Developing online payment systems that protect consumers
By Dr Jeremy Malcolm January 1, 2014
- Innovation in online payments offers new benefits and risks to consumers
- Governments and standards bodies are developing new guidelines for this space
Digital Consumers by Dr Jeremy Malcolm
THE online ecosystem has fostered enormous technological innovation, yet for the most part the payment systems that we rely upon to send money around the world are a curious anachronism.
For e-commerce transactions, most consumers and many merchants are well enough served by the 1970s-era Visa and MasterCard networks. But for person-to-person transfers, the options are fewer and more costly.
For those with bank accounts, the SWIFT banking network, also from the 1970s, can be used, but the price of transactions is so high, and the complexity of initiating them so great, that many find it unusable – as even the generic name of such transactions, ‘telegraphic transfers,’ suggests!
Those without bank accounts pay even more to use third-party money transfer services like Western Union.
This has been one factor in the rise of alternative online and mobile payment networks that aren't tied to legacy banking systems. For Internet users, the best known of these is still PayPal, which provides a simpler and much more economical alternative in many (but not all) countries, and there are a variety of smaller competitors with a narrower geographical scope.
In the mobile space, one of the early success stories was Kenya’s M-PESA network, since replicated in about a dozen other countries around the world.
The M-PESA system allows payments to be exchanged using simple SMS messaging, even from the simple feature phones that remain the most ubiquitous communications platform in Africa today.
Google Wallet offers a similar experience for smartphone users in the United States, but hands-free, using NFC (near-field communication) technology.
But even these innovations have a rather limited vision: PayPal and Google Wallet are still linked with legacy banking networks, and generally still require users to have a bank or credit account, which many consumers, especially from the developing world, don’t have.
Whilst M-PESA and its ilk don’t require that, they are still closed systems – access to the M-PESA network is only available through one mobile phone provider, and if you want to make a payment overseas, you are out of luck.
Work on online payment standards
In other areas, problems like this have long been solved through the use of open standards that allow multiple providers to compete with each other using a common set of interoperable service specifications.
This is why you don’t need two mobile phones if you have friends on two different mobile networks, or a variety of email programs to communicate with friends who use different service providers.
Standards generally mean more choice for consumers, and more choice means better service and lower prices.
Although the Internet was built on open standards, this paradigm is increasingly under challenge, with one example being the recent explosion of proprietary protocols for mobile messaging, such as the incompatible networks of WhatsApp, Viber, Line, Kakao Talk and WeChat, amongst others.
If the Internet is to have a common, interoperable system for payments, rather than being tied into legacy systems or proprietary networks, it should be standards-based like email, rather than proprietary like WhatsApp.
Taking on this challenge is the Web Payments Community Group at the W3C or World Wide Web Consortium. Manu Sporny, the chair of the current Web Payments work, predicts that it will be taken up as an official world standardisation work item by the W3C after the March Web Payments workshop in Paris.
The W3C is the same organisation that is largely responsible for standardising other parts of the Web's plumbing, such as the HTML and CSS languages that webpages are written in.
The Web Payments standards aim to make sending or receiving payments a simple operation that any website owner can implement.
It can be thought of as a standard language for expressing payment information – including details of the product or service being purchased, the currency and amount of the financial transaction, an authoritative receipt of the transaction, a way of identifying the parties to the transaction that helps you decide whether to trust them, and of course a secure infrastructure for all of this information to be communicated.
Importantly also, it won’t require you to use a single intermediary such as PayPal, or indeed a cartel of intermediaries such as the Visa or MasterCard networks. The standards would allow you to use any funding source, and any currency – including virtual or crypto-currencies such as Bitcoin.
This distinguishes the proposed standards from previous attempts at introducing new payments standards for the Web, such as a standard introduced as long ago as 1997 by the credit card companies themselves called SET (Security Electronic Transactions).
The SET standard would have been an improvement on current practices in a number of ways – for example, by masking transaction data from merchants – but since it was not a truly open standard it did not see wide adoption, and within a few years it had been completely abandoned.
Consumer issues in online payments
The W3C is not the only organisation dealing with standards for online and mobile payments. Also doing so, but from a completely different perspective, is the OECD or Organisation for Economic Cooperation and Development, which is about to release a new policy guidance document on this topic.
Whereas the W3C’s work is dedicated to the nuts and bolts of how standard online payments should work, the OECD’s work is higher level and more technologically neutral, though also somewhat more specific to e-commerce transactions rather than person-to-person transfers.
