Extension beyond 14 September 2019 of the deadline for compliance with the strong customer authentication (SCA) requirements of Commission Regulation (EU) No 2018/389 for e-commerce card payment transactions

The Law of 20 July 2018 amending the Law of 10 November 2009 on payment services and transposing into Luxembourg law the European Directive (EU) 2015/2366 on payment services (PSD2), as well as the European Commission’s (EU) delegated regulation 2018/389 on technical regulatory standards for strong customer authentication and common and secure open standards of communication (RTS on SCA and CSC), require payment service providers (credit institutions, payment institutions, electronic money institutions) to put in place, by 14 September 2019, strong customer authentication (SCA) solutions that ensure secure access to their online payment accounts and secure initiation of electronic payment transactions.

The CSSF is aware of the complexity of the required compliance changes in the field of e-commerce card payment transactions, taking into account the nature and number of stakeholders (card schemes, issuing and acquiring payment service providers, IT service providers, online merchants, payment service users) that need to take measures to be able to apply or request strong customer authentication.

Thus, following the Opinion of the European Banking Authority (EBA) of 21 June 2019, which allows the competent national authorities to extend the implementation period of the SCA if necessary and in order to minimise the risk of unintentional disruptions in the sensitive e-commerce sector, the CSSF grants the entities concerned an extension of the implementation period of the SCA beyond 14 September 2019. This extension applies only to the category of e-commerce card payment transactions.

Given the cross-border nature of e-commerce, the adoption of a common and harmonised European compliance deadline is considered essential. The CSSF will therefore participate in future discussions on an EU-wide timetable to be specified by the EBA (after the collection and processing of national individual data) and announced in the last quarter of this year.

The concerned entities supervised by the CSSF that wish to make use of this additional period are required to inform the CSSF and must submit a detailed migration plan to it, in accordance with the timetable to be indicated by the EBA. This plan should include, among other things, the entity’s planned communication initiatives to inform and involve its merchants and/or users (consumers and businesses) in the migration to SCA.