Ask HN: PSD2 - Is EU trying to rid itself of all SaaS?
https://stripe.com/docs/billing/migration/strong-customer-authentication
If I read it right, it means that the EU is forcing a 2-factor authentication flow for every single payment, recurring or not.
I'm running a SaaS business (https://talkjs.com). My reading of this is that we have to send every EU customer we have an email each month that goes "Hi! It's time to pay again! ^_^" with a link. They then have to click that link, login to our site, and then go through a 2-factor payment authentication flow. This means they need to have all the required gear for that on them, which depending on their bank will often mean having a special bank-issued debit card reader ready that can generate unique one-time auth codes.
Our customers will get one such email every month for every service they use. If they're a SaaS-heavy business like we are, they'll get tens of these emails each month, driving them mad and away from us, to any alternative that can help them escape from this madness.
Am I reading this right? Is this stuff really this insane? Does anyone have more insights here? Mitigation strategies?
6 comments
[ 2.5 ms ] story [ 62.9 ms ] threadAs a person who prefers to manually pay every bill every month I consider this a great thing. I'd be happy if this was already in place for every company in every country.
I do find 2FA very annoying though so I wish they didn't put that in...
Only for the first payment. But the first payment might be later than the user signing up to the SaaS. "Examples where the first charge is delayed until a later date are free trials, metered billing, and $0 plans."
If you charge the same amount every month, then there is an extra step for the initial payment but no distraction later.
On a high level, the EU is trying to protect consumers from predatory businesses. We think protecting consumers is awesome. However, by virtue of creating stringent laws to do so, they've inadvertently caught many good businesses in the trap as well.
You're right that the worst case scenario is that you'd need to send an email (or just use the pre-built emails we created/tested/optimized) to your customer every month, for every charge. But it's quite unlikely that this worst case scenario would happen. This is because the regulation allows for exemptions, which means that certain charges don't need to go through 3D Secure2 every time.
Examples of exemptions include regular amount subscriptions (same amount, same interval; only the first charge needs to be authenticated), what's called "Merchant Initiated Transactions" which means that metered/usage based billing can also be exempted, and "merchant whitelists" where customers can just put trusted businesses on an exempted list. The challenge with these exemptions -- the reason we can't 100% promise all of your same amount recurring charges won't have 3DSecure applied -- is that it's up to your customer's issuing bank (e.g. Chase, HSBC, etc.) to apply the exemption at their discretion. We have been interviewing top EU banks in the past months and the vast majority of them plan to exempt recurring transactions when they assess fraud level as low.
We know this is complicated, developing expertise on the vagaries of issuing banks and global regulators is not everyone’s dream job, and is not why you started a SaaS business.
But this is where we have spent time developing expertise, and that's why Stripe Billing wants take care of this for you: we will automatically apply for an exemption whenever it is potentially available, and deeply optimize for recurring related exemptions in particular. We will understand the nuances of different issuing banks, and give them the right information in the network request we make to maximize chances of success. From your standpoint can treat this logic kind of like a black box -- just attempt the charge, Stripe will either tell you it's all good or not. If it's all good, you'll just see a successful outcome. If not, you can then choose to have Stripe auto-send emails and reattempt the charge, or you can do so yourself.
Most importantly: Stripe wants to do whatever is in our power to help SaaS businesses and other subscription businesses succeed. As this continues to develop (and btw, it looks like something like this is going to happen in Australia as well), we've got your back and promise to do whatever we can to maximize your revenue under these regulations.
If you have any other questions, would love to be helpful. Stripe will stay in touch — we’ll be emailing you as changes happen — but you can always email me at tara@stripe.com, or just reply to the email you received earlier today!
(edit: quick grammar fix!)
It's really cool how much work you do to smooth over the insane legalisms invented by politician lawyers. Do you know whether Stripe is planning to one day do the same with the EU VAT mess? Right now I can't use Stripe's autogenerated receipts, and I can't Stripe Checkout, merely because both lack VAT number field.
We're actually launching something next week. Stay tuned!