Payments sector divided over SCA deadline

The European payments industry is at odds over whether the December launch of secure customer authentication (SCA) should be maintained.

“Pushing back the deadline for the migration to SCA standards makes sense during these exceptional circumstances. The financial impact of coronavirus on many organisations will likely mean that many will have reduced workforce and reduced budget to invest; delaying the deadline for migration to SCA will allow for a period of financial and resource recovery,” said Amanda Mickleburgh, director of fraud management, ACI Worldwide in an email.

“To avoid a ‘clunky’ roll out of SCA it is important that all members of the payment value chain are ready. The current pandemic clearly inhibits this and will place delays on businesses being able to complete deployment,” she said.

On April 24, the European Payments Institutions Federation (Epif) signed a joint industry letter to the European Banking Authority (EBA) and the European Commission (EC) requesting a delay on SCA of at least six months due to the pandemic. Cosignatories included Ecommerce Europe, Visa and Mastercard.

According to an EBA spokesperson, the authority is not envisaging any additional measures regarding SCA. Daniel Ferrie, EC spokesperson for banking and financial services, said via email that the commission will respond to the letter in due course.

But in the UK, the Financial Conduct Authority (FCA) announced on April 30 that it would delay the deadline for SCA implementation from March 2021 to September 2021. According to Chris Stephens, head of banking solutions at authentication provider Callsign, different global roadmaps create an “added layer of complexity” in the payments space.

“Despite the deadline for SCA being pushed, it’s unlikely that businesses will be ready in time. Cards in particular present a greater challenge for banks when it comes to SCA compliance due to the complexity of the payment ecosystem, not just working across different card providers but also multiple technology vendors,” he said via email.

Other commentators do not see jurisdictional differences as an added complication.

“EU and UK regulators have been preparing for the possibility of mistimed and mismatched implementation since the beginning of the process of the UK leaving the EU. No doubt, additional delays on either side have been accounted for when planning,” said Krishna Subramanyan, CEO, payments consultancy Bruc Bond in an email.

But the delay of SCA is not universally supported. Many market participants believe a further delay will do more harm than good.

“Any additional delay to the SCA implementation deadline spells additional trouble down the road. Any delay will only increase the problem of identification in the future … What’s more, the longer we draw out the implementation period, the more uncertainty we have regarding the final form of the regulation,” said Subramanyan.

Several payment service providers (PSPs) agree, as coronavirus brings e-commerce security to the fore.

“In my view, coronavirus makes SCA a bigger priority, not less of one,” said Alex Reddish, chief commercial officer, Tribe Payment via email.

“A month ago, the National Fraud Intelligence Bureau revealed that it had uncovered 500 coronavirus-related scams and over 2,000 phishing attempts by criminals seeking to exploit fears over the pandemic. This number will have increased dramatically in the last four weeks.”

Reddish points out that the deadline has already been moved once – from September 2019 to December 2020 – and that merchants and payment firms have been preparing for the deadline for a long time. Part of this process has been an adoption of 3D Secure 2 (3DS2) by merchants, a way to authenticate online payments.

Europe’s Second Payment Services Directive (PSD2), the directive behind SCA, was a reaction to a growth in fraud according to Henning Brandt, head of communication at Computop, a PSP. According to Brandt, SCA needs to be prioritised now more than ever.

“We, like other PSPs, are already working with merchants to encourage them to upgrade to 3DS2 in card payments, change their processes and implement the necessary measures. Frankly, another delay would cause a set-back in our activities, and theirs, to become more secure. All that a delay will do is give banks and issuers more time and send a signal to merchants that they don’t need to prioritise SCA.”

Related reading

People’s Bank of China deputy governor: Digital, not crypto currency