After twenty years of progressively complex security fixes being applied to card and bank payments, making life more expensive and complex for both businesses and their customers, new open banking payments regulation and technology have allowed innovative regulated payments institutions like Ordo to start again from scratch. They now offer new open banking enabled payments options for businesses that are not only easy to use, but inherently safer and more secure for both the business and their customers.
- As bank and card payments have evolved over many years, new security gaps have been exposed, and increasingly onerous security overlays for businesses and their customers have been developed to try and protect payments. While generally effective, these security overlays are making payments more difficult, adding expense to businesses and significant complexity to the consumer payments experience.
- Open banking regulation and new technology fundamentally change this, allowing new regulated payment providers like Ordo to design security and ease of use into payments processes from the start. This frustrates fraudsters by eliminating the collection and sharing of payments information and security details between customer and supplier, and lets customers deal directly with their trusted bank to approve payments that have been securely set up for them.
- In this new world, businesses can be sure that every payment they receive is legitimate and irrevocable, and their customers can be sure they know exactly who they are paying and that only the payments they directly authorise with their bank will get paid.
Securing Card and Bank-to-Bank Payments is getting harder for everyone
Bringing card and bank payments online over the last twenty years has delivered huge benefits to businesses and their customers. Without these innovations we would either still be shopping exclusively on the high street or handing over cash to delivery drivers every time we ordered something online. As far as bill payments go, we could still be sending cheques through the post every time we brought the plumber in to fix a leaking tap.
But the growth in telephone and e-commerce card payments, as well as real-time bank-to-bank payments via Faster Payments (see box: Faster Payments), has exposed businesses with cards and consumers with bank-to-bank payments to new and growing payments risks and costs, such as PCI compliance.
Taking card payments remotely (whether by phone or online) exposes businesses to fraud, which they end up paying for through chargebacks. Consumers who make a payment to account details that have been intercepted and changed by a cyber-criminal lose those funds, with very little chance of recovery (see box: Push Payments Fraud).
The regulators and industry haven’t just sat back and let this happen; they’ve introduced security overlays to try and mitigate these risks. For example, for bank-to-bank payments the introduction of some Confirmation of Payee/Account Name Checking services by some banks can give consumers greater confidence that they are paying the right business. Much more broadly, the much-delayed introduction of Strong Customer Authentication (SCA) for card payments in 2021 should significantly reduce the risks of card fraud to businesses (see box: Strong Customer Authentication).
But these security overlays don’t come without significant costs and complexity, and they do not deal with the security problems at their root cause. A common theme with these security fixes is increased payment process friction for consumers, caused by the additional consumer actions needed to complete a payment. For every new bank-to-bank payment, consumers now have to enter an accurate business name if their payment is to go through without additional checks and sometimes alarming liability warnings (see box: Confirmation of Payee). Once fully rolled out this year, all but the smallest value online card payments will require the consumer to additionally use their mobile phone to independently validate their identity and confirm they really want to make each card payment. And for the lower value payments, it will still be the selling business that carries the risk.
Open banking regulation and technologies allow us to start again from the bottom up
New FCA-regulated open banking payment institutions like Ordo are able to exploit the features of open banking to start again from scratch and engineer ease of use and security together into their new payment solutions (see box: Open Banking Payments).
By way of example, Ordo’s innovative open banking request for payment and e-commerce payment solutions take a radically different approach:
- With Ordo’s solutions, neither the paying customer nor the collecting business ever needs to be asked to provide Ordo with any card or bank details, eliminating an important vector for fraud.
- When a customer is asked to make a payment by Ordo, the receiving business’s account and payment details are passed directly to the paying customer’s nominated bank using the open banking regulated bank-to-bank-grade security protocols, removing the possibility of any interception and change by third party fraudsters. Not only is this more secure, but it also saves the customer the time, and the risk of error, of entering these details themselves – an increasingly big issue now that consumers are also expected to enter the account title of the person or organisation they are paying if they want to make a safe payment. If the customer makes a mistake doing this, the money may be unrecoverable.
- When it comes to making the payment, the customer talks directly and securely with their bank using their normal mobile or online banking app. In their app, they are told exactly who they are going to pay, and they authorise their bank directly, in the normal way, for example by fingerprint or face-id, to make the payment. All these identity and security credentials are kept between the bank and their customer, never shared with Ordo or the business they are paying, just as they should be.
These changes are not about adding ever more sophisticated cyber and information security protections to otherwise exposed processes; they are about fundamentally redesigning how payments happen so that there is nothing to be stolen in the first place. A significant side effect of Ordo’s approach to design is that both businesses and consumers can be sure that they are not sharing any private or sensitive information with each other or third parties that is not absolutely essential to carrying out their instructions. Not just security by design, but privacy too.
There are now better payments solutions for businesses and their customers
With new services like Ordo’s open banking request for payment and e-commerce solutions, everyone wins:
- Businesses can be confident that the payments they receive are legitimate and irrevocable. With Faster Payments as the underlying payment delivery mechanism, businesses are informed in real time by Ordo when payment has been made. They can guarantee not only that the amount they expect will be sitting in their bank account, but also that the cash is theirs and cannot be charged back or reversed. Incidentally, their bank payment will also be accompanied by whatever payment reference they specified when they started the request or e-commerce journey, eliminating the growing administrative burden of payments reconciliation.
- Consumers will not only know exactly who they are paying but will see every detail of the payment presented to them directly by their own bank. They won’t have to enter any additional information, just authenticate themselves with their bank, knowing that they don’t need to trust any third party, even the business they are paying, to look after their personal and sensitive information. This leaves the consumer in control, both of when they pay and of all their private information.
- With Ordo the banks win as well. They don’t need to go through complex verification processes with their customer to make sure they know who they are going to pay, trying to ask for and match account numbers and account names for each new payment. There is no doubt that the customer has been fully informed about the payment and is making an active decision to pay, and therefore there is no uncertainty about liabilities.
- And finally, the economy wins. Re-engineering payments for ease of use and security, exploiting the incredibly cost-efficient Faster Payments service, and preventing criminal losses from growing payments frauds together drive improved productivity into our economy, allowing more to be done for less, and constraining the arms race of attack and defence between financial criminals, businesses, banks and their customers.