
Supporting Merchants with PSD2 SCA as the EBA Sticks To the Deadline

In a statement released on 25th March, the European Banking Authority (EBA) confirmed that, for the moment, the December 31st 2020 enforcement deadline for PSD2 Strong Customer Authentication (SCA) remains in place. This is despite the universal disruption caused by the COVID-19 pandemic. The confirmation comes at the end of a wider set of recommendations on steps Financial Institutions and PSPs should take in response to the crisis, including raising the contactless transaction limit to €50.

E-commerce merchants have other urgent priorities

The fact that the EBA is sticking with the deadline (note that in the UK the FCA has set a later cut-off of 14th March 2021) is unwelcome news for a payments and retail industry struggling with multiple challenges resulting from widespread lockdowns on top of already aggressive timescales for PSD2 SCA adoption.

Most e-commerce merchants will have very different priorities for the foreseeable future. Those in sectors such as grocery are having to rapidly re-engineer systems and processes to cope with massively increased demand, while trying to ensure that they can genuinely serve priority vulnerable customers.

Elsewhere, many will be focussed on short-term survival and recovery once the worst of the crisis is over. A study just released by Ecommerce Europe reports that 65% of respondents believe the pandemic will lead to a decline in sales, partial or complete closure of the business during quarantine periods and release of staff.

Updating systems to support PSD2 SCA is unlikely now to be a high priority for many retailers.

Easing the burden on e-commerce retailers

Unfortunately, the biggest challenge in the national SCA migration plans now taking shape is educating merchants and getting them on board.

Acquirers, payment gateways and 3DS vendors will be playing the pivotal role in making this happen.

There are some key things they need to do to keep things as simple as possible for pressurised merchants:

  1. Reach out and educate all merchants. Use simple messaging and clear collateral to explain exactly what PSD2 SCA is and the minimum things merchants need to do to ensure that SCA can be applied and that transactions are not declined after the enforcement deadlines hit.
  2. Focus on getting all of your merchants on to 3-D Secure, preferably 3DS 2.2, as early as possible. Explain that 3DS is the industry standard for applying SCA and that 3DS 2.2 minimises checkout friction. Help merchants to understand how they support 3DS: through a 3DS server and, if they have a mobile app, the SDK.
  3. Ensure merchants understand and can recognise out-of-scope transactions, notably Merchant Initiated Transactions (MITs), and can submit these with the right flags to ensure they don’t get challenged or declined.
  4. Make sure merchants can recognise and respond to “soft declines”, that is, requests by issuers to resubmit via 3DS transactions that were submitted without SCA.
  5. Help merchants with more sophisticated transaction risk screening to take full advantage of the acquirer TRA exemption and other options for minimising the potentially negative impact on the consumer experience.

Detailed guidance is available from Visa, MasterCard, UK Finance and other industry bodies; however, the trick is breaking this down into clear and simple steps and removing the complexity for merchants who currently have urgent conflicting priorities. Even if the EBA does relent and relax the deadline in response to industry and local regulator concerns, it is unlikely to be for long, and conflicting demands on merchants will still be significant.



Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 01 April, 2020, 13:14

America's FFIEC announced 2FA guidelines for online payments in 2005, reissued them in 2012. USA still does not have 2FA for online payments. Sky hasn't fallen with fraud. RBI mandated 2FA for online payments in India 10-12 years ago. Friction increased. Payments failed. Conversion nosedived. Fraud reduced but at the cost of transactions not happening in the first place. A couple of years ago, RBI-administered NPCI launched UPI, which makes one factor implicit by moving it to the payer's mobile phone. With some sharp implementations, many popular payment apps obfuscated the second factor as well for a vast range of usage scenarios. As a result, digital payments have become frictionless and adoption has skyrocketed.

By now, it should be clear to any regulator that 2FA is a conversion killer and blood pressure booster. If any of them is still pushing through with its mandate, I can't help but believe it's only to save face.
