Last week, I read an interview in which Silicon Valley legend Marc Andreessen talked about reinventing finance, with the theme being, as he put it, “We Can Reinvent the Entire Thing”. Of course, Andreessen was talking not about ‘big’ finance but online consumer transactions, the focus being on the cost and security of these transactions.
As he puts it, “We have a chance to rebuild the system. Financial transactions are just numbers; it’s just information. You shouldn’t need 100,000 people and prime Manhattan real estate and giant data centers full of mainframe computers from the 1970s to give you the ability to do an online payment. You would not today, starting from scratch, invent any of these financial businesses in the same way.”
To anyone who thinks afresh about the cost and lack of security in online transactions, the situation seems to be absurd. With ecommerce being so much in the news, and apparently set to become the preferred mode of shopping for a larger and larger number of people, surely there should be some focus on these aspects. For the merchant who is accepting credit or debit card transactions, the cost can be two per cent or even higher.
As Andreessen points out, this is absurd, especially for Debit Card and Netbanking transactions, where there is no credit risk as in credit cards. The RBI talks a lot about replacing cash, but this can’t be the way to do it. If you walk into a shop and hand over ten thousand rupees, it doesn’t cost you or the shopkeeper anything, regardless of whatever it has cost your bank to handle the cash and operate the ATM. Pull out a card and suddenly the bank needs 200 rupees, or more, to let you pay. Nobody should be surprised at the absurdity of India’s e-commerce revolution involving handling large amounts of physical cash.
The other part is security. While the cost problem is almost universal, in credit card security, the Indian situation is uniquely absurd. The RBI has decreed a huge and cumbersome system of passwords and one-time codes. This rules out the kind of transactions (recurring charges and quick unattended swipes, for example) that the rest of the world takes as normal. However, it does nothing for security because international transactions are still allowed.
The goal of this password business is that if someone is capturing (say on a hacked computer or server or network device) your card number, expiry date and CVV, they still can’t do an online transaction without knowing your password too, or having access to your mobile phone. However, as implemented, this system is not much more than slightly comic security theatre. International payment processors can still charge your card without the password. So an Indian site can be hacked, someone can capture your data and then turn around and charge it through an international processor. And this happens all the time. Evidently, the real role of the password and code rigmarole seems to be to create an illusion of accomplishment where only meaningless activity exists.
The real problem is that the lives of Indian customers and the operations of legitimate Indian businesses become more cumbersome and more expensive. Think about it. I run a small business where people come to our website and buy books and magazines on personal finance. What are the chances that a vast ring of international credit card crooks will steal data and use it to buy a mutual fund magazine for Rs 100? And if they do, we’re quite willing to take the liability. And yet, the RBI forces our customers to go through the same useless security theatre as it does to those buying something valuable and resellable (say, gold jewellery) online.
As things stand, just as ecommerce seems to be taking off in India, our payment systems are taking a different turn, towards higher cost, more cover-your-behind security theatre and no actual improvement in security.