Strong customer authentication (SCA)

Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The SCA will take effect on 14 September 2019 and require that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.

The SCA has caused a lot of questions and uncertainty for merchants and other stakeholders across Europe.

In late June, The European Banking Authority (EBA) issued an opinion regarding the implementation of the SCA. The Opinion acknowledges that the complexity of the payment’s markets across the EU and the challenges arising from the change that are required. In order to avoid negative consequences for payment service users the EBA accepted to allow national regulators to work with relevant stakeholders, such as payment service providers, acquirers, card issuers and merchants, to provide additional transition time. The flexibility is available under the condition that there is a migration plan in place agreed with the relevant national regulator.

In a letter sent to the European Commission and European Banking Authority (EBA), a number of card schemes, retailers and other stakeholders argued EU-wide consistency is essential “to maintain market stability”.

According to the EBA opinion it is up to the national regulators to delay the SCA enforcement date. The EBA has however not yet set out how long this transition period could last. So far, only one regulator has agreed to an 18-month transition period. The Financial Conduct Authority (FCA) announced on 13 August that it will not take enforcement actions against firms if they do not meet the relevant requirements for SCA from 14 September 2019 where there is evidence that stakeholders were taking steps to comply with an agreed implementation plan. Today 12 national regulators have officially confirmed their views in favor of a transition period.

The different approach by individual national regulators adds a layer of complexity to this new regulatory requirement. Without a harmonized approach across Europe this could mean that payments in one jurisdiction will need to apply the SCA requirements and other won´t. Rapyd will continue to follow up on the enforcement of the SCA and keep you updated about the process.

Countries that have confirmed or are in favor of a prolonged transition period:

United Kingdom, Ireland, Italy, Denmark, France, Germany, Greece, Malta, the Netherlands, Norway, Poland, Austria and Belgium.

A Card Held Over A Card Reader Representing The Security Of Contactless Payments.
The security of contactless payments: What to tell your customer.
Read Blog Post
Woman Holds Credit Card While Shopping On Laptop And Wonders If Her Card Is PCI Compliant
Your Complete Guide to Understanding PCI Compliance
Read Blog Post
Cheerful Woman On Video Call At Home Depicting Secure Online Payment Processing
10 Best Practices for Secure Online Payment Processing
Read Blog Post

Subscribe Via Email

Thank You!

You’ve Been Subscribed.

More Payments
In More Places

Get one platform for all the ways the world pays.

GET STARTED