PSD2, SCA & 3DS: What SaaS Businesses Need To Know About Compliance

by Adam Feber

If you sell a product or service online, you’ve likely heard of the second Payment Services Directive (PSD2) that takes effect in the EU on September 14, 2019. Unless you enjoy stressful situations, we urge all businesses to start their preparation planning sooner rather than later—even those that are not immediately impacted.  

Failing to understand and comply with PSD2 could cripple your ability to process transactions and collect revenue. Below are the common questions and answers that will help you better prepare for the impending deadline:

  • Which businesses are impacted?
  • What exactly is PSD2?
  • How do you prepare for the deadline?
  • What is Chargify doing to ensure compliance?

Which businesses are impacted?

On September 14, 2019, PSD2 will begin impacting businesses that have a merchant account in the European Union (EU) and process payments for customers that have cards issued from an EU bank. We anticipate PSD2 regulation to be enforced in the UK, regardless of the outcome of Brexit.

Not you? Don’t stop reading yet…

At the center of PSD2 compliance is Strong Customer Authentication (SCA), which we will explain in the next section. It is recommended that every business—even businesses outside of the EU—educate themselves on how to collect SCA when requested, as all banks could start asking for it at any time.

What exactly is PSD2?

PSD2 is a new European Economic Area (EEA) regulation that requires Strong Customer Authentication (SCA) as a means to increase security and authorization rates while decreasing online payment fraud. 

SCA will need to be collected prior to processing a payment by authenticating two of three possible identification traits: something the customer owns (possession), knows (knowledge), or is (inherence).

[Figure: PSD2 SCA traits]

3D Secure (3DS) has become the most common, globally accepted security protocol that collects and confirms SCA. 3DS was initiated and created by Visa and MasterCard and may be familiar to some merchants through these card networks’ brand names such as Visa Secure and Mastercard Identity Check. But PSD2 turns 3DS into a requirement vs. a nice-to-have. 

Keep reading to understand how to enable 3DS, which transactions will require SCA, which transactions may be exempt, and the changes that will impact both current and future customers.  

How do you prepare for the deadline?

Here is the CliffsNotes version of how it all works and what the process looks like:

  • When a customer initiates an online transaction, the issuing bank will flag transactions that require SCA based on a number of criteria 
  • Your payment gateway will receive this request and initiate 3DS in order to authenticate the customer
  • Businesses must be using a PSD2 compliant billing solution that supports 3DS workflows to present, capture, and pass the SCA identification traits back to the payment gateway’s 3DS service
  • Once SCA is confirmed, it is sent back to the issuing bank to successfully process the transaction 

[Figure: PSD2 3DS workflow]

Because payment gateways are ultimately on the hook for initiating 3DS and establishing SCA, all the major players are either working on or have already delivered a solution to enable 3DS. Step #1 starts with contacting your payment gateway to learn more about enabling 3DS. 

Your payment gateway will likely charge a small fee to use their 3DS service, but it’s important to understand that not all subscription transactions will require SCA, even after PSD2 goes into effect.

Grandfathered Existing Customers Exemption 

Someone or something that is ‘grandfathered’ is exempt from a new law or regulation. In the case of PSD2, transactions for existing paying customers will not require SCA in order to be renewed after September 14, 2019, as long as a previous relationship is established using the new Stored Credentials framework.

Merchant-Initiated Transaction Exemption

A Merchant Initiated Transaction (MIT) happens when payment is initiated by the merchant—not the customer—with a saved card. SCA will usually be required for the initial transaction after September 14, 2019, but subsequent payments technically fall outside the scope of SCA. Marking a payment as a “merchant-initiated transaction” acts as an exemption request, but it will still be up to the bank to decide whether SCA will be required.

The caveat is that if a transaction is not processed for a customer within a year, then any preexisting grandfathered or MIT exemptions will be invalidated, and that customer will have to reauthenticate. This one-year rule creates additional complications for annual subscriptions that may renew outside of the exemption grace period. We will cover suggested ways to handle this use case in the next section.

Other Exemptions

  • Amount Exemption: Transactions less than €30 will be exempt from SCA
  • Whitelisted Merchants Exemption: Some issuing banks will support whitelisting, where customers can add trusted companies to a ‘skip SCA’ list 
  • Low-Risk Exemption: If you have low fraud rates, the bank will allow higher transaction values (up to €500) without requiring SCA
  • Recurring Payments Exemption: A new SCA is not required for subscription renewals when the transaction amount is exactly the same from one due date to the next
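To make the exemption rules above concrete, here is an added example (not Chargify's code, and not any gateway's API) that decides, for one renewal or purchase, whether to flag an exemption request or send the transaction straight into 3DS. It encodes the thresholds stated in this article (under €30 for the amount exemption, up to €500 for low-risk merchants, a one-year validity window for the grandfathered and merchant-initiated exemptions, and identical amounts for the recurring exemption). The order in which exemptions are tried, the `Renewal`, `Decision`, `relationship_is_current` and `evaluate` names, and the exemption labels are all assumptions of this example. The issuing bank still makes the final decision; an exemption flag is only a request.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

# Thresholds as stated in the article (EUR). The one-year window is the
# article's "one year rule" for grandfathered and MIT exemptions.
AMOUNT_EXEMPTION_LIMIT = Decimal("30.00")   # strictly below this is exempt
LOW_RISK_CEILING = Decimal("500.00")        # only for merchants with low fraud rates
RELATIONSHIP_VALIDITY = timedelta(days=365)


@dataclass
class Renewal:
    """One charge to evaluate (hypothetical record layout for this example)."""
    amount: Decimal                     # EUR, this charge
    previous_amount: Optional[Decimal]  # EUR, last successful charge, None if first charge
    last_transaction: Optional[date]    # date of last successful charge, None if never
    relationship_established: bool      # prior relationship stored under Stored Credentials
    merchant_initiated: bool            # saved card charged without the customer present
    merchant_low_risk: bool             # bank/gateway has granted low-risk status
    whitelisted: bool                   # customer put the merchant on the issuer's trusted list


@dataclass
class Decision:
    request_sca: bool          # True: initiate 3DS (or the renewal email flow) now
    exemption: Optional[str]   # exemption flag to send with the authorization, if any
    reason: str


def relationship_is_current(renewal: Renewal, today: date) -> bool:
    """A stored relationship only counts if a transaction was processed within a year."""
    if not renewal.relationship_established or renewal.last_transaction is None:
        return False
    return today - renewal.last_transaction <= RELATIONSHIP_VALIDITY


def evaluate(renewal: Renewal, today: date) -> Decision:
    """Pick the exemption to request, or decide that SCA must be collected."""
    if renewal.whitelisted:
        return Decision(False, "trusted_beneficiary", "customer whitelisted this merchant at the issuer")

    if renewal.merchant_initiated:
        current = relationship_is_current(renewal, today)
        same_amount = (renewal.previous_amount is not None
                       and renewal.amount == renewal.previous_amount)
        if current and same_amount:
            return Decision(False, "recurring_same_amount", "renewal for the same amount as last time")
        if current:
            return Decision(False, "merchant_initiated", "saved card with a relationship used in the past year")
        # One-year rule: the grandfathered/MIT exemption has lapsed, so the
        # customer must reauthenticate before this saved card can be charged.
        return Decision(True, None, "no transaction in the past year; customer must reauthenticate")

    # Customer-present transaction: value-based exemptions may still apply.
    if renewal.amount < AMOUNT_EXEMPTION_LIMIT:
        return Decision(False, "low_value", "amount below the €30 threshold")
    if renewal.merchant_low_risk and renewal.amount <= LOW_RISK_CEILING:
        return Decision(False, "low_risk", "low-fraud merchant, amount within €500")
    return Decision(True, None, "no exemption applies; initiate 3DS")


if __name__ == "__main__":
    # Constructed sample renewals, evaluated as of a date after the PSD2 deadline.
    today = date(2019, 10, 1)
    samples = {
        "annual plan, last charged 16 months ago": Renewal(
            Decimal("299.00"), Decimal("299.00"), date(2018, 6, 1), True, True, False, False),
        "monthly plan, same price as last month": Renewal(
            Decimal("49.99"), Decimal("49.99"), date(2019, 9, 1), True, True, False, False),
        "new signup, €19 plan": Renewal(
            Decimal("19.00"), None, None, False, False, False, False),
        "new signup, €199 plan, low-risk merchant": Renewal(
            Decimal("199.00"), None, None, False, False, True, False),
    }
    for label, renewal in samples.items():
        d = evaluate(renewal, today)
        print(f"{label}: request_sca={d.request_sca} exemption={d.exemption} ({d.reason})")
```

The stale-relationship branch is the one annual subscriptions fall into when they renew outside the one-year window; in that case the decision is to collect SCA from the customer (for example through the renewal email described later in this article) rather than to attempt the charge with an exemption flag that the bank will reject.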

What is Chargify doing to ensure compliance?

While payment gateways do a lot of the heavy lifting, customer-facing billing solutions like Chargify are required to integrate with these gateways’ 3DS services and modify signup/renewal workflows for merchants that enable 3DS. 

Work is nearing completion for our updated PSD2 compliant gateway integrations. As of now, supported gateways will include Braintree, Cybersource, Payment Express, QuickPay, and Stripe.

Other updates that ensure compliance:

  • For existing “grandfathered” customers, we’ve been working with Visa and our shared gateway partners above to ensure that these credentials are stored correctly so that existing subscriptions continue to process successfully. Learn more about the Stored Credentials framework here
  • If you use our API or Chargify.JS to process transactions, you’ll need to make some minor updates to your implementation. Detailed guides and documentation will be published soon for guidance.
  • Hosted Chargify pages like our Public Signup Pages and subscriptions created through our user interface will include native support for 3DS workflows.
  • If you use Chargify Direct to process transactions, 3DS support is TBD. If this is you, we recommend updating your signup workflows to use Chargify.JS and our API, or Public Signup Pages. 
  • Subscription imports will allow merchants to include a previously-stored transaction to establish a previous relationship.
  • For any renewals that require SCA, Chargify will send an email to the customer where they can authorize the transaction using your gateway’s 3D Secure service.

Our sales and support teams are well trained and ready to answer any question you may have. Stay tuned for additional communication and documentation around these updates and what actions Chargify merchants should take to prepare for the September 14, 2019 deadline.
