Okay. This is going to be just slightly more entertaining than watching paint dry. Apologies. But, please, stick with us for at least 10 sentences to receive the following service announcement:
On September 14th, the European Union introduces new requirements for authentication of online payments. This new so-called Strong Customer Authentication regulation (SCA) may have an impact on the payments of your Contractbook subscription. To be more specific, you may occasionally be prompted to confirm the payment for your subscription.
In those cases, you will receive an email from us containing a link to a landing page where you can confirm the transaction. Most often you will be asked for a code that you receive in an SMS. However, that depends on your credit card issuer.
It is important to note that you do not receive such emails because there is a specific risk related to your Contractbook subscription. This is a security requirement set up by our gateway provider Stripe in order for them to comply with the new rules and protect you against credit card fraud. Please also note that your subscription will be cancelled in case you do not confirm the transaction.
In the article below we will give a short introduction to the new rules and provide details to when and why you may be asked to confirm the payment of your Contractbook subscription.
What is Strong Customer Authentication?
The idea with the new rules is to protect European consumers against fraud and to create a common legal framework in all European countries - a bit like when the European Union introduced GDPR. By introducing more requirements to authentication, they seek to create more consumer trust in e-commerce and prevent credit card fraud.
However, the new rules will only have an effect on payments that; 1. Are initiated by the customer, 2. Happens within the European Economic Association. Currently, 19 % of all online payments in Europe are authenticated, but Mastercard expects that number to increase to 57 % in September.
With Strong Customer Authentication, merchants are required to verify the identity of their customers in order to authenticate an online payment. The reason is that the card issuer (most often the customer's bank) must decline all non-compliant transactions. Verification must include two or more elements from the following list
However, there are some exceptions where Strong Customer Authentication is not required:
Less than 30 euros: Purchases with a transaction value of fewer than 30 euros are low risk, and they do not require Strong Customer Authentication. However, the customer bank is required to receive authentication for every fifth transaction under 30 euros or for every cumulative 150 euros that the consumer spends.
Recurring payments: Recurring payments at fixed amounts (like your Contractbook subscription) do not require Strong Customer Authentication unless the card issuer has suspicions. However, the first transaction must be approved and authenticated. In case the prices changes, the updated transaction must also be approved.
Trusted beneficiaries: The customer's bank is able to add certain merchants to a whitelist where Strong Customer Authentication is no longer required on their transactions. We are yet to see how widespread this solution will be.
Transactions lists analysis: Payment service providers will get a fraud rate. Based on that they may not require Strong Customer Authentication.
These exemptions can be very useful, but it is worth noting that it is ultimately the cardholder’s bank that decides whether or not they want to accept an exemption. The big question is also how all the exemptions will be managed since Strong Customer Authentication inevitably will increase friction on the payment process.
How to authenticate a transaction?
Today, the most common way to authenticate an online card payment is by using the 3D Secure Standard (3DS). Typically, that involves an extra step after checkout where the purchaser is prompted by their bank to provide additional information such as a one-time code received on their phone to verify their identity.
The problem with 3DS is its negative effect on conversion rates because it adds friction to the process. So to create a better user experience and a more frictionless authentication flow that prevents drop-off and increases sales, all the major card networks will introduce a new 3D Secure 2 model (3DS2).
The idea 3DS2 to have more data elements sent from the merchant to card issuer. In this way, the bank can trust that the real cardholder is making the purchase. Also, the transaction can be approved without any additional input from the cardholder. However, there might be exemptions where the transactions should still be confirmed.
How will all this affect your Contractbook payments?
Nothing will be changed if you work outside Europe and your credit card does not have 3DS or 3DS2. In that case, you will still be able to buy your subscription by providing your credit card details and then we will automatically charge you for the next billing period.
In case your card has 3DS and therefore always require confirmation, then you will have to approve the transaction every time we charge your monthly payment. You will then receive an email with a link that leads you to a landing page where you can approve the transaction, most often with an SMS-code.
If your credit card has 3DS2, then you will have to approve some transactions. As Contractbook is a fixed-amount recurring payment, you will not have to approve each and every transaction. You will, however, have to approve in some cases:
- 1. The first time you create a subscription.
- 2. When there are changes to the amount of the monthly subscription. Either because you up- or downgrade, or if you purchase NemID signatures.
- 3. If your bank considers the transaction suspicious.
- 4. If the transaction falls as one of every fifth or when 150 euros have been cumulated.
In those cases you will also receive an email with a link, so you can approve to a transaction. Just like we described above. Otherwise, your subscription may be cancelled.
Our gateway provider Stripe has produced some informative and well-produced material where you can learn more about SCA and how to comply with the new rules. You could, for instance, read this article, or watch this informative Webinar. Just a suggestion!
Thanks for staying with us for the entire post.
Stay cool and compliant!
//Jarek, CPO in Contractbook
Effective Contract Management
for Modern Businesses
Create, sign and store all your legal documents in one, safe place.