Security gets tougher for online sales

Europe has, for some time, been worried about the problem of card fraud. As part of the fight back, a new process known as Strong Customer Authentication (SCA) made under the Revised Directive on Payment Services (PSD2) will be in place.

Guillaume Princen, head of Continental Europe at card payment infrastructure firm Stripe, reckons that “SCA increases the likelihood that shoppers will abandon shopping carts in September (see note below) when they encounter unexpected obstacles to everyday online purchases.”

Online card fraud is huge and according to Finextra Research, between 2017 and 2018, £4.1bn was stolen as a result of this type of theft. And to illustrate how personal the problem is, the firm quotes a survey commissioned by Comparethemarket.com of 2,000 UK adults which showed that 22% of those surveyed were defrauded in the last year this way.

New protection

SCA is to all intents and purposes an extra layer of security designed to prevent payment fraud. It ensures that online card transactions become more secure through “multi-factor authentication”, a second check to demonstrate that both the transaction and cardholder are genuine. The aim of SCA is to be the ‘chip and pin’ of the online world; and rather like chip and pin, SCA will apply to transactions over a certain value: €30 (around £27). 

But while SCA targets the online transaction, Mark Nelsen, senior vice-president, Risk and Authentication Products at card processor Visa, says that “banks and merchants may also need to regularly check that contactless payments are made by the correct cardholder too, by asking for a PIN.” 

He adds that this “might occur after a contactless card has been tapped five times in succession, or when €150 (£135) has been spent using only contactless taps.”

As to how it’ll work, SCA could mean any one of numerous authentication methods such as an online PIN or password, a device that only the cardholder can authenticate, like a smartphone, or a biometric characteristic such as a fingerprint or facial recognition.

SCA is going to mean a marked change to how firms accept cards. And for some there are worries that this extra layer of protection will add unnecessary complexity which will irritate customers who may find themselves unable to pay. As Nelsen comments, “predominantly SCA will impact e-commerce merchants and contactless use”.

Change was clearly needed. According to a UK Finance report in 2018, UK Payment Markets, in 2017 there were 3.1 billion credit card payments, an increase on the previous year of 13%. The same report reckons that by 2027 there will be 3.9 billion credit card payments a year. In comparison, there were 13.2 billion debit card payments in 2017 (up 14% on the previous year) and 2027 could see some 19.7 billion debit card payments.

Changes firms need to make

Compliance with the new regime is mandatory. There will be no exceptions and if a firm doesn’t comply then all transactions will be automatically declined by the cardholder’s bank when they attempt to make a purchase. 

Furthermore, by not planning ahead and developing authentication processes that offer the least friction to consumers, businesses could see payment problems arise and customers switching to firms that offer a smoother experience.

The first step, as Nelsen explains, is that “businesses need to update their systems to recognise when a transaction requires SCA, and when a transaction is out-of-scope and does not require SCA.” This essentially means having systems recognise where transactions sit in relation to the €30 threshold, and whether transactions are recurring, as they too will be exempt from the regime.

There is the option for a customer to ‘whitelist’ a business with their card issuer so that future purchases made from that business fall outside of the multi-step authentication regime. However, not all of Europe’s 6,250 banks will offer this.
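As an added illustration of the scope checks described above (the €30 online threshold, the recurring and whitelisting exemptions, and the five-tap/€150 contactless rule quoted from Visa), here is a small decision routine. It is example code written for this article, not Visa's, Stripe's or any issuer's logic; the exact boundaries (whether the PIN is asked for on the fifth tap, whether €30 itself is in or out of scope) are assumptions, and real issuer rules carry further conditions the article does not cover.

```python
from dataclasses import dataclass

# Figures quoted in the article
LOW_VALUE_LIMIT_EUR = 30.00          # online purchases above this need SCA
CONTACTLESS_TAP_LIMIT = 5            # consecutive taps before a PIN is requested
CONTACTLESS_CUMULATIVE_EUR = 150.00  # contactless spend before a PIN is requested


@dataclass
class CardState:
    """Per-card counters an issuer might keep between PIN entries (constructed)."""
    taps_since_pin: int = 0
    spent_since_pin: float = 0.0


def online_requires_sca(amount_eur, recurring=False,
                        merchant_whitelisted=False, issuer_supports_whitelist=True):
    """Classify a card-not-present purchase; returns (requires_sca, reason).

    Order matters: exemptions are checked before the amount threshold, so a
    recurring or whitelisted payment stays out of scope whatever its value.
    A whitelist only helps if the cardholder's bank actually offers it.
    """
    if recurring:
        return False, "recurring transaction is out of scope"
    if merchant_whitelisted and issuer_supports_whitelist:
        return False, "merchant whitelisted with the card issuer"
    if amount_eur > LOW_VALUE_LIMIT_EUR:   # assumption: exactly €30 is still low-value
        return True, "amount above the €30 threshold"
    return False, "low-value transaction"


def contactless_requires_pin(state, amount_eur):
    """Apply the five-tap / €150 rule to one contactless tap and update counters.

    Returns True when the terminal should ask for a PIN; the counters reset
    at that point on the assumption that the PIN is then entered successfully.
    """
    state.taps_since_pin += 1
    state.spent_since_pin += amount_eur
    if (state.taps_since_pin >= CONTACTLESS_TAP_LIMIT
            or state.spent_since_pin >= CONTACTLESS_CUMULATIVE_EUR):
        state.taps_since_pin = 0
        state.spent_since_pin = 0.0
        return True
    return False
```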

The second step is for a business to consider how SCA is to be operated by the firm. Are transactions to be authenticated by text, smartphone, email, biometric trait or other option? 

Given the size of some organisations, Amazon, for example, the options are many. But for the smaller independent a text- or email-based process is likely to be more appropriate. 

Visa, says Nelsen, suggests that for transactions that require SCA, businesses should have what is known as 3-D Secure 2.0 (3DS) in place “to enable them to apply exemptions such as low-risk transaction analysis or perform two-factor authentication when needed.”

The benefit to firms of 3DS is that it allows issuing banks to verify credit card owners during the transaction process. This means that those businesses using the protocol can transfer liability for fraud disputes away from themselves. 

Interestingly, Princen believes that “one in four online businesses are not yet familiar with it [3DS]. Further, for those that are familiar, 24% believe they will only implement it [3DS] after the September deadline.”

Firms need to think about whether they want to implement SCA internally – and so become ‘expert’ – or hire in third-party help to undertake the task. A conversation with a merchant acquirer would be time well spent.

In summary

For Nelsen, SCA is “a positive change that will make online shopping safer for consumers, merchants and banks across Europe.” It’s going to cause a little disruption, but Nelsen reckons that “it is entirely possible to benefit from extra security and still have seamless commerce if firms are prepared ahead of 14 September and apply the appropriate exemptions.”

A study from 451 Research found that only 44% expect to be ready by 14 September; that SCA is less well known among smaller firms; and that 60% of businesses with fewer than 100 employees either didn’t know about SCA or weren’t planning on being compliant before implementation.

SCA is coming, like it or not, and firms taking payments online need to plan ahead or else face a meltdown as a huge chunk of their business will be denied from mid-September.

Note: Following objections from a range of businesses, enforcement of the new regulations is not expected to begin in September, although no new deadline has been confirmed as yet.