The Green Sheet

Monday, September 16, 2019

Online merchants struggle with new EU authentication rules

Strict new customer authentication rules are set to take effect in Europe, but not everybody is ready, leading the European Banking Authority to allow additional time for banks, financial technology firms and merchants to start toeing the line.

The new security rules aim to thwart online payment fraud, which has been skyrocketing now that the EMV security protocol is the norm for card-present transactions worldwide. According to Mastercard, the fraud rate for digital payments in Europe is now 10 times greater than it is for card-present transactions.

A revised Payment Services Directive, known as PSD2, put forth by the European Commission in 2015, regulates payment services and payment services providers throughout the European Union. It put in place rules for competition and participation in the payments sector, as well as consumer protection requirements. Key to the consumer protections set forth in the directive were strict new requirements for authenticating online payments known as SCA (for strong customer authentication).

Widespread lack of awareness

The SCA requirements went into effect on Sept. 14, 2019. Online merchants must now implement authentication procedures that involve at least two of three elements. These are: something a customer knows, such as a password or PIN; something the customer has (for example, a phone or hardware token); and something the customer is (fingerprint or face recognition).

There are exceptions, however, for low-value payments (30 Euros or about $33), recurring payments, and transactions involving customers who have white-listed merchants as trustworthy. “PSD2 changes the rules of the game for the global payments industry and is based on some of the same principles that constituted GDPR [General Data Protection Regulation], enforcing consumer protection and security requirements on companies operating in the EU,” said Aite Senior Analyst Ron van Wezel. “Businesses should be sprinting to get their houses in order.”

But card issuers, merchants and payment services providers appear to be struggling to meet the SCA deadline. In fact, many online merchants remain in the dark about SCA. A Mastercard survey released in December 2018 found that 86 percent of online merchants operating in the EU were not yet supporting SCA, and 75 percent were unaware of the new regulation. Just 25 percent of online merchants in Europe expected to be SCA-ready by the September 2019 deadline.

“It is clear that the industry needs more time before active enforcement of SCA; otherwise the negative impact is likely to be extremely high and painful,” said Mark McMurtrie, director of Payments Consultancy Ltd, based in London. McMurtrie headed up a study commissioned by the Emerging Payments Association. Study findings, released in July 2019, revealed that 75 percent of card issuers in the UK would not be operationally ready for SCA by the September 14 deadline.

Regulators offering more time

Some regulators appear to be heeding calls for more time. The EBA, the central banking regulator for Europe, in June released an opinion letter explaining that national regulators could provide compliance leeway “on an exceptional basis.” The UK’s Financial Conduct Authority was the first to state it would do just that, offering an 18-month compliance reprieve to payments and ecommerce providers in the country.

“The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster,” said Jonathan Davidson, executive director for supervision at the FCA. “While these measures will reduce fraud, we want to make sure that they won’t cause any material disruption to consumers themselves; so we have agreed to a phased plan for their timely introduction.” Davidson added that the FCA expects all issuers, payment processors and merchants to have completed necessary changes to comply with SCA rules by March 2021.

The Hungarian National Bank extended the deadline for SCA compliance in that country to September 2020. French regulator Bank of France created a multistep migration path for businesses in that country; a majority of services are expected to be SCA compliant by December 2020, and full compliance is expected in 2022, the French banking regulator said.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
