DIGITALEUROPE proposes 5 key recommendations for a successful implementation of Strong Customer Authentication (SCA)
DIGITALEUROPE welcomes regulatory and market initiatives that make electronic payments more secure and advocates the principle behind the regulation on Strong Customer Authentication (SCA). DIGITALEUROPE believes that safe and secure electronic payments are the cornerstone of a successful European digital economy, where the consumer is protected both through law and industry practices.
DIGITALEUROPE understands that full, efficient and effective implementation of the regulation on SCA requires an unprecedented effort from the whole industry, including the majority of European consumers and merchants. However, if the regulation on SCA were to be strictly applied and enforced as of the 14th of September 2019, the whole European economy, and especially the digital economy, would suffer a shock which Europe cannot and should not afford. The European e-commerce industry has been growing at a sustained pace for years. It is expected to reach a turnover of 621 billion euros in 2019 and keep double-digit growth rates of over 13 percent. More than 75.000 companies in Europe are part of this industry. Many of them are small and dependent on e-payment services.
[Figure: Size of the European e-commerce industry]
The SCA implementation requires important but major changes at all levels – the technology, the infrastructure, but also our habits and existing processes. The industry has been working hard since the announcement of the Regulatory Technical Standards in order to bring about this change. DIGITALEUROPE believes, in agreement with the majority of market participants, that a lot of work is still ahead of us. Namely, not only are there payment service providers (PSPs) lagging behind in their preparations to meet SCA requirements, but many merchants across Europe are also not ready to use the new solutions and infrastructures, all while consumer awareness is still very low.
In light of the above, DIGITALEUROPE welcomes the opinion of both the European Banking Authority (EBA) and an increasing number of National Competent Authorities (NCAs) that, instead of hard enforcement of the SCA rules, a transition period should be provided by the relevant authorities in order to ensure a smooth and effective transition for the long tail of all affected stakeholder groups. We understand, however, the challenges of providing such transition period, with the biggest challenge of them all being the threat of market fragmentation and inconsistency across Europe. In addition, DIGITALEUROPE calls on policymakers to consider introducing a permanent and targeted exemption for remote and unconnected environments. This is in line with EBA’s rationale of establishing an exemption where the use of strong customer authentication may not always be easy to apply due to operational reasons. In the section below, DIGITALEUROPE would like to point out some key aspects and requirements, along with our recommendations, in order to ensure an effective and harmonised European approach to the phased implementation of SCA rules.
Recommendation 1: A harmonised, European transition period, with a duration of 18 months
By far the biggest challenge and fear with regards to a transition period for SCA implementation is a potentially fragmented European market, which could harm cross-border e-commerce transactions and make it extremely difficult for merchants operating in several countries to adapt to the various national approaches. Therefore, DIGITALEUROPE strongly recommends a harmonised, European approach to provide a transition period with the same deadlines in all EU member states. Based on discussions with the industry, DIGITALEUROPE considers a duration of 18 months (with a final deadline of 14 March 2021) to be a reasonable, compromise solution which would allow all relevant European stakeholders to get ready, including the onboarding of the long tail of merchants and consumers.
Recommendation 2: Harmonised and monitored roadmaps
Apart from providing a clear and harmonised final deadline for compliance across the whole of Europe, the relevant authorities are encouraged to draw up a simple, harmonised roadmap with interim milestones and deadlines, to be applied uniformly in all EU member states and monitored by National Competent Authorities (NCAs). DIGITALEUROPE recommends the following simple roadmap:
- By 14 September 2019, all PSPs shall prepare and submit to their respective NCAs communication plans, based on which they will reach out to all their merchants and consumers with all relevant and necessary information on SCA.
- By 14 March 2020, all PSPs shall have fully executed their communication plans to the industry.
- By 14 September 2020, all PSPs shall have fully operational SCA solutions and systems readily available and functioning properly, while all merchants shall be technically ready to use the systems on their end.
- By 14 March 2021, all European consumers shall be enrolled in at least one SCA-compliant solution.
Recommendation 3: Permission not to use SCA or to use legacy solutions for SCA during the transition period
Even with the best of intentions, it will be extremely difficult to achieve full harmonisation across Europe. Furthermore, some PSPs and merchants will inevitably be ready earlier, while some later. A certain discrepancy in the level of readiness will necessarily exist. In order to move from a non-SCA world to an SCA world as smoothly as possible, and in order to avoid unnecessarily or mistakenly declined transactions, all NCAs shall allow all PSPs (irrespective of their level of readiness and speed of becoming ready):
- not to decline transactions which are sent without the data and information necessary for SCA;
- to use legacy/existing authentication solutions without changing current provisions on the allocation of liability for fraud between merchants and PSPs
until the final compliance deadline of 14 March 2021.
Recommendation 4: Clear and timely communication by NCAs and the EBA
As the regulation on SCA soon takes effect, all relevant stakeholders need a clear communication from their respective authorities on what they should expect with regards to the enforcement of the regulation. It is understandable and reasonable that achieving harmonisation across Europe in such a complex matter takes a lot of time and effort from all parties involved, thus full clarity is difficult to expect before 14 September 2019. However, in order to avoid a high transaction decline rate, the industry needs a strong and clear signal from all NCAs in all countries whether flexible enforcement will be granted. It also needs to clearly understand what to expect after the regulation takes effect. A good example of this practice is in the recent announcements of the Italian and the Dutch central banks, as well as in an earlier announcement in France. Furthermore, the EBA and the NCAs are strongly encouraged to communicate their final and fully comprehensive decisions in a timely manner.
Recommendation 5: Introduce a permanent and targeted exemption for remote and unconnected environments.
The provision of online connectivity and online sales on board aircraft, ships and other remote areas, such as oil platforms, is a growing service sector. At present, there are no technological solutions able to effectively address all potential methods banks may utilise to comply with SCA. As a concrete example, if SCA rules were to apply in remote, unconnected environments such as airplanes, a passenger that intends to purchase a Wi-Fi package onboard would first need to receive a verification code (called dynamic link) via SMS/email/push notification that verifies the legitimacy of their transaction, before the Wi-Fi service is purchased. If the passenger cannot receive the verification code due to connectivity issues in the plane, the SCA rules will require the cardholder’s bank to decline the transaction. This would result in passengers being unable to purchase in-flight Wi-Fi and in substantial revenue losses for several actors in the value chain. Applying SCA rules in remote and unconnected environments is also difficult considering that card issuers are free to choose their preferred method of secondary authentication. Providing the means for all possible authentication methods at all times is not feasible.
A second and equally important challenge is about passenger payments in unconnected (offline) environments where no external connectivity is available. Giving passengers the option to purchase a variety of onboard goods and services (food, drink, Pay-Per-View) via their personal electronic device or inflight entertainment system is increasingly popular. The market for infotainment content is growing. However, if SCA were to apply in unconnected environments such as airplanes, providing these infotainment services would become impossible. Only a permanent and targeted exemption for remote and unconnected environments, similar to the one granted to unattended terminals for transport fares and parking fees, would bring clarity in the industry and properly recognise the legitimacy of such payment environments. We, therefore, urge policymakers to consider this exemption and implement it as soon as possible.