By Evan Schuman / 6 Oct 2016
Evan Schuman is a guest contributor to the Sift Science blog.
A single, standard way to pay for anything securely online. Sounds great, right? But does this ambitious vision actually stand a chance of happening?
Recent talks from the World Wide Web Consortium (W3C) about establishing one consistent method of making purchases online have a lot of potential, especially given the active participation of Google, Facebook, Apple, Microsoft, American Express, Alibaba, and Tencent. But who’s not currently participating? Amazon and PayPal – and that spells big trouble for the single consistent online payments effort.
Before we jump into the particulars of what W3C is trying to deliver, let’s be clear about how difficult a task establishing a single online payments standard would be. First, there are different operating systems—both mobile and desktop/laptop—and umpteen different versions of those different operating systems. Second, there are more than a half-dozen different major Web browsers and dozens of versions of those browsers. Third, we have many different payment processors and even more payment types.
W3C’s initial goal is to include all credit and debit cards—globally—along with NFC payments authenticated by biometrics and bitcoin and ACH and whatever else is coming down the payments road. And oh yes, we also have different retail web sites for merchants of all sizes.
So, this is one massive endeavor. And it’s even more daunting without the support of the world’s largest e-tailer and one of the largest online payment firms. Why aren’t Amazon and PayPal wild about W3C’s effort? They’ve spent years creating very effective, easy-to-use payments systems of their own. Giving every e-tailer and payments firm access to a system that is just as easy to use could undercut much of those firms’ marketing efforts.
The W3C has published the first working draft of its payments effort. And The New York Times recently did a deep dive into what W3C is planning, but the story contained a potentially misleading line: “The fees from transactions will still go to existing financial institutions like credit card companies and banks, unless customers choose a new online payment method like Apple Pay or Samsung Pay.”
That is a common misconception, saying that some transactions have fees that go to payment card brands and banks while NFC systems like Apple Pay (and NFC-enabled Android Pay) and Samsung Pay (usually magstripe emulation) do not. False. Just about all Apple Pay, Android Pay, and Samsung Pay transactions are actually on the credit or debit card in that shopper’s mobile wallet. The banks and card brands get their cut either way. Apple Pay takes an additional cut, but that doesn’t replace the interchange fee paid to the banks and brands.
So, things wouldn’t change much for issuers in the brave new world of a standard payment system. None of the several previous retail/carrier efforts to do end-runs around Visa, Mastercard, and the banks have survived. In the charge toward a standard payment system, any of the proposed approaches still wind up either hitting a major payment card or directly accessing a bank account. For almost all mobile purchases today, the choice is whether to offer the card directly or through the mobile app.
“The bigger goal behind the W3C project is to create a standard, seamless, and secure way to pay for things electronically in a future that will most likely include virtual reality stores, chat-based transactions and machines making payments to other machines—an autonomous car paying for a parking spot, for instance. The standard will also make it easy to include new payment methods like Bitcoin or the Chinese payment provider Tencent,” the Times story noted.
Whether the effort to create a single standard succeeds or not will ultimately come down to how similar payments need to be. Will the authentication portion work for all of a shopper’s devices and computers? And the interface in their car? And maybe a connection into Apple TV? Fingerprint scans—the favorite current approach of NFC systems—don’t work outside of the small portion of mobile phones equipped with a biometric reader. So some will be password and others will be biometric? At the same time, there are extensive campaigns in security against passwords.
This means that the ideal approach for W3C is some authentication method that works on all manner of devices (including cars) that is far more secure than passwords or PINs. Setting aside all of the rest of the complications, simply coming up with that new authentication mechanism—and getting all of these companies to agree to it—is monstrously difficult.
The Times piece said something else that’s very interesting. The story quoted a source involved in the process who referenced the earliest days of e-commerce and that, in those early days, “the main hurdle to accomplishing more seamless payments was online merchants, who did not want to give up control over any part of the checkout process.”
What the story doesn’t say is that the vast majority of today’s e-commerce merchants would kill to rid themselves of the payments part of the transaction. Beyond the fees and beyond the countless headaches from maintaining PCI compliance, merchants have discovered that payments burden them with sensitive payment data that they are responsible for protecting. That’s a burden that they don’t want—at all.
They have also discovered that payments processing involves some of the greatest delays in the transaction. Most merchants would love to just sell the product and let someone else handle the payment processing. That means that merchants are cheering on this effort—unless you are a merchant who has already solved this issue for your customers (aka Amazon).
Let’s also consider fraud. Having one mechanism handling every e-commerce transaction in the world would create a gigantic opportunity for the best cyberthieves. If they can crack that system, they have a ready-made key to every e-tailer in the world.
And what would happen in that scenario? The merchant would get burned. But the legitimate shopper—the one who was impersonated by the thief—may also get burned. This all depends on how they paid. If they paid with a credit card—as opposed to a debit card—they are generally protected by a card program called Zero Liability. But if they used a debit card or an ACH transaction, their bank account could be emptied. And the return of funds might take months, which is often far too late.
The best way in e-commerce payments to truly solve online misery is to create zero liability programs that will also protect debit transactions. But that would face even stiffer odds than W3C faces. I sadly report that neither will likely happen in any reader’s lifetime.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld, and eWeek.