In today’s heavy omnichannel environment — where so many retailers are using one inventory to fulfill both retail and direct-to-customer orders — AI can make the difference in whether a retailer is able to fulfill a customer’s order.
ABN Amro has completed the first instantly financed, door-to-door transport of a container from a factory in Asia to the Netherlands on blockchain-based platform Deliver.
Currently, the physical, administrative and financial streams within international freight distribution steams are carried out in separate flows.
Edwin van Bommel, chief innovation officer at ABN Amro says: “We are strongly committed to help our clients in their process to fully automate their trade flows. All parties involved in the trade flow will benefit from more effective controls, greater efficiency, transparency and traceability.”
With the PoC behind it, the bank says it plans to open up the pilot to multiple shippers from various industries and acting in different trade lanes.
"With these pilots we will be integrating all the supply chain flows: from workflow management combined with track & trace to the digitisation of paper documentation such as waybills and the financing of handled freight or services," says van Bommell. "The ultimate objective is to reach an open, independent and global platform that operates from the perspective of shippers."
Gijs op de Weegh, COO Payvision, & Evelien Witlox, Global Director Payments & Cards, ING, speak at Money 20/20 Europe about their partnership and what they have achieved in the first year, how they have brought the two worlds together and what Payvision and ING offers merchants.
On Friday 21st June the EBA published a new Opinion Paper on the elements of strong customer authentication (SCA) under PSD2 which has been subsequently been backed up a by confirmatory statement from the European Commission. This opinion has significant practical implications for issuers, acquirers, card schemes and local regulators currently working to prepare for the imminent deadline for compliance with the PSD2 SCA Regulatory and Technical Standards (RTS) on 14th September 2019. In this post I summarise the main points made by the EBA, look at their potential impact and suggest the actions stakeholders need to take.
Merchants, consumers and regulators are not ready to implement SCA
Our recent work supporting preparations for PSD2 has brought home the need to strike a pragmatic balance between the objectives and spirit of the regulation and the practical challenges of implementing SCA solutions that will work for consumers and merchants and are practically deliverable by PSPs and vendors.
Technical solutions based mainly around 3DS 2.0 will be partially available in time for 14th September, however it is also clear and widely recognised that many merchants will not be ready to implement them and with less than three months to go, consumers are unaware of the imminent changes to their online and mobile shopping experiences.
Furthermore, there is still uncertainty over the allowable interpretation of certain key aspects of the Regulatory and Technical Standards (RTS) and a tension between the wording of the regulation and the need to implement practical and inclusive SCA solutions that minimise disruption to the user experience, shopping cart abandonment and unnecessary transaction declines. The use of card credentials as an SCA factor alongside SMS delivered one time passwords (OTPs) is one of the most contentious outstanding issues.
The EBA’s key rulings
The EBA opinion provides clarification on these issues.
In doing so it is requiring local regulators, or Competent Authorities (CAs), to take a more interventionist approach to ensuring issuers and acquirers implement compliant solutions and take responsibility for their adoption by merchants within short agreed timescales.
It also effectively outlaws the use of card details as an SCA factor and restricts OTPs to proving possession. In doing so, the EBA deems most current SMS OTP based approaches, the SCA solution most widely deployed and planned by European issuers, to be non-complaint.
The key points and provisions of the opinion in more detail are as follows:
1) The opinion acknowledges the complexity of payments markets across the EU, that some actors, notably merchants, may not be ready by 14th September and that key component for the successful application of SCA is to explain the changes to customers. It also acknowledges that it is paramount for customers to be able to continue making online payments.
2) The opinion accepts that CAs may work with PSPs and other stakeholders to provide limited additional time to allows issuers to migrate to complaint authentication approaches and acquirers to migrate their merchants.
3) This extra time is on condition that issuers and acquirers have set up and agreed a migration plan with their local CAs and that CAs monitor these plans to ensure swift compliance and consistency of authentication approaches across the EU.
