[oldprogrammer2]

Stripe, Block, and PayPal each solved a massive pain point.

PayPal provided a way to pay people and vendors without giving away your credit card number.

Square made it easy to accept payment in person on a phone, without an extensive upfront underwriting experience and without expensive fixed monthly fees.

Stripe did the same as Square, but for accepting online payments.

Fraud and Risk come in many forms, and these providers, even with their UX innovations, sit on top of those same rails to reduce fraud. Without those rails, buyers can’t trust sellers and sellers can’t trust buyers.

In my opinion, you need to find a way to solve that problem before you can eliminate the fees being captured by these providers.

[Nextgrid]

A lot of the fraud hinges on the fact that all you need to drain an account is a static card number. A lot of hacks are subsequently piled on top of that to try and make it harder (SCA/3D Secure, captchas, etc), and a lot of busywork is spent tidying up the consequences of that (chargeback handling, etc).

You could eliminate a lot of the fraud by moving off a mostly-static identifier to merchant, amount and time-limited tokens the user generates with their bank (or the merchant redirects them there). This would address a lot of the issues - the tokens are useless when leaked (as they only work against the merchant's own account) and can't be misused even by the merchant to go beyond the agreed amount or time limit.

This means with such a system you’d immediately eliminate a whole category of fraud, with the only thing remaining being merchant-level disputes like goods not as described/etc, which can easily be made optional and the user can choose to opt-in for the extra fee. Then you would actually have a good case for lower/no mandatory fees at all.

One problem you need to keep in mind is that fraud mitigation is a big industry in an of itself (some of it is real, some complete snake oil but relies on the underlying problem being real to sell itself) and wouldn't be in favor of a system that is inherently immune to (at least some types of) fraud.

[hyperman1]

You've described Bancontact, the standard Belgian payment system since the 1980's or so. I suspect most EU countries have similar stories.

Paypal etc basically exist to deal with the backward underinvested USA payment systems.

[erichocean]

But @oldprogrammer2 claimed it was just "innovation" and not create-a-problem, rent-capture-the-solution.

Now I'm confused. There's a better way, and other 1st world countries have already adopted it?

[sidewndr46]

From a merchant perspective, there is a significant group that view this as a feature. Not a bug. Once a merchant gathers you credit card info, they can submit basically any transaction they want at any time. Yes, if you do this enough your payment processor will cut you off. But for businesses like gym membership, NYTimes subscription, car rentals, etc. it's a core feature.

The product in that case is not "payments as a service" to the consumer but in fact "payer as a service" to the business. If consumers didn't represent an unbounded ability to generate recurring revenue there are lots of profitable businesses that would go under overnight.

[Nextgrid]

> they can submit basically any transaction they want at any time

This can be generally be accommodated in my suggested model, they just have to specify upfront how much & how often they'd want to charge. If the gym membership is 50 bucks a month, then the token has a monthly limit of 50 (or maybe a bit more, to account for potential extras). The token lifetime could be set for the membership duration.

> car rentals

Get 1 token with your rental fee + a separate token (scoped until car return date + some time to inspect/discover any damage) for the deposit amount?

[sidewndr46]

You're thinking technical solutions to a sociological problem. Businesses like this are built on the fact that they can charge you an unspecified amount for an indefinite amount of time. Any attempt at a technical solution means those businesses refuse to adopt that solution.

[mnky9800n]

I suppose in this system you could white list such things. It would be a box to click when it directs you through the Auth process. I guess you could directly implement this in stuff like Norway's bank id system.

[martinald]

This is already happening, 16 digit PANs are due to be phased out https://developer.visa.com/capabilities/vts

[Nextgrid]

The page is light on details, but is it scoped and merchant/amount/time limited? Because if not, it’s yet another “hack” that merely reduces one specific type of fraud (when a card number is leaked) without fully addressing the problem, so the need for chargeback arbitration (and thus associated costs) persists.

[martinald]

In a word yes.

You'll still get a lot of chargebacks by the way. With a lot of ecomm I've been involved with the fraud you are talking about is actually a small part of chargeback volume. Most is unhappy or demanding customers, or another type of low level fraud, claiming goods didn't arrive despite a photo of the person literally accepting them from the delivery company. This is absolutely rampant in b2c with smaller merchants (I am aware you mentioned this but not sure if you are aware of the scale of it).

[peteforde]

The alarming rise in the incident rate of inappropriate chargebacks ("my fries were cold") really pisses me off as a sane user of contemporary credit card infrastructure. That is, I think of chargebacks as an absolute last resort; essentially a bulwark/ombudsman to protect me from bad actors. It should be used incredibly conservatively, and it should have significant reprocussions if it is used inappropriately; sort of like steep fines for hitting the emergency strip on a subway because someone wont move their backpack.

If chargebacks go away and aren't replaced by something at least as effective, that means that we're losing one of the most significant advantages intrinsic to the payment mechanism: peace of mind.

[hakfoo]

Chargebacks are in many cases the outsourcing of proper consumer-protection regulation and everyday customer service.

When the merchant fails to deliver or underdelivers -- "my fries were cold" -- appropriate customer service should be meeting the customer at that point and addressing it directly.

Modern systems of unempowered on-the-ground employees and endless loop self-service support stand in the way of that. Consumers naturally respond by pulling the levers that remain, which is invoking the wrath of American Express.

[alex_lazarin]

Reasonable people can disagree. What is a customer to do if they think a merchant is not a bad actor, but mistakenly refuses to refund their purchase? A chargeback seems like the fastest and cheapest option to resolve the dispute.

[rightbyte]

> peace of mind

Pay with cash. No risk of recurring charges, charging more than what you hand over, etc.

