
EPISODE 196 21 mins

EU Online Retailers, Prepare Your Checkout for Two-factor Authentication

Posted on 5th July 2019
by Kunle Campbell

About the guests

Milan Gauder

Kunle Campbell

Milan Gauder is Executive Vice President of Services, for Europe at Mastercard.
After joining Mastercard back in 2005, Milan has held a number of positions within the company and currently oversees the development and implementation of innovative new products in digital authentication, fraud prevention, digital identity, card benefits and reward systems. He also oversees Mastercard’s strategy and consulting efforts across the region.

If you’re an online retailer or you work for an e-commerce business in the EU, it’s essential that you listen to today’s podcast and take note. This September, there are new regulations coming into effect that will affect the way that card payments are made online. That’s why I’ve brought in one of the leading experts, Milan Gauder of Mastercard, to give us some golden advice.

Milan points out that Europe generally has a good track record when it comes to security and fraud prevention for online payments. As a customer, if you try to complete an online transaction, it’s likely that you’ll have to authenticate it after receiving a text message code or even via a biometric verification method. However, the authentication method tends to vary from region to region and there are several discrepancies in current regulations.

Strong Customer Authentication (SCA)

A new payment standard known as Strong Customer Authentication (SCA) will be coming into effect in September. It’s designed to make online payments even more secure while ensuring that the continent’s booming e-commerce sector continues to flourish. Two-factor authentication will become the norm and any retailers who haven’t updated their systems could find themselves in breach of regulations.

SCA will ensure there are consistent standards, and will also determine when authentication is specifically required. There may be certain exceptions to SCA, such as recurring subscription models and other transactions. However, when it comes to the initial payment (or permission) from the customer, authentication will generally be required.

SCA Impact on Online Retailers

If you’re an online merchant and have any doubts as to whether you’re ready for September, Milan recommends that you contact your internet gateway provider or credit card supplier.

Do you have a necessary pop-up window for customers to authenticate? Does 3DS messaging function properly when customers are trying to check out? These are things that should be reviewed and tested beforehand.

It could be that you already have adequate systems in place, or you need to update the coding on your checkout page. However, it’s always better to be safe than sorry.

SCA Impact on Customers

SCA not only impacts business, but can affect the actions of consumers. That’s why it’s wise to ensure your customers are educated to avoid any sudden surprises when they’re making purchases. For example, consumers should ensure that they have the latest version of their bank’s app on their mobile, and that their bank has their updated mobile number.

Even though most online shoppers are already familiar with the need to authenticate, making sure you have an adequate online chat facility can also be a particularly useful tip to follow, as you’ll be able to answer urgent queries during the checkout process.

This way, you’ll ensure that you won’t be unnecessarily missing out on sales and losing customers at the checkout.


3:27 – Intro to SCA
4:19 – Milan’s intro
4:49 – Current state of online payments in Europe
7:50 – The impact of SCA on shoppers and e-commerce retailers
10:25 – SCA and subscription models
12:08 – Authentication types
15:49 – Advice for retailers
17:53 – Advice for consumers
19:20 – A final tip




Mastercard: SCA Update for EU Retailers

Attention Online retailers in Europe.
A new payments standard, known as SCA or Strong Customer Authentication will come into force in September 2019.

Mastercard research shows that up to 75% of e-commerce merchants in Europe are potentially unaware of this coming into effect. SCA is a new regulatory requirement that is designed to help retailers and issuers make digital payments more secure. The challenge is to create or keep a frictionless check-out experience for online shoppers.

SCA will allow for biometric technology and dynamic passwords to create a more secure and improved online shopping experience.
Mastercard’s Identity Check is fully compliant with SCA requirements and facilitates shopping experiences we can all trust, allowing us to securely pay online using features such as our fingerprint.

To find out more on Identity Check visit the Mastercard website here: https://newsroom.mastercard.com/eu/



Hi 2Xers. Welcome to the 2X eCommerce podcast, I'm your host Kunle Campbell, and this is the show for growth, you know, eCommerce growth. So if you're on online retail looking to scale by two, three X or even ten X, I hand-pick my guests to come on the show to share their expertise, and experience. On today's episode it's like super special, especially if you're in Europe, because there are some new directives come September, that will impact eCommerce and the checkout experience basically in Europe, more or less to tackle online fraud. And yeah, it's super interesting. If you haven't heard about it, you must listen in if you're based in the EU.

And without further ado, I would like to welcome my guest to the show who is Milan Gauder, he's the executive president of Mastercard in Europe, and he's been around since 2005. He joined even 2000 [inaudible 00:04:38] responsible for overseeing the development and implementation of innovative new products, such as digital authentication, fraud prevention, digital identity. Without further ado, I'd like to welcome Milan to the show. Welcome, Milan.

Thank you very much for having me. Hello, everyone.

Great stuff. So Milan, let's talk about digital identity today. Pretty much, what is the landscape at the moment in Europe, specifically around security and online payments?

