11 June 2021
- The industry reported significant progress over the past 9 months in complying with the requirements for strong customer authentication (SCA) for e-commerce card-based payment transactions.
- This progress coincided with a significant reduction of the volume and value of fraud, for the same type of transactions and the same time period.
- Payment service providers (PSPs) in some jurisdictions are still lagging behind on some indicators.
The European Banking Authority (EBA) published today a Report on the data provided by PSPs on their readiness to apply SCA for the subset of payment transactions that are e-commerce card-based payment transactions. The Report highlights the status of issuing and acquiring PSPs in enrolling online merchants, payment cards and payment service users (PSUs) into SCA-compliant solutions, and in requesting SCA for online payment transactions after 31 December 2020, when the SCA migration period ended.
The EBA tracked the progress made by issuing and acquiring PSPs from September 2019 to April 2021 by monitoring a number of indicators that had been set out in the EBA Opinion of 2019 on the deadline for the migration to SCA compliance for e-commerce card-based payment transactions.
Based on the data collected from those PSPs, the EBA observed that significant progress has been made with regard to SCA compliance, as highlighted by the following key indicators:
- 99% of EU merchants are able to support SCA;
- 94% of all payment cards in the EU are SCA-enabled;
- 82% of all PSUs are enrolled into an SCA solution;
- 92% of e-commerce card-based authentication requests reported by acquirers are compliant with the SCA requirements; and
- 87% of initiated e-commerce card-based payment transactions reported by issuers are compliant with the SCA requirements.
This progress also coincided with a significant reduction of the volume and value of fraudulent e-commerce card-based payment transactions in the EU over the same period.
Finally, the Report notes that there are still PSPs in some jurisdictions that are lagging behind others in enabling SCA on their payment cards, enrolling PSUs to SCA-compliant authentication solutions or initiating SCA-compliant transactions.
Legal basis and background
The regulatory technical standards (RTS) on SCA and common and secure communication (CSC) underpin the new security requirements under the revised Payment Services Directive (PSD2) and have applied since 14 September 2019. These requirements were introduced to decrease the risk of payment fraud and to ensure the safety of payment service users’ funds and personal data.
In June 2019, with its Opinion on the SCA elements (EBA-Op-2019-06), the EBA granted national competent authorities (NCAs), on an exceptional basis, supervisory flexibility not to enforce the RTS on SCA&CSC, so that issuing and acquiring PSPs could migrate to SCA-compliant approaches and solutions for e-commerce card-based payment transactions.
The Opinion on the deadline for the migration to SCA compliance for e-commerce card-based payment transactions (EBA-Op-2019-11) set the deadline for said supervisory flexibility to 31 December 2020 and set out the actions to be taken by NCAs, as well as by issuing and acquiring PSPs, during that period. The Opinion also envisaged that the EBA would develop a Report on the status of SCA compliance by issuing and acquiring PSPs, based on consolidated information provided by PSPs through their NCAs.
- Report on the data provided by payment service providers on their readiness to apply strong customer authentication