4) The opinion requires that CAs engage with:
Issuers to identify the two-factor authentication approaches they are using, or their migration plans to meet SCA requirements Acquirers to understand the implementation approaches they are taking with merchants and the migration plans they have in place comply All PSPs to ensure they have customer and merchant communications plans in place5) Both the EBA will monitor for consistency and take actions to remedy where necessary and the Commission will also be “particularly vigilant in monitoring the transition ensuring that all players…play their full role and assume their responsibilities”
6) Biometrics, including behavioural biometrics are an acceptable as inherence elements and there is some detailed clarification on what is acceptable, however data points provided by merchants for Risk Based Authentication (RBA) through the 3DS 2.0 protocol are not currently considered to constitute inherence elements and memorised swipe paths may constitute knowledge but not inherence elements
7) Static card details and security codes printed on card cannot be used as either a possession or knowledge element and the opinion advises CAs to closely monitor their application
8) Dynamic card security codes may be used to provide evidence of possession and card security codes that are not printed on the card but sent separately to a customer could constitute a knowledge element
9) An OTP cannot be used as a knowledge element
10) Some leeway is given on dynamic linking, with the EBA recognising that not all compliant elements may yet be able to enable dynamic linking but encouraging CAs to ensure that new SCA approaches can.
Note that the opinion does not change the current view on the application of exemptions or transactions that are out of scope of SCA, so those aspects of an issuer, acquirer or merchant strategy are not changed. It does however put more focus on acquirers to accelerate their efforts to bring merchants on board and impacts the way in which an SCA challenge is applied when it is required, and the way issuers communicate this to their customers.
A late and heavy-handed intervention?
While the opinion paper acknowledges the reality of the complex task faced by the payments industry and the impacts on consumers and merchants of getting it wrong, this comes very late – less than three months before the implementation date, and has significant implications for issuers, acquirers and indeed for CAs. It is positive that the need for properly structured managed rollouts of SCA is now accepted. This is something that the UK payments and retail industry has been quietly working on with the UK CA, the Financial Conduct Authority (FCA) for a while – for more on this see below. However, it represents a change from the previous approach of the Commission and EBA that was built on technical neutrality. In addition, the practicality of aligning approaches across all countries and CAs within the EU at such short notice will be extremely challenging.
Furthermore, the opinion on card details as a factor will be viewed by many as a backwards step that is unlikely to decrease fraud, will inconvenience consumers and potentially puts them directly at risk from fraudsters seeking to steal security credentials.
While the EBA Opinion is not in itself legally binding, the nature of the requirement it puts on CAs means that the industry has little choice but to accept it and adjust its course to comply.
The need for a layered response
The payments and retail industries need to respond at both a national and individual company level.
Nationally, industry representatives and trade associations need to work closely with their competent authorities to craft managed rollout plans that will lead to full compliance, merchant adoption and consumer awareness in short, but achievable timescales.
The UK approach led by industry body UK Finance in conjunction with the British Retail Consortium (BRC) and other retail trade bodies alongside the card schemes and leading issuers and acquirers provides a potential model. The FCA has supported and fully engaged with the initiative.
In it's response to the EBA’s opinion published today (28th June) the FCA has confirmed that it aims “to quickly agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way.” The FCA also states that once the group has finalised the plan and the FCA has agreed it, it expects all participants to meet the agreed milestones, targets and final delivery date but that it will not take enforcement action against firms if the do not meet relevant requirements for SCA from 14th September. But this delay to enforcement is not an opportunity for the industry to sit back and relax. The FCA makes it clear that it only applies to areas covered by the migration plan and where there is evidence that the firms have taken the necessary steps to comply with the plan.
It is clear that while there is some leeway on the date for enforcement, individual issuers and acquirers will to have review their current implementation and customer engagement programmes and be prepared to submit their plans to a higher level of regulatory scrutiny and oversight. So, what do they need to do?
Considerations for Issuers
The impact for issuers is twofold, particularly for those whose current or planned SCA strategy relies on card credentials as one of the factors, or on a one-time password as a knowledge factor. There will be a need to review and potentially change SCA challenge method strategy and develop a structured and long-term customer communications plan. The two are aspects are clearly interlinked.
