The Event Espresso Stripe Add-on 1.1.4 update will add compliance with Strong Customer Authentication (SCA), a new requirement of Europe’s second Payment Services Directive (PSD2). If you accept payments from European customers with Stripe, we recommend that you update and switch to using Stripe Elements before September 19th, when PSD2 comes into enforcement.
Keep reading to find out what is changing in the Event Espresso Stripe add-on.
Your website does not operate in a vacuum. WordPress updates its code periodically, other plugins and themes change, and sometimes government policies change. You should update the software on your WordPress website often to keep it secure and have access to new features. The benefit of having an active support license for your Event Espresso plugins is that you have access to software updates and help that can keep your events up and running. This update for the Stripe add-on is another example of why you want to keep your support license active: it gives you access to updates to the Stripe integration.
What are PSD2 and SCA?
European regulators are at it again with PSD2. It adds SCA, which is a set of requirements designed to reduce fraud by requiring customers to provide two of the following things:
- Something they know (e.g., password or PIN)
- Something they have (e.g., a phone or token from an app like Google Authenticator)
- Something they are (e.g., fingerprint or face recognition)
Stripe has a good summary of PSD2 and SCA. Speaking of Stripe…
How Does Event Espresso Stripe Add-on Add Compliance for PSD2?
Stripe Elements adds special form inputs that send the sensitive credit card information directly to Stripe’s PCI-compliant servers, so it never touches your server. Then, based on factors like the customer’s location and bank, Stripe will show a pop-up on behalf of the customer’s bank to verify the customer’s identity before approving the payment.
With Stripe Elements, your customers never leave your website, even though card processing happens entirely on Stripe’s servers and 3D Secure authentication happens through their bank. That means, with regard to PCI compliance, your website will be at the least strict level, SAQ-A.
What is Changing in the Event Espresso Stripe Add-on?
The Event Espresso Stripe Add-on now supports two different types of integrations: the new Stripe Elements, and the legacy Stripe Checkout.
When you update to 1.1.4, you will continue to use the legacy Stripe Checkout so that initially nothing will change for you or your customers. However, because the legacy Stripe Checkout does not comply with SCA, your European customers might not be able to pay with it.
For that reason, it is recommended you switch to the new Stripe Elements, which complies with SCA.
Stripe Checkout and Stripe Elements use the same credentials, so you can change between them easily by just changing a single setting in Event Espresso Stripe Payment Method’s settings. (And if you use Payment Methods Pro, you could even have Stripe Elements active on some events, and Stripe Checkout active on others.)
The only possible hurdle to using Stripe Elements is that it requires your website to use HTTPS. That’s not because your website will handle any sensitive credit card information. It’s because Stripe Elements’ special credit card inputs are served over HTTPS, and if the rest of your site is using HTTP, web browsers (like Chrome or Firefox) will give visitors warnings. So please make sure your website’s address starts with HTTPS. Our users’ favourite hosting companies, like SiteGround, make your site HTTPS for free.
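A check for this HTTPS step, as an added example that is not Event Espresso or Stripe code: after a WordPress site moves to HTTPS, hard-coded `http://` asset and form URLs are a common source of the browser warnings described above. The script scans a page's HTML for them; the `events.example` URLs and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) -> how browsers treat an http:// load on an https:// page
RULES = {
    ("script", "src"): "active",   # blocked by default
    ("iframe", "src"): "active",   # blocked by default
    ("link", "href"): "active",    # stylesheets only, see below
    ("img", "src"): "passive",     # padlock degraded, or URL auto-upgraded
    ("video", "src"): "passive",
    ("form", "action"): "form",    # form data would be sent in clear text
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (rule_tag, attr), kind in RULES.items():
            if tag != rule_tag or not attrs.get(attr):
                continue
            # <link> is only a subresource load when it is a stylesheet
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            # Resolve relative and protocol-relative URLs against the page URL
            url = urljoin(self.page_url, attrs[attr].strip())
            if urlparse(url).scheme == "http":
                self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return insecure references found in html served at page_url."""
    if urlparse(page_url).scheme != "https":
        raise ValueError("page itself is not served over HTTPS")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a registration page after a partial HTTP -> HTTPS migration
SAMPLE = """
<link rel="canonical" href="http://events.example/register/">
<link rel="stylesheet" href="http://events.example/wp-content/themes/t/style.css">
<script src="//events.example/wp-includes/js/jquery.js"></script>
<img src="http://events.example/wp-content/uploads/logo.png">
<form action="http://events.example/register/" method="post"></form>
<script src="/wp-content/plugins/p/checkout.js"></script>
"""
```

Calling `scan("https://events.example/register/", SAMPLE)` returns one `(kind, tag, url)` tuple per insecure reference; the canonical link and the relative and protocol-relative scripts are not reported because they are either not loaded or resolve to HTTPS.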
How Do I Prepare for PSD2?
- Upgrade your Event Espresso Stripe Add-on to 1.9.4 (aren’t you glad you have an active support license? If you don’t, get one here: https://eventespresso.com/pricing)
- Make sure your site is on HTTPS
- Switch your Stripe Payment Method’s integration to “Stripe Elements”: go to your WP-admin (WP dashboard) → Event Espresso → Payment Methods → Stripe, change the “Integration Type” setting to “Stripe Elements”, and save.
If you don’t want to accept payments from European customers, or you’re unable to switch your site to HTTPS right away, you can continue to use the Stripe payment method’s “legacy Stripe Checkout” for now. Just realize it may be discontinued (a.k.a. deprecated) in the near future.
What About Other Gateways?
Do you have European customers but use another payment method?
Off-site payment methods, like PayPal Express and PayPal Smart Buttons, added compliance for SCA from their end, so no update was needed. Other on-site payment methods, like PayPal Pro and Authorize.net AIM, will need updating. Your support license contributions are supporting our developers, who are working on those as we speak. Please stay tuned!
Thank you for using Event Espresso and trusting us with your events.
Please comment if you have questions or suggestions.
Note: this post does include an affiliate link to our customers’ favorite hosting company and a few internal links too.