There's increasing alarm that retailers will not be ready for new payment checks that must be applied from 14 September 2019 ("strong customer authentication" or "SCA"). The checks apply to electronic and remote payments, and these can include payments online and at kiosks or other machines. It's feared many aren't aware of the new checks or the potential for failed or abandoned transactions, causing a hit to revenues for retailers and payment service providers alike. As a result, the European Banking Authority says it will allow the Central Bank of Ireland to give payment service providers some extra time to comply with the SCA requirements, but only “on an exceptional basis and in order to avoid unintended negative consequences for some payment service users." PSPs must also have an agreed migration plan and execute it swiftly - which the CBI must monitor.
The EBA has also listed the types of features that will (and will not) enable compliance with SCA - which requires two checks based on what the customer is, what the customer possesses, or what the customer knows.
There is also guidance from the EBA on how to satisfy the additional requirements for "dynamic linking" (to ensure the SCA elements link the transaction to an amount and the specified payee when initiating the transaction); and that the SCA elements are independent of each other.
The EBA issued an earlier opinion and a Q&A on how SCA applies, but it remains to be seen how many retailers are aware of the new requirements at all, let alone the potential impact on customer experience and 'conversion' (customers dropping out at the payment step when asked to complete one or more additional authentication steps - or failing the checks).
Whether payments are affected can be a complex question. Firstly, this depends on whether they are within the scope of the EU directive on payment services ("PSD2"), as transactions may be out of scope based on currency or location. Even if the transactions are within the scope of PSD2, they may benefit from a specific exclusion. Assuming PSD2 applies, then SCA will apply if the transaction is remote or electronic (and initiated by the payer rather than being a 'merchant initiated transaction'). Even transactions that are in scope of the SCA requirement may be excluded from the need for SCA checks if the issuer of the payment instrument (not the merchant or acquirer) decides to apply any of the following potential exemptions:
Low-value transactions: up to €30 per transaction (limit of five separate transactions or €100);
Recurring transactions: e.g. subscriptions for the same amount and payee (SCA applied to the first transaction);
Whitelisted: payers can add payees to a whitelist of trusted beneficiaries with the issuer, but payees can't request this;
Corporate payment processes: dedicated process for non-consumers, approved by the regulator (member states may exclude micro-enterprises as consumers);
Contactless: up to €50 (limit of five separate transactions or €150 without an SCA check);
Unattended terminals: only for paying transport fares or parking fees;
Low-risk of fraud: as determined by the issuer, depending on its average fraud levels for the relevant acquirer (not by merchant/channel), with different limit for cards and credit transfers.
It's feared many aren't aware of the new checks or the potential for failed or abandoned transactions, causing a hit to revenues for retailers and payment service providers alike.