
What 3DS V2 and SCA Compliance Means For Your Software Business

If you run a software business, or any type of business that deals in subscriptions and renewals, chances are that over the last few months and throughout 2021 you’ve had days where renewals were significantly lower than you expected.

Enough to make you look at your charts and go “wtf, why are we bleeding money”. 

Enter SCA (Strong Customer Authentication), or what some of you may know as 3D Secure. There’s a technical difference between these terms, which we’ll explore later, but first the background.

What is SCA and 3D Secure (3DS)

SCA is a requirement placed on payment services by the European Union (EU) under PSD2.

Now, Strong Customer Authentication is not 3D Secure; they are not interchangeable terms (despite many people using them as such).

3D Secure (or 3DS for short) has been around since 1999 in its 1.0 guise, which is what was used up until recently to verify all online card transactions.

But when PSD2 came about, which is the revised payment directive from the EU, it introduced the SCA requirement which subsequently led to 3DS V2. 

3DS V2 has a key feature of being SCA compatible and thus compliant with PSD2 (keep with me, I know I know). 

When Did 3DS V2 Start

3DS V2 started to be used in 2019, and countries around the world placed different enforcement dates on when all card transactions must be processed using SCA compliant technology. 

See, while it came from the EU’s directive, countries worldwide implemented similar requirements.

3DS V2 is available on both Visa and Mastercard issued cards.

For the UK, where I live, the enforcement date was recently extended by the Financial Conduct Authority (FCA) to March 2022.

What Happens When 3DS V2 is Forced?

In short, you are going to see renewals plunge through the floor, and if you are not using 3DS V2 for new customers as well, you’ll see most transactions declined.

You may be thinking, “Why will my renewals fail?” Because in most cases you don’t have pre-authorization for 3DS V2 transactions. A 3DS V2 transaction often needs to be approved through two-factor authentication, such as a text message, fingerprint or Face ID on the customer’s device, and there’s no way to send that prompt to them on a renewal that was never set up for 3DS V2.

For example, to set up a 3DS V2 transaction in Stripe you must use PaymentIntent and set up a future intent to use that card for renewals, which flags the card as “Yes, by my first authentication I approve all future transactions using this payment intent ID”.

If you use a third-party payment platform like Zoho, it is not currently fully 3D Secure compatible (it has partial compatibility, but not full), so there’s no easy way to fix this apart from switching platforms.

Yet there are also outliers to this. Let’s look to India for an example: it has some of the strictest SCA rules in the world.

Here’s the full guide by Stripe, but in short, if the payment is over 5,000 INR ($67 USD), you must bring the customer back for a new authorization and can’t automatically authorize the transaction, even with a payment intent set up. A disaster for software businesses.
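
To make the renewal problem concrete, here is an added sketch of a renewal job that handles both cases above (it is not from the original post and is not Stripe's own code). The parameter names `setup_future_usage`, `off_session` and `confirm` and the `authentication_required` error code are Stripe's; `create_intent` is a hypothetical injected stand-in for `stripe.PaymentIntent.create`, the status strings are invented for illustration, and the INR limit is the figure quoted in this post.

```python
# Added example: renewal flow for a card saved under SCA. Not Stripe's code.
# `create_intent` is injected (assumption); in production it would be
# stripe.PaymentIntent.create. Amounts are in the smallest currency unit.

INR_REAUTH_OVER = 5_000 * 100  # this post's 5,000 INR limit, in paise


def first_payment_params(customer, payment_method, amount, currency):
    """On-session first charge: the customer completes 3DS V2 here and the
    card is flagged for later off-session (renewal) use."""
    return {
        "customer": customer,
        "payment_method": payment_method,
        "amount": amount,
        "currency": currency,
        "setup_future_usage": "off_session",
    }


def renew(create_intent, customer, payment_method, amount, currency):
    """Attempt an unattended renewal; return (status, detail)."""
    if currency == "inr" and amount > INR_REAUTH_OVER:
        # Per this post: above the limit the customer must re-authorize.
        return ("needs_customer", "over INR re-authorization limit")
    try:
        intent = create_intent(
            customer=customer,
            payment_method=payment_method,
            amount=amount,
            currency=currency,
            off_session=True,  # the customer is not present
            confirm=True,      # charge immediately
        )
    except Exception as exc:  # stripe-python raises CardError with .code
        if getattr(exc, "code", None) == "authentication_required":
            # The issuer wants a 3DS V2 challenge: send the customer a link
            # to authenticate on-session instead of retrying blindly.
            return ("needs_customer", "authentication_required")
        return ("failed", getattr(exc, "code", None) or str(exc))
    return ("paid", intent["id"])
```

Routing `needs_customer` results into a "confirm your payment" email, rather than counting them as ordinary declines, is what separates recoverable SCA failures from real churn.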

Wrapping Up

3DS V2 is going to put software and subscription businesses around the world through a harsh test of their protocols and payment processes throughout 2022, as they try to retain subscribers who fail the initial 3DS V2 renewal.

This is just the first post in a series I’ll be writing on 3D Secure and payment protocols. Be sure to check back for more soon.
