PSD2 & Strong Customer Authentication
- How to Be Ready and Beat The Deadline

Before the Payment Services Directive was rolled out, payments across the European Union (EU) were treated as cross-border payments — multiple regulations and varying fees did not really foster the spirit of healthy competition and participation in the fintech industry across the EU.

PSD1 pushed the pedal on creating a Single Euro Payments Area (SEPA) and establishing non-bank third parties, like Payment Service Providers (PSPs) a.k.a payment gateways in the EU, that could carry out financial transactions. This helped consumers and merchants get paid faster and quicker.

Despite this, banks continued to have monopoly over customer accounts. (The PSPs) wanted access to the banks' customer data, which called for deeper security measures and the ability for customers to control who can access their data.

With PSD2, the aim is to accelerate further innovation in the fintech space by opening up access to customer accounts for 3rd parties - think P2P payments, a single place for customers to manage all their accounts. This will require banks to open up their APIs to third parties. Which in turn necessitates stronger security measures.

To serve this purpose, the revised edition of the Payment Services Directive (PSD) will come into effect on September 14th, 2019.

A lot of SaaS businesses may feel PSD2 is scary. But here is something - you needn't have the entire world of PSD2 at your fingertips. Payment gateways will be primarily accountable for meeting the PSD2 requirements.

But as part of PSD2, there is one new factor that will come into play - Strong Customer Authentication (SCA). And this is something that should pique your interest.

SCA, also known as two-factor authentication, will add an additional layer of security needed at the time of a transaction.

Which brings us to the second piece that you will need to care about.
3D Secure 2 —an authentication standard supported by the vast majority of European cards. The problem with 3DS1 was that customers were redirected to another window for verification, which created friction in the checkout process and in turn, led to an increase in drop-offs at the checkout page.

Along with SCA, a newer version of the authentication protocol is being rolled out - 3DS2. And, that's a silver lining for subscription businesses — it's going to make online transactions safer, with the promise of a mobile-friendly experience, benefiting merchants and customers alike.

Then what's all the panic about?

SaaS businesses need to be aware of how they will go about having provisions in place and implementing them to be PSD2 ready. If your billing system isn't PSD2 ready by December 31st, 2020, then it will be raining payment failures impacting your recurring revenue.

Any business that conducts online transactions in the EU may be impacted by PSD2. PSD2 will mostly be applicable when both the business and the customer are based in the EU. Meaning, businesses that have a merchant account in the EU, with customers who make online payments with cards issued by EU banks.

There's still a possibility of a small percentage of international transactions that take place in the EU, to require SCA. If you're a SaaS business in Europe and have customers in the US, or your business is in the US and you cater to European customers, then you need to be armed enough to meet the SCA requirements.

Subscription businesses will have to bring in changes at various touch points (refer impact areas section) so that they don't lose out on their revenue or customers.

Merchant Initiated Transactions (MIT)

A merchant initiated transaction, is a transaction made with a customer's saved card when the cardholder isn't present. Even though a merchant-initiated transaction is exempted from PSD2, the first transaction will require 3DS2 verification and we'd recommend you have it enabled for all transactions so that payments don't fail.

There are some exemptions where PSD2 will not be needed. And recurring payments have made it to the list! Apart from recurring payments, here are some more exemptions that you can use whenever possible:

• Low value and low risk transaction: If a transaction is under 30 EUR, or marked as "low risk", SCA doesn't have to be applied.
• Whitelisted merchants: Customers who shop regularly from specific merchants can mark them as "trusted beneficiaries", so that 3DS will not have to be applied for those transactions.
• Mail and telephone orders (MOTO): Purchases made via mail or telephone are not considered to be electronic payments and SCA doesn't apply to them.
• Corporate cards: Payments made via corporate processes, between two B2B corporations, using payment methods specific to these types of payments, such as virtual or corporate cards, are also exempted from SCA (these payment methods would not be available to end customers).

But hold up. There's a plot twist: some of the customers' banks may not take this exemption into consideration, in which case, 3DS2 authentication will be required.

With all the exemptions under PSD2 that you can apply for your online transactions, in the end, it's up to the customer's bank to accept it. If verification is required, a pop-up window will appear on the same page, asking the customer to verify their identity. For MIT transactions, since the customer isn't present for the transaction, 3DS verification will fail and the payment won't go through.

