Transactions on mobile, one click, atypical sectors… Less than two months before the entry into force of strong authentication, there are still (big) imperfections to work on.
We are almost there. Strong authentication is scheduled to enter into force on May 15 in France. From this date, all online transactions over 30 euros will be verified using at least two of the following three authentication elements: a password that only the user knows, a device (phone, smart card, etc.) that only the user possesses, or a personal characteristic of the user (fingerprint, facial recognition, etc.). But this new system rejects certain types of transactions. Every week, a task force organized by the Banque de France brings together all the players concerned (merchants, payment providers, card networks, etc.) to unravel the problems that risk causing merchant conversion rates to drop.
According to the merchant association Mercatel, strong authentication on mobile payments is not at all developed at some merchants, while the share of mobile sales is increasing month by month. “In theory, app-to-app redirection is the one that works best. In theory. Because that’s what works least well. The abandonment rates of carts are very high,” said Jean-Michel Chanavas, director delegate of the association, without giving precise figures. When a consumer makes a purchase on mobile and strong authentication is applied, they see a notification from their mobile banking application. They click on it, which switches them to this app. So far so good.
“Apple Pay, Google Pay and Samsung Pay are natively suitable for strong authentication”
Once the consumer has successfully authenticated, there are two possibilities: either there is an automatic redirection to the payment site, or nothing happens. In this second case, the most seasoned Internet users will manage to return to the payment page of the e-commerce site, while the others will remain empty-handed. “If you want to buy a train ticket and it doesn’t work, you’ll go about it several times or try to place the order on your computer. If you’re on an app like Veepee, which is more about impulse purchases, you will give up by telling yourself that you are saving money,” points out Bertrand Pineau, in charge of payment matters at Fevad, the federation of e-merchants. The Banque de France task force would like to produce indicators on the strong authentication success rate, distinguishing between mobile and desktop.
For their part, merchants must review their mobile journeys and in particular consider integrating a wallet, if they have not already done so. “Apple Pay, Google Pay and Samsung Pay are natively adapted to strong authentication,” indicates Antoine Grimaud, CEO of the payment provider PayPlug. “This will probably push the development of these solutions among merchants for online shopping,” he adds.
Strong authentication involves two authentications, therefore two manual operations. This goes against payment in one click (which does not require you to enter the CVV code of your bank card each time). “I don’t know how Amazon and the other merchants concerned are going to do it, because adding a step in a one-click journey loses all its meaning,” said Antoine Grimaud. Some industry experts believe that the merchants concerned will request as many exemptions as possible (the regulations provide a list of exemptions, such as the possibility of putting a merchant on a white list) to avoid strong authentication being applied systematically.
Sectors under the radar
Merchants from certain sectors are not even aware of the European regulations, since card transactions are not the majority of their payments. “They therefore did not prioritize this project,” confirms Jean-Michel Chanavas. These sectors include insurance, energy, collection and the HLM offices. Even if some merchants only have a few percent of card transactions, imagine the amount that can represent for a large electricity supplier… “We have underestimated the complexity and the number of use cases of the bank card. However, many cases must be tested to be sure that everything works before the entry into force of strong authentication,” warns the leader.
Strong authentication is a European puzzle, not a purely French one. Merchants who have developed a presence on the Old Continent should look at the calendars in each of the countries concerned and identify which banks are ready. As a reminder, the banks are the ones who reject or validate a transaction (it is no longer the merchant). “Most of the issuers are not in Europe, except in the UK. Small issuers still have big problems, as do the big ones. In the Netherlands, the country’s biggest issuer still has not implemented 3DS2 (the new security protocol, editor’s note),” says Bart Sprietsma, payment specialist at Dutch service provider Mollie.
“Most European issuers are not ready, big and small”
“Some countries are experiencing very significant variations in the success rate of transactions. The rate may drop suddenly and rise again two weeks later,” notes Grégoire Bourdin, CEO of HiPay, which has a strong presence in Spain, Portugal and Italy. Consequence: providers must constantly adjust their rules to prevent transactions from being rejected. The payment provider also needs to be close to the issuer. “In Norway, for example, we have very little contact with issuers, which makes it difficult for us to have information in real time,” testifies the boss of HiPay.
If a consumer places an order for two products on a marketplace, there is technically one payment but two transactions. If the two products purchased each cost more than 30 euros, they can both be authenticated. If one is refused, the whole order is refused too. “The issuers should be flexible and allow retrying quickly,” said Bertrand Pineau.
The top 100 merchants in France represent 70% of the flow of e-commerce sites, according to Fevad. These large merchants have anticipated the European regulations well, since they have the necessary internal resources. And the little ones are not the worst off. “The 180,000 very small traders have signed 3DS2 contracts with service providers or banks. They have packaged solutions and therefore have nothing to do. The concern is rather on the side of Tier 2, the medium-large merchants who have good volumes of transactions but are not equipped with electronic banking,” warns Bertrand Pineau.
“The historical PSPs, which still have a large customer base of Tier 2, have older legacy systems than the new entrants and are therefore not necessarily ready for strong authentication,” indicates Antoine Grimaud. If a merchant notices a high failure rate on his transactions, he should consider changing his PSP in an emergency, which is not at all ideal. “The competition will be even more fierce,” said the CEO of PayPlug, who stands ready.