Many European merchants are grappling with unanswered questions regarding PSD2 Strong Customer Authentication (SCA) compliance, even with the regulation’s implementation nearly a month away. Online retailers are unsure which version of 3D Secure (3DS) they are supposed to use or how to authenticate consumers who do not have mobile phones, given that 2FA is now a requirement.
Peter Robinson, payments advisor for European retail, wholesale and international trade association EuroCommerce, noted that these concerns are putting more pressure on card acquirers — the main party responsible for making sure merchants are ready for and informed about SCA and its incoming authentication and online transaction restrictions. The association includes retail members all across Europe, including Carrefour, Coop and Amazon.
Robinson stated that large merchants focused on SCA’s exceptions when the European Banking Authority (EBA) first outlined the rule.
“With the deadline fast approaching, merchants are largely dependent on their card acquirers to inform them, liaise with them and help them achieve compliance to whatever the requirements are,” he said.
This merchant-acquirer relationship is only going to become more important for online retailers that want to remain competitive in post-SCA Europe. eTailers need to be as prepared for SCA as possible as authentication and payment regulations change next month.
EBA Holds Firm on Deadline While Many Merchants Remain Unaware
SCA’s potential impacts on merchants are only just now coming to light, though discussions continue regarding how the rule will impact real-world scenarios. Merchants that are noncompliant may find themselves unable to clear simple transactions: Card issuers could decline them due to improper verification, for example. This and other problems are pushing retailers to ask more questions.
Robinson believes that SCA confusion has lessened since it was first conceived, when merchants were flagging questions for acquirers that turned to networks like Mastercard and Visa. The card networks then fired those questions off to regulatory bodies like the EBA for clarification. These concerns resulted in lobbying campaigns on the part of all the stakeholders involved in the payments chain.
“Retailers were excluded from PSD2 completely,” he said. “Their views weren’t taken into account. Merchants were still waiting for answers from card acquirers as to what they needed to do.”
Some retailers improved their authentication processes with the implementation of 3DS, but Robinson noted that many were unaware that they needed 3DS 2.2, which was still under development, to benefit from all SCA exemptions. This resulted in some merchants delaying testing until all questions were answered.
A significant portion of European eTailers and their customers remain unaware of SCA or what they need to do to meet compliance — a critical piece of the regulatory puzzle that needs to be addressed. This group may see all their transactions declined if nothing changes when SCA is put into full effect.
“The banks [and] the card schemes were awaiting answers to [their questions] so they could deploy [fixes, which] they only wanted to do once in order to avoid multiple deployments which would just add further cost and complexity,” Robinson said.
The EBA has agreed to provide a limited amount of time to let issuers become compliant with SCA.
“Reading into that now, while the September 14 [deadline] still stands for payment services providers to comply with the requirements of SCA, some flexibility is now being shown,” he explained. “So, the pressure is on issuers not to reject a transaction simply because it doesn’t have the appropriate SCA flags on it.”
This means each European state is now responsible for creating its own SCA compliance road map, he added.
Additional Merchant Challenges
Such a path may grant merchants and their end customers more time to catch up on compliance, but it also opens up some new challenges.
“What you don’t want is a fragmented approach to compliance with some member states declaring readiness and enforcing compliance when other member states aren’t,” Robinson said. “If that were to happen, you’d wind up with customer confusion. … So, we really want to try and get all member states aligned and agreeing to a date by which everyone will be ready. That’s where we’re focusing our attention now.”
Making sure each country is matching its SCA requirements with the rest of the EU’s member states will be the next major challenge to getting SCA up and running, he noted. Many retailers will, unfortunately, remain locked in the same kind of regulatory limbo experienced with PSD2 as these requirements continue to form.