The introduction of 3DS and SCA2 on credit cards was intended to make transactions more secure for the shopper and the merchant. This was in reaction to a flood of fraud visited upon merchants, who had to do their own checks on the quality of the payment card being presented.
3DS introduced the liability shift, where a merchant who accepts a verified 3DS card is covered even if the transaction is later found to be fraudulent.
The card issuers work on the premise that if the card holder has passed their PIN to someone else or had it exposed, it's the card holder's fault and not the bank's nor the merchant's.
So to protect the customer each card issuing bank has developed their own “system” for card verification. I call it a “system” because banks are not software houses and their systems are built to do traditional tasks in traditional ways because these are what get by compliance and oversight. These span from simple SMS messages with codes to more complex mobile apps that require pre-approval and post-approval for a transaction. All require at least three extra steps in the transaction.
- message from the processor to the acquiring bank
- message from the acquiring bank to the card holder
- bank may have outsourced the verification process, so it's sent to a 3rd party that neither the customer nor the merchant ever sees.
- card holder then enters a challenge code
- acquiring bank determines if the code is good or bad
- message is sent back to the processor
- message is sent from the processor to the website.
- website delivers the result to the shopper.
We know extra steps in the transaction lead to a high rate of cart abandons. 8 steps is ridiculous and was developed without appreciating the risk of cart abandonment.
“The typical shopping cart abandonment rate for online retailers varies between 60% and 80%, with an average of 67.91%. It is claimed that the best optimised checkout process has an abandonment rate of 20%.”
“Payment friction accounts for over 50% of cart abandons”
As the security is increased for the shopper and merchant and the issuing bank now has passed the security responsibility to the card holder – the checkout experience has been reduced to a shambles.
So this has opened the door for other processors. PayPal have pushed PayPal Express to make it easier but it still requires a verification via SMS in the journey. This is because all PayPal accounts are linked to a credit card – and all credit cards are linked to an issuing bank that will have 3D Secure.
When the bank's verification system is down – it is the card processor who pushes the error to the client. This has the effect of making it look like the processor is failing, and many merchants will report this as the issue to their web developers. They are mistaken – because the issue is at the card issuing bank or one of their outsourced verification service providers or the payment provider themselves. Trying to get to the root cause is almost impossible. If a developer is lucky to have many installations running they can usually detect a pattern and know instinctively if it's a payment processor or a bank verification issue. If it's a bank verification issue, chances are by the time the bank will move to investigate it will be fixed – and it will not be reported. This results in an unstable payment process that neither the merchant nor the web developer has any control over.
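The pattern detection described above can be made explicit. The following is an added example, not code from the original post: it takes 3DS challenge outcomes collected across several installations and checks whether the failures follow one issuing bank or one processor. The record layout, the shop, processor and bank names, and the 0.5 threshold are all assumptions made for the illustration.

```python
from collections import Counter

SITE, PROCESSOR, ISSUER, OK = range(4)

# Constructed sample: one tuple per 3DS challenge attempt seen across four shops.
# The layout and every value are assumptions, not a real processor log format.
ATTEMPTS = [
    ("shop1", "proc-a", "bank-x", False), ("shop1", "proc-a", "bank-y", True),
    ("shop2", "proc-b", "bank-x", False), ("shop2", "proc-b", "bank-y", True),
    ("shop3", "proc-a", "bank-z", True),  ("shop3", "proc-b", "bank-x", False),
    ("shop4", "proc-b", "bank-z", True),  ("shop4", "proc-a", "bank-x", True),
]

def failure_rates(rows, field):
    """Failure rate per distinct value of `field` (PROCESSOR or ISSUER)."""
    total, failed = Counter(), Counter()
    for row in rows:
        total[row[field]] += 1
        failed[row[field]] += 0 if row[OK] else 1
    return {key: failed[key] / total[key] for key in total}

def suspects(rows, field, threshold):
    """Values of `field` whose failure rate reaches the threshold."""
    return {k for k, rate in failure_rates(rows, field).items() if rate >= threshold}

def locate_fault(rows, threshold=0.5):
    """Return (verdict, names): which side the failure pattern points at."""
    bad_issuers = suspects(rows, ISSUER, threshold)
    bad_procs = suspects(rows, PROCESSOR, threshold)
    if not bad_issuers and not bad_procs:
        return ("healthy", set())
    # A failing bank drags down every processor that carries its cards, so set
    # the suspect banks aside and see whether the processors then look healthy.
    rest = [r for r in rows if r[ISSUER] not in bad_issuers]
    if bad_issuers and rest and not suspects(rest, PROCESSOR, threshold):
        return ("issuer verification", bad_issuers)
    # Same test the other way round: set the suspect processors aside.
    rest = [r for r in rows if r[PROCESSOR] not in bad_procs]
    if bad_procs and rest and not suspects(rest, ISSUER, threshold):
        return ("processor", bad_procs)
    return ("inconclusive", bad_issuers | bad_procs)

if __name__ == "__main__":
    print(failure_rates(ATTEMPTS, PROCESSOR))
    print(locate_fault(ATTEMPTS))
```

In the sample, proc-b shows a 50% failure rate and looks broken on its own, which is the misreading the merchant makes; once bank-x traffic is set aside, both processors are clean.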
This leaves a really big gap for a new payment type model that is not a credit card or linked to one but is still secure. Enter Apple Pay and Google Pay. They are what we would call one-half the deal. They too are linked to a credit card. To be totally frictionless the next generation payment methods need to be based on a deposit system, where the shopper pre-funds a payment method and then shops with this. Revolut and other new generation banking models have this in place.
In reality most customers are honest and will not mind verifying their cards and payment methods but it has to be easy and effortless. Fraudsters hate traceability and prefer to use methods that allow them to hide.
All mobile devices come with cameras and fingerprint readers so this is the ultimate biometric verification of the card. Use a combination of the two to verify a payment. It's pretty simple and foolproof. It's like where the photo is a username and the fingerprint is a password. Both are unique and pretty hard to fake unless you are leaving bowls of hot wax and cameras around the place for people to interact with!
Mobile payments have been hastened with Covid, where it's more hygienic to pay with a phone than a card, using the keypad everyone else has mauled. As for cash, there is a reason it's called filthy 😉 Mobile payments are verified on the spot using a fingerprint, with nothing touching.
Systems like IDPal are used by some banks for verification – but the amount of personal data they require is frightening in their attempt to verify the customer. Again it's all stuck in the past, looking for passports, bills with home addresses etc. Don’t get me started on using mother's maiden name as a security question. A quick Google search will find this!
It's opened the door for payments 3.0 that no longer require a traditional bank but a SpaceX type of finance house that can develop at speed and take no influence from traditional banking. We are not talking about bitcoin here. We are still talking currency and value but a faster, more secure and traceable movement of value.
eCommerce stores need to provide a bigger selection of payments, shipping and checkout; those that do are converting more. Customers want choice because they may have already chosen their favourite payment method, shipper etc. Merchants are reluctant to offer the choice because it fragments their systems and increases overheads.
Conclusion: With the introduction of 3DS and SCA2 on credit cards the issuing banks may have started and hastened the demise of the traditional credit card for ecommerce and for everything, because technically they applied traditional methods to a technical solution and botched it. The merchants will dictate the rules when a new method arrives.
Other blog posts on credit cards.
https://www.willows-consulting.com/how-hackers-steal-credit-cards-from-ecommerce-sites/
https://www.willows-consulting.com/what-is-carding/
https://www.willows-consulting.com/what-is-psd-sca2/
About the Author:
Sean Owens has been building, developing and designing ecommerce since 2002. He is an expert in his field, specializing in eCommerce since people thought Amazon was a river and Kenny’s Books Shop in Galway was the largest online book seller in the world. He has a vast experience across a multitude of sectors and platforms and is available for consulting and speaking engagements.