Gear up for PSD2: Strong Customer Authentication with Chargebee

~ 7 min read | October 22

Spring, 2018. Exactly a year ago in Europe.

Countdown to GDPR begins. SaaS businesses are doing everything in their power to avoid ending up as a GDPR horror story.

Spring, 2019. Europe Today.

PSD2 is set to strike in a few months. A cloud of ambiguity looms over it. Unprepared SaaS businesses in Europe may have to face a surge in payment failures.

PSD2, a.k.a. the Second Payment Services Directive, brings fundamental transformations to Europe’s banking system. The directive is aimed at fostering innovation in fin-tech by ending the monopoly banks have enjoyed so far over customers’ data.

How does this work?

Banks will now be required to open up their APIs to third parties, who can use these to build value-add products like P2P payments. In fact, third parties can now even design a central console for consumers to see and manage all their bank accounts in one place.

But for any of that to happen, online transactions need to become simpler, smarter, and more secure.

The final result of the PSD2 regulation is a paradigm shift in the way banks, payment gateways and processors operate.

Now the question is – why should you, a subscription business, worry about PSD2?

TL;DR Version:
Your checkout flow and billing logic need to align with the process changes that your gateways and payment processors bring.
Otherwise, starting September 14, a majority of your subscription renewals will just rain payment failures.

A major chunk of PSD2 describes how banking systems and payment processors should operate. So let’s skip all those mandates that do not concern you — 10 out of 11 mandates to be precise, and just focus on one.

What’s so special about this one mandate, you may ask. To answer that, we’ll have to meet two main protagonists who play a huge part in this mandate.

Protagonist #1

Name: Strong Customer Authentication (SCA)

Mission: Making online transactions smoother and safer by adding an additional layer of security at the time of the transaction.

Backstory: SCA does not cross paths with every Tom, Dick, and Harry in the subscription business. It has a clear target.

If your payment processor is based in the EU and your customers make online payments with cards issued by EU banks, you should gear up for PSD2. If you aren’t sure about this, then reach out to your gateway and clear the air right away!

Figure: Strong Customer Authentication

Note: Even if you are not based in the EU, but sell to a significant customer base there, there’s a possibility that those transactions will require SCA. We would recommend that you are prepared to handle SCA requirements.

Tip: SCA applies only to card payments. It does not affect merchants accepting payments via direct debit, PayPal, and other e-wallets.

Subscription businesses are, by default, a part of the Exemptions to Strong Customer Authentication.

Every initial purchase might require SCA. And future recurring transactions will be exempted as Merchant Initiated Transactions (MIT). In case the issuing bank chooses to override the exemption, the payment will fail and get into a fallback flow (more on that later).

Tip: If you are a B2C business, break this news to your customers well in advance. Give them a heads-up about PSD2 and what they need to do to verify the transaction.

Protagonist #2

Name: 3D Secure 2 a.k.a 3DS2

Mission: Minimizing checkout drop-off by making the flow mobile-friendly and accommodating modern authentication mechanisms.

Backstory: Previously, in 3D Secure 1, once a customer entered the card details to make a payment, she would be redirected to a 3D Secure page. The authentication is usually done on this page to reduce fraudulent activity.

But redirection meant a bad user experience. Adding to that, 3DS1 wasn’t designed for smartphones. All this meant one thing – drop-offs! According to Worldpay, 3DS1 had a drop-off rate of 5-15% at the checkout.

With 3DS2, you get a chance to minimize checkout drop-off. The flow is more mobile-friendly and it will also accommodate modern authentication mechanisms. 3DS2 also sends about 100 data points including background data collected from the browser to the cardholder’s bank to assess the transaction risk.

If the customer’s bank judges the transaction to be low-risk, the customer needn’t go through SCA at all: this is the frictionless flow.

But when the customer’s bank wants more proof to authenticate a transaction, it can request additional information from the customer, such as a password, on its own payments page: this is the challenge flow.

Banks that aren’t 3DS2-ready will still put the user through Strong Customer Authentication by redirecting them to a separate page (3DS1): this is the redirect flow.

Now that the basics are covered, here’s how it would look when Sarah decides to buy your service.

Figure: SCA flow for a customer-initiated transaction

And when her subscription is up for renewal, here’s how her payment would be processed.

Note: Whenever a payment is initiated while the customer is not present, such as a renewal (like the one below) or a trial-to-paid upgrade, PSD2 terminology calls it an off-session payment.

Figure: SCA flow for a merchant-initiated transaction
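The two flows above, as an added simulation that is not part of the original post and not Chargebee’s code: the first purchase is on-session and always attempts SCA (frictionless, challenge or redirect), the renewal is off-session and claims the merchant-initiated-transaction exemption, and an issuer that overrides the exemption pushes the renewal into a fallback where a blind retry fails and dunning must bring the customer back to authenticate. The `Issuer` model, its risk threshold and the result strings are constructed assumptions, not any gateway’s API.

```python
from dataclasses import dataclass
from enum import Enum

class Flow(Enum):
    FRICTIONLESS = "frictionless"  # issuer satisfied by 3DS2 risk data, no SCA step
    CHALLENGE = "challenge"        # issuer asks the cardholder for a second factor
    REDIRECT = "redirect"          # issuer not 3DS2-ready, customer sent to a 3DS1 page
    MIT_EXEMPT = "mit_exempt"      # renewal accepted as a merchant-initiated transaction
    FALLBACK = "fallback"          # issuer overrode the exemption: customer must return

@dataclass
class Issuer:
    """Constructed stand-in for the cardholder's bank (assumed fields, not a real API)."""
    supports_3ds2: bool
    challenge_above: int   # risk scores above this trigger a challenge
    honours_mit: bool      # whether the MIT exemption is accepted

def on_session_payment(issuer: Issuer, risk_score: int) -> Flow:
    """Customer-initiated transaction (first purchase): SCA is always attempted."""
    if not issuer.supports_3ds2:
        return Flow.REDIRECT
    if risk_score > issuer.challenge_above:
        return Flow.CHALLENGE
    return Flow.FRICTIONLESS

def off_session_renewal(issuer: Issuer, initial_sca_done: bool) -> Flow:
    """Renewal with the customer absent: claim the MIT exemption, which only holds
    if the first charge was authenticated and the issuer honours the exemption."""
    if initial_sca_done and issuer.honours_mit:
        return Flow.MIT_EXEMPT
    return Flow.FALLBACK

def dunning_retry(issuer: Issuer, customer_present: bool, risk_score: int) -> str:
    """Recovery after FALLBACK: a blind off-session retry fails the same way, so
    dunning has to bring the customer back on-session to finish authentication."""
    if not customer_present:
        return "retry_failed_sca_required"
    return "paid_via_" + on_session_payment(issuer, risk_score).value

def renewal_lifecycle(issuer: Issuer, initial_sca_done: bool,
                      customer_returns: bool, risk_score: int = 10) -> list:
    """Trace of one renewal: exemption attempt first, fallback handling second."""
    trace = [off_session_renewal(issuer, initial_sca_done).value]
    if trace[0] == Flow.FALLBACK.value:
        trace.append(dunning_retry(issuer, False, risk_score))  # plain retry: still fails
        trace.append(dunning_retry(issuer, customer_returns, risk_score))
    return trace
```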

There. That should give you a solid bird’s eye view of what to expect from PSD2. If you want to dive into the nitty-gritty of the why, the what, and the how of PSD2, and what this means to your SaaS business, then head over to this comprehensive guide on PSD2 and Strong Customer Authentication for SaaS.

Summing up some under-the-hood points on PSD2

  1. Not all gateways support this change in the same way. Some (like Authorize.net) have chosen to just move out of the European market. If you’re using Authorize.net and Chargebee, you don’t have to worry about this at all. In fact, even if your payment provider doesn’t support the change, you can flip gateways on Chargebee almost instantly!
  2. Chargebee handles all the integration and heavy-lifting on the gateway side for you.
  3. Most European SaaS businesses will now have to rework their checkout integration. If you’re already using Chargebee’s checkout, though, this would be completely seamless. In fact, you can forget you even received this email today and continue with your Thursday just the same.
  4. Dunning and revenue recovery systems need to allow for an additional “point of failure”. Your dunning logic must be able to complete the 3DS2 authentication step as well, not just retry the charge.
  5. PSD2 regulations only impact credit card transactions. Direct debit and wallets like PayPal Express & Amazon Pay don’t have to jump through the PSD2 hoops. If you have been considering offering these additional payment methods for your customers in Europe, now may be a great time to bring them in.

Gear up and get ahead of the deadline

Payment failures sound the death knell for SaaS businesses that thrive on recurring revenue. So it’s imperative that you stay on top of the PSD2 updates, and ensure that you have all the provisions in place for you to be PSD2 ready.

And it goes without saying that Chargebee will support you every step of the way on your compliance journey. Here’s the PSD2 part of that promise. If you’d rather talk to a human than read a help document, reach out to us at support@chargebee.com, and we’ll take it from there.

Swetha M

Product Marketer | Chargebee