Yesterday, Flipkart announced a ‘save card’ feature which was variously discussed as similar to Amazon’s 1-click feature. This article is an attempt to explain the nuances involved and understand what this really is about and whether it makes sense for other merchants to consider this.
Introduction to Card Security
First, a bit about Card Association (Visa, MasterCard, etc.) rules relevant to this:
- Storage of credit card numbers attract stringent security mechanisms described in PCI DSS specifications which is the industry body regulating the standards pertaining to card data. These are much more stringent than those required for simply accepting the card number and handing over to payment gateways (which is what all merchants do in India)
- Storage of CVV (the 3 digit number behind the card) is not allowed to be stored. Card associations allow charges to be made without specifying CVV, but the rates they then charge for each transaction are slightly higher (since there is a higher risk in the transaction).
When 3DS security is enabled (Verified by Visa, MasterCard SecureCode, etc.), which is RBI regulation, additional authentication is required:
- For every 1-off transaction (which is 99% of all transactions in India), user must specify the password configured with issuing bank for 3DS, whether or not the card details are stored by the merchant.
Advantages of Card Details Storage
Given these, what does Flipkart announcement mean? It is certainly not 1-click since 3DS forces you to have a password entry page.
- Convenience: The ‘save card’ feature is really what it says: a convenience feature where you don’t have to have your credit card details with you every time you purchase, this saves you a few minutes in typing (or an hour if you have to look for your card and can’t find it!).
- Impulse Buying: It encourages impulse buying by removing a barrier to completing purchase when finding something interesting during casual browsing (2 pieces of data entry you have to do every time is typing your shipping address and your credit card details – Flipkart already saves address for you).
- New features: Features like magazine subscriptions (which include monthly charge or renewals) are better done (with better renewal rates) if you have credit card on file. Magazine subscriptions (or any other kind of subscriptions) are good businesses to be in, and this enables Flipkart to offer these features.
Issues with Card Details Storage
However, with this capability, you get into host of other issues:
- Password scam vulnerability: Through this feature, they have suddenly made my Flipkart password so much more valuable to hackers, because now if someone gets to know my password, they can attempt a purchase. Saving grace is that 3DS requires them to know my VerifiedbyVisa password too which makes it safer, but it is still a big motivator for hackers now to steal your Flipkart password.
- Data Security: Customers have very poor opinion of data security worldwide, and in India, it is particularly bad. So it is debatable if you would trust Flipkart to store such valuable details for you, or you would rather go with the extra hassle of inputing the credit card details every time (or still better, use COD!).
- PCI Compliance cost: The stringent requirements for compliance to PCI-DSS standards mean investment in infrastructure as well as annual audits. These costs easily run to $1M a year or more. ROI of this cost may not be there, at least initially.
This is still early days for this feature, even though it was long overdue. Most merchants should sit back and watch the user adoption and early teething problems being sorted out. This is an area where being early adopter can be very costly. Flipkart has no choice but do this since it is the market leader, but other merchants don’t need to. Once user adoption is significant, compliance costs have come down and enough expertise is available to build such a secure and compliant infrastructure in a cost-effective way, other merchants can think about this.