SCA extension divides market

Calls for an extension to the revised Payments Services Directive (PSD2)’s strong customer authentication (SCA) deadline have met mixed receptions from the market. A number of participants suggest pushing SCA live on September 14 could cause a great deal of harm to the market, while others say those in the payments ecosystem should have been prepared long ago.

“The need for a Europe-wide consistent approach to deadline extension is an absolute must,” said Jackie Barwell, director for product management at ACI Worldwide, in an email. “Complying by the tight deadline of September 14 would have caused unwanted disruption for merchants, payment service providers (PSPs), acquirers, issuers and above all, consumers. It needs to be managed correctly, managed incorrectly it could potentially leave the doors open to fraudsters to exploit weaknesses.”

Simon Wilson, director of payments at Icon Solutions adds: “The actual legislation came into play in January last year, and PSD2 has been in the pipeline for a very long time. The ‘lots of our members aren’t ready, give us more time’ [argument] is a bit baffling to me. They’ve had a lot of time.”

The regulatory technical standards (RTS) for SCA were adopted by the European Parliament in March 2018. SCA aims to increase the security of electronic payments through the introduction of two-factor authentication (2FA) for all transactions over €30.

The European Association of Payment Service Providers (EPSM) has recommended an 18-month delay to the introduction of SCA. The organization, which counts 67 payments firms among its members, also suggested a 36-month delay for implementation in the travel and hospitality sectors.

The EPSM has also called on the EBA to change the rules of the RTS, and recognise that card data, one-time passwords and EMV 3D Secure are valid SCA methods for 2FA.

“There are still many transactions that if you take the very strict definition of EBA are not SCA compliant,” says Nicolas Adolph, chairman of the EPSM. “If it is compliant it’s often not in a very user-friendly way. A user-friendly solution, EMV 3DS2.2, will become available for deployment at the earliest only next year.

“Some issuers across Europe might be ready but for others there might be delays. The acquirers could not really test this for the whole European issuer market. The merchants have to be ready now. It’s a whole chain and if one element in the chain does not work then the whole process will not work.”

Migration plans

In June the European Banking Authority (EBA) published an opinion paper on SCA in response to what the regulator called “continued queries from the market actors”. The EBA introduced a discretionary extension to the September 14 deadline in reaction to what it called “concerns about the preparedness and compliance of some in the payments chain.” The extension will only be granted if an applicant shows that it has a migration plan in place.

“The flexibility offered by EBA in its opinion from June 21 is very good on the national level,” says Adolph, “but let’s say you are an acquirer for card payments across Europe and you have 28 different national migration plans for issuers, it’s impossible to set this up within two months of the deadline.”

For Barwell, leaving the decision to apply extensions to NCAs could be problematic. “This could mean one country applying, say, an 18-month extension, and another applying no extension at all.

“The number of questions posed to the EBA by the industry players and sectors since the introduction of PSD2 indicates the desire to ‘get this right’ first time, and with some opinion papers only having been issued as recently as June 21 it indicates just how much is yet to be fully understood so close to the original deadline. Education of consumers needs more thought and time to be sure we all continue to enjoy the ecommerce experience, even with the more stringent security measures.”

Icon’s Wilson believes that industry collaboration between regulators and the industry is not particularly effective. “I think, as an industry, including the regulator, we don’t seem to be able to do these things very well.

“If the European government really wants to challenge the duopoly of Visa and MasterCard, which they have openly said that they do, they need to make the whole process a lot better from a customer experience perspective.

“I’ve seen on a personal level communication from some of the financial institutions I work with about [SCA]. But I imagine very few people actually read that. It won’t be until they are hit by the experience of trying to pay that things will really sink in.”

Related reading