It seems that European payments regulation may be forcing the cards market to take a step backwards. We appear to be moving away from the frictionless online payment environment that so many of us use day to day, towards a much higher friction world where every transaction over €10 is actively issuer authenticated. This blog explores some of the implications of the tough stance taken by the European Banking Authority on consumer authentication in the European cards market.
Today many retailers side-step issuer authentication in order to allow their customers to use one-click check-outs (Amazon, Apple), pay for monthly subscriptions (Spotify, NowTV), or take taxis without getting out a wallet (Uber). In this process merchants take on transaction risk by virtue of liability shift (a principle embodied in the PSD2). In addition, issuers in some markets (like the UK) have invested extensively in Risk Based Authentication (RBA) which has enabled issuers to accept transaction risk by not requiring a 3D Secure challenge in 90%+ of transactions. Issuers, consumers and merchants are happy with this arrangement. Issuers actively authenticate only 5-10% of higher risk transactions, merchants reduce basket drop-out rate, and consumers pay more easily.
On 23rd September 2016, the EBA held a Public Hearing as part of its role to define some of the more detailed aspects of the Second Payment Services Directive (PSD2), including the implementation rules associated with Strong Customer Authentication (SCA). The PSD2 sets out that SCA requires payment account providers (issuers) to authenticate by combining two out of the three following elements: something you are (eg fingerprint), something you have (eg a plastic card, or token generator) and something you know (eg a PIN/password). In the Hearing they also addressed the issue of risk based and in-channel authentication.
Until this point the cards market was not too worried by the PSD2’s SCA requirement because we believed:
It became apparent in the EBA’s meeting, however, that these assumptions may prove false. Follow-up presentations by the EBA in other markets have served to reinforce this perception. It looks highly likely that the EBA will require:
This outcome is a backwards step for the European cards market. It degrades the consumer experience at the point of payment, frustrates merchants who wish to allow customers to check-out easily, and annoys issuers who are promoting cards as a form of easy online payment.
Our worry is that this smells of a political initiative by the European Commission to “level the playing field” between credit transfer and card based payments by removing many of the current advantages of the latter (eg risk based authentication, card on file etc.). It is worth noting at this point that in 2015 cards accounted for 56% of eCommerce spend across Europe, while credit transfers accounted for only 9% of spend. This effort would seem to potentially undermine up to half of European eCommerce spend, in order to promote a minority payment type. The chart below provides a further breakdown of the payment types used in Europe. For more detail on this and the topic of alternative payments see our recent presentation here.
Given that consumers and merchants have got so used to frictionless card based payment online, what could merchants consider as a fallback option? Below are some of our early thoughts:
We are hoping, along with the rest of the cards market, that the EBA softens its position in this area. This regulation has a significant risk of distorting the market and pushing online merchants and consumers, for whom frictionless check-out is increasingly important, into new, less regulated payment types. Merchants, issuers, acquirers, card schemes and gateways should unite to lobby against this regressive move. It is good to see that this process has already started in the merchant community.