[Nextgrid]

Thing is, if you eliminate the risk of unauthorized transactions, you can then reasonably discontinue the concept of chargebacks as a whole, replacing it with a mediation/arbitration service that consumers can opt-in for an additional fee.

This would open the door to cheap or even completely fee-free transactions if the user doesn't want to opt-in to additional protection, which they reasonably may not want when the stakes are low enough (you weren't gonna chargeback a lunch anyway).

But for this to be viable, the risk of unauthorized transactions/origination fraud needs to be eliminated completely at a technical level, something I believe an oAuth-style system would do, and currently none of the many of hacks on top of the legacy system address. Otherwise, you'd still need to take some fees to refund unauthorized transactions, separate of customer-merchant conflicts.

[jkaplowitz]

How do you handle the part of chargebacks that currently validly apply to authorized non-fraudulent transactions, like services/product not delivered or not as described, or accidental double charges from vendors like random taxi drivers with whom you don't have a way to arrange a refund?

[ADent]

Zelle did that, but then the news had stories about Granny sent money to a scammer and the bank won’t give back her money.

[hugs]

> You could eliminate a lot of the fraud by moving off a mostly-static identifier to merchant, amount and time-limited tokens the user generates with their bank (or the merchant redirects them there). This would address a lot of the issues - the tokens are useless when leaked...

This almost sounds like a subtle recommendation for the Lightning Network. It's based on single-use invoices that are locked to a specific recipient and is usually limited to specific amounts.

[quohort]

It's pretty much how every cryptocurrency works, with separation of public (receive) and private (send) keys.

The fact that invoices are temporary in LN is a weakness of the design, not an intentional choice. The lightning network represents a regression from the typical use-case of cryptocurrency because both sender and receiver need to be online to make a payment.

[egypturnash]

There's a lot of interesting ideas around cryptocurrency but they all kind of have the problem that they're associated with cryptocurrency, which is now strongly associated with absurdly high transaction fees, get-rich-quick scams, and wasting colossal amounts of energy for a pathetically-low transaction throughput.

Good luck convincing J. Random User that your cryptocurrency is none of these things.

[EasyMark]

I would never recommend anything as volatile as crypto for a payment system.

[kinakomochidayo]

Lightning Network will never get widespread adoption because the UX is horrible.

[hugs]

That hasn't been my experience using Alby and Primal's Nostr client. It's been as easy as Venmo.

[azthecx]

Portugal like many European banks already has a working solution to this for 20 years where you can create temporary card numbers and use that instead or, as of late, pay directly through an app that enables this same behaviour.

The Netherlands had a similar system where they used physical totp (I believe) terminals which generated them from your bank card + pin, completely offline. Nowadays everyone uses iDEAL identically to what you describe.

[Workaccount2]

We have had this in the US too for at least a decade, people just don't use them, probably because of convenience.

[Nextgrid]

Unless you can cap the amount it’s indeed pretty useless. Most systems like this that I’ve heard of do not allow you to do that.

[Workaccount2]

With citi bank I can cap the amount and set the expiration.

[EVa5I7bHFq9mnYK]

You seem to have described Google pay and its tokenization scheme.

[immibis]

I often make medium-to-large purchases using SEPA bank transfer. The merchant gives me a bank account number, a random or serialized reference code, and a week to make payment. I go to my bank, and send the money to the bank account, inputting the same reference code. Once it arrives (usually within the day or the next morning) the thing is paid. This works for most online purchases that are not urgent and support the payment type.

[rafram]

That’s fair, but paying by credit card lets you:

- Keep the money in the bank (and earn interest on it) for another month or so

- Contest fraudulent charges or payments for goods or services that are never delivered

- Earn travel rewards (I know, those have systemic downsides)

- Pay any business in essentially any country in any currency with no fee for you and a low fee for the business

[Muromec]

SEPA has no fees and doesn’t care about currencies either. It’s EU only however.

[snotrockets]

You're wrong on all accounts here:

1. Banks are also allowed to charge fees for SEPA transfers, with some limitations.

2. It does care about currencies, in that it only supports one: the E stands for Euro, and all SEPA transfers, in the four rails it provides, are in Euros, including transfers from and to countries that are not in the euro zone.

3. And SEPA isn't limited to the European Union, as it has 36 states participating in the scheme, more than the EU's 27.

[l3x4ur1n]

I don't know from where you are, but in my country this is considered generally a bad or not safe idea. When you send money directly to someone, if they are fraudsters, it is very hard to get that money back. On the other hand, it's generally easier when you paid with your debit card. And even easier and safer if it was a credit card.

[immibis]

The victim is identifiable by their bank and therefore traceable by the law enforcement agencies. If they're fraudulent, men with uniforms and guns come to their house and put them in jail. It's a clever system, really.

[immibis]

I meant to say the recipient, obviously.

[holowoodman]

The things that are still missing to make this perfect:

- SEPA instant transfers (exist, but cost extra)

- A consistent (across all banks) API to poll for received payments for the merchant

- A consistent API (e.g. an URL schema that browsers do support) to quickly fill in payment details with your bank's transfer form.

[Muromec]

Dutch iDeal will be rolled out continent wide pretty soon ( soon in bank time ), which is what you want.

Last time I checked instant sepa (which was today) it was free as in zero commissions on either side and was actually instant.

[jkaplowitz]

Depends on the bank. In Germany, N26's free account charges 0.49€ per instant SEPA transfer, and sometimes it's unavailable because the other bank (e.g. one used by many German doctors) only supports non-instant SEPA.

But yes, instant SEPA is often free and often available and very nice when both of those are true.

