How SCA’s Deadline Is Impacting EU Merchants’ Authentication Approaches

The deadline to comply with Strong Customer Authentication (SCA) is Sept. 14, and European payment providers and merchants will have to either sink or swim. Unfortunately, the former is looking more likely for many businesses, especially those that want to transact internationally. These companies not only have to prepare for SCA, but also must deal with a dizzying array of approaches from regulators, card issuers and acquirers – firms that determine countries’ readiness as well as the authentication tools and methods merchants can use to meet the legislation.

EU merchants are at the mercy of the card acquirers and issuers that bracket online transactions and are responsible for determining how customers will be authenticated under SCA. These providers can choose from a number of verification strategies, including SMS passcodes and biometrics, as long as they fulfill two of the three SCA categories: knowledge, possession and inherence. Paul Rodgers, chairman of European payments membership forum Vendorcom, noted that merchants will be left with a flood of unanswerable questions until providers make their choices.

“The real challenge is, what do merchants communicate to their customers at the moment?” Rodgers said in a recent interview with PYMNTS. “Because merchants are essentially passengers in this process, they’re passengers on somebody else’s journey. Frankly, they’ve gotten on board the SCA card payments Titanic.”

SCA has been something of an “almighty iceberg” for EU merchants, even this close to the deadline, Rodgers explained, adding that the regulation is holding eCommerce merchants “below the waterline.” This change in authentication standards is still necessary to protect customers from an increasingly complex online payments world, however.

SCA Authentication Challenges and the Deadline Problem 

How merchants can approach authentication depends entirely on their home countries’ approaches, which are highly fractured across the region. Some regulators have not responded to the most recent statement on the subject from the European Banking Authority (EBA), while France and the U.K. have proposed staggered rollouts over three-year and 18-month periods, respectively.

Both plans were designed to remain compliant with what the EBA has termed a period of “supervisory flexibility” that enables countries to roll out the rule slowly in the face of massive non-preparation. There is not an exact definition for that term, Rodgers said, but it does allow regulators like the U.K.’s Financial Conduct Authority (FCA) to ease merchants and payment providers into compliance.

“If that period of supervisory flexibility is adhered to by the banks and the issuers, then hopefully we won’t see a kind of payment Armageddon [on] Saturday,” Rodgers said. “I’m fairly hopeful that will be the case.”

The FCA’s plan for authentication proposes a two-phase rollout, with the first implementing one-time passcodes sent through SMS messages and the second involving slightly more secure methods, such as smartphone-based biometrics, Rodgers said. It is one of the more robust plans in Europe, especially considering regulators in other countries have yet to make even cursory statements on SCA. The FCA’s rollout does not deliver on 2FA, however, which is required under the rule.

The SMS phase also comes with a few problems. Approximately two million U.K. consumers will lack the ability to receive SMS messages at some point during the day due to the country’s phone networks.

“Ironically, being based in the FCA’s offices in London means you can’t receive SMS messages in most of their offices,” Rodgers explained. “[The method] is very excluding.”

Merchants will continue to wait on card acquirers and issuers, which can let end customers and cardholders know what to expect from SCA – but even that is not yet standardized.

“What [end customers are] expected to do [to authenticate] isn’t just a product of what the issuer decides they’re going to have to do,” Rodgers said. “It is also a product of how the acquirer, processor, gateway and … merchant implement the communications protocols that allow the authentication credentials to be transmitted. You could have as many different communications as there are issuers in Europe – and there are many hundreds.”

Bracing for SCA’s Impact

Payment providers, banks, FinTechs and merchants are going to have to deal with this mess of payment regulations, rollouts and authentication requirements as the SCA deadline finally drops.

“To be perfectly honest, it is anybody’s guess what we will see [on] Saturday,” Rodgers said. “But I do fully expect that we will see declined transactions that merchants will be surprised by, and I think most of those will happen in cross-border payments where the merchant is in one European country and the issuer is in another.”

Protecting customers from the complexity of payments innovation is still a must as banks and regulators take charge of the payments ecosystem. Whether SCA will turn out to be a payments iceberg is still an open question, but it is clear that the EU payments world is bracing for some type of impact.