September 14 2019, the official date for when Strong Customer Authentication (SCA) requirements were to be brought into force, has now passed, without causing the kind of disruption that was initially expected.
You may be left wondering why there was so much coverage, why your business had to invest time and effort in getting ready, and why you received communications from your payments providers and your own bank about SCA.
So what’s next and when will SCA actually be enforced?
Who makes the decisions & who do they influence?
The European Banking Authority (EBA) is the entity that helped draft the Regulatory Technical Standard for Strong Customer Authentication that the industry has been working to. It also advises and provides instructions to the National Competent Authorities (NCAs) in each of the European Economic Area (EEA) countries on how this regulation must be enforced.
Each of these NCAs is then responsible for enforcing the regulation on the PSPs (i.e. the Acquirers and Issuers) under their jurisdiction.
Card Issuers are the ones who will ultimately be responsible for declining transactions that are not compliant, once enforcement begins. As such, each NCA’s position will only influence the behaviour of the Issuers in that country. For example, the NCA for the UK, the Financial Conduct Authority (FCA), only has influence over the behaviour of UK Issuers, and Issuers outside of the UK are unaffected by the FCA’s decisions.
In June of this year, the EBA announced some large clarifications on SCA and advised that NCAs can, under strict criteria, delay the enforcement of SCA to ensure industry readiness and avoid unnecessary negative impact on consumers. This has freed up the NCAs to outline timelines and roadmaps for a transition period to reach full SCA compliance.
What position are the NCAs taking?
By September 13 2019, 26 of the EEA NCAs had indicated they were in favour of a transition period, including the UK, Ireland, France, Spain, Germany, Italy and The Netherlands.
A total of 21 of these NCAs had confirmed this in writing or through a spokesperson, including all of the above mentioned countries. Only 2 NCAs had not expressed a position - Latvia and Bulgaria.
The only NCA that expressed a somewhat negative position was Sweden, which will not provide a general transition but, for e-commerce, will grant a transition on a case-by-case basis subject to individual notification.
The FCA was the only NCA that outlined a roadmap and timeline prior to September 14. It decided upon an 18-month plan with key milestones along the way for the industry to hit. However, issuers will start to implement over this period of time, so early adoption where possible should still happen. The first milestone is in Q1 2020, targeting a rate of 30% of transactions to be compliant.
The EBA has recently met with all of the NCAs to discuss a unified approach and is due to publish guidance on the duration of a transition period across Europe in the coming weeks. The EBA may consider taking a different view than that proposed by some of the NCAs to date. Once published, this should clarify the future impact across Europe.
Three key facts to know
- There has only been a delay to the enforcement of SCA - it has been written into law and will be enforced fully once the transition period has passed.
- Implementation timelines may vary across countries depending on how their NCA has interpreted the delay. NCAs may also have their own different milestones during the transition period and this could result in some degree of enforcement earlier on.
- The extra time that has been granted provides you with a great opportunity to test and fine-tune your payment flow and ensure you have the right SCA solutions for your business.
So what are the next steps and what do you need to do?
While the SCA deadline of September 14 is not being enforced, the long-term implications of SCA have not gone away. Instead, these changes present an opportunity for merchants to implement the right solutions to make their business SCA ready when the regulation is enforced.
Firstly, businesses need to understand how they currently take payments, as this will help them to identify all the scenarios that need to be solved for when it comes to SCA. The Global Payments Help Centre provides you with best practice guides for how to make sure all your transactions are compliant, covering online, mobile and in-store transactions.
The next step is to ensure you have the best solutions to help you with becoming SCA compliant.
Face to Face Transactions
- Chip and PIN transactions already comply with the SCA requirement for two-factor authentication, i.e. your customer is in possession of their card and knows their PIN.
- Transactions made using a mobile device, like a mobile phone, also comply with SCA, as the customer is in possession of their phone and uses a fingerprint to uniquely identify themselves.
- Contactless transactions don’t fulfil the requirement for two-factor authentication but are exempt from the SCA requirement. However, there are limits to the use of this exemption and additional security requirements may be requested by the card issuer. A new decline code is being introduced that will ask the cardholder to complete a Chip and PIN transaction where that extra security is required.
- The Global Payments 3D Secure Solution provides you with all the tools you need to perform authentication using both 3DS 2 and 3DS 1. You can dynamically switch to the most appropriate solution depending on Issuer support.
- For mail order/telephone order (MOTO) transactions, you’ll need to ensure your Online Terminal supports the correct flagging to make sure these transactions remain out of scope of SCA.
- If you process recurring or subscription payments, you’ll need to ensure these remain out of scope and use Credential on File flagging for merchant-initiated transactions.
Global Payments has a range of solutions that can prepare you for these new regulations and ensure your business succeeds.
Conor Tweed, Product Manager at Global Payments
Conor is a Product Manager on the Digital Product Solutions team at Global Payments Inc. and is responsible for the customer authentication and fraud management product suite. His current role includes driving the Strong Customer Authentication strategy for Global Payments e-Commerce.
Before joining Global Payments in 2015, Conor completed his B.Sc. (Hons) in Computer Applications, Software Engineering at Dublin City University.
He has a keen interest in all things product and technology and is an avid supporter of West Ham United in his spare time.