempt from this legislation and there’s no change or action required.
- If you’re based in the EEA and you’re only accepting one-time payments for your courses, you’ll be fully compliant September 14th with no action required.
- If you’re based in the EEA and you have ongoing subscriptions or payment plans, we suggest you take the actions above to prepare, but most recurring transactions should be grandfathered so there’s nothing to worry about. All transactions from September 14th going forward will include SCA automatically when required.
Let us know if you have any other questions via firstname.lastname@example.org