July 28, 2020 | Authored by: Calvin Nguyen
Ensuring strong customer authentication in the age of the subscription model
With the tremendous growth of subscriptions over the past few years, protecting customer identity and securing payments have come to the forefront of payment security and fraud prevention discussions. These priorities are integral to the success of any online business – especially for subscription businesses that engage in recurring transactions.
The revised Payment Services Directive (PSD2) is a European Union (EU) regulation that went into effect on September 14, 2019, introducing new requirements for authenticating online payments. These requirements are known as Strong Customer Authentication (SCA). General enforcement will begin on December 31, 2020. The regulation aims to make online payments more secure and to reduce fraud by requiring SCA and Common and Secure Communication (CSC).
The new regulation impacts subscription businesses whose acquirer is in the European Economic Area (EEA) – or whose acquirer holds an EEA license – and who are transacting online for a value higher than €30 with customer credit cards whose issuer is also in the EEA. To implement SCA, an authentication protocol called 3D Secure 2 (3DS2) is being rolled out. 3DS2 is supported by most European cards and payment processors. This is good news for subscription businesses, as 3DS2 makes online transactions with European cards safer, smoother, and more likely to complete. These standards can affect businesses and consumers globally, especially those who transact with customers in the EU.
Vindicia takes care of SCA and CSC
To aid subscription businesses in complying with these measures, Vindicia has been working directly with various payment gateways to implement SCA and CSC into our APIs and gateway integrations. Enhancements that are especially useful for subscription businesses include:
- Vindicia Subscribe APIs have been enhanced to support input of the authentication parameters required, allowing subscription businesses to route transactions requiring 3DS2 for cardholder authentication prior to the transaction authorization process.
- SCA and CSC compliance is provided across all functions and required components for customizing checkout processes and billing models.
- For businesses utilizing Vindicia iFrames in their checkout processes (HOA, PMT), the checkout processes have been enhanced to support the new flows.
The primary regulatory requirements of PSD2 apply to the subscription billing platform, payment service providers, and payment gateways. By using Vindicia’s subscription lifecycle platform, businesses can therefore take advantage of the enhanced security and protection of SCA and CSC without implementing them on their own.
PSD2 background and purpose
PSD2 is a revision of the original directive, known as PSD. PSD2 aims to make payments safer, increase consumer protection, and foster innovation and competition in the payments space by regulating new actors not covered by the original directive. The regulation is administered by the European Commission, which regulates payment services and payment service providers throughout the EU and EEA to reduce fraud and make online payments more secure.
What do SCA and CSC do for subscription businesses and customers?
The SCA standard of PSD2 outlines three strategies known as Knowledge, Possession and Inherence, through which customers authenticate themselves. These strategies are commonly described as:
- Knowledge – Something the customer knows, like a PIN or a password
- Possession – Something the customer has, like a mobile phone or a hardware token
- Inherence – Something the customer is, such as a fingerprint, iris, face or voice recognition
SCA requires that businesses verify at least two of these three independent factors before accepting a payment; two methods from the same category (for example, a password and a PIN) do not satisfy the requirement. While SCA makes payments safer, the CSC standards promote competition and innovation among payment service providers by introducing third-party payment service providers (TPPs) and account servicing payment service providers (ASPSPs), the latter being the banks and payment institutions that hold customers’ accounts.
CSC works together with SCA to authenticate payments swiftly, establish a single point of access to information on all of a customer’s payment accounts regardless of where they are held, and make payments on the customer’s behalf after obtaining the customer’s consent and establishing secure communication between payment providers and customers. For example, CSC’s APIs are designed to enable TPPs such as major banks to provide payment initiation and account information services securely. Both SCA and CSC comply with the EU’s General Data Protection Regulation (GDPR). Together, SCA and CSC protect cardholder and customer data and help prevent payment fraud.
Exemptions to SCA requirements
Certain transactions can be exempted from SCA requirements. For example, low-value online transactions of less than €30 each – up to five such transactions in a row, with a combined total of less than €100 – can skip SCA. Also exempted are repeated, low-risk transactions from customers who shop regularly with the business: once the customer has listed the business as a “trusted beneficiary,” subsequent transactions with it are exempted.
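The two decisions described above – whether the factors presented satisfy the two-of-three SCA rule, and whether a given payment may request the low-value or trusted-beneficiary exemption – can be expressed as a small amount of merchant-side logic. The following is an added Python example written for this article; it is not Vindicia code and does not reflect the Vindicia Subscribe API. The method names, merchant identifiers and amounts are constructed, and the reset of the low-value tally after each successful SCA follows the PSD2 regulatory technical standards (which count the limits "since the last application of SCA") rather than anything stated on this page.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    """The three PSD2 factor categories."""
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has
    INHERENCE = "inherence"    # something the customer is


# Hypothetical authentication method names mapped to their factor category
# (constructed for this example; a real deployment would use the
# 3DS2 challenge types its access control server actually supports).
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_app": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def factors_satisfy_sca(methods):
    """True if the presented methods cover at least two distinct categories.

    Two methods from the same category (password + PIN) do NOT count,
    which is the mistake most often made when mapping existing login
    flows onto SCA.
    """
    categories = set()
    for m in methods:
        if m not in METHOD_CATEGORY:
            raise ValueError(f"unknown authentication method: {m}")
        categories.add(METHOD_CATEGORY[m])
    return len(categories) >= 2


# Low-value exemption thresholds as stated in the article.
LOW_VALUE_LIMIT = Decimal("30")       # each transaction must be below this
LOW_VALUE_MAX_COUNT = 5               # at most five exempt payments in a row
LOW_VALUE_MAX_TOTAL = Decimal("100")  # combined total must stay below this


@dataclass
class CardState:
    """Per-card state the merchant (or its billing platform) keeps."""
    exempt_count: int = 0                    # low-value payments since last SCA
    exempt_total: Decimal = Decimal("0")     # their combined amount
    trusted_beneficiaries: set = field(default_factory=set)  # whitelisted payees


def requires_sca(state, amount, merchant_id, issuer_in_eea=True, acquirer_in_eea=True):
    """Return (needs_sca, reason) for a proposed payment.

    Scope check first (PSD2 applies only when both issuer and acquirer are
    in the EEA), then the exemptions in the order a merchant would try them.
    """
    if not (issuer_in_eea and acquirer_in_eea):
        return False, "out of scope: issuer or acquirer outside the EEA"
    if merchant_id in state.trusted_beneficiaries:
        return False, "exempt: trusted beneficiary"
    if amount < LOW_VALUE_LIMIT:
        if (state.exempt_count + 1 <= LOW_VALUE_MAX_COUNT
                and state.exempt_total + amount < LOW_VALUE_MAX_TOTAL):
            return False, "exempt: low value"
        return True, "low-value limits exhausted (count or total)"
    return True, "above the low-value limit"


def record_outcome(state, amount, sca_performed):
    """Update the running tally after the payment completes.

    A successful SCA resets the low-value counters; an exempt payment
    adds to them. The tally is what prevents the exemption from being
    used to split a large purchase into many sub-€30 pieces indefinitely.
    """
    if sca_performed:
        state.exempt_count = 0
        state.exempt_total = Decimal("0")
    else:
        state.exempt_count += 1
        state.exempt_total += amount


def simulate(amounts, state=None):
    """Run a sequence of payments and return the list of (needs_sca, reason)."""
    state = state or CardState()
    results = []
    for amt in amounts:
        amt = Decimal(str(amt))
        needs, reason = requires_sca(state, amt, "merchant-123")  # constructed id
        results.append((needs, reason))
        record_outcome(state, amt, sca_performed=needs)
    return results
```

Note that the decision here only expresses what the merchant side may request. Under 3DS2 the issuer still has the final say and may soft-decline an exemption request, so a production flow must be prepared to fall back to a full challenge whenever `requires_sca` returns `False`.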
Navigating the new standards
Vindicia is leveraging its expertise in payments, its agile product architecture, and its relationships with payment providers to help subscription businesses navigate the new payment standards affecting businesses and consumers globally. By using Vindicia’s subscription lifecycle platform, which incorporates SCA and CSC measures, businesses can provide a more secure, consent-driven transaction experience to customers. We are here to help your business process authenticated and secure online payments while providing an enhanced experience for your customers.
For more information, contact Vindicia support at firstname.lastname@example.org and check out Understanding the Final Regulatory Technical Standards published by the European Payments Council.