Strong Customer Authentication (SCA) enforcement date

Last updated: 18 October 2019

Strong Customer Authentication (SCA) requirements officially went into effect on 14 September 2019.

To date, few European banks have started enforcing these requirements and declining non-authenticated payments. This is due to a temporary enforcement delay announced by the European Banking Authority on 21 June 2019. On 16 October 2019, the European Banking Authority further announced that the new SCA requirements should be fully enforced by 31 December 2020.

We expect the majority of European regulators to follow this new timeline and for European banks to request additional authentication for online payments by 31 December 2020, at the latest. Prior to this new announcement, the UK, French, and Danish regulators had announced a longer, 18-month enforcement delay. It’s still unclear whether these national regulators will now follow the new deadline or whether enforcement for payments from these countries will run on a different timeline.

How this impacts your business

Given the uncertainty around the enforcement timeline and ramp, we recommend preparing your payment flows to be SCA ready as soon as possible. This will help prevent an increase in declines as enforcement of these requirements ramps across European banks.

Our new payments APIs and other SCA-ready solutions are designed to take this uncertainty into account. If you're using our SCA-ready solutions, we'll only apply authentication and exemptions when they're required by the cardholder's bank—adjusting to each country’s enforcement timeline to minimise friction.

We're closely tracking any change in banks’ behaviour as well as the ongoing regulatory discussions, and we'll continue to update this page with the latest information.