Last updated on: 2020/03/04
LATEST NEWS ON PSD2 / SCA
Updated information on SCA migration deadlines is provided in the country information in this section.
COVID Crisis SCA enforcement delays
Last month, the EBA published their response to the Coronavirus (COVID-19), which includes a Statement on consumer and payment issues in light of COVID-19, published 25 March 2020. The EBA has stated they will monitor the impact of COVID-19 on the industry’s readiness to implement SCA.
The UK is the first country extending the delay in enforcement with 6 months due to the COVID crisis. The new deadline is 14 September 2021
EBA Opinion 16th October 2019
On October 16th 2019 the European Banking Authority (EBA) has published a new Opinion on the migration and timeline of PSD2 SCA. In it, the EBA states that they allow national supervisory bodies to not enforce the regulation until 31 December 2020.
PSD2 Strong Customer Authentication (SCA)
After publishing the EBA Opinion on the elements of Strong Customer Authentication, the EBA has left some control to the national CAs (Competent Authorities) on the manner and timelines of post-PSD2 SCA enforcement.
It is important to note that an issuing bank may still decide to require SCA/3DS even though the country will not enforce PSD2. That is why the advice to all merchants is still to be ready to do SCA on all transaction in scope of PSD2. Adyen will, then, in most integration types skip 3DS where the bank does not need it (yet), and use it where it is needed, with our RevenueAccelerate Authentication Engine.
If you're currently not offering 3D secure, please start integrating now.
Below we'll provide an exhaustive list, for informational purposes only. This list will be updated continuously as the landscape develops. Note that 'parties' refers to Acquirers and Issuers, and not to merchants directly, unless where otherwise stated by the regulators themselves. It is not necessary for Adyen nor for a merchant to actively request an extension with non-Dutch supervisory bodies, as the only relevant supervisory body for Adyen is the DNB in the Netherlands.
PSD2 Scheme information
Amex issues their own cards, which means that they can control fully whether authorizations are going to be declined yes or no. American Express has confirmed that they do not plan for any disruption as of 14 September. They are still working on more detailed timelines and a new "deadline". Merchants are still encouraged to move ahead with their SCA efforts.
Visa published several mandates and deadlines to achieve EEA SCA market readiness before 31 December 2020:
- 14 March 2020:
Issuers must be live on EMV 3DS 2.1. From this date, merchants will receive fraud liability protection on both EMV 3DS authenticated and attempted authentication transactions when European issuers are not live on EMV 3DS. At this point, all European issuers are expected to be able to respond with an EMV 3DS authentication response, and the issuer will assume any liability for fraud.
- 1 July 2020
Visa is introducing an issuer behavioural fee for abandoned EMV 3DS transactions. The fee will initially apply per each abandoned transaction above a 15% threshold, and will be reduced over time to a 5% threshold. The abandonment rate used in the calculation will exclude incidences where merchants choose not to pass a challenge to a consumer.
- 14 September 2020
Visa will extend performance program monitoring to include risk-based authentication, SCA exeption and SCA exemption and out-of-scope.
- 20 September 2020
Merchants should support the highest EMV 3DS version supported by the issuers, 2.2 in this case. Step Up can be done with EMV 3DS 2.1 or 2.2.
Mastercard published the following deadlines for all parties in the EEA to achieve market readiness for 3DS2:
- 01 July 2020
From July 2020 merchants should support EMV 3DS 2.1+.
PSD2 Country specific information
Confirmed delay in enforcement
The NBB (National Bank of Belgium) has announced that while the deadline of 14 September is still valid, enforcement will be delayed until a sensible migration plan is finalized and agreed upon. Belgium issuers will start soft declining non compliant transactions from 25 August 2020 in a phased approach, starting with transactions > EUR 1,500. They will gradually lower the amount for Soft Declines until they reach EUR 0,00 at 17 November 2020. Belgium adheres to the 31 December 2020 deadline to be fully SCA compliant.
The CBC (Central Bank of Cyprus) announced that they do not intend to take supervisory enforcement action against licensed institutions which have not implemented SCA in remote electronic card transactions by 31 December 2020, provided that these institutions have submitted a migration plan to the Central Bank of Cyprus.
This announced follows a previous announcement that regulated entities which currently support a non-reusable and non-replicable element for online card transactions, will be granted a limited migration period for the purpose of adequate preparation for the introduction of SCA in remote electronic card transactions.
The FinantilSysNet (Financial Regulator) has announced an 18-month delay. The Danish FSA will now, together with all card issuers and card issuers in Denmark, translate the implementation plans that have been discussed with the players in the market into concrete, operational milestones for how the players will ensure compliance with the rules by 14 March 2021. This after having announced previously that no delay would take place.
