Updated (September 14, 2019): SCA requirements have gone into effect in Europe. However, the by-country positions below still apply. Braintree is actively monitoring bank activity.
Updated (September 10, 2019): Croatia, Cyprus, Czech Republic, Estonia, Finland, Hungary, Lithuania, Luxembourg, Portugal, Slovakia, Slovenia, Spain, and Sweden have been added to the list of countries that confirmed their views in favor of a transition period.
Updated (August 30, 2019): Belgium, Greece, Ireland, Malta, and Norway have been added to the list of countries that officially confirmed their views in favor of a transition period.
Understanding if, when, and how Strong Customer Authentication (SCA) applies to your business can be confusing -- especially with all the rumors circulating and changes being announced by the European Banking Authority (EBA) and national regulators.
As the commerce platform for large and fast-growing enterprises that are building the most innovative commerce experiences globally, Braintree is committed to keeping you informed about the latest news and information regarding SCA requirements.
Below we’ve compiled up-to-date information on both the requirement and enforcement timelines. We’ll be updating this post as new announcements are made, so you may want to bookmark it and check back periodically to see if there are any changes that may affect your business.
In which cases will SCA apply?
The way SCA will need to be applied will vary by transaction. It will depend on both the location of your acquiring bank and the location of the bank that issued your customer’s credit card -- not necessarily where your business is domiciled. Please refer to this list to see which countries are affected by SCA requirements.
What are the most recent announcements regarding SCA enforcement timelines?
On June 21, 2019, the EBA announced it will allow national regulators to work with payment service providers, acquirers, issuers, and merchants to decide a transition plan beyond the September 14, 2019 deadline in their respective countries.
So far, one national regulator has officially agreed to an 18-month transition period and 25 national regulators have confirmed their views in favor of a transition period. In addition to the respective country announcements, given that the EBA is expected to provide further guidance on the acceptable duration of a transition period, Visa has officially announced that it will extend Europe’s EMV 3DS activation date to March 14, 2020. No national regulators have expressed a view against a transition period.
Here’s the breakdown:
United Kingdom (UK): On August 13, 2019, the UK’s financial regulator officially confirmed an 18-month transition period beyond the September 14, 2019 deadline to enforce SCA with banks and merchants.
Austria, Belgium, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, and Sweden: Regulators in these countries have announced that they are in favor of a transition period beyond the September 14, 2019 deadline, but not all have communicated specific transition details regarding the length of a transition period or who would be impacted. These details have been deferred to the EBA by the respective regulators.
Bulgaria, Iceland, Latvia, Liechtenstein, and Romania: Regulators in these countries have not made any official announcements, but have not expressed a view against a transition period beyond the September 14, 2019 enforcement date.
What does this mean for my business?
An announcement of an extension by the country in which your business is domiciled doesn’t necessarily mean your transactions are exempt from SCA requirements. As mentioned, enforcement depends on your acquirer relationship and where the cards you process were issued. With each country setting its own deadline, your transactions may not be completely exempt from SCA requirements.
What do I need to do?
Given these by-country nuances and an ever-evolving enforcement landscape, we strongly recommend you integrate Braintree’s 3D Secure 2 (3DS2) solution. If you do not integrate, you’ll risk increased declines on card transactions that are in scope for SCA.
What else do I need to know?
Braintree’s 3DS2 solution has been built to support both 3D Secure 1 and 2 authentication protocols. That means if issuers aren’t ready for 3DS2, Braintree will automatically divert your transactions to 3DS1 to help ensure your transactions are SCA compliant.
Where can I learn more?
For instructions on how to integrate, refer to our 3D Secure developer docs.
If you have already integrated 3DS, make sure you have the latest SDK with the most up-to-date features. For details, refer to our 3DS2 migration guide.
To see how SCA will apply to different transaction types, including recurring transactions, read How SCA Applies to Common Payment Scenarios.
If you are still unclear about the details of SCA, or would like an overview on the mandate and its requirements, read PSD2: Strong Customer Authentication Explained.
For more information on the background and benefits of the 3DS2 protocol, as well as how Braintree’s solution works, read 3D Secure 2: Next-generation Authentication.
As always, we’re here to help. If you have questions or need help with your integration, contact us.