COVID-19 cannot be an excuse to delay making online payments safer

PRESS RELEASE - 06.05.2020

Card schemes and e-merchants are putting pressure on the European Commission and the European Banking Authority (EBA) to postpone the implementation of stronger security rules for online payments.


Strong Customer Authentication (SCA) rules should already have entered into force on 14 September 2019. The EBA since extended this deadline until the end of 2020. Now, card schemes and e-merchants are applying increasing pressure to postpone this deadline once again.

These new rules are part of the EU’s Payment Services Directive (PSD2), one of the main objectives of which is to improve the security of digital payment transactions, particularly online. This enhanced security will benefit both consumers and e-merchants and payment service providers, as consumers will be more confident to shop and bank online.

BEUC Director General Monique Goyens said: “Online fraud was already growing even before COVID-19. With the onset of the crisis, we have seen a significant increase in both e-commerce transactions and unfortunately fraud, particularly around the purchase of health goods. This in itself should be a good reason to accelerate the implementation of stronger security rules for online payments.

“These rules should have already entered into force last year and industry players have been dragging their feet and trying to water down the rules. The industry has had more than four years’ notice about the new rules and so had time to adjust. Any further delay is an unacceptable risk for consumers.

“If certain sectors are, however, temporarily exempted from these rules to allow them more time to adapt due to the crisis - such as the tourism or entertainment sectors - then existing consumer protections must apply. That means if a consumer contests a transaction, they have to be reimbursed immediately by their bank.1 Unfortunately, this rule does not cover fraud cases from fraudulent merchants.”

1 Payment Services Directive 2, article 74.2: “Where the payer’s payment service provider does not require strong customer authentication, the payer shall not bear any financial losses unless the payer has acted fraudulently” and 73.2  “shall refund immediately, and in any event no later than by the end of the following business day the amount”