Developing a revised SCA strategy will be challenging while there is uncertainty over which CAs will opt for a managed implementation and what the timescales and milestones will be where they do. The one thing that may help is that the options for issuers are now severely limited and by default all issuers and CAs are going to have to converge on similar approaches. This will likely comprise:
1) Defining an endpoint by which time all SCA step up options offered to customers are fully compliant and ensuring that this endpoint can be reached in the shortest practicable timescale.
2) Accelerating the adoption of biometric and app based authenticators as the favoured solution with a compliant alternative choice for those customers unable or unwilling to use a smartphone or app.
3) Continuing with committed to plans to deploy non-compliant SCA step up solutions for the short term. This will support the adoption of 3DS by merchants and will bring experience of working with exemptions. There will however be a need to set a clear transition strategy and ensure that customers are fully prepared for an early second transition to a compliant solution.
4) Carefully consider and understand the impact on customer experience and ensure that the latest version of 3DS 2.0 and other card scheme authentication and authorisation solutions are supported as early as possible throughout the roadmap. This will optimise the application of exemptions, minimise unnecessary step ups and declines and give the best experience for customers.
Customer communication strategies will need to explain and prepare customers for the full transition period explaining the background and rationale to SCA, the long-term aim and the interim steps. They will also be a need to proactively encourage customers to adopt biometric and app based solutions to a greater extent than may have been previously envisaged.
Considerations for Acquirers
The opinion and statement from the Commission make it clear that responsibility for ensuring merchants are able to support SCA lies with acquirers. This means ensuring all merchants support the appropriate version of 3DS 2.0 within the timescales that are agreed for managed rollouts. Some key points to take into account are:
1) You will need to develop a plan that can be shared and agreed with CAs (in the member states in which you operate) and that you can demonstrate that you can deliver on
2) Many merchants, particularly smaller ones, will have little or no awareness of PSD2 SCA or 3-D Secure, and proactive and effective communications campaigns will be needed to raise awareness
3) Merchants and their ecommerce solution providers will need clear and unambiguous instructions on what they must do, by when - and will need reminders.
4) High level awareness campaigns will need to be backed up with effective guidance and support resources targeting merchants, gateways, e-commerce web developers etc.
5) Adoption of SCA will not be a business priority for many merchants and yet acquirers will be held responsible for ensuring they adopt or upgrade. This will require sustained and effective communication and potentially the need to offer creative incentives.
Where Next?
The EBA opinion and the Commission statement have only just been published, and there will be a need for CAs, industry associations and others to digest and agree their approach. While this means continued uncertainty over the detail, the overall message for issuers and acquirers is clear and if current plans don’t take account of these clarified requirements there is a need to start working on the response.
Digital receipt startup Flux has signed its first online deal with food delivery marketplace Just Eat.
Initially available to Starling & Monzo bank customers at launch, the service will be rolled out across Flux’s other existing bank partners, such as Barclays launchpad, later this year.
To mark the launch, Flux and Just Eat are offering 50% off to the first 2,500 orders made with a Flux linked bank card.
Fernando Fanton, chief product & technology officer at Just Eat UK, says: “We’re delighted to be the first in our sector to roll out Flux digital receipts ensuring customers can see exactly what they’ve ordered from the 30,000+ restaurants we work with across the UK, directly within their banking apps.”
Just Eat is the first online marketplace to partner with Flux, joining brands including KFC, schuh, EAT. and Costa Coffee.
Visa is buying Verifi, a payment dispute resolution technology specialist that promises to help firms reduce chargebacks. Financial terms of the deal were not disclosed.
Verifi’s technology connects all parties in the dispute management process in near real-time with the aim of resolving issues before they become a chargeback. The firm serves more than 25000 accounts.
Visa says that by integrating Verifi chargeback tools into its risk management services, it can provide buyers and sellers more automation, near real-time communication and data-driven insights.
Mary Kay Bowman, global head, seller solutions, Visa, says: "Facilitating trust and transparency across the buying experience is core to Visa’s brand promise and Verifi’s technology and expertise will extend these capabilities to more partners across the payments ecosystem."
The acquisition is subject to regulatory approval.