Changes in online payments related to the implementation of legal requirements for strong customer authentication (#SCA) of users of payments services entered into force on 14 September 2019 (SCA means an authentication procedure developed in a manner protecting the confidentiality of data and involving the use of two or more of the following independent elements: 1. knowledge – something only the user knows; 2. possession – something only the user possesses; 3. inherence – something the user is). The introduction of these changes aims to ensure that payment services offered electronically are performed securely using technologies that can guarantee the secure identification of the user and minimize the risk of fraud. Several exceptions are provided, in which the SCA is optional, e.g. for low value operations, repeated operations with the same recipient and the same size, list of trusted beneficiaries (SCA is needed at the time of establishment of the list or change in the list).

Introduction of SCA has been postponed by several regulators in the European Union for a certain period of time and under certain conditions (e.g. United Kingdom, Germany, Italy, Spain, Denmark, Poland, France, etc.). Bulgarian regulator – the Bulgarian National Bank – has not delayed SCA introduction. Therefore, online retailers who have not yet discussed with their payment service provider the introduction of the new requirements may be jeopardized by the possibility of having their online customer transactions denied. In view of the latter, ambiguities in the chargeback claims of the recipients of funds and disputes may arise. This is an additional touch to the otherwise complicated regulatory environment at the Bulgarian national level in relation to the delayed implementation of Ordinance No. H-18 of December 13, 2006 on registration and reporting through fiscal devices of sales at retail outlets, the requirements for software for their management and requirements to online retailers, as well as changes to the Postal Services Act regarding postal money order and cash on delivery.

The new requirements should also be laid down in the online retailer’s general terms and conditions to inform consumers and comply with consumer protection laws, as well as GDPR.