Updated November 2020 with new enforcement dates
Is your business ready for PSD2? As of December 31, 2020 (September 14, 2021 in the UK only), the answer to this question will determine your ability to accept online payments in the European Economic Area (EEA).
The new PSD2 regulation is an effort to decrease the scourge of online fraud. The primary requirement that impacts businesses completing transactions online is Strong Customer Authentication or SCA. To meet this requirement, Recurly customers will have to present their subscribers with a 3D Secure (3DS) flow which allows the merchant to "authenticate" the subscriber’s identity and confirm that they are the valid holder of the credit card they’re using. While this may sound simple, compliance is actually quite complex, because each gateway differs in its technical integration requirements around PSD2 and SCA.
Recurly has been working hard to prepare for PSD2, and we want to make sure that our customers are prepared as well for what is essentially a breaking change. Following is information on what Recurly has been doing and what you, as a Recurly customer, need to do to ensure that starting December 31, 2020, you’ll be able to continue processing transactions.
To which transactions does PSD2 apply?
PSD2 applies to all online transactions where both the issuing and acquiring banks are located in the European Economic Area (EEA). Merchants should also be aware that similar regulations are expected to be adopted in Australia and New Zealand in January 2020.
PSD2 applies to the initial sign-up transaction and any one-time transactions. Merchants must present the 3DS flow on these transactions in order to satisfy SCA.
PSD2 does not apply to Merchant-Initiated Transactions (MIT), like recurring subscription charges.
Transactions impacted include payments made via credit cards and some alternative payment methods. PayPal, Amazon Pay, and Apple Pay, as well as many other alternative payment methods, already include multi-factor authentication, so 3DS authentication is not required with these payment methods.
How is Recurly helping our customers prepare?
Because Recurly understands how critical compliance with PSD2 is, we’ve been actively working with the gateways and payment partners we support. Our goal has been to make it as easy as possible for our customers to be compliant—to ensure conversions are not impacted—and to do so by providing a solution which minimizes the development work needed.
Subscription businesses must present the 3DS flow on the initial purchase only. Subsequent recurring purchases are exempt from PSD2 and SCA unless the issuing bank declines the exemption.
We have enhanced our client-side integration so our customers can use Recurly to satisfy the SCA requirement on both initial subscription sign-ups and one-time purchases. Our aim is to enable you to incorporate 3DS into your checkout flows not within days, but in a matter of hours.
Update your client-side integration
Recurly’s solution minimizes the amount of development work you need to complete to comply with PSD2. Through our updated integration, you can use our platform to satisfy the SCA requirement—which applies to both initial subscription sign-ups and one-time purchases.
To utilize Recurly’s PSD2 solution, you MUST update your integration. If you have not already done so, you need to plan for and undertake this work soon! On December 31, 2020, banks will decline payments that require SCA but which have not been authenticated via 3DS.
The first step is to read the Integration Guide. This guide will provide instructions for updating your Recurly integration to satisfy the SCA requirement.
What about subsequent renewal purchases?
It is true that not all transactions will require SCA. A transaction can be exempt under certain conditions, including transactions under 30 EUR and subscription or recurring transactions (after the first purchase). The latter are called Merchant-Initiated Transactions (MITs). Although each gateway takes a different approach to how these MIT exemption flags are structured and transmitted, Recurly handles these variables for you.
Our platform automatically applies the appropriate gateway-specific flags when we charge your subscribers’ credit cards as part of the renewal process. This includes existing subscriptions that started prior to December 31, 2020. Recurly will "grandfather" these in as merchant-initiated so that they won’t require SCA when they come up for renewal on or after December 31, 2020.
However, at the discretion of the card issuer, there may still be subsequent renewal MIT purchases that require SCA. The card issuer can challenge any transaction, even a merchant-initiated one, for any reason. Because of this, Recurly provides fallback option(s) such as our "3DS dunning flow" to help you recover MIT transactions that fail due to SCA and need to be re-authenticated by your customer.
Read more about MITs and exemptions—and how dunning can play a key role—in this recent blog.
I have more specific questions about PSD2, SCA, or 3DS. Who should I ask?
While Recurly is here to help you prepare for PSD2, your gateway is your primary resource. We have worked with each of the gateways we support to understand how best to meet their technical integration requirements around PSD2 and SCA. But when it comes to what the regulation means and how it will impact your business and your customers, your gateway should be your primary subject matter expert!
Recurly has developed a variety of resources to provide information and guidance. We encourage you to review these materials if you have not already done so.
Recurly takes pride in our ability to provide streamlined solutions to complex challenges, and PSD2 is no exception. We also know that the regulatory landscape is ever-changing, and our solution must be flexible enough to meet whatever new requirements come along. In short, Recurly aims to be a trusted partner, helping to ensure your continued subscription success.
If you still have questions about PSD2, we encourage you to contact our Support Team.