Online card payments still suck (opens in new tab)

(fynbos.app)

75 points_vvhw3y ago114 comments

114 comments

We Indians take it for granted, but UPI[1] is a brilliant system. We make payments for something as small as ₹1 if needed. Transaction of ₹10[2] for a cup of tea is a very regular and ordinary happening.

1. https://en.wikipedia.org/wiki/Unified_Payments_Interface

2. ₹10 is roughly $0.12 (as of today).

smeeth3y ago

UPI has apparently inspired a similar system in the US called FedNow [0] which will launch in 2023.

[0] https://www.frbservices.org/financial-services/fednow/about....

searchableguy3y ago

It is great but require private defaults.

Cred recently added support for adding alias instead of real name. Many UPI apps also associate your phone number automatically to your UPI ID so you are handing out your phone number whenever you pay.

Brajeshwar3y ago

I've actually thought of this and have recently started going back to cash, and actual cards.

piva003y ago

Brazil introduced a very similar system with Pix [1] in 2020.

Sweden has Swish [2] since 2012 which is more limited in scope than UPI and very similar to Pix.

It makes life very easy, I do have some reservations on privacy with this kind of centralisation of financial transaction though.

[1] https://en.wikipedia.org/wiki/Pix_(payment_system)

[2] https://en.wikipedia.org/wiki/Swish_(payment)

rwmj3y ago

Tricky to buy a cup of tea online though. Is this like WeChat, one of the ubiquitous person-to-person payment systems used in China?

zinekeller3y ago

Not Indian, but unlike WeChat (and AliPay), UPI is a government-sponsored interconnect so every bank can implement it. I'm not sure of the privacy implications though.

mcv3y ago

I'm still disappointed every time I try to order something at a webshop and they don't support iDeal[0]. That's how online payment should work. Of course it's only a Dutch system, so it's not going to be supported by all international webshops (although Steam does), but if anyone has the scope to introduce a more secure form of online payment, surely it's Visa and MasterCard? Why don't they introduce an iDeal-like payment protocol that the whole world can use? Why do I still have to type those 16 numbers into a web form, when the banking app on my phone already knows what those numbers are? Why does anyone else need to know those numbers, and why are those numbers enough to authorise payment?

Everything is wrong with that system, and yet credit card companies don't seem to have sufficient incentive to fix it. And yet they have too much power outside Netherland for anyone to introduce a better alternative.

[0] Lego! Why do you not support iDeal? If Steam can do it, so can you.

lotsofpulp3y ago

Why should I care about credit card security? I have zero liability, and in 17 years of using them, I maybe had to ask the bank to issue a new credit card number once, and that would have been many years ago.

I am sure tons of doctors' offices, hotels, online businesses, daycares, etc have my hand written card number and CVC code or whatever laying around, but even if someone did use it fraudulently, I would just click the dispute button on the transaction and I assume I would not hear about it again.

mcv3y ago

It still costs money. Transactions cost more because of the insurance. And it's still bizarrely insecure. Credit card numbers get leaked all the time, even if you personally haven't experienced it. Not to mention that it's inconvenient having to type in all those numbers. Security can actually make things more convenient in this case.

When I buy something, I just have to scan the QR code with my banking app and authorise the payment, and that's it.

2 more replies

r_hoods_ghost3y ago

It's worth noting that this isn't neccesarily how credit card disputes work in other countries. If I want to dispute a charge in the UK I have to first dispute it with the merchant, then if they refuse to give a refund dowload a 10 page .pdf form from my bank, fill it out, print it and sign it (digital signatures will be rejected) give copious evidence that I am not to blame, and then send it off. After a few weeks and probably at least one or two follow up calls I might get a refund. Other countries may have better or worse systems and credit card companies (and banks) are interested in the global market, not just the USA.

amelius3y ago

It takes time and effort to figure out if someone has robbed you.

And sometimes it may go unnoticed for a while, and it happened to me at least once.

1 more reply

ahopebailie3y ago

This is pretty much the exact distinction between the US attitude to cards and the rest of the world. In the US, the ability to dispute a card tx is just part of life.

Everywhere else the banks have forced poor UX onto merchants in the name of shifting liability and improved security.

