Hi 2Xers. Welcome to the 2X eCommerce podcast, I’m your host Kunle Campbell, and this is the show for growth, you know, eCommerce growth. So if you’re on online retail looking to scale by two, three X or even ten X, I hand-pick my guests to come on the show to share their expertise, and experience. On today’s episode it’s like super special, especially if you’re in Europe, because there are some new directives come September, that will impact eCommerce and the checkout experience basically in Europe, more or less to tackle online fraud. And yeah, it’s super interesting. If you haven’t heard about it, you must listen in if you’re based in the EU.

And without further ado, I would like to welcome my guest to the show who is Milan Gauder, he’s the executive president of Mastercard in Europe, and he’s been around since 2005. He joined even 2000 [inaudible 00:04:38] responsible for overseeing the development implementation of innovative new products, such as digital authentication for prevention, digital identity. Without further ado, I’d like to welcome Milan to the show. Welcome, Milan.

Thank you very much for having me. Hello, everyone.

Great stuff. So Milan, let’s talk about digital identity today. Pretty much, what is the landscape at the moment in Europe, specifically around security and online payments?

Online payment in Europe is obviously a very fast growing segment and in some countries in the northeast of Europe like the UK or Norway or so, eCommerce has already amassed its share from the total commerce of 20 to 30% very high. But all across Europe, it’s the fastest growing, and in some countries, the only growing segment of commerce. So of course it’s a very important have a payment that’s happening there. And cards has a message share overall from how the payment is happening when it comes to eCommerce. And what the consumer benefits from that paying by card is that today, pretty convenient, and for the consumers, a totally safe way. Because there is zero liability rules and those of the European Union have several rules of the maximum exposure a consumer can have. For the consumer, it’s a pretty seamless and easy way to pay. But, a new regulation is coming there.

Okay, what’s this new regulation? Is it something we should look forward to, come September?

Yes, the new regulation is called Payment Service Directive Two. It was in the making for years, and the name shows the second version. There was a first one a decade ago, and this new one has multiple elements, and what it’s trying to steer is steering competition with open banking. And the other big objective is to further reduce financial fraud in the world of eCommerce and when you do any remote payment or access your bank account. So the objective is clear, although Europe has pretty good track records in terms of fraud on eCommerce payment because it had already implemented tons of security tools and fraud prevention tools.

But the regulator believes that okay, there’s further way, and further room for improvement. So in the three what comes this change and is trying to keep the right balance of having further security elements, but in the same time, keep up the very all [inaudible 00:07:31] gross of eCommerce payment of card payment and eCommerce. Over the years, by implementing of course state-of-the-art solutions, and user-friendly authentication methods to do everything both safe, and smart, and convenient.

Okay, interesting. So this a fraud prevention directive set up by the EU. It’s called Strong Customer Authentication. So we’re in the month of June or July, depending on when you listen to this, in 2019. So come September, for eCommerce merchants, eCommerce store owners, who are listening to this episode now, what would fundamentally change in the way shoppers buy in the EU in their stores?

So what is already happening today in a pretty big percentage of the cases when you do an eCommerce transaction, you are asked to authenticate yourself. We call it sec, VIDA calls it verify by VIDA, which practically means, that before the transaction goes through, you need to prove that you are who you say you are. And how you do it varies a lot country by country. In some countries, you get that SMS from your bank with a special code, and that you need to type into the merchant homepage or to the page which pops up to authenticate yourself. In other countries you have a password which you type in. In again, certain countries, you have some kind of biometric authentication using your mobile phone, and fingerprint reader, and the list goes on. They have various ways of authenticating yourself.

According to the new regulation, this authentication will now be regulated. So while so far it was driven by the needs, and the country, and the banks, what they wanted to implement, what they found required. In the future, the regulators says two thing. One is that there should be a strong customer authentication, which means two factors, so two independent factors should be used. Be one knowledge factor, the other is an ownership factor, the third is an inherence factor. Two of these three should be used. And the second that it also regulates when such authentication should be used. And they are certain rules, basic rules, that it should be used always, except, and there’s a list of potential exception, when the risk is low, the amount is low, or the merchant is reliable, or the bank has very good track record, and for prevention, then they are useful exceptions.

Makes sense. What about subscription businesses? Where you put in your card details once, and then there’s a monthly charge.

So for example, that has an exception dedicated for recurring payment, and the other for merchant-initiated payment. The difference between the two is that recurring payment is defined in a way when exactly as you said, a subscription model, when you subscribe for something, for a newspaper, for a service, which for in every month or every weeks or in a predefined, regular time period, it’s charging you the same amount. That doesn’t require a Strong Customer route. I think it should be because obviously, you get that order now, and every month at the same time, maybe in the middle of the night, you will be charged. But you pre-agreed of that charge, so you don’t need to authenticate yourself every time.

Similarly, merchant-initiated payments, when it’s the same thing, but with variable amount, meaning if you gave your card number to someone, and gave the order or the approval to the merchant the [inaudible 00:11:37]. Whenever, for example, hotels I said, “Okay, here’s my card number. And seven days before the time when I booked a hotel room, feel free to charge my card.” And so that’s what happened exactly seven days before, so maybe again middle of the night, or when I’m in the Tube or something when I cannot really authenticate my self promptly. So that again, that’s exemptive from Strong Customer Authentication.

