As a follow-up to our previous post regarding the “delay” in the SCA legislation: it is not strictly a delay but more of a grace period for those who have a plan but will not have it fully implemented come 14th September 2019. The Financial Conduct Authority (FCA) in the UK, the overseeing body, has decided to give organisations an 18-month window to fall in line and implement the SCA requirements.
Just to be clear, this is still a burning bridge: not being organised around the implementation of SCA requirements, including 3D Secure 2, does not mean you have 18 months to relax. In our world, if you’re using a payment processor who’s updated their APIs to use 3D Secure 2, you will need to make the switch/update. And you should make the update, because otherwise your customers or donors will feel greater friction at checkout and their payments will possibly fail indefinitely.
Grace is most likely for providers moving from 3D Secure 1 to 2, for the success of recurring payments, and for the banks getting themselves in order, since at the end of the day it will be up to the issuing bank to provide the 3D Secure processes to reduce fraud and shift liabilities.
For example, if you’re using PayPal’s non-hosted payment API, you will need to integrate a third party before 14th September to guarantee that your payments will be authenticated with the payer’s bank. If a body further up the chain is enforcing SCA, you will need to as well.
“However, accepting the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers, the European Banking Authority in June paved the way for some firms, on an “exceptional basis”, to get an extension if cleared by national authorities.
The UK’s FCA quickly indicated that it would give the industry extra time and has now confirmed an 18-month implementation plan for card issuers, payments firms and online retailers. This is in line with recommendations from UK Finance and European trade association EPSM.
Firms will not face enforcement action after September as long as there is evidence that “they have taken the necessary steps to comply with the plan”.”