Voice of the Industry

COVID-19, PSD2, and the consequences for payments

Monday 14 December 2020 10:09 CET | Editor: Simona Negru | Voice of the industry

Kurt Schmid, Netcetera: 'If the right technologies are used and processes are optimised, the requirements of PSD2 and Strong Customer Authentication can be met without jeopardising conversion and without having to fear revenue loss' 

Improve conversion and reduce risk with current technologies 

The COVID-19 pandemic is driving more people to buy more online. Despite earlier reservations about ecommerce, many consumers have shopped online for the first time. Before COVID-19, global ecommerce sales were expected to grow by 15% in 2020 compared with 2019; it now appears that this year's growth will be 25%. It is therefore essential to improve conversion by making the checkout as smooth as possible, while at the same time using state-of-the-art technology to reduce risk. 

However, strong growth in ecommerce sales also brings an increased risk of fraud. In its latest report on card fraud, the European Central Bank found that almost 80% of total losses from card misuse were attributable to the card-not-present (CNP) sector, i.e. mainly to card transactions in ecommerce, and that card fraud in ecommerce had increased by almost 18% compared with 2017. This is one of the reasons why the EU Commission and the European Banking Authority (EBA), through the revised Payment Services Directive (PSD2) and its regulatory technical standards, are making Strong Customer Authentication (SCA) mandatory for most electronic payments. The aim is to strengthen the confidence of consumers and merchants in ecommerce. In practice it also means that consumers are increasingly asked to authenticate with a second factor, such as a one-time passcode (OTP) or a biometric.

Solving the contradiction between security and convenience 

Until now, the conflict between the highest possible level of security on the one hand and the smoothest possible user experience on the other seemed difficult to resolve. Now the right technologies are available to meet the requirements of Strong Customer Authentication while giving customers a simple and convenient checkout. This matters especially for consumers who are shopping online for the first time. 

There are three measures that matter: 

  1. The 3-D Secure process for card payments should be made as simple and streamlined as possible, by optimising the user flow and by taking advantage of all available SCA exemptions. 

  2. Tokenization offers an additional way to increase the security of card payments in ecommerce. 

  3. With delegated authentication, online merchants can perform the authentication themselves and thus offer their customers a one-click checkout. 

Using exemptions with the 3DS 2.x protocol 

PSD2 does not require SCA on every transaction: the EBA's regulatory technical standards define exemptions that a 3DS 2.x flow can request. Low-value remote transactions (up to EUR 30, subject to a cumulative limit of EUR 100 or five transactions since the last SCA) are exempt. The same applies to payments to merchants that the cardholder has whitelisted with the issuer as trusted beneficiaries. In addition, if transaction risk analysis (TRA) is used, low-risk card payments may be made without SCA up to an amount that depends on the PSP's reference fraud rate (EUR 100, 250 or 500). Note that an exemption is requested by the merchant or acquirer but applied by the issuer, which can still insist on a challenge. Finally, the 3-D Secure SDK for app-based checkouts, like the browser data collected in 3DS 2.x, delivers additional device data for risk management; this data feeds the TRA but is not an exemption in itself.
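To make the exemption rules concrete, here is an added example (not Netcetera or scheme code) of an issuer-side decision function that applies the trusted-beneficiary, low-value and TRA exemptions from the EBA RTS on SCA (Commission Delegated Regulation (EU) 2018/389, Articles 13, 16 and 18) and shows the edge case that catches most implementers: the low-value counters accumulate across unauthenticated transactions and only reset when an SCA is performed. The card state, merchant identifiers, fraud rates and amounts are constructed for the example, and the conservative reading of the Art. 16 counters (both limits must hold) is an assumption stated in the code.

```python
"""Issuer-side evaluation of PSD2 SCA exemptions for a remote card payment.

Added illustration, not Netcetera or scheme code. Thresholds are those of the
EBA RTS on SCA (Commission Delegated Regulation (EU) 2018/389): Art. 13 trusted
beneficiaries, Art. 16 low-value remote transactions, Art. 18 transaction risk
analysis (TRA). Card state, merchant IDs and fraud rates are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal

LOW_VALUE_MAX = Decimal("30")          # Art. 16(a): single transaction <= EUR 30
LOW_VALUE_CUM_AMOUNT = Decimal("100")  # Art. 16(b): cumulative amount since last SCA
LOW_VALUE_CUM_COUNT = 5                # Art. 16(c): transactions since last SCA
# Art. 18 / Annex: acquirer reference fraud rate (%) -> maximum exempt amount (EUR)
TRA_BANDS = [
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
]


@dataclass
class CardState:
    """Per-card counters the issuer keeps since the last SCA, plus its whitelist."""
    amount_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    trusted_merchants: set = field(default_factory=set)


def tra_limit(fraud_rate_pct) -> Decimal:
    """Highest amount the TRA exemption covers at the given fraud rate."""
    rate = Decimal(str(fraud_rate_pct))
    for max_rate, limit in TRA_BANDS:
        if rate <= max_rate:
            return limit
    return Decimal("0")  # above 0.13 % there is no TRA exemption at all


def evaluate(amount, merchant_id, state: CardState, fraud_rate_pct, tra_low_risk: bool) -> str:
    """Return the exemption the issuer applies, or 'sca' if a challenge is needed.

    Exempt transactions advance the Art. 16 counters; an SCA resets them.
    The RTS lets the low-value exemption stand when EITHER the cumulative amount
    or the count is within its limit; this example applies BOTH limits, the
    conservative reading many issuers use (an assumption of this example).
    """
    amount = Decimal(str(amount))
    exemption = None
    if merchant_id in state.trusted_merchants:
        exemption = "trusted_beneficiary"                      # Art. 13
    elif (amount <= LOW_VALUE_MAX
          and state.amount_since_sca <= LOW_VALUE_CUM_AMOUNT
          and state.count_since_sca <= LOW_VALUE_CUM_COUNT):
        exemption = "low_value"                                # Art. 16
    elif tra_low_risk and amount <= tra_limit(fraud_rate_pct):
        exemption = "tra"                                      # Art. 18

    if exemption is None:
        # challenge the cardholder (OTP, biometric, ...); the counters start over
        state.amount_since_sca = Decimal("0")
        state.count_since_sca = 0
        return "sca"
    state.amount_since_sca += amount
    state.count_since_sca += 1
    return exemption


if __name__ == "__main__":
    card = CardState(trusted_merchants={"shop-a"})
    for i in range(6):  # six EUR 25 payments: the sixth breaches the EUR 100 cumulative cap
        print(i + 1, evaluate("25.00", "shop-b", card, "0.10", tra_low_risk=False))
    print("tra:", evaluate("200", "shop-b", card, "0.05", tra_low_risk=True))
    print("trusted:", evaluate("999", "shop-a", card, "0.20", tra_low_risk=False))
```

Run stand-alone, the script shows five EUR 25 payments passing as low-value, the sixth forcing an SCA because the cumulative amount reached EUR 125, and the TRA and whitelist paths for larger amounts. In production the fraud rate is the acquirer's or issuer's own quarterly reference rate and the "low risk" flag comes from the TRA engine fed by 3DS 2.x browser or SDK data.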

With 3-D Secure, it is also important that all parties involved – merchants, PSPs and issuers – are aware of their respective responsibilities. To support online merchants in the transition to the latest version of 3-D Secure, Netcetera and Mastercard have set up a Merchant Testing Platform. This enables end-to-end tests to be carried out without much effort. 

Network tokenization for a secure checkout 

Many large online merchants already hold extensive information about their customers. With card-on-file tokenization, they can store card data permanently in the form of tokens (surrogate values that replace the original card number, the PAN, so the PAN itself never sits in the merchant's database). Until now, PSPs have used their own proprietary tokenization. However, it makes sense to use the network tokenization services offered by American Express, Mastercard, and Visa, as they bring a whole range of advantages. First, an end-to-end connection between card issuer and merchant can be established, which has a positive effect on the approval rate; for example, the token stays valid when the underlying card is reissued. Moreover, the checkout can display the customer's original card, not only the last digits of the card number but also the card image, to increase customer confidence. Security is significantly enhanced by an additional per-transaction cryptogram (as known from card-present transactions), so that a token lifted from a merchant database cannot be replayed on its own. Experience to date shows that online merchants can improve their conversion rates by approximately 6% with network tokenization compared with ordinary card on file. 
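The following added example (not Netcetera or scheme code) sketches the token-plus-cryptogram mechanism described above end to end: a token service provisions a card-on-file token bound to one merchant, issues a fresh cryptogram for each transaction, and the authorising side detokenises only after the cryptogram verifies and the transaction is not a replay. The `TokenService` class, its HMAC-SHA256 cryptogram (a stand-in for the EMV-style cryptograms real network tokens carry, such as a TAVV), the PAN, merchant identifiers and amounts are all constructed for the example.

```python
"""Network-token checkout with a per-transaction cryptogram, sketched end to end.

Added illustration, not Netcetera or scheme code. TokenService stands in for a
scheme token service provider (TSP); its HMAC-SHA256 cryptogram is a stand-in for
the EMV-style cryptograms real network tokens carry. PANs, merchant IDs and
amounts are constructed for the example.
"""
import hashlib
import hmac
import secrets
from decimal import Decimal


class TokenService:
    def __init__(self):
        self._vault = {}    # token -> {"pan", "key", "merchant"}; never leaves the TSP
        self._seen = set()  # (token, unpredictable number) pairs already authorised

    def provision(self, pan: str, merchant_id: str):
        """Card-on-file enrolment: the merchant stores the token, never the PAN.
        Returns the token and the last four PAN digits for display at checkout."""
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        self._vault[token] = {"pan": pan, "key": secrets.token_bytes(32), "merchant": merchant_id}
        return token, pan[-4:]

    @staticmethod
    def _message(token, merchant_id, amount, un) -> bytes:
        # the cryptogram binds token, merchant, a canonical amount and a nonce
        return f"{token}|{merchant_id}|{Decimal(str(amount)):.2f}|{un}".encode()

    def cryptogram(self, token, merchant_id, amount):
        """Merchant requests a cryptogram for this one transaction.
        Returns (unpredictable number, cryptogram), or None if the token is
        not bound to this merchant (domain restriction)."""
        entry = self._vault.get(token)
        if entry is None or entry["merchant"] != merchant_id:
            return None  # a token lifted from shop A is useless at shop B
        un = secrets.token_hex(8)
        mac = hmac.new(entry["key"], self._message(token, merchant_id, amount, un),
                       hashlib.sha256).hexdigest()
        return un, mac

    def authorize(self, token, merchant_id, amount, un, mac):
        """Network/issuer side: detokenise only after the cryptogram checks out."""
        entry = self._vault.get(token)
        if entry is None or entry["merchant"] != merchant_id:
            return ("declined:unknown_token", None)
        expected = hmac.new(entry["key"], self._message(token, merchant_id, amount, un),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return ("declined:bad_cryptogram", None)  # amount tampered or cryptogram forged
        if (token, un) in self._seen:
            return ("declined:replay", None)          # captured cryptogram resent
        self._seen.add((token, un))
        return ("approved", entry["pan"])


if __name__ == "__main__":
    tsp = TokenService()
    token, last4 = tsp.provision("4111111111111111", "shop-a")  # constructed test PAN
    print("checkout shows **** " + last4 + ", merchant stores", token)
    un, mac = tsp.cryptogram(token, "shop-a", "49.90")
    print("first use:", tsp.authorize(token, "shop-a", "49.90", un, mac)[0])
    print("replay:   ", tsp.authorize(token, "shop-a", "49.90", un, mac)[0])
    print("other shop:", tsp.cryptogram(token, "shop-b", "1.00"))
```

The three declines are the point: without the per-token key held at the TSP an attacker holding only the merchant's stored token cannot produce a valid cryptogram, a captured cryptogram is rejected on reuse, and a token provisioned for one merchant is refused for another. Plain card-on-file PANs offer none of these checks.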

Delegated authentication for a PSD2 compliant one-click checkout 

Online merchants can also use existing customer information for Delegated Authentication. As PSD2-compliant authentication methods for merchants, the standards of the FIDO Alliance (Fast IDentity Online) are well suited. The FIDO standards, which cover biometric as well as hardware-backed authenticators, are supported by Mastercard and Visa as well as by the major platform and software providers (e.g. Microsoft, Samsung, Facebook, Apple, Google). 

If a merchant has already securely registered its customers using a FIDO-compliant procedure, the login to the merchant's customer account can serve as the authentication for payment transactions, provided that login itself meets the SCA requirement of two independent factors (for example possession of the registered device plus a biometric or PIN). Authentication via the card issuer is then no longer necessary. Merchants and card issuers can agree on this type of authentication through bilateral contracts. However, it is more sensible and straightforward to use the services of Mastercard and Visa as Delegated Authentication brokers, so that one onboarding covers all participating issuers. 

For the checkout, this means that customers are no longer bounced back and forth between the merchant app and the bank app, but can complete a payment with a single click, whether in the web or the mobile channel. 

The bottom line is: there is a whole range of practical solutions available to online merchants that enable them to offer their customers both security and convenience. There is no doubt that all major online retailers will make consistent use of these new solutions. All other online merchants should follow as soon as possible in order to remain competitive. 

The conclusion can be summed up as follows: if the right technologies are used and processes are optimised, the requirements of PSD2 and Strong Customer Authentication can be met without jeopardising conversion and without having to fear revenue loss.

This editorial was published in the Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.

About Kurt Schmid

Since 2020, Kurt Schmid has been Marketing & Innovation Director Secure Digital Payments at Netcetera. Before that, he had been responsible for Netcetera's Digital Payment Division since the beginning of 2017, following the takeover of Nexperts GmbH, an Austrian mobile payment and NFC specialist that Kurt Schmid founded and led as CEO. 


About Netcetera

As market leader for payment security, we offer innovative digital payment solutions with a strong focus on convenience, security, and mobile use. Our customers rely on our high-quality, scheme certified products for 3-D Secure, mobile contactless payment, digital wallets, risk-based and convenient authentication or digital banking apps for optimised banking. 



Keywords: Kurt Schmid, Netcetera, COVID-19, PSD2, pandemic, coronavirus, ecommerce, online shopping, fraud, risks, CNP fraud, SCA, PSD2, 3DS, biometrics, security, tokenization, authentication, risk management, cards
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World