The BF (Bank of France) has announced that a migration plan will be pending. The timeline announced covers 18 months. Additionally, non 2FA authentication solutions will be progressively forbidden for a 'large majority' of customers before December 2020. In March 2021 all merchants should connet to the new 3DS infrastructure.
On 28th of October France publised a press release stating that the final deadline will be 31st of December 2020 both for authentication solutions for consumers as well as for merchant to connect to the new 3DS infrastructure.
The Observatoire de la sécurité des moyens de paiement published the French SCA migration plan which states that the final deadline for SCA enforcement is 31 March 2021.
BaFin (Federal Financial supervisory authority) has announced a delay in enforcement for PSD2. This statement was followed by a press release) stating that they will not enforce SCA until the 31 December 2020 provided certain milestones are met.
Bank of Greece has announced a a delay in enforcement for SCA until 31 December 2020
MNB (Bank of Hungary) has announced a 12-months extension plan for SCA migration. The timeline covers 12 months starting from the 14th of September 2019, and more details will follow.
The Central Bank of Ireland has announced a delay in enforcement for all payment methods during a limited migration period. No specific timeline was announced.
Banca d'Italia (Bank of Italy) has announced a migration period. It recommends parties that want to use such migration period to present a detailed migration plan. The deadline for the migration period is 31 December 2020.
Lietuvos Bankas (Bank of Lithuania) has announced a migration period. It recommends parties that want to use such migration period to present a detailed migration plan. No specific timeline was announced.
The CSSF (Surveillance Commission of the Finance Sector) has announced an extension of the implementation period for SCA for all payment methods. They mention an interest in harmonization of the migration plan with the EBA and requires parties that want to make use of the additional period to submit a detailed migration plan. In December 2019 the CSSF announced that PSPs should be compliant with SCA on 31 December 2020.
The Central Bank of Malta has announced an extension of the SCA enforcement period after 14th of September. In October 2019 they announced that the SCA provision will come into force on 31 December 2020.
The DNB (Dutch Bank) has announced an extension of the SCA enforcement period after 14th of September. DNB encourages market parties to cooperate in order to ensure that the phased introduction of SCA proceeds in an orderly fashion and that it is completed on 31 December 2020.
Starting April, Dutch issuers will soft decline unauthenticated high risk card transactions that are otherwise rejected. Merchants should re-submit them as authenticated using 3-D Secure.
Starting September issuers will gradually introduce SCA compliant behavior: transactions without SCA that would previously have been approved, will now be soft-declined to force authentication. Merchants should make sure their implementation or their service provider is ready to support the new, mandatory transaction flows that include 3DS authentication. Failing to implement and test the new transaction flows may impact merchants’ conversion from this date.
The Finanstilsynet (Financial Supervisory Authority) has announced an extension of the SCA enfocement period. Parties wishing to make use of this extension would need to reach out to the Finanstilsynet. The Supervisory Authority allows for a migration period until 31 December 2020.
The KNF (Financial Supervisory Authority) has announced an extension of the SCA enfocement period. Parties wishing to make use of this extension would need to reach out before 14 september. No specific timeline was announced.
On 17th October 2019 Banco de Portugal announced that the deadline for banks/PSPs to fully apply the strong customer authentication requirements in e-commerce card-based payment transactions is 31 December 2020.
The BdS (Bank of Spain) has announced an extension of the SCA enfocement period. The Spanish SCA migration plan described the phased roll-out of SCA and the roll-out deadline of 31 December 2020.
Parties can request an extension, but the supervisory body will otherwise enforce the regulation. It is currently not known which banks have filed for an extension.
The FCA (Financial Conduct Authority) has announced an 18-months extension plan for SCA migration. The timeline covers 18 months starting from the 14th of September 2019, and more details will follow.
On January 28th 2020 the UK Financial Conduct Authority (FCA) published the enforcement date for the UK market. The new enforcement date is 14 March 2021 in the UK and 31 December 2020 across the rest of the EU. As a result, UK card issuers will be required to decline all non-SCA-compliant transactions after 14 March 2021.All UK based merchants, acquirers, gateways, and issuing banks or payment service providers must be ready to support SCA from this date, to avoid consumers experiencing declined e-commerce transactions. The FCA has confirmed that there will be no further extensions to this deadline. More information can be found here.
On 30 April 2020 the FCA announced an additoinal 6 months delay for SCA enforcement due to the exceptional circumstances of the COVID crisis. The new deadline will shift from 14 March 2021 to 14 September 2021. After this date, any merchant that fails to comply with the requirements for SCA will run the risk of lower authorization rates.
Countries with no clear position
Although the following countries have not publicly commented on SCA migration deadlines, it is expected they will follow the EBA deadline of 31 December 2020:
- Czech Republic