When is a deadline not a deadline? When it relates to strong customer authentication (SCA) for online payments under PSD2.
While 14 September 2019 has for some time been set as the implementation date for SCA, it is now clear that the deadline is not immovable. In the latest twist in the SCA story, a string of regulators across Europe have announced extensions of this timeframe, leading to an increasingly varied position across the member states and the potential for confusion among merchants and consumers. SCA is a part of the EU’s plans under the Second Payment Services Directive (PSD2) to make European payments more robust and secure.
These announcements come after increasing demands from industry for a delay, with many concerned about the range of businesses who would not be ready in time for the September 2019 time limit.
Many payment services providers (PSPs) and merchants were going to struggle to achieve the SCA requirements, with the potential for confusion and uncertainty for users and businesses alike. In June, the European Banking Authority acknowledged that, on an exceptional basis, an extension could be granted by national regulators for online payments (although the September timeline would remain in place for SCA for online access to bank accounts).
Now that we are seeing regulators in France, Germany, Ireland, Italy, the Netherlands, Poland and the UK offering or moving towards extensions of the deadline for e-commerce payments, the industry's attention will move to see how many other national regulators will follow this tide. Some extensions, such as in the UK, will apply to all PSPs, while in other territories each PSP may need to obtain an individual extension, which may vary from one PSP to another. The result could be greater challenges for PSPs and merchants, as they grapple with a new set of variations in the regulatory environment across Europe, and possibly within member states.
In light of the extensions, card issuers face the choice of whether to push ahead with SCA (potentially even where it is not mandated), in order to deliver improved transaction security, or to hold back until it is mandated, on the grounds that cardholders may currently see SCA as adding to the payment friction.
Where SCA is applicable in principle, PSPs and merchants are looking at how to use the available exemptions to simplify the transition to the new regime and to reduce the need for significant changes for cardholders/customers.
For all involved in online payments, the challenge is to work out how to manage the differing requirements (which may vary among issuers and acquirers, even within one member state) and how to avoid increasing confusion among customers who may just want to find the card offering the simplest user experience. Since SCA was intended to provide a single harmonised framework for online payments across Europe, perhaps the best solution would be a new set of clarifications from the EBA, to resolve the current uncertainty.
The Fieldfisher Payments and Cards team has been supporting many clients in their SCA preparations and implementation plans across Europe.
Sign up to our email digest