Braintree Payment Solutions LLC

08/23/2019 | News release | Distributed by Public on 08/23/2019 13:05

SCA Cheatsheet: Affected Countries and Enforcement Timelines

Understanding if, when, and how Strong Customer Authentication (SCA) applies to your business can be confusing -- especially with all the rumors circulating and changes being announced by the European Banking Authority (EBA) and national regulators.

As the commerce platform for large and fast-growing enterprises that are building the most innovative commerce experiences globally, Braintree is committed to keeping you informed about the latest news and information regarding SCA requirements.

Below we've compiled up-to-date information on both the requirement and enforcement timelines. We'll be updating this post as new announcements are made, so you may want to bookmark it and check back periodically to see if there are any changes that may affect your business.

In which cases will SCA apply?

The way SCA will need to be applied will vary by transaction. It will depend on both the location of your acquiring bank and the location of the bank that issued your customer's credit card -- not necessarily where your business is domiciled. Please refer to this list to see which countries are affected by SCA requirements.

What are the most recent announcements regarding SCA enforcement timelines?

On June 21, 2019, the EBA announced it will allow national regulators to work with payment service providers, acquirers, issuers, and merchants to decide a transition plan beyond the September 14, 2019 deadline in their respective countries.

So far, one national regulator has officially agreed to an 18-month transition period and eight national regulators have officially confirmed their views in favor of a transition period. No national regulators have expressed a view against a transition period.

Here's the breakdown:

  • United Kingdom (UK): On August 13, 2019, the UK's financial regulator officially confirmed an 18-month transition period beyond the September 14, 2019 deadline to enforce SCA with banks and merchants.

  • Austria, Germany, France, Italy, Ireland, the Netherlands, Poland, and Denmark: Regulators in these countries have officially announced they are in favor of a transition period beyond the September 14, 2019 deadline, but have not announced details with regards to the length of a transition period and who would be impacted.

  • Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Finland, Greece, Hungary, Iceland, Ireland, Latvia, Lithuania, Luxembourg, Malta, Norway, Portugal, Romania, Slovenia, Spain, and Sweden: Regulators in these countries have not made any official announcements, but have not expressed a view against a transition period beyond the September 14, 2019 enforcement date.

What does this mean for my business?

An announcement of an extension by the country in which your business is domiciled doesn't necessarily mean your transactions are exempt from SCA requirements. As mentioned, enforcement depends on your acquirer relationship and where the cards you process were issued. With each country setting its own deadline, your transactions may not be completely exempt from SCA requirements.

What do I need to do?

Given these by-country nuances and an ever-evolving enforcement landscape, we strongly recommend you integrate Braintree's 3D Secure 2 (3DS2) solution prior to the September 14, 2019 deadline. If you do not integrate 3DS2, you'll risk increased declines on card transactions that are in scope for SCA after the deadline has passed.

Where can I learn more?

For instructions on how to integrate, refer to our 3D Secure developer docs.

If you have already integrated 3DS, make sure you have the latest SDK with the most up-to-date features. For details, refer to our 3DS2 migration guide.

To see how SCA will apply to different transaction types, including recurring transactions, read How SCA Applies to Common Payment Scenarios.

If you are still unclear about the details of SCA, or would like an overview on the mandate and its requirements, read PSD2: Strong Customer Authentication Explained.

For more information on the background and benefits of the 3DS2 protocol, as well as how Braintree's solution works, read 3D Secure 2: Next-generation Authentication.

As always, we're here to help. If you have questions or need help with your integration, contact us.