eCommerce payment security is receiving a reboot. Strong Customer Authentication (SCA) in Europe is an example but this is now a global trend.
In this new security era, failed payments and false declines due to perceived fraud risk, a curse of eCommerce payments, may eventually become a thing of the past.
Instead of so-called ‘hard’ declines, customers will be faced with a 2-factor or ‘step up’ challenge. Adding extra steps into checkout flow creates friction which we know results in some customers abandoning their purchase and so checkout ‘drop off’ will rapidly be crowned the new conversion killer.
The final decision whether to ‘step up’ will rest with issuers to make in real-time. It’s safe to say not all issuers are equal in their perception and tolerance of risk.
Forward-looking merchants are boosting sales conversions by analysing their payment data to understand how best to satisfy key issuer risk parameters and control the likelihood of a 'step up' challenge.
Rise of False Declines In eCommerce Payments
Global retail eCommerce sales are forecast to pass the $5 trillion (USD) mark in early 2022 and with only 3% of global commerce currently taking place online, it’s safe to say that e-commerce payment volumes will continue to rise at their current double-digit annual growth rate for the foreseeable future.
Yet because e-commerce payment authorisation requests are far more likely to be declined, a staggering amount of revenue is continually being left behind on the table by many businesses. With industry-wide average authorization rates for eCommerce card-not-present (CNP) transactions as low as 85% compared to 96% for card-present (CP) transactions, this revenue leakage problem is now set to balloon to as much as $720 bn (USD).
Payment declines or blocks can be triggered by any of the players on the payment value chain from the merchant through to gateway provider, acquirer and on to the card issuer.
Payment authorisation requests are declined for various reasons starting with basic reasons including insufficient funds or expired cards but more often than not they are declined due to suspected fraud risks.
A growing proportion of these are situations where the risk engines incorrectly decline legitimate users’ transactions. The growth in false positives, also known as false declines, reflects the increasing complexity and sensitivity of assessing fraud risk for card-not-present transactions.
Failed payments caused by false declines have become the curse of many eCommerce businesses, and in particular for the growing number of subscription-based businesses. For them, a failed payment not only means one lost payment but very often results in a lost customer. The customer's subscription simply doesn’t renew and unless the merchant takes action, it will lead to a lost customer. This type of unintended customer loss is known as ‘passive churn’ and requires a significant investment in ‘dunning’ management to effectively and smartly communicate with customers to keep them subscribed to the service.
Rebooting eCommerce Payment Security
In response to the massive growth in eCommerce volume and the complexity of fraud that comes with it, regulators across the world are introducing new rules to increase eCommerce payment security. Strong Customer Authentication (SCA) regulation in the EU is a case in point. But Europe is not the first nor last geography to introduce 2-factor authentication based security standards. With the exception of the US, some form of a legislative roadmap towards tighter eCommerce payment security is now a clear global trend. In most cases this is actually part of a larger shift to embrace Open Banking with more security required as access to banking infrastructure is opened up.
Interestingly, in the new higher eCommerce security era, false declines and failed payments may eventually become a thing of the past. Rather than a ‘hard’ decline a payment authorisation request where the cardholder has not yet been authenticated, issuers will instead ‘soft’ decline and respond in real-time with a ‘step up’ 2-factor challenge.
This is an important new principle to understand and will operate according to the new 2 version of 3D Secure technology protocol developed by EMVCo. In a basic scenario, a merchant or their payment processor, may identify a transaction as sufficiently low risk to skip 2-factor authentication, and pass the payment through to the cardholder’s issuer for authorisation. The issuer’s risk engine - tuned up to be less risk tolerant - may disagree with the low-risk assessment.
However, rather than hard declining (and failing the payment), the system responds with a soft decline. It is essentially saying ‘I need my cardholder to identify themselves before I authorise the payment’. This will introduce a further step in the cardholders' check out process. For example, the issuer may send code via SMS to the cardholder that needs to be entered into a new browser page or the cardholder is prompted to touch their smartphone’s fingerprint sensor. There are other options but in all cases, it is the issuer (and not the merchant) that controls the user experience.
