Electronic Payments: is it about Trust or Risk? by Rob Stringer @ ROAM Data

As a consumer would you give your credit card to any of these vendors?

a) Your waiter at an al fresco table at a cafe in a city you are visiting.

b) A person selling “Guchi” sunglasses on a sidewalk in New York for $5 each

c) Someone selling their art at a local arts and crafts fair

Now imagine you were the bank, issuing loans to these people to finance
their business (think: Jim Carey in “Yes Man”). Would you give them your
Credit?

The current model of electronic payments is contingent upon two very basic
concepts. Trust and Risk. The consumer has to trust that the merchant
won’t steal their information, the merchant has to trust (contractually)
that the card issuer (VISA, MasterCard, or Amex) will pay them the
amount they enter into the credit card machine and the Merchant Account
provider has to weigh the risk of default or fraud against the possible
profits a merchant can bring in when allowing the merchant to accept
credit. Without all of these being true, the friction of commerce would
be huge and we’d be stuck in a cash-based economy.

It has been said that card transactions are inherently a “trust based
exercise.” Do you trust the person you’re handing the card to to not
write down the numbers, or that the ATM machine that looks dodgy hasn’t
been tampered with? Everyone in the stream; the consumer, the
merchant, the merchant account provider, the hardware manufacturer and
the issuing bank and credit card company all have a vested interest in
building this trust in the consumer. Consumers want to buy things
easier, and plastic, or more specifically electronic payment, is easier
than cash. The merchant gets potentially more and higher ticket sales.
The electronic payment providers (MSPs, hardware, etc..) all get a
piece of the transaction in one way or another. As a society, the
faster money can flow, the stronger the economy.

Card issuers have helped money flow by offering credit to individuals at a
rate that is variable based on on the individuals credit rating – the
likelihood they are “good” for the loan. In addition, the card
companies have set up an infrastructure that allows not only for
authorizaiton (checking that there is enough funds in the account) but
settlement as well (actually moving the money). Through this system,
they transfer that “trust” factor for the merchant from the consumer to
themselves. The merchant doesn’t have to trust that the consumer can
pay their credit card bill, they only have to trust that the card
issuing bank has the money.

All of this trust comes at a cost. We do not live in a utopian society
where we can all trust each other and be happy. Someone has to take a
risk that there isn’t a “bad apple” that will try and take advantage of
the situation. Risk = Reward. Whomever takes that risk should be
compensated based on the amount of risk.    This is the basis for all
insurance deals. You pay a little every day IN CASE something goes
horribly wrong. IF something does go wrong, you only have to pay your
deductable. The insurance company pays the rest.   In electronic
payments, who is paying that role? What happens if someone’s infomation
does get stolen and misused?   is it the consumer who has to pay, or is
it someone else? The consumer can trust that even IF their information
is stolen, Visa or MasterCard or American Express will refund their
purchases since they, obviously, were not at that big box department
store in Guadaloupe buying $3,000 worth of electronics. But is that the
end of it? Not at all.   Once the card issuer has made the refund to
the consumer, they are looking to recoup that loss from others in the
ecosystem.

Now just say that were to happen. Who gets burned? Let’s rate it from 1 to 10.

Does the consumer? Most likely they will have to spend a few hours on the
phone with a representative from their credit card company, assuring
them that this was not their purchase, and no to dock them OR their
credit rating. Score 2.
Does the merchant? The retailer in Guadaloupe would have to eat the charge
back for not checking the card holder’s identification closely enough.
Score 5.
The merchant that was traced to the root of the security breach could face
up to a $100,000 fine, which is big enough to crush most small
businesses. If the breach happened at a merchant that has met all
security protocols given by the issuer (PCI compliance) then the
merchant can defend themselves against the fines. I’d say that’s a 10.
What about the issuer? Anything that hinders the use of a Visa or
MasterCard is a burn to them. One $3,000 loss won’t break the bank, but
if it was systemic, that is another issue altogether. Score 3.

Consumers trust well known brand names like Visa and MasterCard, and when a
merchant has a “We accept Visa” sticker or a “MasterCard accepted”
tabletop, the trust and security in that brand rubs off on the merchant.
There is an implication that the card holder can use their card with
impunity without having to worry about fraud, since there is an implicit
assumption that the large company like Visa and MC has done their due
diligence on this merchant. As a marketer I get it. Put a picture of a
lock on an e-commerce website and people thin-slice it as more secure.
But that is not always the case. It’s pretty easy to copy and paste
images these days.

Now let’s go back to the four use cases above.

Suppose, just suppose, that the person in each case is untrustworthy. That the
waiter is about to leave her job and wants to get back at her employer
so she has her phone with a skimmer app on it in her apron, she swipes your card
when she goes to the register to ring up your dinner check, taking
your card info and then uses it to pay for her ticket to France. That
the guy selling the fake Gucci sunglasses is actually just a front for a
card skimming ring. He has an iPhone app that looks like a reputable
company you’ve seen before, but that is really his own app that isn’t
connected to anything, it’s just stealing your credit card info. Oh, he
plays an artist too on the weekends traveling to craft fairs with
someone else’s art to skim cards there too. Did that art seem too good
for the price?

It all comes down to trust and risk, and once burned, how likely are you
to go back and trust again how much risk are you willing to take? For
most consumers, there is enough choice in the marketplace that if you
get burned by one retailer (I’m thinking TJMaxx here) you can almost
always go somewhere else that you still trust and get the same or a
similar product. For merchants looking to accept electronic payments
it’s different.

Everyone in the industry has the responsibility to make their payments as secure
as possible, to reduce the risk of having that trust compromised.
Mobile Commerce is the next “big thing,” and companies that offer a
mobile card acceptance service that can be relatively easily compromised
are a risk that the industry as a whole has to weigh the benefits
(profits) against. Are the risks to customer confidence worth the basis
points you get per transaction? ROAM does not think so.