Finally, credit cards done right... maybe
For the longest time, I've been mystified at the way in which we as an information-based society conduct online transactions.
Here's how it goes right now:
- Customer sends secret information (card number and maybe CVV2) to vendor.
- Vendor promises not to disclose information to anyone but the bank.
- Vendor accidentally or deliberately discloses secret information to thieves.
- Thieves run up huge credit card bills with other vendors (call them "suckers").
- Customer reports unapproved use of credit card.
- Bank takes money out of sucker vendors' accounts in the amount of the theft plus a fine. Oh, and charges a percentage of the transaction cost in both directions.
- Rinse, lather, repeat.
Obviously, those vendors that are accepting credit cards are complete suckers, because they get fined for accepting credit card numbers from the thieves, when of course the bank has provided them with no means of confirming the identity of the person placing the order.
It's really obvious that the way this should proceed in an Internet-connected society is as follows:
- Customer identifies herself to the bank (through secret information or public key infrastructure, doesn't much matter, because there are only two parties concerned - bank and customer)
- Customer tells bank what vendor they want to pay, and how much.
- Bank provides customer with a difficult-to-forge, non-repeatable, time-sensitive code tied to this one purchase.
- Customer sends code to vendor.
- Vendor can post code on billboards, for all anyone cares, because that code is only usable by that vendor, for this transaction, for this amount, over the next couple of days (hey, vendors are slow to cash credit card transactions).
- Vendor sends code to bank.
- Bank pays vendor from customer's account.
- Vendor can post code on billboards, for all anyone cares, because that code is now not usable by any vendor, for any transaction.
Obviously, there's still opportunity for fraud - if the customer or the bank share their shared secret with someone else. But then, that's two parties who have engaged in a contract to trust one another for monetary exchange, and who have adequate reason to keep that information secret - plus, if the secret is exposed, there's already an approved method to re-assign new secrets.
Sadly, there's no incentive for the system to change this way - neither the customer nor the banks have any incentive to change, because they don't lost money when credit cards are used fraudulently - it's only the sucker vendor who loses money, and the sucker vendor has to accept credit cards, because there's no other way to take money over the Internet.
All that is about to change, I hope.
PayPal, a division of eBay, is one of the biggest sucker vendors there can be. Clearly, they've gotten tired of having to pay the fees, fines, and cost of lost goods, when credit cards are fraudulently used. Because they've finally come up with the right way to do things!
Okay, so it's not quite as I outlined, because of course PayPal decided to do it in such a way that a vendor doesn't even have to know that they're dealing with PayPal's new scheme - the secret code is exactly a MasterCard number.
Apart from this significant problem - that vendors still have no way to ensure that they are dealing with a more secure payment means, and therefore can't offer faster service, less chance of fraud checking triggering an alert, etc - this is a good scheme, and I want to see it proceed to fruition.
It'll be even better if someone at PayPal wises up to the idea of providing a simple means to check that the MasterCard number provided is from the secured payment program (PayPal calls it "Virtual Debit Card" or "VDC" for the present).
This scheme, or something similar, has been operated previously by other banks and in other countries, but the fact that PayPal, a large provider, is going to adopt it means that we should be on the road to a more secure future, where vendors aren't dunned by banks and thieves alike for credit card fraud that is beyond the vendors' control.