Strong Customer Authentication
SCA: With weeks to go until Europe’s deadline, is the industry prepared?
With just weeks to go before the 31 December 2020 deadline for Strong Customer Authentication (SCA) implementation in Europe, it’s worth taking a look at the industry’s position within the rollout of this far-reaching new requirement.
Final call for implementation
After 31 December 2020, subject to prescribed regulatory exemptions, merchants will need to secure multi-factor authentication for their online transactions. The European Banking Authority (EBA) allowed extensions to be granted to the original deadline of 14 September 2019. Industry participants from merchants to issuers, regulators, acquirers like ourselves, and consumers, will be required to adjust to comply with SCA requirements. The extensions provided some breathing space to many industry players, who have had to chart a very unpredictable path through the global events of 2020.
The European Banking Authority has confirmed that 31 December 2020 will be the final date for compliance. So, will the e-commerce ecosystem be ready come New Year’s Day?
Passing the test
The emergence of COVID-19 earlier this year created additional pressures on merchants, and may have impacted their ability to secure the third-party developer time needed in order to get SCA site coding installed or implemented. The final deadline of 31 December may now have hardened the resolve of many to be ready in time. In our experience, despite the constraints on budgets and staff presented by the pandemic, there has been a huge amount of work undertaken by merchants to ensure they will be prepared for SCA. At J.P. Morgan, we began working with our merchant clients long before 2020, briefing them and helping to ensure they could meet requirements.
However, there appear to be some issues outstanding. Not all merchants may be ready yet. Some may have completed the site coding needed to enable SCA, but haven't necessarily turned it on, or haven't turned it on permanently. Some issuers in different countries haven't fully switched on SCA functionalities either. This means even if a merchant has launched SCA on its site, its customers may not be receiving the 3-D Secure 2.0 (3DS2) identification challenges that enable SCA from the issuer.
Rollout will likely be uneven, so make sure you’re ready, even if others aren’t
Delivering a cohesive, integrated rollout of SCA will be difficult—simply because there's so many different moving parts and players. When talking to clients, I’ve compared this to everybody preparing to play a new sport together. We have all been given the rule book, we have all been told that everyone is due on the field on 1 January 2021, but none of us have played this before. Is it all going to work?
Based on our intelligence, SCA is not going to just appear ‘everywhere’ online on 1 January. Right now, what we're actually seeing is a gradual ramp-up of initiation across Europe. Different issuers across Europe are starting to implement SCA, particularly for high-value transactions. We are observing card challenges happening within the ecosystem where we haven't seen them before. This glide path towards a much higher level of transaction queries and challenges is going to continue between now and December 31. Of course, there will be a big jump in SCA compliance on 1 January 2021, but between then and now, be prepared for some unpredictability as we shift into a whole new era of payments authentication.