Industry Braces For Chaos On Eve Of Card Security Reforms

European retailers, acquirers and issuers are braced for chaos. This Saturday, highly controversial payment security rules go live across the EU, and although almost all member states have agreed to delay enforcement, there remains a risk of disruption, fragmentation and confusion for online shoppers.

September 14, 2019, has long stood as a landmark date for the bloc’s payments industry. That is the date regulatory technical standards on strong customer authentication (SCA) — a major part of the revised Payment Services Directive (PSD2) — take legal effect and bring in unprecedented changes for firms across the payments chain.

One of the most contentious aspects of the new rules is the demand for two-factor authentication on every online card payment, unless one of a complicated series of exemptions can be used.

For months, the industry has complained that uncertainty over how the rules are interpreted has drastically slowed preparations.

Firms claimed that immediate enforcement from September 14 would make online checkout more burdensome for shoppers, resulting in soaring transaction abandonment rates. Research by Stripe suggested a potential €57bn hit to the EU’s e-commerce industry.

Despite insisting the industry already had almost two years to prepare — member states were supposed to introduce PSD2 by January 2018 — the European Banking Authority (EBA) eventually agreed in June to let national authorities delay enforcement if certain conditions are met.

Since then, 23 of the EU’s 28 member states have either published statements or confirmed to PaymentsCompliance they intend to delay enforcement.

However, most are waiting for further information from the EBA before setting a new deadline, while others have forged ahead with their own timelines. The result appears to be lingering regulatory uncertainty and the risk of fragmentation to e-commerce activity that crosses national borders.

Member States Weigh Up Deadline Extension

The UK’s Financial Conduct Authority was the first national regulator to recognise industry pleas for a delay.

A letter penned by chief executive Andrew Bailey in late May — before the EBA said it would allow flexibility at national level — accepted the case for a transition period and tasked industry group UK Finance with drawing up a proposed roadmap to compliance.

The EBA’s announcement three weeks later took the form of a non-legally binding opinion, prompting a steady stream of responses from national authorities across the union.

France’s central bank was first to set out a timeline, stating that issuers and acquirers were expected to apply strong customer authentication to 60 percent of online card payments by the end of 2020, and to reach full compliance by June 2022. It later set a second accompanying 18-month timeline for the adoption of 3D Secure, a security protocol developed by Mastercard and Visa.

Since then, the UK and Denmark have each agreed to an 18-month extension, while authorities in Hungary are demanding full compliance within one year.

Most member states, however, have chosen instead to delay enforcement but wait for details on timings from the EBA.

Some have not done so publicly.

Latvia’s Financial and Capital Market Commission confirmed to PaymentsCompliance on Thursday it “has decided to provide an extension to the deadline”.

“This extension should be the same for all EU countries and should be agreed by national competent authorities within the EBA framework,” a spokesperson said. “The final deadline is expected to be set by the EBA by the end of the month.”

A spokesperson for Slovenia’s central bank last week confirmed suggestions it supported a delay, while in late August, Portugal’s central bank said it “will follow the EBA opinion published in June”.

Others have published more detailed statements.

In Poland, the Financial Supervision Authority chose to extend flexibility to contactless card transactions as well as online payments.

In Sweden, meanwhile, the default position is that compliance with the standards is expected — the country’s financial sector already boasts BankID, a widely used digital identity system — but firms that do need more time are permitted to submit their own migration plans.

Romania is something of an outlier. As its national transposition of PSD2 has yet to be completed, the regulatory technical standards have no legal effect in the country.

A spokesperson for the national bank acknowledged transition periods agreed in other member states and said “we assume that it would be possible also for the Romanian payments industry to need a delay”, but was unable to commit until it becomes the national competent authority for PSD2.

They stressed that the bank would make its own analysis of industry readiness, but said it is “open to agree, as soon as it will be designated as a competent authority, on migration plans to provide issuers and acquirers additional time” to meet the new requirements.

At the time of writing, the only member states where authorities have not yet set out any position publicly nor responded to queries from PaymentsCompliance are Bulgaria, Croatia, Estonia and Slovakia.

Online Retailers In ‘Last-Minute Rush’

With no EU-wide transition period in place, there is significant uncertainty about the impact on e-commerce from Saturday onwards.

“A lot of merchants don’t really know what to expect, and are preparing to shift transactions from left to right, from acquirer A to acquirer B, as a contingency mechanism,” said Scott McInnes, a payments regulatory expert and partner at Bird & Bird’s Brussels office.

“There’s a last-minute rush to make sure all hell is not going to break loose on Saturday.”

Even though the bulk of member state regulators have agreed to delay enforcement, retailers generally have no direct connection with the thousands of card-issuing banks in operation across Europe.

As it is ultimately issuers that can choose whether to accept or reject a non-SCA transaction, merchants cannot be sure that payments will be completed seamlessly from Saturday onwards.

“Some merchants have no visibility yet on what issuers are going to do, or even that they are aware they might have been given more time by their regulators,” McInnes said.

Ultimately, most retailers’ chief concern is that forcing two-factor authentication on shoppers before the technology makes that process seamless creates a high risk they will abandon purchases.

UK Finance’s proposed plan, submitted to the Financial Conduct Authority, estimated that applying strong authentication from day one would result in between 25 and 30 percent of online card payments being declined.

The resulting €57bn in lost revenue expected by Stripe, based on a study carried out by New York-based technology consultancy 451 Research, would be equivalent to around 10 percent of all online sales across the EU.

The travel and hospitality sector has been particularly concerned about the new rules. Agents typically collect a single payment from the end customer, but must then facilitate separate transactions with airlines, hotels and other providers — often at a later date.

