It's quite exciting that stolen payment card details will lose most of their value for Internet purchases in the EEA soon. Long overdue I think, it's practically a backdoor to the whole Chip and PIN security system. (Though so are transactions with signature or magstripe, but those are also slowly being tackled…)
My main bank account is with Nordea, a big Nordic bank, one of Sweden's big four. They are currently quite paranoid about Internet purchases and outright do not permit any such transaction if it does not have that kind of two-factor authentication — if the merchant doesn't support it, you must log in with the app or Internet bank and temporarily turn this off for one hour. But with support for two-factor authentication becoming obligatory in the EEA, I guess it will only be non-EEA merchants where this is a problem. :)
Verified by Visa with an appropriate implementation is one way to fulfill the requirement for Strong Customer Authentication. All Visa cards in the EEA will have to either implement Verified by Visa in a compliant way, or use some other method such as a randomised CVC you can find out via a mobile app.
SMS 2FA sucks for those who travel to other countries and switch SIMs to avoid data roaming costs. One bank I work with had an interesting solution. If you have their mobile banking app open (authenticated) when you get the verified by visa page, you simply click submit (enter no SMS) and it goes through.
...well crap. Time to update my side projects to handle this new flow. I wasn't aware this was even coming. Looks like there are a lot of exemptions (my side project costs customers less than 30 euros), but it's ultimately up to the customer's bank.
I guess I'll move to Stripe checkout instead of my custom form.
I built Quaderno to deal with the VATMOSS nightmare on Stripe. More information at https://quaderno.io/integrations/stripe/. Let me know if you have any questions. Glad to help.
I've tried Quaderno in the past for a simple SaaS I built but found it didn't really work, it was a while back so I may be misremembering but I believe you couldn't use Stripe Billing's built-in free trial system with it, because the Quaderno checkout would create a new customer.
As security practices improve, reducing fraud, does the industry reduce its costs and pass the savings to consumers or is the trend to increase their own profits? I have an assumption as to what the answer is, however I'm wondering if anyone here in the industry may have a solid understanding?
Based on history and other industries, I'm gonna say they'll take the profits. At the very least, any savings they pass on to consumers won't be proportional to what they experience.
eBooks save money on printing and distribution but often aren't any less expensive than printed books.
eTickets save money on processing but ticket platforms charge a "convenience fee" on top of the ticket price.
When oil/fuel is at record lows, do airlines lower ticket prices in line? No.
Is reduced fraud even creating meaningful savings? The simple fact that these changes are driven by government regulation rather than internal efforts makes me think not. I think the main benefit to consumers is that they don't have to deal with identity theft as often.
In this case, government regulation makes SCA required; but in Europe most banks already practiced SCA. For free.
Here payment card fees are also far far lower because we don't have a credit card mentality of always seeking that tiny percent cashback, so these are much rarer in Europe. We also have banks themselves competing with Visa and MasterCard, for example in Belgium with bancontact. The banks offer merchants even lower fees for these.
So yes in some worlds the fees are passed down to the consumers. In other worlds, you have the United States.
What's interesting to me is that, in my experience, it seems that SCA not being used is more of a merchant than a bank problem. My previous bank (NatWest in UK) and my current bank (Nordea in SE) both support it, but a lot of merchants, especially UK ones, don't bother, which undermines the system.
Here in Finland essentially all local web merchants have used Verified By Visa and Mastercard SecureCode for at least 10 years now (authentication via bank credentials that use one-time codes or nowadays other 2-factor methods).
But I don't think I've ever seen them used on foreign stores.
Also: Local merchants here tend to use local payment service providers instead of Stripe etc. as the merchants need support for local payment methods, like "bank buttons" which have traditionally been the most common payment method (and much cheaper to merchant than cards).
The article mentions "There was a 25 percent drop in sales overnight when the changes came into effect in India," he said in an interview. "So we think SCA is a huge deal."
I highly doubt that 25% is anywhere close to the long-term impact, but any fraud detection that increases friction decreases the number of impulse purchases. If it's not clear that reduced fraud creates a bigger benefit than lost purchases the industry won't implement it. Add the sometimes weird incentives (chargeback fees etc) and something that's beneficial to the consumer might never be implemented willingly by payment providers.
