Payment regulations are not always front of mind when online retailers are looking for the best ways to control and enhance their checkout processes. However, recent regulatory changes around SCA delegation have delivered a powerful tool that takes payment authentication away from the banks and puts it back in the hands of retailers. In short, this not only simplifies checkout, it also increases security and could enhance sales.
Many people across the payments and retail industries are familiar with the concept of 3D Secure. Version 2.0 was due to be introduced in September but a ‘grace period’ allows implementation to take place any time before December 2020. However, there are still many questions about how this mandatory authentication method for enabling credit card payments will work with the new rules on strong customer authentication.
The payments industry is awash with acronyms, so for clarification it is worth reiterating that 3D Secure (3DS) has been supporting credit card transactions in e-commerce for some time. Recently, new rules on strong customer authentication (SCA), i.e. two-factor authentication (2FA), have been introduced as a result of the second Payment Services Directive (PSD2). 3DS 2.0 is the latest iteration of a protocol issued by the major card schemes to ensure the secure authentication of card payments. Version 2.0 fulfils the requirements set out by PSD2 and will become mandatory if retailers are to offer credit card payment facilities to customers.
Following so far? The good news is that Strong Customer Authentication and 2FA are really the responsibility of payment methods such as Visa, PayPal and Mastercard and of the card-issuing banks. Online retailers just need to make sure their checkout systems comply. The challenge lies in managing 3DS and migrating from version 1.0 to version 2.0.
Password problems with 3DS 1.0
Customers may well have experienced difficulties during credit card payments when they entered the wrong password by mistake, making 3DS authentication impossible. Resetting the password quickly was off-putting, and if the e-commerce site could not offer an alternative payment method, many customers simply abandoned the purchase.
The new 3DS 2.0 authentication method is intended to be more user-friendly for customers thanks to a refinement of the previous 3D Secure protocol. The hurdles customers previously had to jump have been removed: with every credit card transaction, a multitude of data elements describing the contractual relationship between the retailer and the customer, or the customer’s account, are transmitted directly to the card issuer, e.g. a bank. The issuer, in turn, performs a real-time risk assessment. If the transaction is categorised as low-risk, the payment is authorised instantly and no further interaction from the customer is needed. Indeed, for 95% of transactions the payment process completes quickly and seamlessly. Only if fraud is suspected is the customer asked to confirm their identity. Where previously a customer always had to provide a password or PIN, with 3DS 2.0 this is only necessary if background authentication cannot take place, and passwords and PINs are being replaced by device-generated TANs or biometric authentication.
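The following JavaScript is an added example, not code from the article or from Computop, that models the risk-based decision just described: the retailer sends data elements with the transaction, the issuer scores them in real time and either authenticates silently (frictionless) or asks the customer for a second factor (challenge). It also shows the retailer-side flag the article mentions in the biometrics section, where the merchant tells the issuer that authentication has already been performed. The field names, rules, threshold and sample transactions are all constructed for this example and are not the EMV 3DS message format.

```javascript
// Added example (not Computop's code and not the EMV 3DS message format): a
// simplified model of the 3DS 2.0 risk-based decision. Field names, rules,
// thresholds and sample data are assumptions chosen for this illustration.

const CHALLENGE_THRESHOLD = 50; // assumed: a score at or above this triggers a challenge

// Each rule inspects one data element and contributes points when it fires.
// Real issuer models are far richer; these only illustrate the shape.
const RISK_RULES = [
  { name: 'new-device',           points: 30, test: tx => !tx.deviceKnownToIssuer },
  { name: 'shipping-not-billing', points: 20, test: tx => tx.shippingAddress !== tx.billingAddress },
  { name: 'new-customer-account', points: 15, test: tx => tx.accountAgeDays < 30 },
  { name: 'high-amount',          points: 25, test: tx => tx.amountMinor > 50000 }, // above 500.00
  { name: 'ip-country-mismatch',  points: 30, test: tx => tx.ipCountry !== tx.cardCountry },
];

// Issuer-side decision. Returns the outcome together with the rules that
// fired so the decision can be logged and audited. The retailer's "SCA
// already performed" flag (delegated authentication) is honoured only for
// merchants the issuer has enrolled for it; otherwise the score decides.
function assessTransaction(tx) {
  const fired = RISK_RULES.filter(rule => rule.test(tx));
  const score = fired.reduce((sum, rule) => sum + rule.points, 0);
  const reasons = fired.map(rule => rule.name);

  if (tx.scaAlreadyPerformedByMerchant && tx.merchantEnrolledForDelegation) {
    return { outcome: 'frictionless', basis: 'delegated-authentication', score, reasons };
  }
  const outcome = score >= CHALLENGE_THRESHOLD ? 'challenge' : 'frictionless';
  return { outcome, basis: 'risk-score', score, reasons };
}

// Retailer-side handling of the issuer's answer: either continue straight to
// authorisation or render a challenge adapted to the customer's device.
function nextStepForRetailer(result, deviceType) {
  if (result.outcome === 'frictionless') return { action: 'authorise' };
  return { action: 'show-challenge', layout: deviceType === 'mobile' ? 'in-app' : 'browser' };
}

// Constructed sample transactions (not real data).
const SAMPLE_TRANSACTIONS = [
  { id: 'tx-001', amountMinor: 4999, deviceKnownToIssuer: true, shippingAddress: 'addr-A',
    billingAddress: 'addr-A', accountAgeDays: 400, ipCountry: 'DE', cardCountry: 'DE',
    scaAlreadyPerformedByMerchant: false, merchantEnrolledForDelegation: false },
  { id: 'tx-002', amountMinor: 89900, deviceKnownToIssuer: false, shippingAddress: 'addr-B',
    billingAddress: 'addr-A', accountAgeDays: 2, ipCountry: 'US', cardCountry: 'DE',
    scaAlreadyPerformedByMerchant: false, merchantEnrolledForDelegation: false },
  { id: 'tx-003', amountMinor: 89900, deviceKnownToIssuer: false, shippingAddress: 'addr-B',
    billingAddress: 'addr-A', accountAgeDays: 2, ipCountry: 'US', cardCountry: 'DE',
    scaAlreadyPerformedByMerchant: true, merchantEnrolledForDelegation: true },
];

for (const tx of SAMPLE_TRANSACTIONS) {
  const result = assessTransaction(tx);
  console.log(tx.id, result, nextStepForRetailer(result, 'mobile'));
}
```

The returned reasons list is deliberate: a frictionless-or-challenge answer with no audit trail is hard to tune and hard to defend to a fraud team, so each decision carries the rules that produced it.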
Simplifying the process for the customer has obvious advantages: it reduces the time taken and keeps them in the same user interface throughout the entire order process, ideally using highly secure biometric authentication when they log in.
How do biometrics fit in?
The FIDO standard (developed by an alliance committed to providing open and free authentication standards) guarantees that biometric data is processed in encrypted form and that fingerprints or facial scans never leave the device on which they are captured. It can also be used without passwords, which means customer data can no longer be phished or stolen.
The biometric data is not simply copied to the device on which it is read, but stored as hash values. Even a face scan or fingerprint cannot be stolen, provided the biometric solution meets the required standards. Importantly, retailers can use this biometric authentication to send a ‘flag’ to the issuer that authentication has already been performed, so the bank does not challenge the customer with a further authentication request. These ingenious solutions therefore reap rich rewards for online retailers, putting them firmly in control and providing greater consumer confidence and enhanced branding.
What about data protection issues?
Apart from the benefits of biometric authentication, we also need to consider the rules around data protection, because introducing additional data elements within 3DS 2.0 does mean going back to the rule book. For online retailers there is a balance to be struck between ensuring the smooth authentication of payments (and so reducing basket abandonment) and the permissibility of sending those data elements while remaining compliant with the transparency obligations under GDPR.
There are a number of alternatives that online retailers can consider:
1. Relying on a statutory legal basis. In this case the retailer and its data protection officer must examine each individual data element case by case against GDPR. The review may, however, conclude that some of the data elements cannot be included in the transmission.
2. Extending the retailer’s general terms and conditions on which the contract with the customer is based. If the corresponding content is included in the retailer’s general terms and conditions, GDPR can be used throughout as the legal basis for all data elements, since providing them is then ‘necessary for the performance of a contract’.
3. Obtaining a declaration of consent under data protection law. This alternative has the same effect as number 2, allowing GDPR to be used as the legal basis for all data elements.
The positives of 3DS
Since online shoppers will no longer be required to enter a 3D Secure code and the majority of credit card transactions will not require additional information from the customer, it’s likely that the new process will have a positive impact on conversion rates during the checkout process. In addition, the individual, data-based risk assessment of each transaction promises even better protection against fraud.
Online retailers who implement 3DS 2.0 will also benefit from significantly improved usability for mobile and in-app purchases. Input windows for 3DS queries can now be displayed in a format adapted to the respective device, e.g. a smartphone. At the same time, the new process is no longer tied to the browser but can be integrated into retailer shopping apps using preconfigured software development kits.
Ralf Gladis is chief executive of Computop