Blog Post - Andrew Waugh, Jul 25 2019

New payment security measures set to add friction at checkout

A new EU directive will soon require digital retailers to add extra authentication steps at checkout for the majority of online payments. The move is part of ongoing efforts to crack down on digital fraud by making it harder for criminals to complete transactions using stolen cards or bank details. Whilst the initial deadline of 14th September has now been ditched in response to concerns about the industry's ability to comply within that timeframe, a new date will be set that allows for harmonisation across the European Economic Area.

In short, it's coming. And it's coming at a time when the direction of travel in digital commerce is to try to eliminate points of friction from the purchasing journey. New authentication measures threaten to cause delays in processing payments and frustration for customers.

Strong customer authentication - what's it for?

The changes are part of the second Payment Services Directive (PSD2). The requirements on payments are known as Strong Customer Authentication (SCA) and apply to what are being defined as "customer initiated" online payments and bank transfers. This means the new rules apply to the majority of instances where a customer makes a one-off payment via a digital basket, including within registered accounts, but not to "merchant initiated" repeat billing like Direct Debits.

SCA is built on the principle of multi-factor authentication, which means more than one method of verification must be used. The directive specified that banks should decline payments if two of the following three methods of authentication are either not available or not successful:

  • A customer password or PIN
  • Third-party verification via banking app, SMS or hardware token
  • Face or fingerprint recognition

The intentions behind the SCA are undoubtedly sound. As more and more of the world's economic activity takes place online, digital theft and fraud are becoming increasingly common problems. One of the easiest ways for cyber-criminals to defraud consumers and businesses alike is by stealing personal details, like debit or credit card numbers or bank account information, and using them to pay for goods and services online.

As the sophistication of hacking and identity theft has accelerated, the fallback of quoting the CV2 security code on the back of a card is no longer adequate, as criminals can get hold of these easily. Multi-factor authentication, which matches payment and account details to a real-time verification system, whether it is biometric recognition or a code sent via SMS, is now widely recognised as the best way to combat the fraudulent use of personal payment details. The SCA simply seeks to make this mandatory for all online payments.

What impact will SCA have on digital retail?

The downside of such measures is the fact that they add extra steps to the purchasing process. Digital retailers will obviously have to face the technical challenge of setting up appropriate authentication processes. But arguably a greater issue is making these as friction-free and clear as possible for the customer.

Digital shoppers increasingly prioritise convenience and ease on their purchasing journeys – as the latest Future Shopper survey confirms – meaning they want as few steps and potential points of friction as possible. The growing popularity of online subscription services, ‘Zero UI’ shopping via smart voice assistants, social commerce and Programmatic Commerce™ all signal the future in digital shopping trends. The intentions behind SCA might be sound, but there is little doubt multi-factor authentication adds snag points for consumers.

It is not difficult to imagine the potential pain points - customers, who may already have had to use a password or PIN to log into their account, forgetting their payment PIN, or using the wrong one. Or perhaps they lose the hardware token supplied by their bank, or they don’t have signal and can’t receive an SMS. Or, as is still the case for the majority of people, they don’t have a smartphone capable of facial or fingerprint recognition.

In the short term, we can expect SCA to lead to an increase in shopping cart abandonments and a decrease in conversions. When average abandonment rates continue to stubbornly cling around the 75% mark, this will not be welcome news to digital retailers.

However, with the directive all set to come into force, it is something shoppers and the digital commerce industry alike are going to have to learn to cope with. It is likely that any negative impact on cart abandonments and sales will be short-term, partly because solutions will emerge to make multi-factor authentication less disruptive to the flow of a shopping journey, partly because consumers will in time come to accept it as a normal part of their shopping journey. Ultimately, making digital commerce more secure is in everyone’s best interests – and something that will build trust between retailers and their customers.

What can retailers do to prepare?

The obvious answer is to make sure that your payment systems will be compliant with SCA and have the appropriate authentication tools in place. This does not necessarily mean adopting entirely new systems. The 3D-Secure protocol used by the likes of Visa, MasterCard and American Express for their branded verification services is getting an upgrade, 3DS 2.0, ready for SCA. If you already use this system, you may be set up for SCA already, but you will need to check with your payment service provider.

In terms of getting customers on board with the changes, the best strategies are education and choice. Most shoppers will not be aware of the changes in regulations and may be surprised the first time a pop-up appears during check-out asking them to verify their identity. There is even the risk that, if it is not well communicated, they may fear it is some sort of phishing scam and therefore abandon the cart. Make sure you have plenty of well-signposted information on your site, such as:

  • a dedicated landing page you can direct customers to, from your shopping cart, before the authentication process starts
  • pop-ups explaining what is happening when it does get triggered
  • FAQs in your community section
  • a blog post announcing the changes

Be sure to explain the benefits to your customers - these are measures intended to make it harder for people to steal their online identities and spend money in their name.

Finally, consumers are likely to feel less put out by an extra authentication step if they are given choices about how they can go through it. A single 3DS password system might make you compliant, but it won’t please those customers who already hate having to remember too many passwords. Giving shoppers the option of passwords, codes via SMS or authenticator apps and biometric scans will help to make them feel more in control of the process.