Okay, makes a lot of sense. Let’s talk about the authentication types. Consumer side, from what I understand, there’s the biometric, which could be a fingerprint or giving face ID, for an Apple, dynamic passwords, two-factor authentication with mobile phone, you know, IDs. Which is your preferred mode or are we going to empower consumers to choose the authentication type, or will that be directed by financial institutions?

The solution will be provided by financial institutions. Typically, there is even more solutions because depending that whether you have the mobile banking app of the bank, whose credit card or debit card you own, or if don’t have but you have a mobile phone, and you can receive an SMS, or if you have some kind of other authentication application, then you have different solutions.

So, what is the most typical in Europe, for example, in Austria, you get an SMS with a code, you type in that code, and then you are also asked the authentication question of what is your favorite pet, or whatever, so a knowledge-based question. What we believe and what the research shows is that people prefer the most biometric authentication, meaning that when you are attempting to do a transaction on your laptop, and then when you hit the button ‘pay’, and then you type in of course your details, and then the application pops up or an EQuIS pops up on your mobile phone and says, “Hey, Milan. Do you really want to buy this flight ticket at British Airways for this amount? And if yes, please push your thumb against the fingerprint reader.” And then I push it there and I say, “Yes, approved.” And then, on the BA homepage, it will appear that, “Thank you for authenticating yourself. All goes fine.” And then, the authorization goes to my bank to check whether I have enough money for that, but that’s the usual [crosstalk 00:14:16] kind of process.

That’s super interesting because I think it’s going to solve two problems. Well, one problem it’s going to solve for sure is reduce fraud from a consumer standpoint. And I guess consumers with stats, they’re already getting used to it you know, in terms of authentication. So once they’re learning to become very seamless, you know, going forward.

Yes. As I said, it’s not something unknown or uncommon in Europe. So, I think comparing to the United States where this kind of authentication is very rare, in Europe, it’s only happening one out of five times. So it’s not unheard of. Some banks need to change the methods, because as I said, the regulator expected to factor authentication in some banks in Europe still use a static password, which is not compliant with the regulations. So some of the place need to upgrade their system, and of course, educate the cardholders that from now on, that password is not enough, but you will also get that SMS message and you need to ‘copy’ ‘paste’ five-digit password or series of number to this homepage. So there’s a need for change in some cases, and education of the cardholders, but it’s not something totally new for a typical European eShopper.

Okey dokey. Before I let you go, on a final note, what should retailers do to prepare? Do we contact our credit card providers? Our merchants? Our account holders? Or do we just sit tight and let consumers be educated with the financial institutions?

So, yes. At [inaudible 00:16:09] industry there’s a lot of work ongoing for a while because this regulation came out one and a half years ago. And also, before, it was in the making, so the only thing new about that, so there have been a lot of work been done to upgrade the systems to be able to manage in a proper way all these authentication flows. So most of the merchants work together closely with their internet gateway or their acquirer to upgrade their system to be able to make this pop-up window work, so-called the free DS message work, I chose the echo system. If you are a merchant who haven’t yet done that, then you should give a call to your internet payment gateway provider or your acquirer and discuss, “Hey. Am I ready? Do I need to do anything more? Do I need to do some coding in my checkout page to be fully ready for September to be able to handle these new [inaudible 00:17:15] authentication.

I think that’s the most important new message for listeners tuning in to this and listening here. So if you serve the European market, you need to check your checkout and you need to check your credit card provider to see if you’re compliant or not. Because you don’t want anything broken in your checkout com Q4. You know, September starts the busiest period of the year for [crosstalk 00:17:47] most, so get on board and start checking right now. It’s better to prepare ahead of September.

Any final [crosstalk 00:17:55] points?

Yes, the same on the consumer side. So if you are an eShopper and you use your card regularly for internet shopping, make sure that you do download your bank’s mobile banking app. Or you refresh whatever mobile phone number the bank stores to you because they may want to communicate you your SMS.

So for example, my bank in the UK asks me to check whether the phone number what they have for me is the latest and is the one what I use most often. So I had to update that and so my bank is communicating to me, I just need to listen because with banks’ communication often I just say, “Oh, there’s a technical update there, I don’t care.” This time, we do need to care and we do need to make sure that we have all updated what the banks asked us to be updated. Because then on the 15th of September, we don’t want to be surprised at, hey, they are asking for a call or something, but we don’t know where to find. So read what the banks communicate to us. And if they don’t, give a call to our bank in the remaining three months, or two months, when you listen to this podcast, to make sure that we have the right general to be authenticated.

Thank you so much, Milan. It’s super, super, super useful for listeners. One more tip- make sure you have your online chat facility. I know you can tab online chat 24/7. Not everybody can, some people do. Some stores have. Just make sure you have the online chat facilities so if any of your shoppers are encountering any difficulties, especially pertaining to authentication, you can educate them right there, live, with your live chats, at checkout.

Thank you so much, Milan. It’s super useful and I just want to thank you.

Thank you very much. It’s a pleasure talking to you.

Yes.

So, that was a wrap on this week’s episode of 2X eCommerce. Remember, you can catch me every week. And also send your questions and comments on Twitter using the hashtag, #2xeCommerce. Keep yourself in the loop by subscribing to this podcast on iTunes or your favorite podcast center app. It only takes a few seconds, and it means you’ll get the most up-to-date episodes to help you grow your online store. Do have a good one ’til I catch you on the next show. Bye-bye.