Though subscription businesses can apply this exemption for processing their recurring payments, it's a safer bet to have a provision in place to enable SCA for transactions that might require it in the future. An even safer bet, use a recurring billing system which is better prepared to maneuver through these changes, than you having to constantly create new patchworks of code that get messier over time.

Subscriptions

Existing Subscriptions

Customers whose cards are stored before December 31st, 2020, will be eligible for SCA exemptions and the approval rates for their transactions will be better if at least one transaction is carried out before December 31st, 2020.

New Subscriptions

For new subscriptions created post December 31st, 2020, customers can be asked for additional verification on your checkout page. If your checkout is not capable of handling the SCA flow, then the payment will fail.

When new customers are signing up for a subscription plan and paying with their cards, they will need to complete a 3DS verification at the checkout page. Once the first payment goes through 3DS, future recurring payments (if the plan amount is fixed) can be exempted from SCA.

Subscription Changes

For existing customers, if they decide to upgrade to a higher plan or buy any add-ons, they may be asked for a 3DS verification.

Subscription Renewals

In the case of subscription renewals, the payments take place without the customers being online. Even though subscription renewals are exempted, there is a chance that some recurring payments may still require SCA to complete a purchase.

Another common scenario for an MIT is when your customer asks to resume or reactivate their subscription. For a subscription being resumed or reactivated after December 31st, 2020, customers can be asked to complete 3DS for their subscriptions to be activated.

Future and Trial Subscriptions

It will be a similar situation for future and trial subscriptions. If you have existing customers with a future or a trial subscription that's set to be activated any time after September 14th, gateways should ideally apply exemptions for these subscriptions. Since the approval rate for cards stored in the vault with at least one successful transaction is expected to be higher, you can perform a $1.00 authorization to make the approval rate better.

Another good practice you can follow after September 14th, is to have your new customers complete 3DS for at least one transaction, so their other transactions have a better approval rate. This goes for billing future renewals or changing next renewals as well.

Complying with PSD2 can get challenging even for subscription businesses that bill their customers based on usage, as the amount would vary over time.

Checkout and Invoicing

Merchants with subscription businesses will have to apply 3DS to their checkout flows once the PSD2 regulation goes live. Your checkout needs to be able to handle all the SCA flows so that 3DS 1 and 3DS2 can be applied for transactions that require it. This means your checkout page will need additional authentication built in.

Along with this, you will need to check if your checkout page has all the required fields to capture the necessary information.

If you have an internal recurring billing system in place

Handling PSD2 compliance with an in-house billing solution can get from complex to very frustrating very soon. If you have built your own recurring billing solution on top of a payment gateway, you will need to dedicate a lot of developer hands plus time, to enable SCA authentication flows. God forbid, if you decide to migrate to a different gateway, then you'll have to go through the entire process of connecting the gateway's APIs once again, to comply with SCA standards.

There is still a lot of uncertainty concerning how payment gateways are handling their PSD2 compliance. Some gateways are rolling out changes for SCA in batches, whereas some aren't too clear about how and when they'll be PSD2 compliant. In other words, waiting to get updates from your payment gateway(s) and then making changes to your internal billing system might not be the most efficient approach.

For the benefit of many others like you, we have identified (and broken our heads over) some of the impact areas you will have to take care of, to become PSD2 compliant, if/when you're building your billing solution on top of a payment gateway.

The details as to how payment gateways are tackling PSD2 may vary. So while you're thinking of a plan to meet SCA requirements, here are some things to keep in mind:

• Integrate 3DS into your checkout and payment flow.
• Handle payments that've failed because SCA requirements were not met.
• Set up dedicated email notifications to inform and collect SCA from customers.
• Align your recurring billing logic to be SCA ready.

If you have a recurring billing provider

Ideally, your subscription management solution should have done all the groundwork for you to be PSD2 compliant. But it will still require certain actions from your end. It will also depend on the checkout solution and the payment gateway you are working with. Reach out to your provider to understand how they are tackling this.

