essay / payments
Grandfathering 3DS2: a 4-sprint regulatory scramble
When we discovered stored cards that could not process recurring payments after SCA went live, we had four sprints to fix it without breaking the customer experience.
In late 2018, the PSD2 mandate required all online payments on European-issued cards to go through 3DS2 to satisfy Strong Customer Authentication (SCA). At Expedia, we built the Payment Web Framework to bring all brands into compliance. The integration was a massive cross-brand effort.
Late in the project, we discovered an edge case. VRBO processed recurring payments for a subset of properties using stored cards. These cards had been saved under VRBO’s entity, which meant they could not be processed through Expedia Group’s payment stack for recurring transactions. The regulatory deadline was approaching and we had four sprints to fix this without disrupting payments to these properties.
Understanding the problem
I set up interviews with product owners on both the EG and VRBO sides to understand the full picture. Why was this not a problem for other brands? EG had implemented a CIT/MIT (Customer Initiated Transaction / Merchant Initiated Transaction) framework well before SCA, which meant stored cards already had the transaction IDs needed for compliant recurring charges. VRBO had not gone through that process.
The stored cards needed to be “grandfathered” into compliance: acquire a transaction ID that would allow future recurring payments without requiring the cardholder to re-authenticate.
The solution from the processors
After documenting the problem clearly, I reached out to VRBO’s three payment processors directly. Each confirmed they had a mechanism for this: run a zero-dollar authorization on the stored card to acquire a transaction ID, then reference that ID on each subsequent recurring charge so it is treated as a merchant-initiated transaction. The cardholder would never see or feel this process.
We built VPI APIs on top of the Payment Web Framework to orchestrate these zero-dollar authorizations, plus a batch job to run all affected stored cards through the new flow and persist the transaction IDs. For ongoing maintenance, we migrated cardholders to the EG entity as they logged in to update or add payment methods, a gradual and invisible transition.
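The batch flow described above, as an added illustration and not Expedia’s or VRBO’s code: a one-off job that runs a zero-dollar authorization for every stored card still missing a transaction reference, persists the reference, and reports the cards that declined, plus a recurring-charge path that refuses to run without that reference. The processor is a constructed stand-in with invented method and field names (`zero_dollar_auth`, `charge`, `network_txn_id`, `initiator`, `prior_txn_id`); a real acquirer exposes the same idea under its own API.

```python
"""Grandfathering stored cards with zero-dollar authorizations.

Added illustration only. The processor below is a constructed stand-in:
real acquirers expose the same mechanism (a $0 authorization that returns
a transaction reference, then merchant-initiated charges that cite it)
but under their own field names.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib


@dataclass
class StoredCard:
    token: str                            # vault token; the PAN never leaves the vault
    entity: str                           # merchant entity the card was saved under
    network_txn_id: Optional[str] = None  # reference needed for compliant MIT charges


@dataclass
class AuthResult:
    approved: bool
    network_txn_id: Optional[str] = None
    decline_reason: Optional[str] = None


class FakeProcessor:
    """Constructed stand-in for an acquirer. Declines any token listed in `declines`."""

    def __init__(self, declines=()):
        self.declines = set(declines)
        self.calls = []  # recorded for the reader; a real job would log token + outcome, never PAN

    def zero_dollar_auth(self, token: str) -> AuthResult:
        self.calls.append(("verify", token))
        if token in self.declines:
            return AuthResult(False, decline_reason="do_not_honor")
        # Deterministic pseudo reference so the example is reproducible.
        ref = hashlib.sha256(token.encode()).hexdigest()[:12]
        return AuthResult(True, network_txn_id=f"ntid_{ref}")

    def charge(self, token, amount_cents, *, initiator, reason, prior_txn_id):
        self.calls.append(("charge", token, amount_cents, initiator, reason, prior_txn_id))
        ref = hashlib.sha256(f"{token}:{len(self.calls)}".encode()).hexdigest()[:12]
        return AuthResult(True, network_txn_id=f"ntid_{ref}")


def grandfather_cards(cards, processor):
    """Run the one-off batch: acquire a transaction reference for every stored
    card that lacks one. Idempotent: cards that already carry a reference are
    skipped, so the job can be re-run after a partial failure without issuing
    duplicate authorizations. Returns (done_tokens, failed_tokens_with_reason)."""
    done, failed = [], []
    for card in cards:
        if card.network_txn_id:
            done.append(card.token)
            continue
        result = processor.zero_dollar_auth(card.token)
        if result.approved and result.network_txn_id:
            card.network_txn_id = result.network_txn_id  # persisted to the vault in a real job
            done.append(card.token)
        else:
            # A declined card cannot be silently grandfathered; it needs a
            # cardholder-present (CIT, SCA-challenged) transaction on next login.
            failed.append((card.token, result.decline_reason or "no_reference"))
    return done, failed


def charge_recurring(card, amount_cents, processor):
    """Merchant-initiated recurring charge. Refuses to run without a stored
    reference: without it the charge would look like a fresh CIT and fail SCA."""
    if not card.network_txn_id:
        raise ValueError(f"card {card.token} has no transaction reference; "
                         "cardholder re-authentication required")
    return processor.charge(card.token, amount_cents, initiator="merchant",
                            reason="recurring", prior_txn_id=card.network_txn_id)


if __name__ == "__main__":
    # Constructed sample: two cards never authorized under the new scheme, one already migrated.
    vault = [StoredCard("tok_a", "vrbo"), StoredCard("tok_b", "vrbo"),
             StoredCard("tok_c", "vrbo", network_txn_id="ntid_existing")]
    proc = FakeProcessor(declines={"tok_b"})
    ok, bad = grandfather_cards(vault, proc)
    print("grandfathered:", ok, "needs CIT:", bad)
    print("recurring charge:", charge_recurring(vault[0], 1999, proc))
```

The two properties worth keeping from this shape are the idempotency check (re-running the batch after a crash must not re-authorize cards that already have a reference) and the hard failure in `charge_recurring`, which turns a silent decline weeks later into an immediate, actionable error that routes the card back through a cardholder-present flow.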
The outcome
Delivered on time. No customer impact. Properties continued to be listed and paid without interruption. The approach worked because we started from the processor capabilities rather than trying to solve it purely at the application layer. Sometimes the answer to a platform problem is not more platform code, it is understanding what the external systems already support.