PSD2 reality check

Strong customer authentication without conversion loss

One thing is certain: from 1 January 2021, every online merchant will have to use strong customer authentication for card payments. Not all online merchants are sufficiently prepared for this and many fear negative effects on their conversion. The news and analysis platform The Paypers together with Netcetera, Aite Group and Nok Nok Labs provide information in the following article.

There are good reasons why the EU Commission and the European Banking Authority (EBA) prescribe Strong Customer Authentication (SCA) under the current Payment Services Directive (PSD2). Payment fraud is a growing problem for online merchants: European merchants alone now spend a total of $29 billion a year on fraud prevention. Nevertheless, they lose 1.9 percent of their e-commerce turnover to payment fraud on domestic orders alone. Strong customer authentication serves to maintain consumer and merchant confidence in e-commerce. However, it also means that consumers are asked to authenticate themselves with a second factor, such as a one-time password (OTP) or a biometric feature, in more and more transactions.

Strong customer authentication reduces fraud

The Aite Group has conducted an analysis of the impact of strong customer authentication. In this analysis, 37 percent of those surveyed expect SCA to reduce fraud by more than 50 percent. This would mean direct savings of around $750 million for online merchants. In addition, there would also be indirect savings because they could reduce their fraud management efforts.

However, strong customer authentication also poses a risk for e-commerce conversion. Additional authentication steps make the checkout more uncomfortable for consumers. As a result, online merchants could experience an increase in abandoned purchases and lost sales. About half of the respondents in the Aite study assume that SCA will lead to a 5 percent decline in online sales; 31 percent fear a drop in sales of more than 10 percent.

There are various ways to significantly reduce the risks associated with strong customer authentication. As a first step, customers can be offered unregulated payment methods such as online direct debit. In addition, if a transaction risk analysis (TRA) is used, low-risk card payments may be made without SCA. And finally, it is possible to filter out those transactions for which one of the SCA exemptions can be used. Ron van Wezel, Senior Analyst at Aite Group: "With such measures, in the end only about 50 percent of the transactions for which strong customer authentication is required remain. It is then important to provide the best possible user experience. EMV® 3-D Secure 2.x is a suitable technology for this purpose".
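The three-stage funnel described above (unregulated payment methods, TRA for low-risk card payments, the remaining SCA exemptions, and only then an issuer challenge) can be written down as a routing decision. The following Python is an added example and is not code from the article or from Netcetera, Aite Group or Nok Nok Labs. The amount thresholds are the ones laid down in the PSD2 Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389): EUR 30 for the low-value exemption, and TRA limits of EUR 100, 250 and 500 tied to the acquirer's reference fraud rate. The merchant-side `risk_score`, the `risk_threshold`, the `CardholderCounters` view of issuer-side data and the sample checkout mix are assumptions made for the illustration; in a live system the acquirer requests the TRA exemption and the issuer decides on the low-value one, and the function simply simulates that whole chain in one place.

```python
"""Simulated PSD2 SCA routing for a card checkout (illustrative, not production code)."""
from dataclasses import dataclass
from enum import Enum


class Route(Enum):
    NO_SCA_UNREGULATED = "unregulated payment method, SCA not applicable"
    EXEMPT_RECURRING = "recurring transaction exemption (RTS Art. 14)"
    EXEMPT_TRUSTED = "trusted beneficiary exemption (RTS Art. 13)"
    EXEMPT_LOW_VALUE = "low-value exemption (RTS Art. 16)"
    EXEMPT_TRA = "transaction risk analysis exemption (RTS Art. 18)"
    CHALLENGE = "send to issuer for EMV 3-D Secure challenge"


# RTS Art. 18: (maximum reference fraud rate in %, maximum amount in EUR)
TRA_TIERS = ((0.01, 500.0), (0.06, 250.0), (0.13, 100.0))


@dataclass
class Transaction:
    amount_eur: float
    method: str                      # "card" or an unregulated method such as "direct_debit"
    risk_score: float = 1.0          # assumed merchant fraud model: 0.0 (safe) .. 1.0 (risky)
    recurring_subsequent: bool = False   # fixed-amount recurring payment after the first SCA'd one
    payee_whitelisted: bool = False      # cardholder listed the merchant as trusted beneficiary


@dataclass
class CardholderCounters:
    """Issuer-side counters since the cardholder's last SCA (assumed visible here for the simulation)."""
    cumulative_since_sca_eur: float = 0.0
    count_since_sca: int = 0


def tra_limit(acquirer_fraud_rate_pct: float) -> float:
    """Largest amount the acquirer may exempt under TRA at its current reference fraud rate."""
    for max_rate, limit in TRA_TIERS:
        if acquirer_fraud_rate_pct <= max_rate:
            return limit
    return 0.0  # fraud rate above 0.13 %: TRA exemption not available


def route(tx: Transaction, counters: CardholderCounters,
          acquirer_fraud_rate_pct: float, risk_threshold: float = 0.2) -> Route:
    """Apply the funnel in order: out of scope, exemptions, then challenge."""
    if tx.method != "card":
        return Route.NO_SCA_UNREGULATED
    if tx.recurring_subsequent:
        return Route.EXEMPT_RECURRING
    if tx.payee_whitelisted:
        return Route.EXEMPT_TRUSTED
    # Low-value: EUR 30 per transaction, and at most EUR 100 or 5 transactions since last SCA.
    if (tx.amount_eur <= 30.0
            and counters.cumulative_since_sca_eur + tx.amount_eur <= 100.0
            and counters.count_since_sca < 5):
        return Route.EXEMPT_LOW_VALUE
    # TRA: amount within the acquirer's tier and the merchant's own model rates it low risk.
    if tx.amount_eur <= tra_limit(acquirer_fraud_rate_pct) and tx.risk_score <= risk_threshold:
        return Route.EXEMPT_TRA
    return Route.CHALLENGE


# Constructed sample checkout mix; each entry is a different cardholder with fresh counters.
SAMPLE = [
    Transaction(25.00, "direct_debit"),
    Transaction(12.50, "card", risk_score=0.4),
    Transaction(80.00, "card", risk_score=0.05),
    Transaction(80.00, "card", risk_score=0.9),
    Transaction(600.00, "card", risk_score=0.0),
    Transaction(49.90, "card", recurring_subsequent=True),
]


def challenge_share(transactions, acquirer_fraud_rate_pct: float):
    """Route every transaction and return (routes, fraction still needing an issuer challenge)."""
    routes = [route(tx, CardholderCounters(), acquirer_fraud_rate_pct) for tx in transactions]
    needing_sca = sum(r is Route.CHALLENGE for r in routes)
    return routes, needing_sca / len(routes)


if __name__ == "__main__":
    decided, share = challenge_share(SAMPLE, acquirer_fraud_rate_pct=0.05)
    for tx, r in zip(SAMPLE, decided):
        print(f"{tx.amount_eur:>8.2f} {tx.method:<13} -> {r.value}")
    print(f"share of checkouts still sent to the issuer for SCA: {share:.0%}")
```

Two points worth keeping in mind when reading the output: an exemption requested by the acquirer under TRA moves fraud liability to the acquirer side, and the issuer remains free to challenge any transaction regardless of the exemption flag, so the share this function reports is an upper bound on what the merchant can keep frictionless.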

Biometrics improve user experience

Biometric procedures are another effective way to reduce shopping cart abandonment. Figures from Nok Nok Labs confirm this: while static passwords lead to aborted purchases in 30 percent of cases, the figure is still 15 percent for one-time passwords sent via SMS and less than 5 percent for biometric procedures.

Anyone who wants to use biometric procedures should do so based on the standards of the FIDO Alliance (Fast Identity Online). The FIDO standards for biometric authentication are supported by American Express, Mastercard and Visa as well as by the most important OEMs and software providers (e.g. Microsoft, Samsung, Facebook, Apple, Google). For example, an online purchase on a smartphone can be confirmed simply by fingerprint.

Technologies for seamless checkout

With Card on File (COF) and Delegated Authentication, online merchants can use technology that enables them to meet the requirements of PSD2 while offering their customers a seamless checkout experience.

Many large online merchants can already identify their customers and also store information on payment procedures. With Card on File based on tokenization by networks such as Mastercard or Visa, they can permanently store card data in the form of tokens (numbers that replace the original card number). Tokenization ensures that the stored data is always up to date and is of no use to an attacker if it is stolen. Kurt Schmid, Marketing & Innovation Director for Secure Digital Payments at Netcetera: "Experience shows that an online merchant can improve its conversion rate by a good 6 percent with network tokenization compared to Card on File".

Finally, the information that online merchants hold about their customers can also be used for Delegated Authentication. If a merchant has already securely registered its customers using a FIDO-compliant procedure, the login to the merchant's customer account can serve as the authentication for payment transactions; a separate authentication by the card issuer is then no longer necessary. Merchants and card issuers can agree on this type of authentication through bilateral contracts. However, it seems more sensible and simpler to use the services of Mastercard and Visa as "Delegated Authentication Brokers".

For the checkout, this means that customers are no longer pushed back and forth between the merchant app and the bank app but can complete payment with a single click – regardless of whether they shop via PC or smartphone.

Kurt Schmid: "There are a number of practical solutions for online merchants that enable them to offer their customers security and convenience at the same time. The requirements of PSD2 and strong customer authentication can be met without jeopardizing conversion and without having to fear a loss of sales".

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.