If you’re a SaaS business in Europe and have customers in the US, or your business is in the US and you cater to European customers, then you need to be equipped to meet the SCA requirements. This helped consumers and merchants get paid faster. This solution provides a simple way to authenticate transactions with a no- to low-friction checkout experience for cardholders, and allows merchants to shift liability to the issuers on authenticated transactions to help reduce costs associated with chargebacks categorized as fraud. In the case of subscription renewals, the payments take place without the customers being online. Support both versions of 3DS so you don’t lose out on customers whose banks support only 3DS 1. In other words, waiting to get updates from your payment gateway(s) and then making changes to your internal billing system might not be the most efficient approach. The lower the acquirer’s overall fraud rate, the higher the limit of low-risk transactions that can be claimed as exempt, as shown here: In some cases, corporate payments rely on other security methods that would then exempt the transactions from SCA. Despite this, banks continued to have a monopoly over customer accounts. Our page, and the Money Advice Service provide more information. For a subscription being resumed or reactivated after December 31st, 2020, customers can be asked to complete 3DS for their subscriptions to be activated.
We’d highly recommend testing the 3DS2 flow for your website before it goes live, which will give you time to find and fix potential problems you might face once the changes go live. These include corporate card payments made through secure processes and protocols as well as lodged corporate cards, which are used for employee travel and managed directly by a travel agent. SCA, also known as two-factor authentication, is a part of the PSD2 law that will bring an additional layer of security needed at the time of a transaction. Braintree will continue to stay close to developments related to this exemption to ensure that merchants and cardholders alike can take advantage of this exemption when technical solutions become available. This exemption will allow an acquirer to request approval from issuing banks to avoid SCA up to certain transaction-amount limits based on the acquirer’s overall fraud rate, calculated on a rolling quarterly basis (90 days). Before seeking exemptions, we recommend merchants familiarize themselves with some of the nuances around this topic -- including how and when to seek them and the ways obtaining them could affect the ability to shift liability for fraud-related chargebacks and negatively impact the transaction lifecycle -- so they can build the right strategy for their business. But as part of PSD2, there is one new factor that will come into play - Strong Customer Authentication (SCA). Another good practice you can follow after September 14th is to have your new customers complete 3DS for at least one transaction, so their other transactions have a better approval rate.
Payment gateways will be primarily accountable for meeting the PSD2 requirements. On the surface that may seem ideal, but the reality may not be so straightforward. Firms required to provide access to TPPs. Since the approval rate for cards stored in the vault with at least one successful transaction is expected to be higher, you can perform a $1.00 authorization to make the approval rate better. But it will still require certain actions from your end. Once the first payment goes through 3DS, future recurring payments (if the plan amount is fixed) can be exempted from SCA. There’s still a possibility that a small percentage of international transactions that take place in the EU will require SCA. A merchant-initiated transaction is a transaction made with a customer’s saved card when the cardholder isn't present. Since the information needed to validate these criteria is only available to the issuing bank, merchants will still need to confirm if SCA is required on all transactions that might fall into this exemption category and not any of the others described below. Subsequent transactions (when the customer is not in session) will then be considered merchant-initiated and out-of-scope for SCA. Account servicing payment service providers (ASPSPs) are required to have a PSD2-compliant way to provide TPPs with access to account data and payment functionality by 14 September 2019. providing customer data assets to businesses dealing with payments and technology. For existing customers, if they decide to upgrade to a higher plan or buy any add-ons, they may be asked for a 3DS verification. Once strong authentication requirements are enforced, merchants who do not perform SCA on transactions that require it are likely to see an increase in declines. Merchants offering a recurring or metered billing model (e.g., a subscription service or utility bill) will only need to apply SCA to the first transaction (or verification while vaulting a card in the Braintree Vault).
Initially, customers used a time-bound one-time password to verify a transaction via 3D Secure (3DS). Exemptions have the potential to reduce checkout friction and customer drop-off by decreasing the number of times a customer needs to be authenticated. With all the exemptions under PSD2 that you can apply for your online transactions, in the end, it’s up to the customer’s bank to accept it. SCA fundamentals are well documented elsewhere on this website but just a few key reminders will help you to navigate your options as you consider implementing any of the customer engagement and payment transaction frameworks. New partnerships and open-banking APIs with the right security level brought by SCA and risk monitoring can generate value by: The Second Payment Services Directive, a.k.a. PSD2, is set to bring major changes that will impact online payments in Europe. Regulation (EU) 2015/751 imposes limits on the level of interchange fees. Braintree’s 3DS2 solution also offers built-in support for both 3DS2 and 3DS1 protocols and can automatically divert your transactions, so you can be sure your business will be SCA-compliant regardless of issuer readiness. 3D Secure 2.0 brings in a new way to authenticate transactions that are compliant with SCA. PSD2 will mostly be applicable when both the business and the customer are based in the EU. Corporate cards that are not processed using these additional security methods, such as traditional employee corporate purchase cards (P-cards), will still be subject to SCA. In the latest PSD2 Tracker, PYMNTS examines challenges banks face in SCA compliance and explores how data privacy regulation affects countries beyond Europe. It can help you decrease friction and increase conversion rates. The intent of the PSD2 SCA regulation is to secure ALL electronic transactions, in ALL channels, with SCA. An even better option — use Chargebee js.
bringing transparency by using a wider range of data. Under the terms of PSD2, certain types of transactions will be considered out-of-scope and therefore will not require SCA. Even though there’s a lot of skepticism and confusion around PSD2, it comes with the promise of making online transactions more secure and reducing fraud rates in the EU. If your billing system isn’t PSD2 ready by December 31st, 2020, then it will be raining payment failures impacting your recurring revenue. PSD2 will bring in increased security for online card payments through Strong Customer Authentication (SCA). Apply for exemptions whenever possible. An even safer bet: use a recurring billing system that is better prepared to maneuver through these changes, rather than constantly creating new patchworks of code that get messier over time. Complying with PSD2 can get challenging even for subscription businesses that bill their customers based on usage, as the amount would vary over time.