ThriveCart has been fully compliant with SCA/PSD2 regulations since before it was initially introduced in September 2019. From January 2021, further enforcement of these regulations (through PSD2) has been imposed from banks and card issuers across the EU, and ThriveCart continues to remain compliant with these regulations.
You can find our initial release documentation directly on our blog here.
Starting from September 14th 2019, there was new regulation coming into effect for European customers which will impact online sales and payment processing – Strong Customer Authentication (SCA), part of the new PSD2 regulations.
The goal of these regulations is to reduce the amount of fraud committed online by requiring consumers to verify their payments at the point of transaction, normally using their mobile phone or banking app to provide a pin – much like most 2-Factor Authentication services.
As a result of these requirements, checkout providers such as ThriveCart and the supporting payment processors have enabled 3D Secure online payments functionality in checkout.
Stripe has enabled, and fully supports, the 3DS verification steps that your customers will follow in checkout.
Authorize.net does not support 3DS verification.
Most PayPal checkouts will not require 3DS verification, as this would be required when adding a card to their PayPal wallet, but some checkouts may.
How this works in the ThriveCart Funnel Flow
Customers clicking your “buy” button will see a popup from their bank requiring additional confirmation. This popup changes bank to bank, but it may be via a text message on their phone or a unique time-bound code generated in their banking app.
The code will be verified and their payment will then be processed.
The payment intent is created in Stripe as soon as the “buy” button is clicked, but will remain as “incomplete” and will not be confirmed until their 3DS confirmation has been completed.
In most cases they will not be required to enter 3DS Verification again while moving through the funnel, but since upsell purchases using Stripe Enhanced and Stripe Connect+ are processed separately, they may have to enter their verification code at each stage of the funnel. This is not something that can be adjusted by ThriveCart or by Stripe as it would be their bank’s requirement.
Subscription payments
Most subscription payments are considered pre-authenticated and will not require authentication each month. However, some banks may request random or mid-subscription authentication, such as when a paused subscription is resumed.
If this happens, we’ll email the customer the below, with a link to re-authorize the payment. The language of this email is based on your product settings.
This email is sent from notifications@thrivecart.email only. The same email address from which they would have received their initial receipt.
Subject: [Important] Your recurring payment requires re-authentication
Your recurring payment for {{product}} from {{vendor}} requires re-authentication
Hi {{customer_name}},
You must click here to authenticate this payment quickly and easily.
Please note: if you do not do this, your service may be interrupted.If you have any questions, please click here to contact {{vendor}} directly.
After clicking the link, the customer will then see the below screen with their payment and purchase details:
Clicking the “Confirm payment” button will walk them through their bank’s required re-authentication steps, if necessary, before their payment is processed and their rebill transaction created.
If the customer does not confirm payment through this re-authentication process, their subscription could end up being cancelled for non-payment by your payment gateway.