Credit card security is broken. Here’s how Bitcoin could help fix it.

December 30, 2013

My wife and I are planning a trip to Asia in January, and so I've been making hotel and airplane reservations. In the process, I've had first-hand experience with the dysfunctional state of international credit card payments. I've had three transactions declined on spurious security concerns, and each incident has required a call to my bank to correct the problem.

A common criticism of Bitcoin holds that the Internet-based payment network isn't actually useful. Sure, Bitcoin allows people to transmit value electronically, they say, but conventional payment networks like MasterCard already do that.

But the clumsiness of international credit card transactions, not to mention Target's recent security woes, illustrates how better payment technologies could be beneficial. As we'll see, a Bitcoin-based alternative to conventional credit card networks could be significantly more secure and, as a result, more convenient and affordable for everyone.

But getting there would be tricky. Fees in the credit card network are paid by merchants, whereas the Bitcoin-based payment scheme I describe here would have consumers paying by default. The Bitcoin community will have to figure out how to shift fees back onto merchants if it wants to attract enough users to make Bitcoin-based payments mainstream.

A 20th-century payment network

My efforts to buy Asian plane tickets went like this: I went to an airline's Web site to make a purchase. The bank that issued my credit card flagged the transaction as suspicious and refused to honor it, leading to a cryptic error message on the airline's Web site.

I called my bank. After verifying my identity by asking me some not-very-secure "security questions," the bank representative told me the bank had denied the transaction as a security precaution. I assured him that the purchase was legit. He cleared the hold on my account and asked me to resubmit the transaction.

In the last week, I've gone through this process not once, but three times. Each time I've called the bank, I've asked them to update my account to make sure my transactions with Asian hotels and airlines don't get blocked. They haven't been able to do it, forcing me to make multiple, time-consuming phone calls.

In the age of the Internet, this is a crazy way to run a payment system.

Chicken and egg

The fundamental problem with conventional payment networks (mine was a MasterCard, but other credit card networks work similarly) is that they try to detect fraudulent payments without the active participation of the card holder. If the credit card network wants to know if a payment from my account is legitimate, the best way to find out would be to ask me.

When the credit card was created decades ago, there was no practical way to do that. So, instead, credit card companies try to guess which transactions are legitimate using characteristics of the transaction, such as the country it was made in and the size of the purchase. That's an inherently error-prone process.

Happily, the world has changed. Today, most people have Internet-connected smartphones in their pockets. In principle, it shouldn't be difficult for users to confirm payments at the time of sale, nipping most credit card fraud in the bud.

Indeed, there are products like Safepay that do just that. But they face a huge collective action problem: They only work if both merchants and customers adopt them. Safepay requires merchants to sign up with a $15 per month account. And it requires customers to download the Safepay app so they can confirm transactions.

As long as few merchants are Safepay users, there isn't much incentive for customers to download the app. And with few customers using Safepay, there's little reason for merchants to adopt the system. So far, no Safepay-like product has become widely adopted.

That's one example of a general problem with credit card security: Responsibility for credit card fraud is divided among merchants, card-issuing banks, the credit card network itself and users. That diffusion of responsibility, as well as the complexity of the credit card networks' rules (Mastercard has hundreds of pages of regulations governing transaction disputes), makes the system hard to improve.

Why Bitcoin is different

The Bitcoin network operates differently from conventional payment networks, and those differences could allow the Bitcoin community to develop more effective anti-fraud techniques. Conventional payment networks place most of the liability for fraudulent transactions on the merchant, allowing customers to challenge and reverse suspicious payments. Bitcoin, however, puts all of the liability on the payer. If you get tricked into sending a payment to the wrong person or hackers steal your Bitcoins, you have no recourse.

That allows for much simpler rules for the Bitcoin network compared with conventional credit card networks. Many of the regulations that govern Visa and Mastercard are designed to prevent misuse of the network and to protect consumers. Bitcoin operates on a buyer-beware basis. That might not be good for consumers (we'll get to that in a minute), but it makes the Bitcoin network much more hospitable to innovation.

It's obvious why merchants would be drawn to this kind of system. Accepting Bitcoin payments means lower fees, fewer regulations and no worry about liability for fraudulent transactions. Bitcoin transactions are irreversible. Once you've received a Bitcoin payment, you don't have to worry about it being challenged and reversed. Bitcoin's merchant-friendly approach may explain why the number of Bitcoin merchants has been soaring.

