Compliance with the strong customer authentication (SCA) requirements of Commission Regulation (EU) No 2018/389 for e-commerce card payment transactions

Reference is made to the press release of 30 August 2019 by which the CSSF announced that it had made use of the flexibility offered by the EBA concerning the implementation by payment service providers (PSPs) of the SCA beyond 14 September 2019 for e-commerce card payments transactions.

The CSSF informs these PSPs that it will start the expected actions foreseen by the new timetable proposed by the EBA at European Union level. PSPs, which need the additional time acknowledged by the supervisory flexibility made available by EBA to be fully compliant, should  migrate gradually to the SCA for e-commerce card payments transactions in order to fully achieve the objective of complying with the strong customer authentication (SCA) requirements of Commission Regulation (EU) No 2018/389 by 31 December 2020 at the latest.

The CSSF will regularly monitor the state of preparation of the Luxembourg market and the progress made to ensure that this new deadline is met.

Finally, the CSSF reminds the PSPs that the liability regime provided for in Article 74 of the PSD2 applies without delay. Issuing and acquiring PSPs are responsible for payment transactions and it is therefore in their own interest to migrate to solutions and approaches that comply with SCA requirements in an expedited way.