PSD2 & Subscriptions

By September 14th 2019, Strong Customer Authentication (SCA) becomes mandatory under the Payment Service Directive version 2, or PSD2. The following guide outlines our readiness and the actions you need to take.

UPDATED 20th of August 2019

Overview

[PSD2](https://en.wikipedia.org/wiki/Payment_Services_Directive#Revised_Directive_on_Payment_Services_(PSD2)) applies to all digital payment transactions where both the issuing and acquiring banks are located in Europe. This includes Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK (even after Brexit).

PSD2 enforces a set of rules that subscription and e-commerce payment providers and acquirers must follow. PSD2 primarily applies to payment service providers (PSPs), and whilst Upodi does not fall under PSD2, we work to comply and to certify our payment partners to support subscription and recurring billing.

We recommend a discussion with your PSP to understand the SCA options for new customers and re-authentication. Upodi is ready to assist you and your PSP in any changes that support PSD2.

Strong Customer Authentication (SCA)

PSD2 requires a 3D Secure payment flow to comply with the strong customer authentication requirement. 3D Secure is the flow in which you are guided through an online payment and provide a third element to verify you as the customer. 3D Secure is in effect today (read this article by Adyen); however, PSD2 introduces new requirements and allows new flows. The aim is the same: to ensure the safety of the consumer.

Subscriptions are also affected, and whilst most subscriptions are billed while the customer is asleep, that does not excuse them from the requirement. There are, however, a few exceptions:

  • Merchant-initiated transactions (MIT). These are transactions initiated while the customer is not present. Subscriptions fall under this category, as a typical transaction is conducted by putting a credit card on file for future transactions.
  • SCA verified payment on a recurring basis. If you charge a recurring payment of the same fixed amount and cycle, SCA mandates that only the first payment should be SCA secured. If the period and/or the amount due changes, the customer must re-authorize the payment.
  • Whitelist by beneficiaries. A merchant may request to whitelist recurring payments of a fixed cycle but varying amount if a mandated agreement is present, much like most mobile carriers do today. Guidance on this varies between the different PSPs, but it is an approved route in PSD2. Customers may be allowed by their bank to whitelist businesses they subscribe to as ‘trusted beneficiaries’. SCA will, in that case, only be required for the first purchase but not for the subsequent purchases. Not all issuing banks currently support this feature, but it should be increasingly implemented during 2019. Upodi will follow up on guidance.
  • Corporate cards. SCA requirements will not apply to payments made by corporate cards. Exemption will be possible only if requested by the cardholder’s bank, as neither the business nor the payment method provider will be able to detect whether the card used is a corporate card or not.

SCA Solution to recurring billing

Upodi recommends that any change to subscription amount and/or cycle is done through customer initiation and engagement. Specifically, we recommend providing the customer with a self-service page to upgrade or downgrade the payment amount, thereby SCA verifying the "new" chain of charges.

An alternative approach is to allow the payment to enter dunning and, via the dunning flow, email the customer a payment link to re-authorize the payment chain.

Upodi is ready to support you in the steps to PSD2

Upodi is certifying our partners and implementing the proper controls and integrations to allow and support PSD2 based payments. Some payment providers may be de-supported as we partner on a solution.

Upodi will ensure a solution to pass the authentication along with the 3D Secure authorization to your payment gateway, if the gateway supports it. Be prepared to update your integration by September 14, 2019. We will be providing more detailed technical documentation as we get data from each gateway.

State of PSD2 support for payment gateways

| Gateway (PSP) | SCA Ready | Technical guidance | PSD2 ready |
| --- | --- | --- | --- |
| AltaPay | Yes | Yes | No |
| Adyen | Yes | Yes | Yes |
| Bambora (ePay) | No. Will revert to 3D secure for failed payments. | No | No |
| DIBS (D2, D10, Easy) | Pending | No | No |
| iDEAL | Yes | Yes | Yes |
| Klarna | Pending | No | No |
| Paylike | Yes | Yes | No |
| NETS PBS/LS | Yes | Yes | Yes |
| NETS NetAxept | Yes | Yes | No |
| SEPA | Pending | No | Yes |
| Stripe | Yes | Yes | Yes |
| QuickPay | Yes | Yes | No |

Questions & Answers (QnA)

We use a SEPA or Betalingsservice based payment. Does this fall under SCA?

Yes. All online payments fall under the scope of SCA. For NETS based services (Betalingsservice, Leverandørservice) it is recommended to move to the NEM-ID verified signup forms. For SEPA, please use the GoCardless, Stripe or Adyen hosted pages to capture payments.

Additional questions

As we receive questions, we will post answers here. Please do not shy away from posting any question using our PSD2 QnA form here.