New security measures could block one-third of online EU purchases

New European rules on Strong Customer Authentication (SCA) could block more than one-third of online purchases and cost merchants more than $100 billion in lost sales, according to an analysis by payments consultancy CMSPI.

The consultancy says problems will arise for e-commerce merchants beginning January with the introduction of 3D-Secure Version 2.0, an authentication protocol developed by the major card schemes.

The CMSPI report describes the technology as “relatively new and unproven”, adding “significant unnecessary friction to the online commerce experience.”

With the new security protocol adding between 60 seconds and two minutes to the checkout process, testing shows 25% of 3DS2 transactions are abandoned by consumers, compared with single-digit numbers without the technology.

Overall, as many as 35% of 3DS2 transactions fail to go through, either because they are declined, abandoned by frustrated consumers or because of technical errors. If not corrected, that would amount to €108.1 billion in lost sales based on 2019 sales volume - 100 times the annual amount of card fraud, says CMSPI.

Large retailers with the resources to minimise delays are likely to win customers from smaller retailers that do not, the report says. Small retailers are expected to be the hardest hit, accounting for €69.4 billion of the total compared with €38.7 billion for large merchants.

CMSPI head of approvals and fraud Toby McFarlane comments: “Both merchants and card issuers have clearly been busy with the pandemic and neither have had the time to give this important new technology the attention it requires. Payment security is one of merchants’ top priorities, but they need the time to do this right. This is particularly bad timing because store shutdowns have made retailers rely on online sales for more of their revenue than ever before.”

Comments: (6)

A Finextra member 28 September, 2020, 11:47

Fully agree. The new rules are a car crash waiting to happen.

A Finextra member 28 September, 2020, 12:26

Wow! 

Kevin Smith - Riskskill - Reading 28 September, 2020, 13:25

Regrettably, we have recognised the potential for adverse impact on both merchants and card users as the result of SCA and EMV3DS2.x. Different scheme approaches, different timelines, complex rules and technical requirements, unanswered questions put to the EBA and still managing significant uncertainty on rules, specifications and technology options. This was supposed to drive greater security, convenience, transparency and user confidence. What have we let loose on payments in Europe?

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 29 September, 2020, 13:17

More like train wreck!

My comment on "Thought GDPR was complex? Get ready for SCA!" last year is equally relevant here.

Sunil Jhamb - WL Payments - Amsterdam 30 September, 2020, 14:22

Interesting read.

3DS2 is an upgrade to 3DS1, it could and should improve the whole 3DS1 process. With SCA, EU businesses will be forced to use 3DS. Actual estimation of revenue drop with 3DS1 is 10% (varies on verticals).

With 3DS2, this could be significantly reduced. Only a bad implementation of 3DS2 would add 60+ seconds in the complete payment flow.

Payment companies need to make sure that the customers have the best experience possible and merchants see less fraud.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 30 September, 2020, 17:23

As I highlighted in "Winners Don't Let Security Screw Up User Experience", even when it's well implemented, 3DS v2 risks causing inconsistent UX, which is a big conversion killer.

It's easy to make motherhood statements. PSPs have been trying - and failing - to ensure high UX and low Fraud for decades. Enough damage has been done by security measures to conversion and sales already. It's high time we shed foolhardy notions of being able to strike a tradeoff between UX / Revenues on the one side and Security on the other, and decided to get behind one or the other. Since Revenues can pay for Security but Security can't pay for Revenues, it's obvious what the right choice is.
