Disrupting online payments

In the UK consumers are predicted to spend £8.1 billion online this Christmas, a growth of £1.2 billion on last year, and now nearly 10% of all Christmas spending. Despite this growth, online payments have seen little real disruption or innovation. Most of the time consumers still enter their credit or debit card details on each and every merchant site; Nielsen says that 60% of online shoppers still pay with a credit card. The alternatives are still in the minority: PayPal has about 14% of the global e-commerce market according to BusinessWeek, or closer to 25% according to Nielsen. Google Checkout, Amazon Checkout and similar schemes are a lot smaller than that. There is still a massive market opportunity for a disruptive technology, and plenty of room for online commerce to grow by converting offline consumers with a more secure and convenient proposition.

My basic proposal is that you should be able to use your online banking credentials to buy anything online. If you are already logged into your online banking, buying something becomes one or two clicks: no need to enter any card, name or address details, just pick the card or account you want to pay with, check out and wait for the UPS truck or download your digital content. It should work equally well regardless of the endpoint: desktop/laptop, tablet or mobile.

Why this makes sense

  • People naturally associate payments and buying things with banks, far more than with Google (search), Amazon (books) or PayPal (eBay), which is probably the closest. Banks are also far closer to the task than Facebook, Twitter or any other random OpenID provider
  • People trust banks with security, whether correctly or not. One of the most successful marketing differentiators is telling online banking customers that if they are the victim of any fraud or wrongdoing the bank will refund the amount in full. Customers really don't care about the details of security, but this type of guarantee, which they trust from a bank, is compelling
  • Online banking is reaching saturation. comScore reports that over 60% of the US online population, nearly 58 million people, use at least one online banking provider
  • Banks have already invested a lot of money in securing online banking and reducing fraud. They already have most of the people, processes and systems in place, including basic and step-up authentication, anti-fraud systems, helpdesk and customer support processes

What’s in it for everyone involved?

Consumers:

  • Concerns over fraud and security, especially sending credit card details over the internet, are a major reason cited for why people don't shop online. This is probably not as big as shipping costs or not being able to touch a product, but it is up there
  • People are short on time, so convenience and speed of checkout matter. You might spend a lot of time researching, reading user reviews and looking for deals and group bargains, but once you have decided to buy something, being able to do it quickly and easily is a good thing
  • Most times you want to buy something from a new merchant you have to register, or even as a guest enter all your delivery details again. Yet another password to manage, yet another vendor that has your home address. Reducing the re-entry and proliferation of these details would be beneficial

Merchants:

  • Storing and protecting credit card details has a cost: PCI DSS compliance plus security and risk management if you do it yourself, or fees to an outsourced payment processor otherwise
  • Lower processing costs would be a major incentive. If banks can cut the number of chargebacks (transactions reversed because the cardholder disputes them, typically as fraud) and increase the overall volume of online transactions, then a lower fee should be possible
  • Merchants can also benefit from lower charges for disputed transactions. This is the same way that Verified by Visa and MasterCard SecureCode gained adoption: good economic incentives, in their case shifting chargeback liability from the merchant to the card issuer

Banks / Card issuers:

  • Increased online commerce means higher balances, and thus more interest, on credit cards, and more transaction fees on all types of cards
  • Chip and PIN has been effective in reducing face-to-face fraud, but card-not-present (CNP) fraud remains high. Anything that made a significant dent in these fraud levels would translate directly to the bottom line

The challenges

There are a number of challenges to implementing such a system, the key ones being:

Technology:

  • Internet banking authentication systems at most banks are not federated. They were never designed with federation in mind, so it would be a bolt-on (never the best way to do security, but often the way it gets done)
  • Internet banking systems which have not been updated in the last 5-10 years are more likely to be proprietary than built on COTS products. This means they could be using proprietary protocols and authentication systems, especially where they integrate with legacy mainframe and AS/400 back-end systems
  • Different banks have different online banking systems; integrating these into a coherent system that is easy for merchants to use is challenging. It has to be as easy as embedding a WordPress plugin: just copy and paste a few lines of HTML and JavaScript. Verified by Visa (VbV) and SecureCode came in for criticism over how they were embedded at the start, especially the use of pop-ups, so those would have to be avoided, say by using an iframe instead

Process and operations:

  • Different banks have different processes; as far as checkouts go, these would need to be integrated through a central processing center
  • End-to-end integration testing for go-live and for updates is challenging: finding change windows, sufficient environments and resource commitments
  • Managing change control and update cycles across all the participating banks

Politics and commercial model:

  • Getting past the politics: agreeing a set of requirements with a large number of stakeholders and finding a workable commercial model among competing banks without breaching anti-trust law

Security:

  • Internet banking fraud would most likely increase, at least in the short term, as the same credentials are used for checkout. A compromise of one would mean a compromise of the other
  • The attack surface for phishing would increase, as any merchant site (or a fake one) could be used to phish banking credentials. Site-to-consumer authentication such as the VbV personal message could assist, but only if customers actually notice when it is missing
  • Vulnerabilities in the embedded checkout code could be exploited. An iframe in particular hides the address bar, so the customer cannot verify that the login form really comes from their bank, and the framing page can overlay it or clickjack it
  • Overall, the increase in risk may not be within the risk appetite of enough banks to gain the scale required. They would only want to join once it was proven to be successful and to make more money than it risked. This chicken-and-egg scenario would need to be overcome

Possible solutions

These challenges are not insurmountable. On the technology front, the good thing is that at least all internet banking systems are web based. Turning them into standards-based, federated identity providers is not that hard: SAML, OpenID and OAuth exist and are now sufficiently mature. Federation products such as Ping Identity, Oracle Identity Federation and even OpenSSO are well practised at taking existing internal authentication systems and federating them quickly. Alternatively, a single federated authentication front-end could be built which brokered the authentication on the back end to each card issuer's online banking system, similar to how card authorization transactions are routed today. The process and people challenges are more difficult; there are probably three organizations in the world that could make this happen and get all the issuing banks on board. Whether they could do it quickly and deliver something that works in a reasonable timeframe, or whether a disruptive start-up does it by partnering with a number of the leading banks, is another matter.
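To make the brokered model above concrete, and to show the one control that answers the security challenges listed earlier (a phished or stolen authorization being reused at another merchant or for a different amount), here is an added example written for this page. It is not code from the original post or from any of the federation products named; it simulates the three parties with a per-bank HMAC key shared with the broker standing in for real SAML or OAuth signatures, and every bank, merchant, customer and amount in it is constructed.

```python
# Added example, not from the original post: a simulated brokered checkout where the
# merchant never sees card details. A per-bank HMAC key shared with the broker stands
# in for real SAML/OAuth signatures; all banks, merchants, customers and amounts are
# constructed for this example.
import hashlib
import hmac
import json
import secrets
import time

BANK_KEYS = {"examplebank": secrets.token_bytes(32)}  # constructed broker<->bank secrets


def mac(key: bytes, payload: dict) -> str:
    """HMAC over a canonical JSON encoding so bank and broker sign identical bytes."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def create_payment_request(merchant_id: str, order_id: str, amount_pence: int) -> dict:
    """What the merchant's embedded checkout sends: no card, name or address details."""
    return {"merchant_id": merchant_id, "order_id": order_id, "amount_pence": amount_pence,
            "currency": "GBP", "nonce": secrets.token_hex(16)}  # nonce ties it to one checkout


class Bank:
    """Issuing bank as identity provider: authorises only from a live banking session."""
    def __init__(self, bank_id: str, key: bytes):
        self.bank_id, self.key = bank_id, key
        self.sessions = {}  # session token -> customer
        self.accounts = {}  # customer -> accounts they may pay from

    def login(self, customer: str, accounts: set) -> str:
        token = secrets.token_hex(16)
        self.sessions[token], self.accounts[customer] = customer, accounts
        return token

    def authorise(self, session: str, request: dict, account: str, ttl_s: int = 300) -> dict:
        customer = self.sessions.get(session)
        if customer is None or account not in self.accounts.get(customer, ()):
            raise PermissionError("no banking session for that account: step-up auth needed")
        assertion = {
            "bank_id": self.bank_id,
            "merchant_id": request["merchant_id"],
            "order_id": request["order_id"],
            "amount_pence": request["amount_pence"],
            "currency": request["currency"],
            "nonce": request["nonce"],
            "account_ref": hashlib.sha256(account.encode()).hexdigest()[:16],  # opaque to merchant
            "exp": int(time.time()) + ttl_s,  # short-lived, single use
        }
        assertion["sig"] = mac(self.key, assertion)
        return assertion


class Broker:
    """Central processing centre: verifies bank assertions on the merchant's behalf."""
    def __init__(self):
        self.used_nonces = set()

    def verify(self, assertion: dict, request: dict) -> bool:
        key = BANK_KEYS.get(assertion.get("bank_id"))
        if key is None:
            return False
        body = {k: v for k, v in assertion.items() if k != "sig"}
        if not hmac.compare_digest(mac(key, body), assertion.get("sig", "")):
            return False  # forged, or altered after the bank signed it
        if time.time() > assertion["exp"]:
            return False
        # Field-by-field binding to the merchant's own request: a phished or stolen
        # assertion cannot be spent at another merchant or for a different amount.
        for field in ("merchant_id", "order_id", "amount_pence", "currency", "nonce"):
            if assertion[field] != request[field]:
                return False
        if assertion["nonce"] in self.used_nonces:
            return False  # replay of an already-settled checkout
        self.used_nonces.add(assertion["nonce"])
        return True


def demo() -> dict:
    """Runs the happy path plus the abuse cases; returns which ones were accepted."""
    bank = Bank("examplebank", BANK_KEYS["examplebank"])
    broker, results = Broker(), {}
    session = bank.login("alice", {"current-01", "credit-02"})  # already logged in
    request = create_payment_request("shop-123", "order-9", 4999)
    assertion = bank.authorise(session, request, "credit-02")
    results["first_use"] = broker.verify(assertion, request)
    results["replay"] = broker.verify(assertion, request)
    request2 = create_payment_request("shop-123", "order-10", 1500)
    assertion2 = bank.authorise(session, request2, "credit-02")
    forged = dict(assertion2, amount_pence=15)  # amount changed after signing
    results["forged_amount"] = broker.verify(forged, dict(request2, amount_pence=15))
    elsewhere = create_payment_request("evil-shop", "order-1", 1500)  # stolen assertion reused
    results["stolen_elsewhere"] = broker.verify(assertion2, elsewhere)
    results["genuine_second"] = broker.verify(assertion2, request2)
    try:
        bank.authorise("not-a-session", request, "credit-02")
        results["no_session"] = "allowed"
    except PermissionError:
        results["no_session"] = "refused"
    return results
```

The point of the design is in `Broker.verify`: the bank's assertion is checked for integrity, freshness and single use, and then matched field by field against the merchant's own request, so the worst a phisher or a compromised merchant page can obtain is an authorization for exactly one order, at one merchant, for one amount, that expires in minutes. Running `demo()` accepts the first genuine use and refuses the replay, the altered amount, the reuse at another merchant and the attempt without a banking session, while a failed attempt does not burn the nonce of a still-valid assertion.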
