Internet technology now allows bills or invoices to be
presented electronically and then paid at the presenting web site (whether this
is a bank’s site, merchant site or third-party site). In this brief article we
investigate whether this carries any significant risk from a payee/consumer or
merchant perspective.
Perhaps the very first test of potential “riskiness” when using any electronic
bill presentment and payment (or EBPP for short) web site is whether it is secure. The
vast majority of web page addresses, also known as URLs, typically begin with
"http". However, to pay bills online, the web page address should always
start with "https", which signifies a Secure Sockets Layer or SSL connection
(one in which data is fully encrypted in transit; current sites use SSL's
successor, TLS). This typically means that you can see a
padlock icon, usually in the top or bottom corner of the browser window (or in
some cases the URL address background may even turn green or light blue).
Clicking the padlock icon will often reveal the site's security certificate
(and allow you to read about the particular protection that this affords).
Now that a consumer knows that he or she is on a secure
site, the next step is to ensure that the login process is secure. A good site
will usually give a consumer two options: to pay instantly as a guest, or to
register on the site in order to use it again and save time on the next
occasion. For a guest, a web site will typically only ask
for an email address and then ask how the consumer would like to pay
from the options it makes available. This may mean entering debit or credit
card details, for example, after which the site should give the consumer the option to
confirm the transaction (and then, as a further security step, run the transaction
through 3D Secure, a process used by major credit card companies as an added XML-based
layer for online credit and debit card transactions). Visa calls this process “Verified
by Visa”, MasterCard calls it “MasterCard SecureCode”, JCB International calls it
“J/Secure” and American Express calls it “SafeKey”. Overall then, a
well-constructed site will offer a safe payment system for consumers (and there
are card and bank protections on fraud and low limits on consumer
liability in any case). Even so, consumers should also look for extra safety in
specific statements on any given EBPP site about PCI compliance (or payment
card industry standard adherence) and/or that credit/debit card data or numbers
will not be stored or saved in any way (and if they are, that they will be
fully encrypted and tokenised as a further protection against theft or fraud).
When a consumer registers (either before or after a bill has been
viewed and paid), a well-designed and safe web site will ask him or her to set
up a user name and password that he or she can remember and that identifies the
consumer every time he or she uses the site in the future. The site may also
ask for additional data such as email address, physical address, date of birth,
driving licence number or even passport number. In some cases, it may go yet
further and ask security questions to help validate a consumer’s identity in
the case of a future forgotten login ID or password. Although these may seem
personal and even intrusive, these steps are all designed to protect consumer
security and ensure that only one person is able to see the bills posted and to
effect payment of any kind. In other words, this process allows the web site
operator (financial institution or merchant) to know the customer (a process
they call KYC) and protect everyone’s security to the best of their ability.
In general, research suggests that consumers worry most
about using credit and debit cards on online sites of any kind. However, in the
world of bill payment (as opposed to online shopping, for example)
these risks are not as great. Even a person
with a stolen credit card number is highly unlikely to pay a bill for another
person (assuming he or she had the bill details to enter) and even if they did,
the risk would be with the merchant and not the consumer. So what about
merchant-side risk?
For a merchant, the greatest risk is chargebacks. This is
where the credit or debit card holder disputes the transaction anywhere up to 6
months after the transaction date.
Chargebacks can arise either because the card holder disputes that they
made the transaction at all (i.e. it was stolen or fraudulent), or because
they did not receive anything in return for the payment that was made. The second
reason for chargebacks in the bill pay space is very rare, but the first
reason, theft or fraud, is obviously quite common (with total estimated costs of
just under £1 billion in the UK in 2010).
This is why online bill-pay web sites need to take so much care to
ensure that card holders (who are not present as they are in a retail
transaction) are who they say they are.
Summary
In the final analysis, for those EBPP sites that have a clear
secure socket layer (SSL) for payment, clear statements about security of
information and sound compliance, and a well-structured registration process, consumers
face very low levels of risk (with a very low liability even when a rare
problem may arise in any case). The merchant, however, faces potentially much
more risk arising from both debit and credit card fraud (and therefore possible
chargebacks), but this risk can be mitigated with good consumer checking
processes that are made easy for every customer of the site to use.