The whole credit card payment system is built on another legacy system (we have embossed letters on credit cards because of compatibility with a zip-zap machine!), so having explicit authorization consent for recurring payments is probably not going to be as easy as it seems. The last time the payment industry tried to do something that resembles explicit user consent, it resulted in the 3-D Secure system, which is horrendous and not even secure.
Meanwhile, merchants in Europe are looking forward to the new Strong Customer Authentication rules under PSD2 that will come into effect later this year. At least it will be interesting to have hard data on how much damage that causes and whether the damage is worse than the cost of fraud it will supposedly prevent.
AFAIK the new Strong Customer Authentication will be based on 3-D Secure 2, which as far as I know is basically bundling a couple of existing verification methods (e.g. AVS, Address Verification System) under a new scheme and falling back to 3-D Secure authentication if the trust level isn’t met.
The issue is that, well, the whole scheme is designed to protect the merchant (via liability shift) and not the user, and we still have to trust the bank to “verify” us (might not be a big problem in the EU, but in Asia it’s still common to have an OTP code over SMS or even... a 6 digit passcode).
The right mechanism should be to request explicit authorization.