By Ralf Gladis, CEO and co-founder of Computop
Retailers had accepted that with the Payment Services Directive 2 (PSD2) regulations, they had been effectively forced to hand the management of authentication in credit and debit card payments over to the card issuing banks. They argued that this made the checkout process complex, and lengthened the time it takes for customers to complete their purchase, so increasing the number of basket abandonments.
Recent changes to the regulation of the Strong Customer Authentication Delegation, however, have delivered a powerful shot in the arm for merchants. 3DS 2.0 is the latest iteration of a protocol issued by the major credit card schemes which ensures the secure authentication of card payments. In version 2.0 it fulfils the requirements set up by PSD2 and will become mandatory if retailers are to provide credit card payment facilities to customers. What it does is to potentially remove payment authentication from banks and instead place it back at the point of purchase with retailers who are enrolled. This not only makes checkout easier, it also improves security and will potentially boost sales.
The new 3DS 2.0 authentication method will provide retailers with a smoother, more user-friendly interaction with their customers because the previous 3D Secure protocol has been refined. Customers will no longer be expected to move through a variety of processes for every credit card transaction because the multitude of data elements that form the contractual relationship between the retailer and the customer, or the customer’s account, will be transmitted directly to the payment issuer, e.g. a bank. They, in turn, perform a real-time risk assessment. If the transaction is categorised as low-risk, the payment will be authorised instantly and no further interaction from the customer is needed.
As well as the user interface for SCA in 3DS 2.0 being much more harmoniously integrated into the payment process than in 3DS 1.0, the embedding of the retailer’s SCA in the checkout also reduces the risk of basket abandonment substantially. Those retailers that don’t have SCA delegation will find themselves having to ask their card-holding customers to authenticate themselves twice in certain cases: the first time to log into their customer account with the retailer and the second time to initiate the payment. This becomes an even more unwieldy process if the customer is using a mobile device.
The consideration for retailers who are resistant to the idea of using SCA delegation is that this additional hurdle in payment could result in their customers turning to other retailers where checkout is smoother, or in customers demanding other methods by which they can complete their payment. Customers are interested in convenience and expect the retailers they shop with to ensure their payment is made securely and speedily, particularly when they are shopping on the go.
Fortunately, the major credit card companies are supportive of authentication moving from issuers to retailers and they can help with the integration process, but the responsibility for ensuring it is in place and working properly does fall with the retailer. A significant advantage, however, for larger retail operations with customer call centres is that they will no longer need to support dozens of different authentication methods. To be most successful, retailers should seek payment service providers that deliver the necessary infrastructure to set up the SCA delegation for both smartphone and Internet browser payments.
Depending on biometrics
An important element of SCA, particularly for consumers who like to purchase via mobile devices, is the biometric authentication options that are being used when they log in.
The FIDO standard (which is committed to providing open and free authentication standards) guarantees that the biometric data, which could be a fingerprint or a facial scan, is processed in encrypted form and that this data never leaves the device on which it is queried. Use of biometrics also means that passwords are not necessary, thus reducing the incidence of customer data being phished or stolen.
The biometric data is not simply copied to the device on which it is read, but stored as hash values. Even a face scan or fingerprint cannot be stolen, provided the biometric solution meets the required standards. Retailers can use this biometric authentication to send over a ‘flag’ to the card issuer that authentication has already been executed, so the customer is not challenged to provide another authentication request by the bank. This reinforces the control of the retailer, which will undoubtedly have a positive impact on the relationship with customers, and enhance the brand in the market.
When it comes to using SCA delegation in practice, ideally, retailers should integrate the corresponding step at which it takes place as early as possible in the purchasing process, for example, the moment customers log into the retailer’s app or enter the online store. Once this step has been taken, the relevant biometric information can be sent to the issuer together with the other data points relevant for 3DS 2.0 in encrypted form to prove that the retailer has already provided compliant authentication. This gives the retailer an opportunity to further reduce any problems that could occur during the conversion from order to payment.
There is an added bonus to the integration of biometric authentication – it not only protects the customer, but this extends to the retailer too, who would previously have been absorbing many of the negative outcomes of fraudulent activity, from identity theft through to a customer account takeover – effectively creating a win/win for all parties involved.
Retailers would be wise to adopt Delegated Strong Customer Authentication (DSCA) if possible, as the benefits speak for themselves. With retailers “owning” SCA, customers get a more user-friendly experience without having to log in twice to complete a purchase. As a result, retailers can be more successful at driving basket conversions.