Securing payments by the European Union: a threat to the e-commerce industry?

While strong authentication devices are, so far, only tools that allow e-traders to manage their risk and fraud rates, it would seem that they will become mandatory by 2018.

Unquestionably, Internet payments are at the heart of the concerns of European regulators. While this type of payment is growing [1], driven in particular by the growth of e-commerce, it is also the one with the highest rate of fraud [2].

This is not a new observation: regulators have for several years been watching closely the evolution of remote payments and are increasingly imposing measures to reduce the rate of fraud. As early as 2014, the EBA (European Banking Authority) published guidelines on the security of Internet payments. These guidelines constituted the first step towards strong authentication [3], which the second Payment Services Directive (DSP2, the French acronym for PSD2) [4] aimed to generalize and clarify.

Even though strong authentication seems to be a bulwark against fraud in the e-commerce world, it is not systematically applied. According to the Fevad [5], only 66% [6] of e-merchants are equipped with a strong authentication device, mostly via the “3DSecure” system. Currently, the strong authentication systems proposed by the e-merchants’ banks leave the merchants free to apply strong authentication or not, according to their own risk analysis.

This choice seems necessary in view of the impact of 3DSecure on the shopping journey, since the rate of abandonment during a purchase is much higher when this mechanism is activated [7]. The effects of the SMS step on the fluidity of the customer journey explain this reluctance: the customer must have their mobile at hand, must have enrolled it beforehand with their bank, must have telephone network coverage, and so on.

While strong authentication devices (via 3DSecure in particular) have, until now, only been tools that enable e-traders to manage their risks and fraud rates, it would appear that they will become mandatory by 2018, at least if one believes the latest version of the RTS (Regulatory Technical Standards) on strong authentication being finalized by the EBA. The purpose of these RTS, whose scope is set by DSP2 [8], is to specify, among other things, the requirements for strong authentication and the possible exemptions from it.

Indeed, DSP2 imposes strong authentication when the payer initiates an electronic payment transaction [9], but it also provides for exemptions from this requirement, which have been specified in the EBA’s latest document on the subject [10]. As far as payments on e-commerce sites are concerned, the only possible derogation identified concerns payment transactions with an amount of less than €10 (up to €100).

The EBA simply excludes the possibility of exempting a transaction from strong authentication on the basis of a risk analysis (whether by the cardholder’s bank, the e-merchant’s bank or the e-trader himself). It also states that this type of exemption would contradict certain objectives pursued by DSP2, in particular the protection of customers’ funds [11]. The directive also stipulates that banks acting as acquirers for e-merchants will be obliged to impose on them a strong authentication device that cannot be disabled, so that the buyers’ banks [12] can trigger the mechanisms enabling strong authentication once an amount of €10 has been exceeded [13].

The impact is therefore considerable, and not just for e-merchants. This obligation will also affect credit institutions [14] in their remote banking services [15]. The European Payment Council (EPC) [16] gave its response to the Consultation Paper [17] and radically contested the EBA’s decision not to allow an exemption from strong authentication on the basis of risk analysis. From a legal point of view, the EPC states that by excluding RBA (Risk-Based Analysis), the EBA would go beyond its mandate. The same position was taken by the Fevad, which also responded to this consultation to defend the interests of e-traders [18].

The stakes are high! Some e-merchants, thanks to their expertise and customer knowledge, have developed high-performance security devices that allow them to boast a fraud rate much lower than average without applying strong authentication. They have also been able to develop “friendly” payment practices such as “one-click”, whose durability is strongly called into question by DSP2.

Will these responses to the Consultation Paper, and any lobbying, be enough to sway the EBA and bring about a change in the RTS? The final version of the EBA text will be made public in January 2017 and will have to be validated by the European Commission and the European Parliament. At best, these RTS would come into effect in October 2018.

Whatever the content of this text, banks and e-traders will at the very least have to re-examine their security system and, in the worst case, completely overhaul it [19].

Chronicle written in collaboration with Bruno Joanides

[1] +850,000 buyers in the distance-selling channel in one year (source: Fevad).

[2] In 2015, 0.228% vs. 0.009% for proximity and automated payments (source: 2015 annual report of the Payment Card Security Observatory).

[3] For simplicity, this is authentication based on 2 of the following 3 elements: possession, knowledge and inherence.

[4] Published at the end of 2016.

[5] Federation of e-commerce and distance selling.

[6] Source

[7] For example, according to a survey conducted by Ingenico ePayments in the online travel sector, using 3DSecure would increase the abandonment rate by 10% (according to 61% of respondents).

[8] Article 97(3) of DSP2.

[9] But also when the payer accesses his online payment account or when he performs, through a means of remote communication, any action likely to involve a risk of fraud (outside the e-commerce scope).

[10] Consultation Paper on the draft RTS specifying the requirement on strong customer authentication and common and secure communication under PSD2.

[11] See the Consultation Paper on Strong Customer Authentication (5.1, assessment and preferred options).

[12] Payment cardholder.

[13] Recital 19(b) of the Consultation Paper on Strong Customer Authentication.

[14] And payment institutions and electronic money institutions.

[15] As a reminder, strong authentication will also be necessary when the customer accesses his account online (except for the exemptions provided for in the RTS).

[16] Representative of European payment service providers.

[17] Source

[18] The Merchant Risk Council (representing European e-merchants and payment professionals) also responded to this consultation.

[19] Although strong authentication solutions based on biometrics (the inherence criterion) are emerging, they may have little impact on e-merchants.
