- Wrong not to consider the impact of COVID-19
- Spain and France are well behind Ireland, UK
- Workaround easier to implement than SCA
Several EU countries are too far behind in their preparedness to be ready in time, according to the payments industry, as the strong customer authentication (SCA) deadline comes next month.
“It’s quite clear that the industry at large is nervous about the big start. If research is to be believed, billions of sales are at risk due to the SCA cliff edge,” said Alexis Waravka, digital and competitiveness head at Independent Retail Europe.
With little time left, the payments ecosystem is not confident of an easy transition.
“Since summer, our testing shows there hasn’t been a lot of change. We haven’t seen the improvements that we hoped for,” said Dean Jordaan, payments director at Microsoft.
Disruption risks are quite high and if you add the pandemic to that, the two together could make for a bad mix, Waravka pointed out. “However, not all countries nor industries are equally struck by this and some are more ahead than others.”
Two countries struggling most are Spain and France, according to Jordaan. For example, Spain still has not enabled the second version of 3D Secure (3DSv2), he said.
“If they do enable at this late stage and enforce from January 1, we’ll be in a bad place,” he continued.
In France, an access control server is showing up in Microsoft’s testing with major problems, he explained. “So far, they’ve indicated they will deploy fixes in January, which is quite late.”
Member state issues are likely a result of a lack of a coordinated approach in the worst affected countries, said Una Dillon, European managing director for the Merchant Risk Council (MRC), noting that Portugal, Italy and Norway are also performing poorly.
Two countries performing well are Ireland and, ironically, the UK, where the compliance deadline has been pushed back to September, insiders have said.
“The lack of communication has been a weakness,” said Dillon, adding that this has been from the top down. “Small businesses, as well as consumers, haven’t really heard anything about SCA and the related payments industry changes,” she continued. To help counter this, the MRC has created a Slack channel for issuers and merchants to discuss issues.
A lack of awareness will leave consumers and small retailers bewildered, opposite of what the European Commission wants, which is consumer confidence in the EU payments systems, Dillon said.
Big retailers are more or less ok, but it is hard to say because testing has not worked under real-life conditions, said Neil McMillan, advocacy director at EuroCommerce. “Dummy tests haven’t always worked either,” he added.
“You now have potentially millions of merchants urgently needing to get their system to work with their banks’ systems. Getting the multiple handshakes needed for SCA to work isn’t an easy task,” McMillan continued.
“I hope the European Banking Authority (EBA) has made the right decision, but the experience and feedback we have had is that there are still problems and a lack of precise information,” he said. “We are very much afraid that the interfaces between the banks’ and merchants’ systems aren’t ready.”
It is the least convenient time for online sellers who are struggling with COVID-19, exploding online demand and card use and not to mention the Christmas rush, to discover that their transactions are collapsing, he pointed out.
“Large e-commerce markets, such as the UK, could be hit quite badly,” McMillan speculated.
“The reasons that we asked for this delay haven’t changed. We were not ready, but what we were experiencing was the first wave of the COVID-19 crisis,” said Waravka.
Now in the midst of a second wave, these issues remain the same, according to Waravka. “Many retailers, especially the smaller ones, are failing to get new investments to help solve some of the problems with SCA.”
“The EBA must recognise the pandemic did have a detrimental impact on projects that were running well until March 2020, with a target deadline of the end of the year,” said Dillon. “With people forced to work from home and losing access to systems, project teams, and support, the restrictions imposed put a big spanner in the works.
“While SCA was described in the Payment Services Directive four to five years ago, the technical standards to deliver SCA were unknown for some time,” she continued, pointing out that many payments organisations sought clarity from regulators on the technical requirements for several years, and that the first of these published by the EBA failed in providing that.
Attention has now turned to whether national competent authorities (NCAs) will step beyond the EBA’s deadline, and how strictly they will enforce.
“All countries wish to see enforcement done sensitively and it’s unlikely that fines will begin from day one,” said McMillan. However, he added that this will not solve SCA problems. “If a bank is insisting on SCA and merchants are not able to get their systems working, then transactions won’t be able to happen,” he warned.
It will come down to the extent the NCAs are willing to act independently of the EBA by allowing their banks an enforcement ramp-up period, said Jordaan, advocating that a ramp-up period could allow NCAs and banks to measure results and take pragmatic decisions.
Otherwise, he suggested: “A potential mitigation is to switch traffic from an EU to a US acquirer. In the spirit of the regulation I don’t want to do this, but it seems clear that hard enforcement is going to negatively impact the economy. I’m surprised that the EBA is maintaining a hard line given the evidence.”