This is why the US rolled out chip cards with a signature while everyone else has been using chip and PIN for years.

psychlops3y ago

When losses are socialized, fraud is someone else's problem.

1 more reply

dr_dshiv3y ago

I love iDeal! It is one reason why the Amazon Monopoly has less hold in countries like the Netherlands. Online payment is such a breeze!

mcv3y ago

It's true, I haven't bought from Amazon in years. Usually bol.com is my first stop for that kind of stuff. But if it's really a lack of iDeal support that's holding Amazon back, why don't they just support iDeal?

I doubt iDeal is much harder to support than other payment systems, so the only reason not to support it is because they don't really consider Netherland an important market. I don't care about Amazon ignoring us, but I'm a bit disappointed about Lego.

brnt3y ago

And you know, good old bank transfers worked perfect decades before that too. Still do in fact. Even Europeans from certain (Eurozone) countries seem wary to use it, while typing in am IBAN is really not anymore work than typing a credit card number.

Tijdreiziger3y ago

Amazon.nl does support iDEAL

1 more reply

soco3y ago

The Netherlands have iDeal, India has UPI, Brazil has Pix, Switzerland has Twint, there are quite some solutions for easy and simple payments floating around. Next step is to figure out how to integrate all these for international payments.

Ayesh3y ago

Yeah, we had an overwhelming majority of Dutch users using iDEAL to a point that we didn't see any decrease in sales when we had our credit card payment gateway down.

I believe you need to sign up with a Dutch acquirer/CPSP to get iDEAL payments sorted out, so there is an entry barrier for many international shops to accept iDEAL payments. This is pretty much the same for other payment providers such as CB, UPI, LankaQR, even AliPay too, so that effort is probably worth it.

themoonisachees3y ago

Unlike iDEAL, dealing with CB gets you nothing now. I haven't seen a CB card that wasn't also a visa card in 20 years, so if your payment system accepts visa you don't have to deal with them

WirelessGigabit3y ago

No. iDeal sucks. No insurance. Go read on some Dutch websites where they discuss online purchase issues. First question they ask: paid with credit card? Open dispute. Paid with iDeal: much harder as they have your money. If they’re not associated with some kind of governing body your only recourse is a lawyer.

I’ll pay the credit card transaction fees. Peace of mind.

WirelessGigabit3y ago

Downvoters: prove me wrong… what’s your recourse when the shop refuses to corporate?

nottorp3y ago

You may want to mention that no small store accepts visa/mc in NL :)

Apparently because the commission is sky high. In other parts of the EU that's been regulated and I can buy as low as two apples with a credit card.

If you're a tourist in NL, bring cash.

bluedino3y ago

Why don't they just advertise a minimum purchase or fee for using a card? You're not supposed to do it but it seems like every small party store/gas station in the US does so.

1 more reply

wink3y ago

Did this change recently? I had no problem paying with my German Maestro/EC for everything a couple of years ago. (Just like in most European countries, really)

2 more replies

mcv3y ago

I only have my credit card for online purchases, and only for webshops that don't support iDeal. There's little to no domestic credit card use here.

wwilim3y ago

In Poland, we have this wonderful system called BLIK. You provide nothing except a single-use 6-digit code, then you confirm the payment in your bank's mobile app. It works in online payments, physical stores and ATMs, it supports bank transfers using just a phone number, and recently it's been upgraded to support contactless payments as well https://en.wikipedia.org/wiki/Blik

whizzter3y ago

Sounds a lot like Swish in Sweden (and I think Vipps in Norway). It basically started as a user to user system that works by tying a persons phone-number so you can send momey to anyone you have a phone-number for.

Quite quickly this system was adopted by small companies before it was made official and they quickly introduced a user to company variation, a tad costly but the ease of just scanning a QR-code to pay has made it a hit (The QR code always has a recipient, optionally with a sum and infotext also I think).

bluedino3y ago

It's odd that confirmation systems like you mention are almost never used in the US for ordering. Seems like that would solve the problem of delivery drivers stealing your food or iPhone.

boring_twenties3y ago

So, you can't pay if you don't have your phone on you, or it's not charged, or the network connection is spotty?

silvestrov3y ago

Seems like this article is only about United States without being aware of it.

