- EU directive increases the security of online payments
- Transition period expired: from January 2021 the SCA will apply to e-commerce throughout Europe
- Online merchants and service providers must put the technical requirements in place now at the latest
- The majority of webshops are not yet ready – non-compliance could lead to loss of sales
Eschborn, 29 October 2020. The transition period has expired: from the first of January 2021 so-called “strong customer authentication” will be mandatory for online shopping across Europe. This is ensured by the EU’s “PSD2” payment services directive, which aims to improve consumer rights and reduce online fraud across Europe. In future, payments in e-commerce will have to be confirmed by two factors, whereas up to now the number of the customer’s credit card, for example, was sufficient. From the start of the new year onwards, e-commerce merchants and service providers who do not have payments verified by strong customer authentication will risk rejection of the payment by the customer's bank.
The SCA requirement in fact came into force in September 2019, but its application was suspended until 31 December 2020 because many online shops first had to create the necessary technical infrastructure. This transitional period for the SCA will expire at the end of the year.
European Banking Supervisory Authority requirements
No precise figures are available on how many online merchants and service providers are not yet ready to meet the requirements of the European Banking Authority (EBA). According to estimates by market observers, the majority still have some catching-up to do. However, the figures vary considerably across member states and market segments.
"Online merchants now urgently need to ensure that their webshop can handle two-factor authentication," says Jarno-Alexander Stuth, Vice President Large & Key Accounts Hospitality at Concardis, adding: "There are also exceptions to the rule, for example for recurring payments or small amounts, and this can be even more confusing. In such cases the payment service provider is in the best position to advise how the new requirements can be implemented correctly for the individual webshop".
Two factors for authorisation
The directive specifies that in future, in addition to the usual authorisation of payments, for example by means of a password or PIN, a second factor must be added as confirmation. The 2-factor procedure is already familiar to many account holders from logging in to their bank's online banking service. Some online shops already work this way: for example, after the password has been entered, the account holder is sent a text message with a number combination, which must then also be entered.
A second factor to enable strong customer authentication can, for example, be requested by the bank from the cardholder in the form of biometric procedures, such as authentication by fingerprint on the smartphone. The major credit card organisations have established a new protocol specifically for this new requirement, the so-called “EMV 3D-Secure” procedure.
No need to fear a higher abort rate in the long term
"We have continuously informed our merchants about the new requirements ever since the directive came into force in 2019," says Stuth. He adds: "Our online payment solution already features all the necessary technical requirements. Those who use the solution will also be on the safe side at the turn of the year".
Many online merchants are concerned that the abort rate at the checkout will be higher if consumers have to take an additional step to approve the payment. This may well be the case in the first few weeks. However, Stuth gives a general reassurance: "The directive is binding for everyone in e-commerce in Europe. This means that customers will get used to it very quickly and it will become a matter of course to first enter a password and then confirm the payment by smartphone, for example". This will provide both merchants and consumers with a high degree of security, and therefore give them additional confidence in making online transactions. "And that will pay off in the medium term," says Stuth.
Further information, including a detailed catalogue of questions and answers on PSD2 and strong customer authentication, is available on the Concardis website.