The European body representing the interests of payments service providers for merchants calls for 18-month extension to SCA rules under PSD2

The European trade association (EPSM) fears that the uncoordinated delegation of the migration plan responsibilities to national competent authorities will lead to a very heterogeneous situation within the European Union.

Therefore, EPSM recommends that „all regions should agree an additional timeframe of 18 months for standard applications, as well as up to 36 months for challenging applications, such as those in the travel and hospitality sector.”, according to a press release.

„EPSM is aware that migration plans are currently being negotiated by payment industry participants, together with their respective national authorities. The aim is to find appropriate solutions for solving technical and operational challenges posed by remote card payments – for merchants, card holders, issuers, and acquirers.”

It is envisaged that Transaction Risk Analysis (TRA) can become a powerful exemption. According to the TRA exemption, a transaction can be flagged as a low-risk-transaction in case the fraud rate of the respective PSP is below a certain threshold and a real time analysis has not revealed any risk. In case the issuer agrees, this transaction can be exempt from SCA.

As the issuers have the final say whether the exemption is granted, uncertainty remains on how extensively this exemption will be applied in the future. An interesting article can be found here.

According to a restrictive reading of the RTS by EBA, the online payment method ‘Remote card payment using OTP, 3DS and card data’ will not be allowed without e.g. an additional password or biometry, even if secured by EMV 3DS 2.x (the highest security level possible).

„This would lead to significant market disruptions.”, according to EPSM. Consumers would not be allowed to pay with this very secure payment method anymore. Therefore, a number of solutions are in discussion, to prevent a disaster for consumers and PSPs:

. Grant grace period for certain requirements – allow fall-back solutions

. Acknowledge that the combined use of the following elements is a valid SCA method: Card data – knowledge (EBA opinion: not compliant), OTP – ownership (EBA opinion: compliant), EMV 3DS – inherence (EBA opinion: not compliant).

EPSM said that a number of dialogues with the respective authorities are taking place these days illustrating the importance and possible impact. Unfortunately, there are no public statements available, but positive feedback (either by granting grace periods or by considering card data respectively EMV 3DS as 2nd factor) have been reported in the following markets: Belgium, Bulgaria, Denmark, Estonia, France, Hungary, Italy, Poland, Norway, Portugal, Slovakia, United Kingdom

Strong Customer Autentication (SCA), to be introduced September 14, 2019, requires robust additional security authentications for a majority of online transactions over EUR 30 (GBP 26.95). The rules are being introduced in a bid to tackle payment fraud.

When SCA needs to be applied, a two-factorauthentication (2FA) shall take place:

. Possession: Something only the user possesses (a card, a mobile phone, etc.).

. Knowledge: Something only the consumer knows.

. Inherence: Something the user is (biometric identification like fingerprint, iris or voice recognition, etc.).

The 2FA shall result in the generation of an authentication code (AC). The AC shall be only accepted once by the PSP when the payer uses the AC to access its payment account online, to initiate an electronic payment transaction or to carry out any action through a remote channel which may imply a risk of payment fraud.

In order to comply with the RTS on SCA, the schemes and EMVCo developed EMV 3DS 2.x. PSPs need to support it by September 2019 at the latest.

Regulatory technical standards (RTS) for SCA were adopted by the European Parliament in March 2018. The aim is to increase the security of electronic payments over by introducing two-factor authentication (2FA) – for all transactions over EUR 30 that fall under the scope of the rules. These include credit transfer via online banking, standard ecommerce card payments, card payments at POS (chip-and-pin) and more.

Yet the EPSM claims many questions about implementation remain unanswered, saying that “a lot of questions regarding the interpretation of the legal texts have been addressed to EBA [European Banking Authority]. Unfortunately, only a small number has been answered and a high level of uncertainty remains.

About the EPSM

The European trade association EPSM represents the interests of payment service providers for merchants, like acquirers and internet PSPs for the payments acceptance. As a non-profit organization, it provides a costeffective interest representation and general information exchange on payment topics to its members.

Since its founding in April 2005, the specialized EPSM has grown to 67 members with headquarters in 16 European countries (AT, BE, CH, CY, CZ, DE, FR, GR, HU, IE, IT, LU, LV, NL, SE, UK). There are 38 voting (ordinary) member (like acquirers, payment network operators, and internet payment providers) and 29 nonvoting (extra-ordinary) members like payment schemes, service providers, and terminal manufacturers.

The association has been in contact with the European Commission, the ECB, the EBA, and other European and national organisations and has actively taken part in several consultation proceedings. EPSM representatives are also active in the EU Payment Systems Market Expert Group (PSMEG) and the global PCI SSC Board of Advisors (PCI BoA).