Preparing for SCA in the EEA and UK
What is SCA?
Strong Customer Authentication (SCA) is a new set of rules that change how customers confirm their identity when making purchases online. The rules will help reduce fraud and enhance the integrity of the overall payments ecosystem.
SCA does this by providing additional protections to ensure that customers are safe when purchasing online to protect their money better. For example, a customer’s issuing bank may verify purchases and the customer’s identity via text message, phone call, card reader, or a smartphone app.
SCA enforcement is right around the corner
The SCA rules will come into force on:
- December 31, 2020, in the EEA
- September 14, 2021, in the UK
From these dates, merchants must receive, process, and pass on authentication data to their payment provider.
European merchants must be ready ahead of time as issuers in different countries may comply with additional national authorities’ milestones and 'soft decline' non-SCA compliant transactions earlier. Additionally, merchants will want to minimize the changes they’re making to their payment infrastructure and processes during the busy holiday period.
While the EC/EBA has excluded any further extension to the SCA non-enforcement period, some countries will extend the transition period beyond December 31, 2020.
In the UK, the Financial Conduct Authority (FCA) has extended the SCA transition period for e-commerce transactions until September 14, 2021. The FCA’s migration plan provides a ramp-up with soft declines as of June 1, 2021.
EEA-UK transactions will require SCA compliance as of September 15, 2021, or when SCA requirements are enforced in the UK—unless an exemption or exclusion applies.
Between December 31, 2020, and September 15, 2021, SCA is not enforceable in the UK. However, merchants should apply it on a best-effort-basis for EEA-UK or UK-EEA transactions — when a UK-acquired merchant is involved in an e-commerce transaction with an EEA issuer and vice versa.
Some issuers can identify UK-acquired merchants and will accept non-3DS authorizations between January and September 2021. Some may not, however. And these issuers may soft decline non-3DS authorizations.
It's recommended that as of January 2021, UK acquired merchants accepting EEA cards either support soft declines (and retry with 3DS) or always use 3DS.
The Banque de France has implemented a progressive ramp-up with soft declines. They’re applying three different approaches.
Issuers must soft decline non-compliant transactions according to the following timeline:
- October 2020 — soft decline of transactions > EUR 2,000
- January 2021 — soft decline of transactions > EUR 1,000
- Mid-February 2021 — soft decline of transactions > EUR 500
- April 2021 — progressive soft decline of transactions < EUR 500
Banque de France will require issuers to intensify soft declines if the SCA migration’s quantitative targets are not met.
The Banque de France has asked issuers not to apply soft declines for the T&E sector, at least until March 31, 2021, except if the soft decline substitutes a hard decline.
In Germany, the BaFin will formally maintain the EBA deadline of December 31, 2020. But it’s considering a progressive — 2.5 months or possibly longer — ramp-up of the use of soft declines.
Transition from 3DS 1.0.2 to EMV 3DS (2.x) and liability shift
Card schemes will stop supporting 3DS 1.0.2 in all regions on:
- Visa 3DS1 Verify by Visa processing will stop on October 14, 2022
- MasterCard 3DS1 SecureCode processing will stop on October 14, 2022
Merchants will no longer receive fraud liability protection using 3DS 1.0.2 on:
- Visa 3DS1 Verify by Visa transactions will stop having liability shift protection on October 14, 2021
- MasterCard 3DS1 SecureCode will stop having liability shift protection on October 1, 2021
Find out how you can make the new SCA regulations work for your business.