Extension beyond 14 September 2019 of the deadline for compliance with the strong customer authentication (SCA) requirements of Commission Regulation (EU) No 2018/389 for e-commerce card payment transactions

The Law of 20 July 2018 amending the Law of 10 November 2009 on payment services and transposing into Luxembourg law the European Directive (EU) 2015/2366 on payment services (PSD2), as well as the European Commission’s (EU) delegated regulation 2018/389 on technical regulatory standards for strong customer authentication and common and secure open standards of communication (RTS on SCA and CSC), require payment service providers (credit institutions, payment institutions, electronic money institutions) to put in place, by 14 September 2019, strong customer authentication (SCA) solutions that ensure secure access to their online payment accounts and secure initiation of electronic payment transactions.

The CSSF is aware of the complexity of the required compliance changes in the field of e-commerce card payment transactions, taking into account the nature and number of stakeholders (card schemes, issuing and acquiring payment service providers, IT service providers, online merchants, payment service users) that need to take measures to be able to apply or request strong customer authentication.

Thus, following the Opinion of the European Banking Authority (EBA) of 21 June 2019, which allows the competent national authorities to extend the implementation period of the SCA if necessary and in order to minimise the risk of unintentional disruptions in the sensitive e-commerce sector, the CSSF grants the entities concerned an extension of the implementation period of the SCA beyond 14 September 2019. This extension applies only to the category of ecommerce card payment transactions.

Given the cross-border nature of e-commerce, the adoption of a common and harmonised European compliance deadline is considered essential. The CSSF will therefore participate in future discussions on an EU-wide timetable to be specified by the EBA (after the collection and processing of national individual data) and announced in the last quarter of this year.

The concerned entities supervised by the CSSF that wish to make use of this additional period are required to inform the CSSF and must submit a detailed migration plan to it, in accordance with the timetable to be indicated by the EBA. This plan should include, among other things, the entity’s planned communication initiatives to inform and involve its merchants and/or users (consumers and businesses) in the migration to SCA.

Name	Description	Duration
cssf_cookies	Saves information regarding the user's consent to the use of cookies for each optional category.	1 year
ROUTEID	Technical cookie allowing load distribution.	Deleted when the browsing session ends
TBMCookie*	Security: This cookies protects the website against automated attacks.	Deleted when the browsing session ends
__utmvc	These first party cookies are set by a third party service to filter out malicious requests.	Deleted when the browsing session ends
__utmvm*	These first party cookies are set by a third party service to filter out malicious requests.	15 minutes

Name	Description	Duration
cssf_profile	This cookie adapts the website pages to the profile chosen by the visitor (professionals, markets, consumers).	1 year
pll_language	This cookie saves the user’s language choice.	1 year

Name	Description	Duration
_pk_id.#	Collects anonymous statistical data on the website consultations, such as the number of visits or the average time spent on the website. The data is processed in-house and is not shared with a third party.	1 year
_pk_ses.#	Collects anonymous statistical data for the tracking of the pages consulted during the browsing session. The data is processed in-house and is not shared with a third party.	30 minutes