It’s estimated that global online retail will hit $6.77 trillion this year. This figure has more than doubled in the last five years, and the growth looks likely to continue. These ecommerce transactions typically take place using the Card-Not-Present protocol. The customer enters their card details when checking out on the website.
Card-not-present fraud typically accounts for over 80% of all card fraud, and Mastercard estimates it at 10 times the level of in-store card fraud. Given the sums involved, it’s not surprising that there is a lot of effort going into reducing this type of fraud.
The European Commission has launched a new ruling which it hopes will reduce these fraud rates. There is a broad revised Payments Service Directive (PSD2) combined with a narrow technology called Strong Customer Authentication (SCA). SCA comes into law across Europe on 14th September 2019.
SCA will change how all customers across Europe authenticate their payments. It will involve a two-step authentication process that makes use of a password or biometric authentication such as a fingerprint. PSD2 involves a broad set of rules. These define the consumer experience when making payments, i.e. what customers are shown, in what way, and at what point during the transaction.
These new SCA rules mean that banks, merchants and payment processors will have to implement additional verification on all electronic transactions over £30 or €30. The rule is that the two-step verification will require any two of the following three sources of information:
- Biometric ID, such as a fingerprint or iris scan,
- Something the consumer owns, such as a smartphone, or
- Something the consumer knows, such as a password.
What ecommerce managers need to do
In short, talk to whoever looks after your website. Most of the changes should be (may be) done by the payment service provider that you already use (e.g. Braintree, Sage or Worldpay). Once your business is PSD2 compliant you may consider adding yet another trust mark to the site to confirm that you are helping reduce ecommerce fraud.
Finally, for those with an interest in the politics of Brexit, my understanding of the law within Europe is that PSD2 requires both the bank and the business accepting the transaction to be based within the European Economic Area. The UK currently dominates European ecommerce. There are tens of thousands of ecommerce traders based here that sell internationally. The UK Government has undertaken a partial analysis of how these regulations will ultimately impact ecommerce business across the UK. I found it worrying that the analysis pays little attention to the business impact on small and micro businesses. These are particularly prevalent in Scotland. Here is an example of where Scotland needs its own specialist organisation that’s capable of getting to grips with the subject and laying out a policy that’s in our best national interests.