New Security Measure Could Block One-Third of Online EU Purchases, Cost Merchants More Than €100 Billion
29th September 2020
European merchants struggling with the coronavirus pandemic risk losing more than €100 billion in online sales next year if not given more time to prepare for a new two-factor authentication mandate intended to reduce credit and debit card fraud, according to research released today by independent payments consulting firm CMSPI.
“We have to accept the fact that 2020 has been an exceptional year,” CMSPI Head of Approvals and Fraud Toby McFarlane said. “Both merchants and card issuers have clearly been busy with the pandemic and neither have had the time to give this important new technology the attention it requires. Putting these barriers up when the industry has not been able to properly prepare is going to result in frustration for millions of consumers and lost sales for retailers at a time when they can least afford it. Payment security is one of merchants’ top priorities, but they need the time to do this right. This is particularly bad timing because store shutdowns have made retailers rely on online sales for more of their revenue than ever before.”
Beginning in January, EU banks that issue payment cards will be required to comply with the Strong Customer Authentication mandate, an EU banking regulation intended to make online payments more secure, and will begin using 3D-Secure Version 2.0, an authentication protocol developed by the major card schemes. Merchants that accept online card payments will be required to support 3DS2.
But CMSPI’s new SCA Economic Impact Assessment report says the technology “remains relatively new and unproven” and “adds significant unnecessary friction to the online commerce experience.” While banks may be satisfied that 3DS2 is compliant with SCA, “European merchants need solutions that are both compliant and consumer friendly,” the report said.
Transactions are rejected if the customer fails to provide the required two of the three steps associated with the mandate (knowledge, inherence, or possession), and the process adds between 60 seconds and two minutes to checkout. Testing shows 25 percent of 3DS2 transactions are abandoned by consumers, compared with single-digit numbers without the technology.
Overall, testing shows 35 percent of 3DS2 transactions fail to go through, either because they are declined, abandoned by frustrated consumers or because of technical errors. If not corrected, that would amount to €108.1 billion in lost sales based on 2019 sales volume, the report said. Ironically, that is almost 100 times the annual amount of card fraud – the problem SCA and 3DS2 are intended to solve. The number excludes transactions made with digital wallets such as Apple Pay or PayPal, which have their own SCA-compliant solutions that add significantly less friction to checkout.
Consumers often blame retailers for online delays, and large retailers with the resources to minimize delays are likely to win customers from smaller retailers that do not, the report said. Small retailers account for €69.4 billion of the sales at risk, compared with €38.7 billion for large merchants.
The deadline was set by the European Banking Authority before the outbreak of COVID-19, and only 65 percent of EU banks that issue payment cards are ready, according to the report. Most merchants are only in the testing stages, and with the remaining banks not ready, reliable testing with those banks’ customers is impossible. The United Kingdom has pushed back compliance until September 2021 because of the pandemic, but EU officials have refused to do so.
The 22-page report breaks out the impact of SCA on France, Germany, Italy, Spain, Belgium, Netherlands, Poland, Sweden, Denmark, Finland, Iceland and Norway.