How EU Merchants Are Adjusting To SCA

European Union merchants, payment service providers (PSPs) and bankers watched as the September Strong Customer Authentication (SCA) deadline passed — and then went right back to asking authentication questions that regulators have not yet answered.

SCA mandates greater authentication for transactions between merchants and their end customers, but there are almost as many possible exceptions as applications. European countries are individually responding to the dawn of SCA, with France and the U.K. mandating 18-month implementation periods while Sweden is only offering 12 months. PSPs also need to be mindful of technical standards, including how some versions of 3D Secure — payment protocols EMVCo designed to support online payments — may not be compatible with SCA.

These requirements can be complex for merchants that just want to interact with their end customers for simple, clean business, according to Nicolas Adolph, chairman of the European Association Of Payment Service Providers For Merchants (ESPM). The trade association was first conceived in 2005, when the first payment services directive (PSD1) was being discussed. SCA is part of PSD2. EPSM has since grown to include members like Concardis, Elavon, Evo, First Data, Ingenico, Intercard, Payone, Raiffeisen Bank and Wirecard CEE.

Adolph recently told PYMNTS that EU merchants and PSPs still have questions about how the SCA regulation applies to cross-border transactions, which version of 3D Secure to implement and how to manage exemptions. They must also address if market participants will try to coordinate an EU rollout of SCA over the next 18 to 36 months. Businesses need to be further educated on SCA’s intricacies, Adolph said, as the requirement generally does not apply to online bank credit transfers or transactions at the point of sale (POS).

“In detail it can become a bit complicated, especially if you are a typical merchant [transacting] on the internet that just wants to get paid,” Adolph said.

SCA Confusion for Merchants, PSPs

Adolph believes that merchant response to SCA has been slow and a little challenging because many EU merchants still do not fully understand the rule’s implications. Their understanding of SCA can also vary depending on industry or business size, he said.

“If it’s a small, innovative, pure-play eCommerce player who just sells things on the internet, probably there are some that are already adapting,” Adolph said. “It becomes complicated if you have a merchant with more differentiated service offerings.”

PSPs are thus taking more responsibility for merchant readiness, as they will first need to implement the newest 3D Secure version and decide on other tenets of SCA authentication before businesses can rely on them for fully compliant payments. Certain industries will find it difficult to reach 100 percent implementation, however, Adolph added.

“A typical, normal PSP will start to implement EMV 3D Secure versions 2.1 and 2.2 and corresponding exception handling with most of its merchants next year,” he said. “This is why we think the complete rollout might take even longer, especially for challenging use cases in the travel and hospitality industry.”

He went on to explain just why these firms might see further complications.

“Travel firms can have very complex systems with many partners who also use global IT systems, and it is probably not possible to move this whole market within 18 months,” Adolph noted. “They might need some more time if these European firms don’t want to reject card transactions or increase payment decline rates for EU-issued cards in the industry.”

SCA confusion for merchants in hospitality, retail, travel and other industries extends beyond how the rule applies and the need to coordinate with payment providers. Those in these industries are also unclear on the time they have to comply, which can vary drastically. Regulators in Denmark, France, Finland and the U.K. have all decided on 18-month migration periods, but many other EU countries have not yet selected time frames.

EPSM is among the organizations that have issued a joint letter to the European Banking Authority (EBA) calling for a coordinated period of SCA migration that may help merchants and payment providers ease into the requirements. Other signees include the European Payment Institutions Federation (EPIF), hospitality organization Hotrec, Mastercard and Visa. The letter hopes for a harmonized transition period, which may be easier said than done.

“There are 28 national regulators [in the EU] and then there is the EBA, and it’s here that everyone should act in concert, but in practice there might be differences,” Adolph said. “Ultimately, the deciding factor in regulation in the EU will be the country’s national competent authority.”

SCA, Cross-Border Payments and Other Technologies

The list of SCA challenges for EU-based merchants is likely to remain long, especially if different rules apply for cross-border eCommerce payments, which could increase declined transactions. New technologies in this area are turning into a larger topic of discussion now that SCA is in full swing, Adolph said. Biometric authentication solutions and new payment methods like mobile wallets are likely to increase in use over the next 18 to 36 months, but questions will remain.

“It’s still not completely clear if mobile wallets or biometric authentication will be always accepted by the regulators in their present forms,” he explained. “The EBA has never said which biometric solution is SCA compliant. Many people assume biometrics are generally SCA complaint, but if you look into the details, [compliance] can become challenging.”

The year 2020 will likely see detailed industry discussions, debates and collaborations over SCA’s implementation. European merchants will need to be agile if they want to handle the upcoming changes.