With less than a month until the final deadline for Strong Customer Authentication (SCA), fears around preparedness are still prevalent and firms are trying to ensure there will not be a fall in payments come September 14.
The regulation requires a significant change to payment infrastructures, leaving many merchants with an uphill battle to get ready in time. Once September 14 comes, online payments made in the EU will need to be backed by two-factor authentication. This means consumers will need to input a combination of verification types. There are three possible options for merchants to utilise: knowledge-based verification such as a password or a PIN, an item in possession like a credit or debit card, and finally biometrics, most commonly a fingerprint.
However, not everyone feels ready for the final step of the EU’s Revised Payment Services Directive (PSD2). Payment processing giant Stripe recently completed an investigation into the potential impact of SCA in Europe following its implementation. The study compiled responses from 500 qualified payment professionals at businesses and 1,000 customers across the UK, France, Germany, the Netherlands, and Spain. According to the report, only one in two European businesses expect to be compliant for day one.
Similarly, the open banking platform Tink called in August for regulators to postpone the deadline as its own research had shown that too few people were ready for SCA.
In response to the market’s outcry on the lack of preparedness, the European Banking Authority has given national competent authorities (NCAs) the power to postpone the implementation of the regulation. The UK’s Financial Conduct Authority and the Central Bank of Ireland are two of the regulators to have held off implementation; in the UK the delay could be a further 18 months.
Not all financial regulators are making use of this new power and a majority of merchants across Europe will need to be ready. Germany’s Federal Financial Supervisory Authority (BaFin) has partially suspended compliance, with new temporary rules that will allow online credit card payments to be made without SCA adherence. However, all other online payment methods will need to meet compliance following the September 14 deadline.
Adding extra verification steps is likely to place more burden on consumers during their checkout experiences. Customers can be impatient and if these processes become too much of a kerfuffle it is safe to assume several consumers will just give up. So how can merchants minimise a drop-off in the number of payments after the deadline? The research from Stripe estimates there could even be a fall of €57bn in economic activity within the first 12 months.
Stripe general manager UK and Ireland Iain McDougall told FinTech Global, “74% of Gen Z shoppers have abandoned an online purchase in the past six months due to a bad checkout experience. And over half [or 52%] of online shoppers who abandon a purchase end up completing the transaction with a competing merchant. SCA will exacerbate low consumer tolerance for inconvenient checkouts. Therefore, maintaining a frictionless flow will be essential to minimizing business impact of SCA. Merchants should look for a partner to help them manage SCA exemptions dynamically and optimize for conversion.”
Come implementation, if a merchant has failed to ensure their systems are compliant, card issuers may be obliged to decline certain e-commerce transactions. Global Payments, which offers electronic processing services around the world, has offered advice to merchants to ensure they are ready ahead of the SCA deadline.
The enterprise recommends that merchants review their website and existing payment methods and update their payment methods to support 3D-Secure (3DS), at a minimum, or 3DS2. Additionally, merchants should work with a partner to support the technology implementation and inform customers of the change and the benefits of 3DS1 or 3DS2 to online shopping. Finally, Global Payments suggests that if a merchant owns their own terminal or rents it from another supplier, they should contact the provider and check the requirements.
3DS authentication was initially released to lower the instances of fraud for online transactions. The concept is to get a cardholder’s bank to verify the shopper attempting to make a digital payment with their debit or credit card. The buyer is redirected to their card provider’s website, where they are required to enter a previously agreed password or an authentication code sent via mobile text. If this is successful, the payment is completed.
Global Payments president and managing director, UK&I Nick Corrigan told FinTech Global, “Although 3DS1 meets the requirements of [SCA], it can cause some friction in today’s online payments environment. For example, if the in-line window takes too long or doesn’t load properly, customers are likely to abandon the purchase completely. Additionally, many card issuers require customers to create and remember their own passwords to complete the process. With people requiring multiple passwords for lots of different accounts, these passwords are easy to forget and again can lead people to abandon the transaction.”
3DS2 is the updated version of the system, upgraded to make use of newer technology and lower friction. It was designed by EMVCo, a global payment standards body made up of Visa, Mastercard, American Express, Discover, UnionPay and JCB. Over 100 data points are monitored from the merchant to the issuer, authenticating players in the background. Additional cardholder verification is only needed for the riskiest transactions. The system also powers alternative authentication structures including biometrics, enabling customers to verify themselves via fingerprints, a common technology on mobile phones.
Corrigan said, “In fact, when customers use biometric verification, the check-out time has been shown to decrease by up to 85%, which reduces cart abandonment by an estimated 70%. The in-line payments window can also be removed, providing a smoother experience for mobile and digital wallet payment methods.”
While implementing 3DS is one way to meet compliance, it is not the only option available. Merchants could also decide to build an in-house payments engine or rely on a third-party supplier.
McDougall added, “There are three main ways companies can prepare. The first option is for businesses to systematically apply 3D-Secure (3DS). While the easiest solution to implement for merchants, it is also the riskiest – according to Stripe’s estimates, businesses would leave 14% of total turnover on the table, due to the additional checkout friction and not making use of the various scenarios when SCA is not necessary.
“A second option is to build a complete in-house payments engine. The moving pieces, cost and complexity of building and running this, however, make it unrealistic for 99,99% of European businesses. Thirdly, businesses can rely on a modern third-party solution that is SCA-ready.”
Providing consumers with a laborious and inefficient online checkout system could see them stop and look for alternative providers. SCA is not just a worry for merchants; it is a lot wider than that. Retailers, rideshare companies, crowdfunding platforms and everything in between will need to be compliant. Furthermore, issuing banks will need to make sure their processes have been adapted enough to accept SCA.
McDougall concluded, “While there will be a grace period, we have yet to see how national regulators will use this opportunity and whether it will be applied harmoniously across the different EU countries. But despite all the uncertainty and complexity, companies should ensure they are prepared for SCA to prevent customer migration to other providers.”
Copyright © 2019 FinTech Global