
The Merchant View: Let's Please All Agree on SCA Enforcement Timelines

Since the European Banking Authority (EBA) published its Opinion in June on the strong customer authentication (SCA) requirements of the revised Payment Services Directive (PSD2), I've been thinking and talking about it with colleagues, peers and — especially — with merchants.

In particular, we've been discussing the opportunity given to national regulators to provide for a transition period, giving relevant stakeholders more time to get ready for SCA.

So What Happens Now?

In the months since the Opinion, national regulators have been making announcements about their transition periods. But the merchants (and others) that I've spoken to are worried that the result may be a number of substantially different national plans, which could result in an inconsistent customer experience in the EEA.

Put yourself in the shoes of a small UK eCommerce merchant with limited resources to understand and implement the changes that will support frictionless SCA. In a positive move for this merchant (and for the UK eCommerce and payment industries overall), the UK regulator has announced an 18-month transition period, judging that it's a reasonable amount of time for the UK industry to get ready. Let's assume that the merchant we're thinking of will only be ready towards the end of the 18-month period.

So what's the problem? Well, small as this UK merchant is, it still has important customers in other countries in Europe. If some of those countries are planning to transition to full SCA enforcement in, say, 12 months, then the merchant's customers from those countries are potentially in for six months of a poor customer experience (as the merchant may not be ready for their issuers' attempts to invoke SCA).

I think we can all agree that this kind of scenario would be a backwards step for eCommerce. Any effort to add security to the payments ecosystem must be delivered in a way that still allows merchants to sell and consumers to buy – quickly, and easily. If not, it could not only impact commerce and the economy, but might also drive consumers towards less safe methods in search of convenience.

It is not only small merchants who might be impacted by a variety of different SCA timelines. SCA readiness is complex enough for all of them, without having to worry about their SCA plans affecting customers from different countries in different ways. Multinational merchants could also find themselves in a situation where their acquirers in different countries are working towards different SCA deadlines, which again can only make their own SCA plans more complex.

Let's Get Together

So, on behalf of merchants everywhere and their European customers, I really hope the payment industry can come together to agree on a unified transition plan.

Ideally, we'd find agreement not just on overall timelines, but on the phases that get us there. The UK and French regulators, for example, have worked with industry stakeholders to agree broadly similar 18-month plans. If we look at the UK's managed rollout plan as an example, it has several phases defined, allowing for step-by-step progress to full SCA enforcement by issuers, with time for awareness-building among small merchants. It includes specific industry actions such as an EU-wide card scheme mandate by September 2020 to incentivise merchant adoption of 3-D Secure (3DS) 2.

This is the kind of plan we need to get behind as an industry across the EEA, if we want to continue to put a seamless experience for customers at the heart of decisions about SCA.

Advice for Merchants

Whatever happens, it's still imperative for merchants to continue working with their payment service providers and acquirers on an SCA strategy, and to become SCA-ready as soon as they can.

The surest way to avoid potential adverse impacts of SCA, such as poor user experience on mobiles or issuer declines, is to implement 3DS 2 as soon as possible. This should be done in line with acquirer and payment gateway readiness for 3DS 2, since it's not just merchants that need to make 3DS 2-related process and system changes, but acquirers and payment gateways too.

If you have any comments or questions about anything relating to PSD2, SCA or 3DS, do comment below.


Comments: (4)

Andrea Feinberg - RS Components - London 02 October, 2019, 12:10

As Payments Product Owner at a large retailer, this is indeed a real nightmare. Not only for the reasons mentioned in this article and each country following different deadlines, also because in the end it is each individual issuing bank that will decide on whether to automatically decline all non-authenticated transactions or not. Just to take the UK as an example (although we face this all over Europe!), within these 18 months, the FCA is suggesting a step up increase from March 2020, so this will most likely result in declines gradually rising from around March onwards. Merchants need to try and implement 3DS v2 asap but this is not easy when you operate globally and with legacy systems and integrations that do not support our vision. Not all PSPs are ready to support merchants which makes our tasks extremely difficult.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 02 October, 2019, 15:34

"Frictionless SCA" is an oxymoron. Sorry to put so much focus on a small portion of an otherwise great blog post but, IMO, all other challenges for the merchant pale into insignificance if merchants expect SCA to be frictionless.

In the case of other quasi-oxymorons like paperless office, branchless banking, cashless economy, decentralized Blockchain, and the like, over time it's possible to strive towards less paper office, fewer branch banking, and so on, but I'm not sure if the same is possible with SCA / 2FA because payments suffers from one unique security design challenge:

My PSP should let me access my money with ease. At the same time, it should block anyone else from accessing my money, no matter how hard they try. How will my PSP know who is trying to access the money in it? Obviously, it needs to do something to distinguish between me and a fraudster. It's in designing that something without causing too much friction that the payment security design challenge lies.

Many have attempted but none has succeeded in making online 2FA card payments frictionless. I concede that online A2A payments must support SCA and that SCA is reasonably frictionless in that case but the challenge there is, in markets having high credit card penetration, why would a common man forego credit card payment benefits like rewards, float, superior fraud protection, repudiation, and credit history and opt for a bank-account linked payment method.

It's not only me. Strong Customer Authentication - a Litmus Test for Europe 

Mari-Anne Bayliss - CyberSource, a Visa solution - Reading 04 October, 2019, 12:43

Thank you for your comment, Andrea Feinberg. I agree. SCA readiness is complex for all the parties.

Ketharaman Swaminathan, thank you for your thoughts. Additional step-up to authenticate a legitimate transaction can result in additional friction. However, it doesn't have to feel like friction to the end customer, if done well. For example, biometric authentication - using my thumbprint on my phone feels so natural that I wouldn't call it a friction. Using additional time wisely to get this right is extremely important for the industry.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 04 October, 2019, 18:09

@Mari-Anne Bayliss:

Totally agree but the operative term is "if done well".

Good you brought up biometric authentication. You probably have a high-end smartphone if you don't face any friction from fingerprint. I have a midrange smartphone and it takes an attempt or two for fingerprint authentication to work. I found the friction intolerable and disabled fingerprint authentication for opening the lockscreen. On my company blog, I've published a post titled Hardware Matters. In that post, I explain the high friction involved in fingerprint authentication, caused primarily by not-so-high-quality fingerprint scanner. 

While the common man may expect everybody to use “high quality” for everything, it’s not practical for large scale use cases to invest in high-end fingerprint scanners. With the kind of entry-level fingerprint scanners used in many of these applications, it’s very rarely that a user is authenticated on the first try. Ergo lot of friction.

"If done well" is right but, when it comes to compliance matters, there's too much temptation caused by cost pressures to NOT do it well. 

Then there are problems even on high end smartphones that are outside the control of the user. I know people who had a frictionless experience of Apple Pay with fingerprint ID now facing a lot of friction with Face ID from iPhone X onwards. They didn't ask for Face ID.

Mari-Anne Bayliss


Director, Payment and Fraud Solutions, EMEA

CyberSource, a Visa solution





This post is from a series of posts in the group:

The future of Payments in Europe

With an increase in regulations and growing involvement from multiple players, the world of payments is undergoing a disruption across the region