• If you're a B2C subscription business, give your customers a heads-up about PSD2 and what they need to do to verify their transaction via 3DS2.
• Apply for exemptions whenever possible. It can help you decrease friction and increase conversion rates.
• Set up reminder emails for customers who haven't completed the authentication. Decouple them from payment failure emails for smoother workflows.
• If you are a B2B business, you can reach out to your customers asking them to check with their banks if the 'whitelisting merchants' feature is supported by the bank, so that they can skip the authentication and have smoother transactions. Most of the banks in the EU will have this feature ready by the end of this year.
• If you are processing usage-based billing or variable amount recurring billing (which come under merchant-initiated transactions), and 3DS verification was done for the first transaction, then those subscriptions can be applied for exemption. However the customer's bank will still have the final say if that subscription still requires SCA. This might be an added friction. You can choose to skip this by accepting payments via direct debit which falls under Customer Initiated Transactions.
• You will need to think of a dunning flow for payments failing because of 3DS failure. For such situations, you can raise an unpaid invoice (makes it so much easier to track) for the customer, and send the unpaid invoice via an email with a link to complete 3DS for the failed transaction.

SCA, also known as two-factor authentication, is a part of the PSD2 law that will bring an additional layer of security needed at the time of a transaction. Initially, customers used a time-bound one-time password to verify a transaction via 3D Secure (3DS).

Even though there's a lot of skepticism and confusion around PSD2, it comes with the promise of making online transactions more secure and reducing fraud rates in the EU. SCA requires more than just entering a password or a code. Verifying a transaction needs two of the following authentication methods:

SCA applies to online card transactions since alternate payment methods like wallets and Direct Debit have their own authentication processes. 3D Secure 2.0 brings in a new way to authenticate transactions that are compliant with SCA.

With 3DS2 coming into the picture, it's set to improve the payment experience by:

• offering a mobile-friendly design.
• making the authentication process more flexible and secure.
• using biometric authentication for online transactions.
• bringing transparency by using a wider range of data.
• providing customer data assets to businesses dealing with payments and technology.

For an online transaction to be verified, the way the merchant's and the customer's banks communicate with the Access Control Server (ACS) strong customer authentication can go through one of these flows:

• Frictionless Flow
  When the card-issuing bank a.k.a the customer's bank has enough information (collected in the background) to authenticate an online transaction, the payment goes through easily without the need for further verification. For a frictionless SCA flow to take place, the customer's IP address or device ID can suffice to verify a transaction.
• Challenge Flow
  When the customer's bank wants more proof to verify their identity, the bank can request additional information from the customer like a password, on their payments page.
• Redirect Flow
  There will be some banks in the EU that may not have the 3DS2 flow implemented by the September deadline. In such cases, when an online transaction goes through the authentication process, the customers will be redirected to a new window to verify their identity via 3DS 1.
• Fallback Flow
  A fallback flow comes into play for recurring payments, like when a subscription renewal takes place in the customer's absence. When a transaction requires 3DS verification and fails, the payment will not go through. The customer needs to know about the payment failure and they need to complete the 3DS verification for the payment to go through.

We are working with payment gateways to upgrade our gateway integrations and APIs to support 3DS2. When you integrate with a subscription billing solution like Chargebee on top of your payment gateway, your PSD2 compliance part will be taken care of, so you don't have to lose out on your time and developer resources for this.

For merchants who have or are going to implement a custom checkout, you will need to keep changing your APIs based on your gateway rolling out APIs. Add to that all the SCA flows (refer SCA authentication workflow section) you'll have to add into your checkout flow. If you decide to change payment gateways because your payment gateway decides it won't support 3DS, then you'll have to restart the entire process of integrating APIs and updating them constantly. Using your the gateway js. is a better option. An even better option — use Chargebee js. and all you need to do is enable 3DS, and we will take care of getting your payment flow ready for PSD2 (even if you decide to switch gateways).

Read how Chargebee can help you get SCA ready

• PSD — Payment Services Directive was introduced by the European Union to unify and create a single market for European payments.
• SCA — Strong Customer Authentication is a requirement of the PSD2 law to make online payments more secure and reduce payment fraud.
• 3DS — Three-Domain Secure is used as a method of authentication for online transactions and verify the identity of the person trying to make the online payment.
• EU — The European Union which consists of 28 member states.
• SEPA — Single Euro Payments Area regulation was set down by the European banking authority, which consists of standards and technical rules for payment services and infrastructure in Europe.
• MIT — Merchant Initiated Transaction is where the merchant tries to collect the payment on the customer's behalf in their absence.
• AISP — Account Information Service Providers provide customers with information on their bank account(s).
• PISP — Payment Initiation Service Providers can access customers' account data and initiate online payments on behalf of the customers.
• TPP — Third-party Providers are online service providers which can be AISPs or PISPs introduced under the PSD2 law.
• ACS — Access Control Server is the customer's bank that has issued the card they use to make an online payment.