Payments are fail

This is a story about checks and credit cards.

Once upon a time, you would pay people by paper check. You had little pieces of paper with a bank’s name on it. When somebody wanted to pay someone else, they would write on the piece of paper, and the recipient would use the reputation of the bank and/or other authenticating documents to determine whether to accept the payment.

Today people still carry the little pieces of paper around, but they are no longer really used as checks. Today, most checks are converted into an EFT transaction (electronic transfer) before deposit. The particular kind of EFT commonly in use in the US is called Automated Clearing House or ACH. There is a newer, better, Check21 standard, but the legacy ACH system will be around for the foreseeable future.

The first problem is that writing a check to cover the groceries triggers a whole flowchart of parties to get involved in the transaction. And whenever you have five parties, you have five computer systems, and your 95% uptime becomes 77% uptime, and it’s a minor miracle that transactions go through at all. Just forget about figuring out, while you’re still in the checkout line, whether or not there’s money in the account to pay the bill. It’s actually easier to build systems that guess whether or not the check is good than it is to call up the originating bank and find out.

And because there’s so much risk in the system, everyone wants to make sure they were paid by the previous party before forwarding along the money to the next party. As a result, what should be a row lookup in a database table served up at 300ms turns into a 5 business-day affair while everyone waits for funds to clear. Ponder that for a minute: automated systems keep business hours. This part of the Internet closes at 9. Not to mention how the 5-day delta of the transaction increases the risk for everyone involved, incentivizing every party individually to try to slow it down further, leading to more risk, leaving to longer clearing times. Round and round it goes.

Oh, and were you under the impression that the Automated Clearing House actually clears checks? Don’t be fooled. Checks can be dishonored months after being “cleared”. So much for that.

Second, because ACH was replacing the legacy paper check system, it carries around legacy baggage. In order to be adopted, there had to be an easy way to convert paper checks into ACH transactions. But all the security of a check was in the paper–watermarks and holograms and such. So by definition, a system that removed the paper would be removing all of the security inherent in the system.

Here’s how to collect payment via ACH: call up a bank, and give them the numbers at the bottom of any check and an amount. Five days later, the money will be in your account. That’s all it takes to rob someone via ACH. The numbers aren’t even a one-time-key: they’re the same on every check. The only security measure to any of this is that they passed a law to criminalize it.

The problem is so bad that people keep stealing money from Donald Knuth, who sadly no longer writes checks.

As if that’s not enough, somebody can go to the actual bank and get real, paper checks with your account number on them. No ID is required to do this. There are no safeguards. Not only is the ACH system broken, even the old paper system has been irreparably broken as a result of the addition of ACH numbers to the paper.

And if somebody does steal your money? Good luck getting it back. Protection laws are minimal, or nonexistent. Even if you close an account to stop someone from writing the 30th fraudulent check drawn on your account, the bank will re-open it if they receive a debit, and happily charge you overdraft fees.

Enter credit cards, which have a clearing time measured in seconds, and strong consumer protections against fraud. Everything’s good, right?

If this looks more complicated than the ACH flowchart, that’s because it is. There are two systems in play here: the “authorization” system that decides at the point of sale whether the transaction will go through, and the “settlement” system that actually transfers the money. The “authorization” stack for most credit cards runs on, and this is not a joke, IBM 390-series assembler, an architecture that not only predates Windows and DOS but even the Intel 8086. The “Settlement” stack is built atop–what else?–ACH transfers. We’ve certainly learned from our mistakes.

Credit cards, like ACH, run on a “pull” architecture. All I need is the information printed on your card, maybe a zipcode, and I can stick you with a bill. Transactions are considered valid by default. Maybe you can dispute a charge, but with most banks the merchant’s continued business is a lot more important to the powers-that-be than yours. AMEX is one of the few companies that actually holds merchants’ feet to the fire, and this is part of the reason why they are not universally accepted.

In fact, the only problem that this new-fangled system solves, from a transactional point of view, is the type of fraud where somebody pretends to have more money or credit than they actually do. That is, the type of fraud where the bank or the merchant is left holding the bag, covering lost funds. Those scams where a merchant is incorrectly billing a consumer: recurring billing scams, fitness centers, advance fee fraud, and any other consumer-oriented scam; as long as the bank can skim their 2% off the top, it’s just not a priority.

In fact, what we need is a “push” payment architecture. I carry a mobile phone in my pocket. When a merchant bills me, I should have to explicitly “approve” the transaction via voice or SMS while in the checkout line, or else the transaction will be rejected. That way, to cancel service X, I don’t have to call and beg some customer service rep to stop billing me. I just have to stop pressing OK on the dialog that appears once a month. We can code up the technology to do this kind of “push” payments in about ten minutes. It’s not that difficult. It’s not that much of a hassle. And it totally fixes our broken payment systems.

There is such a company that provides this “push” architecture. Unfortunately, they suck. They’re far too busy trying not to be regulated as a bank and who knows what other legal nonsense.

The fact is, there’s no money in advocating for consumers. As a consumer, you’re not the customer of a payment system, you’re the product. Visa and the banks are out there selling to the merchants–Walmart, Target, etc.,–and you are just a bullet point on the sales presentation. Look at our reach! 40 million customers! Now let us skim 2% off of your transactions.

---

Want me to build your app / consult for your company / speak at your event? Good news! I'm an iOS developer for hire.

Like this post? Contribute to the coffee fund so I can write more like it.