Fraud has soared to record levels in the UK, with the national fraud prevention service Cifas recording 189,108 cases totalling £1.12 billion last year. In a bid to staunch the flood of crime, the EU is set to introduce new regulation on September 19 that aim to increase the security of online shopping.
The change means that for payments totalling more than £30, customers will be prompted to provide an extra form of authentication beyond card information to complete a purchase.
However, not everyone is happy. The European Payment Service Providers for Merchants (EPSM), a non-profit trade association representing vendors that provide payment services to companies, has requested a delay in the introduction of the measures. The retailers just aren’t ready.
And due to the obscure nature of the EU regulation means a vast amount of shoppers aren’t ready for the change. One survey has estimated almost 70 per cent of UK adults think there is already enough or even too many checks on online card payments. How will the implementation of PSD2 affect the payments landscape?
So what exactly is happening?
It’s because of PSD2 – the piece of legislation that introduced open banking to the UK. PSD2 is the European legislation proposed by the European Banking Authority (EBA) that stipulates new requirements for authenticating online payments among other things.
These set of requirements are also known as Strong Customer Authentication (SCA) solutions. Their intended effect is to increase the safety of online payments and reduce the amount of fraud. Online retailers will have to comply with these regulations from September, meaning that if they don’t, customers’ payments will be declined.
This regulation requires the introduction of two-factor authentication in the checkout process. Much like two-factor authentication that’s used to help secure social networks and other online platforms, it will require a user to prove it is really them trying to pay for an item.
In particular, for online shopping customers will be challenged to supply at least two of the following three elements: something they know (for example, a password or PIN); something they have (for example, a phone or hardware token); or who they are (for example, biometric information like fingerprint or face recognition). It will be up to the card issuer to decide on which methods of authentication it chooses to leverage.
This requirement for extra authentication will apply to payments over €30 (£26.96), bringing online payments in line with in-store transactions, where customers can only use contactless cards for payments under £30 in the UK.
The new legislation threatens to make the checkout experience a little more onerous by necessitating extra checks and balances to complete the transaction. This will apply to ‘customer-initiated’ transactions, which covers one-off payments on ecommerce websites. Direct debits, will not fall under the new regulation as they’re initiated by the payment service.
The new rules will apply to transactions where the business and the cardholder’s bank are located in the European Economic Area, and this is expected to be the case despite which way Brexit goes.
However, the slight nuisance of two-factor authentication might be balanced by the newly released payment standard. At present, the 3D Secure payment standard – which customers will likely be familiar with under its branded names such as Visa Secure or Mastercard Identity Check – prompts an additional step in the payment process to reduce the risk of fraud. Even this, though, can be sufficient to dissuade people from buying.
The newest version of this standard, out in 2019, promises to help streamline transactions. There will be more sophisticated designating of risky or non-risky transactions, meaning customers won’t have to complete the additional step indiscriminately. They’ll also have more choice–newer ways of verifying identity such as entering biometric information will be supported to a greater extent in the newest iteration.
For their favourite online retailers, customers will be able to whitelist several ‘trusted beneficiaries’, meaning they won’t be prompted for additional authentication required under SCA each time. If you always buy from Next, it may be possible to mark it as a favourite.
However, some shoppers have signalled opposition to the need to provide extra authentication information. A Fico survey found that in the case of a bank asking a customer to provide a phone number to authenticate a transaction, although 53 per cent would happily hand it over, 37 per cent say would respond negatively, such as refusing to provide it or complaining.
But for these customers, there may be options. In a statement a spokesperson for the Financial Conduct Authority said: “We would encourage anyone concerned about their ability to verify online payments to speak with their bank or provider, to ensure their contact details are up to date and discuss what alternatives may be available.”
Why are the payment providers asking for a delay?
EPSM, the 67 strong member body for payment provider services has assured regulators that a delay to the introduction of the legislation is vital to avoid “significant market disruptions” and “a disaster for consumers and PSPs [payment service providers]”. The body is advocating for an additional extension of 18 months for standard applications and 36 months for challenging applications such as those in travel and hospitality.
EPSM advocates for smaller businesses in the EU – rather than the likes of Amazon or Paypal – and is acting to support these businesses “survive the PSD2-SCA”.
“Currently, our main “tool” for helping smaller merchants is to plead to a pragmatic and EU-wide delay – at least for the card market,” says Nicholas Adolph, chairman of EPSM. “In many cases, the technology is just not available, not ready for deployment or not user-friendly.”
In the UK, in light of these concerns, the FCA now supports a delay in the enforcement date for some firms that are struggling to meet the September deadline. “Given the FCA’s statement on a proposed migration plan, we believe that a managed, timely migration to SCA will result in the best outcomes for consumers while effectively balancing both convenience and security,” the organisation said in a statement.
Currently, 3D Secure is the most widely used authentication standard employed by EU based companies. This generally adds another step after the checkout experience where customers are prompted by their banks to enter additional information such as a one-time code sent to their phone or their fingerprint to verify the transaction.
A newer version of this payment standard, a more ‘user friendly’ version, EMV 3DS 2.2, will only become available next year. This new standard promises to smooth out some of the friction embedded in the customer experience. However, Adolph says that the 2019 launch date is a further complicating factor for merchants seeking to become compliant with the new EU regulation.
More great stories from WIRED
🕵🏿 It’s time you ditched Chrome for a privacy-first web browser
🚕 London’s minicabs have a cunning plan to beat Uber
🎉 A vaccine for Alzheimer’s is on the verge of reality
🤦🏽 Reddit’s ‘Am I the Asshole’ is your new guilty pleasure
📧 Get the best tech deals and gadget news in your inbox