EXCLUSIVE: ‘Safe journeys’ – Mike Cowen, Mastercard in ‘The Fintech Magazine’
With online fraud a major industry concern, there has been a raft of developments, from both the private sector and regulators, which bring together the various elements of security and authentication. Here, Mastercard’s Mike Cowen discusses the roll-out of SCA, 3DS2, and what Click To Pay adds to the picture
Online card security is a hot topic. The revised Payment Services Directive (PSD2) has ushered in the enforcement of Strong Customer Authentication (SCA), which means that payment services providers are battling with the complexities of security protocol 3D Secure (3DS) and its younger sibling, 3D Secure 2 (3DS2), which have been introduced to reduce friction for users.
SCA has now been joined by Click To Pay, an industry standard for online payments which, like 3DS2, is managed by EMVCo (a card consortium consisting of Europay, Mastercard, Visa, JCB, American Express, China UnionPay and Discover). Click To Pay allows customers to pay with a single click, using stored payment information for all of their credit and debit cards. The service supports, and is supported by, Visa, Mastercard, American Express and Discover.
These major developments are in response to the global uplift in e-commerce, a trend further driven by the pandemic, and the accompanying rise in online fraud.
“Those who are less tech-savvy are more vulnerable to certain forms of fraud,” says Mike Cowen, Mastercard’s head of digital solutions for the UK & Ireland. “Over the course of the last year, we’ve seen massively accelerated growth in the shift of payments to online, but also a demographic shift, so that more people who haven’t shopped online previously are starting to, and those people are less comfortable and familiar with shopping online, and potentially more at risk.”
UK Finance has highlighted that unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £784 million in 2020, while research by TransUnion picked up on a 14 per cent spike in online fraud during the last holiday season. It is feared online fraud will continue to boom throughout 2021.
Meeting the demands of SCA
“Fortunately, there are a number of initiatives that are helping us to fight these issues,” says Cowen. “One example would be SCA, which has been driven by regulation and basically means that, when somebody is carrying out a transaction online, the bank, or the card issuer, will have a much greater degree of certainty that it’s a legitimate cardholder that’s completing that transaction.”
SCA has been specifically designed to ramp up online security, and therefore significantly reduce fraudulent transactions, providing an extra level of protection for both consumers and companies. Despite the challenges of introducing a new protocol amidst COVID-19, many commentators believe it has come at the right time.
J.P. Morgan, for example, claims that, in recent months, e-commerce transaction fraud has actually been reducing among its own merchant clients. The banking giant attributes this to an increasing consumer awareness of online fraud, but also an increase in merchants installing 3DS2, which accepts a wider range of authentication methods, including biometric and SMS data, and integrates better with mobile devices.
“We do, indeed, now have very convenient ways of authenticating ourselves, things like fingerprint scanners and facial ID on mobile phones,” says Cowen. “We can harness that technology, and, even though we’re making people jump through more hoops in order to authenticate themselves, they can do it in a way that suits them.”
However, despite the promises of 3DS2, there are also widespread concerns about the inevitable contradiction between the concept of frictionless customer experience and the imposition of more steps in the authentication process demanded by SCA. These concerns appear justified by data from fraud prevention platform Forter’s global e-commerce merchant and acquirer network, which provides a clear view on the negative impact PSD2 has had on conversions over the past 12 months. Conversion rates for 3DS transactions, compared with non-3DS transactions, expose the negative impact of 3DS on overall conversions throughout Europe, with a 25-30 per cent decrease in the UK and a 50 per cent decrease in Germany, France, and Italy.
Since many consumers are still unfamiliar with the 3DS process, merchants worry there’s a higher chance of abandonment during authentication. Users may also choose to abandon a transaction simply because it gives them more time to contemplate whether they really need to make the purchase. If the consumer successfully completes 3DS, the transaction will continue to authorisation, but even here there are opportunities for the transaction to be lost. A legitimate transaction may be declined, for example, if an issuer perceives the transaction as high risk. The issuer may then choose to decline the transaction to avoid chargeback liability. This is because, when 3DS is completed successfully, the chargeback liability shifts to the issuing bank.
There are therefore a number of issues for the industry still to iron out, including worries about consumers being liable for exempted transactions. But Cowen is confident it improves consumer protection.
“Mastercard offers cardholders what we refer to as ‘Zero Liability’. This means that, as long as the consumer has exercised reasonable care, and reported it promptly if their card is lost or stolen, they will not be held liable for any fraudulent transactions that may arise as a result,” he says. “Obviously, what constitutes reasonable care will evolve over time. As we give people more tools with which to protect themselves, the consumer also has an obligation to use those properly, and, obviously, banks have a responsibility to educate them about how to do so.”
Matching the Big Techs?
Click to Pay is a standardised payment experience based on the Secure Remote Commerce specifications, both managed by EMVCo. The relationship between Click to Pay and SRC is similar to that between Chip and PIN and EMV chip specifications. Users first have to enrol their card and personal details in Click To Pay, either by going to a card issuer’s site or app, or at the point of making their first payment on a merchant’s site.
Thereafter, they can pay via the Click To Pay button on any site that accepts the type of card they’ve registered, and use their email address to authenticate themselves. They then receive a one-time code by email to enter. It’s anticipated that the Click To Pay initiative will help to bring the idea of tokenisation, unfamiliar to many, further into the mainstream.
“In terms of making online payment security more robust, there are two things really,” explains Cowen. “The first is SCA, which we’ve covered, and the second is around securing the transaction itself through tokenisation.
“Tokenisation, essentially, is two things; it’s swapping out the real card number for a surrogate one, which is only used in certain scenarios, and secondly, cryptographically authenticating the use of that card number. Right now, we’re in the middle of tokenising cards that are stored by retailers in their systems – so a tokenised card-on-file, or tokenised credential-on-file. The final piece of the puzzle is when people type in card numbers online, and tokenising that,” says Cowen.
While there are still certain elements of friction, there are also clear upsides in terms of security for the consumer and less risk for the merchant. Click To Pay eliminates the need for a guest checkout process, for instance, so customers don’t have to enter any of their personal details and merchants don’t have to store any customer information. Cowen emphasises that this advanced technology relies on analytics and biometrics to identify legitimate cardholders.
In the US, where SCA isn’t required, Click To Pay has been described as the card schemes’ answer to Amazon’s one-click buying process, but it’s fair to say Amazon’s is a much smoother journey at present, albeit limited to certain sites and apps. With a solution that works on every channel that chooses to provide a Click To Pay checkout option, Mastercard and its peers are clearly setting their sights high.