Last updated on: August 28, 2020
LATEST NEWS ON PSD2 / SCA
Updated information on SCA migration deadlines is provided in the country information in this section.
Covid Crisis SCA enforcement delays
18 June 2020
The European Commission (EC) responded to the EPIF letter where cross-section stakeholders in the card payments market requested EBA to grant an 'at least additional six months' for enforcing SCA due to COVID. The EC acknowledges the challenges that the pandemic is causing to the retail business and the difficulties to adapt IT systems in the current circumstances. However, they are of the opinion that the industry was granted enough time to comply with the SCA obligations. In light of this the EC would not support any further delay of the full application of SCA.
30 April 2020
The UK is the first country extending the delay in enforcement with 6 months due to the Covid crisis. The new deadline is 14 September 2021
25 March 2020
The EBA published a statement on consumer and payment issues in light of COVID-19.The EBA stated they will monitor the impact of COVID-19 on the industry’s readiness to implement SCA.
EBA Opinion 16th October 2019
On October 16th 2019 the European Banking Authority (EBA) has published a new Opinion on the migration and timeline of PSD2 SCA. In it, the EBA states that they allow national supervisory bodies to not enforce the regulation until 31 December 2020.
PSD2 Strong Customer Authentication (SCA)
After publishing the EBA Opinion on the elements of Strong Customer Authentication, the EBA has left some control to the national CAs (Competent Authorities) on the manner and timelines of post-PSD2 SCA enforcement.
It is important to note that an issuing bank may still decide to require SCA/3DS even though the country will not enforce PSD2. That is why the advice to all merchants is still to be ready to do SCA on all transaction in scope of PSD2. Adyen will, then, in most integration types skip 3DS where the bank does not need it (yet), and use it where it is needed, with our RevenueAccelerate Authentication Engine.
If you're currently not offering 3D secure, please start integrating now.
Here we provide an exhaustive list of country-specific migration plans, for informational purposes only. This list will be updated continuously as the landscape develops. Note that 'parties' refers to Acquirers and Issuers, and not to merchants directly, unless where otherwise stated by the regulators themselves. It is not necessary for Adyen nor for a merchant to actively request an extension with non-Dutch supervisory bodies, as the only relevant supervisory body for Adyen is the DNB in the Netherlands.
PSD2 Scheme information
Amex issues their own cards, which means that they can control fully whether authorizations are going to be declined yes or no. American Express has confirmed that "SCA rules will be fully enforced from 31 December 2020". Merchants are still encouraged to move ahead with their SCA efforts in an earlier stage.
For France, Belgium and the Netherlands Amex is following migration plans and guidance from the National Competent Authorities (e.g. national central banks) when applying SCA PSD2-compliance logic including soft declines. You can find those plans here.
Note that for other EU countries, excluding the above and the UK, American Express will follow the guidance and migration plan from the Spanish NCA, Banco de España, who until now has not presented a migration plan yet.
Additionally American Express is actively approaching mutual merchants to make sure they activate at least SafeKey 1.0 (3D Secure 1.0). If a merchant has not yet done this and they are already enrolled with Amex, they can ask Tech support to have 3DS/SK1 activated for them.
Visa published several mandates and deadlines to achieve EEA SCA market readiness before 31 December 2020:
- 14 March 2020:
Issuers must be live on EMV 3DS 2.1. From this date, merchants will receive fraud liability protection on both EMV 3DS authenticated and attempted authentication transactions when European issuers are not live on EMV 3DS. At this point, all European issuers are expected to be able to respond with an EMV 3DS authentication response, and the issuer will assume any liability for fraud.
- 1 July 2020
Visa is introducing an issuer behavioural fee for abandoned EMV 3DS transactions. The fee will initially apply per each abandoned transaction above a 15% threshold, and will be reduced over time to a 5% threshold. The abandonment rate used in the calculation will exclude incidences where merchants choose not to pass a challenge to a consumer.
- 14 September 2020
Visa will extend performance program monitoring to include risk-based authentication, SCA exeption and SCA exemption and out-of-scope.
- 20 September 2020
Merchants should support the highest EMV 3DS version supported by the issuers, 2.2 in this case. Step Up can be done with EMV 3DS 2.1 or 2.2.
General guidance from Visa is that merchants are advised to be ready to receive soft declines and authenticate where necessary as soon as possible irrespective of which market they process in.
Besides that, Visa issuers are mostly following migration plans and guidance from the National Competent Authorities (e.g. national central banks) when applying SCA PSD2-compliance logic including soft declines. You can find those plans here.
Mastercard published the following deadlines for all parties in the EEA to achieve market readiness for 3DS2:
- 01 July 2020
From July 2020 merchants should support EMV 3DS 2.1+.
Besides that, Mastercard issuers are mostly following migration plans and guidance from the National Competent Authorities (e.g. national central banks) when applying SCA PSD2-compliance logic including soft declines. You can find those plans here.
Diners and Discover will provide a solution for soft declines per 14 October 2020. There is no further information on when those will be applied.
China Union Pay
No information available.
No information available.
A soft-decline ramp-up plan has been published by Banque de France that will be followed by all Cartes Bancaires issuers. Find more information here.