[lifeisstillgood]

Can I understand this flow?

I want to buy a CD from Amazon for 19.99. I click on my bank application (or maybe some QR code on Amazons site) And that tells my bank app on my phone to authenticate my phone agains the bank And ask for a 16 digit number that is solely for amazon, 19.99 and 20240812

[Nextgrid]

Think standard oAuth. Github has multiple flows that should cover most purposes here: https://docs.github.com/en/apps/oauth-apps/building-oauth-ap.... The key is that payment data is encoded in oAuth-like scopes, so all authorizations are scoped by amount and lifetime, and are implicitly merchant-specific.

Browser-based flow, where you're already logged into the bank in an existing browser tab:

* Amazon redirects you to oauth-proxy.visa.com where you select your bank (if you've done it already once, it remembers and redirects straight to your bank)

* Visa redirects you to your bank - if you're not logged in, you do a login - this is up to your bank on how to do that - authorize with an existing phone, WebAuthn, etc. On OSes supporting it, this URL can be hooked and handled directly by a native app which may use the device's secure element to store its auth credentials for the bank

* Bank displays you the payment request details (which include your Amazon account email, order ID, etc - all info you need to confirm it's indeed your payment request and not someone else's) and allows you to change them (maybe you want to authorize more or less, or make it one-time/recurring with a daily/weekly/monthly/yearly cap, or set an expiry after which the authorization is no longer valid)

* In the background, Amazon gets a success webhook from Visa (or their processor) saying that this authorization request has been granted, or they can poll an endpoint - this eliminates the need for a final redirect back to them like in normal oAuth

* If this is a recurring charge scenario, Amazon can store this payment request token against your account and use it multiple times, as long as the charges fall within the policy set during initial payment request establishment (if you set a max of $20, they can do as many transactions as they want up to a total of $20).

Device-based flow, where you aren't/don't want to login in to the bank the same browser:

* Amazon redirects to oauth.visa.com as above

* Instead of clicking on your bank directly, you say "authorize via phone", it just encodes the URL of the current page in a QR code so you can scan it on the phone - you then do the above flow there. Because the success/failure of a payment request is already communicated directly between the merchant and Visa, there is no need for your phone to pass any data back to the browser, so no need for a "reverse channel" to be set up.

* On your phone, you may have your banking app installed, so it takes over the domain name of your bank and automatically opens the payment request authorization there, using your existing session within the app.

Point is, not only is there no longer a concept of a card number that can be copied, stolen, or leaked, but the user also remains in control - they can control whether the payment is one-time or recurring, set limits on recurring payments, and be able to cancel these authorizations at any time, after which they're guaranteed that nobody can take more money without going through this auth process again. This eliminates many reasons for chargebacks, and reduces fraud risks for merchants too (merchants are no longer vulnerable since the auth to authorize a new payment request is between the user and their bank directly), so things like behavioral fraud detection or captchas on payment pages are no longer needed.

Downside (for scammers): business models based on a free trial that rely on the user forgetting to cancel, or those who intentionally make cancellation annoying or impossible wouldn't work, because payment requests should list upfront the max amount they can take, and the user can adjust that and make sure the unwanted charge just won't go through even if they tried.

[CyanLite4]

This is no different than chip+pin for physical purchases. There are still other major areas of fraud that has to be addressed.

It doesn’t cover credit risk-even on a debit card, there can be a “hold” period of an arbitrary amount before the final transaction clears. When you swipe a card at a gas station, they often run a $50 authorization hold on your account.

It also doesn’t cover merchant fraud—- Visa/MC covers you if the merchant doesn’t ship the product because they’re a fake company.

Then there are value-added warranty services that higher end cards offer. These are easily worth the 1%+ fee.

[FireBeyond]

> When you swipe a card at a gas station, they often run a $50 authorization hold on your account.

Safeway gas stations upgraded their pumps to have tap-to-pay.

But with increasing gas prices (and not getting into that), they upped the auth hold to up to $125.

Except many card issuers limit contactless payments to $100... rendering tap to pay useless on the pump because it'll deny the preauth and require chip insertion.

[_w1tm]

> Except many card issuers limit contactless payments to $100... rendering tap to pay useless on the pump because it'll deny the preauth and require chip insertion.

I’ve noticed lately that contactless payments that go over the limit don’t require chip insertion, the reader just asks for the PIN to proceed. Maybe there’s been some updates to the standards?

[nasmorn]

We had a similar issue with ATM in Austria where they are all set to max give you 400 EUR. Which was a sensible idea in 2001 but pays for much less in 2024. Somehow the banks have never heard of inflation or really don’t want you to use cash

[lifeisstillgood]

So, this tickles an idea in my head. Under EU / UK regulations one can “overlay” a users bank account. I had always thought that was useful only as a Mint style approach but this seems feasible

[treflop]

This is a technical solution to a non-technical problem.

My risk to my credit number being stolen is honestly low. The risk is the merchant providing a substandard service 99% of the time, and an OAuth style payment flow does nothing for that.

Someone like Amazon who is a trusted merchant already negotiates fees with their banks and they likely already have an extremely low fee rate.

What Stripe, Square and PayPal provide is a service for integrators who don’t want to spend money talking to a bank, negotiating a rate, and then implementing the required security to execute their own transactions.

[simfree]

Walmart, Amazon, and the other big companies are not interchange exempt. They are not able to get a significant discount below interchange, hence why they keep financing lawsuits against Visa, MasterCard and such over the bundling of all Visa or MasterCard branded low-cost (non-rewards) and high-cost rewards cards under one banner that they are forced to accept as a bundle.

