“Better” 3-D Secure
When you pay for something online, you probably see this little window asking for characters from your password. The shops don’t have any control over the design of this part of the page.
I get annoyed with these every time I use them, so for fun I had a go at re-designing it.

- I’ve made the input boxes bigger
- I’ve made it clearer which number to enter in each box by using labels directly above the boxes
- I’ve removed the information that is seemingly useless to me
  - Date - I know what the date is!
  - Personal Message ‘Welcome to RBS secure’ - pointless waste of space. Update: Apparently this is a personal security message you can set yourself so you know the page isn’t spoofed - I’ve never been asked to set this personal message and it isn’t obvious where to do it, so in the end it’s still pointless.
  - Card Number - I know that I’ve just entered it
  - Username - I still don’t know what this is for, I can’t enter it anywhere or change it. It’s irrelevant right now anyway
- I’ve made the payment amount and payment recipient more obvious
- I’ve made the text on the ‘submit’ button relate to what you are doing (Pay £10.54)
- The ‘submit’ button is much larger and more clearly separated from the cancel button

Making your checkout as easy to use as possible is really important. It’s amazing how many customers just give up if they don’t understand something or get even the slightest bit stuck.






Er… the “Personal Message” is supposed to be one of the main points of the thing, since you set that yourself (using your card company’s online facility), and the only people who know it are the card company - so when you see it displayed, you know you’re using a genuine card acceptance page, not a phishing page. It’s a kind of reverse password, if you like, that the card company uses to identify itself to you. See “What is a personal greeting”, about two thirds of the way down http://www.mastercard.com/securecd/faq.do
Much the same applies with the card number - it’s echoing it back to you to prove that it’s the same organisation that you just gave it to. (Also, if you have more than one card and you’re rather forgetful, you might need reminding at this point which one it is so that you know which of your passwords you need to use).
Given that you don’t know that, though, it rather demonstrates the incompetence of their publicity - and, since the other main point is to transfer liability for misuse of your card away from the card company and on to you, the fact that they’re not telling you how to use the system securely doesn’t exactly inspire confidence in their level of customer service: “Here’s this new system, if you use it carelessly and get scammed then it’s entirely your fault and we disclaim all responsibility, but we’re not going to make any effort to educate you into how to use it properly - you’ll just have to go away and read all the small print yourself.”
The problem is, many users will never understand or bother to read this stuff. Even remembering a password or a number of passwords for different cards is a major challenge for many people.
A study found that sites could lose up to 15% of their sales by implementing 3-D secure:
http://www.internetretailing.net/news/3-d-secure-schemes-put-sales-at-risk
In principle it’s a good idea but it’s been executed very badly.