OECD standards on online and mobile payments are dedicated to ensuring that consumers are provided with easy-to-use, secure payment mechanisms and information on the level of security such mechanisms afford.
The OECD also recommends best practices such as limitations of liability for unauthorised or fraudulent use of payment systems, and chargeback mechanisms that can benefit consumers who enter into financial transactions online.
How do these standards mesh with new payment systems, such as those being developed by the W3C, that the OECD has not specifically considered?
In general, they seem to be complementary. For example, the OECD recommends that payment providers, businesses and other stakeholders:
Develop tools to help consumers detect and protect themselves against deceptive, misleading and fraudulent practices. This would include providing consumers with means to remotely freeze an account when unauthorised use is suspected; this would include the ability to disable their mobile phones and ‘apps’ which, when used, could result in payments being made.
These are the kinds of issues that the W3C group could tackle through standards. Indeed, they are partly already under development, such as a mechanism that would allow customers to publicly rate merchants at an Internet-wide scale, rather like the Amazon or eBay ratings systems, but scaled to the size of the Web.
This would allow both merchants and customers to rate each other publicly, which would hopefully lead to a better understanding of who you are dealing with before you enter into a financial transaction with them.
There are other aspects of online payments that the OECD recommends, but which are more difficult to standardise technically, and therefore may fall outside the scope of the W3C’s work, or even conflict with aspects of it.
For example, the OECD suggests:
- Payment providers should provide consumers with timely and effective redress mechanisms when their data is compromised and/or they suffer financial losses caused by security breaches.
- Low-cost, easy to use alternative dispute resolution and redress mechanisms should be developed which would facilitate resolving claims over payments involving low-value transactions.
- In some cases consumers should still be able to exercise a right of withdrawal from a transaction even after it has been concluded – as some national laws already require.
- Consumers should have some form of limitations on liability for fraudulent and unauthorised charges that pertain to all mobile and online payment mechanisms.
So far there is little sense of how this might be standardised technically in the W3C’s work. Indeed, for payment mechanisms that are not backed by legacy banking systems – such as Bitcoin – it is unclear even if such consumer protections are possible at all, given the lack of centralisation in the Bitcoin economy.
New payment technologies, old problems
This reveals another facet of a problem that exists throughout the sharing economy – that traditional consumer and labour protections that we take for granted in the old economy don’t necessarily exist – or even make sense – in the new peer-to-peer context, in which consumers and producers have merged.
But this difficulty should be taken not as a given, but as a challenge. Wherever possible, we should still endeavour to develop technical and process standards that allow new financial and other services to meet the expectations that consumers already have, rather than requiring them to roll those expectations back.
These should at least include the provision of adequate information about consumers’ rights, obligations and available redress mechanisms when they make payments.
Whilst these may vary based on the payment mechanism used, the device being used and the jurisdictions over which the transaction is conducted, this needn’t prevent consumers from being informed in a clear and concise way about what protections they do or don’t have.
In this way, consumer protection standards don’t need to rule out the use of innovative decentralised currency systems like Bitcoin.
There are, undeniably, considerable risks inherent in the use of such currencies, which regulators from the European Union, China and most recently India have not hesitated to point out (China following this up by banning local exchanges from dealing in the currency).
But as long as consumers are informed of these risks, they can make their own decision about whether to use Bitcoin in transactions, or to rely on more conventional currencies or payment services.
Moreover, much of the risk of Bitcoin is due to the volatility in its value, rather than to anything inherent in the currency that could prevent consumers who desire them from being offered ‘value added’ services that could make their transactions safer. These may include dispute resolution and chargeback services, provided for an appropriate fee by an appropriately regulated provider.
As the OECD notes, payment providers are often the only effective means that consumers have for obtaining redress, particularly in the case of cross-border transactions. So there is a real opportunity here for technologists, having invented a currency that is superior to traditional currencies in some ways, to improve its safety and value for consumers in other ways.
The W3C’s work on Web payments could be a framework for this work on standardising and automating mechanisms for financial consumer protection, not only for Bitcoin but for other currencies also.
And the OECD’s policy guidance can be used to set out the high-level consumer protection goals that digital currencies and payment networks should aspire to be able to provide, just like their traditional equivalents from the past.
Dr Jeremy Malcolm is an Internet and Open Source lawyer, consumer advocate and geek. He is also a senior policy officer at Consumers International and can be found on Twitter and LinkedIn.