Online payment in Europe is obviously a very fast growing segment and in some countries in the northeast of Europe like the UK or Norway or so, eCommerce has already amassed its share from the total commerce of 20 to 30% very high. But all across Europe, it's the fastest growing, and in some countries, the only growing segment of commerce. So of course it's a very important have a payment that's happening there. And cards has a message share overall from how the payment is happening when it comes to eCommerce. And what the consumer benefits from that paying by card is that today, pretty convenient, and for the consumers, a totally safe way. Because there is zero liability rules and those of the European Union have several rules of the maximum exposure a consumer can have. For the consumer, it's a pretty seamless and easy way to pay. But, a new regulation is coming there.

Okay, what's this new regulation? Is it something we should look forward to, come September?

Yes, the new regulation is called Payment Service Directive Two. It was in the making for years, and the name shows the second version. There was a first one a decade ago, and this new one has multiple elements, and what it's trying to steer is steering competition with open banking. And the other big objective is to further reduce financial fraud in the world of eCommerce and when you do any remote payment or access your bank account. So the objective is clear, although Europe has pretty good track records in terms of fraud on eCommerce payment because it had already implemented tons of security tools and fraud prevention tools.

But the regulator believes that okay, there's further way, and further room for improvement. So in the three what comes this change and is trying to keep the right balance of having further security elements, but in the same time, keep up the very all [inaudible 00:07:31] gross of eCommerce payment of card payment and eCommerce. Over the years, by implementing of course state-of-the-art solutions, and user-friendly authentication methods to do everything both safe, and smart, and convenient.

Okay, interesting. So this a fraud prevention directive set up by the EU. It's called Strong Customer Authentication. So we're in the month of June or July, depending on when you listen to this, in 2019. So come September, for eCommerce merchants, eCommerce store owners, who are listening to this episode now, what would fundamentally change in the way shoppers buy in the EU in their stores?

So what is already happening today in a pretty big percentage of the cases when you do an eCommerce transaction, you are asked to authenticate yourself. We call it sec, Visa calls it Verified by Visa, which practically means, that before the transaction goes through, you need to prove that you are who you say you are. And how you do it varies a lot country by country. In some countries, you get that SMS from your bank with a special code, and that you need to type into the merchant homepage or to the page which pops up to authenticate yourself. In other countries you have a password which you type in. In again, certain countries, you have some kind of biometric authentication using your mobile phone, and fingerprint reader, and the list goes on. They have various ways of authenticating yourself.

According to the new regulation, this authentication will now be regulated. So while so far it was driven by the needs, and the country, and the banks, what they wanted to implement, what they found required. In the future, the regulator says two things. One is that there should be a strong customer authentication, which means two factors, so two independent factors should be used. Be one knowledge factor, the other is an ownership factor, the third is an inherence factor. Two of these three should be used. And the second that it also regulates when such authentication should be used. And there are certain rules, basic rules, that it should be used always, except, and there's a list of potential exception, when the risk is low, the amount is low, or the merchant is reliable, or the bank has very good track record in fraud prevention, then they are useful exceptions.

Makes sense. What about subscription businesses? Where you put in your card details once, and then there's a monthly charge.

So for example, that has an exception dedicated for recurring payment, and the other for merchant-initiated payment. The difference between the two is that recurring payment is defined in a way when exactly as you said, a subscription model, when you subscribe for something, for a newspaper, for a service, which for in every month or every weeks or in a predefined, regular time period, it's charging you the same amount. That doesn't require a Strong Customer route. I think it should be because obviously, you get that order now, and every month at the same time, maybe in the middle of the night, you will be charged. But you pre-agreed of that charge, so you don't need to authenticate yourself every time.

Similarly, merchant-initiated payments, when it's the same thing, but with variable amount, meaning if you gave your card number to someone, and gave the order or the approval to the merchant the [inaudible 00:11:37]. Whenever, for example, hotels I said, “Okay, here's my card number. And seven days before the time when I booked a hotel room, feel free to charge my card.” And so that's what happened exactly seven days before, so maybe again middle of the night, or when I'm in the Tube or something when I cannot really authenticate myself promptly. So that again, that's exemptive from Strong Customer Authentication.

Okay, makes a lot of sense. Let's talk about the authentication types. Consumer side, from what I understand, there's the biometric, which could be a fingerprint or giving face ID, for an Apple, dynamic passwords, two-factor authentication with mobile phone, you know, IDs. Which is your preferred mode or are we going to empower consumers to choose the authentication type, or will that be directed by financial institutions?

The solution will be provided by financial institutions. Typically, there is even more solutions because depending that whether you have the mobile banking app of the bank, whose credit card or debit card you own, or if don't have but you have a mobile phone, and you can receive an SMS, or if you have some kind of other authentication application, then you have different solutions.

