The retail explosion spurred on by COVID-19 is a golden opportunity for the industry – if it can collaborate over payment security, says G+D Mobile Security’s Vice President Jukka Yliuntinen.
Hands up if delivery services like Amazon have become your fourth emergency service during lockdown. The biggest example of an online retailer stepping in to help consumers access supplies and stave off boredom during months out of social circulation, this megalith of ecommerce isn’t the only one to come into its own as a result of COVID-19.
In fact, the unprecedented circumstances sparked by the pandemic, which has characterised much of 2020 so far, have sent an already significant trend towards ecommerce spiralling upwards.
Thanks to increasing numbers clicking to source everything from household essentials to entertainment since March, Goldman Sachs has revised its growth predictions for ecommerce upwards – from 16 per cent per year for the next three years, to 19 per cent. In its July report, the US bank stated that ‘we’ve seen an acceleration in innovation over the course of the crisis as companies have rolled out curb-side pick-up programmes, contactless checkout and personalised consignment deliveries, and retailers and marketplaces have adapted to reflect the shifting needs of consumers focussed on the new essentials’.
Meanwhile, in the UK, footfall in retail stores is less than 50 per cent of last year’s levels, suggesting that those businesses still here are also conducting more of their sales online. All of which is pushing online payments, and the associated need to ensure payment security, right to the top of the finance industry’s agenda.
Yet, just as the requirement for enhanced security becomes stronger than ever, regulators like the UK’s Financial Conduct Authority have been forced to re-think their implementation deadlines for the introduction of the new Secure Customer Authentication (SCA) regulation, which will help to provide that protection – from 31 March to 31 September, 2021. The main issue forcing this delay is a lack of industry consensus around how it should be achieved, with the one-time passcodes (OTPs) currently being used by many organisations widely viewed as cumbersome and inadequate, and different organisations favouring widely varying solutions, from biometrics to tokenisation.
The complexity and cost involved in bringing their online operations up to spec means many smaller merchants have been slow to respond, which is understandable, given they are still focussed on survival. Balancing seamless user experience with the necessary security uplift is no easy task for the processors either, with authentication hurdles oft-cited as a major cause of shopping cart abandonment.
Meanwhile, as these implementation crinkles are being ironed out, an already burdensome fraud problem is accelerating rapidly. Enter key players like mobile security expert Giesecke+Devrient (G+D), which has experience in the security of all payment types and is working closely with issuers and merchants, as well as card networks, to find solutions that provide a virtually imperceptible payment experience while keeping payments secure.
Founded in 1852, G+D offers both physical and digital security technologies used by millions of people, worldwide, every day, to pay by cash, card or smartphone, interact with their cars or use their identity documents while travelling.
It has led development of biometric cards, and a relationship with Crédit Agricole on a combined chip and fingerprint recognition solution is one of a number of productive partnerships it has established to push this technology forward. Card giants Mastercard and Visa are also both active in this area, using G+D technology to offer their Visa Ready and Mastercard Biometric, fingerprint-based solutions.
Tokenisation and dynamic card verification are among the other SCA-related developments taking place – where banks can turn account numbers into tokens placed into physical devices or ecommerce systems and mobile transactions, to bar access to fraudsters.
In July, G+D was approved by Mastercard as a ‘digital activity customer’, enabling it to onboard and make technical and commercial services available to third party businesses wishing to enable digital payments in fields like Internet of Things (IoT) and card-on-file (where ecommerce providers store customers’ chosen payment details to enable uninterrupted transactions) through the Mastercard Digital Enablement Service (MDES).
While card-on-file solutions are becoming more prevalent, they aren’t without risk, as significant hacking incidents over the past 12 months, including the easyJet breach last May which saw nine million customers’ details stolen, have shown.
G+D has supported widespread calls across the industry for more discussion and collaboration over SCA implementation, as studies show the average person has 90 different online accounts and needs to authenticate themselves 45 times a day.
Agnostic about which payment method it supports, G+D offers security solutions for all of them but is part of a collaborative industry movement calling for universal standards to bridge the usability/security gap.
Up for the challenge
Jukka Yliuntinen is responsible for G+D’s digital product portfolio development. He says: “Online payments have seen phenomenal growth over the last decade, but even more during the last couple of years. Retailers and merchants have seen a huge increase in capabilities for offering their services online, and there is increasing consumer demand for online shopping because it’s so easy and they can pick and choose, compare, and get home delivery.”
And for these online providers, trying to ensure SCA compliance while opening up their APIs for authorised third-party access to customer data, collaboration is key.
“We’ve traditionally been about helping issuers provide means of payment, from cash to cards, including payment devices in the field,” says Yliuntinen. “With digital, the same applies. We enable issuers to have their digital payment cards enabled in different types of wallets and endpoints.
“But merchants are increasingly making the decisions about how payments will be made available and in that sector we now provide services for digitising cards on-file, where there is a big market.
“For example, Amazon recently announced that, together with Mastercard, it will tokenise all its cards-on-file [in 12 countries including North America, Latin America, the Middle East and Europe], which is consumer-friendly because, beyond the payment, no details are stored and, even if the merchant database is compromised, you’re not compromising the original card.
“The other area is authentication, especially SCA, because it’s essential to know who is making a payment. It needs industry-wide networks of issuers, acquirers and vendor communities, like us, contributing to that security, user-friendliness and performance,” says Yliuntinen.
G+D is taking its own steps to help solve this industry-wide dilemma. “We recently announced that consumers can use their Europay, Mastercard and Visa (EMV) contactless card as a second form factor for strong authentication, to increase security by combining smart card-level hardware with tapping their own near-field communication phone rather than a point-of-sale terminal,” he adds.
Working at every stage in the payments value chain gives G+D a privileged perspective on stakeholders’ relative strengths and weaknesses.
“From the security point of view, you cannot do it alone, you are always dependent on somebody else,” says Yliuntinen. “The issuer is dependent on how the whole transaction flow goes from acquiring back to them. And then there are the devices and software or hardware that need coherent, end-to-end security. Big techs and IT giants like Apple, with its Apple Pay, Apple Cash and now Apple Card, have a really strong position and are gaining market share. The internet is enabling payments and online shopping, and these players have the means to do it, from enabling the devices, such as mobile phones and tablets, through to the software and services.
“Traditional players like issuers, acquirers and the banking community have a chance to compete, but they need to act much faster, to offer trust, which is the advantage they have. They have fairly good solutions, and are, ultimately, the ones that have our money deposited with them.”
As co-chair of Mobey Forum’s Digital ID Expert Group, he urges banks to wake up to this opportunity to be the guardians of payment security. Last year, the Forum called for banks to take charge of national identity systems. It renewed that call in the context of track and trace systems for combatting coronavirus this summer.
The reasoning is clear: inherent consumer trust makes banks the ideal guardians of digital data verification schemes that protect consumers during data gathering to support everything from ecommerce payment verification, to coronavirus infection control. Whether banks are willing to step into such a potentially politically charged role remains to be seen.
But, notwithstanding the challenges around getting SCA right, Yliuntinen believes it could help the whole economy – not just the big guys. “It could pave the way for an etail explosion, with more, and smaller, retailers getting involved,” he says.
That’s not to deny the resource, cost and technical challenges they face in doing so, but, given the current threat to the survival of traditional stores, do they have a choice?
“Online will be dominating, including new services created by COVID, like ordering lunchboxes online, which made a big difference for small restaurants. Small businesses have found that this new way of selling could be very good for them.”
It could, in fact, be a lifeline.