New European ecommerce rules to tighten up the security of online checkout threaten to make buying things on mobile – and on desktop – much more time consuming and could see an end to all forms of express checkout.
The European Banking Authority (EBA) has brought forward proposals for how it will implement what is called strong customer authentication (SCA). The plans include a “one size fits all” approach where every online transaction over €10 will require additional steps at checkout such as entering passwords, codes or using a card reader.
Independent consumer research carried out in five European countries on behalf of Visa, highlighted that 95% of European consumers spend more than €10 when shopping online, via mobile, apps and desktop, meaning that these measures would affect millions of shoppers.
These steps would be felt most strongly in the UK, however, as UK consumers are the most prolific online shoppers of those markets surveyed – 63% regularly shop online, compared with the European average of 51%.
For UK online shoppers and retailers, the changes are likely to lead to more frustration and more cart abandonment. In fact, the survey found that more than half (52%) of consumers would abandon purchases if more steps were added to the checkout.
“The extra steps of authentication will be required for every online purchase made using web-based and mobile wallet services through either a browser or retailer’s app,” says Kevin Jenkins, UK & Ireland Managing Director at Visa.”In practice, this means no more express checkouts or quick in-app payments from mobile.”
This would includes one-click checkouts even at stores where consumers shop regularly, and no more fast, automatic in-app payments where cards are already stored. Across Europe, express online checkouts currently make up half of all today’s total e-commerce sales, according to Visa’s data.
The proposals also mean that international websites selling to UK or European consumers will have to follow the new European rules or purchases will be automatically declined. This will impact 50% of UK shoppers who shop online from retailers outside the EU, according to the survey.
It would also add a layer of problems to places where payment is made without the PIN such as toll booths and car park payments via text.
Across Europe, the changes will potentially impact approximately €6bn of transactions, according to Visa’s data.
Peter Bayley, Chief Risk Officer, Europe at Visa, explains: “These new proposals threaten to seriously disrupt the way we all shop. The plans will bring a host of complications and inconveniences, including more declined transactions and longer and more complicated checkout experiences with little if any benefit to consumers.”
He continues: “Managing payments is always about balancing security and convenience. If you tip the balance too far one way, you end up making it either too difficult or too risky for consumers to make purchases wherever, whenever and on whatever device they want. Either way it annoys consumers and damages businesses’ potential to sell their goods and services.
“E-commerce has been a European success story in a time of weak overall economic growth but this initiative threatens to slow that growth and reduce the competitiveness of European businesses against competitors from other parts of the globe.”
The EBA will publish its final proposed standards on 12 January 2017. These standards are in response to the requirements of the Payment Services Directive (PSD2), which mandates SCA for all electronic payments.”
Rory Maguire, MD of trade body the Association for Interactive Media and Entertainment – which has done a lot work on mobile payments with the EU and PSD – says: “The strong authentication requirements are laid out in PSD2 to be compatible with the level of risk and is designed to make the consumer more aware of their transaction commitment as well as preventing phishing. It requires the use of devices that the consumer has in their possession such as card readers and mobile phones.
“While it does require additional procedure on behalf of the payment service providers, I am not sure it will affect checkout conversion as the payment aspect occurs after the consumers purchase commitment. It will add an extra step into the equation afterwards such as a SMS PIN loop or logging onto a secure App to generate a one-time password. For home, it will be a card reader.
“I think the EBA ‘one size fits all approach’ is OTT. Amazon for example allow one-click payments only for logged in users with delivery to the registered address. Change the address (where fraud occurs) and they take you through a new security loop. They could improve the security with a text based PIN loop, but it depends if the EBA will allow the one-click to remain while the users delivery details are unchanged.”
Visa’s Bayley adds: “All of this inconvenience comes with no evidence that it will actually reduce fraud. We have a system today that works, what we call risk-based authentication. This enables intelligent decisions about whether a particular purchase is low risk taking into account things like the device that’s being used and previous shopping patterns.
“Fraud on Visa cards today is low, tracking at less than 5 cents in every €100 spent. And consumers are protected from fraud losses anyway – all the risk is taken by the merchants and banks. They are prepared to accept that risk to give a seamless experience to their customers as they know this makes sales more likely and it’s what people now expect.”
For more information on Visa’s response to the EBA, visit https://www.visaeurope.com/about-us/policy-and-regulation/