SCA Confusion Over Member State Ramp Ups

Share this post

National competent authorities have taken an ambiguous position on their enforcement deadlines for strong customer authentication — which has left the market unsure about how much flexibility there is, sources say. 

Since the start of the year, national competent authorities in the EU are supposed to have been fully enforcing strong customer authentication (SCA), a requirement of the second Payment Services Directive, at the behest of the European Banking Authority (EBA).

However, some authorities have taken a unilateral approach to the regulatory requirement by implementing a gradual transition to full enforcement through different transaction levels.

SCA, which is meant to tackle card payment fraud, was originally set to be enforced from September 2019. However, the EBA chose to show flexibility, migrating this deadline to December 31, 2020, due to readiness concerns.

However, countries such as Spain and France, as well as those in the Benelux region, have taken a relaxed approach to their implementation of SCA, according to a source familiar with the payments industry. “The idea is saving the Easter holidays, they want to make sure people can shop online,” they said.

While the Banque de France has previously told VIXIO that it is not fully enforcing until July, the Banco de España, Spain’s responsible authority, has said that it is fully enforcing SCA.

However, VIXIO understands that Spain is pursuing a ramp-up strategy.

This comes at the same time as claims that the EBA is also taking a more relaxed approach — even if this is not an attractive prospect for them. “They could see that the industry was hitting a wall,” the source told VIXIO.

Previously, the EBA has warned that countries pursuing ramp-up strategies will face repercussions such as legal action. However, any sanctions or censures are yet to be imposed by the banking watchdog.

Italy and Spain have struggled to adapt to the new compliance requirements set out by SCA, according to data released by the payments consultancy, CMSPI.

“On an EU basis, what we’ve seen in February is an average failure rate of 31 percent across Europe, which isn’t far off what we were seeing with SCA testing data in 2020,” said Callum Godwin, chief economist at CMSPI.

Italy and Spain, however, have significantly higher rates, at an estimated 47 and 37 percent, respectively. “Our data in February so far shows little change, so there is a long way to go,” he added.

When approached for comment, the national competent authorities of Spain and Italy said that they were enforcing SCA, but did not delve into more detail.

“Please take note that the level of adoption of SCA in Italy is satisfactory,” said a spokesperson for the Banca D’Italia. “The situation is monitored with the aim of ensuring both the security and the smooth functioning of remote payment card transactions.”

Commenting on the impact of SCA in the Spain, Juan Salvador Ubeira Ruiz, sales director at the fintech start-up, Feedzai, told VIXIO that in general, Spanish banks had been expecting a delay, as had been the case in France.

This meant any preparations were done in a rush, and conversion was lost, he said.

In addition, there was very little awareness of SCA before it was enforced, he pointed out. “None of the banks did any campaigns and this meant that the first few weeks were a mess,” Ubeira Ruiz said.

“However, now it is in place, I expect adaptation to be quite fast. SCA will be ready by the summer,” he predicted, adding that the market has transitioned to the security protocol, 3D Secure version 2.1 (3DS 2.1) with ease.

In neighbouring Portugal, SCA has been fully enforced and is going well, according to Banco de Portugal. “Some fine-tuning is inevitable in a process of this dimension and involving so many players,” a spokesperson for the central bank told VIXIO, continuing that they have not received any complaints yet regarding non-compliance.

“Overall, there was a considerable effort from the Portuguese market to be fully prepared for the implementation of SCA requirements,” the spokesperson continued, pointing out that issuing payment service providers have now migrated the majority of their cards to the 3DS 2.1 protocol after work in 2020, while any remaining efforts continue this year.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?