Skip to content

Strong customer authentication for e-commerce card payment transactions: an EU harmonised extension of 14 months to be compliant

Related people
Henri Wagner

Partner

Luxembourg

View profile →

Berger Thomas
Thomas Berger

Counsel

Luxembourg

View profile →

Schmidt Carole
Carole Schmidt

PSL-Counsel

Luxembourg

View profile →

Aubry Baptiste
Baptiste Aubry

Senior Associate

Luxembourg

View profile →

11 November 2019

Following its June opinion on the possibility for national competent authorities to work with payment service providers and relevant stakeholders and agree on limited additional time for compliance with the strong customer authentication requirements in respect of e-commerce card payment transactions, the European Banking Authority issued an additional opinion last month in which it set an harmonised deadline and transitioning process for SCA migration.

Introduction

In June of this year, the European Banking Authority (EBA) issued an opinion1 in which it acknowledged concerns about the preparedness and compliance of some actors in the payments chain to comply with the strong customer authentication (SCA) requirements by the 14 September 2019 deadline in respect of e-commerce card payment transactions2. On such basis and even if this legal deadline could not be postponed, it accepted that national competent authorities (NCAs) could work with payment service providers (PSPs) and relevant stakeholders, including consumers and merchants, and agree on limited additional time for compliance3.

In order to ensure harmonisation of administrative practice in that respect at EU level, the EBA issued an additional opinion (expected by NCAs and relevant stakeholders)4 last month (EBA-Op-2019-11, the Opinion)5.

Although the EBA’s Opinion is still primarily addressed to NCAs, it is useful also for PSPs, payment service users (PSUs) and payment schemes.

I. EU harmonised deadline for SCA migration

In the Opinion, the EBA acknowledges that all EU NCAs decided to rely on the flexibility offered in its previous Opinion and also the need, expressed by the various stakeholders, to have consistent and harmonised implementation of SCA for e-commerce card-based payment transactions throughout the EU. 

While a majority of stakeholders seemed to have a preference for an 18 months’ transition delay, the EBA considers that a transition extension of roughly 14 months is sufficient and has therefore set the final deadline for SCA migration to 31 December 2020. The EBA urges all NCAs to stick to this harmonised deadline in order to ensure a consistent approach toward the SCA migration throughout the EU.

The EBA, however, reiterates that this flexibility granted to the relevant stakeholders is not equivalent to a legal postponement in the application date of the SCA requirements set out in PSD II and the RTS: all PSPs not complying with these requirements as of 14 September 2019 are in breach of law. The above flexibility only means that NCAs will not take enforcement/sanction actions against PSPs, provided nonetheless the PSPs have taken all necessary actions in accordance with the transitioning process described below. NCAs are expected to communicate on this point with non-compliant PSPs.

II. Milestones in the SCA transitioning process

While the final deadline for SCA migration is set at 31 December 2020, the EBA expects NCAs to take at least certain actions by pre-defined dates to ensure the smooth and timely transition to SCA6. This implies that issuing and acquiring PSPs will have to provide certain information to their respective NCAs by 31 December 2019, 31 March 2020, 30 June 2020 and 30 September 2020. PSPs are also expected to take ongoing educational measures towards PSUs and e-merchants respectively. A quarterly reporting to NCAs in that regard is expected starting 14 December 2019.

The details of the transitioning process are set out in the below tables.

Table 1. Milestones and expected actions from NCAs towards issuing PSPs

Expected Actions Timeline
1. NCAs should require issuing PSPs to identify the authentication approaches that they are currently making available to their customers and separate them into two categories: those that fulfil the requirements of SCA under PSD2 and the RTS and are in line with clarifications provided by the EBA and those that are not. 31.12.2019
2. NCAs should obtain information from issuing PSPs on the authentication approaches (which should include new authentication approaches and those specified under row 1) and the SCA exemptions they intend offering to ensure compliance. NCAs should also request from issuing PSPs plans for the expedited migration, including PSUs’ enrolment into these authentication approaches. These plans should contain clear migration targets of the progress made for adoption of SCA-compliant authentication approaches and the SCA exemptions (eg on the stages of implementation, testing and rollout). The migration plans should be based on a risk-based approach taking into account the types of transactions and the fraud rates. 31.12.2019

3. NCAs should take stock of the overall readiness of issuers to meet the SCA requirements in terms of the:
a) number of payments transactions where SCA was requested divided by the total number of initiated transactions;
b) number of payment transactions where an SCA exemption was applied divided by the total number of initiated payment transactions;
c) number of out-of-scope of SCA payment transactions (such as payee initiated transactions) divided by the total number of initiated payment transactions divided by the total number of PSUs; and
d) number of PSUs enrolled to initiated SCA-compliant payment transactions dividend by the total number of PSUs.

