
Ask HN: PSD2 - Is EU trying to rid itself of all SaaS? - skrebbel
Stripe just emailed their customers a link to this page:

https://stripe.com/docs/billing/migration/strong-customer-authentication

If I read it right, it means that the EU is forcing a 2-factor authentication flow for every single payment, recurring or not.

I'm running a SaaS business (https://talkjs.com). My reading of this is that we have to send every EU customer we have an email each month that goes "Hi! It's time to pay again! ^_^" with a link. They then have to click that link, login to our site, and then go through a 2-factor payment authentication flow. This means they need to have all the required gear for that on them, which depending on their bank will often mean having a special bank-issued debit card reader ready that can generate unique one-time auth codes.

Our customers will get one such email every month for every service they use. If they're a SaaS-heavy business like we are, they'll get tens of these emails each month, driving them mad and away from us, to *any* alternative that can help them escape from this madness.

Am I reading this right? Is this stuff really this insane? Does anyone have more insights here? Mitigation strategies?
======
mtmail
> is forcing a 2-factor authentication flow for every single payment,
> recurring or not.

Only for the first payment. But the first payment might be later than the user
signing up to the SaaS. "Examples where the first charge is delayed until a
later date are free trials, metered billing, and $0 plans."

If you charge the same amount every month, then there is an extra step for the
initial payment but no distraction later.

------
tarstarr
(I work at Stripe, specifically leading our subscriptions and recurring
revenue product, Stripe Billing)

On a high level, the EU is trying to protect consumers from predatory
businesses. We think protecting consumers is awesome. However, by virtue of
creating stringent laws to do so, they've inadvertently caught many good
businesses in the trap as well.

You're right that the worst case scenario is that you'd need to send an email
(or just use the pre-built emails we created/tested/optimized) to your
customer every month, for every charge. But it's quite unlikely that this
worst case scenario would happen. This is because the regulation allows for
exemptions, which means that certain charges don't need to go through 3D
Secure 2 every time.

Examples of exemptions include regular amount subscriptions (same amount, same
interval; only the first charge needs to be authenticated), what's called
"Merchant Initiated Transactions" which means that metered/usage based billing
can also be exempted, and "merchant whitelists" where customers can just put
trusted businesses on an exempted list. The challenge with these exemptions --
the reason we can't 100% promise all of your same amount recurring charges
won't have 3DSecure applied -- is that it's up to your customer's issuing bank
(e.g. Chase, HSBC, etc.) to apply the exemption at their discretion. We have
been interviewing top EU banks in the past months and the vast majority of
them plan to exempt recurring transactions when they assess fraud level as
low.

We know this is complicated: developing expertise on the vagaries of issuing
banks and global regulators is not everyone's dream job, and is not why you
started a SaaS business.

But this _is_ where we have spent time developing expertise, and that's why
Stripe Billing wants to take care of this for you: we will automatically apply
for an exemption whenever it is potentially available, and deeply optimize for
recurring related exemptions in particular. We will understand the nuances of
different issuing banks, and give them the right information in the network
request we make to maximize chances of success. From your standpoint you can
treat this logic kind of like a black box -- just attempt the charge, and Stripe
will either tell you it's all good or not. If it's all good, you'll just see a
successful outcome. If not, you can then choose to have Stripe auto-send
emails and reattempt the charge, or you can do so yourself.

Most importantly: Stripe wants to do whatever is in our power to help SaaS
businesses and other subscription businesses succeed. As this continues to
develop (and btw, it looks like something like this is going to happen in
Australia as well), we've got your back and promise to do whatever we can to
maximize your revenue under these regulations.

If you have any other questions, would love to be helpful. Stripe will stay in
touch — we’ll be emailing you as changes happen — but you can always email me
at tara@stripe.com, or just reply to the email you received earlier today!

(edit: quick grammar fix!)
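
The "black box" flow described above, as an added example that is not Stripe's code and not from any post in this thread: a webhook handler that first verifies the event really came from Stripe, then routes on whether the charge went through or the issuing bank declined the exemption and the customer has to authenticate. It assumes, per Stripe's public docs as the author understands them, that a successful charge arrives as an `invoice.paid` event, that a non-exempted charge arrives as `invoice.payment_action_required` carrying a `hosted_invoice_url` the customer can open to complete 3D Secure 2, and that the `Stripe-Signature` header has the shape `t=<unix>,v1=<hex>` where `v1` is HMAC-SHA256 over `<unix>.<raw body>` under the endpoint secret. The secret and the sample events are constructed.

```python
"""Route Stripe Billing webhook events under SCA (added example, not Stripe's code)."""
import hashlib
import hmac
import json

# Events whose timestamp is further from "now" than this are treated as replays.
TOLERANCE_SECONDS = 300


def sign_payload(secret: str, body: bytes, timestamp: int) -> str:
    """Build a Stripe-style signature header; used here only to construct test input."""
    signed = f"{timestamp}.".encode() + body
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_signature(secret: str, body: bytes, header: str, now: int) -> bool:
    """Check the header against the RAW request body (not re-serialised JSON).

    The comparison is constant-time and stale timestamps are rejected, so a
    captured event cannot be replayed later to trigger customer emails.
    """
    timestamp = None
    candidates = []
    for item in header.split(","):
        key, _, value = item.partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    signed = f"{timestamp}.".encode() + body
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, c) for c in candidates)


def route_event(event: dict) -> dict:
    """Turn a verified event into the action the SaaS should take."""
    invoice = event.get("data", {}).get("object", {})
    kind = event.get("type")
    if kind == "invoice.paid":
        # Exemption granted (or authentication already done): nothing to do.
        return {"action": "none", "invoice": invoice.get("id")}
    if kind == "invoice.payment_action_required":
        # The issuing bank wants the cardholder to authenticate; send the
        # customer to Stripe's hosted page rather than collecting anything yourself.
        return {
            "action": "email_customer",
            "customer": invoice.get("customer"),
            "invoice": invoice.get("id"),
            "url": invoice.get("hosted_invoice_url"),
        }
    return {"action": "ignore", "invoice": invoice.get("id")}


def handle_webhook(secret: str, body: bytes, header: str, now: int) -> dict:
    """Verify first, parse second: never act on an unauthenticated event."""
    if not verify_signature(secret, body, header, now):
        return {"verified": False, "action": "reject"}
    return {"verified": True, **route_event(json.loads(body))}


# Constructed sample events (ids and URL are placeholders, not real Stripe objects).
SAMPLE_ACTION_REQUIRED = {
    "id": "evt_constructed_1",
    "type": "invoice.payment_action_required",
    "data": {"object": {
        "id": "in_constructed_1",
        "customer": "cus_constructed_1",
        "hosted_invoice_url": "https://invoice.stripe.com/i/constructed-example",
    }},
}
SAMPLE_PAID = {
    "id": "evt_constructed_2",
    "type": "invoice.paid",
    "data": {"object": {"id": "in_constructed_2", "customer": "cus_constructed_1"}},
}
ACTION_REQUIRED_BODY = json.dumps(SAMPLE_ACTION_REQUIRED).encode()
PAID_BODY = json.dumps(SAMPLE_PAID).encode()
SECRET = "whsec_constructed_example"  # constructed; a real secret comes from the dashboard


if __name__ == "__main__":
    ts = 1_700_000_000
    header = sign_payload(SECRET, ACTION_REQUIRED_BODY, ts)
    print(handle_webhook(SECRET, ACTION_REQUIRED_BODY, header, now=ts + 5))
    print(handle_webhook(SECRET, ACTION_REQUIRED_BODY + b" ", header, now=ts + 5))
```

The point for a SaaS operator is that the only branch that produces customer-facing email is the one reached after a valid signature and a fresh timestamp; a forged or replayed `invoice.payment_action_required` would otherwise be a cheap way to spam your customers with authentication links.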

~~~
skrebbel
Thanks for your extensive reply!

It's really cool how much work you do to smooth over the insane legalisms
invented by politician lawyers. Do you know whether Stripe is planning to one
day do the same with the EU VAT mess? Right now I can't use Stripe's
autogenerated receipts, and I can't use Stripe Checkout, merely because both
lack a VAT number field.

~~~
tarstarr
it's funny you should mention...

We're actually launching something next week. Stay tuned!

------
BA4gDY-cqjsEPWn
Assuming you are actually reading it right. I'm probably not your average SaaS
consumer, but here's my 2 cents:

As a person who prefers to manually pay every bill every month I consider this
a great thing. I'd be happy if this was already in place for every company in
every country.

I do find 2FA very annoying though so I wish they didn't put that in...