Many countries in Europe and Asia have much better payment solutions than the states.

ahopebailie3y ago

It's actually about what is supported natively in Web browsers and what the vendors of those browsers have done to make it better.

Sadly you are correct that the mentality of the browser vendors is VERY card (and US) centric so accommodations for other payment methods get very little attention.

This is not a fault of the working group participants who have tried to push for everything from iDEAL to crypto but in the end it's pretty clear we're heading for a wallet-dominated world and we all know who those wallets will come from unless we push back.

jonkoops3y ago

This, we use iDEAL [1] here in the Netherlands since 2005 and it's awesome! You just scan a QR code with your banking app and pay.

[1] https://en.wikipedia.org/wiki/IDEAL

franciscop3y ago

> "The security of your card details is only marginally improved"

Please don't be ridiculous, I understand you have to instill fear in the people reading this for them to use your service, but the security of what you described before to today has improved by orders of magnitude:

- I'm going to guess no HTTPS 20 years ago (it was formally specified 22 years ago).

- Merchant employee has access to the raw data of your credit card. Lowest paid one probably, since it's manual data entry.

- Send this data using email, which is not secure neither at the sending point, receiving point or transportation.

- To the ordering service, again a lowly paid employee with access to the raw credit card data.

- In none of these points, except the first, the payment amount was confirmed/verified by the client.

- At none of these points the author of the order is verified to be the legit owner of the card.

Today, sure it's still complex, but we basically have 2FA, card tokenization, client verification of payments, forced HTTPS, etc. which remove all of the insecure points mentioned above.

Disclaimer: I recently joined Stripe, opinions my own though ofc

ahopebailie3y ago

I think you miss the point that card payments should never have evolved to still require us to type sensitive data into a web form at all.

Also, don't forget that 2FA etc are not ubiquitous, especially not in the US.

As I implied, PCI DSS is lipstick on a pig. We could have done much better in the last 20 years. Now Apple and Google are doing it for us and we won't have any choice but to get further locked into their walled gardens.

franciscop3y ago

No I get and agree to that point, but the article also literally says the line I quoted above! Those are not mutually exclusive.

Apple and Google pay I feel like will somehow get stuck in the USA, I'm from Spain and I can def not see how, seeing how convenient payments are over there, they will get any meaningful penetration. It's funny because every year that I've come back to Spain (now I live in Japan) there's been a totally different but more convenient way of payments there. I need to write about it some day. Like, I'm the last person who expected payment methods would have a 1-year turnaround in the "old school" country of Spain! But somehow it happened, and that while not locking foreigners out (which is common e.g. in Japan, where you have all these "strange" payment methods that are inscrutable for tourists).

Retric3y ago

Your timeline is off, Netscape Communications created HTTPS in 1994.

So while it became a formal specification in 2000, browsers where already supporting it at the time.

franciscop3y ago

True, I just searched when the standard was created, my point still remains that by 2002 most sites were probably without HTTPS though. Heck, I remember in ~2012 when I started programming about half of the login sites I used were without HTTPS!

hotpotamus3y ago

Took a quick look and SSL was 1994, so going on 30 years. Formal specification may have taken a bit longer, but I definitely remembered using SSL in the 90's.

trentnix3y ago

Yep. I remember it being recognized as essential for payments in 2002.

_trackno53y ago

No surprises here.

Cards should've been deprecated as a payment method long ago.

Brazil's Pix, Netherlands's iDEAL, Poland's BLIK, etc, are all better payment methods that follow a push model (i.e., the customer actively confirms the purchase on their phone) instead of pull model (i.e., I send my card details to the store and it forwards it to the card network).

I really hope the EU gets its shit together and moves forward with TIPS[0]. I would love for this to become a requirement for all banks in the Eurozone.

[0] https://www.ecb.europa.eu/paym/target/tips/html/index.en.htm...

charles_f3y ago

That's all great till you don't have network, or you're abroad and need to shell out a $15 roaming day pass to pay for a freaking croissant. No thanks.

At least the credit card networks achieved some degree of industry standardization. I can pay with my freaking phone and it requires my fingerprint to validate the payment. I'm not clear what lack of convenience you're referring to

marcosdumay3y ago

Well, I don't see how any of those problems are a reasonable issue for online payments.

