Preparation for the EU's upcoming PSD2 regulation (Strong Customer Authentication)

The Revised Directive on Payment Services (PSD2) will come into full effect in the EU on September 14, 2019. Today we'd like to share some comments on how this will affect Skedda users.

If you're not using online payments through Skedda or you're not based in the European Economic Area, then you don't need to worry about this and you can stop reading now 👍. Otherwise, read on!

An important element of the PSD2 is the requirement for Strong Customer Authentication (SCA) on the majority of electronic payments. If you're taking payments through Skedda, it will be through a Stripe account. Rest assured that Stripe is leading the industry with respect to the PSD2. Stripe is investing heavily to make sure that payment flows remain smooth and frictionless despite the additional requirements imposed by SCA.

To start, Stripe will automatically apply appropriate exemptions to avoid end-users having to complete an authentication step. For example, Stripe will perform a real-time risk analysis to determine whether the payment falls under the "low risk" category (based on the transaction amount and the percentage of your merchant's transactions that have been reported as fraudulent in the past). For the usual scenario where the booking amounts are relatively small and you're not a fraudulent merchant, such exemptions will likely be frequently applicable and accepted by banks.

In the hopefully-rare case that no exemption can be made and the bank requires the customer to complete an on-session authentication flow, there are two cases in Skedda to consider:

  • Customer-initiated transactions: This is the "upfront" payments approach in Skedda, whereby the customer pays immediately for their booking. If SCA is required for the payment to complete, a modal dialog will pop up with the relevant bank's authentication challenge for the customer to complete. There won't be any messy page-reloads or redirects in this process so the payment flow will remain smooth and enjoyable.

  • Merchant-initiated transactions: This is mainly applicable for the case where the venue is following the "book now, pay later" payments approach and it's a venue admin (i.e. the merchant) that initiates the payment when the customer is not "on-session". In these scenarios, when the customer first adds their payment method, they'll be asked to complete authentication and also agree to have their card charged by the merchant at a later time. We'll then mark admin-initiated charges as "merchant-initiated" so that the relevant bank doesn't require SCA. Stripe is currently finalizing the APIs for this particular scenario (expected to be available for Skedda to implement by July 1).

From the Skedda side, we're currently working hard to make sure that all the required changes are being made from our side well in advance of the deadline (namely upgrading to the latest APIs that support these SCA flows). We've already completed a significant portion of this work.

Skedda users can rest assured that they've chosen the correct products to work with (Stripe and Skedda) as we move together towards an even safer internet!

As usual, feel free to reach out to our support team if you have any questions on the PSD2 or SCA. We'll provide further updates on this topic in the upcoming months as events warrant.