Online card fraud is huge: according to Finextra Research, £4.1 billion was stolen through this type of theft between 2017 and 2018. To illustrate how personal the problem is, the firm quotes a survey of 2,000 UK adults, commissioned by comparethemarket.com, which showed that 22 percent of those surveyed had been defrauded this way in the last year.
Europe has, for some time, been worried about the problem of card fraud. As part of the fight back, from 14 September 2019 a new process known as strong customer authentication (SCA) made under the Revised Directive on Payment Services (PSD2) will be in place.
The new process
SCA is an extra layer of security designed to prevent payment fraud. It ensures that online card transactions become more secure through “multi-factor authentication” – a second check to demonstrate that both the transaction and cardholder are genuine.
The aim of SCA is to be the “chip and PIN” of the online world; and rather like chip and PIN, SCA will apply to transactions over a certain value (€30). But while SCA targets the online transaction, Mark Nelsen, Senior Vice President, Risk and Authentication Products at card processor Visa, says that banks and merchants may also need to regularly check that contactless payments are made by the correct cardholder too – by asking for a PIN. “This might occur after a contactless card has been tapped five times in succession, or when €150 has been spent using only contactless taps,” Mark explains.
How will it work?
SCA could mean any one of numerous authentication methods: an online PIN or password, or a device that only the cardholder can authenticate. This could also include smartphones, or biometric traits such as fingerprints or facial recognition.
SCA is going to mean a marked change to how practices sell (or take payments) online and how an estimated 420 million customers in Europe – including the UK – buy at a distance. And for some there are worries that this extra layer of protection will add unnecessary complexity which will irritate customers who subsequently abandon their “shopping carts” part way through the buying process – leading to lost sales and delayed payments.
In the context of veterinary practices, those that allow bills to be paid online will have to ensure that their systems can cope with the change.
What is PSD2?
As the name suggests, PSD2 is an update on the original Payment Services Directive (PSD) that was brought into force in 2007. Its stated goals were to create a single market for payments with easier and more efficient cross-border payments. This would mean that it wouldn’t matter whether a payment was made within the same member state or to a party in a different member state.
PSD2 expands on PSD by permitting third parties to access an individual’s account information via the “Open Banking” protocol; enhancing consumer rights, especially in relation to currency charges; and enhancing cardholder security via SCA.
Why now?
Change was clearly needed. According to a UK Finance report in 2018 entitled UK Payment Markets, in 2017 there were 3.1 billion credit card payments – an increase on the previous year of 13 percent. In the same report, it is stated that by 2027, there will be 3.9 billion credit card payments a year. By way of comparison, there were 13.2 billion debit card payments in 2017 (up 14 percent on the previous year) and 2027 could see some 19.7 billion debit card payments.
And with rising levels of card use come increasing risks of fraud. The European Central Bank, in its fifth report on card fraud, published in September 2018, found that cards issued within Europe saw fraudulent transactions to the tune of €1.8 billion in 2016, and that 73 percent of that sum related to card-not-present transactions.
What does this mean for veterinary practices?
Compliance with the new regime is mandatory. There will be no exceptions and if the business doesn’t comply, all transactions will be automatically declined by the cardholder’s bank when they attempt to make a purchase. Further, by not planning ahead and developing authentication processes that offer the least friction to consumers, businesses could see falls in sales as consumers switch off and vote with their feet.
Considering that, according to Ecommerce Europe in its European Ecommerce Report 2018 Edition, the European business-to-consumer online economy was worth around €602 billion in 2018 (up from €307 billion in 2013), if only 10 percent of consumers – let alone the potential 25 percent that could walk – abandon a transaction because of complexity or irritation, then firms may stand to lose huge sums.
A study from 451 Research backs the point. It reckons that Europe could lose €57 billion in economic activity in the first 12 months after the implementation of SCA. Its findings are based on “surveys conducted with 500 qualified payment professionals at online businesses and 1,000 consumers in the UK, France, Germany, the Netherlands and Spain.”
But with new rules, there may also be new opportunity. This change could be a chance for practices to market themselves to customers as being both secure and trustworthy, as well as having the simplest way possible of complying with the new rules.
The rollout won’t be easy. While the EU demands compliance, every member state will see different interpretations of PSD2. Whether that’s from the banks, card issuers or central bank, there will be differences. On top of this there is the €30 exemption to take into account.
Worryingly, the 451 Research study reported that, three months before SCA implementation, preparedness remained remarkably low. It appears that only 40 percent of businesses that said they were aware of SCA felt prepared to address its requirements. That means, quite simply, that most businesses will now be racing against the clock to become compliant, as only 44 percent expect to be ready by 14 September 2019.
The research also found that SCA is less well known among smaller firms. 60 percent of businesses with fewer than 100 employees either didn’t know about SCA or weren’t planning on being compliant before implementation. In contrast, firms with 5,000 or more staff saw only 4 percent being in the same position.
What changes should practices make now?
Clearly then, the first step for practices is to set systems to recognise when transactions need to abide by SCA (because they are above the €30 threshold) and when they do not (because they are below the threshold). Further, recurring payments will be exempt from the regime, so that needs to be noted by the system.
Allied to this is the option for a customer to “whitelist” a business with their card issuer so that future purchases made from that business fall outside of the multi-step authentication regime. That said, some banks won’t permit this and with the sheer number of banks in Europe (6,250 in 2017 according to the European Banking Federation’s 2018 Facts & Figures report), this may not even be an option for all but the largest of traders.
The second step is to consider how SCA is to be operated. Is it to be by text, smartphone, email, biometric trait or another option? Given the size of some firms, such as Amazon, the options are many. But for the smaller independent, a text- or email-based process is likely to be more appropriate.
Visa suggests that for transactions that require SCA, firms should have what is known as 3-D Secure 2.0 (3DS) in place to enable them to apply exemptions such as low-risk transaction analysis or perform two-factor authentication when needed. The benefit to practices of 3DS is that it allows issuing banks to verify credit card owners during the transaction process; this means that those using this protocol can transfer liability for fraud disputes away from themselves.
Lastly, practices need to think about whether they want to implement SCA internally – and so become “expert” themselves – or hire in third party help to undertake the task. A conversation with the merchant acquirer would be time well spent.
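The rules described above (the €30 threshold, the recurring-payment and whitelist exemptions, and the contactless tap limits Visa mentions) can be expressed as a small decision routine. This is an added illustration, not code from the article, Visa or any payment provider; the field names, the return values and the choice to reset the contactless counters when a PIN is requested are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

SCA_THRESHOLD_EUR = Decimal("30")      # article: SCA applies above EUR 30
TAP_LIMIT = 5                          # article: PIN after five successive taps
TAP_VALUE_LIMIT_EUR = Decimal("150")   # article: or EUR 150 spent by taps alone


@dataclass
class OnlinePayment:
    amount_eur: Decimal
    recurring: bool = False             # hypothetical flag from the billing system
    merchant_whitelisted: bool = False  # hypothetical: customer whitelisted the practice


def sca_decision(p: OnlinePayment) -> str:
    """Return 'exempt:<reason>' or 'sca_required' for an online card payment."""
    if p.amount_eur <= 0:
        raise ValueError("amount must be positive")
    if p.recurring:
        return "exempt:recurring"
    if p.merchant_whitelisted:
        return "exempt:whitelisted"
    if p.amount_eur <= SCA_THRESHOLD_EUR:
        return "exempt:low_value"
    return "sca_required"


class ContactlessCounter:
    """Tracks contactless taps since the cardholder last entered a PIN."""

    def __init__(self) -> None:
        self.taps = 0
        self.total = Decimal("0")

    def tap(self, amount_eur: Decimal) -> bool:
        """Record a tap; return True if this tap must be confirmed with a PIN."""
        if self.taps >= TAP_LIMIT or self.total + amount_eur > TAP_VALUE_LIMIT_EUR:
            # Assumption: a successful PIN entry resets both counters.
            self.taps, self.total = 0, Decimal("0")
            return True
        self.taps += 1
        self.total += amount_eur
        return False
```

The card issuer may still ask for authentication on a payment this routine marks as exempt, so the checkout has to be able to handle a challenge in every case.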
In summary
SCA is coming and any veterinary practices selling or taking payments online need to plan ahead. If they are not compliant, businesses may face a catastrophic meltdown as a huge chunk of their business will be denied from mid-September.