Day: September 5, 2025

In my last article, I detailed why there has been a steady blurring of the lines between Card Present (CP) and Card not Present (CNP) transacting and explained why this demarcation of payment types is rapidly becoming less useful.

What is much more important today is to define the type of transaction, the user experience that is desirably associated with that transaction, and whether the merchant or ecommerce provider is prepared to retain the risk associated with that payment, or shift some of its risk and the associated fraud liability onto the card issuer or holder. First and foremost, it’s important to identify which key drivers are at work that create the need for extra layers of authentication and/or transfer of liability away from the merchant.

Larger ecomm sites focused on cutting cart abandonment

For example, having a frictionless experience at online checkouts is invaluable to most large ecommerce providers in terms of reducing their ‘abandoned cart’ levels considerably. The resulting lower abandoned cart percentage generated by superior user experience (UX) more than offsets the fact that many ecommerce sites (and associated mobile apps) are carrying most (if not all) of the risk associated with these transactions.

It’s worth bearing in mind that ecommerce cart abandonment levels are still pretty high. According to the Baymard Institute’s 2024 study, average cart abandonment levels stand at 70.19%. That percentage rises close to 80% for ecomm purchases being completed via your smartphone.

Reasons given for cart abandonment are largely linked to poor UX. Key reasons for abandonment uncovered in consumer studies are the discovery of extra costs (shipping, tax, fees) at checkout, as well as insisting on account creation (more on this later), long/complex checkout processes, lack of trust, slow delivery times or limited payment options. So, not offering a Buy Now Pay Later (BNPL) option for larger transactions is now leading to higher abandonment levels for more expensive goods bought online, for example.

One way that ecomm operations manage their exposure to the risk of fraudulent transactions, and contain chargeback levels within sub-1% tolerances mandated by acquirers, is by waiting for payment funds to clear before shipping any goods. Tap to Pay functionality can be used to enable rapid checkout for guests who do not want to sign up for an account via your mobile app to complete a transaction. More on this later.

High value ecomm transactions could use Tap to Everything to reduce fraud risk while reducing cart abandonment

However, for higher-value goods and services which you are paying for online: perhaps buying long-haul flights or booking hotel accommodation overseas, rather than risking a card being rejected and the affected customer simply walking away, the application of Tap to Everything looks to have its place to manage elevated transaction risk.

We could inject another level of authentication into the transaction process by, say, asking the buyer to tap their card on the relevant mobile app screen on their phone (or Tap to Pay) to prove that they have the card that they are using to buy these things. It is entirely possible you could also ask for them to tap in their PIN number as well (‘Tap+PIN’ entry), or the card’s CVV, to complete the transaction. By doing so, fraud risk falls dramatically and liability shifts from the merchant to the card issuer or card holder.

Riskier transactions offer further use cases for Tap to Everything

For those buying an expensive restaurant meal via a mobile app that they may not even be signed into, placing a bet online, buying crypto, or making a series of expensive ecommerce transactions one after the other in quick succession, it understandably makes sense to build Tap to Pay (TTP) functionality into the transaction process. This reduces the inevitably elevated fraud and chargeback risks associated with these sorts of transactions and buying behaviours, while simultaneously passing remaining transaction risk towards the issuer and away from the merchant.

TTP is not only a better customer experience (tapping rather than manually entering card numbers). It is also significantly more secure because Mypinpad, as a PCI-certified solutions provider, can keep the cardholder’s details secret even from the app that they are using — thereby reducing our merchants’ PCI-DSS compliance requirements.

TTP also offers a more secure payment method which helps protect customer data and reduces fraud risk. This is achieved by tokenising card data either via Card on File (CoF) or Network Tokens, the latter being much preferred since its ‘device binding’ capability reduces CVV reliance over time. This provisioning, plus the tokenisation model, significantly reduces the risk of cardholder data loss while providing a simple, clear user experience. There’s less risk of digital theft, or abandoned carts.

Guest usage of occasional use mobile apps

Many users today feel that their smartphones are already overloaded with mobile apps. For occasional use services, we don’t particularly want to retain an account associated with a dedicated mobile app to support it. Take the case where you are on a road trip through Europe. You get to a city in France which demands use of a mobile app to pay to park on the street near your hotel. You don’t want to create a new account for that city’s mobile parking app, then assign a payment card to that account. You just want to pay for parking and run.

The app provider does not particularly want you on their customer database either, because you are unlikely to use the app again, and if you do happen to come back to that place on another occasion, you will never remember your credentials – creating lots of support queries and messages to get logged back in and pay.

