The e-commerce-led recovery is under threat: here’s what we can do about it
As summer has given way to autumn, merchants across Europe have seen their customers navigate ever-changing restrictions on movement implemented by governments getting a grip on a global pandemic.
E-commerce has become their lifeline. Consumers opted to forgo shopping in-person on the advice – and at times the orders – of health officials. In response, merchants have rallied to ensure consumers have access to goods and services, in many cases moving entire businesses online virtually overnight. As a result, 14 European nations have seen online payments climb at least 20% compared to pre-pandemic levels.¹
Yet thousands of merchants face being “almost cut off” from online trade when sweeping new European payment regulations come into force at midnight on 31 December, according to Mark Nelsen, Senior Vice President of Europe Products and Solutions at Visa. The regulations, which arguably amount to the largest shake-up of e-commerce in Europe to date, risk catching scores of merchants by surprise as they focus their efforts on servicing customers and clients amid the disruption caused by the outbreak.
SCA: The to-do list for issuers
Industry collaboration is critical to ensuring European consumers and merchants can still pay and be paid online once Strong Customer Authentication is enforced (from 31 December 2020 for most of Europe, and 14 September 2021 for the UK). Here are some of the steps issuers can take to ensure their customers can still use e-commerce seamlessly and securely:
- When SCA is enforced, issuing banks will need to be able to ask consumers for verification that they are the correct cardholder. One of the most suitable technologies available to do this is called EMV 3D Secure. It is created by EMVCo, optimised for SCA, and more adapted for use on mobile devices and modern technology such as games consoles and home assistants. Issuers should enable this sort of technology as soon as possible.
- When asking consumers to identify themselves, it’s important to choose something that is easy for them to provide, but robust enough that a fraudster couldn’t easily imitate it. The choice issuers make here will be crucial – it could be what determines if the consumer completes or abandons their purchase. In our view, one of the best choices is to use biometrics, such as fingerprints, as they are both highly secure and convenient. By contrast, passwords can sometimes be easy for fraudsters to imitate, and consumers can find them inconvenient. In regions where local regulations mean one-time-passcodes (OTPs) must be accompanied by passwords, issuers should make an extra effort to ask consumers to use their banking apps and fingerprints. Issuers are also recommended to explore behavioural biometrics as an alternative authentication factor.
- Not every transaction requires SCA – meaning many payments can be processed without the need for consumers to perform extra steps at checkout. Understanding and applying the exemptions to SCA may help to minimise friction and improve the customer journey. Additionally, issuers should familiarise themselves with the types of transactions that fall “out of scope” of the regulation and do not require further action from consumers.
Avoiding widespread declines
“If you’re a merchant and you don’t know what this is, or you haven’t deployed the technology, you might not be able to trade online come 1 January,” says Nelsen. “That’s the reality and it’s as bad as it seems.”
The overhaul is part of the EU Revised Directive on Payment Services (PSD2) that implements Strong Customer Authentication (SCA) – an extra security step for most online and in-store purchases that regulators believe will cut down on fraud and make online payments more secure. The technology Nelsen says merchants must deploy is 3D Secure (3DS), and ideally an optimised version known as “EMV 3DS”, which is essentially a system that sits behind checkout platforms to assess how risky transactions are. It is also the technology that enables banks to ask for more information from the cardholder if needed.
The implementation of SCA, which takes place on 31 December across most of Europe and 14 September 2021 in the UK, means purchasers must pass security checks that fall into two of three categories: something a consumer knows, like a password or code; something they have in their possession, like a phone or card reader; and something they are, like a fingerprint or facial recognition usually entered via a mobile banking app. Merchants must have 3DS (or the optimised version, EMV 3DS) enabled, allowing this process to take place, or they can expect their customers’ banks to decline purchases.
After the deadlines, “if a consumer is trying to buy something from you in the online environment, the transaction will go to the consumer’s bank, and the bank will say ‘I’m going to decline that transaction because basic tech isn’t there for us to do our job,’” says Nelsen. “The banks have to comply with the regulation, so merchants that don’t have the technology in place might not be able to conduct business online.”
That’s likely to sound alarming to companies that are increasingly reliant on e-commerce, but the process of becoming compliant is straightforward and could be completed ahead of the end-of-year deadline if they initiate the process immediately.
Every merchant in Europe uses a payment gateway that enables purchases, so any business yet to prepare for SCA simply needs to contact their gateway provider and request to have 3DS switched on, adds Nelsen. And gateway providers and acquirers in turn need to be “shouting from the rooftops” to remind merchants that they need to make that request.
Providing the best experience
However, merchants are only one piece of the puzzle. Issuers will play a crucial role in ensuring SCA doesn’t result in a negative experience for consumers and the subsequent drop-off in sales that would follow.
On that front, there is also cause for concern, says Nelsen. Many banks that are SCA-ready intend to apply one form of authentication to every customer. That’s perhaps understandable as banks grapple with the operational challenges presented by the pandemic, but it is likely to cause problems amid a surge in levels of e-commerce and the increased diversity of shoppers that comes with it.
“There’s never really a one size fits all, yet that’s what the banks have largely done,” says Nelsen. “That’s going to become a breaking point because some customers are going to get left behind. It’s going to create all these broken experiences.”
Where banks have deployed the technology, many have opted for a “clunky” experience that could increase the risk of cybercrime, says Nelsen.
