Demystifying everything around 1-click checkout (store card feature) : Amazon Patent, Conversion, Compliance (and more)
[Editorial notes : Yesterday we covered the making of Flipkart’s Saved Card feature and today we are demystifying the 1-click checkout process (a.k.a. saved card or stored card feature) in a conversation with Nitin Gupta, CoFounder and CEO of PayU. PayU launched it’s 1-click checkout (white label) service in September 2012 and this QnA is an attempt to demystify how 1-click checkout works.]
NBW: What can be stored and what is not allowed to be stored?
Nitin, PayU: Card holder name, Card Number and expiry date can be stored. CVV of the card and the password is not allowed to be stored.
NBW: If somebody hacks into a user account on a merchant’s website; can then he/she see the card details of the user?
Nitin, PayU: No. As a practice, once the user has stored details then whenever he/she logs into the account again, the user is only shown part of the card details (usually the last 4 digits only). So there is no way that anybody can know all the card details. Further on, CVV and 3-D secure password is required to complete the transaction. These details are never stored.
NBW: What kind of compliance and security requirements are needed to be able to store data?
Nitin, PayU: Card data can be stored and managed in two ways:
(i) The merchant does it by itself: This means that all the compliance and security requirements are taken care of by the merchant. At minimum, the merchant needs to be PCI DSS (Payment cards industry Data security standard) compliant. After that the merchant needs to encrypt the sensitive card details and store it securely. The encryption and storage process is tricky since there are several ways to do it and there are several ways to manage the key which is used for encryption. The ideal process is to use specialised hardware for the purpose of key management and encryption. However, hardware is extremely expensive and difficult to deploy as compared to doing it manually or using software.
(ii) 3rd party like PayU does it and offers it as a white label service: Here the 3rd party becomes responsible for the encryption and storage of sensitive card details thus taking care of all compliance and security requirements. The 3rd party like PayU should also maintain different keys for different merchants since they are offering a white label service and the data of one merchant cannot be used on another. When using a 3rd party service, it is important to ensure that the 3rd party used hardware for key management since they will be managing large number of keys. For example, PayU uses such hardware (or switches). The way this process work is that when the user opts in to store card data, then PayU shares with merchant a token for that user. When the user comes back and the merchant has authenticated the user, then the merchant passes this token to PayU. PayU cross verifies the token and at the time of calling the bank API’s substitutes the token with the card details to process the transaction.
NBW:Amazon has a patent on 1-click checkout. What does it meant to ecommerce companies implementing this feature?
Nitin, PayU: The process that Indian comanies follow (due to 3D secure) is diff from that of amazon. So not at risk but the phrase ‘1-click‘ needs to be ideally avoided.
NBW:If a merchant is PCI DSS, then does it mean it can store card details?
Nitin, PayU: It depends upon who is managing data encryption and storage. PCI DSS compliance means that merchant can deal with card data which includes collecting card data on their own site. To store card data, one needs to encrypt and safely store the card data which means the PCIDSS compliance requirements goes up. Until and unless, this added security and compliance is being taken care of by a 3rd party like PayU, the merchant would need to do additional effort.
NBW: If a merchant is not PCI DSS, then can it store card details?
Nitin, PayU: Yes! This is where the white label service of a 3rd party comes into picture. For example, in case of PayU, if you are not PCI DSS certified then the card details are collected on the PayU Page. At the time of entering card details, the user is given an option to save the card details. If the user opts for it, then the card storage is managed by PayU and the merchant is given a unique token for that user. Offering store-card for any merchant today is easier than getting a payment gateway!
NBW: What kinds of adoption rates are merchant’s seeing on store card?
Nitin, PayU: There are two statistics that we are seeing as PayU:
(i) About 10.2% of the users who are given an option to store card details, choose to store card details. At this point in time, we expect that as this service becomes common, then this number will increase to north of 20%.
(ii) Users who store card details do about 2.4 times more number of transactions than users who do not store card details.
The above also implies that loyal users prefer to do this. It clearly improves the overall user experience and in our opinion, improves the conversion rates as well. The earlier the merchant offers this service to their customers, the better off they are.