Capital Markets Corporate

March 22, 2019

A shift in payments regulation is coming – but has it been communicated?


This autumn, new online payment rules stemming from PSD2 will come into force that could have the same seismic effect as Chip & Pin did more than a decade ago. But are banks and payment providers, their merchants and the general public ready?

Many readers may not have even heard about Strong Customer Authentication (SCA), but all of us will be affected by it after September 14th. As part of the European-wide PSD2 directive, payment providers (such as banks and card issuers) have to enact a new set of stringent rules alongside merchants so as to increase security and mitigate against online card fraud.

Unfortunately, online card fraud is now ubiquitous. Just last week a fraudster attempted to buy £700 of jewellery using a clone of my own debit card. Most likely, my card details were taken by hackers as part of the many data breaches we constantly hear about in the news and posted onto the ‘dark web’ for sale. Then, they were bought by a fraudster and used to create a new debit card. Thankfully, my bank spotted the crime in time, but many people are not so lucky.

Online card fraud, known as Card Not Present (CNP) fraud, is big business. In 2016, CNP fraud accounted for 73% of total fraud perpetrated across Europe, totalling more than €1.3bn. Figures this week from UK Finance found that CNP fraud was up by 46% in 2018, with thieves stealing £500m using stolen card information.

To mitigate this, new EU rules (which the UK will be a part of, regardless of Brexit) require payment providers such as banks and card issuers to work closely with merchants to collect and disseminate more information about every online transaction to ensure against fraudulent activity.

Online transactions currently use ‘3D Secure’ to authenticate a transaction. You will have noticed this extra page when you make an online card payment, and very occasionally you will have been asked to enter in an additional password tied to your debit or credit card. And while this authentication protocol has helped mitigate against CNP fraud, it hasn’t stopped it.

So starting in September, systems will be upgraded with ‘3D Secure 2.0’, a new shift in authentication. Payment providers may now demand merchants collect more than just a pre-registered password – more likely, many more online payments will require us to enter a password or a pin, a one-time code sent via SMS or even a biometric factor such as a fingerprint.

This will likely result in a huge change in behaviour. We are all now used to making online payments with ‘1-click’ or simply entering a password, often saved within our browsers or apps. Initial estimates suggest authentication demands will double for online payments going forward.

Communication around this change has been limited. A recent survey by Mastercard found that only one in four merchants were aware of the changes, with fewer than half of those being made aware by their bank or payment provider.

The clock is ticking and many businesses – and certainly most consumers – are not aware that come September, online spending habits may change. Businesses will likely experience a higher rate of dropouts as people struggle to complete their online transactions when faced with additional authentication demands.

Back in 2003, banks, retailers, building societies and card issuers joined forces to launch the “safety in numbers” Chip & Pin awareness campaign to prepare the nation for the switch in 2004. This included high profile ads from Saatchi & Saatchi, as well as first-of-its-kind informational alerts on ITV News. While the upcoming changes are likely to have a more subtle effect on behaviour, it still may be time for the industry to raise its voice once again.

‘Frictionless’ payments has become the gold standard for online transactions in the last decade as we have shifted our spending habits online. Merchants such as Amazon have revolutionised how we spend by making it as easy as possible to buy online. But, to keep people spending and to keep us online, banks and payment providers must be leading the way to ensure everyone is aware of a shift in how we will spend online in the future.