In a new report by CMSPI it calculates that €108 billion worth of online sales are at risk across Europe in 2021, as a direct result of the Strong Customer Authentication (SCA) mandate and cliff-edge implementation on December 31st, 2020.
SCA is one of the key mandates of the second Payment Services Directive (PSD2), entering into force on 13th January, 2018.
The ultimate goal of SCA is to reduce fraud and to make online payments more secure through enhanced customer authentication. To meet SCA requirements, banks must authenticate their customers for each ‘remote transaction’ via at least 2 of 3 defined elements of identification: knowledge, inherence, and possession.
The initial deadline for SCA compliance was September 14th 2019. This was delayed due to a lack of industry readiness. A new deadline was set at 31st December 2020 by the European Banking Authority in October 2019, prior to the COVID-19 pandemic.
Due to the prominence of EMVCo members Visa, Mastercard, American Express and Diners Club in the European market, EMV 3DS2 has been selected as the solution to bring European card payments SCA compliance.
While specifications were accelerated beyond normal timeframes, the technology remains relatively new and unproven – and crucially adds significant unnecessary friction to the online commerce experience.
To gauge the preparedness of the industry and to monitor the extent to which SCA implementation by issuers presents as smooth and frictionless a journey as possible for their customers, European merchants have engaged in SCA testing.
While issuing banks might implement solutions that are compliant, European merchants need solutions that are both compliant and consumer friendly to maximise security and minimise the potential disruptions caused by SCA.
This is where reliable testing becomes even more important for merchants as, by evaluating metrics like challenge success rates, abandonment rates and frictionless success rates, merchants can adequately assess and adjust to ensure these solutions are consumer friendly.
Merchants, however, face challenges when conducting these tests mainly due to the lack of industry readiness. If an issuing bank has not yet implemented 3DS2, then it would be impossible for a merchant to test transactions with that bank’s customers.
To tackle this, the card schemes have auto enrolled issuers for stand-in processing so that issuers who are not yet ready with their own implementations of EMV 3DS can rely on, for example, Visa and Mastercard for authentication.
Authorisation approval rates differ significantly between issuer authentication and authentication stand-in, which therefore makes it difficult for merchants to truly anticipate what the effect of issuer implementation of 3DS will be for issuers currently relying heavily on authentication stand-in.
Testing carried out to date by European merchants indicates that abandonment rates through 3DS are 25%+ across most European markets, compared to typical abandonment in the single-figures once a customer has clicked ‘pay’ today.
In addition – according to CMSPI sources and retailer testing figures – even successful authentications can take upwards of 60 seconds, and in some instances average over 2 minutes. This presents a significant risk to sales and will have a substantial impact on all types and sizes of retailers.
In fact, it is likely that small merchants will be worst affected by these abandoned transactions. Customers often associate long loading times and errors with the merchant, and if smaller merchants with less IT resource available are unable to offer frictionless customer checkouts then it is likely the largest merchants across Europe – with the capability to devote significant resource to optimising payments flows – that stand to win those customers.
CMSPI calculates that €108 billion worth of online sales are at risk across Europe (excluding the UK) in 2021 alone, as a direct result of the Strong Customer Authentication mandate and cliff-edge implementation on December 31st, 2020.
These sales are at risk of transactions failing, technical errors occurring, and ultimately good customers being forced to cancel their purchases.
The key reason for this significant disruption to online commerce is due to the performance of EMVCo 3D-Secure version 2 (3DS2): an authentication protocol that has been selected to support all online card transactions in Europe (€320.9 billion in 2019).
Many card issuing banks do not yet support the protocol and are unlikely to be ready before the December 31st deadline: even where issuers do support 3DS2, the customer experience is often poor.