Long reads

SCA: With weeks to go until Europe’s deadline, is the industry prepared?

Brian Gaynor

Brian Gaynor

Head of Product and Strategy, EU Merchant Services , JP Morgan

With just weeks to go before the 31 December 2020 deadline for Strong Customer Authentication (SCA) implementation in Europe , it’s worth taking a look at at the industry’s position within the rollout of this far-reaching new requirement.

Final Call for Implementation

After 31 December 2020, subject to prescribed regulatory exemptions, merchants will need to secure multi-factor authentication for their online transactions. The European Banking Authority (EBA) allowed extensions to be granted to the original deadline of 14 September 2019. Industry participants from merchants to issuers, regulators, acquirers like ourselves, and consumers, will be required to adjust to comply with SCA requirements. The extensions provided some breathing space to many industry players, who have had to chart a very unpredictable path through the global events of 2020.

The European Banking Authority has confirmed that 31 December 2020 will be the final date for compliance. So, will the e-commerce ecosystem be ready come New Year’s Day?

Passing the Test

The emergence of COVID-19 earlier this year created additional pressures on merchants, and may have impacted their ability to secure the third-party developer time needed in order to get SCA site coding installed or implemented. The final deadline of 31 December  may now have hardened the resolve of many to be ready in time. In our experience, despite the constraints on budgets and staff presented by the pandemic, there has been a huge amount of work undertaken by merchants to ensure they will be prepared for SCA. At J.P. Morgan, we began working with our merchant clients long before 2020, briefing them and helping to ensure they could meet requirements.

However, there appear to be some issues outstanding.Not all merchants may be ready yet. Some may have completed the site coding needed to enable SCA, but haven't necessarily turned it on, or haven't turned it on permanently. Some issuers in different countries haven't fully switched on SCA functionalities either. This means even if a merchant has launched SCA on its site, its customers may not be receiving the 3-D Secure 2.0 (3DS2) identification challenges that enable SCA from the issuer.

Rollout Will likely be Uneven, so Make Sure You’re Ready, Even if Others Aren’t

Delivering a cohesive, integrated rollout of SCA will be difficult—simply because there's so many different moving parts and players. When talking to clients, I’ve compared this to everybody preparing to play a new sport together. We have all been given the rule book, we have all been told that everyone is due on the field on 1 January 2021, but none of us have played this before. Is it all going to work?

Based on our intelligence, SCA is not going to just appear ‘everywhere’ online on 1 January. Right now, what we're actually seeing is a gradual ramp-up of initiation across Europe. Different issuers across Europe are starting to implement SCA, particularly for high-value transactions. We are observing card challenges happening within the ecosystem where we haven't seen them before. This glide path towards a much higher level of transaction queries and challenges is going to continue between now and December 31. Of course, there will be a big jump in SCA compliance on 1 January 2021, but between then and now, be prepared for some unpredictability as we shift into a whole new era of payments authentication.

Comments: (1)

A Finextra member
A Finextra member 22 December, 2020, 14:391 like 1 like

I must admit that I really don't understand why the EBA made SCA so precriptive. The costs of implementing it must be huge - significantly higher than the fraud losses it's aimed at reducing. Similarly, consumers will largely be unaware of the new requirements and those that are aware are (like me) finding it a real pain and a deterrent to shop. Gone is the seamless, smooth customer journey, soon to be replaced by an ad-hoc, inconsistent approach by different issuers and merchant card acquirers.

As a consumer, if my card was declined I'd go to my card issuer to ask for an explanation, post January, who do I go to? Card Issuer, Card Acquirer, Merchant? It could be any one of them.

Im my view, the EBA should have set the industry a target to reduce fraud from x% to y% by z date and left it to the industry to work out the best, and least disruptive way to deal with it.

I suspect come January, the blame game will start....