The EU's Second Payment Service Directive (PSD2) was set to enforce Strong Customer Authentication (SCA) for digital payments on 14 September 2019. In June 2019, the EBA issued a delay in order to fulfill the objectives of PSD2 and achieve migration across the EU. As of October 2019, the EBA announced the new set deadline for SCA enforcement to 31 December 2020.
There are many layers to the PSD2 SCA delay. We’re going to run through some of the most commonly asked questions, pertaining specifically to the extension of the PSD2 SCA compliance date.
Q: Why is the effective date for PSD2 SCA no longer being enforced?
A: There was a strong feeling in the European Economic Area (EEA) and around the industry that urging merchants, issuers, payment service providers and others to comply by the original date – September 14 – would’ve significantly hampered digital commerce in the affected regions. Since this forecasted effect is antithetical to everything this mandate is trying to accomplish, the competent authorities in individual counties began submitting extension plans for more time to ensure their readiness.
Q: What is the time frame of the PSD2 SCA compliance plan that’s been proposed in certain EEA countries?
A: The European Banking Authority (EBA) has published a new Opinion on the deadline for the migration to SCA under PSD2. The EBA Opinion announces a new set deadline to 31 December 2020 and advises competent authorities to take immediate action toward SCA during the migration period. Several countries are expected to follow this proposed time frame.
Some countries have indicated that they are delaying the enforcement of this mandate for an additional 18 months after September 14, 2019, which would take us into March 2021. In total, there have been approximately 20 countries who have either acknowledged or announced that a temporary extension is necessary. Most of these countries, however, have not fully defined the length or exact scope of the delays yet.
Q: Is there going to be a new uniform effective date?
A: We do know that Visa and Mastercard have publicly come out in favor of a harmonized approach across all EEA countries for PSD2 SCA compliance, rather than the singular approach that individual countries are employing right now. Visa and Mastercard were also backed by the European Association of Payments Service Providers for Merchants (EPSM), the European Tourism Association (ETOA), the European Hotel Forum (EHF), the European Payment Institutions Federation (EPIF), Ecommerce Europe and EuroCommerce.
Q: Are there any other important dates on the calendar that we should know about?
A: Now that you mention it, there are! Visa has collaborated with the industry to recommend an 18-month transition period across all member states, which would provide sufficient time for all parties to make the necessary technical changes. Taking any additional time, beyond September 14, 2019, to get ready will depend on the position of the European Banking Authority (EBA) and your local regulator(s). The SCA requirement went into effect on September 14, 2019. But the EBA has accepted that local regulators may decide to work with PSPs and other stakeholders, to provide a transition period that gives all parties more time to get ready. More and more local regulators have publicly stated that SCA compliance will not be enforced on September 14, 2019.
We understand that your number one priority is successfully selling to your customers with a seamless purchasing experience. Visa is working with clients and regulators to ensure the industry moves in the right direction, even taking the steps to revise the requirements to ensure all clients are ready.
Visa has created an 18-month roadmap to accelerate the ecosystem with key milestones that all clients need to achieve (subject to the 18-month transition period being adopted by the EBA and your local regulator(s):
Q: Are there some countries that are still abiding by the original effective date?
A: Since all of the countries in the European Union (EU) have been granted the freedom to approach this delay however they see fit, there may still be some places that require SCA on Card-Not-Present transactions directly after the original effective date – September 14.
However, they can adopt the Visa roadmap that was recently released if they agree to. In the meantime, merchants and issuers should follow network communications, at least until their local competent authorities formally acknowledge or submit individual plans for approval by the EBA.
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.