Strong Customer Authentication (SCA) compliance

I’m creating this post to shed some light on what has been discussed so far in Slack and GitHub, so that everyone can follow what’s going on.
Once again, I’m only writing a summary: it is based on the work done by @lin_d_hop, @kristinalim and @Matt-Yorkley.

I’m making this post a wiki, please correct / add info as much as needed.

What is it about?

Strong Customer Authentication (SCA) is an EU regulation which requires two-factor authentication on many online payments in Europe. Payments made without SCA may be declined by the customer’s bank.

Who does it impact?

All EU instances, and more particularly all EU instances using Stripe (UK, FR, BE and Katuma).

We will need to make significant updates to our Stripe integration in order to avoid an increase in declined charges and to be compliant with this new regulation. Luckily Stripe has everything very well documented :ok_hand:

First steps made by the software team

The regulation was supposed to come into force on September 14th, so we started a spike on what needed to be done. The issue covering the spike is here:

And the result of the spike can be seen in this epic:

Main outcomes:

  • Priority number :one: is ensuring that once-off payments in the shopfront trigger 3D Secure authentication when necessary.
  • Priority number :two: is ensuring that in BOTH places where a user can save a card (shopfront & Account->Cards), we always create a PaymentIntent set up for off-session payments (so the customer authenticates while they are present) and save it.
  • Priority number :three: is ensuring that the Subs workflow can handle SCA being requested despite us having a PaymentIntent for this off-session payment.
  • Priority number :four: is having a suitable workflow for hub managers to take card payments on the admin side.
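To make priorities :one: to :three: concrete, here is an added example (not Open Food Network code, and not the Stripe gem itself) of the two decisions the app has to make: which parameters to send when creating a PaymentIntent, and what to do with the state Stripe hands back. The hashes are constructed stand-ins for the JSON a PaymentIntent returns; the field names (`status`, `next_action`, `last_payment_error`, `setup_future_usage`, `off_session`) are Stripe’s, the helper names are assumptions of this example.

```ruby
# Added example (not Open Food Network code): how a shopfront checkout and a
# subscription charge should build and interpret a Stripe PaymentIntent under SCA.
# The hashes are constructed stand-ins for Stripe's JSON; field names are Stripe's,
# helper names are ours.

# Once-off shopfront payment (priority 1). If the shopper asked to save the card,
# setup_future_usage asks Stripe to authenticate now, while the customer is
# present, so the saved card can later be charged off-session (priority 2).
def checkout_intent_params(amount_cents, currency, payment_method_id, save_card:)
  params = {
    amount: amount_cents,
    currency: currency,
    payment_method: payment_method_id,
    confirm: true
  }
  params[:setup_future_usage] = "off_session" if save_card
  params
end

# Subscription charge with a previously saved card (priority 3): the customer is
# not present, so we tell Stripe the charge is off-session.
def subscription_intent_params(amount_cents, currency, customer_id, payment_method_id)
  {
    amount: amount_cents,
    currency: currency,
    customer: customer_id,
    payment_method: payment_method_id,
    off_session: true,
    confirm: true
  }
end

# Decide what the application must do next from the PaymentIntent status.
# Returns one of:
#   :succeeded                  - charge done (or authorised, for capture later)
#   :authenticate_in_browser    - 3D Secure challenge; the browser must run
#                                 stripe.handleCardAction with the client_secret
#   :ask_customer_to_authenticate - off-session charge that the bank will only
#                                 allow after SCA; bring the customer back on-session
#   :new_payment_method         - card failed for another reason; ask for a new card
#   :wait                       - still processing, check again later
#   :failed                     - cancelled or an unexpected state
def next_step(intent, off_session: false)
  case intent[:status]
  when "succeeded", "requires_capture"
    :succeeded
  when "requires_action"
    # A challenge cannot be shown during an off-session charge.
    if off_session
      :ask_customer_to_authenticate
    elsif intent.dig(:next_action, :type) == "use_stripe_sdk"
      :authenticate_in_browser
    else
      :failed
    end
  when "requires_payment_method"
    # The attempt failed. For off-session charges Stripe reports the error code
    # authentication_required when the bank insists on SCA; that is not a
    # declined card, so do not ask for a new one.
    if off_session && intent.dig(:last_payment_error, :code) == "authentication_required"
      :ask_customer_to_authenticate
    else
      :new_payment_method
    end
  when "processing"
    :wait
  else
    :failed
  end
end
```

The important branch for the Subs workflow is the `requires_payment_method` + `authentication_required` case: a saved card that was fine last month can still trigger SCA, and the app has to send the member back to an on-session page instead of treating it as a declined card.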

Plot twist

Instead of the previous deadline of September 14th, some EU countries have said they will give banks extra time to apply the regulation.
We know today that this is the case for the UK (until March 2021) and France (until September 2022).
We don’t know about Belgium and Spain, and we don’t know when payments will start being declined because of this.

On one hand, the risk is there but it may be low. On the other, we know for sure we will have to do this work. Moreover the spike is still fresh in our minds and @kristinalim is ready to tackle priority number :one: (ensure checkout is working) in the coming month (after bugs and performance work).

The size of priority number :one: is estimated at M.

So the proposal is currently to move forward and prioritise this first step. But this means we have less time for something else.

We would love to have your feedback on this, especially from instances that are not faced with this issue: ping @tschumilas @lauriewayne1 @Kirsten

I’m totally in favour of this work and defer on process to those of you closer to it. Even though I live in a land where the government is asleep when it comes to data privacy and user rights, I agree with it strongly. The work puts OFN-CAN in a stronger ethical position, even if our government doesn’t require this.