By the way, most countries still have cash. What is important, because the credit card network is known for going offline once in a while.

quickthrower23y ago

Apple pay coupled with fingerprint on iphone has been my most enjoyable experience both on the web and in person. There is still a CC under the hood.

Am4TIfIsER0ppos3y ago

The government can always make it worse. The EU removed my prepaid card simply because I refused to get a phone for it which was expected to receive some sort of permission for each transaction.

hocuspocus3y ago

SCA is a big improvement for most people.

Some card issuers don't require it done via a phone if that's important for you.

culturestate3y ago

> Some card issuers don't require it done via a phone

And some (looking at you, DBS) toggle seemingly at random between requiring it via SMS or via their mobile app.

1 more reply

rwmj3y ago

For most, but not anyone like us who has no mobile reception.

1 more reply

unsignedint3y ago

Unpredictability of international online card payment is painful. Up until March, most if not all the transaction to Japan were working. Two out of three cards I regularly stopped working on March, and one card still works, except it get flagged at EVERY SINGLE instance of these purchase that I actually have to call the issuer to get it unblocked for transaction. (Doesn't matter where it is, doesn't matter how many times I've made purchase from the same vendor.)

It seems like this is something to do with changes in 3DSecure; what's frustrating so much is that noone can provide me information what's going on, it's simply doesn't work.

clintonb3y ago

I’m still not sure what the author thinks sucks about wallets like ApplePay or GooglePay. They are the most convenient options both online and in-person.

Unless I missed a paragraph, the author never describes and ideal alternative.

ahopebailie3y ago

On the contrary I think both products are excellent.

The issue I have is that we've taken 20 years to find a better alternative than raw card data in Web forms and as a result we're gonna be stuck with a choice of only those 2 wallets when we could have a had wallets as diverse as websites if we'd been able to work together on a solution that was appropriate to the Web platform.

clintonb3y ago

Can you share more of that vision? As a well-off US consumer, things are fine. It takes me seconds to pay in person. It takes seconds to pay online using either of the wallets or via almost-direct entry with 1Password.

I get that I/we have ceded control of funds flows to card networks like Visa and processors like Stripe. Even if I didn’t work for Stripe, I would be okay with this as a merchant due to the convenience.

What am I missing? What do you envision is better for consumers and/or merchants?

Kukumber3y ago

If a website only offers me to put my Credit Card number, CVV, password, then it is a failure

Stripe would have been good in the first years of internet commerce, now it is outdated, worse, it's dangerous

djschnei3y ago

If only there was an instantaneous, nearly free (cost per transaction), opensource, anyone-can-access, infinitely scalable, infinitely interoperable, payment rail that we could start building solutions on top of...

tombert3y ago

If you're referring to cryptocurrency, isn't the average cost-per-transaction for something like Ethereum on the order of $40-$50?

zeroclip3y ago

Parent is a Bitcoin maximalist, just to be mindful.

Currently it's about $0.85 USD to send ETH or $2.50 USD to send ERC20[1]. Most people will suggest not using a L1 as a payment system, but instead something application-specific like a rollup or state channel. In Ethereum those will be in the range of 5 - 20 cents per transaction[2], and may be much lower after EIP-4844[3].

Other non-Ethereum blockchains and L2s have similar range of low fees.

[1] https://etherscan.io/gastracker

[2] https://l2fees.info/

[3] https://www.eip4844.com/

1 more reply

landemva3y ago

Just sending a payment is typically cheap for eth. Calling a lot of code can get expensive for the code execution costs, though L2s are available for that if you do it regularly.

pshc3y ago

It’s more like $1 these days due to the bear market, granted these remain high fees.

Cheaper payments can be sent on a zero-knowledge Layer 2 like starknet or zksync. Beta services but usable (except the whole on-ramp off-ramp part). Once sharding is implemented, fees are likely to drop to sub-cent levels.

Ideally payments would be anonymized on a privacy-preserving L3, but I don’t think those exist yet

1 more reply

djschnei3y ago

Not Ethereum. Ethereum has a lot of massive problems. Not 'crypto' which is by and large a scam.

