PSD2 stands for Payment Services Directive 2, a new EU regulation governing electronic and other non-cash payments. It was originally supposed to go into effect on September 14, 2019; per the EBA, the deadline has been extended to December 31, 2020. The main provision of PSD2 is for Strong Customer Authentication (SCA), a process that seeks to make online payments more secure and reduce fraud while increasing authorization rates.
To meet SCA requirements, merchants must present their customers with a 3D Secure (3DS) flow when they make an online purchase. This allows the merchant to "authenticate" both the customer’s identity and that they are the valid holder of the credit card they’re using to complete the purchase.
Merchants will need to build this additional authentication into their checkout flow in order to continue to process certain transactions once PSD2 goes into effect. Starting December 31, 2020, card issuers will start declining payments that require SCA but which have not been authenticated via 3DS.
December 31, 2020 (extended from the original September 14, 2019 rollout date): The PSD2 mandate will go into effect. Banks will decline payments that require Strong Customer Authentication but which have not gone through the 3D Secure flow.
January 2020: Potential fines levied by card brands on merchants not ready with a 3D Secure flow.
PSD2 does NOT apply to Merchant Initiated Transactions (MIT) like recurring subscription charges.
PSD2 DOES apply to the initial sign-up transaction and any one-time transactions. Merchants must present the 3DS flow on these transactions in order to satisfy SCA.
PSD2 applies to all online transactions where both the issuing and acquiring banks are located in the European Economic Area (EEA). Merchants should also be aware that similar regulations are expected to be adopted in Australia and New Zealand in January 2020.
Transactions impacted include payments made via credit cards and alternative payment methods.
Most alternative payment methods such as PayPal, AmazonPay, and ApplePay are PSD2-compliant and meet SCA requirements. Therefore, the main impact of PSD2 and SCA is on credit card transactions.
Recurly is actively working with the gateways and payment partners we support. Our goal is to make it as easy as possible for our customers by providing a solution which will minimize the amount of work development teams need to complete.
Work is well underway to add 3DS2 support to several gateways. We will provide notifications via email and other methods, along with instructions, once a gateway is ready for testing. Testing should be conducted on your Recurly site in 'Development mode.'
Gateways available now for testing
Adyen
Braintree
Cybersource
Stripe
Worldpay
Subscription businesses must present the 3D Secure flow on the initial purchase only. Subsequent recurring purchases are exempt from PSD2 and Strong Customer Authentication unless the issuing bank declines the exemption.
Client-side integration
We have enhanced our client-side integration so our customers can use Recurly to satisfy the SCA requirement on both initial subscription sign-ups and one-time purchases. Our aim is to enable you to incorporate 3DS into your checkout flows in mere hours, not days. This integration is the only one you’ll need to update and has the following benefits:
Recurly’s 3DS solution lets you update your integration with minimal effort. Our solution builds high-level abstractions around the low-level functionality provided by many of the payment gateways and their 3DS solutions.
Payment gateway agnostic
Recurly’s solution provides a one-to-many integration that normalizes all the payment-gateway specific implementations of 3DS. This approach gives you flexibility should your business needs evolve. For example, once your 3DS flows are built, you can use them for any other payment gateway that you may use in the future.
PayPal, AmazonPay, and ApplePay as well as many other alternative payment methods already include multi-factor authentication, so 3D Secure authentication is not required with these payment methods.
Our solution is provided to you as an enhancement to existing platform components that you’re likely already using. On the client side, we’ve augmented Recurly.js with additional functions to handle things like device fingerprinting and rendering customer challenge flows. To support server-side interactions with the payment gateway, we’ve augmented the Recurly API with some additional fields.
For renewal purchases, Recurly will request to have these transactions exempted from SCA by flagging them as "MIT" (Merchant Initiated Transactions). This includes existing subscriptions that started prior to December 31, 2019. Recurly will "grandfather" these in as merchant-initiated so that they won’t require SCA when they come up for renewal on or after December 31, 2020. However, at the discretion of the card issuer, there may still be subsequent renewal MIT purchases that require SCA. To help you recover these transactions, we are currently evaluating fallback (dunning) options to bring your customers back to complete SCA.
