What is happening with SCA?

October 15, 2019

What is happening with SCA?

What is happening with SCA?

51% of online sellers in the EU would have missed the 14 September 2019 SCA deadline

Blogs were written; letters were sent; emails were read. There were preparations to be made and deadlines to meet.

Now? The SCA go live date has passed by.

And you may be scratching your head as to why there wasn’t some kind of major disruption.

The short answer is that enforcement of SCA hasn’t yet begun. The long answer, including all you need to know about the who, what and when of SCA enforcement, is contained within this blog…

First, a little background…

SCA was drafted by the European Banking Authority (EBA). This body supports and advises the National Competent Authorities (NCAs) throughout each European Economic Area (EEA) – and the NCAs will be the organisations that enforce SCA.

Ultimately your card issuer will be the one that would (and should) refuse non-compliant transactions as soon as SCA enforcement kicks off; and for UK businesses, the Financial Conduct Authority will hold authority over UK issuers.

41% of EU banks missed the original PSD2 deadline

Counting down (again)…

In June of this year, along came some important clarification on SCA. In turn, NCAs were told that, if certain criteria are met, they can choose to delay SCA enforcement if it means that consumers would avoid being negatively affected, and the industry as a whole could be given time to ready itself for SCA.

The NCAs have now created timelines and roadmaps that detail the what and when for reaching SCA compliance.

 

Over to the NCAs…

On 13thSeptember 2019, 26 of the EEA NCAs announced that the same transition period would apply to the UK, Ireland, France, Spain, Germany, Italy and The Netherlands. 21 did so in writing or via an official spokesperson, while two remain yet to dedicate themselves officially to this period – those being Latvia and Bulgaria.

The NCA for Sweden stands alone in not offering a transition period, however it has stated that there will be transition for e-commerce on a case-by-case basis.

The FCA were ahead of the game, as they were the only NCA to put together a timeline and roadmap before this time.

This will run over 18 months with set milestones throughout. Issuers are free to begin implementation prior to this plan, so expect early adoption where issuers can.

The first milestone is Q1 2002, at which point 30% of transactions should be compliant.

Recap – Three things to understand

  1. SCA enforcement has been delayed – but full enforcement will take place after the transition period.
  2. As NCAs are free to define their own timelines, SCA implementation will happen at different times, with some countries facing enforcement earlier than others.
  3. With the extra time, you should test and tweak (if needs be) your payment flow – ensuring that you have an SCA solution in place that suits your business.

In-person transactions

  • Chip and PIN – already compliant with two factor authentication: eg card and PIN.
  • Mobile transactions – already compliant with two factor authentication. eg phone and fingerprint.
  • Contactless transactions – exempt unless over a certain limit, in which case the cardholder will need to provide extra security.

e-Commerce

  • The Global Payments 3D Secure Solution – this authentication uses both 3DS2 and 3DS1.
  • Mail order/telephone order (MOTO) transactions – you should check that your online terminal features the correct flagging to ensure they are exempt from SCA.
  • Recurring or subscription payments – you should check that these remain exempt from SCA and using Credential on File flagging for merchant initiated transactions.