The Spring of 2018, Europe: Countdown to GDPR begins. Subscription businesses are doing everything in their power to avoid ending up as a GDPR horror story.
The Spring of 2019, Europe: PSD2 is set to strike in a few months. A cloud of ambiguity looms over. European subscription businesses who are not PSD2 ready by September are looking at a surge of payment failures.
PSD2, a.k.a. the Second Payment Services Directive, will fundamentally transform Europe’s banking system. The directive aims to foster innovation in the fintech space by ending banks’ monopoly over customer data. Banks will be required to open their APIs to third parties, who can use them to build value-add products on top, such as P2P payments or a central console where consumers can see and manage all their bank accounts. But none of this can happen without making online transactions simpler and more secure.
What we are looking at is a paradigm shift in the way banks, payment gateways and processors operate. Now the question is – why should you, a subscription business, worry about PSD2?
Gateways and issuing banks have been working on how to go about implementing PSD2. Your checkout flow and billing logic should also be aligned with these process changes.
Otherwise, come September 14, it’ll rain payment failures.
A major chunk of PSD2 describes how banking systems should operate. So let’s skip the mandates that do not concern you (10 out of 11, to be precise) and focus on just one. What’s so special about this one mandate, you may ask.
To answer that, we’ll have to meet two main protagonists who play a huge part in this mandate.
Name: Strong Customer Authentication (SCA)
Mission: Making online transactions smoother and safer by adding an additional layer of security at the time of the transaction.
Backstory: SCA does not cross paths with every Tom, Dick, and Harry in the subscription business. It has a clear target.
If your payment processor is based in the EU and your customers make online payments with cards issued by EU banks, you should gear up for PSD2. If you aren’t sure, reach out to your gateway and clear the air right away!
Note: Even if you are not based in the EU but still have a significant customer base there, those transactions may require SCA too. So we recommend that you be ready for SCA as well.
Tip: SCA applies only to card payments. It does not affect merchants accepting payments via direct debit, PayPal, and other e-wallets.
Subscription businesses are, by default, a part of the Exemptions to Strong Customer Authentication.
Every initial purchase might require SCA. Future recurring transactions are exempt as merchant-initiated transactions. If the issuing bank chooses to override the exemption, the payment fails and enters a fallback flow (more on that later).
Tip: If you are a B2C business, break this news to your customers well in advance. Give them a heads-up about PSD2 and what they need to do to verify the transaction.
Name: 3D Secure 2 a.k.a 3DS2
Mission: To serve as a competent upgrade to 3D Secure 1.
Backstory: Previously in 3D Secure 1, once a customer enters the card details to make a payment, she would be redirected to a 3D Secure page. The authentication is usually done on this page to reduce fraudulent activities.
But redirection meant a bad user experience. On top of that, 3DS1 wasn’t designed for smartphones. All this meant one thing: drop-offs! According to Worldpay, 3DS1 had a drop-off rate of 5-15% at checkout.
With 3DS2, you get a chance to minimize checkout drop-off. The flow is more mobile-friendly and it will also accommodate modern authentication mechanisms.
3DS2 sends about 100 data points, including background data collected from the browser, to the cardholder’s bank so it can assess the transaction risk.
If the customer’s bank considers the transaction secure, the customer needn’t go through SCA at all. This is the frictionless flow.
When the customer’s bank wants more proof before authenticating a transaction, it can request additional information from the customer, such as a password, on its payments page. This is the challenge flow.
Banks that aren’t 3DS2 ready will still apply Strong Customer Authentication by redirecting the user to a separate page (3DS1). This is the redirect flow.
Now that the basics are covered, here’s how it would look when Sarah decides to buy your service.
And when her subscription is up for renewal, here’s how her payment would be processed.
Note: Whenever a payment is initiated while the customer is not present, such as a renewal (like the one below) or a trial-to-paid upgrade, it is termed an off-session payment in PSD2 lingo.
There. That should give you a solid bird’s eye view of what to expect from PSD2. If you want to dive into the nitty-gritty of the why, the what, and the how of PSD2, and what this means to your SaaS business, then head over to this comprehensive guide on PSD2 and Strong Customer Authentication for SaaS.
How can your Business be PSD2 ready?
Handling PSD2 compliance with an in-house billing solution can go from complex to very frustrating very quickly. If you have built your own recurring billing solution on top of a payment gateway, you will need to dedicate a lot of developer hands and time to enable SCA authentication flows. And if, God forbid, you decide to migrate to a different gateway, you’ll have to go through the entire process of integrating the gateway’s APIs once again to comply with SCA standards.
There is still a lot of uncertainty concerning how payment gateways are handling their PSD2 compliance. Some gateways are rolling out changes for SCA in batches, whereas some aren’t too clear about how and when they’ll be PSD2 compliant. In other words, waiting to get updates from your payment gateway(s) and then making changes to your internal billing system might not be the most efficient approach.
For the benefit of many others like you, we have identified (and broken our heads over) the impact areas you will have to take care of to become PSD2 compliant if you are building your billing solution on top of a payment gateway.
The details as to how payment gateways are tackling PSD2 may vary. So while you’re thinking of a plan to meet SCA requirements, here are some things to keep in mind:
- Integrate 3DS into your checkout and payment flow.
- Handle payments that have failed because SCA requirements were not met.
- Set up dedicated email notifications to inform customers and collect SCA from them.
- Align your recurring billing logic to be SCA ready.
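As an added illustration (not Chargebee’s code, nor any gateway’s API), here is a small Python model of the routing logic those four items imply: an on-session challenge is shown at checkout, an off-session charge where the issuer overrides the merchant-initiated exemption goes into the fallback flow (hold the invoice, email the customer to complete SCA, retry later), and a plain decline goes to dunning. The IssuerResult values, the Outcome statuses and the invoice ids are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class IssuerResult(Enum):
    """Constructed abstraction of what the issuing bank answers (assumption, not a gateway API)."""
    APPROVED = "approved"    # frictionless: issuer accepted without a challenge
    CHALLENGE = "challenge"  # issuer wants the cardholder to authenticate (challenge/redirect)
    DECLINED = "declined"    # hard decline unrelated to authentication


@dataclass(frozen=True)
class PaymentAttempt:
    invoice_id: str
    on_session: bool            # True at checkout, False for renewals / trial-to-paid upgrades
    issuer_result: IssuerResult


@dataclass(frozen=True)
class Outcome:
    status: str                       # "paid", "needs_challenge", "pending_customer_sca", "failed"
    customer_action_required: bool    # must we contact the customer to finish authentication?
    schedule_retry: bool              # should the billing engine retry this invoice later?


def handle_attempt(attempt: PaymentAttempt) -> Outcome:
    """Route one card payment through the SCA states described in the article."""
    r = attempt.issuer_result
    if r is IssuerResult.APPROVED:
        return Outcome("paid", False, False)
    if r is IssuerResult.DECLINED:
        # Not an SCA failure: no authentication to collect, just retry on the dunning schedule.
        return Outcome("failed", False, True)
    if attempt.on_session:
        # Customer is present: show the 3DS2 challenge (or 3DS1 redirect) inline in checkout.
        return Outcome("needs_challenge", True, False)
    # Off-session charge where the issuer overrode the merchant-initiated exemption: the renewal
    # cannot complete silently. Fallback flow: keep the invoice open, email the customer a link
    # to authenticate, and retry once SCA has been collected.
    return Outcome("pending_customer_sca", True, True)


def plan_renewal_batch(attempts: list[PaymentAttempt]) -> dict[str, list[str]]:
    """Split a renewal run into invoices that are paid, need an SCA email, or go to dunning."""
    plan: dict[str, list[str]] = {"paid": [], "email_sca": [], "dunning": []}
    for attempt in attempts:
        outcome = handle_attempt(attempt)
        if outcome.status == "paid":
            plan["paid"].append(attempt.invoice_id)
        elif outcome.customer_action_required:
            plan["email_sca"].append(attempt.invoice_id)
        else:
            plan["dunning"].append(attempt.invoice_id)
    return plan
```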
If you have a recurring billing provider
Ideally, your subscription management solution should have done all the groundwork for you to be PSD2 compliant. But it will still require certain actions from your end. It will also depend on the checkout solution and the payment gateway you are working with. Reach out to your provider to understand how they are tackling this.
How Chargebee can help
With the PSD2 D-Day barely a few weeks away, there are too many key impact areas for subscription businesses to dedicate their resources to solving them all. Because merchants depend on the payment gateway to be PSD2 ready, they are already short on time if they plan to update their integrations as and when their gateway releases changes.
To help solve this complexity, Chargebee takes care of all the compliance wizardry of PSD2. With Chargebee’s plug-and-play checkout and customizable Chargebee JS options, merchants can make their checkout flow compliant with any regulation without any developer dependency from day zero.
Apart from this, we urge merchants to safeguard their revenue from payment gateway risks. With Chargebee, merchants can configure multiple payment gateways, set up a fallback gateway, and be prepared for any last-minute surprises. This means they can also smartly route payments based on a currency or payment method.
For subscription businesses looking to jump over the PSD2 puddle, offering more payment methods than just cards is one way across. By plugging Chargebee into their system, merchants can offer their customers a whole range of payment methods in seconds: Direct Debit via SEPA and BACS, and eWallets like PayPal and Apple Pay, to avoid SCA payment failures.
For recovering payments that fail SCA, merchants can retry payments when they are most likely to succeed with Chargebee’s Automated Smart Dunning. This spares merchants from building their own logic for handling authentication failures. What’s more, merchants can easily configure the frequency of emails and the number of retries that work best for them.
Gear up and get ahead of the deadline
Payment failures sound the death knell for SaaS businesses that thrive on recurring revenue. So it’s imperative that you stay on top of the PSD2 updates, and ensure that you have all the provisions in place for you to be PSD2 ready.
And it goes without saying that Chargebee will support you every step of the way on your compliance journey.
Editor’s Note: This article originally appeared on the Chargebee blog.