Relationship between drop off and step-up authentication
Experience tells us that this extra security step, which adds some friction to an otherwise smooth check out experience, can result in a customer abandoning their check out process. That is to say, the customer does not complete the extra step and aborts their eCommerce purchase at that time.
This kind of ‘drop off’ can be caused by many factors and again experience tells us that, in the new security era, merchants can expect a rise in their drop off rates.
So while merchants may experience a decline in hard decline rates, they will now have to deal with rising ‘drop off’ rates. From a merchant perspective, high ‘drop off’ rates are more difficult to diagnose the root cause of and are therefore a potentially more damaging payment outcome than hard declines.
To determine the likelihood of a particular customer dropping off, there are at least 4 variables to consider. First, the friction created by the method the issuer chooses to use, second, how frequent the particular customer faces a challenge and how familiar they are with the process, and thirdly, the type of product or service being sold by the merchant, and fourthly, the channel and specific context of the customers eCommerce checkout experience.Drop off rates will also vary depending on the merchants' environment. The dynamics are completely different for low value / high volume versus high value / low volume merchants.
Understanding the relationship between drop off rates and frequency of step-up authentication is critical. In the context of the European SCA rules, merchants need to use the available SCA exemptions to control authentication rates at a target optimal level and it may not necessarily mean trying to minimise step-up authentication challenges. An overview of SCA exemptions is provided here.
Customer familiarity with the step-up authentication process is not to be underestimated. A customer that is hardly ever challenged may drop off when eventually challenged simply because they are not familiar with the process and don’t know what to do. So a strategy to minimise step-up authentication challenges may not in fact lower drop off rates, and a more optimal approach for a merchant is to proactively increase the frequency of step-up authentication so as to familiarise customers with the process.
Know-Your-Issuer To Gain An Advantage
In the context of the European SCA rules, merchants should take note that hard declines will not disappear anytime soon. Issuers will be required by law to systematically hard decline all non-SCA compliant transactions. So merchants must track hard decline rates and make necessary adjustments to ensure their payments are submitted in a compliant manner.
Not all issuers are equal and merchants should gain an understanding of how individual issuers interpret SCA rules and have set up their systems to behave is key. Systematically developing issuer intelligence over time and adjusting how payments are subsequently submitted will make a difference in drop off rates.
With both greater resources and payment volumes to learn from, larger merchants will have a distinct advantage. Likewise, merchants on eCommerce market places or platforms will equally be able to leverage similar benefits. Stand-alone mid and small-sized merchants face a greater risk of uncontrolled hard decline rates (due to non-compliance) and rising drop off rates (due to uncontrolled step up authorisation rates). The actual risk depends on the circumstances and environment of each individual merchant.
The good news is that merchants that are able to control their eCommerce payment environment, will be able to steer their business towards desired commercial outcomes.
Advanced digital native merchants are already demonstrating what can be achieved through better control and management of their payment domain.
Practical Steps To Controlling And Optimising eCommerce Payments
Merchants can start with small practical incremental steps towards greater control of their eCommerce payments environment.
An immediate goal is being able to track and monitor the 3 key indicators mentioned above: hard decline rates, soft decline rates / step-up authentication rates and customer drop off rates. The starting point for this is identifying the various data sources and developing an integrated dashboard. In particular, data required for drop off rates will not entirely be available from a payment processing partner. They will not be able to report on aborted checkouts that do not result in payment authorisation request.
Having developed insight via a tracking and monitoring dashboard, merchants can then set a goal to test and learn if and how adjustments improve the KPIs.
Finally, through a gradual process of optimisation, merchants should be able to clearly link KPI improvements to desired commercial outcomes such as sales conversions and a positive financial impact.
The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).