23 September 2017
Christopher Jones - PSE Consulting

EBA Strong Customer Authentication - The End of Frictionless Card Payments?

06 October 2016  |  6574 views  |  2

It seems that European payments regulation may be forcing the cards market to take a step backwards. We appear to be moving away from the frictionless online payment environment that so many of us use day to day, towards a much higher-friction world in which every transaction over €10 is actively authenticated by the issuer. This blog explores some of the implications of the tough stance taken by the European Banking Authority (EBA) on consumer authentication in the European cards market.

Today many retailers side-step issuer authentication in order to let their customers use one-click check-outs (Amazon, Apple), pay for monthly subscriptions (Spotify, NowTV), or take taxis without getting out a wallet (Uber). In doing so, merchants take on the transaction risk themselves by virtue of liability shift (a principle embodied in the PSD2): a merchant that does not request issuer authentication carries the fraud liability. In addition, issuers in some markets (such as the UK) have invested extensively in Risk Based Authentication (RBA), which lets issuers accept transaction risk by not requiring a 3D Secure challenge in 90%+ of transactions. Issuers, consumers and merchants are all happy with this arrangement: issuers actively authenticate only the 5-10% of transactions they score as higher risk, merchants reduce basket drop-out, and consumers pay more easily.

On 23rd September 2016, the EBA held a Public Hearing as part of its role in defining the implementation rules for Strong Customer Authentication (SCA), one of the more detailed aspects of the Second Payment Services Directive (PSD2) that the EBA is mandated to specify. The PSD2 sets out that SCA requires payment account providers (issuers) to authenticate by combining two out of the following three elements: something you are (eg a fingerprint), something you have (eg a plastic card or token generator) and something you know (eg a PIN or password). At the Hearing the EBA also addressed the questions of risk based authentication and in-channel authentication.

Until this point the cards market was not too worried by the PSD2's SCA requirement, because we believed:

  1. The current 3DS process could be adapted to accommodate the SCA requirements
  2. Merchants would still have the liability shift option of not requesting additional authentication
  3. The investment in issuer RBA meant that only 5-10% of transactions should generate a security challenge

It became apparent at the EBA's Hearing, however, that these assumptions may prove false. Follow-up presentations by the EBA in other markets have reinforced this impression. It now looks highly likely that the EBA will require that:

  1. SCA is mandated for ALL transactions over €10
  2. Merchants are not able to take on risk, and accept liability shift, by not asking for authentication (ie issuers would be obliged to decline transactions that were not strongly authenticated)
  3. Merchants cannot let consumers authenticate in-app; the consumer has to be transferred to a separate authentication window (eg 3D Secure), app or platform (ie payment initiation and authentication are isolated from each other)
  4. Issuers cannot apply RBA, so every transaction over €10 may need to be challenged
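To make the contrast concrete, here is a small policy model, written as an added example for this post (it is not code from PSE Consulting or from the EBA, and it models only what the post says rather than the EBA's actual draft text). It encodes the two-out-of-three-categories definition of SCA from the PSD2 description above, and then a simplified version of today's regime (merchant liability shift, then issuer RBA) next to the regime the four points above describe (no opt-out, no RBA, everything over €10 challenged). The 0.90 risk cut-off, the Outcome names and the 20-transaction batch are constructed assumptions for illustration; the batch is not real data.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three PSD2 SCA element categories named in the post."""
    KNOWLEDGE = "something you know"     # PIN, password
    POSSESSION = "something you have"    # plastic card, token generator, registered phone
    INHERENCE = "something you are"      # fingerprint


@dataclass(frozen=True)
class Element:
    name: str
    category: Category


def satisfies_sca(elements):
    """PSD2 SCA: two or more elements drawn from DIFFERENT categories.
    Counting elements is the classic mistake: a password plus a memorable
    word is two elements but one category, so it is not SCA."""
    return len({e.category for e in elements}) >= 2


class Outcome(Enum):
    APPROVE = "approve without a challenge"
    CHALLENGE = "step-up authentication required (or decline if unavailable)"


@dataclass
class Txn:
    amount_eur: float
    risk_score: float                 # 0.0 (benign) .. 1.0 (high risk), issuer RBA output
    merchant_opts_out: bool = False   # merchant skips 3DS and accepts the liability shift
    elements: tuple = ()              # authentication elements already presented


def decide_current(txn, rba_threshold=0.90):
    """Today's regime as the post describes it: merchant liability shift first,
    then issuer RBA, so only the riskiest slice is challenged. The 0.90 cut-off
    is an assumed tuning chosen to challenge roughly 10% of the sample batch."""
    if txn.merchant_opts_out:
        return Outcome.APPROVE
    if txn.risk_score < rba_threshold:
        return Outcome.APPROVE
    return Outcome.CHALLENGE


def decide_proposed(txn, low_value_limit_eur=10.0):
    """The EBA position as the post reads it: no merchant opt-out, no RBA, and
    SCA on everything over EUR 10 unless two-category SCA has already happened."""
    if txn.amount_eur <= low_value_limit_eur:
        return Outcome.APPROVE
    if satisfies_sca(txn.elements):
        return Outcome.APPROVE
    return Outcome.CHALLENGE


def challenge_rate(txns, decide):
    """Share of a batch that would hit a step-up under a given policy."""
    challenged = sum(1 for t in txns if decide(t) is Outcome.CHALLENGE)
    return challenged / len(txns)


# Constructed batch (not real data): 20 one-click card-on-file transactions,
# risk scores spread evenly from 0.00 to 0.95, amounts from EUR 5 to EUR 43,
# no merchant opt-out and no authentication elements presented yet.
SAMPLE_BATCH = [
    Txn(amount_eur=5.0 + 2.0 * i, risk_score=i / 20) for i in range(20)
]

# Two element sets a card-not-present flow might have collected (assumed names).
PASSWORD_ONLY = (Element("password", Category.KNOWLEDGE),
                 Element("memorable word", Category.KNOWLEDGE))
APP_BIOMETRIC = (Element("registered phone", Category.POSSESSION),
                 Element("fingerprint", Category.INHERENCE))

if __name__ == "__main__":
    print("current regime challenge rate :", challenge_rate(SAMPLE_BATCH, decide_current))
    print("proposed regime challenge rate:", challenge_rate(SAMPLE_BATCH, decide_proposed))
    print("two passwords count as SCA?   :", satisfies_sca(PASSWORD_ONLY))
    print("phone + fingerprint is SCA?   :", satisfies_sca(APP_BIOMETRIC))
```

Run as written, the current-regime policy challenges 2 of the 20 constructed transactions (the two scored at 0.90 and above) while the proposed policy challenges the 17 priced above €10, which is the gap between "5-10% challenged" and "everything over €10 challenged" that the post is worried about. The `satisfies_sca` check is the part worth keeping even if the rest is thrown away: it is the category-independence rule, not the element count, that the PSD2 definition turns on.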

This outcome is a backwards step for the European cards market. It degrades the consumer experience at the point of payment, frustrates merchants who want to let customers check out easily, and annoys issuers who are promoting cards as an easy form of online payment.

Our worry is that this smells of a political initiative by the European Commission to "level the playing field" between credit transfers and card based payments by removing many of the current advantages of the latter (eg risk based authentication, card on file, etc.). It is worth noting at this point that in 2015 cards accounted for 56% of eCommerce spend across Europe, while credit transfers accounted for only 9%. This effort would therefore seem to undermine over half of European eCommerce spend in order to promote a minority payment type. For more detail on this and the topic of alternative payments see our recent presentation here.

Given that consumers and merchants have become so used to frictionless card based payment online, what could merchants consider as fall-back options? Below are some of our early thoughts:

  1. Accept SCA: For providers who predominantly interact with consumers on smartphones with biometric authentication this may be an option. However, it still requires an app redirect and a separate authentication process. For those using a PC, where SCA may involve separate pop-ups and passwords, this is likely to remain unattractive.
  2. Use Direct Debits: Direct Debits are not covered by SCA. However, this would require migrating a whole customer base from cards to Direct Debit, a product which also has some unattractive customer protection characteristics. Interestingly, some new payment schemes use a form of Direct Debit, so it will be interesting to see how the regulations apply, as this may be a source of innovation.
  3. Identify card based alternatives: These would need to be explored with care, but may present some interesting options. For example, although in theory one-leg-in transactions are covered by the PSD2, this aspect of the legislation is very difficult or impossible to enforce. There may be a growing market in card products issued outside the EU where one-click check-out is still possible.
  4. Keep transaction amounts under €10: For merchants selling digital goods, or those using a subscription model, this is a credible option. In this case merchants would only need to use SCA every tenth transaction.

We are hoping, along with the rest of the cards market, that the EBA softens its position in this area. This regulation carries a significant risk of distorting the market and pushing online merchants and consumers, for whom frictionless check-out is increasingly important, into new and less regulated payment types. Merchants, issuers, acquirers, card schemes and gateways should unite to lobby against this regressive move. It is good to see that this process has already started in the merchant community.


Tags: Payments, Risk & regulation

Comments: (2)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 06 October, 2016, 19:33

Yet another regulator sitting in an ivory tower and who, I'm sure, uses cash for daily payments and hasn't heard of things like friction.

Christoph Strauch
Christoph Strauch - not provided - Frankfurt | 07 October, 2016, 06:57

Hi Chris,

Good post, let me add some thoughts... As regards direct debits, one should read carefully no. 18 in EBA's consultation paper. It may appear that direct debits are also affected to some extent.

It is particularly astonishing that EBA puts so much emphasis on pull payments like cards. Just recently, the British consumer organisation Which? put forward a super-complaint regarding better protection of victims of fraud in push payments. In its reasoning, Which? proposed the view that for pull payments like cards and direct debits, liability is allocated appropriately and banks have approaches for reducing risk. So, at least the consumer organisations seem to be happy with the current procedures...

In my view, the EBA draft does not sufficiently reflect the essential features of push payment schemes and pull payment schemes respectively. Whereas multi-layered security (merchant, gateway, acquirer, issuer) is inherent to pull payments such as cards, security in push payment schemes draws primarily on the authentication of the payer through its bank.

Accordingly, security requirements which may be indispensable for push payment schemes may be considered disproportionate for pull payment schemes... EBA is mandated to apply "business model neutrality", but this does not mean ignoring the essential features of different sorts of payment schemes.

JM2C

Christoph
