On September 14, 2019, the new requirements and enforcement of the Strong Customer Authentication (SCA) standards for online payments in the EU came into effect.
The European Banking Authority (EBA) met with National regulators (NCAs) and a transition period of 12 months for SCA compliance was generally agreed for online “card-not-present” transactions. During this transition period, it is expected that issuers will continue to approve transactions based on their own risk assessment. For your convenience, we’ve boiled down the individual statements released by the following 15 European countries:
Austria announced a temporary enforcement extension for Austrian cards. The enforcement should go into full effect by the end of 2019.
The Belgian regulator released a formal announcement setting out the Bank’s expectations regarding the regulatory technical standard for SCA of online payments. No set timeline has been published as of now.
Denmark released an official announcement of an 18 month extension period for SCA . The FSA emphasized that the implementation period will not change the fact that the rules on strong customer authentication will enter into force on 14 September 2019.
Finland announced a temporary enforcement extension for Finnish cards. The Financial Supervisory Authority will decide on the length of the transitional period this year after further consulting with the supervisors of other Member States.
The French are also working on a phased implementation plan, and have released an official document breaking down their current status and plans ahead.
Payment service providers based in Germany are allowed to make credit card payments on the Internet from September 14, 2019 initially without strong customer authentication. BaFin estimates that the card-issuing payment service providers in Germany are prepared for the new requirements, while companies that use credit card payments on the internet as payees might not be fully prepared yet.
Ireland released an announcement stating a migration period limited only to e-commerce transactions. Therefore no disruption to payment systems is anticipated.
The Italian regulators also released an announcement stating a transitional migration period, although its length of delay has not yet been officially confirmed.
The Luxembourg regulator announced a temporary enforcement extension for Luxembourg cards. The financial institutions that wish to make use of the extension period are required to inform the CSSF and back their request with a proper migration plan and timelines.
The DNB (De Nederlandsche Bank) has released the regulator’s intention to allow parties that were unable to prepare for SCA (for credit card transactions) a limited extension time – the amount of time hasn’t been stated.
The Norwegian regulator also announced a temporary enforcement extension for e-commerce and card payments. The payment service providers who need to extend their deadline are requested to contact the Financial Supervisory Authority.
The Polish regulator also announced an extension for Polish cards, contactless payments, and e-commerce. A proper migration plan will need to be submitted by the relevant parties in order to benefit.
Since the authentication of the majority of card payments made in online stores in Slovenia (and the wider EU) is currently protected only by a one-time password received via a text message, such method of authentication does not meet the requirements of SCA. To ensure compliance, the Bank of Slovenia allows an extension for Slovenian payment providers with a registered office in Slovenia beyond the deadline of 14 September.
The Swedish regulator also published an announcement that allows extension beyond 14 September for SCA. The extension applies for e-commerce transactions made with card payment. Submission of a detailed plan will have to be submitted and should include the company’s planned communication activities to inform e-merchants and payment service users about the new conditions.
On 13 August 2019, the UK regulator announced an 18 month phase-in period for SCA requirements on online card payments. As a result, we don’t expect banks to fully require SCA for online payments from UK cards until March 2021.
About Strong Customer Authentication (SCA) and its importance
In 2015, the first Payment Services Directive (PSD1) was first introduced to regulate payment services and providers throughout the European Union and European Economic Area.
The Second Payment Services Directive (PSD2) is an updated version of the first directive and focuses also on Strong Customer Authentication (SCA). SCA requires the implementation of a two-factor authentication for all electronic payments (specific exemptions apply). SCA should be comprised of at least two of the following three elements:
- Something the customer knows
- Something the customer has
- Something the customer is
SCA compliance is mandatory for merchants, but its deployment will also ensure a better payment experience for customers, reduced fraud risks and a much safer, and seamless, online shopping experience.
Moving from 3DS1 to EMV 3DS
Whereas 3DS 1.0 focused mainly on a simple challenge (e.g. the insertion of a code on a static webpage, an authentication sent via SMS, etc.), 3DS 2 facilitates rich data exchange between merchants, card-holders and issuers, more so than ever before to achieve more accurate authentication. Transactions can be verified by merchants using the customer’s issuing bank instead of a customer needing to remember a PIN or getting redirected to a new webpage. The result is a more frictionless payment experience, although in some cases a challenge may be required to verify user identity.
The benefits of 3DS compliance
Compliance with 3DS EMV has its benefits. These include:
- EMV 3DS compliance protects merchants & customers with robust security, with greater fraud prevention and 10x more data shared with Issuers for better risk analysis.
- Better customer experience: Frictionless customer identification has the potential to contribute to a shortened check-out process and to reduce cart abandonment.
- Increased authorization rates – authentication becomes a quick process that can take place on the same page.
- EMV 3DS allows to easily build authentication flows natively into Apps or websites.
- EMV 3DS helps to shift liability away from the merchant (the issuing bank assumes the risk).
What should you do about 3DS as a merchant?
Merchants should integrate a 3DS solution that supports both 3DS 1.0 and EMV 3DS whilst also keeping pace with PSD2 SCA compliance.
EMV 3DS and PayU
The deployment of EMV 3DS has major effect on all businesses selling products to the European market. By implementing the most cutting-edge technology, PayU are constantly making sure that our merchants stay fully compliant with the latest 3DS requirements.
If you have specific issues or inquiries, feel free to contact your local account manager.