SCA best practices for recurring revenue businesses

Introduction

Last updated on 6 November 2019

On 14 September 2019, new requirements for authenticating online payments were introduced in Europe as part of the second Payment Services Directive (PSD2). We expect these requirements to be fully enforced by 31 December 2020.

Read the SCA Guide to learn about Strong Customer Authentication (SCA), two-factor authentication basics, and the overall regulatory requirements and exemptions. Managing these new rules and suggestions will be especially important for businesses with recurring charges, and this guide outlines how to prepare recurring payment flows for SCA.

How will SCA affect recurring revenue payment flows?

Recurring revenue businesses need to consider how SCA may impact five key payment flows:

  • First subscription charges, charging immediately — a new subscriber signs up and their card is charged immediately.
  • First subscription charges, charging later — a new subscriber signs up but their card isn’t charged until a later date, after a free trial, for example.
  • Recurring subscription charges — a subscriber’s card is charged automatically to renew their subscription at the end of a billing cycle.
  • Invoice charges — a customer is sent an invoice to be paid manually and their card is charged when they initiate the payment.
  • Admin charges — a charge is initiated by someone at your company from an internal admin dashboard. For example, you might initiate a charge in response to an email from a customer about a failed payment.

We’ll explain each payment flow, identify how SCA may affect it, and provide relevant resources and guidelines. You can use these resources to make sure you’re SCA-ready for the billing system that you use:

  • Stripe Billing — Stripe Billing is Stripe’s subscriptions and invoicing revenue platform. It integrates with Stripe Payments and manages subscriptions and invoicing. In the first half of 2019, Stripe Billing launched a set of features for SCA and users just need to make a few adjustments to their integrations to be SCA-ready.
  • Stripe Payments + in-house billing — Some businesses use Stripe Payments with an in-house billing system. Stripe Payments also recently launched a set of new features for SCA. Businesses with in-house billing systems will need to update the way their in-house systems work with the Stripe Payments API to be SCA-ready.
  • Third-party billing — If you use a third-party recurring billing system, we’ll provide some guidance around what you should expect of their products to make sure you are SCA-ready.

1. First subscription charges, charging immediately

In this scenario, a new customer pays in advance for the first billing cycle in a subscription. Their credit or debit card is charged immediately. This is common for flat-rate business-to-consumer (B2C) and per-seat business-to-business (B2B) recurring payment plans when there is no free trial, such as Typeform’s pro plan. This scenario also applies when a credit or debit card is not collected at the start of a free trial, such as with Squarespace. When this kind of free trial is over, the new subscriber will be asked to provide their card and it will then be charged immediately.

We expect SCA to be required most of the time in this scenario because it will typically be the first time a cardholder has transacted with your business. If your payment flow does not support SCA, your customer’s bank may be legally obligated to block the transaction. This will decrease your conversion rate. The impact will be greater the more of your customer base uses compliant financial institutions in Europe.

Most SCA exemptions will not apply in this scenario. Your payment service may be able to apply low risk transaction exemptions, and we expect this exemption to be widely supported by banks, but this is largely out of your control. (Stripe Radar’s comprehensive, real-time risk assessment allows us to support this exemption for our users.)

To make your payment flow SCA-ready, your subscription checkout will need to identify when a first charge requires SCA and guide the new subscriber through their bank’s two-factor authentication flow.

Stripe Billing

Refer to Scenario 1 of the Stripe Billing SCA migration guide.

Stripe Payments + in-house billing

Refer to the Recurring payments section of the Stripe Payments SCA Migration Guide.

Third-party billing

Contact the third party or refer to their documentation.

2. First subscription charges, charging later

This payment flow is necessary for subscriptions with free trials and metered payment plans which are charged in arrears. Hulu, for example, asks for credit card information up front and charges automatically at the end of the free trial (unless canceled).

Payment method information collected for later use will need to be authenticated at the time of collection. If payment method information isn’t authenticated, banks may decline these payments and you may notice a decline in your free trial conversion rate or an increase in failed payments for metered billing plans.

As with the first scenario, we don’t expect SCA exemptions to apply in this scenario because it will often be the first time your business has seen that customer. However, once a payment method has been authenticated, we do expect the merchant-initiated transaction exemption to allow businesses to charge that payment method without needing SCA in the future.

To make this payment flow SCA-ready, your subscription checkout will need to ask a new customer for their consent to charge their card in the future, guide them through their bank’s two-factor authentication flow, and then save their card details for later use.

Stripe Billing

Refer to Scenario 2 of the Stripe Billing SCA migration guide.

Stripe Payments + in-house billing

Refer to the Payment captured more than seven days after authorization section of the Stripe Payments SCA Migration Guide.

Third-party billing

Contact the third party or refer to their documentation.

3. Recurring subscription charges

The majority of payments in a subscription business are not the customer’s first payment. These renewal payments are considered "off-session", meaning the customer is not on your website or app when their payment is processed.

Recurring subscription charges will be subject to SCA when the new requirements come into effect. If you don’t update the way you process these charges, they could be declined by banks and you may notice an increase in unintended churn.

If a subscriber’s payment method is authenticated via a first subscription payment, as with scenario 1, or when the payment method details are collected, as with scenario 2, recurring subscription charges may be eligible for SCA exemptions. Both the fixed-amount subscription and merchant-initiated transaction exemptions could apply in this scenario. However, since it’s up to payment processors to make the necessary engineering changes to request exemptions, and up to banks to accept them, you should ensure this payment flow can handle SCA if required.

To make this payment flow SCA-ready, you will need to be able to identify which recurring charges require SCA and contact subscribers to bring them “on-session” to provide two-factor authentication.

Stripe Billing

Refer to Scenario 3 of the Stripe Billing SCA migration guide.

Stripe Payments + in-house billing

Refer to the Recurring payments section of the Stripe Payments SCA Migration Guide.

Third-party billing

Contact the third party or refer to their documentation.

4. Invoice charges

Many recurring businesses send out invoices for manual payment. This is especially common for businesses with high per-account values, whose customers may have Accounts Payable processes requiring invoices. Invoices may be used for first subscription charges or recurring subscription charges.

SCA will likely be required if invoices are paid by credit or debit card. Since invoices may be used for a subscription’s first charge and recurring charges, sign-up and unintended churn numbers could be impacted when SCA comes into effect. Similarly, because invoices can be used in the first and recurring charge scenarios, most of the exemptions previously mentioned in this guide can apply.

To make this payment flow SCA-ready, payments made on hosted invoices will need to direct the customer through a two-factor authentication flow if SCA is required, much like in the first scenario.

Stripe Billing

Refer to Scenario 4 of the Stripe Billing SCA migration guide.

Stripe Payments + in-house billing

Refer to the One-time payments section of the Stripe Payments SCA Migration Guide.

Third-party billing

Contact the third party or refer to their documentation.

5. Ad hoc charges

Your operations team may occasionally charge customers manually. For example, Deliveroo might do a one-off charge for training or event tickets.

When SCA comes into effect, these charges may require two-factor authentication. These charges involve similar considerations to the recurring subscription charge scenario because the customer will likely be “off-session”.

The merchant-initiated transaction exemption is likely to be the most helpful in this scenario, but the low-risk and below €30 payment exemptions may also be relevant. Fixed-amount subscription exemptions will likely not be relevant in this scenario because charges initiated by your operations team will be ad-hoc, outside the normal cycle of a subscription.

To make this payment flow SCA-ready, you will need to provide a way for admin-initiated charges to support an “off-session” SCA payment flow, collecting two-factor authentication from customers, much like in the recurring payments scenario.

Stripe Billing

Refer to the Tools for collecting off-session payments section of the Stripe Billing SCA Migration Guide.

Stripe Payments + in-house billing

Refer to the Other off-session payments section of the Stripe Payments SCA Migration Guide.

Third-party billing

Contact the third party or refer to their documentation.

Reporting

We also recommend ensuring you can report how many charges are requiring SCA, how many are being successfully authenticated, how many aren’t, and where those charges are occurring. To make sure your implementation is handling SCA correctly for all payment flows, it’ll be important for you to spot any spikes in SCA-related declines and unintended churn quickly so that you can respond. Stripe has a number of reporting tools that can help.
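One way to build the per-flow report described above, as an added example that is not Stripe's code or schema. The record fields (`flow`, `sca_required`, `outcome`), the flow labels and the 20-point spike threshold are assumptions, and the charge records are constructed sample data.

```python
from collections import defaultdict

def _rows(flow, authenticated, failed, not_required):
    """Build constructed charge records (hypothetical fields, not a Stripe schema)."""
    return ([{"flow": flow, "sca_required": True, "outcome": "authenticated"}] * authenticated
            + [{"flow": flow, "sca_required": True, "outcome": "auth_failed"}] * failed
            + [{"flow": flow, "sca_required": False, "outcome": "not_required"}] * not_required)

# Constructed sample data: two reporting periods, two of the payment flows.
LAST_WEEK = _rows("first_charge", 18, 2, 0) + _rows("renewal", 4, 1, 95)
THIS_WEEK = _rows("first_charge", 17, 3, 0) + _rows("renewal", 3, 7, 90)

def sca_report(charges):
    """Per-flow counts: total charges, SCA required, authenticated, failed."""
    report = defaultdict(lambda: {"total": 0, "required": 0,
                                  "authenticated": 0, "failed": 0})
    for charge in charges:
        row = report[charge["flow"]]
        row["total"] += 1
        if not charge["sca_required"]:
            continue  # exempted or out of scope: counted in the total only
        row["required"] += 1
        if charge["outcome"] == "authenticated":
            row["authenticated"] += 1
        else:
            row["failed"] += 1  # any other outcome after a challenge is a failure
    return dict(report)

def failure_rate(row):
    """Share of SCA-required charges that were not authenticated."""
    return row["failed"] / row["required"] if row["required"] else 0.0

def spikes(current, baseline, threshold=0.20):
    """Flows whose SCA failure rate rose by more than `threshold` over baseline."""
    empty = {"failed": 0, "required": 0}
    return sorted(
        flow for flow, row in current.items()
        if failure_rate(row) - failure_rate(baseline.get(flow, empty)) > threshold
    )

if __name__ == "__main__":
    now, before = sca_report(THIS_WEEK), sca_report(LAST_WEEK)
    for flow, row in sorted(now.items()):
        print(flow, row, f"failure rate {failure_rate(row):.0%}")
    print("flows with a spike in SCA failures:", spikes(now, before))
```

Comparing failure rates rather than raw counts keeps a flow with few SCA-required charges, such as mostly exempted renewals, from hiding a real increase.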

Further resources

Our SCA guide provides a detailed overview of SCA for all types of online businesses. Stripe’s SCA documentation covers implementation details and the SCA Migration Guide for Stripe Billing walks through the updates Stripe Billing users will need to make.

Learn more about Stripe’s SCA-ready products on our website. If you have any questions or feedback, please let us know.
