New legislation in the EU is set to take effect on December 31 that will impact online purchases. Apple has given a heads up about how developers will be impacted and what to do to prepare for the changes.
The European Union’s Strong Customer Authentication (SCA) legislation kicks in on December 31, 2020, which means developers who sell to users in Europe will need to check some settings and make some changes.
Apple notes that the App Store and Apple Pay are all set to work in accordance with SCA but that developers will need to verify their app implementation of StoreKit and Apple Pay.
Apple details what developers will need to do for both StoreKit and Apple Pay in a support document on its developer site, first for StoreKit and then for Apple Pay:
Handling transactions with StoreKit
For in-app purchases that require SCA, the user is prompted to authenticate their credit or debit card. They’re taken out of the purchase flow to the bank or payment service provider’s website or app for authentication, then redirected to the App Store where they’ll see a message letting them know that their purchase is complete. Handling this interrupted transaction is similar to Ask to Buy purchases that need approval from a family approver or when users need to agree to updated App Store terms and conditions before completing a purchase.
Make sure your app can properly handle interrupted transactions by initializing a transaction observer to respond to new transactions and synchronize pending transactions with Apple. This observer helps your app handle SCA transactions, which can update your payment queue with a state of “failed” or “deferred” as the user exits the app. When the user is redirected to the App Store after authentication, a new transaction with a state of “purchased” is immediately delivered to the observer and may include a new value for the transactionIdentifier property. You can test interrupted purchase scenarios in sandbox for a specific Sandbox Apple ID.
Read more details and get more resources from Apple on SCA in the EU here.
Apple Pay includes built-in authentication and doesn’t require additional authentication by banks. However, to avoid issues with payments made with Apple Pay on your apps and websites, make sure you’re using the correct country code on payment requests and showing the final amount on the payment sheet.
The countryCode value on the PKPaymentRequest (for apps) and ApplePayPaymentRequest (for websites) should be set to the correct two-letter country code for the country in which you’re processing the funds. Setting this correctly ensures a PSD2-compliant cryptogram when the merchant countryCode and the user’s card issuer both fall within the EEA.
Show the final amount, not a pending amount, on the payment sheet. This will help with Dynamic linking, where the transaction amount and a merchant identifier are included in the cryptogram to prove the origin and authenticity of the transaction.