Strong Customer Authentication is coming soon!
Accepting payments has long been a matter of risk management or, in other words, of finding a balance between making the transaction easy for the customer and protecting the merchant against payment fraud.
eCommerce is going through a continuous improvement process on this point, as Fernand Collart, from MasterCard, demonstrated last week during Trustech. As of now, he said, the transaction approval rate reaches 97% for physical commerce, while it lags at 86% for online commerce. Fraud in eCommerce remains 10 times higher than in physical commerce. Our secure transactions industry is working both on improving the customer journey, making transactions as frictionless as possible, and on making payment more secure for merchants.
To improve security, from September 2019 PSD2 (the second Payment Services Directive) will impose Strong Customer Authentication (SCA) for eCommerce payments. A PSD2-approved SCA transaction requires a combination of two or more of the following: something the user knows, such as a password or a PIN; something the user owns, such as a handset or a smart card; and something the user is, proven by biometrics.
As a consequence, the industry, led by EMVCo and the payment schemes, is evolving from 3D Secure to 3D Secure 2.0. This new specification is more open than the previous one: either customers will notice little change in the way their transactions are processed, when they are asked to provide a two-factor authentication code received via email or SMS, or they will be required to go through biometric authentication based on fingerprint or face recognition.
As mentioned during the speech, 3DS 2.0 deals with ten times more data than 3DS. This way, merchants are able to build a risk score based on these data. In addition, 3DS 2.0 allows more data to be shared between banks and merchants.
However, PSD2 also includes provisions for SCA exemptions: low-value and low-risk transactions, subscriptions and recurring transactions, whitelisted merchants, corporate cards, and MOTO (mail order, telephone order) transactions, which are not considered electronic transactions and are thus excluded from the scope of this regulation.
The implementation of these new rules will take place throughout 2019 in Europe, before being extended to the rest of the world, driven by the payment schemes.
However, 75% of the 800,000 European eCommerce merchants have still not heard of PSD2, according to Fernand Collart. At the same time, merchants generally focus more on making their customer journey frictionless. This demonstrates the extent of merchant education that remains ahead of us!