For those that missed the article, PSD II has four key objectives – Market Efficiency and Integration, Consumer Protection, Competition and Choice and Security. One of the components of security was SCA.
SCA requires the use of two independent sources of validation by selecting a combination of two out of the three categories (commonly known as the ‘two-factor authentication’):
It is the issuer that will be required to put in place the measures of authentication of their choice. This opens up the risk that a merchant could have different approaches applied to its customers.
Whilst many participants in the payments sector (banks, card issuers and merchants, businesses) have been ready for the 14 September 2019 deadline, there has been concern over a large proportion that will not be ready in time. In a survey by Mastercard of small merchants, only 42% felt they would be ready by the deadline.[2]
On August 15, the UK Financial Conduct Authority (FCA) announced that it will allow for an 18-month delay to the introduction of SCA rules and that an additional one-year extension would also be given to businesses in the hospitality and travel sector.
Whilst the decision avoids a payments cliff-edge, whereby 25-30 percent of e-commerce transactions made online after September 14 would have been at risk of failing[3], others note the delay will leave payment processors open to fraudulent activity for a longer period.
The announcement from the FCA noted that “We will not take enforcement action against firms simply for not meeting the relevant requirements for SCA from 14 September 2019 in areas covered by an agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan.
After 14 March 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action as appropriate.”