PSD2/SCA
PSD2 SCA (Strong Customer Authentication) requirements were mandated by the European Commission and the deadline for compliance enforcement was December 2020. How did the MRC engage with EU regulators to advocate for readiness-based enforcement date change?
On 14 September 2019, new requirements for authenticating online retail payments were introduced in Europe as part of the Payments Services Directive update (PSD2). The industry was not ready at that time, so the European Banking Authority (EBA) facilitated an extension to the implementation deadline of the regulation, to 31 December 2020.
While the MRC supported the goal of robust implementation of Strong Customer Authentication (SCA), our goal was to work with merchants and issuers to ensure upcoming regulation enforcement did not have a negative impact on the industry.
The MRC has approached 18 EU regulators to request the enforcement date be adjusted by country, based on reports of industry readiness, or lack thereof. Our merchant community, led by Microsoft and Amazon, has published SCA readiness dashboards by country. Through this initiative, we created a deadline dashboard by country and a Slack channel for merchants and issuers to discuss the challenges.
Initiative Highlights
-
The European Commission produced the regulation (PSD2). The regulation specifically relating to SCA has been enforceable since 14 September 2019. In effect, all regulated bodies (banks, credit institutions, etc.) should be compliant since that date. However, on that date, nothing really changed.
The European Banking Authority (EBA) is the enforcer of the regulation in the EU (European Union). They enforce the National Conduct Authorities (NCAs), normally the Central Banks of each nation, to ensure compliance in each nation. It was the EBA, in September 2019, that allowed the NCAs time before which they had to enforce the regulation in each nation. This flexibility ended at the close of 2020.
The Commission and the EBA have noted that all parties have been aware of the regulation since 2017. They are currently not willing to extend the deadline for enforcement for that reason. The FCA was able to make an early decision most likely because of Brexit, i.e., they have left the EU and, as such, are not required to comply with EU regulation, in theory. That said, the UK will wish to remain competitive, so they aim to comply but have allowed another nine months for their regulated bodies (issuers and acquirers) to comply with the regulation.
While each NCA can make its own decision on delaying the date, they are required to enforce the regulation under the EBA. See the MRC SCA deadline chart for details on enforcement date delays.
The European Commission produced the regulation (PSD2). The regulation specifically relating to SCA has been enforceable since 14 September 2019. In effect, all regulated bodies (banks, credit institutions, etc.) should be compliant since that date. However, on that date, nothing really changed.
The European Banking Authority (EBA) is the enforcer of the regulation in the EU (European Union). They enforce the National Conduct Authorities (NCAs), normally the Central Banks of each nation, to ensure compliance in each nation. It was the EBA, in September 2019, that allowed the NCAs time before which they had to enforce the regulation in each nation. This flexibility ended at the close of 2020.
The Commission and the EBA have noted that all parties have been aware of the regulation since 2017. They are currently not willing to extend the deadline for enforcement for that reason. The FCA was able to make an early decision most likely because of Brexit, i.e., they have left the EU and, as such, are not required to comply with EU regulation, in theory. That said, the UK will wish to remain competitive, so they aim to comply but have allowed another nine months for their regulated bodies (issuers and acquirers) to comply with the regulation.
While each NCA can make its own decision on delaying the date, they are required to enforce the regulation under the EBA. See the MRC SCA deadline chart for details on enforcement date delays.
-
For information on how Microsoft built its scorecard, see the following articles:
See details in Microsoft's SCA November 2021 scorecard or access scorecards from Adyen, Amazon, and Google.
For information on how Microsoft built its scorecard, see the following articles:
See details in Microsoft's SCA November 2021 scorecard or access scorecards from Adyen, Amazon, and Google.
-
The MRC has called on the EBA and the European Commission to use their influence to encourage all NCAs (National Conduct Authorities) to adopt a flexible approach to the implementation of SCA and give industry scope beyond the 31 December deadline. The MRC also wrote to 18 NCAs directly to suggest the deadline for the operational application of SCA should be pushed out by at least 6 months.
Learn more by reading MRC's correspondence with the European Commission, European Banking Authority, the Commission's responses, and a joint letter from the European Payment Institutions Federation signed by MRC, Visa, Mastercard, the European Hotel Forum, and many more.
The MRC has called on the EBA and the European Commission to use their influence to encourage all NCAs (National Conduct Authorities) to adopt a flexible approach to the implementation of SCA and give industry scope beyond the 31 December deadline. The MRC also wrote to 18 NCAs directly to suggest the deadline for the operational application of SCA should be pushed out by at least 6 months.
Learn more by reading MRC's correspondence with the European Commission, European Banking Authority, the Commission's responses, and a joint letter from the European Payment Institutions Federation signed by MRC, Visa, Mastercard, the European Hotel Forum, and many more.
-
The MRC has also engaged European consumer associations to ensure they are fully informed on the impact on consumers from 1 January 2020, when card issuers are forced to decline transactions that do not appear to be SCA compliant. In some countries, the reports show this figure could be up to 50% of transactions.
The MRC has produced an SCA deadline dashboard by country to note the enforcement deadlines for European countries. See it here.
The MRC has also engaged European consumer associations to ensure they are fully informed on the impact on consumers from 1 January 2020, when card issuers are forced to decline transactions that do not appear to be SCA compliant. In some countries, the reports show this figure could be up to 50% of transactions.
The MRC has produced an SCA deadline dashboard by country to note the enforcement deadlines for European countries. See it here.
-
The MRC heard from card issuers and merchants that it is tough to test for and debug problems highlighted when processing SCA-ready transactions, so we established a Slack channel where the community works together to solve issues. If you wish to join the Slack channel (open to merchants and card issuers), contact slack3ds@merchantriskcouncil.org
To sign up for testing with Visa, email Visa at gct3dssupp@visa.com. To sign up for the Mastercard test platform, visit https://3dss.netcetera.com/mastercard-psd2-testing/.
The MRC heard from card issuers and merchants that it is tough to test for and debug problems highlighted when processing SCA-ready transactions, so we established a Slack channel where the community works together to solve issues. If you wish to join the Slack channel (open to merchants and card issuers), contact slack3ds@merchantriskcouncil.org
To sign up for testing with Visa, email Visa at gct3dssupp@visa.com. To sign up for the Mastercard test platform, visit https://3dss.netcetera.com/mastercard-psd2-testing/.