Visa slams European plans for stronger online transaction authentication rules

Visa has lashed out at European Banking Authority (EBA) plans to toughen up authentication rules for online transactions over EUR10, claiming that they will lead to more declined transactions, complicated checkouts and abandoned purchases.

In January the EBA will publish its final proposed standards in response to the requirements of the Payment Services Directive, which mandates strong customer authentication (SCA) for all electronic payments.

SCA means that for every transaction over EUR10, online shoppers will have to go through additional steps - such as entering passwords, codes or using a card reader - at checkout.

Visa says that this means the end of the kind of one-click checkouts seen at sites such as Amazon and no more fast, automatic in-app payments where cards are already stored.

With Visa data showing that express online checkouts currently make up half of all e-commerce sales across Europe, the card giant says the changes will prove a massive setback for retailers and shoppers.

The firm has commissioned a survey which shows that just over half of Brits would abandon purchases if more steps are added to the checkout process.

International websites selling to European consumers will also have to follow the new rules or purchases will be automatically declined. Meanwhile, we could also see longer queues and issues using cards at places like toll booths and parking where PINs are not required today.

Peter Bayley, chief risk officer, Europe, Visa, says: "These new proposals threaten to seriously disrupt the way we all shop. The plans will bring a host of complications and inconveniences including more declined transactions and longer and more complicated checkout experiences with little if any benefit to consumers.

"Managing payments is always about balancing security and convenience. If you tip the balance too far one way, you end up making it either too difficult or too risky for consumers to make purchases wherever, whenever and on whatever device they want. Either way it annoys consumers and damages businesses’ potential to sell their goods and services."

Bayley says that there is not even any evidence that the SCA rules will cut fraud, claiming that the current risk-based authentication system works, with fraud on Visa cards at less than five cents in every EUR100 spent.

Comments: (7)

A Finextra member, 22 November, 2016, 21:25 (0 likes)

Are bridge or road tolls really over 10EUR?

This will push people to use Samsung Pay, Apple Pay, and other one-time token systems.  I've never used them, but it's very interesting.

A Finextra member, 22 November, 2016, 21:29 (3 likes)

Visa has been providing e commerce payments for 20 years without building authenticated, secure payment means. Last week my friend got his Visa card blocked by the issuer since somebody was using my card no for unauthenticated e comm transactions leaving him without the card while travelling abroad. Luckily I could pay for him... Why should one need to risk getting the card blocked every now and then or need to file complaints on fraudulent transactions posted to the account, file police reports, wait for refunds, just because card schemes want to avoid the investment cost for e comm authentication while milking fees from issuers and acquirers for unsecure e comm payments? Obviously the "risk based authentication" is not working - if it even exists. Look at the rapid growth of e commerce fraud.

A Finextra member, 22 November, 2016, 22:47 (1 like)

PSD2 is all about giving payment providers direct access to accounts. No reason why a retailer couldn't do this, or a Payment initiation service provider on their behalf. Much of this will run on the new coming Instant Payment rails. Not a coincidence I suspect... leveling the security playing field will help bring transactions back to the banks and off the Visa rails. 

Edward Leong - DistruptiveHut - Singapore, 23 November, 2016, 06:12 (0 likes)

Perhaps it is a good time to migrate to digital secure remote payment and EMV 3DS 2.0 for online transactions.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 23 November, 2016, 09:04 (2 likes)

I thought Visa recently told Europe to be ready for strong authentication via 3DS (Source). Now it's protesting strong authentication proposed by EBA. Maybe it's only me but there seems to be a contradiction.

Steven Murdoch - University College London - London, 23 November, 2016, 13:17 (0 likes)

Visa also request that they have the option to not perform strong authentication, and instead accept liability for fraud. However this doesn't take into account that there are wider costs of fraud, that just refunding the customer will not deal with. Furthermore the draft regulations allow providers to keep the security audit of authentication systems secret, and so leave victims of fraud in a difficult position to argue that they were not negligent. I pointed both of these issues out in my own response to the EBA consultation.

Eli Talmor - ID-Bound - Haifa, 25 November, 2016, 10:13 (0 likes)

I, respectfully, disagree with VISA. My key point: strong customer and payment authentication must be in-merchant-app. You are welcome to see my presentation, quoting VISA objections: