What Consumers and Online Retailers Want or Getting the Balance Right: Security and Simplicity in an Increasingly Mobile World

A commentary on the complexity involved in securing electronic and mobile commerce payments

31 October 2014

Fears of online fraud are the top barrier to paying via the internet or mobile device

PayPal recently completed a consumer study of over 15,000 people in 15 major markets around the globe to understand their attitudes to, and needs from, payments. The most striking finding was how similar the answers were, from the UK to Brazil to Japan. By far the largest share of respondents (62 percent) saw a need to improve security, and fear of online fraud was the top barrier to paying via the internet or a mobile device. Close behind security came worries about whether international purchases would actually arrive (45 percent of all respondents) and annoyance at having to register before buying (39 percent of all respondents). The hassle of remembering multiple passwords and personal identification number (PIN) codes was also cited as a reason not to shop through the internet or a mobile device. These challenges are not specific to Europe, but they equally affect e-commerce in the Single Euro Payments Area (SEPA). So from a consumer point of view we are still far away from a single, secure and simple European internet and mobile marketplace.

For the past 12 years the European Payments Council (EPC) has worked hard to define and deliver on SEPA. Getting the financial institutions of 34 countries (the 28 European Union (EU) member states, the four members of the European Free Trade Association (EFTA), i.e. Iceland, Liechtenstein, Norway and Switzerland, plus Monaco and San Marino) to change their long-standing payment processes into common, harmonised payment products is a Herculean task. However, on 1 August 2014 [1] the first step towards an integrated euro payments market was completed: the migration of the euro area countries to SEPA. Financial institutions and the business sector, from small and midsize firms to large corporates, have finalised the migration. That is a tremendous achievement, and one many doubted would ever happen. But we are not yet done. The motor is running, but it stutters, causing payments to go missing or to be delayed, refused or returned, creating barriers to a successful European electronic marketplace.

Making cross-border payments as easy as domestic payments was one of the goals of SEPA. However, there are still some banks or countries which prevent a payment into another country from being as seamless as a local payment. In some countries, for example, a payment to a non-local International Bank Account Number (IBAN) can only be initiated if the user explicitly, and sometimes even in writing, instructs his or her bank to allow payments to non-local accounts. For PayPal, as one of the largest internet payment service providers (PSPs), and for our millions of individual buyers and sellers in the SEPA zone, this continued lack of a seamless, consistent cross-border experience is certainly a disappointment and something we are committed to helping the European banking community improve.

How to deal with direct debit authorisations in a digital world?

One major obstacle to a harmonised and simplified SEPA revolves around mandates for SEPA Direct Debits (SDDs). To be exact: how should direct debit authorisations be handled in a digital world? This question is often looked at only from a cross-border perspective. However, even on a domestic basis, establishing a ‘legally valid’ mandate online is proving to be a challenge.

Before a creditor (biller) can collect a direct debit from a payer, the payer has to authorise the creditor to do so, i.e. ‘sign’ a mandate.

Pre-SEPA, in many countries the mandate had to be presented by the payer to the payer’s bank. The payer’s bank would check that a mandate was in place before processing a direct debit. In many of those countries the ability of the payer to return a direct debit was limited. In the SEPA world, the mandate stays with the creditor. If a payer does not agree with a debit, he has eight weeks to return the transaction without giving any reason. If the payer wants to return a transaction after eight weeks, his bank can only do so if the creditor cannot provide a ‘proper’ mandate.

What can or should a bank accept as a proof of the authorisation of a direct debit if the mandate was established online?

We are observing diverse behaviours when it comes to the adoption of SDD. Some banks block their customers’ accounts for direct debits unless the account owner explicitly instructs the bank to process SDDs. Others ignore the prescribed process and continue to insist on the presentation of a paper mandate before processing the transaction. All this in the name of safeguarding the customer.

But is this really in the interest of European consumers? Is it really desirable for the customer to undertake extra, in most cases manual, steps to enable their bank account for SDDs? Our research, just released, clearly shows that having to pre-register before being able to pay is one of the primary barriers to using the most efficient means of buying and selling, which is electronic and mobile commerce. Should SDD not be a standard feature of a current account? Why do financial institutions think they need to establish an extra layer of security for SDDs even though their customers have eight weeks to return a transaction? Is this not like wearing a belt and suspenders at the same time?

