PSD2 Strong Customer Authentication

PSD2 Strong Customer Authentication Enforcements. What to do with it?

Strong Customer Authentication (SCA) and PSD2 has been one of the most discussed topics of 2020 in the payments industry, considering the impact on merchants and online consumers.

For many, this seems to be a never-ending story, with the original enforcement date of 14th Sep 2019 postponed to the end of 2020 due to the considerable lack of market readiness in 2019.

National Competent authorities have been following different approaches and have decided to allow transition phases with the introduction of soft declined transactions above certain thresholds. BaFin (the German regulator) is one of the main national authorities to recently align with this approach.

In this post, we summarize what has been the main country approaches about the transition towards PSD2 and Strong Customer Authentication and what payment service providers or merchants should keep in mind.

Financial Conduct Authority (United Kingdom)

After initially postponing the deadline to 14 March 2021, On 30 April 2020 the FCA announced an additional 6 months delay for SCA enforcement due to the exceptional circumstances of the COVID crisis. The new deadline will shift 14 September 2021 with a progressive ramp-up with soft declines from 1st June 2021 until the SCA deadline on  14th September.

BaFin (Germany)

Bafin has initially announced that SCA will not be enforced until 31st December 2020. This was followed by a communication where is was recommended to issuers to follow a rump-up plan between mid-January 2021 and mid-March 2021 introducing soft declines as per the instructions below:

  • From 15th of January transactions above 250 EUR
  • From 15th of February transactions above 150 EUR
  • From 15th of March for all non authenticated transactions
Banque de France (France)

In France the Activation of soft declines are officially applied since 1st October 2020 and progressively ramping up until 31st March 2021. The latest comunicated transition plan follows the soft-decline timeline below:

  • From October until December 2020 above 2000 EUR
  • From January 2021 above 1000 EUR
  • From mid-February 2021 above 500 EUR
  • From April 2021 progressive extension to transactions below 500 EUR

Travel and hospitality MCCs are exempted until March 31st 2021.

Excluded MCCs
Banca d’Italia (Italy)

On November 2019 Banca d’Italia has announced that the enforcement date will be aligned with the EBA recommendation to 31st of December 2020. On 10th of December an update related to the introduction of a staged transition phase for the introduction of SCA has been communicated, looking as per below:

  • From 1st of January, all in-scope non-authenticated transactions above 1000 euros will be soft-declined
  • From 1st of February, all in-scope non-authenticated transactions above 500 euros will be soft-declined
  • From 1st of March, all in-scope non-authenticated transactions above 100 euros will be soft-declined
  • From 1st of April, the SCA requirements are enforced for all in-scope transactions
Banco de Espana (Spain)

The migration plan was initially targeting the 31st of December as the enforcement date even though the regulator has admitted the market difficulties, no further official statement has been provided. Recently a soft-decline plan was recommended as per below:

  • As from 15th of January: All transactions above 250 EUR
  • As from 15th of February: All transactions above 30 EUR
  • As from 1st of March: Full Enforcement

At Payment Universe, we can help you identifying the best approach and strategy to manage the Strong Customer Authentication transition phase. 

NBB (Belgium)

The NBB (National Bank of Belgium) previously announced that while the deadline of 14 September was still valid, the enforcement date would be delayed. It was later decided that starting with soft-declines for non authenticated transactions above 1500 euros, the following soft-decline plan will be introduced:

  • As from Tuesday, 19 January 2021: All transactions above 1,500 EUR
  • As from Tuesday, 23 February 2021: All transactions above 500 EUR
  • As from Tuesday, 23 March 2021: All transactions above 250 EUR
  • As from Monday, 19 April 2021: All transactions above 100 EUR
  • As from Tuesday, 18 May 2021: Full compliance
Central Bank of Ireland (Ireland)

The Irish Authority has provided a 5 Stage plan in order to fully enforce the SCA mandate starting on 20th of January with a full implementation starting from July 2021.

