Get Subscriptions ready for PSD2

With the dust almost settled from the chores of introducing general data protection regulation (GDPR) in Europe, the subscription and payment industry face a new refined regulation — the second implement of the payment service directive or PSD2.

PSD2 is only subject to businesses whom sell into European payers, or European companies providing means of payment. So — if your business is located in west Virginia and you sell only there, you should leave this article unless you just want to brush up 😊

The directive become part of each EU member state’s legislation from the 13th of January 2018. It is an addition to the outdated directive version 1 from 2007.

What will change?

PSD2 is quite comprehensive, however the most important measures for merchants are the following:

  • New rules and regulations regarding surcharging. Limited impact to your subscription business.
  • Requirement to impose Strong Customer Authentication (or SCA). High impact to your subscription business.

What will be introduced?

PSD2 also implies new opportunities with account-to-account (A2A) based payment outside of the normal credit card handling we have gotten so used to. With this A2A, your bank or a new payment provider can introduce new innovative ways to providing payments. Most banks in EU, work to provide A2A based payment flows. PSD2 open a new world of digital payments across any mean of payment, not only subject to the credit card industry.

More on that in a later article. Let’s look into the changes.

1) Surcharging

PSD2 will require that you as a merchant (selling to customers using online payments) differentiate what types of payment cards are used in transactions, and which can be surcharged.

There are two distinct scopes:

· Consumer cards. Debit- or credit cards issued to individuals (B2C) by the card holders individual bank. Your account is linked via a card scheme to your bank account. You can identify these cards by the label on your card. If only your name is listed — is a personal card.

· Business/corporate cards. Debit- or credit cards issued in the name of companies for business-related purchases (B2B). The cards are linked to the companies’ bank accounts, and the label on the card includes the legal trading name of the business.

With PSD2, surcharging — that is adding fees and costs of the payment transaction — to consumers in B2C purchases will be banned. This change applies to transactions which take place within an EU member state or across its borders, in either online or physical (point-of-sale) stores.

PSD2 will strictly forbid you as a merchant to apply surcharging to payment transactions made with consumers cards (VISA, Mastercard, Dankort) or payments made with direct debit services like SEPA or iDEAL.

If however the transaction in scope, is subject to a corporate payment transaction (B2B) — surcharging can be applies as long as the merchant can prove the given payment instrument is a corporate card.

2) Introducing Strong Customer Authentication (or SCA)

As bots and digital AI enters our daily life, digital payments are the forefront of fraud and automated attacks. PSD2 impose the introduction of a revised SCA.

You know SCA from the digital payments on e-commerce websites in which you have been redirected to your banks payment page to provide a secondary identity claim. This was the norm of PSD1, and the introducing of 3D secure — or general known as “Verified by VISA/Mastercard”.

With PSD2, the directive strengthens the security of a 2-factor authentication protocol to include with inclusion of at least two of the following elements:

  • Something that only the customer knows. A password, PIN, or response to a security question that is known only to the customer.
Card data (e.g., card number, CVV, or expiry date) is not considered a valid knowledge factor by the European Banking Authority or regulators in Germany and France.
  • Something that only the customer possesses. Hardware token, mobile phone, or other device that is in the customer’s possession
  • Something that only the customer is. A biometric ID such as a fingerprint, facial recognition, or iris scan. Detection of unique behavioural patterns (e.g., keystroke analysis) will also qualify as a valid biometric. Get out your best dance move 😉

With PSD2, a minimum of two (2) of the above elements need to be included as part of the payment. The customer also has to be informed up front of the amount and the business being paid.

Application of SCA

The application of SCA renders all payments initiated by the customer, rather than payment initiated by the merchant.

Most card payments are considered by the SCA requirements to be initiated by customers, although subscriptions (recurring payments) often are treated as business-initiated payments of which the merchant holds a copy of the payment instrument in a wallet and issues a payment using this wallet.

Credit transfers are considered to be initiated by customers and direct debits are considered to be initiated by businesses.

There are a few exclusions of SCA:

  • Transactions below €30. PSD2 has ruled that transactions below €30 are not subject to PSD2 enforcement. However often the €30 transaction happen, does not change the application of this norm.
  • Whitelisted merchants. As a customer, SCA introduce the ability to whitelist merchants in your payment arrangement (i.e. your bank) to whom you trust payments to be issued. SCA is required for the customer’s first payment to the business but not for subsequent payments. SCA is also required when the customer creates, confirms, or amends the whitelist. There are no limitations in terms of the transaction amount, number of transactions, or period since SCA was last performed, and whitelisting applies to both card payments and credit transfers (as the rules refer to “payment transactions”, which encompasses both).
  • Fixed Subscriptions. This exclusion will apply where the customer makes a series of recurring payments for the same amount (exactly!) to the same business. SCA is applied to the customer’s first payment to the business but not to subsequent payments.
Be aware! While subscription payments are often periodic and directed to the same business, the amount of each payment tends to vary from one period to the next and so many subscriptions businesses would not be covered by this exemption.

Such business’ may need to look to alternatives, such as initiating payments themselves using payment methods like direct debit or, alternatively, using the “Whitelisted Trusted Beneficiaries” exemption by asking their customers to whitelist them so they can bill them for different amounts — without requiring SCA for every payment.

  • B2B secured corporate payments. In general, corporate or commercial payment means fall within the scope of SCA. However, for corporate payments made through so-called “dedicated payment processes or protocols” (iDEAL, SEPA, LeverandørService, Account-2-account), there is an exemption where security is achieved by means other than authentication.

Preparing for the PSD2

At Upodi we welcome PSD2 and prepare our software in dedicated work with our payment partners. As a customer, you can rest assure we will guide you in the coming months. The new digital payment channels introduced with PSD2 gives your subscription business a new edge and advantage — and this is exactly why we designed Upodi without the mindset of the payment card industry and central thinking around transactions but the customer and events over time.

However, you should think of a few options:

  • Ready your business for a future with multiple payment methods. Upodi has the capabilities built in to handle online, offline and direct based.
  • Validate your currently payment providers (PSP) and learn their strategy to include PSD2. Upodi is working with our partners to ready the business indigitated payments to comply with PSD2.
  • Stay up to date. Register for our newsletters or business updates at
  • Talk to us, calls us or write. We are experts and work daily with these changes and we have the knowledge. Don’t be shy.