Stringent online payments rules are fast approaching. Now firms want an 18-month delay

But fintech giant Stripe says it’s ‘irresponsible’ to hope for any extension on Strong Customer Authentication.

By Jonathan Keane Reporter, Fora

A TRADE BODY representing several European payments companies has called for an 18-month delay on the EU’s Strong Customer Authentication (SCA) regulations.

The slew of new rules that are due to come into effect on 14 September place greater responsibilities on online merchants and payment providers to verify their users.

However the industry has warned that companies are not fully prepared and it could have an adverse effect on the flow of online transactions in Europe.

In the latest warning, the trade association European Payment Service Providers for Merchants (EPSM) has called for an additional 18-month time frame for “standard applications” of the rules.

Furthermore, it is calling for a 36-month extension for “challenging applications”. The group pointed to the travel and hospitality sectors as examples of the latter.

This additional time frame “should be agreed in a harmonised migration approach” across the EU, it said.

EPSM is a trade association that represents merchants and payment service providers operating in Europe.

Its members include Ingenico, Paysafecard and the Irish bases of Elavon and Bluefin. There are a number of ‘non-voting’ members including Kerry’s Fexco.

Grace period

Fintech company Stripe, which creates payment processing solutions, on the other hand isn’t betting on any extensions.

“It would be irresponsible from us to let merchants hope for a grace period. We’re prepared for SCA, and we are helping our merchants to be ready on 14 September 2019,” a spokesperson said.

Stripe has been rather vocal on the impact of the rules and the need for preparation – it develops and sells tools to help merchants fall in line with these regulations.

The company is running much of its SCA compliance work from its Dublin engineering base and recently acquired Irish startup Touchtech Payments to assist with the efforts.


Strong Customer Authentication is one component of the broader second Payment Services Directive (PSD2), a suite of European regulations that have been gradually introduced into the financial services sector since 2015.

Under this latest addition, merchants, banks and payment processors are required to implement two-factor verification checks on transactions over €30.

Industry players have warned that the stringent rules could make European e-commerce more cumbersome.

In June, the European Banking Authority acknowledged many of industry’s concerns in a published opinion. While the EBA has no clout in implementing extensions, its opinion made the case for some wiggle room.

“NCAs (national competent authorities) may decide to work with PSPs (payment service providers) and relevant stakeholders, including consumers and merchants, to provide limited additional time,” it said.

The relevant authority in Ireland is the Central Bank of Ireland. A spokesperson told Fora in June that it was aware of the EBA’s opinion but did not say if it would provide any additional time.

“We note the EBA’s commitment to ensuring customers will still be able to continue making online payments,” the spokesperson said.

“The Central Bank will continue to engage with industry representatives and financial services firms on this issue.”

Get our Daily Briefing with the morning’s most important headlines for innovative Irish businesses.