PSD2 and SCA — What’s Happening in 2021 in Europe
The revised Payment Services Directive (PSD2) came into effect this year in January for many countries across Europe. Banks, Fintechs, and other players in the payment ecosystem have worked hard in the last few years setting up their compliance to the new regulation. Once Covid-19 hit and people resorted to online shopping impacting most businesses, merchants had no choice but to switch to digital-first. This translates to understanding digital risk, fraud, and PSD2 has happened incredibly fast for most companies.
What is SCA and what does it mean?
SCA or Strong Customer Authentication is a European regulation under RTS (Regulatory Technical Standards) in PSD2 to reduce frauds and make online payments more secure. The regulation will go into effect on 14th September 2019 to make customer-initiated online payments more secure in the European Economic Area (EEA). After RTS came into force, every transaction will be authenticated by at least two of the three possible factors:
- Inherence: for e.g. a fingerprint or an iris scan.
- Possession: for e.g. a token or a card.
- Knowledge: for e.g a PIN or a password.
SCA to now come in effect on 14th March 2022
Initially the two-factor authentication (3D secure) was slated to be implemented fully across Europe on 14th September 2019. However, after several series of delays and rolling setbacks, the authentication was said to be in force this year on 14th September 2021.
In a recent statement released by the UK’s Financial Conduct Authority (FCA), there has been a six months’ further delay in the implementation. The strong customer authentication is now going to come into force on 14th March 2022.
The 6-month extension has been given in lieu of the coronavirus crisis. The additional time period given will ensure that there is minimal disruption to the merchants and consumers. When it comes into force, the SCA compliance will be safeguard card-based e-commerce transactions and reduce the chances of online transaction fraud.
SCA and its impact on E-commerce
In a new report issued by CMSPI, it is estimated that that €108 billion worth of online sales are at risk across Europe in 2021. This is in lieu of the Strong Customer Authentication (SCA) mandate illustrated under PSD2.
The merchants in Europe have engaged in SCA testing to gauge the acceptance in the market. The tests are also conducted to monitor the extent of smoothness and friction of a payment. Merchants, however, face challenges when conducting these tests mainly due to the lack of industry readiness.
The key reason for this significant disruption to online commerce is due to the performance of EMVCo 3D-Secure version 2 (3DS2): an authentication protocol that has been selected to support all online card transactions in Europe. If an issuing bank has not yet implemented 3DS2, then it would be impossible for a merchant to test transactions with that bank’s customers.
When we look at the tests which have been successfully carried out by European merchants. They indicate that abandonment rates through 3DS are 25%+ across most European markets in comparison to the typical abandonment in the single-figures once a customer has clicked ‘pay’ today.
Successful authentications can take upwards of 60 seconds, and in some instances average over 2 minutes. This presents a significant risk to sales and will have a substantial impact on all types and sizes of retailers.
