Event Espresso Stripe Add-On Adds PSD2 Compliance

European Regulators are at it again with PSD2. It adds SCA, which is a set of requirements designed to reduce fraud by requiring customers to provide 2 of the following things:

• Something they know (e.g., password or PIN)
• Something they have (e.g., a phone or token from an app like Google Authenticator)
• Something they are (e.g., fingerprint or face recognition)

Stripe has a good summary of PSD2 and SCA. Speaking of Stripe…

Stripe has added support for SCA through Stripe Elements (and accompanying technologies like Stripe JS and Payment Intents), which primarily add 3D secure authentication.

Stripe Elements adds special form inputs which directly send the sensitive credit card information to their PCI-compliant server, without having them ever touch your server. Then, based on factors like the customer’s location and bank, Stripe will show a pop-up requesting on behalf of their bank, in order to verify the customers’ identity before approving the payment.

With Stripe Elements, your customers never leave your website, even though card processing happens entirely on Stripe’s servers and 3D secure authentication happens through their bank. That means, with regards to PCI compliance, your website will be at the least strict level, SAQ-A.

The Event Espresso Stripe Add-on now supports two different types of integrations: the new Stripe Elements, and the legacy Stripe Checkout.

When you update to 1.1.4, you will continue to use the legacy Stripe Checkout so that initially nothing will change for you or your customers. However, because the legacy Stripe Checkout does not comply with SCA, your European customers might not be able to pay with it.

For that reason, it is recommended you switch to the new Stripe Elements, which complies with SCA.

Stripe Checkout and Stripe Elements use the same credentials, so you can change between them easily by just changing a single setting in Event Espresso Stripe Payment Method’s settings. (And if you use Payment Methods Pro, you could even have Stripe Elements active on some events, and Stripe Checkout active on others.)

The only possible hurdle to using Stripe Elements is that it requires your website to use HTTPS. That’s not because your website will handle any sensitive credit card information. It’s because Stripe Elements’ special credit card inputs are served over HTTPS, and if the rest of your site is using HTTP, web browsers (like Chrome or Firefox) will give visitors warnings. So please make sure your website’s address starts with HTTPS. Our users’ favourite hosting companies, like SiteGround, make your site HTTPS for free.

1. Upgrade your Event Espresso Stripe Add-on to 1.9.4 (aren’t you glad you have an active support license? If you don’t, get one here: https://eventespresso.com/pricing)
2. Make sure your site is on HTTPS
3. Switch your Stripe Payment Method’s integration to “Stripe Elements” through your WP-admin (WP dashboard) → Event Espresso → Payments Methods → Stripe, then change “Integration Type” setting to “Stripe Elements” and save.

If you don’t want to accept payments from European customers, or you’re unable to switch your site to HTTPS right away, you can continue to use the Stripe payment method’s “legacy Stripe Checkout” for now. Just realize it may be discontinued (a.k.a. deprecated) in the near future. 

Do you have European customers but use another payment method?

Off-site payment methods, like PayPal Express and PayPal Smart Buttons, added compliance for SCA from their end, so no update was needed. Other on-site payment methods, like PayPal Pro and Authorize.net AIM, will need updating. Your support license contributions are supporting our developers on working on those as we speak. Please stay tuned!

Thank you for using Event Espresso and trusting us with your events.

Please comment if you have questions or suggestions.

Note: this post does include an affiliate link to our customers’ favorite hosting company and a few internal links too.