Skip to content

    Subscription Payment Processing: What Merchants Should Know

    subscription payment processing
    Picture of Basis Theory ·
    Payments

    The subscription economy is having its moment in the sun, with many everyday services moving to a subscription model: meal kits, streaming services, book clubs, and more. The Zuora Subscription Economy Index conducted in 2022 found that subscription businesses grew 4.6x in the decade between 2012 and 2022, significantly outperforming the S&P. 

    While some of this growth can be attributed to 2020’s stay-at-home orders, subscriptions have become a mainstay in most homes long after those orders were lifted. In fact, the average household now has between 4 and 5 active subscriptions, a number that is broadly expected to increase in coming years.

    What is Subscription Payment Processing?

    Subscription payment processing includes the systems and methods that manage recurring payment processing for subscription-based businesses. From the consumer’s point of view, this looks like any normal payment processing that may occur, but the behind-the-scenes activities can be much different.

    This is dependent on the payment model used for subscriptions, which defines the infrastructure and business relationships necessary to protect, retain, and process regular payment succesfully.

    Types of Subscription Payment Models

    While some may assume subscription-based payments are all the same, the payment model significantly impacts how this works. There are a variety of subscription payment models that businesses can use, with the right choice depending on their products and services, their customers, and what is operationally most efficient. A few of these subscription models include:

    Fixed Subscription

    Fixed subscriptions are the most straightforward model, where subscribers pay a fixed amount at regular intervals to access a product or service. This could be monthly, quarterly, or annually. Examples include Netflix’s monthly subscription or a newspaper’s annual subscription.

    Pay-as-you-go (Usage-Based)

    Subscribers on a pay-as-you-go model only pay for what they use each billing period. This is commonly used for utilities: you only pay for the water and electricity you actually used in the previous period. Many digital storage services also follow this model, where you only pay for the resources or cloud space you use.

    Freemium

    In the freemium model, basic features of the product or service are free, while advanced features or services come at a cost. Many digital services and SaaS products like Spotify or Hubspot follow this freemium subscription model.

    Per-user Pricing

    Many B2B SaaS companies follow a per-user pricing model where subscribers pay per user seat instead of a fixed price. In some instances, it’s a set per-user cost, and in other cases, the price per user decreases as more seats are purchased.

    Tiered

    The tiered pricing model offers different levels of service at different price points. Each tier offers different features, allowing customers to choose the level that best suits their needs and budget. This pricing model frequently pairs with a Freemium pricing model.

    How Does Subscription Payment Processing Work?

    To the subscriber, subscription payment processing is relatively simple: they sign up, select their product and plan, and pay with a preferred method. However, the inner workings are more complicated than that.

    Broadly speaking, subscription payment processing works in the following steps:

    1. Customer signs up: they’ll fill out a form with the necessary details and payment information to start the subscription. They will likely also select their preferred payment plan (if applicable).
    2. Basic security checks: The merchant may run some basic security checks on the details it has received (e.g., ensures they have a valid card number or CVV code), then delivers those details to a PSP partner (some merchants may have only one, others may have agreements with a range of PSPs).
    3. Payment authorization: the collected payment details will be checked by the customer’s bank or card provider, resulting in the payment being either approved or denied. This approval or denial is relayed through to the payment processor and gateway. The merchant then receives this authorization with either the green light to complete the transaction, or the notification of a decline.
    4. Payment information is securely stored for later use: This collected sensitive payment information is usually tokenized (replaced with unique identifiers) and stored in a secure environment known as a cardholder data environment (CDE). This will be used to bill later on during the recurring billing cycle.
    5. Recurring billing: At the designated billing cycle (monthly, quarterly, annually, etc.), the payment processor will automatically attempt to process the card payment again by sending a request to the CDE for use in a card-on-file (COF) transaction.
    6. Payment declines: Should the transaction decline (due to insufficient funds or an expired card, etc.), the processor may retry the payment. If it fails again, the subscription may be suspended.

    Some subscription merchants may choose to work with a subscription management system that can automate this process. These tools can handle subscription changes and cancellations, as well as ongoing billing needs. Alternatively, some merchants work with a payment orchestrator to create decisioning for ongoing billing, updates, and plan changes. 

    PCI Compliance Implications

    Accepting debit or credit cards will inherently bring your business into scope with the Payment Card Industry Data Security Standard. Fortunately, many payment service providers (PSP), like Stripe and Adyen, provide tools and services that significantly reduce the effort to be PCI DSS compliant by storing the original cardholder data in their compliant infrastructure and issuing tokens for merchants to store and use to initiate future transactions. 

    While their platforms work great for small-to-medium-sized e-commerce solutions, using cardholder data for other purposes, like sending payments to other PSPs or partners, is impossible without taking back significant PCI scope. To have full control and future optionality in your payment stack, you’ll need to decouple cardholder data from your PSP, either by building and maintaining your own cardholder data environment or using a tokenization service provider.

    Secure Card Storage and Orchestration

    In recent years, tokenization has become a popular mechanism for subscription merchants to enjoy the flexibility of COF transactions without absorbing the PCI DSS costs, risks, and distractions required to store cardholder data. 

    Traditionally, the process works by swapping a sensitive data value, like a Primary Account Number (PAN), with an irreversible token or string. The token can then be stored and exchanged with another service, like a PSP, with instructions to initiate a payment. This keeps your systems out of scope while allowing you to use the token with your PSP to initiate transactions. Unfortunately, PSP tokens are unique to the PSP that generated them, so a token generated by PSP A can’t be used with Partner B or PSP C.  

    By providing customers with a secure and compliant cardholder data environment to store, process, and route payments, customers of these services get the same PCI scope as working with a PSP and control over their cards-on-file without the costs and distractions of building their own PCI-compliant environment. Basis Theory is one such solution. Contact us to learn more.

    Subscribe to the Blog

    Receive the latest updates straight to your inbox

    Build the Payments Stack fit for Your Business   Book a Meeting or Contact us to Learn More