Page 1 of 3

3D Secure required by law for all EU transactions

Posted: Fri Apr 12, 2019 2:54 pm
by Daniel
This is very important if you sell products to EU customers. From 14 September 2019 all EU credit card transactions will be rejected if your store does not have 3d secure setup on your web site.

I have been contacted by PayPal regarding this.

I can not find the link to any EU sites with the new law information. It is on stripes web site:

https://stripe.com/en-US/guides/strong- ... entication
On 14 September 2019, new requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2).
We are contacting all the gateways that are included in opencart to get them to update their opencart payment extensions.

If you require a quick solution i recommened cardinal commerces JS 3d secure intergration:

https://developer.cardinalcommerce.com/index.shtml

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 12, 2019 3:29 pm
by OSWorX
Well here you have:
https://ec.europa.eu/info/law/payment-s ... 15-2366_en
Here in German:
https://de.wikipedia.org/wiki/Zahlungsdiensterichtlinie
And English:
https://en.wikipedia.org/wiki/Payment_S ... _Directive
Ad a few more (in German):
https://www.concardis.com/at-de/blog/ar ... egeschaeft
https://newsroom.mastercard.com/eu/de/2 ... -haendler/
https://www.wuv.de/digital/neuer_bezahl ... r_beachten
https://www.six-payment-services.com/de ... e-2-0.html

In general, this Directive is old, made already in 2015.
Valid from January 2018 and have to be fullfilled not later than the 14th September 2019

This 'new' law is called 'EMV 3-D-Secure 2.0' (created by Europay, Mastercard and Visa) is part of the EU-Zahlungsdiensterichtlinie (PSD2)

Important to say, this process is valid only for transactions made with Credit Cards.
Wichtig hier, dieses Verfahren gilt nur für Kredikartenzahlungen!

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 12, 2019 5:20 pm
by paulfeakins
OSWorX wrote:
Fri Apr 12, 2019 3:29 pm
In general, this Directive is old, made already in 2015.
Valid from January 2018 and have to be fullfilled not later than the 14th September 2019
Why does no one know about it then? And why is there nothing online about it?

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 12, 2019 6:26 pm
by Daniel
This is bigger than GDPR

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 12, 2019 6:39 pm
by OSWorX
paulfeakins wrote:
Fri Apr 12, 2019 5:20 pm
OSWorX wrote:
Fri Apr 12, 2019 3:29 pm
In general, this Directive is old, made already in 2015.
Valid from January 2018 and have to be fullfilled not later than the 14th September 2019
Why does no one know about it then? And why is there nothing online about it?
Sorry, I do not know O0
And online is enough .. since a long time (2015 to be exact).
And the EC-Website can be read by everyone 24 hours a day, 7 days a week ..

Visa and MC for example made their first messages about this 1 year ago ..

Beside this, there are many directives out which will effect us all here (sorry, not GB anymore .. if they leave .. :laugh: )
For example the coming ePrivacy.
Or the packaging thing which is completely new in Germany since the 1st of January 2019.

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 12, 2019 6:44 pm
by OSWorX
Daniel wrote:
Fri Apr 12, 2019 6:26 pm
This is bigger than GDPR
Not really, because the GDPR is valid for all and every website - worldwide.
3D-Secure is only for payments made with Credit Cards - and currently more customers are paying with other payment methods (especially here in Europe).

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 12, 2019 10:35 pm
by Johnathan
Those of us with payment extensions may have already been notified (I found out last fall), but the APIs for the SCA requirements weren't even ready until recently. Stripe's is ready, but Braintree's still says it still shouldn't be used in production. I think the payment companies were a little behind the ball on this one --- yes the deadline is September, but April is the start of the window for moving to 3D Secure 2.0, and that's not even possible for many payment gateways right now.

I'll be updating my Stripe and Braintree extensions for the new requirements soon. If you're using a payment method from a different developer, you should contact them to see if they know anything about updating their code. Hopefully Daniel and the OpenCart team will ensure that all the built-in OpenCart payment methods are updated before September.

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 12, 2019 10:46 pm
by Daniel
There are still a lot of payment gateways with no documentation on what updates are required.

Re: 3D Secure required by law for all EU transactions

Posted: Mon Apr 15, 2019 9:35 pm
by Johnathan
Yeah, that doesn't surprise me. Either the law happened too quickly, or the payment processors are dragging their feet, or someone in the middle is holding things up. Hopefully everyone gets their documentation up soon, or there are going to be major issues for EU customers on all sorts of ecommerce websites (not just OpenCart) in September.