Merchants would love to reject all cards that are a Visa Signature and above, leaving only the very low cost cards as accepted. The Card Networks have engineered via branding and contracts that this does not occur though.

[throwway_278314]

I'm not sure you can eliminate fraud. You can shift it around, but not eliminate it.

Sweden thought going cashless would reduce crime. Nope, crime increased.

[blacklion]

PayPal: In Netherlands there is system called iDeal which provide online payments via tokens, without giving any of your data to seller (recipient). It is supported by all banks. It is super-convinient, you scan QR code by bank app on your smartphone if you pay on other device (laptop, computer) or link is opened by your bank app on mobile and you approve payment. You don't need to enter anything, only select your bank from the list. You don't need to pass your payment data to 3rd party like PayPal, there is no place to steal or phish your card or account data in this scheme.

Visa or MC could do the same, without additional parties. But no.

[farrelle25]

Just back from Poland- they have a great system 'BLIK' that sounds like iDeal...

Most merchants have a BLIK button... you click it, enter a 6 digit code created on your banking app. Purchase complete. Takes a few seconds. No card numbers, CCV etc..

[deepsun]

Same thing in Ukraine. And it's not because they face less fraud attempts, it's just their tech is years ahead of US.

[aguaviva]

Their tech is years ahead of US.

Can you elaborate? (Am new to the topic, so your perspective would be appreciated).

[deepsun]

Hard to pick up one thing among multiple.

For example, transfers between accounts are instantaneous, not 2-5 days for ACH (Wire transfers are same-day, but expensive).

Electronic menus/payments in cafes are default for at least 3 years now (US has toasttab.com but it's far from being default).

If you have a small business account, taxes are paid in one click (app shows you tax to be paid with Confirm button).

PS: These features are available in many other countries besides Ukraine, of course. Only in government id/functions Ukraine excels (#2 in the world, after Estonia only).

[aguaviva]

Good to know, thanks.

[Muromec]

Let’s just say I get an iPhone notification when the court case in which I’m a party had a hearing sceduled.

And if I want to write a petition in this case, I log into the web portal, write it down, click send and blink into the app twice to Electronically sign it.

Which produces your normal CMS ( pkcs#7 ) signature on a pdf file.

It’s also not a special court app for a specific locality, but a nation wide government app.

Wr also don’t write damn cheques and never did, as it’s bullshit. You want to somebody —- you get their card number, open the bank app and tap send.

[aguaviva]

Would this be the єСуд app, then?

That's certainly an interesting use case. And yes, difficult to see being pulled off anywhere in the US, the way it tumbles along with such things.

Re: paper checks: they're far from bullshit -- being time-tested, perfectly easy to use, and best of all, not requiring a device of any kind. Provided, as concerns ease of use, one has spent enough time in an environment where their use is ubiquitous. So I can certainly see they might appear as a nuisance or just weird at first, for the rest of the world).

[t0mas88]

iDeal is working on international expansion, so it may become available in other European places.

The main downside of iDeal for consumers is that it's irreversible. If you pay and then never receive the product, you can't get your money back. While PayPal and credit cards do offer that extra protection to consumers.

So iDeal is really only good for the merchants due to the very low transaction costs.

[olejorgenb]

I believe Vipps in Norway is similar as well

[roughly]

Stripe had a live dashboard over Black Friday that showed the dollar value of all transactions across their network, including those blocked for fraud. The fraud rate was nearly 12% of the total dollar amount of transactions.

[fragmede]

Which, we've got to ask about the false positive and the false negative rate. it's annoying when it's really me and I try to charge something and it gets declined, but also the fraud detection can't be 100% effective, so the real rate is probably higher.

[thesausageking]

The challenger to these will solve for a different problem. Not every transaction needs complex fraud detection or being able for the customer do to chargebacks.

For a 3% discount, would customers agree to use something that worked just like cash, where the transfer was instant and couldn't be undone? Then you don't have to worry about fraud, chargebacks, etc.

[multjoy]

>Not every transaction needs complex fraud detection or being able for the customer do to chargebacks.

Fraud is an industrial level enterprise. You absolutely need fraud detection if you're accepting payment that isn't cash.

[snotrockets]

You also need it for cash, but there fraud takes different form, and need different mitigations.

[ta_1138]

You are missing the opposite side of the fraud picture: Where it's not the business scamming you, but someone taking your credentials and spending up to the limit in a store that deals with no chargebacks. This is, if anything, the larger size of the fraud losses for the Stripes of the world. Fake businesses that use the cards either for testing if the creds are good, or where the owners charge cards that they obtained from some other malicious actor.

So it's not that I get 3% off by not supporting chargebacks, but whether I want to have a dollar under a payment system that supports someone emptying me out without recourse.... and the answer is often no.

[grogenaut]

Or further abusing your weak password on a site and then racking up a ton of charges to a product that they're capable of laundering in some way into money for them at any ratio.

[d0gsg0w00f]

But fraudsters can steal your cash too. The difference is that you don't call the bank when someone takes your cash, you call the cops.

[tonyarkles]

There's an issue that you're not addressing: what happens when someone who isn't me spends my money? I think people would be happy for the theoretical 3% discount until their account is drained and sent to North Korea with no recourse.

[BeetleB]

> For a 3% discount,

It is fantasy to think they'd get a 3% discount. The goods in stores that take only cash do not tend to be cheaper than those that do.

They know what people are willing to pay and will charge the price. If they see people are willing to pay $99 with a credit card, then they'll be willing to pay that with cash.

[devman0]

I think the issue here is who is paying the fee and where is the fee surfaced. A free market solution would work here, but it requires some regulating to create the transparency required.

