On September 14, 2019, an update to the EU’s Payment Services Directive (known as PSD2) changed the requirements for many online payments for customers in the European Economic Area (EEA).
If your business is not based in the EEA, you are exempt from these requirements. You’re also exempt if you are based in the EEA, but your customer isn’t.
For businesses based in the EEA that are serving customers in the EEA, there was a change to how payments are processed, but there is no action required on your part to continue accepting payments on Thinkific. However, if you’re a business based in the EEA, with existing subscriptions and/or payment plans for customers in the EEA, you may want to update your Stripe settings to include failed payment notifications (see below).
As of September 14, 2019, Strong Customer Authentication (SCA) is required for online payments between businesses based in the EEA and customers based in the EEA.
If you accept payments on Thinkific via Stripe or PayPal, you are SCA-ready and compliant with PSD2.
What’s Strong Customer Authentication (SCA)?
SCA requires two or more of the following elements to authenticate someone who initiates a transaction online:
- knowledge (something only the user knows, like a password);
- possession (something only the user possesses, like a phone); and/or
- inherence (something the user is, like a fingerprint).
Each must be independent and not compromise the reliability of the others.
The payment provider determines whether SCA is necessary for a transaction based on the credit card billing address of the business and the customers. When SCA is necessary, it happens automatically.
What do you need to do?
If you’re not based in the EEA and/or you’re serving customers not based in the EEA, there’s no change to the checkout experience for your students.
If you’re an EEA-based business serving EEA customers, there’s no action required on your part to accept new payments if you’re using either of Thinkific’s integrated payment processors (Stripe or PayPal). Strong Customer Authentication (SCA) will appear automatically when required for transactions with customers also based in the EEA.
For EEA-based businesses serving EEA customers with subscriptions and payment plans that originated prior to September 14, 2019, your customers may have to undergo additional 3D Secure verification on their renewal date as a result of this change. (Most transactions should be grandfathered and not require additional authentication, but this will protect you either way.)
If you’re based in the EEA and have ongoing subscriptions and/or payment plans, we suggest updating your settings in Stripe to send emails when 3D Secure authentication fails.
Head to your automatic collections settings in Stripe and scroll down to “Manage payments that require 3D Secure”:
- Select “Send a Stripe-hosted link for cardholders to authenticate when required”
- Stripe will pre-select reminder times, but you can adjust them if you want
- You can preview the email and make any adjustments you’d like
- Save your changes
You’re now all set!
- If you’re not based in the European Economic Area (EEA) — no matter where your customers are located — you’re exempt from this legislation and there’s no change or action required.
- If you’re based in the EEA and you’re only accepting one-time payments for your courses, there is no action required.
- If you’re based in the EEA and you have ongoing subscriptions or payment plans, we suggest you take the actions above to prepare, but most recurring transactions should be grandfathered, so there’s nothing to worry about. All transactions from September 14th going forward will include SCA automatically when required.
Please don't hesitate to reach out if you have any questions!