As the European Banking Authority (EBA) develops its Regulatory Technical Standards, and as the EU Member States consider the detail of PSD2, any regulation governing online payments should enable and encourage the e-commerce sector to balance the twin considerations of risk and convenience (otherwise growth would be stifled and costs would increase).
A new Visa Europe white paper says the sector should be free to take a risk-based approach to the use of strong customer authentication (because, if you have already determined that a transaction is legitimate, there is absolutely no need to force a customer to authenticate themselves).
Across Europe, the e-commerce sector is large, it’s disproportionately significant, and it’s growing rapidly. Across Europe the B2C e-commerce sector is valued at more than €432 billion, and employs around 2.5 million people. It’s growing ten times faster than the wider economy (14% compared with 1.4%). As a proportion of the EU economy it’s forecast to more than double within the next five years (from 2.45% to 6% of GDP). In just one year, the number of transactional B2C websites leapt from 650,000 to 715,000 and the number of parcels sent went from 3.7 billion to 4.0 billion.
Online payments are a huge market for Visa Europe. Already, they account for more than 21% of Visa Europe volume. In the past year, they grew at 17% – more than twice as fast as our face-to-face volumes and, according to some estimates, more than half of all online transactions are now initiated using mobile devices.
Given the scale, the significance and the security profile of online payments, they have attracted the attention of the regulators – and a new set of EU-wide security requirements is due to be enshrined in law.
Back in 2013, the Eurosystem published a series of initial recommendations. The European Banking Authority (EBA) turned these recommendations into a set of guidelines for Payment Service Providers, which became applicable on 1 August 2015. In parallel, a new Payment Services Directive (PSD2) has been finalized, which tasks the EBA with further refining these guidelines by establishing a definitive set of Regulatory Technical Standards.
The principle of Secure Cardholder Authentication (SCA) is central to these developments – but, needless to say, the devil is in the detail of exactly where, when and how SCA should be applied.
SCA involves at least two factors of authentication – in practical terms, this means that a transaction should be authenticated with some form of a passcode (although, if the technology were easily accessible, a transaction could be authenticated with some form of biometrics). PSD2 requires that the ability to perform SCA should be supported by all payment service providers and should apply across electronic payments (irrespective of the channel). PSD2 does, however, acknowledge that it is neither necessary nor appropriate to perform SCA on every transaction, and that the requirement can be forgone depending on: the level of risk entailed; the amount and/or the recurrence of the transaction; and the channel being used. But much of the detail is yet to be resolved as part of the Regulatory Technical Standards being developed by the EBA.
Visa Europe says they fully support the principle of SCA – after all, they developed the technological architecture that makes it possible (3DSecure, on which Verified by Visa is based), and have been incentivizing its adoption for more than a decade (e.g. through liability shifts). They are strong supporters of SCA, and have been advocating many ways to ensure its integrity (including the move from static to dynamic passcodes).
Visa Europe says it is engaged actively with payment service providers and retailers, encouraging them to support Verified by Visa and advising them how to deploy it effectively. But, with a decade’s experience of SCA (via Verified by Visa), we know all about its dangers and limitations. Used in the wrong way, in the wrong place, it becomes a conversion killer (and any blanket requirement to use SCA would inhibit the growth of Europe’s e-commerce sector).