Call for extension to European payment security standard deadline

Payments processors across Europe have called on the continent’s banking regulator to extend the deadline for meeting the Secure Customer Authentication (SCA) security standard as the Covid-19 crisis strains resources.

Businesses are directing all resources possible to surviving the current global crisis, with limited resources left for projects such as SCA compliance. This is being made worse by lockdowns and staff cuts.

On behalf of non-bank payment processors, which it represents, the European Payment Institutions Federation (EPIF) – made up of the likes of Visa and Mastercard – has written to the European Banking Authority (EBA) asking for more support, including a six-month extension to the deadline.

SCA is part of the EU’s Payment Services Directive 2 (PSD2). It means that any online payments worth more than €30 would require two methods of authentication from the person making the payment, such as a password, biometic authentication such as a fingerprint, or having a phone that can identify them.

The EU’s PSD2 enables third parties to access the customer data held by banks via application programming interfaces (APIs), if customer consent is granted, and offer services using this information.

Payments could be initiated by third-party suppliers and account information viewed via them, or both. This would mean a third party could build services on top of an account and allow the consumer to use these rather than those offered by the bank.

Under the current timeline, payment processing merchants in Europe must meet the SCA rules by the end of December this year, but the PIF is calling for more time.

In its letter to the EBA, the EPIF asked the authority and the European Commission to introduce measures to support organisations meeting the deadline given the strain that the Covid-19 pandemic has put on resources.

“In light of Covid-19, this should also include the possibility of an at least additional six months for the market to be fully SCA ready. It is now clear that the Covid-19 crisis has significantly reduced the capacity available to progress SCA development and implementation,” said the EPIF.

“During the pandemic, companies have had to focus their efforts on business continuity, prioritising business critical activities targeted at maintaining stability and supporting consumers though the crisis.

“Many have had to change their operations to service new and pressing customer needs which, in many cases, includes relaxing their normal business terms. This all requires redeployment of resource to manage this activity and the governance and controls surrounding it.

“For many merchants, this also has to be delivered by a reduced workforce through layoffs arising from falling revenues and necessary social distancing measures.”

The deadline in the UK, which was originally set for September 2019, was extended by 18 months by the Financial Services Authority (FCA), with 14 March 2021 the new deadline.

The FCA said more time was needed to implement SCA given the “complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers”.