- Apple prepares to ramp up the security of iOS app payments as required by new EU law.
- Users who are attempting to pay over €30 will have to go through an additional authentication step.
- This is to prevent fraudsters or unauthorized users from paying for stuff using other people’s money.
Apple is obliged to comply with the new “Strong Customer Authentication” (SCA) requirements, which were introduced in the form of new legislation on December 31, 2020, so apps on iOS will have to ramp up their security and add further safety steps before online purchases can be completed. Developers will have to ensure that their apps implement StoreKit and Apple Pay correctly and that the SCA system is supported as it should be.
The EU has introduced these anti-fraud measures to protect users from falling victim to fraudsters or losing money to hackers who have somehow gained access to their accounts or devices. In this context, certain transactions that involve credit or debit cards, Apple Pay, and other electronic forms of payment will now have to be authenticated by the bank or payment service provider. This extra step is added for safety, but it will inevitably make the process a little more cumbersome for users, as they will have to approve and confirm the transaction themselves.
As Apple explains, there are specific transaction types that should pass through the SCA system, while others are excluded as shown below:
- Auto-renewable subscription transactions will require an SCA verification on the first payment.
- Purchases over €30 will use SCA, but some below this threshold may also require it.
- Apple Pay already meets SCA requirements, so nothing changes there.
- Mobile phone billing and Apple ID balance (from gift cards or manual fund recharge) will not require SCA.
From now on, for transactions that must comply with the SCA requirements, users will be taken out of the purchase flow and onto the bank’s or online payment service’s platform to authenticate their card or account. This will be an interruption, but it will substantially ramp up the security of these payments, making it impossible for unauthorized users to engage in transactions using other people’s money.
Apple Pay already includes a built-in authentication system. Still, developers who are incorporating the system into their apps will have to ensure that the correct two-letter country code is used on payment requests.
Also, the final amount should be shown on the payment sheet, not a pending one. This supports dynamic linking: the cryptogram includes the merchant identifier and the actual amount, which ties the authentication to this specific transaction and proves its origin and authenticity.
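As an added illustration (not code from the article or from Apple), here is how an iOS developer might build a PassKit request that follows the two rules above and run a pre-flight check on it before presenting the sheet; the merchant identifier, store label and card networks are placeholder assumptions.

```swift
import PassKit

// Builds an Apple Pay request that follows the two SCA-related rules above:
// a two-letter ISO 3166-1 alpha-2 country code and a *final* (not pending)
// grand total as the last summary item, so the amount that ends up in the
// payment cryptogram is the amount the customer actually approves.
func makeSCAReadyRequest(merchantID: String,
                         countryCode: String,
                         currencyCode: String,
                         lineItems: [(label: String, amount: NSDecimalNumber)]) -> PKPaymentRequest {
    let request = PKPaymentRequest()
    request.merchantIdentifier = merchantID      // placeholder, e.g. "merchant.com.example.store"
    request.countryCode = countryCode            // e.g. "DE", never "DEU" or "Germany"
    request.currencyCode = currencyCode
    request.supportedNetworks = [.visa, .masterCard, .amex]   // assumed networks
    request.merchantCapabilities = .capability3DS

    var items = lineItems.map { PKPaymentSummaryItem(label: $0.label, amount: $0.amount) }
    let total = lineItems.reduce(NSDecimalNumber.zero) { $0.adding($1.amount) }
    // The last summary item is what the sheet presents as the charge; mark it .final.
    items.append(PKPaymentSummaryItem(label: "Example Store", amount: total, type: .final))
    request.paymentSummaryItems = items
    return request
}

/// Pre-flight check run before presenting the sheet; returns human-readable problems.
func scaProblems(in request: PKPaymentRequest) -> [String] {
    var problems: [String] = []
    let cc = request.countryCode
    if cc.count != 2 || cc != cc.uppercased() || !cc.allSatisfy({ $0.isLetter }) {
        problems.append("countryCode '\(cc)' is not a two-letter ISO 3166-1 alpha-2 code")
    }
    guard let total = request.paymentSummaryItems.last else {
        problems.append("paymentSummaryItems is empty; the sheet needs a grand total")
        return problems
    }
    if total.type == .pending {
        problems.append("grand total '\(total.label)' is pending; dynamic linking needs a final amount")
    }
    if total.amount.compare(NSDecimalNumber.zero) == .orderedAscending {
        problems.append("grand total is negative")
    }
    return problems
}
```

Run `scaProblems(in:)` on the request before presenting `PKPaymentAuthorizationController`; an empty array means both rules are satisfied.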