Amidst a global pandemic, e-commerce is in the spotlight as people around the world prefer the safety and convenience of online shopping. India is no different. E-commerce in India has seen a surge of 20-30% in online sales over the past few weeks. However, this isn’t just a situation-led case in point. The Indian e-commerce industry has seen a steady upswing over the last few years on the back of a large number of merchants entering the market coupled with an explosion of smartphones and payment options.
India is expected to become the second largest e-commerce market in the world by 2034, according to IBEF projections. The report further highlights the e-commerce market is expected to reach Rs 13,97,800 crore (US$ 200 billion) by 2027, from Rs 2,69,076.5 crore (US$ 38.5 billion) in 2017. Projections also suggest that Internet penetration rate in India will be over 60% by 2026. Thus, giving a further boost to the e-commerce industry.
While marketers are waking up to the opportunity of e-commerce, the segment still needs the attention of advanced and simplified payments backed by security and convenience.
In India, online shoppers largely use either one of these following payment modes -- cards, prepaid wallets, UPI, net banking or cash-on-delivery. Cards, which was once one of the most popular methods of online payments, is now facing stiff competition from new-age payment formats such as UPI and prepaid wallets.
Surely, cards are still holding on to the popularity quotient. But, over the past few years, both merchants and consumers have become acutely aware of the need for simplified payment experiences. Merchants worry about cart abandonment rates and transaction drop-offs. It is recorded that about 20% transactions drop-off on cards leading to just 80% Payment Success Rates (PSR). In 2019, card transaction drop-offs were estimated to have caused at least a $10 billion loss of e-commerce sales in India.
What complicates matters for card issuers and payment networks is the RBI mandate on 2-Factor Authentication (2FA) introduced in 2009. While prepaid wallets have been exempted, UPI implements this through a static PIN and cards mostly use SMS OTP as the second factor.
As a result, merchants too tend to push payment methods with the least amount of friction and the highest success rates. This is why one can see an upsurge in UPI and wallet transactions.
While the mandate certainly did its job in curtailing fraud, its implementation is less than optimal. Most online card payments in India are based on the 3DS 1.0 protocol, with every cardholder being authenticated through an SMS One-Time Passcode (OTP) sent to the customers’ registered mobile number.
To bring to the fore, the 3DS 1.0 protocol was originally written in 1999, and was largely meant for the desktop generation. In a country like India, where about 70% of online transactions originate from a mobile device, this protocol tends to have an adverse impact on the PSR.
Visa and Mastercard under the aegis of EMVCO have released a far more robust, secure and mobile friendly specification. This is called EMV 3DS specifications or 3DS 2.0 -- as it's commonly known. This next-gen protocol supports multiple form factors and new use-cases, while moving the entire ecosystem to “risk-based authentication”.
As we move forward, e-commerce will demand a more dynamic, risk-based, multi-factor authentication. What works in favour of 3DS 2.0 is that it supports almost tenfold in data exchange between stakeholders, while enabling faster and secure authentication.
With risk-based authentication, real-time checks are automatically run on online transactions. Depending on the service provider who is supplying the risk-based authentication solution used, these may include behavioural checks (Does the cardholder typically make this type of transaction?), Device checks(Is this the usual device a cardholder uses?) and merchant checks(Is the merchant trust-worthy?).
Based on these assessments, the issuing bank will determine whether to challenge the transaction or not. This means reliable authentication, fewer SMS OTPs, faster checkouts, lower cart abandonment rates and a frictionless payment experience.
Unlike static authentication where each transaction requires cardholder verification, risk-based authentication challenges only the riskiest transactions. What 3DS 2.0 does differently is that instead of relying on 5 to 7 data points (being collected in the 3DS 1.0 flow) issuers can collect over 70 variables; thus allowing issuers to make better decisions.
The amount of merchant data that can be collected using 3DS 2.0 is massive; offering merchants the possibilities of many frictionless capabilities. 3DS 2.0 is now being widely adopted internationally with Visa and MasterCard coming out with rules around liability, usage and adoption. Issuers and merchants in markets such as in Europe, Australia, Singapore and UAE have already begun adopting 3DS2.0.
Well, hopefully, RBI is listening too. Risk-based authentication is certainly something RBI can consider doing a Proof-of-Concept -- maybe use the regulatory sandbox to test this out in a limited manner.
In conclusion, 3DS 2.0 is adapting to the times by offering a seamless e-commerce payment experience to consumers -- whether they’re transacting via desktop, mobiles or laptops.