Everyone pays their own credit card fee as a line item on the receipt, merchants are required to print it on the receipt. If customers actually had to pay their own fee's on each swipe you'd see a lot less people reaching for the Platinum card and instead for the no frills local bank credit card. You'd also see immense downward market pressure on swipe fees as now card issuers have to compete against each other.

[BeetleB]

Technically the merchant is paying the fee, and he perhaps is passing some or all of it to you.

The reason merchants might not pass it all to you if that they get a lot more sales volume when they support credit cards, so they can still be more profitable while paying for some of those fees.

I know I'm going to get hated for saying this, but the businesses that charge extra for credit card use under $10 are trying to extract as much out of you - they're aiming to get the best of both worlds. The price of their goods are still such that they're assuming you'll pay with a card.

At the end of the day a business has several costs. Rent, cost of shipping, utilities, etc. When these go up so do the costs of goods. Credit card fees are no different in that regard. If they hated it that much they wouldn't support credit card payments. They do support it because then know it'll bring in more revenue than without - and will easily pay for itself and more.

[Panzer04]

The issue is there's a huge disparity in the fees for certain payment methods.

Some cards cost merchants much more than others, but they are contractually forbidden from differentiating their prices based on that. It's anticompetitive. Lots of "buy now pay later" schemes work similarly, when afterpay was (or is) a big thing they charge 7% and forbid the merchant from including that cost in their prices.

If the consumer had to bear the cost of their payment choice, no problem, but the reality is consumers with low fee payments are paying slightly more than they should for everything and those with high fee payments pay less than they should for everything.

[immibis]

The reason merchants don't pass fees onto credit card customers only is that the credit card network prohibits them from doing so. If they were to charge a credit card fee, they'd get banned from processing credit cards at all.

[jnordwick]

> The goods in stores that take only cash do not tend to be cheaper than those that do.

In NYC they most definitely do. A lot of the corner stores will change you less with cash. I'm not sure it is a the card payment or that they are keeping the sale off the books, but something that might cost me $18.50, I'll pay $18 for.

[jtc331]

Yes, cheaper in the same store, but not usually compared to other stores that don’t have cash discounts.

[BeetleB]

When I wrote that comment I knew someone would come out and use New York City as a counterexample.

The reality is except for a few of the really major cities those types of stores are usually more expensive than their larger counterparts in virtually all other cities in the US.

In my city I'm not going to get cheaper groceries by going to the smaller stores. They are more expensive regardless of whether they support credit cards or not. They may be superior and certain other aspects but price is not one of them.

My guess is the opposite may be true only in places where owning a car is expensive or inconvenient.

[crtasm]

Handling cash has its own significant cost, it's not a direct comparison to a low-fee digital payment.

[jakub_g]

In Poland, the default way for computer shops in 2000-2010s was to offer 2% discount when paying in cash. (The prices displayed were assuming cash, so if you paid by card, you'd pay more.)

I didn't see this anywhere else though. It probably made sense for computer shops because most transactions one would do there would be sporadic, big, and planned.

(Since then, the Mastercard/Visa fees went down to 0.2-0.3% due to EU rules, so probably those discounts are less popular now).

[BeetleB]

> I didn't see this anywhere else though.

In the US offering different prices when paying by cash vs card was a violation of the agreement with Visa, as is putting a minimum price threshold for card usage.

It's still fairly widespread though, and occasionally makes the news. Might explain why you didn't see it often.

[jkaplowitz]

I believe the Visa merchant agreement never forbade cash discounts, only credit card surcharges. I'm not sure, but the current rules are different due to a legal settlement.

In the US, not only does Visa now allow cash discounts and minimum price thresholds up to US$10, but they also allow, in most states, credit card surcharges (sometimes subject to specific state-law legal requirements).

Visa still officially disallows minimum price thresholds outside the US and certain related territories like Guam, and credit card surcharges outside the US - but I nevertheless see them plenty often here in Germany in small shops. I think the permission to offer cash discounts is global.

[mrastro]

Do gas stations have a special deal with the card processors then? Basically all of them have a lower cash price.

[drstewart]

>In Poland, the default way for computer shops in 2000-2010s was to offer 2% discount when paying in cash

Yes, being able to illegally evade taxes is an easy way for businesses to lower prices slightly.

[Wytwwww]

And how would that work accounting wise? Would they just claim that a bunch of PCs "fall off" a truck?

I'm not sure subjecting everyone to poorly regulated (even in the EU it's fair from ideal) monopolies/oligopolies that are legally entitled to literally tax every single transaction in the economy (in addition to the complete loss anonymity and all the implications of that) is not a too high price to pay for some reduction in tax fraud...

[com]

“Shrinkage” is the generic term I have heard for stock losses of all kinds in retail and distribution channels.

In many jurisdictions, cash payments can allow the retailer to avoid on-paying sales tax or VAT, as well as mark stock shrinkage as a loss for their own tax purposes.

Countering this would require very careful auditing of electronic toll records and paper receipt processes, which are in most cases trivial to evade if well-prepared.

And you can’t always be sure that the shrinkage - without the cash - is reported to the manager of the retailer by the person on the till, especially if an unofficial handwritten receipt is provided by the cashier.

I recall seeing a situation involving a very large champagne purchase on New Year’s Eve in cash for 25% off and a “till receipt problem”.

[rfw300]

This is the purpose of Zelle, Venmo, money wires, and checks. But there are many problems they don’t solve, that customers and sellers prefer to be solved and are willing to pay for.

[tqwhite]

I would use my debit card even if it behaved exactly like cash, ie, when the recipient got the money, my only way of getting it back is to sue them or call the police.

