Enhanced security in electronic card payments in Spain: the difficult balance between security and conversion

One of the clearest trends in consumer habits among the population, which we have all been witnessing for years, corresponds to the unbridled boom that electronic commerce is experiencing. Each year, a greater proportion of consumption is carried out over the Internet. In fact, at present, around 1 out of every 4 purchases made in Spain is made in this way, figures that we are very likely to see increase in the future.

The data are unmistakable: during the second quarter of 2022, Spain reached a record 18.19 billion euros in e-commerce turnover, figures that only consolidate the trend observed in recent years.

However, far from pretending to develop a macroeconomic or sociological analysis of this new, although already consolidated, consumption modality, this article aims to address one of the most common concerns raised by businesses focused on ecommerce: How do you balance the need to secure electronic payments, while at the same time not affecting the conversion rate of visits to your web pages?

In recent years, European institutions have endeavored to issue new security-related regulations on payment services, regulations that have a direct impact on the issue addressed in this article. In this regard, the most relevant standard is the Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market and amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010 and repealing Directive 2007/64/EC. (Text with EEA relevance), also known as the PSD2 Directive.

The PSD2 Directive aims to strengthen the security of electronic payments in the common market, as well as to regulate access to European consumers’ banking data. Its transposition into Spanish law was carried out through Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures in financial matters, which came into force at the end of 2018.

Among other issues, the directive established the obligation for payment service providers to enhance the security of online transactions through strong customer authentication (SCA). These standards were further developed with the entry into force of the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council as regards regulatory technical standards for strong customer authentication and common secure open communication standards.

Specifically, it established the obligation to use two or more authentication elements in the same transaction, each of which must belong to a different one of the following three categories:

  1. An element of knowledge, such as a password.
  2. An element of possession, such as a mobile phone, verified through a code sent by SMS.
  3. An inherent element, such as a fingerprint.

In this context of tightening security conditions applicable to electronic payments, businesses focused on online sales are finding that the reinforcement of security works against conversion rates related to visits to their sales portals. It is therefore necessary to set up mechanisms to ensure a balance between security and sales agility.

It is also critical to secure online stores against fraud committed by those posing as consumers when acquiring the goods and services offered by ecommerce-based businesses, as such fraud can be a constant nuisance.

To protect themselves, online businesses can turn to resources that add further layers of protection to online purchases. One of these resources is the 3D Secure protocol, developed by Visa (and also used by MasterCard), which confirms the legitimacy of the transaction by means of a double check: on the one hand, the entry of the card data and, on the other hand, the entry of a code sent (usually) by SMS that allows the buyer to be authenticated.

The major drawback of the 3D Secure protocol is the drop in sales that its use can cause, either because users mistake the authentication step for a fraudulent portal, or because the extra step delays the purchase and they abandon it. This is known as "friction in the payment process". Online businesses therefore have to choose between three possible options:

  1. Apply 3D Secure on all purchases: this lowers the conversion rate, but secures every sale.
  2. Apply 3D Secure only for amounts above a certain value: this reduces the abandonment rate, while still protecting the larger transactions.
  3. Do not apply 3D Secure: the abandonment rate is kept to a minimum, but every sale is exposed to possible fraud.
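The two rules described above (two authentication elements from different categories, and the three ways of deciding when to trigger the 3D Secure challenge) are small enough to express directly in code. The following Python is an added example written for this article, not code from the original page, from Visa or from any payment provider; the category names, the `Policy` enum, the threshold value and the sample authentication attempts are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three categories of authentication element named in the Delegated Regulation."""
    KNOWLEDGE = "knowledge"    # something only the customer knows, e.g. a password
    POSSESSION = "possession"  # something only the customer has, e.g. a phone receiving an SMS code
    INHERENCE = "inherence"    # something the customer is, e.g. a fingerprint


@dataclass(frozen=True)
class Element:
    """One authentication element presented during the payment (constructed type)."""
    name: str
    category: Category
    verified: bool  # whether this element was successfully checked


def satisfies_sca(elements) -> bool:
    """True when at least two *verified* elements come from *different* categories.

    The edge case this guards against: a password plus a PIN are both knowledge
    elements and therefore do not satisfy SCA, however many of them are checked.
    An element that failed verification contributes nothing.
    """
    categories = {e.category for e in elements if e.verified}
    return len(categories) >= 2


class Policy(Enum):
    """The three options the article lists for applying 3D Secure (constructed names)."""
    ALWAYS = "always"                    # option 1: challenge every purchase
    ABOVE_THRESHOLD = "above_threshold"  # option 2: challenge only above an amount
    NEVER = "never"                      # option 3: never challenge


def requires_challenge(amount_eur: float, policy: Policy, threshold_eur: float = 0.0) -> bool:
    """Decide whether the 3D Secure challenge is shown for this amount under the policy."""
    if policy is Policy.ALWAYS:
        return True
    if policy is Policy.NEVER:
        return False
    return amount_eur > threshold_eur


def authorise(amount_eur: float, policy: Policy, elements, threshold_eur: float = 0.0) -> str:
    """Outcome of a purchase attempt.

    'approved_no_sca' means the merchant chose not to challenge and carries the
    fraud risk itself; 'approved' means SCA was completed; 'declined' means the
    challenge was required but the elements presented did not satisfy SCA.
    """
    if not requires_challenge(amount_eur, policy, threshold_eur):
        return "approved_no_sca"
    return "approved" if satisfies_sca(elements) else "declined"


if __name__ == "__main__":
    # Constructed sample attempts; the 50 EUR threshold is an illustrative placeholder.
    password = Element("password", Category.KNOWLEDGE, verified=True)
    sms_code = Element("sms_code", Category.POSSESSION, verified=True)
    pin = Element("pin", Category.KNOWLEDGE, verified=True)
    failed_sms = Element("sms_code", Category.POSSESSION, verified=False)

    for amount, elems in [(20.0, [password, sms_code]),
                          (120.0, [password, sms_code]),
                          (120.0, [password, pin]),
                          (120.0, [password, failed_sms])]:
        print(amount, [e.name for e in elems],
              authorise(amount, Policy.ABOVE_THRESHOLD, elems, threshold_eur=50.0))
```

The useful lesson is in `satisfies_sca`: the rule counts distinct categories, not the number of elements, so a store that asks for a password and then a security question has added friction without adding a second factor. Under option 2, everything at or below the threshold is approved without a challenge, which is exactly the slice of sales the merchant is choosing to protect with its own fraud controls rather than with SCA.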

When the protocol is applied, liability is shifted to the consumer, as the purchase has been reliably confirmed by card number, expiry date, cryptogram (the card security code) and, above all, the secret code. This leaves the buyer with far fewer grounds to dispute the transaction.

In conclusion, although requiring the 3D Secure protocol may reduce the sales volume of a business focused on e-commerce, the benefits of applying it are very considerable: fraud is reduced, and time and labour are saved in resolving consumer disputes. Security in electronic payments is essential to protect consumers and businesses, but it must not become an obstacle that slows down the growth of e-commerce.

This publication does not constitute legal advice.


How can LAW4DIGITAL help you?

At LAW4DIGITAL we are lawyers specialized in digital business. We provide comprehensive legal advice to digital companies. We help you with online legal advice.

We will keep you updated about digital business. In any case, you can contact us by sending an email to, calling (+34) 931 444 820 or filling out our contact form at

We look forward to seeing you in the next post!

Law4Digital Team.
