Published Tuesday 12th May 2020
One of the small businesses I operate has a business bank account with one of the UK big 4 banks. Today I made e-commerce card payments for the first time since they moved to an upgraded version of Verified by Visa 3DSecure; each was referred for step-up to 2-factor authentication.
The only choice shown for the 2nd factor was an email address which should have been updated years ago. By chance, I still have access to these e-mails due to an oversight by the service provider, so I was able to complete the transactions.
I followed the advice on the bank website and called the bank helpline to update my details. Firstly, despite previously changing the email address via online banking, another out-of-date email address continued to show on the telephone banking record.
I was then advised that the bank is unable to amend the email address on the 3DS system and I needed to sign into my Verified by Visa account. I believe this information to be incorrect as it is the issuing bank's responsibility to maintain accurate data on behalf of their customers.
The challenge to offer secure 3DS is greater as the bank does not appear to be maintaining accurate and consistent contact records for the business across all channels and systems. When we changed our records online, I do not recall being advised of the need to contact all channels.
What will this mean to businesses emerging from lockdown?
I strongly suspect that my experience is not unique.
As we move out of lockdown, businesses are likely to find that their usual supply arrangements are not available due to supplier shortages, changed credit terms or, sadly, business failure. So, the ability to buy securely online will be critical to sourcing the goods and services they need to operate.
Resolving the issue is urgent not just for the banks’ customers but also to manage their own chargeback rates, which are critical to their ability to offer transaction risk analysis exemptions permitted under Strong Customer Authentication.
Cardholders unable to complete 3DS are likely to revert to MOTO payments, exposing themselves and the bank to fraud.
Merchants, trying to do the right thing by adopting and updating 3DS in line with the (now delayed) Strong Customer Authentication road map, risk lost business and the costs of MOTO chargebacks if their customers find a bank’s 3DS hard to use.
Is this issue confined to one bank? Experience elsewhere suggests not, which is why I have not singled them out in this post. Unless addressed, this issue will not make good PR for the UK’s large banks, at a time when they have been working hard to deliver support to businesses during lockdown.
About the Author: Paul Davidson is a leading member of ERA’s European Banking and Payments Team, having joined ERA in 2005 after a 25-year banking career. Paul has delivered consistently for ERA’s clients by combining his market insight with ERA’s market influence.