Without change, the most common form of authentication is likely to be a password and a one-time-passcode (OTP). In other words, a consumer would be prompted to enter a password they have previously registered with a bank that they must remember. These are particularly vulnerable to phishing attacks, with sophisticated criminals easily able to find the personal information required to move through a forgotten password process, Nelsen adds.
The bank must also have the customer’s current mobile phone number on file in order to send the OTP. At the check-out page, both must be entered correctly in order for the purchase to be successful.
“That sounds simple but it isn’t in reality,” says Nelsen. “For starters every bank needs every customer’s correct mobile number on file. Getting 100% to go through is always complicated at scale.”
Besides, the research suggests consumers prefer alternative forms of authentication – particularly fingerprints. In fact, a consumer survey conducted by Visa found that a fingerprint is the most favoured form of biometric authentication in France, Germany, Italy, Spain, Switzerland and the UK.² The process banks choose is likely to be a differentiator when the flood of e-commerce starts meeting the SCA methods selected by each institution.
“There are going to be banks that do a much better job and consumers are going to flock to those because everyone values better experiences over bad experiences,” says Nelsen. “That will become a very competitive differentiator.”
So for merchants, enabling the basic technology upon which SCA relies could avert a drop in online sales. For banks, a smooth process will set them apart from competitors that have opted for a more clunky process that threatens to increase the failure rate of online sales.
SCA: The to-do list for acquirers and PSPs
Industry collaboration is critical to ensuring European consumers and merchants can still pay and be paid online once Strong Customer Authentication is enforced (from 31 December 2020 for most of Europe, and 14 September 2021 for the UK). Here are some of the steps acquirers and payment service providers can take to ensure their customers can still use e-commerce seamlessly and securely:
- European merchants need to “switch on” 3D Secure, and preferably the optimised version, EMV 3DS, before 31 December 2020 – otherwise they risk losing online transactions. Many small merchants have not done this – indeed, some merchants have not even heard of SCA or have no idea that they require this technology. Acquirers and payment service providers (PSPs) should be working with their merchants to help prepare them for the regulation – particularly as, against the backdrop of COVID-19, some merchants rely on e-commerce as the only way they can accept customer payments.
- Issuers are currently preparing for SCA by testing systems. They may let you know that the only reason a payment is being declined is because it is not compliant with SCA requirements – called a “soft decline” – giving the merchant a chance to ask the consumer for authentication instead of losing the transaction. Acquirers and PSPs should pass this information on to help merchants prepare for the regulation.
- In general, Visa recommends using the latest version of 3D Secure, known as EMV 3DS – a version that is optimised for SCA. However, although the majority of European issuers are ready, not all issuers use this latest version yet. If merchants have enabled EMV 3DS, they’re advised to use whichever version matches the customer’s bank – which might be the older version of 3D Secure – just to keep the customer journey as smooth as possible. Acquirers and PSPs can help them do so.
- The latest version of 3D Secure – EMV 3DS – requires more data than the earlier version of 3D Secure. This is one of the reasons it is better at detecting fraud, and helps issuers to make informed decisions. Poor data quality or inconsistency could lead to the authentication “failing”, or mean more payments require further steps from customers at the checkout. Acquirers and PSPs are strongly advised to work with their merchants to provide accurate and consistent data.
- Understanding which payments do and do not require SCA will help merchants to offer their customers a seamless customer journey. Acquirers are strongly advised to look at which payments could be exempt or out of scope for SCA, and discuss these strategies with their merchant customers. In particular, merchants may make several payments where cardholders aren’t available to verify their identity – such as subscription payments, which are made on the consumer’s behalf. It is essential that these payments are identified correctly so the issuer understands that SCA need not apply.
- Due to COVID-19, many merchants have started taking orders over the phone and processing them on their payment terminals. Once SCA is enforced, these payments could be declined if not properly identified – as the consumer is not physically there to provide their verification. To avoid this, acquirers should work with these merchants to ensure these payments are identified as “mail order telephone order” (MOTO) payments, which are out of scope.
Supporting economic recovery
However, the biggest beneficiaries could be consumers, for whom e-commerce has become a vital tool enabling access to goods from groceries to medical supplies. At the time of writing, new restrictions on movement were being introduced across Europe as the continent’s leaders run out of options³ to control the outbreak. In a lockdown scenario, e-commerce becomes the only channel by which huge numbers of consumers would be able to safely buy goods.
As a result, the stakes are high, but the prize for getting it right is also significant: the continued growth in e-commerce that could support a Europe-wide recovery from the worst economic crisis in a century.
“What used to be optional now has become mandatory to live,” says Nelsen. “But if banks, payment service providers and merchants get this right, we’ll see an e-commerce-led recovery with less fraud, and perhaps most importantly, we’ll have better tools in place to adapt to any future crises, whatever they may be.”
Mark Nelsen is Senior Vice President at Visa Inc. where he is responsible for leading Europe’s product and solutions organisation, and is the global leader for Visa’s Open Banking capabilities.
1 Europe Visanet data, September 2020
2 Fabrizio Ward, LLC research on behalf of Visa (April 2019), Biometric survey with online panel of credit cardholders
3 ‘European Leaders Driven to New Lockdowns by Surge in Virus’, Bloomberg, 1st Nov 2020, https://www.bloomberg.com/news/articles/2020-11-01/european-leaders-driven-to-new-lockdowns-by-surge-in-virus-cases