Gear up for PSD2: Strong Customer Authentication with Chargebee

~ 9 min read | July 18

Spring, 2018. Exactly a year ago in Europe.

Countdown to GDPR begins. SaaS businesses are doing everything in their power to avoid ending up as a GDPR horror story.

Spring, 2019. Europe Today.

PSD2 is set to strike in a few months. A cloud of ambiguity looms over. Unprepared SaaS businesses in Europe may have to face a surge in payment failures.

PSD2, a.k.a the Second Payment Services Directive brings fundamental transformations to Europe’s banking system. The directive is aimed at fostering innovation in fin-tech by ending the monopoly banks have enjoyed so far over customers’ data.

How does this work?

Banks will now be required to open up their APIs to third-parties who can now use these to build value-add products like P2P payments. In fact, third-parties can now even design a central console for consumers to see and manage all their bank accounts in one place.

But for any of that to happen, online transactions need to become simpler, smarter, and more secure.

The final result of the PSD2 regulation is a paradigm shift in the way banks, payment gateways and processors operate.

Now the question is – why should you, a subscription business, worry about PSD2?

TL;DR Version:
Your checkout flow and billing logic need to align with the process changes that your gateways and payment processors bring.
Otherwise, starting September 14, a majority of your subscription renewals will just rain payment failures.

A major chunk of PSD2 narrates how banking systems and payment processors should operate. So let’s skip all those mandates that do not concern you — 10 out of 11 mandates to be precise, and just focus on one.

What’s so special about this one mandate, you may ask. To answer that, we’ll have to meet two main protagonists who play a huge part in this mandate.

Protagonist #1

Name: Strong Customer Authentication (SCA)

Mission: Making online transactions smoother and safer by adding an additional layer of security at the time of the transaction.

Backstory: SCA does not cross paths with every Tom, Dick, and Harry in the subscription business. It has a clear target.

If your payment processor is based out of EU and your customers make online payments with cards issued by EU banks, you should gear up for PSD2. If you aren’t sure about this, then reach out to your gateway and clear the air right away!

strong-customer-authentication

Note: Even if you are not based in the EU, but sell to a significant customer base there, there’s a possibility that those transactions will require SCA. We would recommend that you are prepared to handle SCA requirements.

Tip: SCA applies only for card payments. And it wouldn’t affect merchants accepting payments via direct debit, Paypal, and other e-wallets.

Subscription businesses are, by default, a part of the Exemptions to Strong Customer Authentication.

Every initial purchase might require SCA. And future recurring transactions will be exempted as Merchant Initiated Transactions (MIT). In case the issuing bank chooses to override the exemption, the payment will fail and get into a fallback flow (more on that later).

Tip: If you are a B2C business, break this news to your customers well in advance. Give them a heads-up about PSD2 and what they need to do to verify the transaction.

Protagonist #2

Name: 3D Secure 2 a.k.a 3DS2

Mission: Minimizing checkout drop-off by making the flow mobile-friendly and accommodating modern authentication mechanisms.

BackstoryPreviously in 3D Secure 1, once a customer enters the card details to make a payment, she would be redirected to a 3D Secure page. The authentication is usually done on this page to reduce fraudulent activities. 

But, redirection meant bad user experience. Adding to that, 3DS1 wasn’t designed for smartphones. All this meant one thing – dropoffs! According to Worldpay, 3DS1 had a dropoff rate of 5-15%  at the checkout.

With 3DS2, you get a chance to minimize checkout drop-off. The flow is more mobile-friendly and it will also accommodate modern authentication mechanisms. 3DS2 also sends about 100 data points including background data collected from the browser to the cardholder’s bank to assess the transaction risk.

If the customer’s bank believes that to be a secure transaction, the customer needn’t even go through SCA – Frictionless flow. 

But when the customer’s bank wants more proof to authenticate a transaction, the bank can request additional information from the customer like a password, on their payments page. – Challenge flow.

Banks that aren’t 3DS2 ready will have to go through the Strong Customer Authentication by redirecting the user to a new page (3DS1) – Redirect flow.

Now that the basics are covered, here’s how it would look like when Sarah decides to buy your service.

sca-flow-Customer-initiated-transaction

And when her subscription is up for renewal, here’s how her payment would be processed.

Note: Whenever a payment is initiated when the customer is not present, such as renewals (like the one below) or trial-to-paid upgrades, it is termed as an off-session payment in PSD2 lingo.

sca-flow-merchant-initiated-transaction

There. That should give you a solid bird’s eye view of what to expect from PSD2. If you want to dive into the nitty-gritty of the why, the what, and the how of PSD2, and what this means to your SaaS business, then head over to this comprehensive guide on PSD2 and Strong Customer Authentication for SaaS.

