Skip to main content

Will you be ready for Strong Customer Authentication in online payments?



United Kingdom

As the e-commerce world continues to evolve, retailers are facing challenges about online payment security, both in dealing with their banks and under the latest EU payments laws coming into force in September this year.

First, a January 2019 report from consumer group Which? flagged a number of UK banks which it saw as falling short of best practice in online account security and their use of two factor authentication. Two factor authentication (2FA) uses checks with the customer based on two elements from things they possess, such as a mobile device, things they know, such as passwords, and things they are, such as biometric information.

Secondly, looking ahead, 2FA (also known as strong customer authentication) will become mandatory for online payments from September 2019. This is a result of the regulatory technical standards (RTS) introduced under the Second Payment Services Directive (PSD2). Under the new RTS laws, payment service providers (PSPs), such as merchant acquirers, will be obliged to use two factor authentication for most e-commerce transactions and online payments: this requirement will apply in EU member states and in the U.K., even after Brexit (with a deal or no deal). Many retailers and franchise businesses are looking at how this new requirement is likely to affect the customer experience, as some see the prospect of increased friction in the e-transaction process and reduced prospect conversion rates. Where this is a concern, retailers are discussing with their PSP the range of exemptions available, which would allow the PSP to avoid using 2FA and hence keep the current customer experience.

Potential exemptions include low value payments, recurring payments, corporate payments and the so-called "transaction risk analysis" which focuses on the fraud percentage of the PSP's payments history, as well as the circumstances of the online payment. So PSPs will be looking at how they can stay within the appropriate fraud rates and use the transaction risk analysis - this will feed through into their agreements with retailers. Some exemptions need specific planning ahead: where the corporate payments exemption is to be used, PSPs should provide the Financial Conduct Authority with the appropriate operation and security risk assessment information at least 3 months ahead of using the exemption.

So retailers should be planning to engage with their PSPs and discuss how best to deal with these new authentication requirements and how far it makes sense to use one of the applicable exemptions. The changes may also lead to amendments to the PSP's agreements, so both retailers and PSPs should ensure the amendments reflect the appropriate risk balance in light of the new laws.

If you would like more information on this topic, please contact your usual Fieldfisher contact and they can put you in touch with our Payments and Cards team, which has been advising clients on PSD2 issues across Europe, including the impact of the RTS and 2FA requirements and Brexit