  • From 1st of March soft-declines above 750 euros
  • From 1st of April soft- declines above 500 euros
  • From 1st of May soft-declines above 250 euros
  • From 1st of June soft-declines above 150 euros
  • From 1st of July full-enforcement
FinanstilSysNet (Denmark)

After initially expecting readiness by 1st of January 2021, to ensure a stable payment processing and considering the implementation problems, such as IT release freezing periods, the Danish FSA expects that strong customer authentication will be used for all payments by 11 January 2021 at the latest.

FMA (Austria)

After initially postponing the enforcement date to 31st December 2020, during December 2020, the FMA presented a migration plan to Austrian issuers as per below:

  • Starting 15 January: SCA enforcement on transactions above 250 EUR
  • Starting 15 February: SCA enforcement on transactions above 150 EUR
  • Starting 15 March: SCA enforcement on all transactions
DNB (Netherlands)

The Dutch National Bank has confirmed the 31st of December 2020 with a migration plan which has included soft-declines starting in October 2020.

Dutch Issuers SCA roadmap

Other Regulators with clear position

CountryPSD2 Enforcement Date & Public Communication (if available)
Bulgaria31st December 2020
Cyprus (Central Bank of Cyprus)31st December 2020
Czech Republic31st December 2020
Finland (FSA)31st December 2020
Greece (Bank of Grece)31st December 2020
Hungary (Magyar Nemzeti Bank)31st December 2020
Lithuania (Lietuvos Bankas)1st April 2020
Luxembourg (Surveillance Commission of the Finance Sector)31st December 2020
Malta (Central Bank of Malta)31st December 2020
Norway (Finanstilsynet)31st December 2020
Poland (KNF)31st December 2020
Portugal (Banco de Portugal)31st December 2020
Romania31st December 2020
Slovenia (Banka Slovenije)31st December 2020
Sweden14th September 2019
(with the possibility for issuers to ask for extensions)
Card Schemes

The main card schemes are introducing measures to encourage merchants to support 3DS2. Mastercard is planning to decommission 3DS1 in October 2022, while VISA in Europe will remove liability shift starting in October 2021.

What is key for Payment Service Providers?

Such a fragmented scenario brings complexity and payment service providers have introduced, or need to introduce, some measures to mitigate the risk of payment disruption and massive soft-declines for merchants.

  • It is expected to see some merchants sending initiating non-3D Secure transactions in the scope of PSD2. It is important to monitor soft-decline behaviours and proactively make merchant aware if this happens.
  • When the payment checkout is controlled by the Payment Gateway (i.e. hosted payment pages) the PSP should consider offering 3DS reattempts in case of an initial soft-declined transaction.
  • During the migration towards 3DS2 and Strong Customer Authentication, a key recommendation is to constantly monitor Issuer Country and singular issuer BIN performances on both 3DS2 authentication and authorization level, considering temporary downgrades to 3DS1 for bad 3DS2 performing issuers.

What is key for Merchants?

Unless your business is accepting transactions only from a specific european country, reacting on singular country initiatives might just not be the best idea.

  • If you are not yet ready, the best recommendation to merchants is to just be ready as soon as possible. If 3DS2 has not yet been implemented, and it cannot be done before the enforcement, we strongly advise to use 3DS1, still considered a compliant SCA solution. Nevertheless, 3DS1 does not cover some specific PSD2 use cases such as storing credentials on-file or submitting the first transaction from a subscription plan, where SCA needs to be performed as mandatory.
  • If, and we hope this is your case, you are supporting 3DS2 we strongly recommend to build an advanced monitoring KPI framework to be sure that you are not being negatively affected by technical issues during the transition phase. This is the best approach to dynamically update your strategy according to market performances.

3DS2/ PSD2 Readiness Trends

Some payment service providers have started to provide weekly/monthly trends related to countries or issuer PSD2 readiness and SCA migrations:

If you need assistance with PSD2 implementations or you need to establish an advanced PSD2 monitoring framework, contact us today to schedule an introductory call.

Last Updated: 3rd January 2021