While it’s no secret that the pandemic has supercharged digital payments adoption, the scale of the change in ecommerce is still breath-taking. Global ecommerce retail sales totalled $3.5 trillion in 2019. In 2021, they are forecast to reach almost $5 trillion.
This represents a significant opportunity for the payments industry. The growth will also highlight some of the industry’s challenges.
Right now, the average British online shopper abandons online baskets worth £30 a month, which represents £18 billion in lost sales annually. Transaction abandonment rates for online shopping are double those of in-person retail.
This suggests that there are still too many points of friction along many online journeys.
And a looming regulatory change—Strong Customer Authentication (SCA)—is poised to create further friction and disruption. SCA rollout has already begun, with full enforcement scheduled for 14th March 2022 in the UK, as per the new date provided by FCA.
What SCA means for ecommerce
SCA is a mandate from the revised Payment Services Directive 2, which shifts the liability for fraud to the issuing bank and requires that customers go through two-factor authentication for in scope ecommerce transactions to increase confidence in the customer’s authenticity.
SCA require all customers to authenticate ecommerce transaction with two out of three authentication factors:
- Possession – something only the user has, like a credit card
- Knowledge – something only the user knows, like a password or PIN
- Inherence – something only the user is, like the owner of particular retinas or fingerprints
To avoid disruption, merchants will need to prepare for technological and operational changes and ensure that their payment gateway provider can support new authentication requirements.
Not all ecommerce transactions are in scope of the directive. Some of them (Table1) are defined as out of scope for all participants, others can be exempt depending on the issuer’s solutions (Table 2).
So far, most issuing banks have prepared for SCA with a mobile-first strategy that prioritizes customer authentication through their existing mobile channels. A few Tier 1 issuers are looking at using behavioural biometric solutions for non-mobile customers.
The rest of the industry has pursued separate knowledge elements alongside one-time text message passwords into their authentication processes.
Considerations for merchants
SCA holds great potential for reducing fraud in ecommerce, but it also has the potential to introduce more friction into the customer journey. Ecommerce merchants must respond—not only to avoid declined transactions but also to minimize (or even eliminate) potential additional friction.
In our view, a strong response to SCA requires three elements:
- The first focuses on compliance. To avoid transaction declines, merchants need to make sure their payment gateway provider can support 3DS-enabled authentication requests.
- The second is leveraging available exemptions. Merchants should review their existing ecommerce flows to learn how their current transaction profile is covered by available exemptions, and make sure that their gateway provider will support new exemptions under SCA. This will not only streamline the customer journey but also lower processing costs for merchants.
- The third is exploring one-click payment propositions. Merchants who depend on one-click payment flows should consider ‘delegated authority’ to authenticate the customer on behalf of the issuing bank.
Immediate next steps
SCA will transform the ecommerce journey for both merchants and issuers. If not implemented correctly, it will lead to not only serious disruption of the customer journey, but also lost revenue and increased costs on the merchant side caused by significant number of declined transactions. But adapting for SCA with a right solution can also be a springboard for changes that not only reduce fraud, but also improve the customer experience and ultimately boost sales.
Of course, the looming deadline— March 2022 will be here before we know it, and full enforcement with it—lends urgency to ensuring compliance with the new requirements. Therefore we recommend an two step approach to e- commerce SCA transformation that starts with building a “minimum viable product” (MVP) to meet compliance requirements.
Merchants can then innovate top of this MVP offering to improve the customer journey.
If you’d like to discuss your organization’s ecommerce journey, I would love to hear from you. You can reach me on LinkedIn.