How to deal with Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) requirements for online payments took effect in the European Union on September 14th, 2019.
What is SCA?
Strong Customer Authentication is one of the new requirements of PSD2, the second Payment Services Directive, which requires authentication for online payments. The aim of SCA is to reduce fraud and make online payments more secure by adding an extra step for authentication.
SCA applies to all online transactions where the payment processor (e.g. the Stripe or PayPal account through which you accept payments) and the card-issuing bank are both from the European Economic Area (EEA).
When Strong Customer Authentication is required for the credit card of one of your customers then, during checkout, on top of the usual credit card number and CVV code they will have to provide more evidence that they are the legitimate owners of the credit card.
Typically, this involves showing the customer an authentication page where they are prompted to enter a password associated with the card or a verification code sent to their phone.
Note that this is not something that you can disable or even control in any form. Ultimately, the bank that issued the credit card of the customer determines how this is implemented and what kind of additional security credentials the user will have to provide. Some low-value transactions may be exempted by the banks and would not ask for additional authentication, but it’s better to assume that all transactions will require some form of authentication.
How does this affect me? Do I need to do something?
If you use Stripe as your payment gateway and your business is based in the EU or you have a strong customer base in Europe, SCA affects you. However, you do not need to do anything else: we have made all the needed adjustments and you are SCA compliant and everything's safe and secure.
LearnWorlds customers that use PayPal, Shopify or 2Checkout as their payment gateway are also covered: the checkout process redirects to an external page, where any SCA requirements are already implemented, i.e. during checkout the customer will be asked to provide additional credentials.
How does SCA affect my school and my Stripe payment gateway?
The main change in the process of the payment is the fact that your learners will need to authorize the transaction.
Credit cards issued by different banks may require different levels of authentication. For example, depending on the credit card, authentication may be required for a one-off payment the first time that the customer uses the card. However, if the learner has set up the card and uses the saved card for subsequent off-session payments, no further authentication will be needed. Or maybe a card requires authentication on all transactions, regardless of how the card is set up.
One-Off Payments (Courses, Bundles)
The procedure of the Checkout will be the same: a popup will appear with the information of the product, text fields where the credit card info needs to be entered, and a payment button (e.g. “Pay $22”). This is what has been happening so far.
Now that SCA is in place, after the users insert their credit card info and click the “Pay $22” button...
… a popup will appear and customers will be asked to verify their identity with a push notification, a text message, or another method chosen by their bank. You can see below a sample user authentication form.
Once the end customers complete the authentication, they will gain access to the respective course and they will receive the relevant receipt/invoice and welcome email.
Recurring Payments (Installments in Courses and Bundles, Subscriptions)
Once again, the procedure of the Checkout will be the same. After the users insert their credit card info and click the “Pay” button for the subscription (or for the payment of their first installment), a popup will appear and customers will be asked to verify their identity with a push notification, a text message, or another method chosen by their bank. By doing so, they consent to the system storing their credit card on file for future/recurring payments (the future payments of the subscription or the remaining installments).
After the users complete the Authentication, the system will try to charge the credit card for the first subscription payment (i.e. first month or year, if it’s a yearly subscription) or the first installment.
If for some reason the bank does not authorize the transaction, a second popup will appear and the users will need to verify the payment/transaction (with a push notification, a text message, or another method chosen by their bank). At the same time, they will receive an automated email from your school stating that the attempt to collect this specific payment has failed (please see the next section about how you can edit the email).
In some cases, a bank/credit card may require that each and every payment needs to be authorized. In this case, the authorization email is sent to the users for all the off-session transactions, e.g. the payment for the 2nd, 3rd, 4th month of a subscription and/or installment. Also, the users will see a red notification in their account that they have a Pending Payment.
After login page with pending payment (at the bottom of the page):
Account page with pending payment (at the top of the page):
Any other page with pending payment (at the top of the page):
How to edit the SCA-related email
As mentioned above, the SCA-related email requesting the end-customer to authorize a payment to your school will be sent automatically by the LearnWorlds platform for failed transactions when it comes to subscriptions and/or installments (not for one-off payments) if for some reason the banks do not approve it.
In order to edit the email, you need to navigate from your admin menu to “Notifications”.
Then click the “SCA-related” field.
There you will see the template and may change it as you wish. You can also enable it or disable it by clicking the “That’s a great idea” checkbox.
We strongly recommend that you enable this email because if you don’t then your customers might not even realize that their payments to your school are not being authorized by their bank. The purpose of this email is to remind them that a transaction is pending and they need to authorize it in order to keep having access to the courses/content of your school.
How to edit/translate the SCA-related text in your school
The popups used for the SCA contain some text which you may customize. LearnWorlds already provides the default English text. However, if you have a different language set up in your school then you may want to translate those strings to your language of choice. In order to edit the SCA-related text you can navigate from your admin menu to “Settings” -> “School language” and while the “Account” option is selected in the dropdown menu you can translate the last 7 strings.
Also, you can select the “Payments” option from the drop-down menu and translate the last 6 strings which are SCA-related.