Strong Customer Authentication Across Europe: When Merchants Need to be Ready30th November 2020
National competent authorities across Europe have been given jurisdiction over the implementation of Strong Customer Authentication in their territories – here’s when merchants will need to be ready.
The deadline for enforcement of SCA is looming for most European merchants. Despite its good intentions, we estimate that the legislation’s current enforcement timeline places €85 billion of annual sales at risk across Europe. As merchants and their issuing banks scramble to prepare amidst global crisis, some national authorities have intervened to give their retailers – especially those online – the time to prepare.
What is SCA?
The second Payment Services Directive, or PSD2, came into effect on 13th January 2018 in Europe. The legislation included a provision intended to improve the security of transactions known as Strong Customer Authentication. To be SCA compliant, issuers must reject any transaction that fails to satisfy two of the three elements of knowledge, inherence, and possession. In the face-to-face environment, this requirement can be met through chip-and-pin card transactions, while there is an exemption covering contactless transactions. However, ecommerce transactions will need to pass through 3D Secure, an authentication protocol developed by a consortium of the largest global card networks known as EMVCo. Its second iteration, 3DS Version 2, is expected to be superior to its earlier counterpart in allowing for risk-based authentication, a more sophisticated system that improves user experience for low-risk transactions. However, not only are many European issuers not ready for use of 3DS2, but the protocol is also estimated to add between 60 seconds and two minutes to checkout time – a delay likely to be blamed on merchants by frustrated customers online.
When does it come into force?
The European Banking Authority’s initial deadline for SCA compliance was September 14th 2019. However, due to this lack of industry readiness, it was extended until 31st December 2020. Even with the economic shock of the covid-19 pandemic, the European Commission has confirmed that merchants will be granted no further time to prepare. CMSPI’s report on the impact of SCA suggests that this deadline places €85bn (Estimated based on 2019 transaction volumes) worth of online sales at risk across Europe. This huge cost comes from the increased likelihood of failed transactions, technical errors, and cancellations arising as a direct result of the mandate.
What can be done?
Despite their announced deadlines, the EBA is not the only body to which merchants can appeal; the legislation gives national authorities discretion over implementation dates, meaning that some countries have chosen to extend the deadline further or are inviting merchants to apply for their own exemptions.
The table below gives updated implementation deadlines for European economies.
|Austria||Gradual enforcement, with full SCA for transactions over €250 since 15th January 2021|
|Belgium||No current enforcement.|
|Bulgaria||No current enforcement.|
|Croatia||No current enforcement.|
|Czech Republic||Gradual enforcement, with full SCA required on American Express transactions over €250 since 4th January 2021.|
|Denmark||Full enforcement on purchases subject to multi-factor authentication since 12th January 2021.|
|Estonia||No current enforcement.|
|Finland||Gradual enforcement, with full SCA required on American Express transactions over €250 since 4th January 2021.|
|France||Gradual enforcement, with full SCA required on transactions over €1000 since 14th January 2020.|
|Germany||Gradual enforcement, with full SCA for transactions over €250 since 15th January 2021. Enforcement will begin for transactions over €150 from 15th February 2021, and for all transactions from 15th March 2021.|
|Greece||No current enforcement.|
|Hungary||Gradual enforcement, with full SCA required on American Express transactions over €250 since 4th January 2021.|
|Iceland||No current enforcement.|
|Ireland||No current enforcement.|
|Italy||Gradual enforcement. Full SCA required on transactions over €1000 since 1st January 2021. Enforcement on transactions above €500 from 1st February 2021, lowered to €100 from 1st March 2021, and to €0 from 1st April 2021.|
|Latvia||No current enforcement.|
|Liechtenstein||No current enforcement.|
|Lithuania||No current enforcement.|
|Luxembourg||No current enforcement.|
|Malta||No current enforcement.|
|Netherlands||Gradual enforcement, with full SCA required for transactions over €250 since 6th January 2021.|
|Portugal||No current enforcement.|
|Republic of Cyprus||No current enforcement.|
|Romania||No current enforcement.|
|Slovakia||No current enforcement.|
|Slovenia||No current enforcement.|
|Spain||Gradual enforcement, with full SCA for transactions over €250 since 14th January 2021.|
|Sweden||Gradual enforcement, with full SCA for transactions over €250 since 14h January 2021.|
|United Kingdom||No current enforcement. Deadline extended to 14th September 2021, with staggered deadlines from February 2021.|
Any extension to the implementation deadline gives issuers and merchants alike time to optimize their payments arrangements for SCA. For example, in Spain, the region with lowest issuer readiness at just 7%, we estimate that delaying the deadline to January 2022 would reduce the sales at risk by €12.26 bn. There is indeed room for movement on this; merchants’ campaigning efforts have meant that countries such as the United Kingdom have extended their deadline as far as 14th September 2021 in response to the demands of the covid-19 crisis.
What can merchants do in the absence of a delay?
Even without these extensions, however, there are actions that merchants can take to minimize the negative impact of SCA on their sales. Beyond detailed analysis of their own approvals data, merchants will need to engage with their suppliers and issuing banks to ensure an industry-leading response to SCA. This is partly because the legislation comes with a number of potential exemptions designed to improve consumer experience for low-risk transactions. By employing sophisticated exemption strategies, CMSPI’s projects to optimize SCA solutions for many large European merchants have achieved a 10% average reduction in failure rates. Such holistic strategies need to balance the risk of fraud and its associated liability whilst maximizing approvals and exemptions.
In the absence of an extension, most European merchants have no time to waste before doing the same.
Blog updated: 21/01/2021