
Monday 24 February 2014

Is it "Safe" to View and Pay Bills online?


Internet technology now allows bills or invoices to be presented electronically and then paid at the presenting web site (whether this is a bank’s site, a merchant's site or a third-party site). In this brief article we investigate whether this carries any significant risk from a payee/consumer or merchant perspective.

 
Perhaps the very first test of potential “riskiness” when using any electronic bill presentment and payment (or EBPP for short) web site is whether it is secure. The vast majority of web page addresses, also known as URLs, typically begin with "http". However, to pay bills online, the web page address should always start with "https", which signifies a Secure Sockets Layer (SSL) connection, one in which data is encrypted in transit between the browser and the site. This typically means that you can see a padlock icon, usually in the top or bottom corner of the browser window (in some cases the browser may even turn the URL address background green or light blue). Clicking the padlock icon will often reveal the site's security certificate (and allow you to read about the particular protection that this affords).

 
Now that a consumer knows that he or she is on a secure site, the next step is to ensure that the login process is secure. A good site will usually give a consumer two options: to pay instantly as a guest, or to register on the site in order to use it again and save time on the next occasion. For a guest, a web site will typically ask only for an email address and then ask the consumer how he or she would like to pay from the options it makes available. This may mean entering debit or credit card details, for example, after which the site should give the consumer the option to confirm the transaction and then, as a further security step, run the transaction through 3-D Secure, an XML-based protocol used by the major card companies as an added security layer for online credit and debit card transactions. Visa calls this process “Verified by Visa”, MasterCard calls it “MasterCard SecureCode”, JCB International calls it “J/Secure” and American Express calls it “SafeKey”. Overall then, a well-constructed site will offer a safe payment system for consumers (and there are card and bank protections on fraud and low limitations on consumer liability in any case). Even so, consumers should also look for extra safety in specific statements on any given EBPP site about PCI compliance (or payment card industry standard adherence) and/or that credit/debit card data or numbers will not be stored or saved in any way (and if they are, that they will be fully encrypted and tokenised as a further protection against theft or fraud).

 
When registering (either before or after a bill has been viewed and paid), a well-designed and safe web site will ask a consumer to set up a user name and password that he or she can remember and that identifies the consumer every time he or she uses the site in the future. The site may also ask for additional data such as email address, physical address, date of birth, driving license number or even passport number. In some cases, it may go yet further and ask security questions to help validate a consumer’s identity in the case of a future forgotten login ID or password. Although these may seem personal and even intrusive, these steps are all designed to protect consumer security and ensure that only one person is able to see the bills posted and to effect payment of any kind. In other words, this process allows the web site operator (financial institution or merchant) to know the customer (a process they call KYC) and protect everyone’s security to the best of their ability.

 
In general, research suggests that consumers worry most about using credit and debit cards on online sites of any kind. However, in the world of bill payment (as opposed to online shopping, for example) these risks are not as great. Even a person with a stolen credit card number is highly unlikely to pay a bill for another person (assuming he or she had the bill details to enter), and even if they did, the risk would be with the merchant and not the consumer. So what about merchant-side risk?

 
For a merchant, the greatest risk is chargebacks. A chargeback occurs when the credit or debit card holder disputes the transaction anywhere up to 6 months after the transaction date. Chargebacks can arise either because the card holder disputes that they made the transaction at all (i.e. it was stolen or fraudulent), or because they did not receive anything in return for the payment that was made. The second reason for chargebacks in the bill pay space is very rare, but the first reason (theft or fraud) is obviously quite common (with total estimated costs of just under £1 billion in the UK in 2010). This is why online bill-pay web sites need to take so much care to ensure that card holders (who are not present as they are in a retail transaction) are who they say they are.

Summary

In the final analysis, for those EBPP sites that have a clear Secure Sockets Layer (SSL) payment connection, clear statements about security of information, sound compliance and a well-structured registration process, consumers face very low levels of risk (with very low liability even when a rare problem does arise). The merchant, however, faces potentially much more risk arising from both debit and credit card fraud (and therefore possible chargebacks), but this risk can be mitigated with good consumer checking processes that are made easy for every customer of the site to use.

