PSD2 compliance with Recurly: A comprehensive guide
PSD2 is a European regulation for online payment services that seeks to make them more secure and to reduce fraud. In this article, we’ll answer all your questions about this regulation and how you can stay PSD2-compliant with Recurly.
What is PSD2?
PSD2 stands for Payment Services Directive 2 and is an EU regulation governing electronic and other non-cash payments. The main provision of PSD2 is for Strong Customer Authentication (SCA), a process that seeks to make online payments more secure and reduce fraud while increasing authorization rates.
To meet SCA requirements, companies must present their customers with a 3D Secure (3DS) flow when they make an online purchase. This allows companies to authenticate both the customer’s identity and that they are the valid holder of the credit card they’re using to complete the purchase.
To which transactions does PSD2 apply?
PSD2 applies to all initial sign-up transactions or any one-time transactions where both the issuing and acquiring banks are located in the European Economic Area (EEA). Transactions impacted include payments made via credit cards and alternative payment methods such as PayPal, AmazonPay, and ApplePay. PSD2 does not apply to Merchant Initiated Transactions (MIT) like recurring subscription charges.
How do I know if my business is impacted by PSD2?
If your merchant account provider (a.k.a. your acquirer or acquiring bank) is based in the EEA, and you transact with customers in the EEA, you will be impacted by PSD2 and should be prepared to perform SCA. On the other hand, if either party in a transaction is outside the EEA, then the SCA regulation does not apply.
Will 3DS ever be prompted on recurring, merchant-initiated transactions, for example if the value differs from the original (sign up) transaction amount?
The card issuer can technically challenge a transaction, even merchant-initiated ones, for any reason. Because of this, Recurly is planning to provide fallback option(s) like a “3DS dunning flow” to help you recover MIT transactions that fail due to SCA and need to be re-authenticated by your customer.
How will 3DS impact my checkout conversion?
Businesses saw a 3-15% drop-off in checkout conversion with 3DS1, although that number varies widely by country. With 3DS2, issuers are targeting a drop-off of, at most, 5% at checkout. (Statistics provided by WorldPay).
How will 3DS affect authorization rates?
Businesses that have not previously implemented 3DS see, globally on the whole, about an 84% authorization rate. 3DS1 increased that rate to 92%. Issuers are hoping to see 3DS2 further improve authorization rates to 95%. (Statistics provided by WorldPay).
What reduction in fraud can be expected?
Businesses that have not previously implemented 3DS see, globally on the whole, a fraud rate of about 0.29%, inclusive of both authenticated and unauthenticated fraud. 3DS1 reduced that to 0.12%. Issuers are hoping to see 3DS2 further reduce fraud rates to 0.05%. (Statistics provided by WorldPay).
How much transaction latency should I expect as a result of 3DS?
In general, 3DS authentication can take up to 10 seconds. In addition, if the issuer rejects an exemption and forces SCA to take place, there could be an additional latency of up to 1-2 seconds for the issuer to evaluate an exemption, reject it, and then force SCA. (Statistics provided by WorldPay).
With usage-based billing, would SCA be required on each re-bill?
As long as the transaction is merchant-initiated and is appropriately flagged as such, subsequent re-bills should in most cases not require SCA, even if the amount varies (as in usage-based billing). However, it’s important to note that there may still be cases where subsequent MIT renewal purchases will require SCA. Card issuers always have the final say and can require SCA for any transaction, for any reason.
With a fixed subscription where the first month is prorated, would the second month (charging the full amount) still qualify to be exempted from SCA?
Best practice suggests that in this scenario, merchants should authenticate for the full amount of the subscription at the time the customer signs up, even if the first month is prorated. Then, subsequent re-bills should in most cases not require SCA as long as they are appropriately flagged as MIT. Recurly will take care of both of these pieces for our merchants: authenticating for the full amount and flagging subsequent re-bills as MIT.
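The scoping, MIT-flagging and fallback rules from the questions above, as an added toy model (not Recurly’s code or API): the EEA country subset, the Charge fields, the gateway flag names and the gateway result strings are all constructed assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed subset of EEA country codes for the demo (assumption, not a full list).
EEA = {"DE", "FR", "NL", "IE", "ES", "IT", "NO", "IS"}

@dataclass
class Charge:
    amount_cents: int
    issuer_country: str                            # card-issuing bank's country
    acquirer_country: str                          # merchant's acquiring bank's country
    kind: str                                      # "signup", "one_time" or "rebill"
    full_plan_amount_cents: Optional[int] = None   # set when a sign-up is prorated

def in_psd2_scope(c: Charge) -> bool:
    """SCA applies only when issuer and acquirer are both in the EEA."""
    return c.issuer_country in EEA and c.acquirer_country in EEA

def needs_sca_upfront(c: Charge) -> bool:
    """Customer-initiated charges (sign-up, one-time) get a 3DS flow;
    rebills are merchant-initiated and are flagged as MIT instead."""
    return in_psd2_scope(c) and c.kind in ("signup", "one_time")

def authentication_amount(c: Charge) -> int:
    """Authenticate for the full subscription amount at sign-up, even if the
    first invoice is prorated, so later full-amount MIT rebills are covered."""
    if c.kind == "signup" and c.full_plan_amount_cents is not None:
        return max(c.amount_cents, c.full_plan_amount_cents)
    return c.amount_cents

def gateway_flags(c: Charge) -> dict:
    """Flags to send with the authorization (field names are assumptions)."""
    if c.kind == "rebill":
        return {"merchant_initiated": True, "three_ds": False}
    return {"merchant_initiated": False, "three_ds": needs_sca_upfront(c),
            "three_ds_amount_cents": authentication_amount(c)}

def next_action(c: Charge, gateway_result: str) -> str:
    """The issuer may still challenge an MIT rebill; route that failure to a
    customer-facing re-authentication (the '3DS dunning' fallback) instead
    of a blind retry. gateway_result values are constructed for the demo."""
    if gateway_result == "approved":
        return "capture"
    if gateway_result == "sca_required":
        return "reauthenticate_customer" if c.kind == "rebill" else "present_3ds_challenge"
    return "decline"
```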
Stay PSD2 compliant with Recurly
Recurly makes compliance as easy as possible for our customers by providing a solution that minimizes work for your development teams.
We have enhanced our client-side integration so our customers can use Recurly to satisfy the SCA requirement on both initial subscription sign-ups and one-time purchases. Recurly’s 3DS solution lets you update your integration with minimal effort.
This approach gives you flexibility should your business needs evolve. For example, once your 3DS flows are built, you can use them for any other payment gateway that you may use in the future.
PayPal, AmazonPay, and ApplePay as well as many other alternative payment methods already include multi-factor authentication, so 3D Secure authentication is not required with these payment methods.
Want to learn more? Check out our documentation on PSD2 for specific gateways: Adyen, Braintree, SagePay, Stripe, Wirecard, and WorldPay.