If all of the above does not sound questionable then let’s have a look at the digital world.

According to Eurostat, the official statistics office of the EU, in 2012 75 percent of respondents aged 16 to 74 in the EU28 stated that they had used the internet in the past 12 months; 60 percent of those indicated that they had shopped online in the same period.

According to eMarketer’s latest forecast, worldwide business-to-consumer (B2C) e-commerce sales will increase by 20.1 percent this year to reach 1.5 trillion US dollars, one primary driver being the rapidly expanding mobile user base.

Admittedly, there are various ways to pay for an online purchase: cash in advance, cash after delivery, credit card, debit card, but also direct debit. Direct debits are prevalent in countries where credit card penetration is low and debit cards are not enabled for online use. For those consumers the bank account, i.e. a direct debit, is the only way to pay for an online purchase. While credit cards, and in some countries also debit cards, evolved from a point-of-sale-only payment method into an online payment method, the bank account, i.e. the direct debit, did not.

The EPC worked hard to harmonise the various direct debit models and processes, but it has so far missed the opportunity to elevate a paper-based product into today’s online world. Only at the very end of the harmonisation process was a rule included in the SDD Rulebook which called for a mandate established in the digital world to be signed with a qualified electronic signature. Alternatively, a mandate can be authorised by following the ‘e-Mandate’ process described in Annex 7 of the SDD Rulebook. That process essentially re-routes the payer from the merchant’s website to his online banking application. After logging in to his bank account, he agrees to the mandate by providing some form of transaction authorisation, such as a paper, e- or m-TAN (transaction authorisation number). The security property of this flow is that the payer authenticates to his own bank with the bank’s own credentials, so the debtor bank itself witnesses the authorisation rather than having to rely later on evidence held by the creditor.

As outlined above, a debtor’s bank can return a direct debit after the eight-week ‘no questions asked’ return period only if the creditor cannot provide a ‘proper’ mandate. Whether or not a mandate is a proper mandate is ultimately the decision of the payer’s bank.

In the paper world, the debtor’s bank can base its decision on the signature captured on the paper mandate. What can or should a bank accept as a proof for the authorisation of a direct debit if the mandate was established online?

The solutions for establishing an electronic mandate described in the SDD Rulebook would indeed give the debtor’s bank the desired ability to approve or decline direct debits it considers unauthorised. In practice, however, qualified electronic signatures are, for consumers, practically non-existent, and authorising a mandate through an online banking application is a) nowhere near a widely acceptable solution, as online banking penetration in many countries is still low, and b) a user experience that is simply too complex for a fast-moving, mobile-based retailing environment.

2013 statistics from Statista show that about 48 percent of European consumers using the internet use online banking. At country level, online banking penetration among internet users is 56 percent in France, 48 percent in Germany (the stronghold of direct debit usage), 33 percent in Spain, 31 percent in Italy and only 21 percent in Portugal. If in those countries a mandate for online transactions can only be established through an online banking application, up to 80 percent of internet users will be excluded from paying with their bank account, often the only way they can pay.

From a user experience perspective, being re-routed away from the merchant’s website is a substandard, slow and complicated experience, leading to drop-offs of up to 50 percent. Such low conversion rates are not acceptable for merchants, and such a cumbersome process is not acceptable for consumers either, who expect a frictionless purchase experience. In addition, with the rise of mobile, which includes tablets as well as mobile phones, a solution which re-routes the user to an online banking application where a paper, e- or m-TAN is needed to authorise a mandate is not workable: either the bank does not allow the same device to be used both to initiate the transaction and to receive the m-TAN (the separation of channels on which the security of an m-TAN rests), or the tablet application does not support online banking at all.

Other solutions are being developed in the market; most of them, however, are based on re-routing to online banking applications and are only usable domestically. Others rely on the provision of a mobile number, which effectively confirms a user’s possession of a mobile phone rather than control of a bank account.

So what is the solution then?

