People get themselves into a terrible tangle about trade-offs in payments. They think that if convenience is prioritised, it must be traded off against security. Likewise acceptance trades off against security, and convenience against acceptance.
It’s akin to a game of rock-paper-scissors where each attribute trumps another. In truth, we need them all and the context determines to what degree: a right-enough level of convenience, fit-for-purpose security and acceptance at places where buyers and sellers trade. The factors are balanced, rather than traded off against each other – writes Radi El Haj, CEO, RS2.
This issue is very much top-of-mind at present following the European Banking Authority’s (EBA) consultation on strong customer authentication. The proposals and their implications are wide-ranging and could mean the end of frictionless online check-out in Europe.
Strong customer authentication, as defined by the EBA, is two or more out of something you know, something you have and something you are. These factors must be independent and dynamically linked to the amount and payee for remote electronic payments.
The EBA wants the authentication procedure to “remain fully in the sphere of competence of the ASPSP (account servicing payment service provider),” i.e. the issuer for card payments. With very few exceptions, issuers are required to perform strong customer authentication on every transaction. Exceptions include contactless card payments under €50, card-not-present payments under €10 and payments to a payee that have been specifically white-listed.
Merchants, acquirers and other businesses would not be able to perform customer authentication. This is problematical because, as the British Retail Consortium argues in its official response to the EBA, “a competent merchant can be as well positioned to control risk as a card issuer.” Retailers have access to “large amounts of equally predictive customer data relevant to their individual businesses.”
The proposals do not enhance and actually go against current practices, including risk-based authentication. “Mandating a blanket application of strong customer authentication does not reflect the actual risk for customers when using payment services online,” argues PayPal in its official response.
End users may be unwilling to transact online or abandon purchases, which is detrimental to both e-commerce activity and the European digital single market. Evidence how cumbersome authentication procedures act as a barrier to transacting, PayPal cites figures from Q1 2016. They show that on average an additional 40 percent of transactions were abandoned following the introduction of 3-D secure. In Germany, this rose to 51 percent.
Elsewhere the EBA faces accusations that its proposals are too prescriptive, are not technology neutral and stifle future innovation. They may already be out of date with regard to wearables, which do not have a strong customer authentication fallback, and Internet of Things/M2M payments, where transactions are initiated by a machine rather than a human end user. Elsewhere there are concerns around terminology, scope and the regulatory technical standard (RTS) going beyond the requirements of PSD2.
The EBA is expected to publish the next draft of its RTS in late February/early March 2017, whereupon the European parliament and council of ministers will have three months to challenge the text.
Readers are advised to take action within their organisations and communities. Lobby local trade associations and members of the European parliament. The proposals are significant and the future must be determined by those who understand the consequences before they happen, rather than those who need to wait to see the evidence.