31.03.2020
The above data should cover the period between 14 September 2019 and 13 March 2020.
4. NCAs should require issuing PSPs to report on the progress made from 14 March to 13 June 2020 and from 14 June 2020 to 13 September 2020 by providing updated information under item 3 above. This reporting should be such that it provides a reliable picture of the change in the types of transactions and the fraud rates, the progress of adoption of ADS2.X protocol where it is envisaged, and other metrics depending on the authentication approaches, for instance percentage of customer telephone numbers obtained to the total number of customers for SMS-OTP based approaches. 30.06.2020
and 
30.09.2020
respectively
5. NCAs should require issuing PSPs to inform PSUs about the SCA-compliant authentication approaches, the SCA exemptions and out-of-scope of SCA transactions they intend offering, and to establish educational campaigns as needed. Continuous
6. NCAs should require issuing PSPs to make available to their NCAs information about the communications with PSUs under item 5 above. Every 3 months starting 14.12.2019
7. NCAs should require issuing PSPs to have completed their migration plans. 31.12.2020
8.  EBA to develop a report on the status of SCA-compliance by the issuing PSPs based on consolidated information provided by NCAs. Q1 2021
 

Table 2. Milestones and expected actions by NCAs towards acquiring PSPs

Expected Actions Timeline
1. NCAs should require acquiring PSPs to identify the technologies through which hey allow issuing PSPs to request PSU authentication that they are currently making available to merchants and separate them into two categories: those technologies that support SCA-compliant authentication and the SCA exemptions and those that do not. 31.12.2019
 
2. NCAs should obtain information on the plans of acquiring PSPs for the expedited migration, including migration by e-merchants to technologies that support SCA, the SCA exemptions and/or the out-of-scope of SCA transactions. These plans should contain clear migration targets of the progress made towards:
a) adoption of technologies that support SCA, the SCA exemptions and the out-of-scope of SCA transactions, if applicable; and
b) the implementation of these technologies by merchants. The migration plans should be based on a risk-based approach taking into account the types of transactions and the fraud rates.
31.12.2019
 

3. NCAs should take stock of the overall readiness of acquiring PSPs to meet the SCA requirements, and should do so by requesting the following figures:
a) number of payment transactions where SCA was applied divided by the total number of acquired transactions;
b) number of payment transactions where an SCA exemption was applied divided by the total number of acquired payment transactions;
c) number of out-of-scope of SCA payment transactions applied (such as payee initiated transactions) divided by the total number of acquired payment transactions;
d) number of e-merchants that support SCA divided by the total number of e-merchants to whom acquiring PSPs provide services;
e) number of e-merchants that support the SCA exemptions divided by the total number of e-merchants to whom acquiring PSPs provide services; and
f) number of e-merchants that support the out-of-scope of SCA transactions divided by the total number of e-merchants to whom acquiring PSPs provide services. The above data should cover the period between 14 September 2019 and 13 March 2020.

31.03.2020
4. NCAs should require acquiring PSPs to report on the progress made from 14 March to 13 June 2020 and from 14 June to 13 September 2020 by providing updated information under item 3 above. This reporting should also reflect the change in the types of transactions and the fraud rates, the progress made by the different types of merchants and the progress of adoption of 3DS2.X protocol where it is envisaged. 20.06.2020
and
30.09.2020
respectively
5. NCAs should require acquiring PSPs to inform the e-merchants they work with about the necessary changes that need to be introduced to the existing technologies used to support SCA, the SCA exemptions and the out-of-scope of SCA transactions. Continuous
6. NCAs should require acquiring PSPs to provide information about the communications to e-merchants under item 5 above. Every 3 months starting 14.12.2019
7. NCAs should require issuing PSPs to have completed their migration plans. 21.12.2020
8. EBA to develop a report on the status of SCA-compliance by acquiring PSPs based on consolidated information provided by NCAs. Q1 2021
 
 

 

Should you wish to obtain assistance for your SCA transitioning process or know more about the position taken by the NCA in your jurisdiction in respect of this flexible approach, please contact the experts identified in the "Related people" section of this page.

 

Footnotes

  1. EBA-Op-2019-06, https://eba.europa.eu/documents/10180/2622242/EBA+Opinion+on+SCA+elements+under+PSD2+.pdf.

  2. Pursuant to Article 97 of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD II) and the Commission Delegated Regulation 2018/389/EU of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the RTS).

  3. Please refer to our previous e-Alert for more information: https://bit.ly/2Co1wpj

  4. For instance, the Luxembourg regulator of the financial sector, the CSSF, accepted to grant an extension to the relevant stakeholders for the implementation of SCA for e-commerce card payment transactions but did not set a national deadline. On the contrary, the CSSF stated that it would align with the harmonised compliance deadline expected at EU level. Please refer to our previous publication for more information: https://bit.ly/36N9HJB

  5. To access the full text please use the following link: https://bit.ly/2CqObww

  6. NCAs can, however, request more elements than the elements listed in the Opinion.