Monday 3 February 2014

Are emailed invoices just as good as digital ones?

Most people now believe that electronic invoicing offers significant advantages over paper-based processes (saving direct costs like printing an invoice, stamping an envelope and sending it in the mail, and saving indirect costs such as lost invoices, late and missing checks in the mail and often much more difficult reconciliation). However, there is not always agreement on what the term “electronic invoicing” actually means, and in this brief article we will look at two very different kinds of e-invoicing: emailed invoices and digital invoices. These are often perceived to be similar and/or equivalent methods but, as we will see, they are actually quite different.

Emailed invoices

Sending an invoice via email is usually done these days by attaching the invoice as an Adobe PDF document. This allows the invoice to be sent cheaply and quickly to the recipient, who can use a free product (Adobe Acrobat Reader) to open and view it. The simple idea here is that once the customer has reviewed the document (and even saved it to his or her hard drive) he or she can then pay it. In theory (especially in Business to Consumer or B2C markets) the invoice is not only sent out quickly (and at much lower cost than traditional invoicing methods), but the customer can also send back a check or phone in a credit card payment within hours or just a few days (and well ahead of the latest date he or she could technically pay), thereby helping to accelerate merchant cash-flow. Unfortunately, although this works in some situations, the process is rarely this smooth and a number of problems can occur.

Firstly, the merchant needs to have a customer’s email address to be able to send a PDF. Secondly, the PDF is still a flat document which most customers will not only have to open, but will often print and put in a pile to deal with later, when they are ready (just like receiving the paper-based invoice in the mail). This means that the customer may wait as long as they did before to pay the invoice (assuming they do not lose their printed piece of paper in the meantime, having deleted their original email). In addition to all of this, an emailed PDF does not encourage the customer to pay by electronic means any more than an invoice arriving in the mail does. Research suggests that customers often like to have the option to pay online by debit or credit card, for example, yet with an emailed PDF they can often only pay by card by calling the merchant (which takes time and effort, and is only possible within the business hours operated by the call-center). Finally, in Business to Business (or B2B) invoicing, the emailed PDF presents a whole new layer of challenges, as these invoices often require a digital signature. PDF technology is now much better at allowing digital signatures to be securely added to invoices when they are sent in the mail. However, the process is by no means simple and presents many logistical issues, particularly when multiple approval signatures are required.

Digital invoices

A digital invoice is available at a web site. Sometimes this is embedded in part of a merchant’s web site, or it is “hosted” on a third-party web site (to which customers can go directly or can be redirected from a link on a merchant’s web site). In most cases, the digital invoice rendering process is even quicker than for emailed invoices, as there is no need to generate a PDF and attach it to an email. In addition, although a customer may be notified via email that a new invoice is available, it is not necessary to have an email address (as the customer can be notified about the web address by normal physical mail and then subscribe to the web site service to be later notified by either email or even their mobile phone via SMS). In practice this means that digital invoices will often collect or “scrape” new email addresses from customers progressively.

Perhaps most importantly, a digital invoice is viewed in a truly online way and does not require printing (as it can be easily stored and retrieved permanently or resent by a merchant at almost no extra cost). This means that not only can the customer view the invoice (in as much detail as they wish) but they can use many online features either to deal with the invoice (save it, schedule it for later payment or send it on for viewing or approval to another person) or simply to pay it immediately. And if they do choose to pay it immediately, they typically get to do so via their debit card if they want to use their current bank account, or by a variety of credit card options (and in some cases even by cash, by printing out a voucher and taking it to a local newsagent or local store that takes cash payments). This is therefore much more likely to accelerate merchant cash-flow than in the emailed invoice situation, and means that the payment is much easier to reconcile (as fewer difficult-to-reconcile checks or phone-based payments are being made). Finally, the invoice recipient (whether B2C or B2B) can elect to pay a bill 24/7, as the bill presentment and payment web site is truly “open-all-hours”.

Conclusion

Emailed invoices are superior to traditional invoices sent in the mail. However, they fall far short of full digital invoices, which offer many additional benefits (which translate into much greater time and cost saving for the merchant). These two approaches are therefore far from equivalent and a merchant can realize considerable advantages by upgrading from an emailed invoice to a full digital one.