Strong Customer Authentication Across Europe: When Merchants Need to be Ready

30th November 2020
Callum Godwin

National competent authorities across Europe have been given jurisdiction over the implementation of Strong Customer Authentication in their territories – here’s when merchants will need to be ready.

The deadline for enforcement of SCA is looming for most European merchants. Despite its good intentions, we estimate that the legislation’s current enforcement timeline places €85 billion of annual sales at risk across Europe. As merchants and their issuing banks scramble to prepare amidst global crisis, some national authorities have intervened to give their retailers – especially those online – the time to prepare.

What is SCA?

The second Payment Services Directive, or PSD2, came into effect on 13th January 2018 in Europe. The legislation included a provision intended to improve the security of transactions known as Strong Customer Authentication. To be SCA compliant, issuers must reject any transaction that fails to satisfy two of the three elements of knowledge, inherence, and possession. In the face-to-face environment, this requirement can be met through chip-and-PIN card transactions, while there is an exemption covering contactless transactions. However, ecommerce transactions will need to pass through 3D Secure, an authentication protocol developed by a consortium of the largest global card networks known as EMVCo. Its second iteration, 3DS Version 2, is expected to be superior to its earlier counterpart in allowing for risk-based authentication, a more sophisticated system that improves user experience for low-risk transactions. However, not only are many European issuers not ready to use 3DS2, but the protocol is also estimated to add between 60 seconds and two minutes to checkout time – a delay likely to be blamed on merchants by frustrated customers online.

When does it come into force?

The European Banking Authority’s initial deadline for SCA compliance was September 14th 2019. However, due to this lack of industry readiness, it was extended until 31st December 2020. Even with the economic shock of the COVID-19 pandemic, the European Commission has confirmed that merchants will be granted no further time to prepare. CMSPI’s report on the impact of SCA suggests that this deadline places €85bn (estimated based on 2019 transaction volumes) worth of online sales at risk across Europe. This huge cost comes from the increased likelihood of failed transactions, technical errors, and cancellations arising as a direct result of the mandate.

What can be done?

Despite its announced deadlines, the EBA is not the only body to which merchants can appeal; the legislation gives national authorities discretion over implementation dates, meaning that some countries have chosen to extend the deadline further or are inviting merchants to apply for their own exemptions.

The table below gives updated implementation deadlines for European economies.

Country: Deadline Update

Austria: Gradual enforcement, with full SCA for transactions over €250 since 15th January 2021.
Belgium: No current enforcement.
Bulgaria: No current enforcement.
Croatia: No current enforcement.
Czech Republic: Gradual enforcement, with full SCA required on American Express transactions over €250 since 4th January 2021.
Denmark: Full enforcement on purchases subject to multi-factor authentication since 12th January 2021.
Estonia: No current enforcement.
Finland: Gradual enforcement, with full SCA required on American Express transactions over €250 since 4th January 2021.
France: Gradual enforcement, with full SCA required on transactions over €1000 since 14th January 2020.
Germany: Gradual enforcement, with full SCA for transactions over €250 since 15th January 2021. Enforcement will begin for transactions over €150 from 15th February 2021, and for all transactions from 15th March 2021.
Greece: No current enforcement.
Hungary: Gradual enforcement, with full SCA required on American Express transactions over €250 since 4th January 2021.
Iceland: No current enforcement.
Ireland: No current enforcement.
Italy: Gradual enforcement. Full SCA required on transactions over €1000 since 1st January 2021. Enforcement on transactions above €500 from 1st February 2021, lowered to €100 from 1st March 2021, and to €0 from 1st April 2021.
Latvia: No current enforcement.
Liechtenstein: No current enforcement.
Lithuania: No current enforcement.
Luxembourg: No current enforcement.
Malta: No current enforcement.
Netherlands: Gradual enforcement, with full SCA required for transactions over €250 since 6th January 2021.
Norway: Gradual enforcement, with full SCA required on American Express transactions over €250 since 4th January 2021.
Poland: Gradual enforcement, with full SCA required on American Express transactions over €250 since 4th January 2021.
Portugal: No current enforcement.
Republic of Cyprus: No current enforcement.
Romania: No current enforcement.
Slovakia: No current enforcement.
Slovenia: No current enforcement.
Spain: Gradual enforcement, with full SCA for transactions over €250 since 14th January 2021.
Sweden: Gradual enforcement, with full SCA for transactions over €250 since 14th January 2021.
United Kingdom: No current enforcement. Deadline extended to 14th September 2021, with staggered deadlines from February 2021.

Any extension to the implementation deadline gives issuers and merchants alike time to optimize their payments arrangements for SCA. For example, in Spain, the region with the lowest issuer readiness at just 7%, we estimate that delaying the deadline to January 2022 would reduce the sales at risk by €12.26 bn. There is indeed room for movement on this; merchants’ campaigning efforts have meant that countries such as the United Kingdom have extended their deadline as far as 14th September 2021 in response to the demands of the COVID-19 crisis.

What can merchants do in the absence of a delay?

Even without these extensions, however, there are actions that merchants can take to minimize the negative impact of SCA on their sales. Beyond detailed analysis of their own approvals data, merchants will need to engage with their suppliers and issuing banks to ensure an industry-leading response to SCA. This is partly because the legislation comes with a number of potential exemptions designed to improve consumer experience for low-risk transactions. By employing sophisticated exemption strategies, CMSPI’s projects to optimize SCA solutions for many large European merchants have achieved a 10% average reduction in failure rates. Such holistic strategies need to balance the risk of fraud and its associated liability whilst maximizing approvals and exemptions.

In the absence of an extension, most European merchants have no time to waste before doing the same.

Blog updated: 21/01/2021