So, what is the most typical in Europe, for example, in Austria, you get an SMS with a code, you type in that code, and then you are also asked the authentication question of what is your favorite pet, or whatever, so a knowledge-based question. What we believe and what the research shows is that people prefer the most biometric authentication, meaning that when you are attempting to do a transaction on your laptop, and then when you hit the button 'pay', and then you type in of course your details, and then the application pops up or an EQuIS pops up on your mobile phone and says, "Hey, Milan. Do you really want to buy this flight ticket at British Airways for this amount? And if yes, please push your thumb against the fingerprint reader." And then I push it there and I say, "Yes, approved." And then, on the BA homepage, it will appear that, "Thank you for authenticating yourself. All goes fine." And then, the authorization goes to my bank to check whether I have enough money for that, but that's the usual [crosstalk 00:14:16] kind of process.

That's super interesting because I think it's going to solve two problems. Well, one problem it's going to solve for sure is reduce fraud from a consumer standpoint. And I guess consumers with stats, they're already getting used to it you know, in terms of authentication. So once they're learning to become very seamless, you know, going forward.

Yes. As I said, it's not something unknown or uncommon in Europe. So, I think comparing to the United States where this kind of authentication is very rare, in Europe, it's only happening one out of five times. So it's not unheard of. Some banks need to change the methods, because as I said, the regulator expected two-factor authentication and some banks in Europe still use a static password, which is not compliant with the regulations. So some of the place need to upgrade their system, and of course, educate the cardholders that from now on, that password is not enough, but you will also get that SMS message and you need to 'copy' 'paste' five-digit password or series of number to this homepage. So there's a need for change in some cases, and education of the cardholders, but it's not something totally new for a typical European eShopper.

Okey dokey. Before I let you go, on a final note, what should retailers do to prepare? Do we contact our credit card providers? Our merchants? Our account holders? Or do we just sit tight and let consumers be educated with the financial institutions?

So, yes. At [inaudible 00:16:09] industry there's a lot of work ongoing for a while because this regulation came out one and a half years ago. And also, before, it was in the making, so the only thing new about that, so there have been a lot of work been done to upgrade the systems to be able to manage in a proper way all these authentication flows. So most of the merchants work together closely with their internet gateway or their acquirer to upgrade their system to be able to make this pop-up window work, so-called the 3DS message work, I chose the echo system. If you are a merchant who haven't yet done that, then you should give a call to your internet payment gateway provider or your acquirer and discuss, "Hey. Am I ready? Do I need to do anything more? Do I need to do some coding in my checkout page to be fully ready for September to be able to handle these new [inaudible 00:17:15] authentication?"

I think that's the most important new message for listeners tuning in to this and listening here. So if you serve the European market, you need to check your checkout and you need to check your credit card provider to see if you're compliant or not. Because you don't want anything broken in your checkout come Q4. You know, September starts the busiest period of the year for [crosstalk 00:17:47] most, so get on board and start checking right now. It's better to prepare ahead of September.

Any final [crosstalk 00:17:55] points?

Yes, the same on the consumer side. So if you are an eShopper and you use your card regularly for internet shopping, make sure that you do download your bank's mobile banking app. Or you refresh whatever mobile phone number the bank stores to you because they may want to communicate you your SMS.

So for example, my bank in the UK asks me to check whether the phone number what they have for me is the latest and is the one what I use most often. So I had to update that and so my bank is communicating to me, I just need to listen because with banks' communication often I just say, "Oh, there's a technical update there, I don't care." This time, we do need to care and we do need to make sure that we have all updated what the banks asked us to be updated. Because then on the 15th of September, we don't want to be surprised at, hey, they are asking for a call or something, but we don't know where to find. So read what the banks communicate to us. And if they don't, give a call to our bank in the remaining three months, or two months, when you listen to this podcast, to make sure that we have the right general to be authenticated.

Thank you so much, Milan. It's super, super, super useful for listeners. One more tip- make sure you have your online chat facility. I know you can tab online chat 24/7. Not everybody can, some people do. Some stores have. Just make sure you have the online chat facilities so if any of your shoppers are encountering any difficulties, especially pertaining to authentication, you can educate them right there, live, with your live chats, at checkout.

Thank you so much, Milan. It's super useful and I just want to thank you.

Thank you very much. It's a pleasure talking to you.


So, that was a wrap on this week's episode of 2X eCommerce. Remember, you can catch me every week. And also send your questions and comments on Twitter using the hashtag, #2xeCommerce. Keep yourself in the loop by subscribing to this podcast on iTunes or your favorite podcast center app. It only takes a few seconds, and it means you'll get the most up-to-date episodes to help you grow your online store. Do have a good one 'til I catch you on the next show. Bye-bye.

About the host:

Kunle Campbell

An ecommerce advisor to ambitious, agile online retailers and funded ecommerce startups seeking exponential sales growth through scalable customer acquisition, retention, conversion optimisation, product/market fit optimisation and customer referrals.