Obviously any electronic payment system needs to be secure internally but society lasted a long time and made fine progress when having your wallet stolen meant losing your money.

It would be fine to require a person to charge their debit card with a finite amount rather than have it be funded up to the limit of the supporting account and that would solve the last problem compared to cash.

[margalabargala]

I understand that Europe is more secure with chip+pin, but in the US, debit cards do exactly what you describe. If fraud happens, you are out money until it is resolved.

The key difference from cash, in the US, is the ability to abuse cards at a later date without the physical card. For someone to steal your wallet, they have to be colocated with you and can only steal as much as you're walking around with.

As long as debit cards have a magnetic stripe and have their full number printed on them, and that information is useful, this problem remains.

[Deathmax]

> As long as debit cards have a magnetic stripe and have their full number printed on them, and that information is useful, this problem remains.

Which the EEA/UK has also (partially) solved by enforcing Strong Customer Authentication (SCA) that mandates that (most) transactions require MFA.

[Nextgrid]

I don’t believe SCA is enforced by the bank. It’s voluntary by the merchant. It acts as a liability shift but won’t save you from someone not caring about it and emptying your account (temporarily until the chargeback goes though). I don’t think any bank offers an option of “allow SCA-only transactions” and I don’t think it would be even possible (I’m not sure there is any token/session identifier to tie the SCA request and the actual subsequent transaction even).

When adding a card to a taxi app for example I get SCA prompt for a zero amount, but then they can charge me for any amount without subsequent SCA flows.

Presumably those subsequent transactions wouldn’t have a liability shift to the issuer but it still means that they can at least temporarily steal all your money until your chargeback claim goes through.

The whole concept of “card number” is rotten. What’s needed is an oAuth2-type system where every payment needs to redirect to the bank (actual redirect, no stupid hacky iframe like SCA/3DSecure is) and where you can see the merchant and set the max amount (and whether one-off or recurring) and the bank records that and keeps a list of authorized merchants so you can revoke them at any time. The merchant then must use this token to pull money, and can't pull more than what the token allows - just like your usual oAuth2 scopes.

[zinekeller]

This is not right at all (it's mandatory fo all banks and merchants in the EEA), although you're correct that SCA still has loopholes (like a US merchant... just trying, although a bank could just mandate 3DS to solve that).

[margalabargala]

Yeah, Europe is ahead on this; I hedged my earlier statements heavily.

It's not a difficult technological problem to solve. A card's chip should be able to guarantee that the card is physically present for any transaction.

Obviously online payments would pose a problem, people would need to either own USB card chip readers or banks would need to do something new and special.

[felurx]

In Germany (/ the EU?) we have electronic ID cards that can be used for a few online services.

The physical card can communicate via NFC, and there's a smartphone app you can use with it. For PCs, you can buy some fancy NFC interface if you want, but you can also have your phone act as a reader, the PC connects to it over the local network.

Maybe something similiar could work for banking cards. They all have NFC anyways.

On the other hand, you might as well just have an app that is registered with the bank on your computer/phone (like how it works for smartphone NFC payments) and skip the card.

[oneplane]

Online payments are done using pretty much the same system. Instead of the chip, you get either a 2nd authentication mechanism, or start out with a strong token (be it the strength of the token itself, or the stability of it).

An older example was getting transaction authorisation numbers. You would either get a long indexed list on paper, or you could receive then over the phone (voice or text). This was then mostly replaced (about 10 years ago) with hardware (H/T)OTP type tokens that required your card to be inserted in the token and PIN authenticated. Later on that too was replaced by a cardless version, and that one then was replaced (for consumers) with mobile apps.

The combination of minimum software versions, online authentication, transaction limits, daily limits, and time-locked temporary limit increases (so you can buy a car with your phone, but you have to up the limit a couple of hours ahead of time for it to take effect) make it pretty safe with acceptable risk for the bank. And then there's of course the standard fraud detection and prevention departments, so if you do something unusual that also involves a lot of money, you're likely going to get a call.

For business use, there are other systems, generally two types like EU-wide smartcards or bank-specific smartcards that can be used to authenticate and authorise. You'd use an USB or NFC connected method for that. Sometimes that involves entering a PIN on the device itself before the computer can talk to it, but that does make the OTP exchange very fast. You'd still have limits or multiparty authorisation setup in your organisation so you don't end up with one person just moving a couple of 100K around on their own.

And then there's some overlapping systems, apparently this one is going EU-wide: hhttps://en.wikipedia.org/wiki/EIDAS and apparently some implementations include useful things: https://www.idin.nl/en/businesses/ like age confirmation where the business doesn't need to know who, what or where you are just if you're of age (and not even a specific age). Granted, nothing is perfect, but it's a whole lot better than finding some S3 bucket somewhere with JPEGs of ID cards. As long as they don't do dumb stuff like trying to MITM TLS, it's progress. The overlap is in the concept where you can use some electronic means to prove who you are to get something done.

[grogenaut]

Lol

If you have an unprotected vector fraudsters will find and exploit it. They're literally paid to do so.

I've seen fraudsters that are ridiculously persistent to make $2,000 in a year. But they just keep poking at it at a certain point you're able to ramp that up to $80,000 in a month I know they're good it was completely worth it to him for several years.

How I've seen people spend hundreds of hours to generate a few hundred dollars worth of in-game currency or on-site reward points.

[crazygringo]

> Not every transaction needs complex fraud detection or being able for the customer do to chargebacks.

Well, not until you get hacked.

We might be happy with instant, no-undo transactions until our device gets hacked and our bank account with many thousands of dollars gets drained, through no fault of our own.

