Strong authentication. Good practices to be implemented
Since June 2021, any online purchase of more than 30 euros must pass strong customer authentication based on two factors. This is an essential step towards combining security with a smooth purchase process.
By Christine Calais
Context. In France, e-commerce and m-commerce continue to show very strong growth. In 2020, Internet sales reached €112.2 billion, up 8.5% in one year, according to the French E-commerce and Distance Selling Federation (Fevad). The 41.6 million French online buyers made 1.84 billion transactions, up 5.8% compared to 2019. Yet, according to the Mercatel association, the fraud rate on remote purchases (0.16% in 2020) was 20 times higher than in physical commerce. In order to limit the risk of fraud during online purchases, the European Parliament voted in 2015 to pass a European directive on payment services (PSD2), which notably frames the ways of making online payments to merchants within the European Union. This directive has been enforced since May 15, 2021 (with a transition period of 4 weeks), and it includes strong authentication to verify the identity of the user.
E-merchants are well prepared for this: 96% of the transaction value between June 7 and 13, 2021 that fell under the PSD2 directive went through strong authentication.
Two-factor authentication
This strong authentication requires verification for access to online payment transactions with at least two of the following three factors:
– an element that only the user knows (password, code…)
– an element that only the user has (cell phone, smart card…)
– a biometric element (fingerprint, voice recognition, facial recognition…)
In practice, strong authentication is achieved through the cell phone in two ways: either via the user’s payment application and their banking application, to which they connect with a password or a biometric factor, or via the sending of a single-use code, which is less flexible.
Impact on the conversion rate. On the retailers’ side, the major fear is shopping cart abandonment, which mechanically reduces the conversion rate. One of its causes, although far from the only one, is a payment process that a potential customer perceives as more complicated. Others are the desired means of payment not being offered, or exogenous factors such as a cell phone battery failure. According to a study conducted in 2019, 58% of customers had abandoned a shopping cart during the checkout phase; 17% blamed an overly complicated checkout process, and 18% abandoned a purchase because their preferred payment method was not offered.
Exemptions
However, the directive does provide for several exemptions, thus offering consumers a frictionless path.
– Low-value, low-risk transactions. The level of risk is evaluated according to the average fraud rate of the payment service provider (PSP) and the issuing bank: a rate of 0.13% exempts transactions under €100, 0.06% exempts transactions under €250, and 0.01% exempts transactions under €500.
– Subscriptions or recurring transactions of a fixed amount, from the 2nd occurrence.
– Whitelist: merchants declared as trusted recipients by the consumer to their bank.
– Telephone transactions, which are not considered electronic payments, subject to acceptance by the bank issuing the payment.
– Merchant-initiated transactions, after customer approval and initial authentication (e.g., variable-amount subscriptions).
– Inter-regional transactions: the issuer of the payment or the acquirer of the card is not based in Europe.
– Anonymous transactions made with prepaid or corporate cards.
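To make the exemption list concrete, here is an added example (written for this page, not taken from the article or from any PSP's product) of a minimal exemption engine of the kind the article goes on to recommend: a hypothetical `Transaction` record and an `exemption_for()` function encode the article's fraud-rate tiers and exemption cases and return which exemption, if any, lets a payment skip strong authentication. The €30 low-value rule is taken from the article's opening statement; the cumulative counters the RTS attaches to that rule are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# TRA tiers from the article: (amount ceiling in EUR, maximum reference fraud rate in %).
# SCA may be skipped below a ceiling only if the exempting PSP/issuer's fraud rate is at
# or below that tier's rate, so a lower fraud rate unlocks higher ceilings.
TRA_TIERS = ((100, 0.13), (250, 0.06), (500, 0.01))
LOW_VALUE_LIMIT_EUR = 30  # article's "more than 30 euros" rule (RTS counters not modelled)

@dataclass
class Transaction:  # hypothetical input record, not a real PSP API
    amount_eur: float
    fraud_rate_pct: float               # reference fraud rate of the exempting PSP/issuer
    occurrence: int = 1                 # 1 = first payment of a series
    fixed_amount: bool = False          # recurring transaction of a fixed amount
    merchant_whitelisted: bool = False  # payer declared the merchant a trusted recipient
    merchant_initiated: bool = False    # initiated by the merchant under an authenticated mandate
    issuer_in_eu: bool = True
    acquirer_in_eu: bool = True
    anonymous_card: bool = False        # anonymous prepaid or corporate card
    phone_order: bool = False           # telephone order, accepted by the issuing bank

def tra_ceiling_eur(fraud_rate_pct: float) -> int:
    """Highest amount the exempting party may cover under TRA; 0 if its rate is too high."""
    ceiling = 0
    for max_amount, max_rate in TRA_TIERS:  # ascending ceilings, descending rates
        if fraud_rate_pct <= max_rate:
            ceiling = max_amount
    return ceiling

def exemption_for(tx: Transaction) -> Optional[str]:
    """Name of the exemption (or out-of-scope case) under which the payment skips SCA,
    or None when strong authentication must be performed."""
    # Out of scope: not an electronic payment, or one leg outside the EU.
    if tx.phone_order:
        return "telephone_order"
    if not (tx.issuer_in_eu and tx.acquirer_in_eu):
        return "one_leg_outside_eu"
    if tx.anonymous_card:
        return "anonymous_card"
    # Exemptions tied to the payment's history rather than its amount.
    if tx.merchant_whitelisted:
        return "trusted_recipient"
    if (tx.merchant_initiated or tx.fixed_amount) and tx.occurrence > 1:
        return "merchant_initiated" if tx.merchant_initiated else "recurring_fixed_amount"
    # Amount-based exemptions: flat low-value rule, then the risk-scaled TRA ceiling.
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low_value"
    if tx.amount_eur < tra_ceiling_eur(tx.fraud_rate_pct):
        return "transaction_risk_analysis"
    return None  # no exemption applies: SCA required
```

A real engine would also log the exemption it applied, since the article asks the merchant to explain to the consumer why no second authentication was requested.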
Combine security and fluidity. It is essential to choose a Payment Service Provider (PSP) with fine-grained exemption engines, in order to keep fraud at an acceptable level while keeping the purchase process smooth. These must be combined with a good fraud management engine. All payment players are now working on this.
Points to watch out for. Finally, online payment players must keep certain elements in mind. Banks must respect the principle of fairness, i.e., avoid making the purchase process complex for people suffering from digital illiteracy, or for those who do not have a smartphone. They must be able to manage special cases, each of which implies a different authentication process. The e-merchant must also be transparent and educational, explaining to the consumer why he or she is exempt: a customer should not be surprised at not having had to perform a second authentication. Last but not least, mobile shopping paths must be made more fluid, especially by banks, so that consumers can easily return to their shopping cart after authenticating via their banking application.