If the friction from better fraud detection reduces impulse purchases it might be detrimental
Profits equal the difference between what customers are willing to pay for a product/service minus what it costs to provide that product/service. When you find a new way to deliver something valuable at a lower cost -- meaning less time & material resources -- you enjoy profits. Profits are then used to do things like hire people, invest in tech improvements, and acquire companies like Touchtech. Without profits, people would pay for things at cost which sounds great in the short term, but would result in no money left for further improvements much less incentivizing hard work, which is very bad in the medium and long terms.
> "Without profits, people would pay for things at cost which sounds great in the short term, but would result in no money left for further improvements much less incentivizing hard work..."
note that profit (without qualifiers) == net income (as opposed to gross profit or operating profit)
so it's not true that no money is available for further improvement. profit is what's left over after re-investment (and other costs).
it's also not strictly true that it doesn't incentivize hard work. if the owners take money out of the company as salary and benefits, or they derive satisfaction from the quality of their work and/or pride in building an organization, they may be very well incentivized.
to actually answer the original question, you'd need to understand how value gets distributed in a value chain (including customers). it depends on the relative power of the various actors in the chain. if customers have a lot of power, they'll extract most of the value of the value chain (likely in the form of lower prices). if suppliers have the most power, they'll retain most of the excess value in the value chain as profit. based on a quick read in this case, the supplier has lots of power, so stripe will likely retain most of the profits.
Reduced fraud does have benefits to merchants either way by (a) less income lost in chargeback fees, and (b) time saved not having to fight chargebacks.
There's more to that. Anti-fraud mechanisms that require additional action on the user's side lower the conversion rate.
For example 3DSecure mechanism redirects customer to another site where user has to put a number received in a text message. My phone is in another room upstairs. I cancel the payment and tell myself I'll do it later. Of course I might do it, but I might forget about it or change my mind.
Another example: (in Europe) from time to time, when making a transfer/payment, I have to generate an OTP using a physical device that I received from my bank. I find it extremely irritating, and I don't take this device with me everywhere, so if I'm making a payment and I'm expected to use this device, I cancel the payment.
I've worked in a place where we introduced the 3DSecure mechanism for our payments, and in certain countries it dropped the conversion rate while in others (where people are used to such mechanisms) it remained the same.
The implementations of 3DSecure I've seen were so terrible that I'm not surprised there is a drop in conversion rates. I would consider the user interface and the massive breakage as actively user-hostile. The redirects, terrible UI with blurry crappy bank logos, ugly dialog, and then I have to copy the code from my phone. And incidentally, SMS is a particularly bad method of authentication.
Yeah 3dsecure is a pretty big hit to conversion rates.
It kind of stinks being a vendor. Stripe charges extra for certain security precautions but it doesn't do a great job at protecting against fraud on its own, whereas 3dsecure does do a great job but it kills conversion rates since it's something a consumer will see.
In the end, it's the seller that ends up having to pay the price. Either through fees for disputes (which are very expensive, it's $15 per dispute) or having to pay for extra passive services, or lowering conversion rates with 3dsecure or requesting a ton of info to help reduce fraud (full address, etc.) for a digital product that won't be shipped anywhere. That raises suspicion from the consumer and it's a lot more fields to fill out -- plus it's not a surefire way to prevent fraud.
Those "rewards" aren't savings on fees, passed on to the customer, they are increased fees that are absorbed by merchants. Rewards cards carry higher fees the same way corporate cards have higher fees and the same way Amex in general has higher fees. Larger merchants can have a consistent effective rate on processing fees if their business has a good mix of non-rewards and debit cards (lower rates) in their transactions, but many smaller merchants take a bath on fees if too many of their customers use rewards cards. You'll also see many smaller merchants decline to take an Amex because it simply costs them too much. Your 2% on groceries or 3% cash back on gas doesn't materialize out of thin air and it sure as hell isn't coming out of the processor's or issuing bank's pockets, it is being paid for by the merchants you shop at.
Hopefully, this will be handled in a better fashion in Europe than in India where online transactions dropped two digits after the changes were enforced.
For e-commerce platforms, refunding fraudulent charges is cheaper than a two-digit drop in transactions.
Congrats to Touchtech! Acquisitions are always exciting :)
I'm wondering what this means for multi-factor authentication with regards to payments. Why biometrics instead of a physical security key and U2F? Convenience? Customer reach?
If the U.S. implements something like SCA in the future, would it be likely that biometrics will win out over PINs or security keys, given different legal protections for both (https://pilotonline.com/news/local/crime/article_25373eb2-d7...)? What might this mean for future legal precedents regarding biometrics?