Will Enforcement of SCA in Europe be Pushed Back Again?
The UK’s Financial Conduct Authority (FCA) recently suggested that milestones related to ensuring Strong Consumer Authentication (SCA) compliance by March 31, 2021 may need to be postponed due to the COVID-19 pandemic. The European Banking Authority (EBA) has maintained their December 31, 2020 deadline but will continue to monitor the events and reassess.
Previously schedule to go into effect in September, 2019, SCA requirements for card-based eCommerce transactions were delayed until the end of 2020 in the European Economic Area and to the end of Q1 2021 in the UK. While it was clear PSPs and issuers wouldn’t meet the initial deadlines, more recent uncertainties and the reordering of priorities during the COVID-19 pandemic places even more stress on the organizations striving to complete this transition.
SCA requirements mandate the use of two-factor authentication for eCommerce while 3-DS 2.0 programs, also known as EMV 3DS, satisfy these requirements for payment card transactions. Upgrading to 3-DS 2.0 means supporting up to 150 data fields that allow issuers to make more authentication decisions without requiring an authentication step from the cardholder, known as passive or frictionless authentication. When an authentication step is required this can no longer be a static password, rather a mobile OTP or biometric reading. Issuers, acquirers and PSPs have made efforts to meet these requirements while many merchants may need to implement new payment risk vendors. As more employees work from home and merchants across many impacted industries struggle to stay afloat, priorities have changed. It may be that many organizations fail to meet the deadlines if not postponed.
For more information: