Security and Convenience When Shopping Online: Does Monopoly or Competition Keep Us Safer?
Next time you are queuing to pay at the supermarket, and possibly cursing the long queue and the lack of open tills, remember that it could be much worse: much, much worse.
What if the queue weren’t two people with full trolleys in front of you, but five, and you had to wait not six minutes, but fifteen? To make matters worse, when you finally get to the checkout, half of the items in your trolley are not recognised by the scanner and you have to leave them in the shop. Imagine that this all happens in the busy shopping weeks before Christmas. The chances are that you might run screaming from the shop, never to return.
If the problem were confined just to one shop then you could avoid that shop.
But what if someone sitting deep in the basement of a grey building made this happen in ALL shops? You would have no way of avoiding this hell. That would put off even those who are enthusiastic about shopping.
The reason I am torturing you in this way is that an obscure new rule being devised by the European Commission, the European Banking Authority (EBA) and the European Central Bank (ECB) might be about to turn your online shopping experience into exactly this type of hell.
The people involved are all well-intentioned, of course. They want to protect consumers from fraudsters, and that is a good thing. But design by bureaucracy is almost never the way to find an effective solution for the real world.
The European Banking Authority is currently redrafting a standard security process for banks and retailers that accept payments. This will implement the updated EU Payment Services Directive (II). It proposes that all online transactions follow a model called ‘strong authentication’. This involves transactions being approved by banks before they can be accepted. So in the future, every time you make a simple online transaction with Zalando, BlaBlaCar, Amazon, Carrefour or others, it would need to be approved by a bank.
Tests have shown that such bank processes are more cumbersome than the current secure process followed by retailers, that they result in many customers simply abandoning their purchases and, importantly, that they are no more secure.
Today, 95% of online transactions use what is known as a ‘risk-based’ approach. Sellers use a number of different techniques to secure the transaction depending on the level of risk. After all, security and fraud prevention require a nimble approach, because fraudsters are constantly adapting. Importantly, sellers using a risk-based approach must themselves be liable for any problems with fraud that their customers might have, whereas with ‘strong authentication’ the bank is always liable. So customers are always protected if something goes wrong.
Requiring all transactions to use ‘strong authentication’ is not only cumbersome, it would also hand a monopoly on transaction processing to the traditional ‘savings banks’ who operate these systems. Conspiracy theorists might imagine that this was being done deliberately to hand a monopoly to savings banks, thus presenting them with a new and guaranteed revenue stream: no online purchases could be made without use of the bank system.
Whether this is intended or accidental, it would be the effect. A single standard operated by a single category of company would result in a lethargic monopoly, not something that is likely to be up to the challenge of keeping systems secure, particularly once fraudsters and hackers have one stable target to aim at. Nor would it help the retail industry, which is constantly looking for new ways to keep its customers safe and to improve the retail experience.
This picture of retail hell can easily be avoided. A wide coalition of MEPs, credit card companies, and retailers is trying to make sure this doesn’t happen. As the EBA updates this security standard, it should maintain a dual approach to security: it should define strong authentication and allow an exception for a risk-based approach, something that is just as secure, provides a better experience for consumers and is used in 95% of transactions today. A risk-based approach is already used by thousands of commercial banks, credit card companies and retailers who are constantly innovating. I would say that was better than a monopoly.