
Wednesday 21 December 2011

Is it "Safe" to View and Pay Bills online?

Internet technology now allows bills or invoices to be presented electronically and then paid at the presenting web site (whether this is a bank’s site, a merchant site or a third-party site). In this brief article we investigate whether this carries any significant risk from a payee/consumer or merchant perspective.

Perhaps the very first test of potential “riskiness” when using any electronic presentment and payment (or EBPP for short) web site is whether it is secure. The vast majority of web page addresses, also known as URLs, typically begin with "http." However, to pay bills online, the web page address should always start with "https," which signifies a Secure Sockets Layer or SSL connection (or one in which data is fully encrypted). This typically means that you can see a padlock icon, usually in the top or bottom corner of the browser window (or in some cases the browser may even turn the URL address background green or light blue). Clicking the padlock icon will often reveal the site's security certificate (and allow you to read about the particular protection that this affords).

Now that a consumer knows that he or she is on a secure site, the next step is to ensure that the login process is secure. A good site will usually give a consumer two options: to pay instantly as a guest, or to register on the site so as to save time on the next occasion the consumer uses it. For a guest, a web site will typically only ask for an email address and then ask the consumer how he or she would like to pay from the options it makes available. This may mean entering debit or credit card details, for example, after which the site should give the consumer the option to confirm the transaction (and then, as a further security step, run the transaction through 3D Secure, a process used by major credit card companies as an added XML layer for online credit and debit card transactions). Visa call this process “Verified by Visa”, MasterCard call it “MasterCard SecureCode”, JCB International call it “J/Secure” and American Express call it “SafeKey”. Overall then, a well-constructed site will offer a safe payment system for consumers (and there are card and bank protections on fraud and low limitations on consumer liability in any case). Even so, consumers should also look for extra safety in specific statements on any given EBPP site about PCI compliance (or payment card industry standard adherence) and/or that credit/debit card data or numbers will not be stored or saved in any way (and if they are, that they will be fully encrypted and tokenised as a further protection against theft or fraud).

When registering (either before or after a bill has been viewed and paid), a well-designed and safe web site will ask a consumer to set up a user name and password that he or she can remember and that identifies the consumer every time he or she uses the site in the future. The site may also ask for additional data such as email address, physical address, date of birth, driving license number or even passport number. In some cases, it may go yet further and ask security questions to help validate a consumer’s identity in the case of a future forgotten login ID or password. Although these may seem personal and even intrusive, these steps are all designed to protect consumer security and ensure that only one person is able to see the bills posted and to effect payment of any kind. In other words, this process allows the web site operator (financial institution or merchant) to know the customer (a process they call KYC) and protect everyone’s security to the best of their ability.

In general, research suggests that consumers worry most about using credit and debit cards on online sites of any kind. However, in the world of bill payment (as opposed to online shopping for example) these risks are not as great. Even a person with a stolen credit card number is highly unlikely to pay a bill for another person (assuming he or she had the bill details to enter) and even if they did, the risk would be with the merchant and not the consumer. So what about merchant side risk?

For a merchant, the greatest risk is charge-backs. This is where the credit or debit card holder disputes the transaction anywhere up to 6 months after the transaction date. Charge-backs can arise either because the card holder disputes that they made the transaction at all (i.e. the card was stolen or the transaction was fraudulent), or because they did not receive anything in return for the payment that was made. The second reason for charge-backs in the bill pay space is very rare, but the first reason, theft or fraud, is obviously quite common (with total estimated costs of just under £1 billion in the UK in 2010). This is why online bill pay web sites need to take so much care to ensure that card holders (who are not present as they are in a retail transaction) are who they say they are.

Summary
In the final analysis, for those EBPP sites that have a clear secure socket payment layer (SSL), clear statements about security of information, sound compliance and a well-structured registration process, consumers face very low levels of risk (with very low liability even when a rare problem does arise). The merchant, however, faces potentially much more risk arising from both debit and credit card fraud (and therefore possible charge-backs), but this risk can be mitigated with good consumer checking processes that are made easy for every customer of the site to use.
