There’s no denying that recurring payments are likely to bear the brunt of PSD2. Although the recurring payment exemption exists, there are often times when a subscription amount changes, or the bank may not honor this exemption at all. In this instance, a way of collecting authentication for the payment will be required.
Here’s a quick overview of the ways you can make your recurring payments PSD2 compliant whilst maintaining the best possible user experience:
Recurring payment exemption
If a subscription is always for the same amount - a regular occurrence in SaaS - it’s advised that you apply the recurring payment exemption when processing the payment. With this exemption, it’s likely that the bank will not request SCA. Exemptions will not always be granted, though, so you’ll need to be ready if SCA is requested (see ‘Authentication dunning’ below).
Merchant Initiated Transactions
A Merchant Initiated Transaction (MIT) takes place when the customer is not present in a purchase flow. One of the most common instances of this will be subscription renewals.
MITs will not always be exempt. You’ll need to have collected SCA as part of the initial transaction, so we recommend enabling 3DS for all subscription sign-ups, even if you could get an exemption (such as the low amount exemption). This ensures you’ll always have SCA associated with the subscription, so you won’t need to authenticate with every renewal.
Another potential complication is that SCA gathered with an initial payment is ignored if a payment has not been taken against the subscription for 1 year. This can complicate yearly subscriptions or instances where companies are vaulting a card for occasional later use. For yearly subscriptions, the recommendation is to send a pre-billing email around a week before the renewal is due. In this email, you can provide a link for the user to authenticate in advance of you taking the payment, ensuring it succeeds when you process the renewal a week later. When circumstances don’t allow this, you’ll need to have built a solution for gathering authentication when it is requested and the customer is not present. This brings us to…
Existing subscriptions
Existing subscriptions made under previous regulations will not require SCA in order to be renewed after September 14, 2019.
There are still some unknowns here. It’s possible that the 1 year rule mentioned above still applies, so you may still get asked for SCA if payment has not been taken in the last year. Our advice? Make sure you have a system in place to gather SCA if you’re asked for it!
Authentication dunning
If SCA is requested and you don’t have the customer in a checkout, you’ll need a way to get them to authenticate the payment. We’re calling this ‘authentication dunning’. When a recurring payment triggers an SCA request, you’ll need to get the customer into 3DS to authenticate it, so we recommend sending them an email and/or an SMS message containing a link to authenticate.
This is purely for the purpose of gaining SCA for their recurring payment, so be sure you make that clear in your wording - you don’t want them to think they’re being asked to sign up again.
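The renewal flow described across the sections above (claim the recurring exemption for an unchanged amount, fall back to an MIT backed by sign-up SCA, send a pre-billing authentication link a week before a yearly renewal, and start authentication dunning when SCA is requested with no customer present) can be expressed as a small state machine. The following is an added example, not code from the original post or from any payment provider: the `Subscription` record, the `Outcome` names, the one-year validity window and the modelled issuer behaviour (`honors_exemption`, `one_year_rule_for_legacy`) are assumptions made for illustration, and the real 3DS challenge happens in your gateway, not here.

```python
"""Decision logic for PSD2-era subscription renewals (illustrative, constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Outcome(Enum):
    CHARGED_WITH_RECURRING_EXEMPTION = "charged_recurring_exemption"
    CHARGED_AS_MIT = "charged_mit"                       # backed by SCA from sign-up / re-auth
    CHARGED_PRE_PSD2 = "charged_pre_psd2"                # mandate predates 14 Sept 2019
    AUTHENTICATION_DUNNING = "authentication_dunning"    # e-mail/SMS a link into 3DS
    SEND_PRE_BILLING_AUTH_LINK = "send_pre_billing_auth_link"
    NOTHING_TO_DO = "nothing_to_do"


@dataclass
class Subscription:
    amount: int                               # minor units, e.g. pence
    next_renewal_on: date
    last_charged_amount: Optional[int] = None
    last_payment_on: Optional[date] = None
    sca_collected_on: Optional[date] = None   # 3DS at sign-up or a later re-authentication
    pre_psd2: bool = False                    # assumption: flag for legacy mandates


SCA_VALIDITY = timedelta(days=365)    # SCA is disregarded after a year without a payment
PRE_BILLING_LEAD = timedelta(days=7)  # send the pre-billing e-mail about a week ahead


def paid_within_last_year(sub: Subscription, on: date) -> bool:
    return sub.last_payment_on is not None and on - sub.last_payment_on <= SCA_VALIDITY


def sca_is_usable(sub: Subscription, on: date) -> bool:
    """SCA backs a renewal only if it exists and either the authentication or a
    payment against the subscription happened within the last year."""
    if sub.sca_collected_on is None:
        return False
    latest = max(d for d in (sub.sca_collected_on, sub.last_payment_on) if d is not None)
    return on - latest <= SCA_VALIDITY


def renewal_is_backed(sub: Subscription, on: date, one_year_rule_for_legacy: bool = False) -> bool:
    """True if the issuer can be expected to accept the renewal without fresh SCA."""
    if sub.pre_psd2:  # legacy mandates need no SCA, unless the 1-year rule is applied to them
        return (not one_year_rule_for_legacy
                or paid_within_last_year(sub, on) or sca_is_usable(sub, on))
    return sca_is_usable(sub, on)


def pre_billing_step(sub: Subscription, today: date, one_year_rule_for_legacy: bool = False) -> Outcome:
    """Run daily. About a week before renewal, if stored SCA would be stale on
    renewal day, ask the customer to authenticate in advance."""
    days_ahead = sub.next_renewal_on - today
    if timedelta(0) <= days_ahead <= PRE_BILLING_LEAD and not renewal_is_backed(
            sub, sub.next_renewal_on, one_year_rule_for_legacy):
        return Outcome.SEND_PRE_BILLING_AUTH_LINK
    return Outcome.NOTHING_TO_DO


def record_authentication(sub: Subscription, on: date) -> None:
    """Customer completed 3DS (sign-up, pre-billing link or dunning link)."""
    sub.sca_collected_on = on


def _record_charge(sub: Subscription, on: date) -> None:
    sub.last_payment_on = on
    sub.last_charged_amount = sub.amount


def process_renewal(sub: Subscription, today: date, *,
                    honors_exemption: bool = True,
                    one_year_rule_for_legacy: bool = False) -> Outcome:
    """Attempt the renewal with the customer absent and decide what happens next.
    The two keyword flags stand in for the issuer's behaviour (constructed model)."""
    same_amount = sub.last_charged_amount == sub.amount
    if same_amount and honors_exemption:
        _record_charge(sub, today)
        return Outcome.CHARGED_WITH_RECURRING_EXEMPTION
    if renewal_is_backed(sub, today, one_year_rule_for_legacy):
        _record_charge(sub, today)
        return Outcome.CHARGED_PRE_PSD2 if sub.pre_psd2 else Outcome.CHARGED_AS_MIT
    # SCA requested and nobody in a checkout: start authentication dunning
    return Outcome.AUTHENTICATION_DUNNING


if __name__ == "__main__":
    # Constructed yearly subscription: 366 days between payments, so sign-up SCA has lapsed.
    yearly = Subscription(amount=12000, next_renewal_on=date(2020, 10, 1),
                          last_charged_amount=12000, last_payment_on=date(2019, 10, 1),
                          sca_collected_on=date(2019, 10, 1))
    print(pre_billing_step(yearly, date(2020, 9, 24)))          # SEND_PRE_BILLING_AUTH_LINK
    record_authentication(yearly, date(2020, 9, 25))
    print(process_renewal(yearly, date(2020, 10, 1), honors_exemption=False))  # CHARGED_AS_MIT
```

Because the pre-billing step and the renewal step share one `renewal_is_backed` check, the same one-year rule drives both the advance email and the dunning fallback, which is the point of the post's advice: the flow should degrade to authentication dunning rather than to a failed renewal. The `honors_exemption` flag is deliberately a parameter, since the bank, not the merchant, decides whether the exemption is honored.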