I'm talking about Bitcoin with The Lightning Network.

Most payments I make over Lightning, regardless of size, carry a fee of fractions of a cent. On an average day I make 50+ payments over lightning - on aggregate the fees add up to less than $.01

edmcnulty1013y ago

what's the cost of lightning Network these days??

I like where your head's at but the fact that it's possible to do an overthrow of the system if you have 51% of the miners worries me.

landemva3y ago

> overthrow of the system if you have 51%

You may want to look into this further as it is fascinating. For example, a theoretical reorg to unspend or respend your own transaction does not allow signing transactions for others.

djschnei3y ago

Average fees are fractions of a cent.

Centralized systems are much easier to capture and historically always are.

A 51% attack on Bitcoin/Lightning isn't impossible, but incredibly unlikely.

https://www.swanbitcoin.com/fact-check-darpa-funded-report-o...

ForOldHack3y ago

Of course they do, but then again, I may not know, since I have not done ONE in about 6 years, when Paypal lied to me, and they suck worst of all. No more. Thanks.

fragmede3y ago

For a comparison, spend $5 or $10 that was gonna go to a lotto ticket or starbucks coffee and instead, buy an NFT. Just experience the UX of the web wallet system. It's weird, for sure, and unfortunately it's wrapped up in crypto (because of the emotional baggage people have with crypto), but the UX is interesting. Some lessons from there could be applied to online card payments and traditional banking to make them suck less.

prezjordan3y ago

Like what?

fragmede3y ago

Accounts are the first thing that come to mind. right now, I have an account at my bank, and I need to meet certain requirements to have that account. Web3 wallet accounts have no such requirements, and creating a whole new account is just a click away.

To make a payment, because my web wallet is already linked, I just select which wallet I want to make a payment from. No need to type out my credit card number. Apple pay has some of the similar convenience, but that's vendor locked and a dead end.

2 more replies

eraad3y ago

If card networks, issuers, acquirers, processors and gateways used bitcoin as their settlement layer, most of the current issues would be automatically solved. They could focus engineering resources on creating better user experiences, anti-fraud, etc.

Consumers can keep using their tokenized credit cards, debit cards, etc, but their money would be moved using the bitcoin time chain, instead of hundred of CSV files.

Why haven't the W3C participants even mentioned bitcoin for standardizing web payments? I believe it's because of politics and business. Bitcoin can't be controlled and manipulated and it's not an easy truth to swallow. I hope this changes.

phphphphp3y ago

xml via ftp is used across many industries because these systems are decades old: there are many suitable replacements — the problem is not that there isn’t solutions, it’s that changing old systems is very hard. Bitcoin doesn’t solve that.

yellowapple3y ago

> Bitcoin doesn’t solve that.

It doesn't necessarily need to. The other solutions are dependent on fixing the existing financial system, while the premise behind cryptocurrencies like Bitcoin is to outright replace the existing financial system. Bitcoin, in other words, offers a path to deprecate and phase out the old systems entirely.

Whether that'll actually happen is pretty uncertain, to say the least, but it's a possibility that other solutions generally lack.

Foobar85683y ago

Xml+sftp For data transfer in 2022, best in class yeah!

rwmj3y ago

No one being able to buy anything online is one way to solve online payment problems I suppose.

colesantiago3y ago

Bitcoin has failed as a means for payment and after almost 15 years nothing legitimate has come from it.

All people have used for it is gambling, speculation and ruining the planet.

Nobody, not even merchants are using Bitcoin for payments.

andy_ppp3y ago

I didn’t think Bitcoin could handle that many transactions, never mind the environmental damage it causes…

Timja3y ago

It is surprising that in 2022 this is still a popular misconception, even on a site like Hacker News.

The amount of transactions the Bitcoin blockchain handles does not impact how many transactions can be done in Bitcoin via higher layers like the Lightning Network.

I think the reason is that secure and trustless payment methods are a new thing that only came up a few years ago, and nothing like it existed before in the history of mankind.

There have been higher layers like banknotes that "represented" gold, but it always involved trust to use them.

With cryptographic solutions like Bitcoin+Lightning, no trust is needed anymore.

2 more replies

j / k navigate · click thread line to collapse