SCA to be effective as of September 14th - CC/PP to require 2FA

YmpkerYmpker Member
edited August 2019 in General

As of September 14th European law dictates 2FA when paying with CC or PayPal online. This means if you are a provider you should be looking to support this soon. Maybe some Blesta module needs an update? Even if the most part is probably on the payment processor to implement this, it must be implemented with payment gateways and often your billing system too. It’s nothing your bank does for years. It’s a new regulation, SCA, and it will change how the authorisation works across the entire payment industry in September. Whoever is not compatible with SCA will see their payments declined (according to Clouvider).

https://150sec.com/new-eu-e-commerce-payment-rules-all-you-need-to-know/11273/

Comments

  • MikePTMikePT Moderator, Patron Provider, Veteran
    edited August 2019

    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Thanked by 1Ympker
  • pikepike Veteran
    edited August 2019

    This new law sucks so much. My bank forces me either to use their shitty app (only android and iOS) or buy a code generator for 30€.

    Thanked by 1Ympker
  • @pike said:
    This new law sucks so much. My bank forces me either to use their shitty app (only android and iOS) or buy a code generator for 30€.

    I hear ya. My bank's app (which I didn't use so far) is rated poorly on playstore and is described as buggy and non-functional. Gotta love that.

  • NeoonNeoon Community Contributor, Veteran

    It's insecure as I can tell, compared to the method used before, which was you get lists of codes sent to you and you need to use one and auth the transaction. Instead of using the same PIN every time.

    Thanked by 1pike
  • @pike said:
    This new law sucks so much. My bank forces me either to use their shitty app (only android and iOS) or buy a code generator for 30€.

    Damn. My bank doesn’t really use Verified by Visa anymore (it shows the page but automatically redirects without any further prompts) but rather their own ‘system’:

    Thanked by 2pike Unixfy
  • What about automated payments? Do I have to do 2FA every month?

  • @lemon said:
    What about automated payments? Do I have to do 2FA every month?

    Nobody knows yet.

  • pikepike Veteran
    edited August 2019

    If it only was for buying goods online with my visa.. but now they will force me into using their app for simple money transfers to other accounts. So no way for me to avoid buying their silly 30€ generator or using their silly app.

    How can an app be more secure than the good old paper TAN list.

    Thanked by 1Ympker
  • jackbjackb Member, Host Rep

    @lemon said:
    What about automated payments? Do I have to do 2FA every month?

    merchant initiated transactions and recurring transactions are exempt, somehow. I suppose it must be enforced on the first transaction (otherwise fraudsters would just claim it is a recurring payment)

  • WHMCS is cutting it fine with being ready on time - 7.8 is at release candidate stage still and contains the required upgrade to Stripe elements. Hope they hurry up!

  • MikeAMikeA Member, Patron Provider
    edited August 2019

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Have no fear, WHMCS charges $1.50/month for account 2FA access! I am sure payment 2FA will cost $3.00/month!

    Thanked by 1MikePT
  • NeoonNeoon Community Contributor, Veteran

    @MikeA said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Have no fear, WHMCS charges $1.50/month for account 2FA access! I am sure payment 2FA will cost $3.00/month!

    Did I just hear CPanel 4.0?, must be a bug.

  • MikeAMikeA Member, Patron Provider
    edited August 2019

    @Neoon said:

    @MikeA said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Have no fear, WHMCS charges $1.50/month for account 2FA access! I am sure payment 2FA will cost $3.00/month!

    Did I just hear CPanel 4.0?, must be a bug.

    Hello,

    I am pleased to inform you that 2FA for cPanel accounts will cost an additional $0.05 per account.

  • NeoonNeoon Community Contributor, Veteran

    Seems like most companies figured, that the DLC model prints the most money.

  • @doghouch said:

    @pike said:
    This new law sucks so much. My bank forces me either to use their shitty app (only android and iOS) or buy a code generator for 30€.

    Damn. My bank doesn’t really use Verified by Visa anymore (it shows the page but automatically redirects without any further prompts) but rather their own ‘system’:

    You sure? I remember the first time using said card on Cineplex, it redirected me to Verified by Visa and requested my information. Afterwards, every time it redirects to Verified by Visa, just redirects and approves the transaction, not that movie tickets were supposed to be expensive to start with.

    I've gotten those text message things from a different bank for an etransfer before however.. Replying Y didn't work however.. :(

  • MikePTMikePT Moderator, Patron Provider, Veteran

    @MikeA said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Have no fear, WHMCS charges $1.50/month for account 2FA access! I am sure payment 2FA will cost $3.00/month!

    Haha for sure!!! It's just ridiculous. Just another way for them to profit from us.

  • estnocestnoc Member, Patron Provider

    interesting how this thing will work out if customers are paying by cards through Paypal?

  • doghouchdoghouch Member
    edited August 2019

    @Edmond said:

    @doghouch said:

    @pike said:
    This new law sucks so much. My bank forces me either to use their shitty app (only android and iOS) or buy a code generator for 30€.

    Damn. My bank doesn’t really use Verified by Visa anymore (it shows the page but automatically redirects without any further prompts) but rather their own ‘system’:

    You sure? I remember the first time using said card on Cineplex, it redirected me to Verified by Visa and requested my information. Afterwards, every time it redirects to Verified by Visa, just redirects and approves the transaction, not that movie tickets were supposed to be expensive to start with.

    I've gotten those text message things from a different bank for an etransfer before however.. Replying Y didn't work however.. :(

    Yeah — I’ve entered my information once before and it just redirects for me now as well.