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 19, 2019 7:05 pm
by futurehosting
Most of the Payment Gateway providers have already taken this into consideration, from https://worldnettps.com/ I know every client we have referred to them and to the various merchant banks are fully aware of this and it is a standard procedure. The advantage of the gateway is that it lifts the PCI compliance requirement out of the clients/site owners hands and onto that of the Gateway provider . All these providers must be compliant.

The only difference now coming down the tracks was when a client was setting up credit card, the option to go for 3d secure was optional, now it is required. All merchant banks are in correspondence to their customers about this anyway.

Here is the link to the details
https://eba.europa.eu/regulation-and-po ... Id=1627603

Regards

Re: 3D Secure required by law for all EU transactions

Posted: Fri Apr 19, 2019 7:09 pm
by futurehosting
Johnathan wrote:
Mon Apr 15, 2019 9:35 pm
Yeah, that doesn't surprise me. Either the law happened too quickly, or the payment processors are dragging their feet, or someone in the middle is holding things up. Hopefully everyone gets their documentation up soon, or there are going to be major issues for EU customers on all sorts of ecommerce websites (not just OpenCart) in September.
This has been flagged for a very long time, it was the banks themselves. Now to be honest 3d secure is a nightmare and the banks are trying to come up with something better. Some banks are forcing customers to sign up and link their mobile so they can txt to customers.

But there are other rulings coming down with other consequences as well which I linked in the above post. This is to give greater transparency to the customer, protect from fraud and allow greater ability to charge backs. For the site owner I can see other levels of verification that will need to be considered, from email verification to secure the order, etc.

Regards

Alex

Re: 3D Secure required by law for all EU transactions

Posted: Sat Apr 27, 2019 1:46 pm
by adamdevine78
Still there are many gateways that are not secured.

Re: 3D Secure required by law for all EU transactions

Posted: Tue Apr 30, 2019 12:19 am
by rpmb
I have had confirmation from Paymentsense that their module is ready for this.

Version 3.0.0 for OpenCart 3.x

I am not sure if that also applies to the module they have for 2.x

Re: 3D Secure required by law for all EU transactions

Posted: Sun May 05, 2019 9:51 pm
by straightlight
As the first post addresses, however, it is not only about the 3D Secure payments but also about, yes, the second payment services directive (PS2) but also about the: Strong Customer Authentication (SCA) as per this web page with MPP within the UK:

- https://www.paypal.com/uk/webapps/mpp/psd2
- https://developer.paypal.com/docs/psd2-compliance

Jonathan did addressed the SCA package on the above. In addition, the web page has now been provided for more information.

Re: 3D Secure required by law for all EU transactions

Posted: Tue May 07, 2019 5:19 am
by straightlight
Based on the first post with Stripe, a forum user indicates it is not compatible with Egypt still on this day: viewtopic.php?f=198&t=211580#p754334 .

Countries available with Stripe: https://stripe.com/global

Re: 3D Secure required by law for all EU transactions

Posted: Fri May 10, 2019 2:55 pm
by Daniel

Re: 3D Secure required by law for all EU transactions

Posted: Tue Jul 09, 2019 10:12 pm
by ecoleman
Hi Daniel,

Are there any plans to update the Sagepay Direct payment method to Protocol 4.00?
It seems pointless me finding somebody to update this if somebody is already updating this from your end.

Cheers
Elliott

Re: 3D Secure required by law for all EU transactions

Posted: Wed Jul 24, 2019 3:56 pm
by Root66
Very good info you shared in this thread.

Re: 3D Secure required by law for all EU transactions

Posted: Sat Jul 27, 2019 8:26 pm
by RainbowDogs
We currently use the Clear Thinking Stripe extension so will be updating to the new compliant version.

I would however like to have PayPal as a backup. Is 'Paypal Payments Standard' already compliant or do I need to do anything?

Opencart version: 1.5.6.4

Re: 3D Secure required by law for all EU transactions

Posted: Sat Jul 27, 2019 9:49 pm
by Johnathan
Since PayPal Standard redirects to paypal.com, and then the customer enters their PayPal account or credit card info there, I'd imagine it will be SCA compliant by the deadline in September. PayPal handles the payments on its own site, and since they're a huge company I'm sure they'll have everything ready. Unless it needs some particular data from the OpenCart side (which I haven't heard anything about at this point) I think you should be fine.