The European Banking Authority (EBA) published an opinion on strong customer authentication (SCA) under the revised Payment Services Directive (PSD2), acknowledging that implementing the new standards might be difficult for some merchants.
Businesses and banks have expressed their concerns over the EBA’s new standards that require “strong customer authentication” for all electronic payments over €10 (around $10.50). While these new rules aim to make online transactions safer for the consumer, they can also slow down the process and possibly lead to fewer online sales.
“The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA. The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September 2019,” according to a press release from the EBA.
Despite concerns, the EBA explained that it cannot legally postpone the deadline for compliance that has been set by the EU law, adding that businesses and banks have had sufficient time to prepare, given that it was explained back in 2015.
“However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA’s technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September 2019,” the agency stated.
With that in mind, when an “exceptional basis” is proven, “NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.”
The extensions will be granted only if PSPs have set up a migration plan, have agreed to a plan with their CA, and carry out the plan in an timely manner.