IPGs and us - An Insider view on Internet Payments

This blog post is a kind of a walk down the memory lane for me starting from the early days of e-Commerce – think SET protocol to the evolutionary ratification of SSL to be used as the de-facto standard for checkout and payments on shopping websites – circa 1998 when I was at VeriFone (right when it was acquired by HP) to the convergence of the virtual and physical worlds for shopping and e-payments today where I am a battle hardened veteran and former entrepreneur – lost more times than I won but then let’s put that down to experience.

I will touch upon some topics lightly to give a holistic world view on the ecosystem – but will follow up with blogs that contain sufficient detail and rough blueprints on some areas where best practices are often ignored.

Let’s hark back to 1996 - The SET protocol is derived out of the working group SETCo – an initiative of Visa, MC, GTE, VeriFone, VeriSign, IBM, Netscape etc. and was highly publicized as the framework to secure internet transactions. One of the early implementations of a fully functional and certified IPG (vGATE) with merchant (vPOS) and consumer (vWallet) was delivered by VeriFone who betted heavily on SET. The protocol itself was extremely secure offering great levels of non-repudiation (repudiation being the bane of chargebacks) through the use of one time symmetric encryption key (similar to what EMV does today) and , segregation of order and payment data. However, this came with a lot of overheads that required significant computations towards encryption and decryption and resulted in slow transaction response times as well. As a result, despite an initial global push and several large banks across the planet signing up for this, consumer experience and adoption proved to be challenging resulting in the SSL protocol gaining prominence for e-Commerce transactions.

The SSL protocol was ratified / stabilized to secure the communication between the cardholder and the merchant as well as between the merchant website (shopping card / checkout to payment page with redirection) and the payment gateway. Communication between the IPG and Switches continued to be internally secured by banks and processors. For the record VeriFone (with Clear Commerce), IBM and others changed course to leverage SSL on their existing payment gateway installations and go after new business. Some of these continue to be used today with necessary rewrites and improvements and I know of a bank or two who have done this better than any vendor out there.

Going with SSL simplified the experience but enhanced the problem of repudiation leading to huge chargeback losses in the late 90s and early 00s. The problem of repudiation remained unresolved for a period of time as Internet Fraud increased due to skimming of cards (CVV2 can be memorized even as the cards are skimmed). It was only when Visa came up with 3-D Secure (offered as Verified by Visa and Master Card Secure Code by MC).

3D Secure stands for “Three Domain Secure” – the domains being the acquiring bank, the issuing bank and the infrastructure that supports the 3D-secure protocol.

3DS is not the silver bullet against fraud and customer repudiation – far from it. However, it is a deterrent to the “small fry” fraudster and requires certain level of know how to break 3DS (not that I am relieved by this – most hackers are plenty smart eh!!). The only saving grace seems to the liability shift that it offers Acquirers by making the Issuers liable for any fraud losses on e-Commerce merchants which use 3DS.

However, since it is mandated in certain countries, 3DS is quite prevalent – never mind that the experience if bad and entire sets of use cases around automated subscription / recurring payments have to be shelved. Additionally, I have seen significant number of transactions which were 3DS “pass” but actually were caught by fraud management / detection systems – unfortunately in most cases after the Authorization had occurred and goods delivered (bigger problem in the digital download space).

OTPs and other challenge/response systems were trialed out but no clear winner emerged and some of these are now road kills despite good innovation and a genuine interest to solve a “real” problem.

However, it is not all gloom and doom. While the regulatory agencies and card associations have not addressed the usability issues, Fraud systems have started taking advantage of geo location and other behavioral parameters to flag transactions that were hither to going un-noticed until the chargebacks arrived.  

It is my earnest hope that there will be a point in time where companies and processors doing this well would be able to go to the regulators (especially) with sufficient data to prove that the additional factor of authentication provided by 3DS does not compensate for the awful user experience whereas strong risk and fraud controls would alleviate the dangers of eliminating the additional authentication. This is one approach. The other approach that is also being extensively explored is to use some other form of authentication to meet the 2FA requirement where the second factor would be malleable enough to slide into the payment experience without significant friction.

Finally, a convergence in the online and brick & mortar worlds to compete relatively equally for a share of the customers’ money (or wallet) is well and truly underway.  Here, leveraging the proliferation of mobiles to allow such devices (especially smart phones) in conjunction with a card reader (magnetic stripe and / or chip) to become part of the payments eco-system specially for use cases where non-classic / seasonal / low ticket size or otherwise “un-worthy (per the typical bank merchant processing departments)” merchants can now accept cards. Companies such as Square and the clones offer devices that plug into the audio jacks of mobile phones to make them card acceptance devices or m-POS (mobile point of sales) devices. Such solutions also offer e-Commerce companies the ability to receive payments via cards at the time of delivery rather than cash.

Significant challenges and opportunities exist in the payment space for innovators to create solutions that would allow greater adoption of electronic payments for goods and services, cash back and withdrawals which in turn reduce the use of paper currency in transactions which is also the need of the hour given the cost of cash management and rising inflation these days.

Let there be collaboration towards solving this very real problem moving forward to lend greater voice to innovators in their conversations with the regulators – who should continue to remain fair and unbiased towards a particular technology or approach.

Note: All product and company names herein are trademarks of their respective owners