I was paying my cell phone bill on the carrier’s website because I was lazy and waited until the last minute- in the process it occured to me, why do I have to fill out all of this credit card information again?  The short answer for this particular site was that I had recently moved and not updated my information with them, but in broader terms, why do I have to do that for every freaking website?  Why are companies so quick to want to handle payment information themselves?  The transaction charges may be a bit cheaper per transaction, but I cannot in any way imagine that dealing with the PCI DSS every year really makes the net process noticeably cheaper, at least if they are honest in their approach to the process.

At some point in the distant past I was paranoid about who I gave my card to, and was horribly discerning.  This site looks sketchy, or this site has a retarded security seal so is obviously not secure, or whatever, so they don’t get my business.  Despite this paranoia, I have had my card information stolen and used (or at least attempted to be used) three times.  In two of the instances my scary good at profiling my behavior fraud protection kicked in and charges never even posted to my account (there is something truly to be paranoid about- whatever profiling algorithms they use, they are horribly accurate about knowing your behavior), the third a handful of small charges hit my account in $20-$40 increments.  The thief was using the card information sparringly to sign up for membership websites, I believe, in order to steal contact lists to use for spam.  I reported the charges to my bank and they went away.  At some point I realized that it was impossible for me to control my card data, it was just as possible for a waiter to skim the information when they took my card as it was for someone to compromise a website and take it.  I can’t feasibly protect that asset, and banks know that, which is why consumers essentially have zero liability.  At the end of the day the banks want me to spend with the card, so they will do what the need to, accept some risk, in order to keep me spending.  I don’t worry about financial loss when my card gets stolen, I worry about the inconvinience in not having it for 10 days as my bank issues me a new one.

Which comes back to the point with my cell phone carrier- it was inconvinient for me to change my information on their site, and amazon, and netflix, and threadless, and thinkgeek, etc.  I would rather they simply all allowed PayPal as that way I only have to change my information once.  Moreover, I am more confident that one site that specializes in payment transactions will be able to save me the inconvinience of having a new card issued because they leaked the information than I am that a whole host of sites that accept payment as a small subset of their business.  In general I am not a fan of single sign on, but that is because it allows one point of failure to compromise multiple assets. With payment it is different, as it allows multiple points of failure to compromise a single asset unless you centralize it.

Using a centralized payment service isn’t just about saving me inconvinience though.  To tie back into the first paragraph, handling payment yourself is a pain in the ass.  Complying with PCI is non-trivial, and even if you think you are doing everything right, a QSA checking over your system may not agree.  On top of that, PCI is absolutely no guarantee that you are actually protecting card information, simply that you are in compliance, as Heartland (PCI gold member for the win) demonstrated.  You still have liability if you do have a breach of payment information.  With PayPal a third party is handling all of that headache- they are responsible for conforming to PCI, you have no payment information to leak, and the customer doesn’t have as much headache managing payment information.

There are drawbacks.  There is a danger of one or a few handful of payment systems like PayPal essentially becoming a payment monopoly (or duopoly) if everyone switched to centralized payment, which would effect prices.  The per transaction cost is higher, and a new login is introduced into the process flow on the website.  It also doesn’t work well for companies that may not know the exact charge up front, for example FedEx which gives you an estimated shipping cost but won’t apply the real cost until they actually weigh the package in their facility, and apply initial and revised charges to a card.  Finally, for those subscription based services, PayPal makes it really easy to centrally manage, which means they make it really easy to cancel.  Especially in this economy I doubt companies with reoccurring charges really want consumers to be able to look at all of their reoccurring charges in one place- they might realize where all of their money is going.

Still, I think being able to transfer the risk to someone else is a pretty compelling argument.

~ Joshbw