Last week, the European Banking Authority (EBA) published its opinion on the deadline and process for completing the migration to Strong Customer Authentication (SCA). The EBA now recommends December 31, 2020 as the date on which national regulators will begin to enforce the requirements.
This unified transition period means that merchants are expected to have additional time to prepare for enforcement. But what exactly is the transition period? And what does it mean for everyone involved?
SCA enforcement: a quick recap
As you may recall, the original date that the EBA identified for enforcement was September 14, 2019. But it was widely known (at least among those closely watching this situation) that there was limited readiness for 3D Secure 2 (3DS2), the industry-standard solution for meeting strong customer authentication requirements. And that limited readiness was not just on the part of merchants: payments service providers, issuers, acquirers, and payment networks were all scrambling to prepare. That’s likely why nearly every country in the European Economic Area (EEA) announced its support of some kind of extension. Now, a little over a month later, the EBA has agreed, recommending a 14-month pan-European transition period for SCA enforcement.
The EBA made the right decision. Enforcing SCA from the original date would not only have been detrimental to the very cardholders the requirements were meant to protect, but might also have had widespread negative economic impacts due to SCA-related declines. But the transition period doesn’t let merchants -- or the entire payments ecosystem -- off the hook. SCA is still coming, and next time everyone will need to be ready or face the consequences.
What exactly does ‘transition period’ mean?
Calling this a transition period implies that everyone is moving toward a common deadline, at which point the switch will flip and all issuers will begin to enforce SCA. But the reality is more nuanced. From now until December 31, 2020, individual issuers in specific markets may begin to enforce SCA requirements at any time. That means merchants whose transactions pass through an enforcing issuer will risk increased declines if they do not authenticate according to the requirements.
What do merchants need to do?
To be prepared for and help reduce the risk of declines during this period of potentially disparate authentication requirements, we strongly recommend you integrate and begin testing Braintree’s 3DS2 solution as soon as possible. Our flexible solution has been built to support both 3D Secure 1 and 2 authentication protocols, meaning if a particular issuer isn’t ready to support 3DS2, Braintree will automatically divert your transactions to 3DS1 to help ensure your transactions are SCA compliant. It will also tell you whether SCA is even required by a certain country, so you can make an informed decision on whether to invoke 3DS for your customers.
A word on exemptions
The transition period does not change anything when it comes to exemptions. Issuers, not regulators, make the final decision on whether to accept exemption requests or require SCA on any given transaction. As we’ve mentioned before, Braintree’s 3DS2 solution will have the capability to pass flags and indicators when an exemption is requested -- in other words, we will accommodate exemptions if merchants decide to use them. But it’s important to remember that by obtaining an exemption, merchants will miss out on any potential liability shift to the issuer and also likely give up any recourse to successfully challenge disputed transactions.
While we hope that the EBA’s opinion will prompt issuers and acquirers to handle things at least somewhat synchronously, being prepared sooner rather than later is the best thing merchants can do to minimize disruption. By testing and having the code ready to deploy -- even if you do not authenticate transactions now -- merchants can address any unforeseen reactions in any given market before SCA requirements are enforced.
For instructions on how to integrate, refer to our 3D Secure developer docs.
If you have already integrated 3DS, make sure you have the latest SDK with the most up-to-date features. For details, refer to our 3DS2 migration guide.
To see how SCA will apply to different transaction types, including recurring transactions, read How SCA Applies to Common Payment Scenarios.
If you are still unclear about the details of SCA, or would like an overview on the mandate and its requirements, read PSD2: Strong Customer Authentication Explained.
For more information on the background and benefits of the 3DS2 protocol, as well as how Braintree’s solution works, read 3D Secure 2: Next-generation Authentication.
As always, we’re here to help. If you have questions or need help with your integration, contact us.