Morals and economic issues of ‘seamless’ payments; some thoughts.

Slight departure from the usual security fare this post, but hopefully you’ll find it interesting!

This week I attended the ‘Cards and Payments’ summit.  This was pretty interesting, and it was certainly good for me to attend a conference not purely focussed on security to see what the wider payments industry is talking about at the moment.

I’ll provide a brief overview in another post, but I wanted to write my entirely non security and non technical thoughts on a particular topic that was discussed numerous times over the two days;  How to make payments as seamless, transparent and friction free as possible.

On the face of it this seems like a great idea.  Who wouldn’t want to be able to securely pay for goods and services without any friction or interruption to what they are doing?  Indeed I’m even involved in some work around how we can use things like device ID, location, behaviour etc. to improve security while lowering friction.

However the other side of this coin is the fact that people have been proven to spend far more as they get further from transferring actual cash to someone else.  Since the inception of credit and debit cards, people in properly controlled studies spend more, will value the same good higher and will tip more with a card vs. making a cash payment.

This trend further continues as you move online, the more transparent payments are and the less involvement the consumer has in the payment process, the more likely they are to spend.

When you consider this fact in the overall picture of many countries where people have a clear propensity to overspend and carry more debt than they can manage, is this trend a good thing?

From a moral perspective should we really be creating ways that have been proven to psychologically increase spending when many people are already in a lot of financial difficulty?

You could of course argue that people need to be responsible for themselves, which is an opinion I often tend towards.  However I think industries do need to be held to some level of responsibility for their customers, especially when there are clear and impartial studies highlighting the risk and psychological triggers that are being used to change behaviours.

On a macro level I would also argue that the economy as a whole would be better off in the long term if consumers are managing their money better as they will always have money to spend.  The reality of ongoing over spending is longer term economic troubles.

One of the presenters who was promoting the benefits of completely seamless payments with seemingly no controls on how much you spend was from sky <betting and gaming.  He unsurprisingly disagreed with me and spoke of making the process as seamless and excellent as possible.  This seems particularly dangerous as they are clearly combining potential habit and addiction issues with technology designed and proven to make people overspend..

To be fair to him he did mention having other things they offer to help with gambling problems, but he was very clear these should be separate from the actual gambling and payments process – which does kind of miss the point in my opinion.

What do you all think?

Is some affirmative friction a good thing in payments?

Should business have some obligation to look out for its customers rather than just doing everything to make them spend?

Regardless of the moral question, should businesses have some view to the longer term health of the economy?

If not business, is regulation the only answer to drive good behaviours from them?

 

It would be great to hear your thoughts!

We’ll be back to security stuff for my next post..

K

Low friction, secure online payments

Online payments whether made from a traditional PC or any mobile device must be secure, strongly resistant to fraud, and convenient.

Currently online payments suffer from a couple of key issues relating to ease of use and security;

·         Extra security features such as 3DS (3D Secure) provide a frustrating consumer experience.  This leads to consumers abandoning shopping carts and merchants disabling the feature where they are provided the option to do so.

·         False rejections of payments by the issuers, again this provides a terrible user experience and shopping cart abandonment.

 

Both of the above issues lead to frustrating situations.  Examples of these are when people forget their 3DS credentials, or when you call your bank to be told the rejection was because of the merchant, then the merchant says it was the bank!

 

In addition to this the upcoming EU rules on electronic payments authentication, how we verify that the person who is paying is the right person, are likely to add to this complexity.

 

These regulations are the Revised Payment Services Directive (PSD2).  They have three objectives: harmonization, innovation and security.

On security, PSD2 requires ‘strong customer authentication’ to be applied for all electronic payments in Europe.  Strong authentication in this case refers to using at least two of these three factors;

·         something you know such as a password,

·         something you have such as a card

·         something you are, for example, a biometric.

 

The EBA (European Banking Authority)  is responsible for the regulatory technical standards to deliver strong customer authentication.

 

The above issues and potentially increasing complexity leads to a poor experience and shopping baskets being abandoned.  This is due to either friction in the process or false rejections of payments by the issuers.

 

So how can this situation be improved upon? We need a solution that meets the needs of consumers, merchants and issuers as well as the intent of the proposed PSD2 regulations?

Breaking these down;

 

Consumers want a safe, seamless and reliable payments ecosystem.

Merchants want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.

Issuers want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.

The EU and EBA want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.  Additionally they specify through PSD2 that we must verify that the payer is the correct person using ‘strong authentication’.

 

As you can see the needs of the majority of people in the payments ecosystem are basically the same, safe, seamless and reliable payments!

 

Can we solve this and provide a solution that will minimise fraud, improve acceptance rates while maintaining or improving the customer experience.  The short answer is YES.

 

By combining advanced authentication solutions with card details it is possible to provide strong assurance that a user and card are correctly linked and that a payment is genuine.

 

Utilising relatively simple code and an authentication solution fast enough to be in the online transaction flow enables us to reliably link a card to a device.  Note when I say device I include laptops / desktops as well as phones and tablets etc.

 

By doing this we can immediately identify multiple attributes about the card, device and behaviour such as;

  •  Have we seen this device and card combination successfully used before?
  • Have we seen the same name on a different card from this device before?
  • Does this behaviour align with previous successful payments from this combination such as volume, velocity, amounts etc?
  • Where were these payments made from?

 

This is in addition to all the traditional fraud analytics applied to the card behaviour alone.

 

3DS can still be incorporated if required, even with all this additional information.  However its use can be minimised by asking questions such as; 

  • Have we seen successful 3DS from this device and card combination within a predefined period? 
  • have we seen the same name on a different card from this device successfully authenticate with 3DS?

If so then trust this as if it was a 3DS payment.  This would enable the ability to provide the assurance of 3DS, while minimising it’s adverse impact.

 

This requires some innovation and for the issuers, schemes and processors to work together, along with the EBA recognising that this meets the intent of their proposed regulations.

What are the next steps?

Schemes and issuers, work with the processors to enable these benefits.  Accept greater assurances and risk based decisions from processors.  A higher payment acceptance rate and lower fraud, all with minimal effort clearly benefits everyone.

To the EU, EBA and those writing PSD2, engage in the discussion and realise there are ways to meet your intent without adversely affecting the payments ecosystem.  Intelligence and innovation can provide ‘strong authentication’ without the need for any extra complexity in the payments process. We can in fact reduce the friction while improving the security.

 

Everyone involved in the payments ecosystem wants pretty much the same things, let’s be innovative and achieve these in ways that improve the experience for merchants and consumers.  This ultimately improves things for everyone!

 

Feel free to contact me via this blog, or find me on LinkedIn to discuss further and if you’d like to know some more details around how this really can work in practice.

K