With the huge growth in e-commerce and online shopping in recent years, one factor that’s taking on increasing importance is the issue of security when making online payments.
Card-not-present fraud continues to be a major challenge in the online space. Given the large number of security breaches reported by major brands in the last couple of years, it may be straightforward for a criminal to gain access to an individual’s card details from one of these incidents.
Meanwhile, it was recently claimed that hackers could take advantage of flaws in the security protections of some cards to uncover card numbers, expiry dates and CVV codes by way of a brute force attack.
Therefore, it’s understandable that the industry and regulators are keen to do more to guard against this type of activity and ensure the online payment space is as secure as possible. But could the latest proposals from the European Banking Authority (EBA) do more harm than good?
What are the proposals?
Under the strong customer authentication (SCA) plans put forth by the EBA earlier this year, consumers making a payment online would need to enter additional security details for any transaction over €10. This may be in the form of an extra password, code, a biometric check or the use of a card reader.
This would effectively make two-factor authentication mandatory for a huge range of online transactions. But while it would certainly make card-not-present fraud more difficult to accomplish, the trade-off could be to make such transactions much more time-consuming and inconvenient.
What do the card providers say?
One organisation that certainly takes that view is Visa, which has warned the rules could create huge disruption for online shoppers in particular. For instance, it stated the rules would mean the end of express online checkouts, such as one-click options which allow consumers to complete a purchase without re-entering personal and financial details.
Research conducted by the card provider found more than six out of ten consumers (61 percent) say they would abandon a purchase if they had to go through more steps at the checkout phase.
It could also have an impact offline as well, with Visa suggesting it could lead to longer queues at locations where identity checks such as PINs are not required, like parking and toll booths. It warned that in France alone, where such systems are commonly used on the country’s network of toll roads, this would impact more than 500 million journeys a year.
An overly inflexible regulation?
Peter Bayley, chief risk officer, Europe, at Visa, said that while the company supports efforts to improve payment security, the EBA proposals will bring a wide range of complications and inconveniences.
“The planned one size fits all approach tips the balance too far one way, making it difficult for consumers to make purchases wherever, whenever and on whatever device they want,” he said. “It will annoy consumers and damage businesses’ potential to sell their goods and services.”
Visa isn’t the only industry player to express skepticism over the proposed moves. Paypal, for instance, stated in its response to the EBA’s consultation that “unfriendly” additional checks would have an impact on almost any digital payments, regardless of how much risk is actually involved. Mastercard also raised concerns that an “overly prescriptive approach” would undermine the goals of the plans.