The EPC, in its revised SDD Rulebooks taking effect in November 2015, has deleted the requirement for a qualified electronic signature to authorise a direct debit, implementing a change it had already communicated earlier. On 1 October 2013 the EPC published a clarification letter (see ‘related links’ below) which highlights that the signature methods described in section 4.1 of the SDD Core and SDD B2B Rulebooks are not exhaustive. SDD scheme participants (i.e. PSPs that have formally adhered to the SDD Schemes) may consider allowing the continued usage of other legally binding methods of signature, including those that were used under the local legacy scheme rules.

At the same time, the successor of the SEPA Council, the Euro Retail Payments Board (ERPB), has established a working group with the mandate to identify and address issues representing barriers to the emergence of a pan-European integrated market for electronic mandate services used for SDD. The ERPB, chaired by the European Central Bank (ECB), will “help foster the development of an integrated, innovative and competitive market for retail payments in euro in the EU”. ERPB members represent the demand and supply sides of the payments market. (The EPC is a member of the ERPB.) National central banks also participate in the ERPB. The European Commission acts as an observer. (For detailed information, refer to the ‘related links’ below and the EPC Newsletter article entitled ‘Learn More About Work Items Related to SEPA Credit Transfer and SEPA Direct Debit Addressed by the New Euro Retail Payments Board (ERPB) Chaired by the European Central Bank’ included in the ‘related articles in this issue’ below.) We welcome the desire to create a harmonised, but simple and fast, solution to address the authorisation of direct debits.

We do not know what the results of the working group will be. We hope that current realities – from existing or non-existing infrastructures to consumer demands – and the need for a risk based approach will be considered and lead to a consumer friendly solution.

Consumers’ fear of the complexity involved in securing e- and m-commerce payments with multiple PINs, passcodes and procedures

Not unrelated to the challenge of how to authorise a direct debit in a traceable but user-friendly manner are the other two pain points for consumers in the electronic marketplace: the genuine consumer fear of fraud on the one hand, and the complexity involved in securing e- and m-commerce payments with multiple PINs, passcodes and procedures on the other.

The ECB’s desire to create a series of recommendations to the industry for the security of internet and mobile payments is a goal PayPal strongly supports, with the aim of ensuring that payments are safe. But we do believe that minimum standards and levels of security should be defined and applied to providers (based on a risk assessment), rather than any sort of prescriptive ‘one size fits all’ technical solution. To tap the full potential of e-commerce’s rapid expansion, payment providers should be encouraged to innovate, especially given the proliferation of mobile technology. With the ever-growing ‘marketplace in the cloud’, with its global reach, the risk is that we create a ‘fortress Europe’ that stifles commerce and innovation. New approaches such as host card emulation (HCE), which standardises only the card interface that a mobile application presents in software, while leaving the bank or PSP free to choose how, and on which devices, it authenticates the user, seem to be the right direction.

It is important for the success of the payments business to keep it simple while ensuring adequate levels of security. An email address or phone number, an amount, and the money is off! Behind the scenes, the best and ever-evolving security technologies and customer service are available. That is why it is important that we continue to sustain innovation and harmonise industry security standards and consumer protection regulations on the one hand, while balancing this with truly open standards and a level playing field that encourages new entrants on the other.

Katja Lehr is Director Core Payments Management at PayPal.


Related links:

Time, Money and Tech: PayPal Study Reveals Global Attitudes 

Statista: Anteil der Internetnutzer, die Online-Banking nutzen in den EU-Ländern im Jahr 2013 (share of internet users who use online banking in the EU countries in 2013; chart in German) 

Regulation (EU) No 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro (the SEPA Regulation) 

EPC Website: The SDD Mandate 

EPC Website: The Creditor-Driven-Mandate Flow (CMF) 

EPC Clarification Letter on Electronic Mandates to SEPA Direct Debit Scheme Participants (October 2013)

EPC Blog (15 April 2014): PSD2 – The New Article 67, (‘Refunds for Payment Transactions Initiated By or Through a Payee’), Proposed by the European Commission Risks Undermining Consumer’s Unconditional Refund Right for Direct Debits Included with the SEPA Direct Debit Core Scheme 

European Central Bank Website: Governance (includes detailed information on the Euro Retail Payments Board (ERPB) and related documentation) 

Mandate of the Euro Retail Payments Board (ERPB) Working Group on pan-European Electronic Mandate Solutions 

