A new process for handling online card payments could soon stop customer purchases if traders don’t comply with the new rules. Adam Bernstein explains the change.
Online fraud is huge: according to Finextra Research, £4.1bn was stolen as a result of this type of theft between 2017 and 2018. To illustrate how personal the problem is, the firm quotes a survey of 2,000 UK adults, commissioned by comparethemarket.com, which showed that 22% of those surveyed had been defrauded this way in the last year.
Europe has, for some time, been worried about the problem of card fraud, and a new process known as Strong Customer Authentication (SCA), made under the Revised Directive on Payment Services (PSD2), will eventually be in place. It was originally set for 14 September but, in common with other EU states, the UK has postponed its introduction for 18 months to give firms more time to prepare. SCA is going to affect how the trade sells online.
SCA is to all intents and purposes an extra layer of security designed to prevent payment fraud. It ensures that online card transactions become more secure through “multi-factor authentication” – a second check to demonstrate that both the transaction and card holder are genuine. The aim of SCA is to be the ‘chip and pin’ of the online world; and rather like chip and pin, SCA will apply to transactions over a certain value – €30. But while SCA targets the online transaction, Mark Nelsen, Senior Vice President, Risk and Authentication Products at card processor Visa, says that banks and merchants may also need to regularly check that contactless payments are made by the correct cardholder too – by asking for a PIN. “This,” he says, “might occur after a contactless card has been tapped five times in succession, or when €150 has been spent using only contactless taps.”
As to how it’ll work, SCA could mean any one of numerous authentication methods, such as an online PIN or password; a device that only the cardholder can authenticate, say a smartphone; or a biometric trait such as a fingerprint or facial recognition that is clearly very personal.
SCA is going to mean a marked change to how firms sell online and how an estimated 420m customers in Europe – including the UK – buy at a distance. And for some there are worries that this extra layer of protection will add unnecessary complexity which will irritate customers who subsequently abandon their ‘shopping carts’ part way through the buying process – leading to lost sales.
Just as the GDPR revolutionised how data protection is managed and individuals access their information, so SCA is going to change how retail works.
What is PSD2?
As the name suggests, PSD2 is an update on the original Payment Services Directive (PSD) that was brought into force in 2007. Its stated goals were for a single market for payments with easier and more efficient cross border payments so that it mattered not if a payment was made to another within the same member state or to a party in a different member state.
PSD2 expands on PSD by permitting third parties to access an individual’s account information via the ‘Open Banking’ protocol; enhancing consumer rights, especially in relation to currency charges; and enhancing card holder security via SCA.
Change was clearly needed. According to a UK Finance report in 2018, UK Payment Markets, in 2017 there were 3.1bn credit card payments – an increase on the previous year of 13%. The same report reckons that by 2027 there will be 3.9bn credit card payments a year. In comparison, there were 13.2bn debit card payments in 2017 (up 14% on the previous year) and 2027 could see some 19.7bn debit card payments.
And with rising levels of card use come increasing risks of fraud. The European Central Bank, in its Fifth report on card fraud, published in September 2018, found that cards issued within Europe saw fraudulent transactions to the tune of €1.8bn in 2016 and that 73% of that sum related to card-not-present transactions.
That said, it’s worth noting that not everyone is in favour of SCA. In 2016, card processor Visa argued that the new process would risk disrupting online shopping while not necessarily increasing security. The point is well made from its perspective as its fortune naturally depends on transaction volume.
Changes online businesses need to make
Compliance with the new regime is mandatory. There will be no exceptions, and if the online trader doesn’t comply then all transactions will be automatically declined by the cardholder’s bank when they attempt to make a purchase. Further, by not planning ahead and developing authentication processes that offer the least friction to consumers, traders could see huge falls in sales as consumers switch off and vote with their feet.
Considering that, according to Ecommerce Europe in its European Ecommerce Report 2018 Edition, the European business to consumer online economy is worth around €602bn in 2018 (up from €307bn in 2013), if only 10% of consumers – let alone a potential 25% that could walk – abandon a transaction because of complexity or irritation then firms stand to lose huge sums.
But with new rules comes opportunity – a chance for firms to market themselves to customers as both being secure and trustworthy as well as having the simplest way possible of complying with the new rules. Of course, consumers want protection, but in today’s modern world, they also want simplicity and they want it now.
The rollout won’t be easy. While the EU demands compliance, every member state will see different interpretations of PSD2. Whether that’s from the banks, card issuers or central bank, there will be differences. On top of this there is the €30 exemption to take into account.
Clearly then, the first step for any online trader is to set their systems to recognise when transactions need to abide by SCA (because they are above the €30 threshold) or when they don’t (because they’re below). Further, recurring payments will also be exempt, which the system also needs to recognise. Allied to this is the option for a customer to ‘whitelist’ a business with their card issuer so that future purchases made from that business fall outside of the multi-step authentication regime. That said, some banks won’t permit this and, with the sheer number of banks in Europe (6,250 in 2017 according to the European Banking Federation), this may not even be an option for all but the largest of traders.
The second step is for a business to consider how SCA is to be operated within its trading platform. Is it to be by text, smartphone, email, biometric trait or other option? Given the size of some firms such as Amazon, the options are many. But for the smaller independent a text- or email-based process is likely to be more appropriate. Visa suggests that for transactions that require SCA, businesses should have what is known as 3-D Secure 2.0 (3DS) in place to enable them to apply exemptions such as low-risk transaction analysis or perform two-factor authentication when needed. The benefit to traders of 3DS is that it allows issuing banks to verify credit card owners during the transaction process – this means that those firms using this protocol can transfer liability for fraud disputes away from themselves.
A conversation with a firm’s merchant acquirer would be time well spent.
SCA is coming, like it or not, and those selling online need to plan ahead or else face a catastrophic meltdown as a huge chunk of their business is denied.
More information: https://bit.ly/2IxQikN