    As for replying “y” to transactions: you need to try the transaction a second time after the SMS message.

  • raindog308raindog308 Administrator, Veteran

    Ympker said: My bank's app

    pike said: their app

    I hate per-site apps. We have web browsers, which liberated us from the idea of having a different program to do every single task. The smartphone era where every web site wants to have its own app is Windows 3.1 thinking.

  • HxxxHxxx Member

    Apps easier for the majority of users. Less work on their part.

    @raindog308 said:

    Ympker said: My bank's app

    pike said: their app

    I hate per-site apps. We have web browsers, which liberated us from the idea of having a different program to do every single task. The smartphone era where every web site wants to have its own app is Windows 3.1 thinking.

  • raindog308raindog308 Administrator, Veteran

    Hxxx said: Apps easier for the majority of users. Less work on their part.

    How so?

    • have to download app
    • have to hope it integrates with your password manager
    • have to keep it up to date
    • have to learn any quirks because the interface is different than the web
    • have to reload the app if you move to a different device

    Etc.

    Thanked by 1pike
  • jsgjsg Member, Resident Benchmarker
    edited August 2019

    @raindog308

    Html isn't all rosy. Browsers are extremely fat and bloated (or virtually useless) and highly insecure.

    But I'm also not with @Hxxx because I think that for most users "apps" in the browser are the most "natural" and normal way of interaction.

    As for 2FA I don't care. It's just security theater like most wide-spread or demanded by law "security" - as plenty ridiculously broken banking apps, anti-virus, etc clearly demonstrate.
    For the sake of fairness: with modern societies rapidly walking towards idiocracy good 2FA is hard to do and bad 2FA has already been broken (e.g. sending codes via SMS).

    I find it funny btw. that millions of people don't hesitate to spend $30 or even more per year on snakeoil like anti-virus but are unwilling to spend 50$ once for reasonable security (if available. many banking apps suggest that those would be poor too).

    So what? Amazon, ebay, etc flourish

    P.S. Why is 2FA via SMS broken? Because politicians and large corporations agreed that extremely lousy security was the right thing to do. Why has TLS such a poor track record? Because founding Let's Encrypt and giving security illusion, err, certificates away for free is cheaper than doing PKI properly plus it pleases the large (clueless) majority.
    TL;DR: We are having problems because either democracy per se doesn't work or because we the people (most of us) are too stupid for democracy, sorry..

  • ClouviderClouvider Member, Patron Provider

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Guess again. Especially if you are auto-charging cards on file.

  • MikePTMikePT Moderator, Patron Provider, Veteran

    @Clouvider said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Guess again. Especially if you are auto-charging cards on file.

    What do you mean?

  • ClouviderClouvider Member, Patron Provider

    @MikePT said:

    @Clouvider said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Guess again. Especially if you are auto-charging cards on file.

    What do you mean?

    You need to indicate through API that you intend to use card for recurring payments and that needs to go through 3DS2, otherwise when it's rolled in - your recurring transactions will decline automagically.

  • MikePTMikePT Moderator, Patron Provider, Veteran

    @Clouvider said:

    @MikePT said:

    @Clouvider said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Guess again. Especially if you are auto-charging cards on file.

    What do you mean?

    You need to indicate through API that you intend to use card for recurring payments and that needs to go through 3DS2, otherwise when it's rolled in - your recurring transactions will decline automagically.

    And won't WHMCS be able to do that?

  • @MikePT said:

    @Clouvider said:

    @MikePT said:

    @Clouvider said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Guess again. Especially if you are auto-charging cards on file.

    What do you mean?

    You need to indicate through API that you intend to use card for recurring payments and that needs to go through 3DS2, otherwise when it's rolled in - your recurring transactions will decline automagically.

    And won't WHMCS be able to do that?

    I believe this is something that is not solely up to WHMCS to work and be implemented correctly. Could be wrong though.

    Thanked by 1MikePT
  • SpartanHostSpartanHost Member, Host Rep

    @MikeA said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Have no fear, WHMCS charges $1.50/month for account 2FA access! I am sure payment 2FA will cost $3.00/month!

    They don't charge anymore for two factor auth (time-based tokens) in WHMCS 7.8 :smile:

    Source: https://preview.whmcs.com (Free Two-Factor Authentication)

    Thanked by 2MikeA MikePT
  • raindog308raindog308 Administrator, Veteran
    edited August 2019

    jsg said: For the sake of fairness: with modern societies rapidly walking towards idiocracy good 2FA is hard to do and bad 2FA has already been broken (e.g. sending codes via SMS).

    There are other forms of 2FA though - my employer requires it for most logins and we use an authenticator. Previous employer used RSA fobs. I'm not sure why a Google Authenticator, et al is hard to use, though SMS codes are more popular, probably due to familiarity.

    jsg said: I find it funny btw. that millions of people don't hesitate to spend $30 or even more per year on snakeoil like anti-virus but are unwilling to spend 50$ once for reasonable security (if available. many banking apps suggest that those would be poor too).

    I don't know if I'd call AV pure snake oil...it can be helpful, though it's purely reactive and of course, provides the illusion of complete protection when at best it's piecemeal.

    jsg said: TL;DR: We are having problems because either democracy per se doesn't work or because we the people (most of us) are too stupid for democracy, sorry..

    Absolutely...democracy is the demented idea that idiots can identify and select good leaders. But then, I've always assumed Sturgeon's Law applies to human intelligence.

    Thanked by 1jsg