Reply to post:

Hey, friends. We know it's a crazy time for the economy, but don't forget to enable 2FA for payments by Saturday

Anonymous Coward

a) The way these work, you'd need to hack the merchant to make an existing authenticated recurring payment relevant for you somehow. This is typically used by marketplace-type transactions, e.g. Amazon, where you agree to pay 100 quid, but there are actually 5 different payments in there to different marketplace merchants. Only the first part is authenticated, but the authentication token can only be used for 100 quid worth of payments.

Sometimes used for stuff like "pay 1/3 now, 1/3 in a month, 1/3 in two months" type store credit deals, or yearly subscriptions (although the authentication is only supposed to be stored for 90 days max, so yearly might be pushing it).

b) Every 5th payment with a low value exemption (or any exemption, there are a few, like the merchant says it's a low risk product) is rejected and has to be authenticated anyway, so you might get lucky. It also requires the merchant to have a low value exemption agreement with their acquiring bank, which requires them to have a solid record of not having fraudulent activity and usually a high transaction volume.

c) Merchant initiated transactions are only accepted if they can be linked back to a customer initiated transaction that was authenticated.

Spent the last year implementing this stuff for a payment provider. It's been a nightmare, to be honest.

Should have been ready January 1st 2019, but no one was ready: no banks, card issuers, merchants or gateways, no one. So the deadline was extended to June, with an agreement not to fine anyone until March 2020. Pretty much everyone we work with is now ready for the 2FA-on-every-transaction part, but the exemptions are mostly not ready anywhere except France, which basically has a nationally standard banking protocol that everyone uses, so it was implemented centrally and rolled out last November. UK banks were hoping Brexit would relieve them of the requirements, but the big card companies made it part of the spec, so they had to do it anyway... If your implementation of the protocol is more than 1 version behind the latest, other banks are allowed to just reject your transactions...
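The three rules the commenter describes (a stored authentication that only covers the originally agreed amount and expires after 90 days, a counter that forces a fresh challenge on every 5th exempted payment, and merchant-initiated payments that must chain back to an authenticated customer-initiated one) can be modelled as a single gateway-side decision function. The code below is an added illustration, not the commenter's or any payment provider's code; the 5-payment run limit, the 90-day token lifetime and the amount cap are taken from the comment and treated as exact here, which is an assumption, and the card state, token ids and amounts are constructed sample data.

```python
"""Toy model of the SCA decision a payment gateway makes per charge.

Constructed example. Assumptions: a stored authentication covers exactly the
amount originally agreed, lives 90 days, and every 5th exempted payment in a
row must be authenticated again. Amounts are in pence.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

TOKEN_MAX_AGE = timedelta(days=90)  # "stored for 90 days max" (assumed exact)
EXEMPTION_RUN_LIMIT = 5             # "every 5th payment ... authenticated anyway" (assumed exact)


@dataclass
class AuthToken:
    """Record of one customer-initiated transaction that passed 2FA."""
    token_id: str
    authenticated_on: date
    cap_pence: int        # total value this authentication may cover
    spent_pence: int = 0  # value already drawn against it


@dataclass
class CardState:
    """Per-card state the gateway keeps between charges (constructed)."""
    exempted_in_row: int = 0
    tokens: dict = field(default_factory=dict)


def register_authenticated(card: CardState, token_id: str, today: date, cap_pence: int) -> None:
    """Store the result of a successful customer-initiated SCA challenge."""
    card.tokens[token_id] = AuthToken(token_id, today, cap_pence)


def charge(card: CardState, amount_pence: int, today: date, *,
           exemption: Optional[str] = None,
           merchant_initiated_ref: Optional[str] = None) -> str:
    """Return 'approve', 'decline', or 'authenticate' (fresh 2FA needed)."""
    # c) merchant-initiated: must link back to an authenticated customer-initiated txn
    if merchant_initiated_ref is not None:
        tok = card.tokens.get(merchant_initiated_ref)
        if tok is None:
            return "decline"  # no authenticated parent transaction on record
        if today - tok.authenticated_on > TOKEN_MAX_AGE:
            return "decline"  # stored authentication has expired
        # a) the token only covers the amount the customer originally agreed to
        if tok.spent_pence + amount_pence > tok.cap_pence:
            return "decline"
        tok.spent_pence += amount_pence
        return "approve"

    # b) exemptions: the issuer forces SCA on every Nth exempted payment in a row
    if exemption is not None:
        if card.exempted_in_row + 1 >= EXEMPTION_RUN_LIMIT:
            card.exempted_in_row = 0
            return "authenticate"
        card.exempted_in_row += 1
        return "approve"

    # default under SCA: a customer-initiated payment with no exemption is challenged
    card.exempted_in_row = 0
    return "authenticate"


def demo() -> list:
    """Walk one constructed card through each rule and return the decisions."""
    card = CardState()
    d0 = date(2020, 3, 1)
    register_authenticated(card, "order-100", d0, cap_pence=10_000)  # customer agreed to 100 quid
    out = []
    out.append(charge(card, 6_000, d0, merchant_initiated_ref="order-100"))   # within cap
    out.append(charge(card, 5_000, d0, merchant_initiated_ref="order-100"))   # would exceed 100 quid
    out.append(charge(card, 4_000, d0 + timedelta(days=91),
                      merchant_initiated_ref="order-100"))                   # token expired
    out.append(charge(card, 1_000, d0, merchant_initiated_ref="no-such-cit"))  # no authenticated parent
    for _ in range(4):
        out.append(charge(card, 500, d0, exemption="low_value"))             # 4 exempted in a row
    out.append(charge(card, 500, d0, exemption="low_value"))                 # 5th: challenge anyway
    out.append(charge(card, 5_000, d0))                                      # plain CIT: challenge
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The merchant-initiated branch is where the "you'd need to hack the merchant" observation lives: an attacker holding only a card number has no token id to reference, and a compromised merchant still cannot draw more than the originally authenticated cap or reuse a token past its 90 days.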