What about customers? At first blush, shifting liability to the customer isn't a consumer-friendly move. And the bare Bitcoin network isn't at all hospitable to ordinary users. Securing a Bitcoin wallet is tricky, and people who store their wealth in bitcoins risk having the value of the currency suddenly plunge.

But Bitcoin is an open platform that others can build on. Just as companies like Bitpay and Coinbase help merchants accept bitcoins with minimal hassle, so consumer-oriented startups may be able to help users spend bitcoins securely. Just as Bitpay and Coinbase allow merchants to immediately convert Bitcoins back to conventional currencies to protect against the risk of Bitcoin's volatility, so a customer-focused Bitcoin payment service could hold customers' cash in conventional currencies and convert it to Bitcoin at the time of payment. Such services should also be able to offer the same liability protection as banks and credit cards: that the company, not the customer, will be liable for the costs of hacking, fraud and other security issues.

Who should pay?

Of course, these services won't be free. But they could be pretty affordable. One of the biggest expenses of this type of consumer-facing Bitcoin payment service would be reimbursing customers for fraudulent transactions. That means that the fees a Bitcoin payment service would need to charge would depend primarily on how secure it is.

Bitcoin-based payment services would have both the authority and incentive to improve the security of their apps and pass those savings on to customers. For example, one of the best ways to boost the security of a payment app is to use an authentication token, a keychain-sized device that provides a "second password" that changes every minute or so. Users typically resist carrying such a device, but some might change their tune if a payment service offered them a significant discount for doing so.

A well-designed payment app could be cheap enough that customers with unusual needs would be willing to pay for it. International travelers, for example, might be willing to pay a modest fee to never have to worry about their transactions being declined or getting hit by unexpected fees. At the opposite end of the spectrum, some consumers who lack credit card and bank accounts are forced to pay their utility bills in cash. They might find Bitcoin-based payment services a convenient alternative.

Of course, to be truly mainstream, Bitcoin-based payment systems would need to match the zero-fee principle of the conventional payment network. Bitcoin is such a good deal for merchants — they save the roughly 2 percent credit card fee, and they don't have to worry about charge-backs — that it might make business sense for them to offer customers a discount of 1, 2 or even 3 percent if they paid with bitcoins and still come out ahead compared with the cost of accepting credit cards.

The open payment network

Obviously, I'm doing a lot of hand-waving here. Much of the infrastructure I'm describing doesn't exist, and my specific predictions will probably prove to be wrong. But the market structure I'm describing illustrates an important strength of Bitcoin. Conventional payment systems are monolithic. Everyone is required to use the same procedures, limiting experimentation. But Bitcoin gives users, and the firms that send and receive payments on their behalf, a lot more flexibility. Over time, we should expect that freedom to foster greater experimentation and quicken the pace of innovation.

Something similar happened in the telecommunications industry. Since the mid-19th Century, the world's telecommunications infrastructure had been managed by the International Telecommunications Union. The international body ensured that communications networks could interoperate by requiring them to adopt shared standards.

By the 1970s, this system had produced a sophisticated system of phone and telegraph networks, but it was also beginning to show its age. New telecommunications services required buy-in from national telecommunications monopolies, which meant that progress was slow. Fees for long-distance communications were high.

The Internet upended that system by adopting a much simpler set of rules. Rather than trying to specify which features Internet-based networks must provide to their customers, the Internet's core protocols simply provided a basic ability to transmit data and left individual users the freedom to build more sophisticated services using that basic communications capacity. Initially, the Internet was dramatically inferior to conventional communications networks, but over time Internet applications became increasingly sophisticated. Today, the Internet's capabilities are much greater than those of the conventional services overseen by the ITU.

Bitcoin applies the same philosophy to payment networks. Rather than trying to build every feature into the core protocol, the creator of Bitcoin defined a simple, flexible way to transmit money. The system leaves it to others, like Bitpay, Coinbase and firms that haven't been founded yet, to build secure, user-friendly payment applications on top of that basic infrastructure. It's impossible to predict what those services will look like or whether consumers will prefer them to conventional payment networks. But history suggests that Visa and Mastercard shouldn't get too comfortable.
