The Payment Services Directive (PSD2) is a new set of policies regulating payments within the European Economic Area (EEA), going into effect on September 14th, 2019. These regulations mean that transactions between two EEA parties will require Strong Customer Authentication (SCA) in order to be successfully processed, unless they are granted a real-time exception from the cardholder’s bank.
Let’s take a look at what that all means for your membership site.
Does it apply to me and my customers? My business isn't in the EU or EEA.
These new regulations only apply to transactions where both the cardholder and merchant are members of the EEA. If either you or your customers are not within the EEA, the transaction is not subject to these new regulations. It’s also expected that the UK will adopt this regulation—regardless of the outcome of Brexit.
What do I need to do to be compliant?
As a Memberful customer with a Stripe account, you will be compliant on day one with no additional action required. We’ve updated our payments technology to be fully compliant with a focus on minimizing friction for your members.
How will this affect my members?
When both the cardholder and merchant are in the EEA many transactions will require an extra step of authentication, 3D Secure 2.0, before the order is fully processed. We say “most” because some transactions will be exempt, which we’ll explain below.
How does the authentication step work?
All customers will still need to fill out our payment form just as they do today. Once they place their order, their bank will decide whether or not extra authentication is required. If it is, the customer will see a modal with content from their bank requiring they take action to complete the transaction. They won’t have to leave the Memberful checkout flow to complete this.
The specific authentication method that the customer will need to provide is determined by their bank, and will be different for everyone. It could be a code sent through SMS, face or fingerprint recognition, or a password.
If the bank denies the authentication or it fails for another reason, we will return the customer to the payment form where they can try again. If the authentication is successful, the order will go through as normal and we will redirect them to our order confirmation page.
Once the new regulations are implemented on September 14th, 2019, banks will decline all payments that require SCA, but don’t meet the above criteria, and aren’t exempt.
What about customers signing up from free trials?
When signing up for a plan with a free trial that requires a credit card, we will display the 3D Secure 2 authorization step for that first sign up—even though the customer is not being charged. This is so we can successfully charge them later when the trial expires and converts into a paid membership, without requiring another authorization.
Will this apply to renewals?
In some cases a 3D Secure 2 authorization will be required to renew a subscription, whenever it is scheduled to take place. In these cases Memberful will proactively email your members a link where they can authorize the renewal charge to keep their subscription active.
What are exemptions?
Even when both the merchant and the cardholder are within the EEA and subject to the new regulations, the transaction may not actually require any additional authorization as described above. We will request exemptions on your behalf in every situation we can, but the cardholder’s bank may decide to require authentication regardless.
For every single transaction, Memberful and Stripe will request an exemption and only display the authentication step if it’s denied.
Transactions most likely to be granted an exemption include “lower risk” transactions where the likelihood of fraud is lower. The good news is that this might also include lower priced, fixed amount recurring charges that are common with Memberful.
These regulations are complex, brand new, and likely to change over time. Memberful has made sure that your membership business will be fully compliant on day one and able to adapt to any new changes that arise over time. We’ve done this with a focus on maintaining a simple, secure, low friction experience for your new and existing members.
If you have any questions, please reach out to us at: firstname.lastname@example.org
Want to learn more about the technical details of SCA? See Stripe’s website