Under industry pressure, the European Banking Authority has paved the way for some firms, on an "exceptional basis", to get an extension of the September deadline for new Strong Consumer Authentication (SCA) rules for e-commerce transactions.
From September, the SCA regulation under PSD2 will mean that European shoppers will have to authenticate online payments over EUR30 with two of the following: something they know (like a password), are (fingerprint/face ID), or have (phone).
The new rules have faced strong opposition from an industry which is widely seen to not be ready for the switch; a recent study from Stripe found that just half of 500 businesses surveyed expect to be compliant, a picture that could cost Europe's online economy more than EUR50 billion.
In an opinion on the subject, the EBA says the industry has had enough time to prepare for SCA, which was first unveiled in PSD2 in 2015, adding that there has already been an additional 18-month implementation period.
However, the opinion acknowledges that there are particular challenges for actors, such as e-merchants, that are not payment service providers and therefore not directly subject to PSD2.
Bowing to the inevitable, the EBA says that national competent authorities (CAs) may decide to work with PSPs and stakeholders such as merchants and consumer to "provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA...and acquirers to migrate their merchants to solutions that support SCA".
This flexibility is under the condition that PSPs at least have a migration plan agreed with their CAs and the plan is executed quickly.
You can read the full opinion, which also sets out details on the elements of SCA, here:
Download the document now 435.6 kb (Chrome HTML Document)