SCA requirements take effect on Sept. 14, meaning banks, issuers and merchants have just over a month to become compliant. Noncompliance could have a serious impact on merchants’ conversion rates, as transactions that cannot be properly authenticated could stall or get declined and frustrate both merchants and end consumers.
Implementation of SCA standards is still moving slowly throughout the EU, with just 40 percent of merchants claiming they are ready for the deadline. This leaves the remaining 60 percent scrambling to adjust their authentication and payment processes, and these eTailers have their work cut out for them: They will have to introduce security protocols like 3DS, learn which authentication methods are SCA-compliant and integrate those methods onto their platforms.
The EBA has revisited SCA requirements and how banks and merchants are prepping for it in light of this lack of preparedness. The EBA did not — and cannot — legally extend the deadline for SCA compliance, but it did acknowledge the complexity of the EU payments market. The regulatory body also announced SCA exemptions that may be made for certain merchants on an “exceptional basis.”
Meeting SCA requirements and understanding exemptions has become critical for online merchants as the deadline approaches. These exemptions could provide an essential buffer for merchants that are unaware of the rule or otherwise unprepared for the deadline.
Merchants and the exemptions to the rule
It is important to discuss issuing banks’ roles under SCA before examining what these exemptions are and how merchants can best approach them. Regulators have yet to come up with a standardized process that determines whether merchants or transactions are eligible for exemption, as that decision currently rests in the hands of the issuer. The transaction’s potential risk, the technical infrastructure in place to process it and the amount that is being paid are factors the issuer can use to accept or reject an exemption under SCA.
There are a few different SCA exemptions merchants can claim when consumers make certain transactions, such as low-value, recurring and corporate payments. SCA exemptions also apply to transactions processed via platforms that consumers have deemed trustworthy.
Transactions under €30 are already exempt from SCA, but there is a limit to how many can be approved consecutively without requiring 2FA. The rule currently states that issuers will need to determine whether authentication is required if a customer makes five low-value transactions with the same payment method. Recurring transactions such as monthly subscriptions can hit snags, however, as they are only exempt if the payment amount and recipient remain the same each time. The issuer will again need to determine whether authentication is necessary if those factors change.
Exemptions for corporate payments and for trusted beneficiary designations are more complex. Corporate payments may have their own security protocols and processes that could eliminate the need for SCA, but only for certain cases and specific corporate cards. Consumers can also list merchants as trusted entities for transactions, implying a level of trust between both parties and thus giving merchants an advantage. This does not allow consumers to have the final say over whether SCA is necessary, however.
Merchants can claim exemptions in each of these categories, significantly reducing the time it takes for transactions to settle. The lack of regulatory standards for SCA exemptions also means that merchants may have to work more closely with issuers, especially as the September deadline remains firmly in place.
SCA and changing regulations
EU regulators may very well develop standards for these exemptions in the future, changing how merchants and issuers approve and deal with online transactions. The strictness of these potential standards and how they will impact existing exemptions is still up in the air.
SCA exemptions are an important component for merchant success and operation, but the main problem with compliance continues to be the lack of awareness. Merchants that remain unaware and unprepared will likely suffer a decline in conversion rate revenue, leading to further struggles when implementing the necessary authentication methods for SCA. Educating and working with merchants to make sure they are as ready for SCA as possible is thus a priority for EU regulators, especially as the deadline grows nearer.