Why are e-commerce payment forms so complicated?

Quick quiz: if your site accepts payments, what do you need to charge a user’s credit card?

Very efficient e-commerce payment form

Just 20 characters: the credit card number and the expiration date (a 16-digit card number plus a four-digit MM/YY expiry). The three fields shown above comprise a complete payment form.

So why do most e-commerce payment forms on the web look like this?

The above form requires 14 fields. For my billing information, that’s 131 characters. It asks for my first name, last name, address, country, city, state, postal code, phone, company, security code, and my card type. And it’s hardly alone: the average web site requires 12 fields and 70 characters just to make a payment.

How did payments on the web become so complicated? Fraud.

Credit card fraud and the black market

Every site that accepts payments faces credit card fraud. On the black market, criminals can buy 100 stolen credit card numbers for $40 and use them to purchase expensive goods from unsuspecting web sites. Weeks later, when the cardholder notices the fraudulent charge on their monthly statement, they call their bank to reverse it, in what’s known as a “chargeback.” For card-not-present transactions such as online purchases, the merchant (not the bank) holds liability for chargebacks due to fraud, and that liability is expensive: the merchant loses the goods, refunds the charge, and typically pays a chargeback fee on top. Sites across the internet lose more than $3.4B per year due to fraud in the U.S. alone.

To curb these losses, the major credit card companies introduced two anti-fraud measures in the late 90’s:

AVS (address verification service) matches the address entered by the user against the billing address on file with the cardholder’s bank. In practice it compares only the numeric parts of the street address and the postal code, and it is only available for cards issued in a handful of countries, chiefly the U.S., Canada and the U.K. Although effective at one point, today AVS is a weak signal: fraudsters buy the billing address along with the card number, and good users frequently get tangled up in AVS checks. In our data, AVS catches about 28% of fraud but also flags 8% of regular users. In the payment form above, 50 of the 131 keystrokes were related to the address.

CVV (card verification value). Starting in 1997, MasterCard began printing a 3-digit security code on the back of the card, and Visa followed suit soon after (American Express prints a 4-digit code on the front). In theory, the CVV is less likely to fall into criminals’ hands, since PCI DSS rules prohibit storing it after authorization, so a breach of a merchant’s database should not leak it. In practice, of course, the black market is flooded with card numbers that have matching CVV codes, captured at the point of entry by phishing or by malware on the checkout page itself. Depending on the country and vendor, the CVV also goes by the acronyms CSC, CVV2, CVVC, CVC, CCV, or SPC.

Although AVS and CVV are well-intentioned, they have a cost—more friction and lost conversions. Users abandon forms with too many fields. Good users frequently mistype their billing address. After a user moves, it can take up to six months for the bank to update the address on file, leading to false rejections. Users often don’t know where on the card to look for the CVV code. One study found that merchants who left CVV out of their payment flow reported 40% higher conversion rates.

Fraud or friction? A false choice

Luckily, you don’t have to choose. You can stop fraud without friction. On the internet, everything is measurable, and fraudsters leave behind tracks they’re not even aware of. What IP address is the user coming from? Are they using a proxy? A Tor node? How is the user navigating through the site? How many accounts have originated from this particular physical device? Is the e-mail from a legitimate domain? None of these signals is conclusive on its own (plenty of good customers use a VPN), and that is the point: the most sophisticated sites today gather hundreds of signals and combine them into a risk score using a machine learning algorithm, so that no single check has to carry the decision.

How to build a frictionless anti-fraud system would take a whole series of blog posts, but if you run a web site, you have options. Sift Science is building a system to fight fraud with machine learning. There are other vendors out there as well, and some sites start by implementing simple IP-based checks.
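To make the “hundreds of signals into one score” idea concrete, here is an added example (not Sift Science’s code, and not part of the original post) of the simplest form of such a scorer: a logistic regression trained by gradient descent on a handful of constructed, labelled checkout attempts. The signal names (`ip_is_proxy`, `accounts_on_device`, `avs_match` and so on), the training rows and the approve/review/decline thresholds are all assumptions made for the illustration; a real system would learn from millions of labelled transactions and far more signals.

```python
"""Toy fraud risk scorer: combine per-attempt signals into one score.

Illustrative example only (not Sift Science's system). The signals,
the labelled training rows and the thresholds are all constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """Signals collected for one checkout attempt (all assumed names)."""
    ip_is_proxy: bool              # proxy / VPN / Tor exit node
    ip_country_matches_card: bool  # IP geolocation vs. card issuing country
    accounts_on_device: int        # accounts seen from this device fingerprint
    email_domain_free: bool        # webmail / throwaway provider
    attempts_last_hour: int        # payment attempts from this device
    avs_match: bool                # AVS result: one signal among many


FEATURE_NAMES = ["bias", "proxy", "country_mismatch", "device_accounts",
                 "free_email", "velocity", "avs_mismatch"]


def features(a: Attempt) -> list[float]:
    """Map an attempt to a fixed-length feature vector with values in [0, 1]."""
    return [
        1.0,
        float(a.ip_is_proxy),
        float(not a.ip_country_matches_card),
        min(a.accounts_on_device, 10) / 10.0,
        float(a.email_domain_free),
        min(a.attempts_last_hour, 10) / 10.0,
        float(not a.avs_match),
    ]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


# Constructed labelled history: label 1 = later charged back as fraud.
TRAINING = [
    (Attempt(False, True, 1, False, 1, True), 0),
    (Attempt(False, True, 1, True, 1, True), 0),     # free e-mail, otherwise fine
    (Attempt(False, True, 2, False, 1, False), 0),   # moved house: AVS fails
    (Attempt(False, False, 1, False, 1, True), 0),   # travelling abroad
    (Attempt(False, True, 1, True, 2, True), 0),
    (Attempt(False, True, 3, False, 1, True), 0),    # shared family laptop
    (Attempt(True, False, 8, True, 6, False), 1),
    (Attempt(True, True, 5, True, 4, True), 1),      # AVS passes: address was bought too
    (Attempt(False, False, 12, True, 9, False), 1),
    (Attempt(True, False, 6, False, 3, False), 1),
    (Attempt(True, False, 9, True, 7, True), 1),
    (Attempt(False, False, 7, True, 5, False), 1),
]


def train(rows, epochs: int = 2000, lr: float = 0.5) -> list[float]:
    """Logistic regression by batch gradient descent; one weight per feature."""
    n = len(FEATURE_NAMES)
    w = [0.0] * n
    data = [(features(a), float(y)) for a, y in rows]
    for _ in range(epochs):
        grad = [0.0] * n
        for x, y in data:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            for j in range(n):
                grad[j] += err * x[j]
        for j in range(n):
            w[j] -= lr * grad[j] / len(data)
    return w


def risk_score(w: list[float], a: Attempt) -> float:
    """Score in (0, 1): higher means more likely to be charged back."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(a))))


def decide(score: float, approve_below: float = 0.3, decline_from: float = 0.7) -> str:
    """Three-way decision so that only the grey zone needs extra friction."""
    if score < approve_below:
        return "approve"
    if score >= decline_from:
        return "decline"
    return "review"  # e.g. step-up: ask for CVV/AVS only here


if __name__ == "__main__":
    w = train(TRAINING)
    for name, weight in zip(FEATURE_NAMES, w):
        print(f"{name:>16}: {weight:+.2f}")
    for a in (Attempt(False, True, 1, False, 1, True),
              Attempt(True, False, 7, True, 5, False)):
        s = risk_score(w, a)
        print(f"{s:.3f} -> {decide(s)}")
```

The three-way decision is what lets friction be applied selectively: approve the bulk of traffic on card number and expiry alone, and ask for AVS or CVV (or decline outright) only in the grey zone. Note also that the AVS result enters the model as one weighted signal among several rather than a hard gate, which is how a weak signal should be used.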

Two important caveats. First, check with your payment processor to see whether removing AVS and CVV will affect your transaction fees. In many cases, you can simply request less information (e.g., just the ZIP code) and get the same fee. Processors tend to be stricter about CVV, and sometimes charge about 0.1% extra to process payments without it. Second, rigorously measure the tradeoff between revenue and fraud rate when you change your payment form or verification strategy: run the old and new forms side by side, and track conversion and the chargeback rate of each arm over the full chargeback window, since disputes arrive weeks after the sale. We think most sites could grow their revenues significantly with less friction, even at the cost of slightly more fraud, but every site has a different tradeoff.

Conclusion

Payments online can be quick, efficient, and frictionless — without opening the floodgates to fraud. So why not remove as much friction as possible from your checkout process? Your customers and your pocketbook will thank you for it.

And if you need help keeping a lid on fraud, join Sift Science’s private beta.


54 comments

  1. I like the thought of removing the information. But, I wonder if it would really help conversions. I don’t think most customers realize this, and I think that there might be some distrust, if they didn’t have to provide more information. There are several parts of conversion and ease of use is one of them. Another very important one is trust.

    Like you said this is something that should be tested before fully implementing it.

    1. Absolutely, trust is a subjective but important factor. And it probably varies a lot by site — so measure rigorously what it is for your site.

  2. Number of characters required to send a Bitcoin payment: your password length.
    Number of characters required when using a mobile phone + Bitcoin QR code: 0
    Possibility of fraud after 1 confirmation: negligible
    Possibility of fraud 1 hour after receiving Bitcoin payment: impossible.
    And honest users in, say, Syria can still send payments using Tor.

    1. Do you have a reference for the law around that? With Stripe going into beta in the UK, I’m interested in whether we’ll need to add address verification to our payment form or not…

    2. Great post. James – I don’t know if this is actually the law(?) but I know that almost all merchant account providers in the UK require the address, full name, CVV etc. and “just asking” for them to remove the requirement of this info is futile.

      Stef – In the UK beta, Stripe seems to be offering exactly the same forms as they are in the US, so I’m quite excited about that.

    3. It is required by law, at least in the EU countries. The reason is (among other things) that you have to be able to prove that VAT has been taken care of properly and by doing so you need the personal information for each purchase made so the tax agencies can verify it.

  3. This is precisely why I use Stripe. Minimum number of fields. Dead simple to use and integrate and their out of box UI component options are well designed, cross-browser and mobile friendly.

  4. I found myself amused that the comment link at the bottom of this post had 3 fields in addition to the comment and 2 of them were required. Reason? Fraud.

  5. Brandon, great post. The only thing I’d add to this is that the *way* in which anti-fraud concerns prompt more fields is slightly more complex / insidious.

    In order to respond to a chargeback, a merchant is supposed to first go through an inquiry process where they produce the original receipt. During that phase, the merchant is required to interact through the “system” (I think it’s the customer’s issuing bank, but it might be the merchant’s bank or even the interchange) and there’s no way for the merchant to directly contact the customer via that rigid system.

    A lot of cases of chargebacks are things where the customer doesn’t recognize a legit charge. (There’s not enough room in the memo field that gets put on a credit card statement to explain subtleties, like “we are called Florida Home Products but our parent company is Maine Distributors” or whatever.) The merchant feels the need to capture all of the contact info so he can contact the customer and say “hey, we are your friends at Florida Home Products, why are you charging this back?” and resolve the chargeback amicably.

    Finally, there’s also a lot of first-party fraud: customer knowingly orders the item then claims it never arrived, etc. Given the rules of the interchange, merchants can get left holding the bag. Getting enough info to go after such a customer is pretty crucial (especially for merchants who ship hard goods or otherwise incur significant COGS).

    Interchange rules are pretty rigid about who can share what info with whom, but it would be a great help if there were a way to guarantee legitimate contact from a merchant to a customer, given a verified transaction between the two — perhaps a one-way blinded email / phone gateway. (Of course, a payment processor like Stripe could probably cache contact info gathered at one merchant and key it to the card number as used elsewhere, and provide this as a proprietary value-add.)

  6. It’s a nice idea to collect less data and with some business models it might make sense. While old school anti fraud measures like AVS and CVV2/CID seem simple and outdated, they are still a solid deterrent. Fraudsters will target the weakest link and merchants that opt to do away with some of the basic controls will become targets. One of the values of using device parameters during fraud screening is to compare against what is being overtly collected. Fraudsters know what they are entering in a checkout form but aren’t so sure about what is being collected behind the scenes. Detecting a mismatch between overt and covert data is a great strategy and you lose this if you only require the minimum. There are some basic things a merchant can do like not have someone select card type when it can be detected by the first digit. They can trim down mobile payment flows so it becomes easier with smaller devices. The key is finding a balance.

    1. That’s absolutely right — it’s a balance. My belief is that most sites are out of balance, and can move toward less friction in the payment process without taking on large amounts of fraud.

  7. This whole payment system is silly and retarded in my opinion. Consumer credit authentication is in the stone age. What happened to two factor authentication?

    If someone steals your social security number they can open accounts in your name. To stop it you have to call one of the credit bureaus and they will put an “alert” on your account together with a phone number. What most creditors do when they see this alert is call that phone number and make sure it’s really you opening the account.
    Really? Why isn’t that just the default? Are you opening credit accounts so often you are majorly inconvenienced to make sure someone verifies it’s you by calling the number you selected?

    Similarly with credit cards. They could just text your phone to confirm that you really are about to purchase something. You could turn this off EXPLICITLY, and turn it back on when you lose your credit card.
    If everyone used “Verified By Visa” or PayPal oauth-type portals for payment, this wouldn’t happen. When your bank password is compromised, you can just change it. To do this, you simply ask them to send you an authentication code at a previously supplied email address — two factor authentication. But now it’s too late, because anyone who accepts your credit card can steal it, and use it a year later.

    For that matter, why do we use Social Security Numbers and Credit Card Numbers for such important things? It’s a relic of terrible one-factor authentication. That signature stripe was probably supposed to be used to match your signature that you sign the receipt with. Well, no one does that.

    All you have to do is go on the site, purchase something using two lines, and they text you on your phone. You can turn it off explicitly. Then the law and the liabilities can change with such merchants. Of course, this will take years.

    1. That’s hard because users don’t like friction. That’s part of why things like “Verified by Visa” have had trouble getting acceptance among merchants.

  8. TL;DR

    1. Payment forms suck and are too long and provide a false sense of security.
    2. There are options. You don’t need to live in fear or mess up your forms!
    3. Options are hard, btw we are going to sell a service to provide said options.

  9. You forgot to mention marketing. When you purchase something from a company you become a customer and companies have the right to market to their companies. Getting your personal information helps them make you a repeat customer.

  10. If we talk about the development of payment systems we always get in a situation where we have to respect and have to take so many things into consideration.
    But there are very often various interrelated problems to solve …
    Here is a related article regarding this discussion …
    http://ux4dotcom.blogspot.com/2011/01/shopping-carts-check-out-there-is-often.html
    and about forms …
    http://ux4dotcom.blogspot.com/2009/06/form-of-forms-we-need-them-but-also.html

  11. Currently working in an e-commerce specialized enterprise, coding at the moment a merchant website.
    To be able to sell in the US, you need to calculate the tax amount separately. This tax amount depends on the product type, the current period, the state, sometimes even the city or the particular zip code in this city. So you absolutely need a billing address; the credit card alone is not enough.

  12. If you’re selling jumbo jets then 14 fields would be a starting point; and if you are selling 99 cent iPhone apps with no per unit manufacturing costs then a card number and expiration date is probably sufficient. The real point is that anyone in the transaction chain can decide whether or not to accept some risk. Just look at Square and similar processors. They are the merchant of record and have accepted a large part of the risk in order to reduce the time (read friction) it takes to become a merchant.

  13. The modern credit card was the successor of a variety of merchant credit schemes. It was first used in the 1940s, in the United States, specifically to sell fuel to a growing number of automobile owners. In 1938 several companies started to accept each other’s cards. Western Union had begun issuing charge cards to its frequent customers in 1921. Some charge cards were printed on paper card stock, but were easily counterfeited.
