It seems that European payments regulation may be forcing the cards market to take a step backwards. We appear to be moving away from the frictionless online payment environment that so many of us use day to day, towards a much higher friction world where
every transaction over €10 is actively issuer authenticated. This blog explores some of the implications of the tough stance taken by the European Banking Authority on consumer authentication in the European cards market.
Today many retailers side-step issuer authentication in order to allow their customers to use one-click check-outs (Amazon, Apple), pay for monthly subscriptions (Spotify, NowTV), or take taxis without getting out a wallet (Uber). In this process merchants
take on transaction risk by virtue of liability shift (a principle embodied in the PSD2). In addition, issuers in some markets (like the UK) have invested extensively in Risk Based Authentication (RBA)
which has enabled issuers to accept transaction risk by not requiring a 3D Secure challenge in 90%+ of transactions. Issuers, consumers and merchants are happy with this arrangement. Issuers actively authenticate
only 5-10% of higher risk transactions, merchants reduce basket drop-out rate, and consumers pay more easily.
On 23rd September 2016, the EBA held a Public Hearing as part of its role in defining the implementation rules for Strong
Customer Authentication (SCA), one of the more detailed aspects of the Second Payment Services Directive (PSD2). The PSD2 sets out that SCA requires
payment account providers (issuers) to authenticate by combining two out of the three following elements: something you are (eg fingerprint), something you have (eg a plastic card, or token generator) and something you know (eg a PIN/password). In the Hearing
they also addressed the issue of risk based and in-channel authentication.
Until this point the cards market was not too worried by the PSD2's SCA requirement because we believed:
- The current 3DS process could be adapted to accommodate the SCA requirements
- Merchants still had a liability shift option not to request additional authentication
- The investment in issuer RBA meant that only 5-10% of transactions should generate a security challenge
It became apparent in the EBA's meeting however that these assumptions may prove false. Follow-up presentations by the EBA in other markets have served to reinforce this perception. It now looks highly likely that the EBA will require:
- SCA may be mandated for ALL transactions over €10
- Merchants are unlikely to be able to take on risk, and accept liability shift, by not asking for authentication (ie issuers would be obliged to decline transactions that were not strongly authenticated)
- Merchants cannot allow consumers to authenticate in-app; they have to be transferred to a separate authentication window (eg 3D Secure), app or platform (ie initiation and authentication are isolated)
- Issuers cannot apply RBA, so all transactions over €10 may need to be challenged
This outcome is a backwards step for the European cards market. It degrades the consumer experience at the point of payment, frustrates merchants who wish to allow customers to check-out easily, and annoys issuers who are promoting cards as a form of easy
Our worry is that this smells of a political initiative by the European Commission to "level the playing field" between credit transfer and card based payments by removing many of the current advantages of the latter (eg risk based authentication, card on
file etc.). It is worth noting at this point that in 2015 cards accounted for 56% of eCommerce spend across Europe, while credit transfers accounted for only 9% of spend. This effort would seem potentially to undermine over half of European eCommerce
spend, in order to promote a minority payment type. For more detail on this and the topic of alternative payments see our recent presentation here.
Given that consumers and merchants have got so used to frictionless card based payment online, what could merchants consider as a fall back option? Below are some of our early thoughts:
- Accept SCA: For providers who predominantly interact with consumers on smartphones with biometric authentication this may be an option. However, it still requires an app redirect and a separate authentication process. For those using a PC
where SCA may involve separate pop-ups and passwords, this is likely to remain unattractive.
- Use Direct Debits: Direct Debits are not covered by SCA. However this would require migrating a whole customer base from cards to Direct Debit, a product which also has some unattractive customer protection characteristics. Interestingly
some new payment schemes use a form of Direct Debit, so it will be interesting to see how the regulations apply, as this may be a source of innovation.
- Identify card based alternatives: These would need to be explored with care, but may present some interesting options. For example, although, in theory, one-leg-in transactions are covered by the PSD2, this aspect of the legislation is very
difficult or impossible to enforce. There may be a growing market in card products issued outside the EU where one-click check-out is still possible.
- Keep transaction amounts under €10: For merchants selling digital goods, or those using a subscription model this is a credible option. In this case, merchants would only need to use SCA every tenth transaction.
We are hoping, along with the rest of the cards market, that the EBA softens its position in this area. This regulation has a significant risk of distorting the market and pushing online merchants and consumers, for whom frictionless check-out is increasingly
important, into new less regulated payment types. Merchants, issuers, acquirers, card schemes and gateways should unite to lobby against this regressive move. It is good to see that this process has already started in the merchant