How do I know if my business will be impacted by PSD2?
If your merchant account provider, a.k.a. your acquirer or acquiring bank, is based in the EEA, and you transact with customers in the EEA, you will be impacted by PSD2 and should be prepared to do SCA. On the other hand, if either of the parties in a transaction is outside the EEA, then the SCA regulation does not apply.
When will technical documentation be available so my teams can plan to do the work necessary to prepare for PSD2?
We published our technical documentation on July 1, 2019. If there are any changes to the mandate or changes made by individual gateways that impact our technology, we’ll update the documentation and inform our customers.
Will 3DS ever be prompted on recurring, merchant-initiated transactions, for example if the value differs from the original (sign up) transaction amount?
The card issuer can technically challenge a transaction, even merchant-initiated ones, for any reason. Because of this, Recurly is planning to provide fallback option(s) like a “3DS dunning flow” to help you recover MIT transactions that fail due to SCA and need to be re-authenticated by your customer.
What happens with MITs where the original transaction was pre-December 31, 2020? Will we have to authenticate all MITs for existing customers prior to December 31st, 2020?
For subsequent renewal purchases, Recurly will endeavor, on your behalf, to have these transactions exempted from SCA by flagging these purchases as “MIT” (Merchant Initiated Transactions). This includes existing subscriptions that started prior to December 31, 2020. Recurly will attempt to “grandfather” these subscriptions as merchant-initiated so that they don’t require SCA when they come up for renewal on/after December 31.
How will 3DS impact my checkout conversion?
Businesses saw between a 3-15% dropoff in checkout conversion with 3DS1, although that number varies widely by country. With 3DS2, issuers are targeting a dropoff of, at most, 5% at checkout. (Statistics provided by WorldPay)
How will 3DS affect authorization rates?
Globally, businesses that have not previously implemented 3DS see an overall authorization rate of about 84%. 3DS1 increased that rate to 92%. Issuers are hoping to see 3DS2 further improve authorization rates to 95%. (Statistics provided by WorldPay)
What reduction in fraud can be expected?
Globally, businesses that have not previously implemented 3DS see overall fraud rates of about 0.29%, inclusive of both authenticated and unauthenticated fraud. 3DS1 reduced that to 0.12%. Issuers are hoping to see 3DS2 further reduce fraud rates to 0.05%. (Statistics provided by WorldPay)
How much transaction latency should I expect as a result of 3DS?
In general, 3DS authentication can take up to 10 seconds. In addition, if the issuer rejects an exemption and forces SCA to take place, there could be an additional latency of up to 1-2 seconds for the issuer to evaluate an exemption, reject it, and then force SCA. (Statistics provided by WorldPay)
With usage-based billing, would SCA be required on each re-bill?
As long as the transaction is merchant-initiated and is appropriately flagged as such, subsequent re-bills should in most cases not require SCA, even if the amount varies (as in usage-based billing). However, it’s important to note that there may still be cases where subsequent renewal MIT purchases require SCA. Card issuers always have the final say and can require SCA for any transaction, for any reason.
With a fixed subscription where the first month is prorated, would the second month (charging the full amount) still qualify to be exempted from SCA?
Best practice suggests that in this scenario, merchants should authenticate for the full amount of the subscription at the time the customer signs up, even if the first month is prorated. Then, subsequent re-bills should in most cases not require SCA as long as they are appropriately flagged as MIT. Recurly will take care of both of these pieces for our merchants: authenticating for the full amount and flagging subsequent re-bills as MIT.
I have more specific questions about PSD2, SCA, or 3DS. Who should I ask?
While Recurly is here to help you prepare for PSD2, your gateway is your primary resource. We are working with each of the gateways listed below to understand how best to meet their technical integration requirements around PSD2 and SCA, but in terms of what the regulation means, how it will impact your business and customers, etc., your gateway will be the subject matter expert.
Where can I get additional gateway-specific resources on PSD2?
Following are links to more information on PSD2 from specific gateways: Adyen, Braintree, SagePay, Stripe, Wirecard, WorldPay. Specific updates needed for your gateway configuration can be found here.