According to the statistical office of the European Union, 60% of EU individuals made an online purchase last year.
Looking specifically at the UK, that figure rises to 83%.
This trend is increasing, and whilst online sales growth brings opportunity, it is not without consequences. Criminals are moving into digital channels to the extent that online fraud is now the most common form of crime in England and Wales, according to the Office for National Statistics.
Strong Customer Authentication
This time last year the EU adopted the General Data Protection Regulation (GDPR). It was a much-hyped piece of legislation created to force companies to protect an individual’s data.
Launched with threats of large fines for offenders, which failed to materialise, GDPR is probably best known for its annoying pop-up windows all over the web.
So, in a bid to provide further security, the PSD2 regulation will introduce Strong Customer Authentication (SCA).
Applied across Europe, the SCA regulation aims to reduce online fraud by increasing the number of payments subject to two factors of authentication.
So, from September 14th 2019, when you make an online payment the transaction will be authenticated based on the use of two or more different factors:
Something you know – such as a password
Something you have – such as a mobile phone or smartwatch
Something you are – such as facial recognition or a fingerprint
Not all transactions are required to adhere to SCA. Key exemptions include:
Payments under €30
Transactions below €30 will be considered “low value” and may be exempt from SCA. Banks will, however, need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100.
Recurring payments exemption
Recurring payments of the same value to the same business (such as subscriptions and membership fees) may be exempt, although SCA will be required for the customer’s first payment.
However, payments such as a utility bill where the value changes each time will not benefit from the exemption.
If a transaction is considered to be low risk, an exemption could apply. However, it comes with a complex set of conditions.
When a payment has been authenticated, the individual may have the option to ‘whitelist’ a business to avoid having to authenticate future purchases. Subsequent transactions with the whitelisted merchants are likely to be exempt from future authentication.
While exemptions will ease friction, the individual’s bank retains the final authorisation decision, as it does today.
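The low-value rule above amounts to two per-card counters held by the bank. The Python sketch below is an added example, not code from this article or from any bank; the class and function names are hypothetical, and it assumes a successful authentication resets both the use count and the running total.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")    # EUR: payments below this may be exempt
MAX_EXEMPT_USES = 5                # exemption uses since last authentication
MAX_EXEMPT_TOTAL = Decimal("100")  # EUR: sum of previously exempted payments


@dataclass
class LowValueCounters:
    """Per-card counters kept by the bank (hypothetical model)."""
    uses: int = 0
    total: Decimal = Decimal("0")

    def needs_sca(self, amount: Decimal) -> bool:
        """Apply the article's low-value rule to one payment."""
        if amount >= LOW_VALUE_LIMIT:
            return True                       # not a low-value payment
        if self.uses >= MAX_EXEMPT_USES:
            return True                       # exemption already used five times
        return self.total > MAX_EXEMPT_TOTAL  # previously exempted sum over 100

    def record_exempt(self, amount: Decimal) -> None:
        self.uses += 1
        self.total += amount

    def record_successful_sca(self) -> None:
        """Assumption: a successful authentication resets both counters."""
        self.uses = 0
        self.total = Decimal("0")


def simulate(amounts):
    """Return 'SCA' or 'exempt' per payment, assuming every challenge succeeds."""
    card = LowValueCounters()
    decisions = []
    for raw in amounts:
        amount = Decimal(raw)
        if card.needs_sca(amount):
            card.record_successful_sca()
            decisions.append("SCA")
        else:
            card.record_exempt(amount)
            decisions.append("exempt")
    return decisions


if __name__ == "__main__":
    # Constructed sample payments in euros
    print(simulate(["10", "10", "10", "10", "10", "10"]))
    print(simulate(["29", "29", "29", "29", "29"]))
```

With five payments of €29 the cumulative limit trips before the count limit does, so the fifth payment is challenged even though the exemption has only been used four times.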
The changes introduced by this new regulation will affect online business in Europe. As an indication, India introduced a similar regulation in 2014 and conversions dropped by 25% overnight due to the additional authentication steps.
However, while shopping basket abandonment and conversion rate decreases are concerns, the prospect of improved authorisation rates and a reduction in fraud losses should be viewed as positive.
In this online world moving rapidly towards mobile devices, SCA will encourage the adoption of biometric security in wallet services like Apple Pay and Google Pay and will no doubt lead a charge towards more user-friendly authentication experiences.
Although SCA presents further regulation changes that businesses must adapt to, the long-term benefits of reducing cybercrime are worth the short-term pain.