The revised Payment Services Directive was introduced back in September 2019 (and gives online merchants until 2021 to fully implement its requirements). However, the story of Strong Customer Authentication goes even further back than this.
The SCA regulation is based on three key areas from 2007 EU legislation. Then as now, the most important considerations were:
- Strengthening consumers’ rights in payment transactions.
- Creating equal conditions of competition with the regulation of third-party access to account information.
- Improving security for all parties involved.
These considerations were implemented in the first version of the Payment Services Directive. Since then, payment technology has developed at an astounding pace, and there’s been an increase in the number of online payment gateways and third-party providers (TPPs). These providers offer consumers new possibilities for quickly and easily making payments but also open possibilities for vendors to access customers’ account information.
Access to consumer accounts was thus more or less open, leading to increased security risks. The EU’s reaction came relatively quickly in the form of clear regulations on the ways that TPPs and online payment gateways can gain access to customer accounts.
Strong Customer Authentication is the next step in reducing fraud in online transactions. Its application to merchants outside the European Economic Area is complex and depends heavily on where a business and its subsidiaries are headquartered. Businesses based outside the EEA should carefully check whether they are subject to SCA regulations.
A European law that potentially affects parties outside the EEA: this is one of the aspects that make the new SCA regulations so complex in their implementation. For this reason, payment service providers have requested a postponement of the deadlines for implementing PSD2 SCA. And indeed, a binding deadline has yet to be set.