EU Online-Security Plan is criticized
Business groups are slamming a European Union proposal that would require customers to enter extra security information for online purchases above EUR 10 (USD 10.64), saying the extra hassle could cut online sales by more than EUR 11 billion (USD 11.7 billion) a year.
The European Banking Authority, an EU rule-making body based in London, said it aims to combat fraud by requiring customers to enter extra information, such as a personal identification number, but “will seriously consider” making changes. It plans to announce revisions by the end of this month.
Credit-card companies and e-commerce associations worry that if online purchases become too cumbersome customers will abandon them.
Consumer advocates, on the other hand, say there is no trade-off between antifraud protections and promoting e-commerce. “We disagree that stringent security measures will put people off,” consumer-rights group BEUC said in a written statement. It said instances of online fraud in recent years warrant tougher rules. “The situation needs to be improved quite quickly,” said a spokesman for BEUC, Sebastien Pant. Still, even BEUC said it doesn’t “see the logic of the EUR 10 limit,” arguing instead that when a buyer is known to a merchant the stricter standards aren’t needed.
The conflict centres on technical standards to the Payment Services Directive, an EU law designed to ease cross-border payments, which will go into full effect next year. The EBA said it received a record number of responses to its draft standards after publication in August.
There was “extremely heated” debate at the EBA’s public hearing in September, said Arun Srivastava, a partner at the law firm Baker McKenzie in London who attended the crowded meeting. “I was quite taken aback by the number of people,” he said.
The retail sector objects to proposed exceptions from so-called Strong Customer Authentication, an industry standard designed to prevent online fraud. Under SCA a buyer would need to use a combination of two elements such as a PIN, authentication code or fingerprint. The EBA proposes exempting online purchases below EUR 10 from such rules.
Retailers and credit-card providers worry that if customers must take extra steps, then they will buy less. Purveyors prefer to set their own rules on how best to combat fraud.
Visa Europe, the European subsidiary of global payments-technology company Visa Inc., estimates that the new EBA rules would put EUR 11.2 billion of online sales a year in Europe at risk. This equals about 2 % of Europe’s e-commerce market, which is expected to have exceeded EUR 510 billion last year. A survey of more than 5000 adults across Europe, conducted on behalf of Visa, indicated that 61 % of consumers would abandon purchases if more steps were added to the online payment process.
The industry would prefer to use a system known as Risk Based Authentication, which takes into consideration factors such as whether the retailer’s website recognizes the buyer’s internet address. “There are existing methods of customer authentication, which are more efficient than this two-factor authentication,” said David Stephenson, general secretary of the European Card Payment Association, a trade group.
The EUR 10 figure is “completely random and arbitrary,” said David Birch, an industry consultant. If there is a black-and-white limit on when the stricter authentication is required, criminals also will know when it will be harder and easier to commit fraud, he said. The airline Deutsche Lufthansa AG and retailer Toys “R” Us Inc. could have different limits, for example, he said.
Lawmakers also question the EUR 10 limit. Markus Ferber, a German member of the European Parliament, said that if the EBA’s proposals became law, “many fast payment possibilities, which are valued by customers, would no longer be possible.” He said customer-authentication policy should recognize the difference between a customer making a payment from a regular device or location versus the customer “suddenly making transactions from Nigeria.”