What Every Subscription Business Needs to Know About PSD2

What is PSD2 and when does it go into effect?

PSD2 stands for Payment Services Directive 2 and is a new EU regulation that was originally supposed to go into effect on September 14, 2019, governing electronic and other non-cash payments. Per the EBA, the deadline has been extended to December 31, 2020. The main provision of PSD2 is for Strong Customer Authentication (SCA), a process that seeks to make online payments more secure and reduce fraud while increasing authorization rates. 

To meet SCA requirements, merchants must present their customers with a 3D Secure (3DS) flow when they make an online purchase. This allows the merchant to "authenticate" both the customer’s identity and that they are the valid holder of the credit card they’re using to complete the purchase.

Merchants  will need to build this additional authentication into their checkout flow in order to continue to process certain transactions once PSD2 goes into effect. Starting December 31, 2020, card issuers will start declining payments that require SCA but which have not been authenticated via 3DS.

Key Dates to Remember

The original September 14, 2019 roll out date has been extended to December 31, 2020 — The PSD2 mandate will go into effect then. Banks will decline payments that require Strong Customer Authentication but which have not gone through the 3D Secure flow. January 2020 — Potential fines levied by card brands on merchants not ready with a 3D Secure flow.

To which transactions does PSD2 apply?

• PSD2 does NOT apply to Merchant Initiated Transactions (MIT) like recurring subscription charges.

• PSD2 DOES apply to the initial sign-up transaction and any one-time transactions. Merchants must present the 3DS flow on these transactions in order to satisfy SCA.

• PSD2 applies to all online transactions where both the issuing and acquiring banks are located in the European Economic Area (EEA). Merchants should also be aware that similar regulations are expected to be adopted in Australia and New Zealand in January 2020. 

• Transactions impacted include payments made via credit cards and alternative payment methods.

Most alternative payment methods such as PayPal, AmazonPay, and ApplePay are PSD2-compliant and meet SCA requirements. Therefore, the main impact of PSD2 and SCA is on credit card transactions.

How is Recurly helping our customers prepare?

Recurly is actively working with the gateways and payment partners we support. Our goal is to make it as easy as possible for our customers by providing a solution which will minimize the amount of work development teams need to complete.

Gateway update

Recurly is actively working with the gateways and payment partners we support. Our goal is to make it as easy as possible for our customers by providing a solution which will minimize the amount of work development teams need to complete.

Work is well underway to add 3DS2 support to several gateways. We will provide notifications via email and other methods, along with instructions once a gateway is ready for testing which should be conducted on your Recurly site in 'Development mode.' 

Gateways available now for testing

• Adyen

• Braintree

• Cybersource

• Stripe

• Worldpay

Subscription businesses must present the 3D Secure flow on the initial purchase only. Subsequent recurring purchases are exempt from PSD2 and Strong Customer Authentication unless the issuing bank declines the exemption.

Client-side integration

We have enhanced our client-side integration so our customers can use Recurly to satisfy the SCA requirement on both initial subscription sign-ups and one-time purchases. Our aim is to enable you to incorporate 3DS into your checkout flows in mere hours, not days. This integration is the only one you’ll need to update and has the following benefits: 

Simplify complexity

Recurly’s 3DS solution lets you update your integration with minimal effort. Our solution builds high-level abstractions around the low-level functionality provided by many of the payment gateways and their 3DS solutions.

Payment gateway agnostic

Recurly’s solution provides a one-to-many integration that normalizes all the payment-gateway specific implementations of 3DS. This approach gives you flexibility should your business needs evolve. For example, once your 3DS flows are built, you can use them for any other payment gateway that you may use in the future.

PayPal, AmazonPay, and ApplePay as well as many other alternative payment methods already include multi-factor authentication, so 3D Secure authentication is not required with these payment methods.

Leverage existing tools and reduce time-to-market

Our solution is provided to you as an enhancement to existing platform components that you’re likely already using. On the client side, we’ve augmented Recurly.js with additional functions to handle things like device fingerprinting and rendering customer challenge flows. To support server-side interactions with the payment gateway, we’ve augmented the Recurly API with some additional fields.   

What about subsequent renewal purchases?

For renewal purchases, Recurly will request to have these transactions exempted from SCA by flagging them as "MIT" (Merchant Initiated Transactions). This includes existing subscriptions that started prior to December 31, 2019. Recurly will "grandfather" these in as merchant-initiated so that they won’t require SCA when they come up for renewal on or after December 31, 2020. However, at the discretion of the card issuer, there may still be subsequent renewal MIT purchases that require SCA. To help you recover these transactions, we are currently evaluating fallback (dunning) options to bring your customers back to complete SCA.