
tarstarr | 6 years ago

(I work at Stripe, specifically leading our subscriptions and recurring revenue product, Stripe Billing)

On a high level, the EU is trying to protect consumers from predatory businesses. We think protecting consumers is awesome. However, by virtue of creating stringent laws to do so, they've inadvertently caught many good businesses in the trap as well.

You're right that the worst case scenario is that you'd need to send an email (or just use the pre-built emails we created/tested/optimized) to your customer every month, for every charge. But it's quite unlikely that this worst case scenario would happen. This is because the regulation allows for exemptions, which means that certain charges don't need to go through 3D Secure 2 every time.

Examples of exemptions include regular amount subscriptions (same amount, same interval; only the first charge needs to be authenticated), what's called "Merchant Initiated Transactions" which means that metered/usage based billing can also be exempted, and "merchant whitelists" where customers can just put trusted businesses on an exempted list. The challenge with these exemptions -- the reason we can't 100% promise all of your same amount recurring charges won't have 3D Secure applied -- is that it's up to your customer's issuing bank (e.g. Chase, HSBC, etc.) to apply the exemption at their discretion. We have been interviewing top EU banks in the past months and the vast majority of them plan to exempt recurring transactions when they assess fraud level as low.

We know this is complicated. Developing expertise on the vagaries of issuing banks and global regulators is not everyone’s dream job, and is not why you started a SaaS business.

But this is where we have spent time developing expertise, and that's why Stripe Billing wants to take care of this for you: we will automatically apply for an exemption whenever it is potentially available, and deeply optimize for recurring-related exemptions in particular. We will understand the nuances of different issuing banks, and give them the right information in the network request we make to maximize chances of success. From your standpoint, you can treat this logic kind of like a black box -- just attempt the charge, Stripe will either tell you it's all good or not. If it's all good, you'll just see a successful outcome. If not, you can then choose to have Stripe auto-send emails and reattempt the charge, or you can do so yourself.

Most importantly: Stripe wants to do whatever is in our power to help SaaS businesses and other subscription businesses succeed. As this continues to develop (and btw, it looks like something like this is going to happen in Australia as well), we've got your back and promise to do whatever we can to maximize your revenue under these regulations.

If you have any other questions, would love to be helpful. Stripe will stay in touch — we’ll be emailing you as changes happen — but you can always email me at tara@stripe.com, or just reply to the email you received earlier today!

(edit: quick grammar fix!)

skrebbel|6 years ago

Thanks for your extensive reply!

It's really cool how much work you do to smooth over the insane legalisms invented by politician lawyers. Do you know whether Stripe is planning to one day do the same with the EU VAT mess? Right now I can't use Stripe's autogenerated receipts, and I can't use Stripe Checkout, merely because both lack a VAT number field.

tarstarr|6 years ago

It's funny you should mention...

We're actually launching something next week. Stay tuned!