Far better to give these types of visitors the option to check out as a guest, perhaps paying via a one-time QR code which is provided via the app without the need to create an account to access that code. TTP can be used to pay via the QR code. According to a recent industry report, approximately 60% of mobile app‑based transactions are completed as guests, rather than by logged‑in account holders.

Tap to Confirm already gaining traction for verification use cases

Although most of the use cases above are Tap to Pay-focused, Tap to Confirm (TTC) is naturally finding a great many use cases amongst applications which demand verification. For example, Mypinpad is enabling rail season ticket holders to prove that they are the holder of a given season ticket by showing their card to the barrier reader rather than showing the season ticket itself. In this way, the rail operator knows that the person who has bought the season ticket is indeed the same person going through the barriers. This is a TTC application which we enabled over two years ago for a major European transport operator.

We are also working with a major bank using TTC as part of Step-up Authentication (SA) where risk levels associated with a specific transaction have breached accepted norms.

Step-up Authentication (SA) is already a proven way to strike a balance between security and friction. It ensures users can access some resources with one set of credentials but will be prompted for more credentials (normally requiring a third authentication factor) when personal transaction ‘behaviour’ norms are breached.

So, in most cases where transaction size looks to be in the ‘normal range’ and it is being completed via a smart device which is located in the country it is normally in, then two factor authentication (2FA) suffices.

However, if you were to make a request of your bank to wire several thousand dollars to a bank account in North Africa from a device located in a country you are not normally in, that might trigger SA, resulting in a request for another factor of authentication to prove you are who you say you are, and that your phone hasn’t been stolen or hacked into. That may include one of the above ‘proof of inherence’ biometric factors like facial, iris or fingerprint scan, and perhaps requiring secure PIN entry for the card being used for the transaction via Tap to Confirm. So, in this way CNP transactions naturally flex into CP authentication, and in doing so, fraud risk is lowered and liability passed onto the issuer.

We are seeing increasing demand for SA deployments to dynamically adjust authentication levels according to the degree of risk associated with specific transactions. It’s a relatively new development which makes sense in a world where device thefts, combined with digital identity theft, is sadly becoming more commonplace; while transaction history analysis can be run ‘on the fly’ using AI to spot potential transaction anomalies and increase authentication requirements dynamically to combat the increased risk associated with those anomalous transactions.

TTC usage means that your PIN could join the growing 3DS mix

As indicated above, PIN entry can be brought back in as part of TTC flows if an extra layer of authentication is desirable alongside biometrics associated with unlocking your mobile device, for example. There is now some speculation that your PIN number might be added to the mix of the online fraud prevention and authentication protocol 3DS.

The use of OTPs (one-time passwords sent by text or email), together with biometrics (Face ID or fingerprint recognition already in use to unlock your phone), is already in wide use for mobile payments. Certainly, there is an increasing number of use cases associated with verifying you are who you say you are.

Tap to Activate gaining ground with banks

As the number of physical high street bank branches and associated ATMs dwindles across much of the developed world, and the percentage of transactions which are completed online increases (compared to those completed in-store), it increasingly makes sense to be able to activate a new bank card via Tap to Activate at home or on the move.

The innovation brought by Tap to Activate offers the ability for a consumer to just tap their own bank card against the back of their own phone to provision a card and then use the freshly activated card to complete an ecommerce transaction in the comfort of their home.

Tap to Everything an ideal enabler of Smart City multi-modal travel

It is conceivable that TTC could be used for smart city transport applications where, in the future, people will hold a ‘smart pass’ to cross a city in the most efficient, multi-modal manner – moving from e-bike, to electric bus, onto a tram, then underground and overground rail services, even perhaps extending to gaining access to and paying for a hire car to exit the city. It is conceivable that this type of application could lead to Tap to Pay as well as Tap to Confirm in one single multi-modal journey.

Tap to Everything is enabling greater payments agility and is driving market innovation

It is clear that Tap to Everything already offers an array of payments and non-payment applications, many of which we are already building out for banks, ecommerce providers and merchants.

It can help improve the user experience in ecommerce and make card activation, provisioning and even the updating of card details (changing the PIN number of a card for example) light work for consumers. It can help merchants to reduce fraud risk and pass fraud liability to card issuers (or card holders themselves) — increasing authentication levels as risk levels rise in real time.

The benefits in terms of reduced cart abandonment, reduced fraud and chargebacks and being able to accommodate payments by unregistered users of mobile apps are clear. We are finding new Tap to Everything use cases on a near weekly basis right now. So, it’s opening up a wave of innovation in the market.