The EU’s revised Payment Services Directive (or PSD2), a major overhaul of international payment rules, is now technically in effect. However, European regulators pushed back the deadlines for the adoption of key facets of the law.
The Strong Customer Authentication (SCA) practices required under the legislation, for instance, were last scheduled to roll out on September 14, 2019. However, the European Banking Authority (EBA) recently advised giving merchants a pretty substantial extension to meet that deadline.
According to an opinion issued on October 16, the EBA now advises regulators to allow for some supervisory flexibility when enforcing SCA rules in the EU market. Now, businesses have until December 31, 2020, to complete implementation and testing for SCA compliance practices.
SCA is a Game-Changer for Customer Verification
As I explained in a recent post, SCA principles are a core component of the new PSD2 regulations. The rule mandates an additional layer of verification during the online checkout process as a means of preventing fraud. In essence, SCA rules require online sellers to verify at least two of these three factors:
- Possession: Something the buyer possesses, like a payment card with a card number, CVV code, and expiration date.
- Knowledge: Something the buyer knows, like a 3-D Secure code, PIN, or account password.
- Inherence: Something the buyer inherently “is;” examples could include a biometric reading, like a fingerprint or facial scan.
That doesn’t seem like a big deal at first glance. However, it fundamentally transforms how merchants and banks conduct payments.
The rules are seen as something of a mixed bag. For instance, online fraud is a leading concern for everyone in the eCommerce space. But, if a customer can complete a transaction with only limited information, like a card number, then we clearly have a problem. The idea behind SCA requirements is to better-verify users, thus preventing this from happening.
That said, many organizations, both inside the EU and abroad, find compliance with SCA guidelines difficult. Some point to challenges with verifying compliance due to their use of third-party contractors. In other cases, merchants involved in a transaction may occupy gray areas which can make it hard to establish consistent compliance.
Businesses could be in violation of SCA rules without even knowing it. Depending on the circumstances, an organization may be entirely unaware that the rules even exist.
Get Ahead of the Game
In response to these and other concerns, the European Banking Authority decided to cut payment service providers (PSPs) and merchants some slack. Let’s be clear, though: the EBA’s opinion advises pushing-back the compliance deadline. That does not, however, mean a delay in the actual implementation of Strong Customer Authentication requirements.
The rules are now in place and are on the books. The EBA is merely asking authorities to focus on monitoring migration plans instead of pursuing immediate action against payment service providers in violation of the rules. The EBA also recommends that the “national competent authorities”—typically the central bank, or central bank analogue, of each EU member state—take a consistent approach to enforcement.
The EBA’s ruling is a fairly-evenhanded solution to this problem. After all, the goal isn’t to punish businesses for noncompliance; instead, the goal is to help the adjustment of common practices to foster widespread compliance.
But, while there will be some flexibility over the next year, merchants and PSPs shouldn’t treat this as a reprieve from PSD2 rule enforcement. Rather, think of this as an opportunity to acclimate to the new requirements without hefty punishment for innocent procedural mistakes.
It’s wise to get ahead of the game by trying to maintain rule compliance as soon as possible. You’ll find it much easier to work out issues now, rather than when you’re facing potential penalties for noncompliance. The bottom line is that SCA requirements are still coming. The sooner you’re prepared to comply with these rules, the better positioned you’ll be.