European Central Bank: Recommendations for the Security of Mobile Payments. Draft Document for Public Consultation (developed by the European Forum on the Security of Retail Payments) 

European Central Bank Recommendations for the Security of Internet Payments (developed by the European Forum on the Security of Retail Payments) 

European Central Bank Press Release (20 October 2014): ‘ECB and EBA [European Banking Authority] step up cooperation to make retail payments safer’ 

European Banking Authority (EBA) Website (20 October 2014): ‘EBA consults on implementation of Guidelines on internet payments security’ 

EPC Website: SEPA at a Glance – the Infographic (this infographic provides an overview of the actors involved in the SEPA process at the European level and their interaction) 


Related articles in this issue:

SCT and SDD Rulebooks: Modifications to the Rulebooks to Take Effect in November 2015 and November 2016, Respectively. Based on feedback received during the 2014 public consultation on changes to the rulebooks, the EPC resolved to update the release schedule applicable to the next rulebooks generations

Learn More About Work Items Related to SEPA Credit Transfer and SEPA Direct Debit Addressed by the New Euro Retail Payments Board (ERPB) Chaired by the European Central Bank. The ERPB represents the demand and supply sides of the payments market with participation of national central banks

Next Step to Create the Digital Single Market: EU Lawmakers Adopt the New Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market. European Union authorities seek to enhance trust in electronic transactions

Tensions in Cyberspace: Competing Priorities and Legislative Initiatives in the Online Payments World. Will the EU legal framework aimed at ensuring secure online payments amount to a series of harmonious provisions, or result in an uneasy compromise?

SEPA Migration (Euro Area) Round Up: the Transition has been a Success Throughout the Region. Market participants comment on the 1 August 2014 deadline and next steps in the SEPA process


Related articles in previous issues:

Evolution and Oversight of the SCT and SDD Schemes: the Role of the European Commission and of the European Central Bank. The SEPA payment schemes in the legal and regulatory context (EPC Newsletter, Issue 23, July 2014) 

PSD2: EPC Calls on EU Lawmakers to Maintain the Firewall Protecting Consumers Making Internet Payments. This Means: No Sharing of Any Personalised Security Credentials with Third Parties. Update on the legislative process leading to the adoption of the revised Payment Services Directive (EPC Newsletter, Issue 23, July 2014) 

Join the Debate on the Further Evolution of the SCT and SDD Schemes: Less Flexibility, More Harmonisation? An overview of the options, variations, exceptions and exemptions possible in SEPA today (EPC Newsletter, Issue 22, April 2014) 

Next Generation SCT and SDD Rulebooks: Three-Month Public Consultation Starts on 19 May 2014. All stakeholders are invited to provide feedback on possible modifications to the SCT and SDD Rulebooks (EPC Newsletter, Issue 22, April 2014) 

From Theory to Practice and What Comes Next? Challenges and Opportunities After More than a Decade of SEPA in the Making. A commentary: “Like all major new economic initiatives, SEPA needs time to find its feet and achieve all it set out to accomplish.” (EPC Newsletter, Issue 22, April 2014) 

The Concept of an Open Standard Interface for Controlled Access to Payment Services (CAPS). A commentary: “Access to accounts – why banks should embrace an open future.” (EPC Newsletter, Issue 21, January 2014) 

Electrabel GDF Suez: “We Are Delighted to Offer Our Customers SEPA Direct Debit Services!” The biggest Belgian biller completes migration to SEPA Direct Debit (SDD) in December 2011 and boosts the national SDD migration rate to 19 percent in that month (EPC Newsletter, Issue 17, January 2013) 

EPC Newsletter: Articles Published in the Section ‘Opinion and Editorial’ 

[1] In February 2012, the European co-legislators, i.e. the European Parliament and the Council of the European Union (EU), adopted 'Regulation (EU) No 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009', which defines 1 February 2014 as the deadline in the euro area for compliance with the core provisions of this Regulation. To avoid difficulties for non-compliant market participants, in February 2014 the European Commission, the European Parliament and governments agreed to “give an extra transition period of six months” during which payments which differed from the SEPA format could still be accepted in the euro area after 1 February 2014.
