Strong Customer Authentication is now live across the EU. All transactions within the EU of value exceeding € 30 need to be authorized via SCA as of 14th September 2019, unless an allowed exemption applies.
PSP have more time to implement SCA
However, on 21st June 2019 the EBA issued an opinion that allowed National Competent Authorities (NCA) of each Member State to provide a transition period in the application of SCA to PSPs that requested an extension to get ready. PSPs need to agree with the relevant NCA a roadmap to expedite implementation of SCA.
Who is liable for any fraud during the transition period?
That is a benefit to PSPs to be able to get ready in a more comprehensive structured manner without incurring a penalty from a NCA, but it should be clearly understood and the liability rules stated in art. 74(2) of the PSD2 fully apply during the transition period, so the relevant PSPs bear the same liability as if the transition period were not provided.
What elements are SCA compliant?
Another important note is related with the elements of SCA that the EBA value as compliant. In particular in the 21st June opinion the EBA indicates that card details printed on a payment card are not a compliant possession element/factor as they are easily used by anyone in the event the card is lost/stolen. We share this opinion; however, this make a burden on issuers as they would need to rely on a different possession element and in a number of instances create a new one, and educate their customers as a consequence.
In our opinion, another reason for doing so is to stimulate non-card payment methods as most payment cards run on non-European schemes and the EU would be happy to stimulate EU-based payments methods, such as instant payments.
SMS OTP not secure
A second comment is the use of OTP sent via sms, which the EBA values as a compliant SCA possession element. We are surprised with this decision as sms have been violated several times in Europe (see attachment) so sms are a weak element to protect from fraud. We recommend in-app authentication in lieu of sms as the enhanced security promised by SCA may be at risk.
The CleverAdvice Team