PSD2 and ClearBookings
2019-09-10
TL;DR
There has been a buzz of activity in the banking and payment services sector within the EU in recent months, which you have likely heard rumblings about. This is related to EU regulations introduced in January 2018 known as the second Payment Services Directive, or PSD2. The deadline for enforcement of these regulations is September 14th, 2019 - just a few days away as of this writing.
What's it all about?
These regulations aim to improve the landscape for electronic payments across the EU for consumers, merchants and service providers. The goal is for these to provide greater efficiency and security of payment handling, encourage more competition in the payment services sector and achieve better prices and protections for consumers.
PSD2 focuses on the notion of Strong Customer Authentication (SCA): taking additional steps to verify the identity of customers prior to accepting electronic payments from their cards. Merchants and their payment providers are encouraged to provide additional identifying information about customers to the cardholder's bank at the time of transactions. The new 3D Secure version 2 allows for these additional data points. Banks then decide, on the basis of this information, whether to accept the transaction on the spot or challenge the customer with additional authentication steps, e.g. a password, an out-of-band confirmation prompt (think mobile apps) or a secure code transmitted to the user, such as via SMS.
Rather than diving into the nitty-gritty here though, you can find a rounded description of 3DSv2 over at Stripe.
As a ClearBookings customer, how am I impacted?
As an event organiser using the ClearBookings service, the impact on you directly is likely to be minimal.
Come September 14th though, some of your customers may start to receive authentication prompts when completing payments for bookings through our website. This is on account of 3DSv2 no longer being an opt-in feature of payment processing within the EU. The PSD2 regulations do cater for a variety of exemption scenarios to limit the need for authentication challenges to customers. Among others, these include low-value transactions (below €30). That being said, banks are not obliged to implement these exemptions and any given transaction can still legitimately be challenged with an authentication request.
If you have a monthly subscription-based service plan with ClearBookings and are paying by a registered credit card, you may at some point receive communications directly from Stripe requesting authentication to process further monthly subscription charges. This should only be a once-off event, since fixed recurring charges on a card also fall under an exemption case once authentication is completed for the initial payment.
What should I do?
We've got you covered. ClearBookings has worked with both Global Payments and Stripe to ensure our payment integrations are ready when the new regulations take effect. In fact, the necessary improvements have already been active for several months. The approach taken to handling the new requirements varies between payment providers, and so our solution for each varies accordingly.
For those using Global Payments, you may have noticed a couple of small changes on the checkout page:
- Phone numbers are now validated and matched to a country.
- A new 'Country' field appears at the bottom of the 'Your Details' section. This defaults to the country of the customer's entered phone number, and is sent to Global Payments along with the card details as part of the verification process.
For those using Stripe for payment processing, there is generally no visible change besides the new phone number validation (and, of course, the potential for authentication challenges during payment processing).
The only action we advise for event organisers at this point is to ensure you collect customer phone numbers for any bookings involving a payment, as this is a minimal data point required by Global Payments. That said, the default set of customer fields defined when creating a new event includes the phone number, so the action really is just "keep the phone number field". Easy peasy lemon squeezy!
Where can I learn more?
The Central Bank of Ireland has some good information on the subject of PSD2, including an FAQ page here:
centralbank.ie/regulation/psd2-overview/faq
If you have any PSD2 queries specifically in relation to the ClearBookings service, please don't hesitate to get in touch!
Final Note
Although September 14th is the official deadline for enforcement of PSD2 regulations, the overall level of readiness amongst merchants, payment providers and banks varies widely at this point. Many regional regulators within the EU have announced phasing-in periods of up to 2 years to ease this process. That said, it is still likely that some banks may immediately enforce the new authentication scheme and introduce friction to some payments.
It is essentially a case of holding tight, monitoring the situation and being ready to react to situations as they emerge. ClearBookings is here, we are prepared for PSD2 and we are at hand to help, should you need it.