A little-talked-about EU directive could be poised to slow online sales, as banks roll out two-stage payment authentication that uses a mobile phone to confirm the purchase.
The PSD2 Open Banking-based directive – which comes into force in September 2019, but which has been adopted already by some banks in the UK – means that banks are sending passwords or passcodes to mobile phones to confirm online purchases.
While great for security, it does mean that ecommerce could soon be reliant on both a good internet connection and a good mobile signal.
Under the rules, when shoppers spend £27 (€30) or more online, payment providers will be required to ask for an extra form of verification, usually sent as a one-time password by text to the shopper's mobile phone. The same will apply once £90 in total has been spent on a particular card, or if five separate payments of £27 are made.
Some exemptions are also possible: if a retailer decides that a purchase is low risk, for example, or if the bank can prove to the regulator that it has a good record on fraud, it can allow exemptions on payments worth up to about £450 (€500).
But retailers, banks and consumer groups are all concerned that the system is flawed, will make things slower and trickier for shoppers, and could be a barrier to ecommerce sales.
For starters, not everyone has a mobile and not everyone has a good mobile signal. Additionally, not everyone has a wifi-enabled smartphone. For those that have connectivity issues, how can any online purchase be verified? Equally, how will purchases made on mobile be authenticated?
UK Finance – the trade body for the UK retail banking industry – has told its members that they need to find other ways of verifying their customers’ identities, such as by phoning them on their landline or by using biometric data, for example a fingerprint on the bank’s app.
And, while it is inconvenient and time-consuming, customers can always phone their bank to get a one-off approval for a particular transaction.
Or, as one bank said with some irony, they could always use PayPal.
The regulations come into force on 14 September 2014 and banks are being urged to start communicating the changes to both consumers and retailers now, so that work can start on making sure that ecommerce isn’t interrupted.