Saturday, May 25, 2013

Proliferation of access mechanisms to payment schemes will dilute security

It amuses me to see how payment schemes use all kinds of ways to reach an already seriously confused consumer. It seems as if it is almost required to show that customers can reach you in every conceivable way. A company that is taking this to an extreme at the moment is American Express. By making use of their new Sync product (Read more here), you can now connect your valuable American Express card to (wait for it) Facebook, Foursquare and Twitter. Linking your card in this way allows you to buy special offers from these social networks without having to be redirected to AmEx. This means, of course, that you trust the security of your Twitter account with your purchase activity.

One could argue that this is not such a big thing as it is only for online offers and fraud opportunities are limited, but this was recently extended to buying gift cards and products from Amazon, Sony, Xbox 360 and Urban Zen by merely sending a tweet. Leslie Berland, SVP digital partnerships, claims that they bring true value to customers in a world of social commerce (Read here), but I don't agree at all. By allowing access to the payment system in many different ways, with a myriad of ways to get authenticated, surely one reduces the trust in the payment system. Customers want to be sure that their cards (or other payment tools) are protected by a simple mechanism (for instance, a PIN that is always used when a payment happens). It also seems as if the proliferation of social media access, each connecting in its own way with its own hashtags and special codes, happens without clear design and architecture. What are the fundamentals (the un-negotiables) of the payment system, or are we at a stage where anything goes?
It is no wonder that in a recent review of payment tools in the UK, customers believe that cash is the safest way to pay (Read here). We are creating a mess of the payment world if we cannot assure customers that their payment cannot be spoofed, attacked or phished. We can only do this if we keep the security simple, predictable and standardized.

1 comment:

Ben said...

Being a 'mobile purist', what you're overlooking is the holy quadruplet of the payment schemes. Also known as the 4 party model. Depending on the debit requesting party, 'the merchant', there is liability either on the merchant or the acquirer that covers the consumer in the event of a loss. This liability cover has and will continue to evolve in the face of mobile payments as it did with EMV, eCommerce etc.