If you’re an online media provider with a subscription or membership product — or really, any digital business interacting with users today — there’s likely something you’ll avoid at any cost.

Digital media companies are dedicated to removing any potential friction from the user experience. And for good reason: Online users have so much to choose from, they can easily get frustrated and drop away completely at the first sign that an experience isn’t going smoothly. This means friction is likely to affect your conversion numbers.

Card-not-present (CNP) fraud has been growing steadily every year, accounting for 73% of credit card fraud in 2016.

At Piano, we have seen this in the sites we work with; we see checkout completion rates decrease as more steps are added to the process. This is why much of our business is focused on creating a friction-free experience for our customers. We want to keep users moving quickly toward conversion.

There’s something else that’s also a concern to digital businesses, though, and even more so to banks and credit card companies: fraud. According to the European Central Bank, “card-not-present” fraud (primarily online fraud) accounted for 73% of credit card fraud in 2016, for a sum of €1.32 billion that year.

Now a new set of regulations that went into effect on September 14 has put both “fraud” and “friction” on the tongues of digital media providers across the European Economic Area (EEA) and European Union (EU). But while many media providers are worried the anti-fraud legislation contained in the Revised Payment Services Directive (PSD2) will add more friction to their checkout process, the new regulations could, in fact, be the first step to a future that’s even more friction-free.

Fighting fraud

Before I explain what I mean, let’s take a look at the regulations themselves and the adverse effects media companies are expecting to see from them. These concerns aren’t unwarranted, but may not be as long-term as they believe.

To combat fraud while also responding to a rising API economy and innovations in the digital payment market, the new regulations obligate payment providers to add strong customer authentication (SCA) to their online checkout process. SCA is a two-factor authentication process that applies to payer-initiated online payments for goods and services of €30 and above, requiring two separate steps before a credit or debit card payment is authorized.

There are some exceptions to the rules that I won’t go into here — and if you’re in the UK they won’t be regulated for another 18 months — but in most cases, SCA requires multi-factor authentication based on at least two of the following:

  • Something you know (like a PIN, a password, or authentication questions).
  • Something you possess (like a phone or device).
  • Something you are (like a facial scan or fingerprint authentication).

For many of the media providers we’ve talked to, it’s the addition of a second step in the authentication process that’s the problem. Extra steps add friction, and for many companies that friction is more of a concern than the potential fraud the regulation hopes to address.

The future is (more) friction-free

While the short-term effects of PSD2 may look negative, its long-term promise is exactly the opposite. Piano sees potential in the new regulations to help remove some of the friction that currently exists in the digital user experience, while giving media companies ownership over the important data driving businesses today.

Consider the current authentication process. Driven largely by password access, it may be familiar, but it isn’t exactly friction-free. You just have to think of your own experiences to see that: the time you’ve spent figuring out which e-mail address you used to sign into a given site, then the password you created to satisfy its unique number, letter, symbol, and length criteria.

This is repeated across every site you want to have a relationship with — and is escalated for large media companies, where logins may or may not be “federated” with a single sign-on across sites owned by the same parent company.

Creating a different identity for every site under the same umbrella can be frustrating. But it can also be jarring to try to create an account on a site you've never been to, only to be told one already exists. It’s a common challenge for Piano’s major media clients today.

Better options exist, but in a world where passwords are standard, they aren’t yet being used widely. SCA opens up the potential to popularise them, requiring that users try something new. While password access still remains an option under SCA, so do alternatives like device validation and biometric authentication.

The more commonplace this type of authentication becomes, the more likely it will be built into laptops and desktops, making it more available to browsers. And wouldn’t it be easier to log in with a fingerprint, face scan, or device tap than with a username and password?

In the long term, this technology — once it becomes widespread — promises to remove more friction from the transaction process.

Owning the information

But it does more than that.

At Piano we see the shift to SCA’s two-factor authentication as part of a confluence of events that will begin to give publishers — as opposed to platforms — ownership over their logged-in users, as well as the data that results. This means the locus of user information will shift from platforms and ad tech companies back to publishers. User information will live only in a user’s profile — a human-readable and human-editable repository on the sites they choose to share data with. And logged-in users will enable those sites to understand their visitors better.

Right now, users tend to log into Google and Facebook, accessing sites through these third-party logins. It’s much rarer that they’re logged into the site they’re on. This means Google and Facebook are able to track user behaviour from site to site, even without the use of third-party cookies.

But new developments like SCA — as well as Apple’s requirement that a logged-in user manually click to sign onto a second site — make people sign in at every unique site, an easier experience if you have biometric or device-secured authentication. That also makes logging in through Google and Facebook less appealing, taking away their ability to track.

All of this leads back to biometrically and device-secured authentication. It’s both the safest and lowest-friction avenue for consumers. And the new PSD2 regulations push us toward a future where it’s more common, too.