Then suddenly, complex fraud detection and transaction reversals seems like an awfully good idea.

Because the issue here isn't about chargebacks where you genuinely made the transaction but the business failed to deliver, and maybe you lose a couple hundred dollars. The issue here is about when you never authorized transactions at all, and you lose all your savings.

[alberth]

You just described debit cards.

And there fees are 1/10 of that of credit cards, as a result of giving up these benefits.

[nazcan]

But at least in Canada, only have low fees if they are in person - not online.

[stefan_]

EU caps interchange fees at 0.3%, which is probably still too much. The 3% is mostly to finance the various gimmick programs that make naive people think they are "gaming the system" with their 20th card in wallet (and because they can, of course).

[immibis]

Would the customer still agree to that 3% discount, after their computer got infected with a virus and 100% of their money was irrevocably gone?

[fuzzer371]

This has been done with Zelle and people are crying because they're dumb enough to fall victim to obvious scams.

[Yeul]

The idea of buying stuff from a dodgy website just seems strange to me.

One of the most fundamental basics of trading has always been trust.

[com]

Wait until you hear about German SME e-commerce and “open invoice” billing. So much trust from the vendor!

[DeepYogurt]

> Fraud and Risk come in many forms, and these providers, even with their UX innovations, sit on top of those same rails to reduce fraud. Without those rails, buyers can’t trust sellers and sellers can’t trust buyers. In my opinion, you need to find a way to solve that problem before you can eliminate the fees being captured by these providers.

And failing the elimination of those issues there will always be some fees. New vendors can pop in and push the fee structure down if they can run a more efficient operation.

[miki123211]

Most countries that aren't the US basically did this, in one way or another.

There are multiple ways of doing so, two-factor authentication (think 3d secure) is one, an oAuth like system where you log in to your bank on their website and consent to a wire transfer is another. There are variations on these ideas, the system we have here gives you a 6-digit code in your banking app which you can enter on any device, trusted or not, and then accept the transfer via a pop-up on your phone, no personal data involved.

As far as I understand, both US law and US history heavily incentivize the use of credit cards. There's no nice way for landlords, banks, mortgage lenders and other such institutions in the US to do "background checks" on their customers except through credit scores, and that incentivizes credit card use. There's also a regulatory difference in how credit versus debit card chargebacks are handled, making credit a lot more friendly to consumers in cases of actual fraud.

Then there's the historical aspect, in the era where there were no computers, and most vendors could at best call a bank to verify if a card was valid, a debit based system wasn't technically feasible, which is what put the US on the path of credit. A lot of poorer countries had the major cash-to-cards transition a lot later, in the era of chips and dial-up modems, which made debit a lot easier to implement, and so that's what they went with, and debit usually means far lower fees.

[m463]

> Most countries that aren't the US basically did this, in one way or another.

Most countries that ARE the US put the burden on the business and the credit card companies, and limit the liability to the credit card holder ($50 max, sometimes $500)

I've known people in other countries that lost money and they were SOL in comparison. Maybe they have cheaper transaction fees.

[Iulioh]

Nah, that's just because in the US people usually buy with credit while in Europe is mostly debt.

If you buy with credit you are using the bank's money, with debt your own and you have less protections in the second case.

Trust me, i have meet my fair share of adults who don't own a credit card and if they want to buy something online just charge a prepaid card with the needed amount.

American express is not accepted in a lot of places because it is only credit and the processing fees are double that of debit cards.

Visa and mastercard debit cards are accepted just because you can't only accept debit cards, a lot of vendors fought for the ability to do so.

[zeroCalories]

These systems act as sort of a fraud insurance. I think in an ideal world we would have low friction low cost money transfers, but people could purchase insurance against fraud. There are complications to this, such as how to be both efficient and avoid abuse, but it would simplify every day life not having to think about a million different payment systems.

[jongjong]

I find it weird how fraud protection is used to justify why these companies are so popular because fraud is not something that most consumers care about up front, most people only start caring when it happens to them. Most tend to assume that every tool they use is secure by default. "This product is not insecure" is not a very compelling selling point IMO.

It's actually difficult to justify Stripe's popularity aside from media monopolization preventing alternatives from gaining mindshare. Everyone knows Stripe but many don't know about the existence of alternatives.

[treflop]

Stripe, Block, and PayPal were never required to process transactions.

You can negotiate with a bank to get your own rate and then implement your own secure transaction processing. Visa is still required though.

I have worked at companies that bypassed those middlemen. Many companies don’t do it because they are okay with paying higher fees so they don’t have to deal with that extra headache, or because they work at smaller companies that think Stripe, Block, and PayPal invented payment processing when Visa and banks have been around for decades longer.

[konschubert]

No.

With 99% of my transactions I don’t care one bit about the ability to do chargebacks.

I just went grocery shopping. VISA was involved and took a few percent. Why??

I got my groceries. I’m not going to do a chargeback because the salad was bad.

Earlier, I bought something on Amazon. Again, VISA took a share. Why? In 15 years of shipping with Amazon they have always hinteres my returns.

[kleinsch]

You leave your credit card on the table at a coffee shop. A thief takes it and goes to the grocery store. You’re going to do a chargeback.

[matwood]

Funny aside. Anytime my CC has been stolen the thieves always go grocery shopping first, I assume for alcohol.

[warkdarrior]

It's the easiest way to test a card, before going to the Apple Store.

[konschubert]

Yea I’m not proposing to replace low security credit cards with low security debit card this is a silly strawman.

EDIT: I see the general problem of origination fraud. But that can be mitigated by imposing limits and requiring extra levels of authentication for bigger payments.

