Strong Customer Authentication – Where are we now?

The final part of the EU’s new payment directive, PSD2, which has not yet entered fully into force, is the so-called Regulatory Technical Standards (RTS) comprising the security element Strong Customer Authentication (SCA). 14 September 2019 was set as a deadline, but it did not hold water. In this article, we present the status of the SCA process and the current situation.

The fraud levels in digital payments have increased over the years in Europe as well as the rest of the world. As the European Commission agrees with the payment industry that combating fraud is critical to the further development of digitisation, SCA became a key part of EU’s Revised Payment Services Directive, PSD2.

PSD2 came into force the 1st of January 2018, but the RTS on SCA were delayed, and it was decided that the standards should be fully implemented no later than the 14th of September 2019. Consequently, from that date, no digital transaction in Europe – with certain exceptions – should ever take place without the use of SCA. However, as the September deadline came closer, more and more European countries realised that a vast number of their national ecommerce companies and banks were unable to comply with this already once postponed enforcement date.

It was estimated that, on average, European online shops would lose around 20% in revenue if they were unable to comply timely, and on the 21st of June 2019 the European Banking Authority (EBA), which is responsible for the RTS, announced a decision that allowed the National Competent Authorities (NCAs) around Europe to postpone the deadline with up to 18 months, should they need to.

So, the situation now is that the NCAs have announced the delay of the SCA deadline to their respective countries’ relevant national players, i.e. banks and PSPs, without specifying any date for the end of this transition period. However, to avoid a situation where the extension of the deadline could lead some of the parties to take no action until the new deadline comes dangerously close, EBA – via the NCAs – has demanded concrete SCA implementation plans from the parties to be completed by the 31st of December 2020 the latest. In other words, EBA has ensured that they will not face the same situation again as the next deadline approaches.

SCA applies to both payments and data access

PSD2 RTS applies to all kinds of digital payment transactions, except for MOTO transactions, electronic payments initiated by the payee, electronic payments at an unattended payment terminal to pay a transport or parking fare, and one leg out transactions. SCA must be applied unless the transaction can be categorised as SCA exemption e.g. low value transaction, Transaction Risk Analysis, recurring payment, trusted beneficiaries, and secure corporate payment.

In addition to payment transactions, SCA will apply in cases where a third-party provider (TPP), with the account holder’s approval, wishes to access account information in the account-holding bank, but without a payment transaction.

What merchants need to do

Assuming that the national regulators follow the EBA recommendation to complete the transition period before the 1st of January 2021, and considering that the payment ecosystem must be ready for the winter period that starts early November, online retailers need to be prepared for SCA and 3DS before summertime 2020.

As a first step, merchants should contact their PSP to confirm that they support at least 3DS 1.0 for SCA and that they will be compliant with the new regime. If a PSP cannot support SCA, an issuer bank may decline to authorise a merchant’s non-authenticated transactions. Although 3DS 1.0 is compliant with SCA for now, a PSP should also have in place a roadmap for migrating merchants to 3DS 2.x during the first semester of 2020.

Merchants also need to discuss the exemption rules with their PSPs and acquirers and agree which exemptions to request in order to achieve frictionless flow and high approval rate. The management of exemptions will be essential to reshaping the online payment experience, increasing the confidence of cardholders, and providing the right merchant’s conversion rates.

The new regulation could also have an impact on merchants outside of the European Economic Area (EEA) targeting consumers in Europe, if some issuer banks will apply the rules independent of the merchant’s location. Therefore, those merchants should proactively track their conversion rate and be prepared to introduce SCA for those markets.

A fresh look at payments

For their part, merchants need to review their payment processes and flows in order to take advantage of these changes and improve the experience of their customers. They may have to implement a 3DS Server to benefit from 3DS 2.x. If a bank requires strong authentication for a transaction, a merchant must be ready to support SCA as seamlessly as possible, minimising any inconvenience to online shoppers. Indeed, 3DS 2.x brings a lot of advantages in comparison to the previous version: a seamless user interface on all devices (especially on mobile devices), an enhanced authentication with the use of biometrics, and – with the support of exemptions – a frictionless checkout. Merchants may also want to take the opportunity to positively engage with their own end-users about any changes they will see when making online payments in the future. All players in the payments ecosystem, from banks to PSPs or merchants, will need to ensure that the ecommerce marketplace adapts to the new rules with the minimum of disruption. Worldline was one of the first payment providers in Europe to process 3DS 2.0 transactions in a live environment. Thanks to the payment acceptance solution, Worldline is the clear-cut European partner of choice for merchants looking to maximise frictionless flow, manage exemptions, and optimise online user experience.

This editorial was first published in our Cross-Border Payments and Commerce Report 2019 – 2020, which provides a comprehensive overview the major trends driving growth in cross-border payments, cross-border commerce, and marketplaces.

About Khalil Kammoun

Khalil Kammoun is Head Portfolio and Product Management at Worldline. Previously working in multiple management positions, Khalil is now focusing on omnichannel challenges for retailers. Within the global Omnichannel & Collecting business division, Khalil is responsible for all payment gateways and the omnichannel solution, as well as for supporting merchants in mastering their payment and digital challenges.

About Wordline

With more than 45 years of experience in the payments business, Worldline connects and secures transactions that form parts of our daily lives. Covering the entire payment value chain, our technology experts create and operate digital solutions to boost the business of companies across all sectors including banking, retail, transport, and government, through transformative technologies and in-depth knowledge. Best in class user experience is our mandate.