How Chargebee helps you get SCA ready

Here is a checklist to help you get PSD2 ready with Chargebee. We are striving to make all our customers SCA ready well ahead of the deadline. Watch out for emails and in-app notifications to set up each of these steps within your Chargebee app. 

  1. Enable 3DS for the gateway(s) of your choice. Make sure that 3DS 2.0 is also enabled in your gateway account
  2. Enable dunning to handle off-session payment failures due to 3DS
  3. Configure Dunning reminder emails for off-session payments. You can also configure the frequency and the template for these emails.

Getting Your Checkout Flow Compliant with PSD2 and SCA

Chargebee V2 and V3 Checkout

If you use Chargebee’s checkout – both the full-page and the drop-in-script option, we have got you covered.

Just sit back and sip your coffee (oh, sorry.. I meant tea!). We’ll handle all the SCA heavy-lifting for you, and let you know when your checkout flow is ready to test and roll.

Gateway Javascript + API

If you’ve built your own custom checkout flow using the Chargebee APIs and your gateway’s JS, you may have to do a little bit of tweaking at your end.

But don’t worry. Let’s get through it together.

We will be rolling out APIs specific to various gateways in phases. You will also have to upgrade the Javascript integration with your gateway. Once you’ve updated your gateway JS to process 3DS, you can handle 3DS using gateway JS and call the updated Chargebee APIs. Once it’s done, you can test out the flow in the gateway sandbox environments.

The first phase of the release will include support for Stripe, Braintree, Adyen, Worldpay.

Tip: If you use multiple gateways, updating each integration individually is going to get super clunky. To solve for this, we will be rolling out a JS helper in early August. With this, you can implement 3DS for all your gateways with just a single integration.

PS: We are told that Authorize.net would not be supporting PSD2. So if you are processing payments through Authorize.net, you might have to migrate to Cybersource. We would recommend you to reach out to them and clear things up right away.

Raw card details + API

You will have to build multiple APIs that can go through all 3DS2 flows before processing payments. You would also need a system that can capture the data points and feed it to the payment gateway. From what we learn, this is pretty much out of the picture because these data points can’t be captured using APIs. 

Alternatively, using Chargebee Checkout, Gateway JS or even Chargebee JS will seamlessly handle all these 3DS flows and have better approval rates. So the chances of your customers going through frictionless flow are higher. We would recommend you to move to a JS-based integration. Please reach out to Chargebee support for assistance for the same.

Handling off-session payments

Off-session payments would fall typically under MIT (Merchant Initiated Transactions). In case the issuing bank chooses to override this exemption, the payment will fail. Chargebee is well prepared to handle these scenarios too. For such a failed payment, the invoice is pushed into dunning. And based on the dunning configuration, emails would be sent for re-attempting authentication.

Summing up some under-the-hood points on PSD2

  1. Not all gateways support this change in the same way. Some (like Authorize.net) has chosen to just move out of the European market. If you’re using Authorize.net and Chargebee, you don’t have to worry about this at all. In fact, even if your payment provider doesn’t support the change, you can flip gateways on Chargebee almost instantly!
  2. Chargebee handles all the integration and heavy-lifting on the gateway side for you.
  3. Most European SaaS businesses will now have to rework their checkout integration. If you’re already using Chargebee’s checkout, though, this would be completely seamless. In fact, you can forget you even received this email today and continue with your Thursday just the same.
  4. Dunning and revenue recovery systems need to allow for an additional “point of failure”. Businesses will have to account for their dunning logic to complete the 3DS2 authentication step as well.
  5. PSD2 regulations only impact credit card transactions. Direct debit and Wallets like Paypal Express & Amazon Pay don’t have to jump the PSD2 hoops. If you have been considering offering these additional payment methods for your customers in Europe, now may be a great time to bring them in.

Gear up and get ahead of the deadline

Payment failures sound the death knell for SaaS businesses that thrive on recurring revenue. So it’s imperative that you stay on top of the PSD2 updates, and ensure that you have all the provisions in place for you to be PSD2 ready.

And it goes without saying that Chargebee will support you every step of the way on your compliance journey. Here’s the PSD2 part of that promise. If you’d rather talk to a human than read a help document, reach out to us at support@chargebee.com, and we’ll take it from there.

Swetha M

Product Marketer | Chargebee