Like me, you may have come across people who appear obsessed with security but happily book cabs, order food, and even make payments on their mobile phones without entering a single password / PIN.
This is not as contradictory as it seems if you look at the end-to-end customer journey.
It just means that people value security when they're in the awareness or TOFU (top of funnel) stage, but want convenience once they reach the repeat purchase or BOFU (bottom of funnel) stage.
For the uninitiated, Customer Journey can be defined as the path taken by customers while interacting with a company / brand. A customer journey traverses multiple stages in a customer’s relationship with a brand viz. awareness, interest, desire, action, repeat purchase and advocacy.
In plain English, the above observation means that people will switch from cash to a digital payment product only if they're convinced it's secure but also that, having started using the product, they'll use it regularly only if it's easy to use.
In payments (and in many other products and services), studies have shown that consumers have different considerations at different stages of their purchase journey and that all considerations are not created equal.
Many payment service providers (PSP) don't get this cardinal trait of consumer behavior and solve only for the TOFU driver, namely, security. Not surprisingly, they struggle to gain mainstream adoption.
Take, for example, two-factor authentication (2FA). When the Reserve Bank of India mandated 2FA for all online payments in India, it presumably thought "people want security, 2FA provides security, ergo people will flock to online payments".
What happened was exactly the opposite. Although the central bank-cum-banking regulator's move was well-intentioned, 2FA caused tremendous friction and resulted in an alarmingly high rate of failed payments for reasons explained in the following exhibit.
People like me who were paying for online shopping with credit cards for years switched to cash on delivery (COD). Many others never tried online payments for online shopping. COD still rules ecommerce in India with a 60% share.
When there was a cash crunch in the wake of the de/remonetization of high value currency notes in India in November 2016, people didn't switch from COD to digital payments – they simply stopped shopping online because they didn’t have enough cash to pay on delivery.
PSPs that have required explicit 2FA for each and every payment – “according to RBI mandate” – have flopped. On the other hand, fintechs like PayTM provided a clever way to circumvent 2FA – or at least make it implicit – and became unicorns and household names in the process.
Let's look at another market: USA. While many security technologies were invented in the USA, not many of them have been implemented there. Let's take 2FA and EMV as examples:
(https://twitter.com/s_ketharaman/status/795966887565938688)
The sky hasn't fallen.
Sure, there have been a number of data breaches in the US, e.g. Experian and Target. But they have all happened on the server side. And it looks like the country is fighting back with overwhelming force. According to the New York Times, banks and card networks are adopting military-style tactics to fight cybercrime. If you're an optimist, these measures will convince you that Wall Street would be immune to such breaches. If you're a skeptic, the fact is that these breaches can't be prevented, no matter how many additional security-enhancing steps are put on the consumer side.
The situation in Europe is a bit ambivalent. According to an article entitled "EU Online-Security Plan Is Criticized" in the Wall Street Journal, "business groups are slamming a European Union proposal that would require customers to enter extra security information for online purchases. Credit-card companies and e-commerce associations worry that if online purchases become too cumbersome customers will abandon them." WSJ goes on to add that consumer advocates, on the other hand, say "there is no trade-off between antifraud protections and promoting e-commerce".
---
Security always wins when it comes to intent. Convenience always wins when it comes to action.
While PSPs must make all the right noises about security, it’s futile to anchor a digital payment product around security - an average user won't be able to jump through all the hoops required to make an app totally secure (no matter what s/he says before using the app).
I'm glad regulators and PSPs have learned this lesson. To paraphrase a famous quote from Steve Jobs, they've started taking the trouble to figure out what really appeals to customers instead of lazily giving consumers what they say they want. I also suspect they've been nudged in this direction after witnessing the runaway success enjoyed by products that have treated security more as a go-to-market message than a core product feature.
(https://twitter.com/s_ketharaman/status/965564220552171521)
Here are a few results of the change in approach:
(https://twitter.com/s_ketharaman/status/791618231169679360)
I'm sure these UX-enhancing features will give a big boost to digital payments in the times to come. I'm also optimistic that they won't cause an alarming increase in fraud. (Go #CashlessIndia!)
Some people have proposed Intelligent Friction as a tradeoff between security and convenience.
3D Secure v2 is one way to implement intelligent friction. Stripe, which had earlier panned 3DS v1, has a favorable opinion of 3DS v2.
3D Secure v2 (Image courtesy: STRIPE)
But, if I were a merchant or a bank - or even a payor or PSP - I'd be cautious about anything that has the word "friction" in its name. The extra step(s) required to implement intelligent friction will inevitably delay the affected payments. Some of those payments may even fail if the extra moving part (e.g. mobile OTP) introduced in the "challenge path" is not reliable.
While consumers may keep retrying a delayed or failed payment on that one occasion, the anxiety and inconsistent user experience they go through will not only threaten conversion rates on that occasion but turn people off that mode of payment on future occasions - if not, gasp, drive them back to cash and cheques.
Buying and selling happens only when payments are successful. Business is lost when payments fail.
Convenience trumps security.
Winners know this and never let security screw up UX.
DISCLAIMER: If you've come this far, it should be obvious that this post is largely restricted to consumer-facing digital payment apps meant to be used by the average man on the street. By no means should security play second fiddle in the case of server-side applications and databases that store sensitive user and payments data and must be managed by trained professionals in such a way that they're fully secured from internal and external threats.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.