[crazygringo]

> EDIT: I see the general problem of origination fraud. But that can be mitigated by imposing limits and requiring extra levels of authentication for bigger payments.

Which are exactly the kinds of things credit cards do, but it can't be perfect so they still suffer losses, so they still have to charge a percentage.

(Of course a lot of the percentage can go to rewards programs, so we're talking about the percentage once those are accounted for.)

[konschubert]

In the US you can take money from a credit card by just using the that’s plainly written on it. That’s not what I would call making an effort at origination fraud prevention.

[crazygringo]

Believe it or not, they make a huge effort at fraud prevention. Because it takes away from their profits.

However there are both historical and convenience reasons at play here. It was a big transition to move to chips, for example.

So your assertion that they're not making an effort at fraud prevention is just completely untrue.

[lmz]

Hell, you can take money from a bank account by just using what's written on a cheque...

[ta_1138]

And that becomes industrial, as someone takes 50 thousand cards, and then steals $20 from each. Then the next store takes another $20...

Fraud is already a big business, with the current security levels. With worse security? Fraud goes up some more.

[konschubert]

Why are you thinking cards?

A modern payment system would require at least touch/Face ID on every transaction.

Higher amounts would require 2FA, pre-authorization, delays, cool-downs etc.

[devman0]

You said you don't want the ability to do chargebacks, but chargebacks solve two different problems: 1) origination fraud (i.e. someone not you originates a transaction from your account) and 2) merchant fraud (i.e. goods not as described/unsatisfactory/undelivered).

It's fine if you say, yeah I can do without #2, but realistically you cannot do without #1 in any digital payment scheme that will have wide acceptance so a chargeback mechanism is required.

The only settlement methods we have that do without both protections are cash, cashiers checks, and wires. Setting aside cash the other two are a pain in the ass to originate exactly because they are non reversible.

[konschubert]

1) can also be solved with limits and increasing levels of authentication.

[warkdarrior]

Sure, tell me the limit that has no fraud detection, so I know how many card numbers I need to steal.

[welder]

Nobody uses physical cards anymore... even my kids pay with their toy watch when playing restaurant

Edit: Tap pay is ubiquitous in the EU

[dkasper]

Absolutely not true. Some places still don’t even take tap to pay and still use chip.

[t0mas88]

Is that in the US? Europe hasn't used the magnetic strip on cards for years. It's all chip based and those payment terminals all take NFC / Apple Pay.

It would be suicide for a shop not to take it, I know many people that don't carry their bank card at all. Only their phone for Apple pay.

[FabHK]

Fun fact: In China, most people don't carry a wallet anymore. It's all on the phone.

[abakker]

Yes - for example, Home Depot does not take tap payments yet.

[tonyarkles]

This is something I find so fascinating about the American financial system... Home Depot in Canada has taken tap payments and Apple Pay for a long time now.

[welder]

Home Depot only exists in the USA. I was talking about EU where tap is everywhere.

[ta_1138]

Because you don't want someone that steals your credentials to spend large amounts of money in things they ship to themselves, instead of to you!

[carlosjobim]

> I just went grocery shopping. VISA was involved and took a few percent. Why??

Because you paid with a VISA card instead of paying by cash. Hint: it says Visa on the card.

[konschubert]

Why are you intentionally missing my point?

Are you saying we should somehow all go back to cash and also use cash online?

[oneplane]

What he's saying is that you (konschubert) involved VISA in the transaction. And since VISA is a paid service, you were charged.

As for why you involved them, that is the actual issue at hand, because it's a choice, not something that was forced upon you. But the choice isn't the first one that comes to mind; the choice was between protecting consumers or protecting corporations. And in the US, corporations are better protected than consumers. To level that protection, you (a consumer) have to involve someone else (a corporation) to gain any practical protection.

If that method of protection wasn't needed, you'd be paying using a cheaper (or free) method where you'd be protected differently (i.e. not based on the money going from A to B, but based on the fact that you are a consumer and should thus be protected).

You could also go back to the first choice that might come to mind: protection. If you are not in a society that protects consumers directly, but you also don't want to pay a corporate provider for that protection, you could opt to forgo that protection.

[konschubert]

And what I (konschubert) am saying is: I would like to have more choices, as a customer and especially as a merchant, so I don’t have to pay visa 3% next time.

And I think this means there is opportunity for disruption.

[oneplane]

Creating those choices requires societal adjustment. It is not something that can be manufactured by a market, and as such is the purpose of government. Many examples of this exist in production all over the world, with high degrees of success.

[carlosjobim]

If you find businesses who are willing to let you pay by other methods (assuming you are unwilling to use both cash and credit cards), you can give them your business. Businesses respond to consumer demand.

If they don't trust you enough to give you credit without a guarantor like Visa or Mastercard, then I don't think there is any way for you to force them.

There are businesses who let you purchase stuff online by bank wire.

[fendy3002]

One aspect that's very important is legal. It's very hard / cumbersome to comply in legal for payment processing in one country, having it to comply in most countries is a massive feat, and an expensive one at that. Though yeah if you already has a mass, pressuring regulation may be easier.

[katzinsky]

The whole point of a credit card is that you can give the number out. You're nesting solutions here.

[darth_avocado]

And the value prop isn’t just the payments. Once you add things like inventory management, front/back of the house integration, taxes and a bunch of other things, you’re simplifying a lot of things for the business at a lower cost than having them pay for every one of those things.

[analog31]

I use PayPal for my tiny business. On the one hand, I'd rather not pay them 3% of my sales. On the other hand, if the features of PP (security, buyer protection, ease of use) increase my sales by a palpable amount, then it pays for itself.