What is it & why has it been delayed
After prolonged delays and protracted planning SCA finally came into effect on 14th September 2019. However up until 31st December many European banks were not abiding by these requirements and it was only then that the new SCA requirements were widely and fully endorsed. And yet there are two exceptions falling outside this, being: UK and Ireland – The UK and Ireland regulators have stuck to its initial decision to maintain a prior announcement of an 18 month delay in requiring the additional authentication for online payments. The deadline for the UK is March 2021.
France – France has announced it will maintain an extra 3-month grace period on a case-by-case basis.
Essentially SCA is a new set of rules designed to assist in the fight against card fraud. SCA is part of the Revised Payment Services Directive (PSDS2), published a year prior to the implementation of SCA. Strong Customer Authentication aims to improve the security of payments. Online sellers will be forced to implement far stricter methods of making sure that any payment they take is genuine and comes from the owner of the card or payment method, or is otherwise authorised. This, in effect, means that customers will need to approve online payments via a new layer of authorisation, so long as the cardholder’s bank and the company providing the goods or service are located within the European Economic Area.
The type of authentication that this will entail will involve the verification of the identity of the customer through two of these elements:
1. Credit card; mobile device or smart card
2. A password or pin
3. Biometrics such as finger print or facial scan
This measure means that the security of online payments will be more akin to ‘in-person’ payments (i.e. card possession and pin).
What does SCA mean for online consumers?
The new SCA system for verification could result in frustration for consumers, as while it is meant to protect both customers and retailers from fraud it also makes the checkout procedure of shopping a little more complicated. The extra step in the process will usually result in customers having to enter codes on laptops or use biometric authentication via banking apps when making online payments via mobiles.
As with anything there will be exemptions. If your payment is a recurring one or falls under the 30 Euro threshold it will normally not be subject to these new regulations. And yet the exemption is not quite so straightforward as if a customer makes several payments in one day adding up to 100 Euros, it would be an accumulation that may trigger the new authentication process.
Why was SCA delayed?
SCA was partly delayed because of the difficulty in agreeing a timeline between all of the European countries (as seen this has led to two countries being further behind). Looking from the UK and Ireland’s point of view, the FCA delayed implementation over concerns that banks, merchants and payment service providers were unprepared for the change. This has, at least given consumers and merchants alike a little window to familiarise themselves with the latest security concerns and to get prepared for the changes.