Amadeus, a Madrid-based company providing reservation and ticketing services to airlines, this week published the results of a survey of 51 industry representatives.

It found that only a third would be ready to handle transactions that comply with the new rules from September 14. Around 20 percent said they needed until the end of this year, and another 20 percent said they would not be ready until the first half of 2020.

An 18-month transition period such as that offered in the UK “should provide the industry with an appropriate window to implement,” said Jean Christophe Lacour, Amadeus’ head of merchant services.

“However, we are encouraging all players in travel to remain focused and to deliver on SCA at the earliest opportunity.”

Harmony or Fragmentation: What’s Next For SCA?

The next milestone will be the timelines set out by the EBA. The authority has given no indication of when that is likely to take place, but industry insiders anticipate clarity by the end of September.

Industry heavyweights have generally rallied around an 18-month extension, which would be in line with the new schedules in place in the UK and Denmark.

A letter sent to the European Commission at the start of August argued for a final deadline of March 2021, with potentially longer for certain sectors.

The letter was co-signed by Visa and Mastercard, as well as the European Payment Institutions Federation, whose full members are Amazon Payments, American Express, Elavon, PayPal, Paysafe, Western Union and Worldpay.

It was also signed by EPSM, an association representing the acquiring sector, and by four retail industry groups: EuroCommerce; Ecommerce Europe; the European Hotel Forum; and the European Tourism Association.

A separate position paper from Mastercard has also argued for an 18-month delay, and emphasised the need for harmony across the EU.

Even if the EBA agrees to that timeline, however, there are already signs of fragmentation.

Payment providers operating on a cross-border basis already appear likely to face different regimes in the UK, Denmark, France and Hungary.

That could create issues where the issuer and acquirer are in different member states, particularly if the issuer does not know whether or not the acquirer has been granted an extension.

John Worthy, a partner at Fieldfisher and an expert in technology law, said earlier this month it is no small task for the EBA to reconcile the divergent views that have already emerged between different national authorities.

Giving the example of the UK, he said: “Anything less than 18 months and the UK will be an outlier; anything more than 18 months and the UK may be an early adopter. Neither of those are necessarily good for cross-border trade.”

There are also question marks for firms operating in member states where no transition period has been granted at all.

Bird & Bird’s McInnes suggested that payment providers still in the dark should consider contacting their local regulator rather than take the risk of being non-compliant from day one.

“I can’t imagine that any issuer or acquirer in a country where the regulator has not yet published anything would not at least have asked informally about their expectations,” he said.

“You have a legal deadline of September 14, so if an issuer or acquirer doesn’t know what their regulator expects, it would be strange to assume the regulator would be happy if they did not comply from that date.”

Table: SCA Transition Period by Member State

| Member State | Details |
| --- | --- |
| Austria | 21/08: Agreed to delay enforcement of SCA for online card payments, for a limited undefined period. |
| Belgium | 28/08: Acknowledged demands for a “reasonable and acceptable” migration plan. Details and timings have not yet been finalised. |
| Bulgaria | No details. |
| Croatia | No details. |
| Cyprus | 02/09: Agreed to “limited migration period”. Migration plans to be drawn up once timings are finalised. |
| Czech Republic | 26/07: Vowed to address industry unreadiness on an individual basis, but said its approach “will be consistent across the sector”. |
| Denmark | 04/09: All issuers and acquirers to be granted an 18-month transition period. Work to begin on setting relevant milestones. |
| Estonia | No details. |
| Finland | 05/09: Agreed to a non-enforcement period for online card payments. Timelines yet to be defined. |
| France | 11/09: Firms given 18 months to adopt 3D Secure v2 and apply SCA to the majority of transactions. Full compliance by June 2022. |
| Germany | 21/08: Will not immediately enforce SCA requirements. Timelines yet to be defined. |
| Greece | 26/08: Agrees to implement a “short and controlled” transition period for online card payments. |
| Hungary | 10/09: Sets a 12-month transition period for online card payments. Firms must present individual migration plans. |
| Ireland | 08/08: Supports a “limited” transition period but is awaiting a pan-EU position on a new deadline. |
| Italy | 01/08: Agrees to grant an extension “for a limited period” and urges firms to present a detailed migration plan. |
| Latvia | 12/09: Agrees to delay enforcement for online card payments, and favours a common deadline across all member states. |
| Lithuania | 11/09: Agrees to delay enforcement for firms that submit a detailed migration plan. Timelines yet to be decided. |
| Luxembourg | 30/08: Will extend the implementation period for SCA on online card payments. Timelines yet to be decided. |
| Malta | 14/08: Will delay enforcement for firms that provide evidence they are complying with an agreed migration plan. |
| Netherlands | 08/08: Agrees to allow more time for firms unable to meet the deadline. Timelines yet to be decided. |
| Poland | 19/08: Will allow a non-enforcement period for both online and contactless card payments. Timelines yet to be decided. |
| Portugal | 29/08: Will “follow the EBA opinion published in June” as well as any subsequent guidance on timings. |
| Romania | 12/09: Not yet transposed PSD2. Will make own analysis of readiness once legislative process has concluded. |
| Slovakia | No details. |
| Slovenia | 03/09: Supportive of delaying enforcement for online card payments. Timelines yet to be decided but harmonised approach preferred. |
| Spain | 11/09: Will delay enforcement for firms that present a migration plan. Timelines yet to be decided. |
| Sweden | 04/09: Compliance expected from September 14, but firms permitted to request more time and submit a migration plan. |
| UK | 13/08: Agrees to 18-month non-enforcement period for all issuers and acquirers. |

For more information on how authorities in every member state are preparing for the reforms, see PaymentsCompliance’s PSD2: Strong Customer Authentication Tracker.