
EBA Strong Customer Authentication - The End of Frictionless Card Payments?

It seems that European payments regulation may be forcing the cards market to take a step backwards. We appear to be moving away from the frictionless online payment environment that so many of us use day to day, towards a much higher friction world where every transaction over €10 is actively issuer authenticated. This blog explores some of the implications of the tough stance taken by the European Banking Authority on consumer authentication in the European cards market.

Today many retailers side-step issuer authentication in order to allow their customers to use one-click check-outs (Amazon, Apple), pay for monthly subscriptions (Spotify, NowTV), or take taxis without getting out a wallet (Uber). In this process merchants take on transaction risk by virtue of liability shift (a principle embodied in the PSD2). In addition, issuers in some markets (like the UK) have invested extensively in Risk Based Authentication (RBA) which has enabled issuers to accept transaction risk by not requiring a 3D Secure challenge in 90%+ of transactions. Issuers, consumers and merchants are happy with this arrangement. Issuers actively authenticate only 5-10% of higher risk transactions, merchants reduce basket drop-out rate, and consumers pay more easily.

On 23rd September 2016, the EBA held a Public Hearing as part of its role to define some of the detailed implementation rules for Strong Customer Authentication (SCA) under the Second Payment Services Directive (PSD2). The PSD2 sets out that SCA requires payment account providers (issuers) to authenticate by combining two out of the three following elements: something you are (eg a fingerprint), something you have (eg a plastic card or token generator) and something you know (eg a PIN or password). In the Hearing the EBA also addressed the issue of risk based and in-channel authentication.

Until this point the cards market was not too worried by the PSD2's SCA requirement because we believed:

  1. The current 3DS process could be adapted to accommodate the SCA requirements
  2. Merchants still had a liability shift option not to request additional authentication
  3. The investment in issuer RBA meant that only 5-10% of transactions should generate a security challenge

It became apparent in the EBA's meeting, however, that these assumptions may prove false. Follow-up presentations by the EBA in other markets have reinforced this perception. It now looks highly likely that the EBA will require:

  1. SCA may be mandated for ALL transactions over €10
  2. Merchants are unlikely to be able to take on risk, and accept liability shift, by not asking for authentication (ie issuers would be obliged to decline transactions that were not strong authenticated)
  3. Merchants cannot allow consumers to authenticate in app - they have to be transferred to a separate authentication window (eg 3D Secure), app or platform (ie initiation and authentication are isolated)
  4. Issuers cannot apply RBA, so all transactions over €10 may need to be challenged
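The two-of-three rule quoted from the PSD2 earlier, and the contrast between today's model (merchant liability shift plus issuer RBA, challenging only the 5-10% high-risk tail) and the mandated regime in the list just above, can be made concrete as an issuer-side decision function. The Python below is an added illustration written for this page, not code from the post's authors or from any issuer, scheme or gateway; the `RBA_CHALLENGE_SCORE` cut-off, the `Transaction` fields, the regime names and the 20-payment sample batch are all constructed assumptions. It shows the security-relevant detail that two factors from the same category (two passwords) are not SCA, and why the mandated regime turns a 5% challenge rate into 100% friction on a card-on-file flow.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Factor(Enum):
    """The three PSD2 element categories named in the post."""
    KNOWLEDGE = "something you know"    # PIN, password
    POSSESSION = "something you have"   # plastic card, token generator
    INHERENCE = "something you are"     # fingerprint


SCA_THRESHOLD_EUR = 10.00   # transactions above this are in scope, per the post
RBA_CHALLENGE_SCORE = 0.90  # assumed issuer RBA cut-off (constructed); above it the issuer challenges


def is_strong_authentication(factors: Iterable[Factor]) -> bool:
    """SCA needs two elements from DISTINCT categories.
    Password + memorable word are both KNOWLEDGE and therefore count as one element."""
    return len(set(factors)) >= 2


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    risk_score: float               # 0.0 clean .. 1.0 risky, output of an issuer RBA model (constructed)
    factors: Tuple[Factor, ...]     # elements the issuer has already verified for this payment
    merchant_takes_liability: bool  # merchant skipped authentication and accepts liability shift
    auth_channel_available: bool    # merchant can redirect to a separate 3DS window / app


def issuer_decision(tx: Transaction, regime: str) -> str:
    """Return 'approve', 'challenge' (step-up to separate authentication) or 'decline'.
    regime 'rba'      : today's model from the post: liability shift + risk based authentication
    regime 'mandated' : the EBA outcome the post anticipates: SCA on everything over EUR 10,
                        no merchant liability shift, no RBA."""
    if tx.amount_eur <= SCA_THRESHOLD_EUR:
        return "approve"                        # below the threshold, out of scope either way
    if is_strong_authentication(tx.factors):
        return "approve"                        # SCA already satisfied
    if regime == "rba":
        if tx.merchant_takes_liability:
            return "approve"                    # merchant carries the fraud risk (liability shift)
        if tx.risk_score < RBA_CHALLENGE_SCORE:
            return "approve"                    # frictionless: issuer accepts the risk
        return "challenge" if tx.auth_channel_available else "decline"
    if regime == "mandated":
        # Issuer may neither accept the risk nor rely on merchant liability shift.
        return "challenge" if tx.auth_channel_available else "decline"
    raise ValueError(f"unknown regime {regime!r}")


def challenge_rate(txs: Iterable[Transaction], regime: str) -> float:
    """Share of in-scope transactions that do not go through frictionlessly."""
    in_scope = [t for t in txs if t.amount_eur > SCA_THRESHOLD_EUR]
    if not in_scope:
        return 0.0
    friction = sum(1 for t in in_scope if issuer_decision(t, regime) != "approve")
    return friction / len(in_scope)


def sample_batch() -> List[Transaction]:
    """Constructed sample: 20 card-on-file payments of EUR 25 with no prior authentication,
    routed through a 3DS-capable merchant, one in twenty scored high-risk by the RBA model."""
    return [
        Transaction(
            amount_eur=25.00,
            risk_score=0.95 if i == 0 else 0.05,
            factors=(),
            merchant_takes_liability=False,
            auth_channel_available=True,
        )
        for i in range(20)
    ]


if __name__ == "__main__":
    batch = sample_batch()
    print("RBA regime challenge rate:     ", challenge_rate(batch, "rba"))       # 0.05
    print("Mandated regime challenge rate:", challenge_rate(batch, "mandated"))  # 1.0
```

The `sample_batch` flow is the one the post calls frictionless today: every payment is approved on risk except the single high-risk one (5% friction). Switching `regime` to `"mandated"` with the same batch sends every payment to a challenge, and a merchant without a separate authentication channel (`auth_channel_available=False`) is simply declined.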

This outcome is a backwards step for the European cards market. It degrades the consumer experience at the point of payment, frustrates merchants who wish to allow customers to check-out easily, and annoys issuers who are promoting cards as a form of easy online payment.

Our worry is that this smells of a political initiative by the European Commission to "level the playing field" between credit transfer and card based payments by removing many of the current advantages of the latter (eg risk based authentication, card on file etc.). It is worth noting at this point that in 2015 cards accounted for 56% of eCommerce spend across Europe, while credit transfers accounted for only 9%. This effort would seem to potentially undermine over half of European eCommerce spend in order to promote a minority payment type. For more detail on this and the topic of alternative payments see our recent presentation here.

Given that consumers and merchants have got so used to frictionless card based payment online, what could merchants consider as a fall back option? Below are some of our early thoughts:

  1. Accept SCA: For providers who predominantly interact with consumers on smartphones with biometric authentication this may be an option. However, it still requires an app redirect and a separate authentication process. For those using a PC, where SCA may involve separate pop-ups and passwords, this is likely to remain unattractive.
  2. Use Direct Debits: Direct Debits are not covered by SCA. However, this would require migrating a whole customer base from cards to Direct Debit, a product which also has some unattractive customer protection characteristics. Interestingly, some new payment schemes use a form of Direct Debit, so it will be interesting to see how the regulations apply, as this may be a source of innovation.
  3. Identify card based alternatives: These would need to be explored with care, but may present some interesting options. For example, although in theory one-leg-in transactions are covered by the PSD2, this aspect of the legislation is very difficult or impossible to enforce. There may be a growing market in card products issued outside the EU where one-click check-out is still possible.
  4. Keep transaction amounts under €10: For merchants selling digital goods, or those using a subscription model, this is a credible option. In this case, merchants would only need to use SCA every tenth transaction.

We are hoping, along with the rest of the cards market, that the EBA softens its position in this area. This regulation has a significant risk of distorting the market and pushing online merchants and consumers, for whom frictionless check-out is increasingly important, into new, less regulated payment types. Merchants, issuers, acquirers, card schemes and gateways should unite to lobby against this regressive move. It is good to see that this process has already started in the merchant community.



Comments: (2)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 06 October 2016, 19:33

Yet another regulator sitting in an ivory tower and who, I'm sure, uses cash for daily payments and hasn't heard of things like friction.

Christoph Strauch - not provided - Frankfurt, 07 October 2016, 06:57

Hi Chris,

Good post. Let me add something regarding direct debits: one should read carefully no. 18 in the EBA's consultation paper. It may appear that direct debits are also affected to some extent.

It is particularly astonishing that the EBA puts so much emphasis on pull payments like cards. Just recently, the British consumer organisation Which? put forward a super-complaint regarding better protection of victims of fraud in push payments. In its reasoning, Which? proposed the view that for pull payments like cards and direct debits, liability is allocated appropriately and banks have approaches for reducing risk. So, at least the consumer organisations seem to be happy with the current procedures...

In my view, the EBA draft does not sufficiently reflect the essential features of push payment schemes and pull payment schemes respectively. Whereas multi-layered security (merchant, gateway, acquirer, issuer) is inherent to pull payments such as cards, security in push payment schemes draws primarily on the authentication of the payer through its bank.

Accordingly, security requirements which may be indispensable for push payment schemes may be considered disproportionate for pull payment schemes... The EBA is mandated to apply "business model neutrality", but this does not mean ignoring the essential features of different sorts of payment schemes.
