
Netherlands. It's not entirely clear to me what Americans mean by a debit card, but over here, we tend to pay with our bank card, and simply transfer money directly that way. Although with smartphone apps, the card is now mostly optional; I just pay with the app. Over NFC in a shop, or by scanning a QR code online.

Although one of my banks has recently sent me a new bank card with a credit card number on the outside, and that worries me a bit, because I don't have or want a credit card from that bank, and I certainly don't want to expose myself to that kind of security hole.




That's a debit card then. In the Netherlands, that historically means Maestro or V PAY, which are indeed not usable for online payments.

But as you've noticed, Maestro is being phased out by Mastercard, to be replaced by Mastercard Debit, and that one will be usable online using its 16-digit card number just like a credit card.

If you don't want to use the online payment feature of it, some banks let you disable it. Otherwise, the worst that can happen is that you're short the money until your bank refunds you in case of fraud – still very frustrating if it does happen, but it's very revocable.


> Maestro is being phased out by Mastercard, to be replaced by Mastercard Debit, and that one will be usable online using its 16-digit card number just like a credit card.

But that's a massive step back. We should be getting rid of payment information on the outside of cards to share with merchants. We should be introducing protocols for secure online payment through your own bank. Which the Netherlands has (iDeal), but it's not universally internationally supported. (Steam supports it, Lego does not.)

What we need is an international version of iDeal, not turning everything into the insecure system that credit cards use.

> the worst that can happen is that you're short the money until your bank refunds you in case of fraud – still very frustrating if it does happen, but it's very revocable.

Yes, but that introduces fraud into a system that doesn't need it, which will drive up the cost for everybody. It's a step backwards.


> But that's a massive step back.

Seen purely from a security point of view, I agree.

But so many people have only exactly one debit card and currently can't use it for online payments abroad at all. Adding that feature to a bank's standard card seems like a good idea from that point of view, especially given that it doesn't add any additional liability. I also think it should be possible to be deactivated, but "on" seems like a reasonable default to me.

> We should be introducing protocols for secure online payment through your own bank.

This exists for credit and debit cards: 3DS! It's even mandatory for many intra-EU payments. If it's not used, chargebacks are mostly trivial to win for banks.

> What we need is an international version of iDeal, not turning everything into the insecure system that credit cards use.

Realistically, that's not going to happen anytime soon. Visa and Mastercard have had many decades to grow their international footprint.

Domestic alternatives have started showing up (e.g. UPI in India, WeChat and Alipay in China) with significant success, though, and I could see some of these eventually expanding to a competing global system. I don't see that happening for an individual EU country's scheme, though; it would have to be something pan-European like the proposed "digital Euro".


> "on" seems like a reasonable default to me.

Not if users aren't aware of the fact that their bank account suddenly has a massive new vulnerability they have to be looking out for.

> 3DS!

Another system by Visa and Mastercard. I'd really like our payment systems to be independent from that duopoly.

But also: it still has the fundamental problem that credit cards have: you still enter your card number into the merchant's website. From what I understand, only if merchant and customer agree to the extra security, does it actually offer that extra security.

The big advantage of iDeal is that the only thing the merchant has to know, is which bank I use. Merchant redirects me to my bank, sends the payment details to the bank, I authorise the payment on my bank's site with the best security my bank offers, and the bank sends me and the approval back to the merchant.

Many webshops kinda do something like that by handing payment off to their payment provider, but their payment provider isn't my payment provider yet still needs a credit card number. And what if a merchant uses a shady payment provider? But if those payment providers were to support a safer system, an international version of iDeal, that's really all we need. (In fact, I think some of them do support iDeal, which is great.)

But I want to get rid of typing large supposedly-secret-but-not-really numbers from my card into a stranger's webform.


3DS is a mostly independent standard from Visa and Mastercard. Yes they’re responsible for authoring, but the technical systems underneath are pretty much independent of standard card processing systems. 3DS is basically implemented as a standard set of REST APIs and HTML pages, with a standard around how the 3D flow is initiated, and crypto tokens exchanged via standard card payment ISO messages.

Nothing would prevent you from strapping 3D onto any other payment system of your choice.

Merchants have to choose to perform 3DS, but EU Strong Customer Authentication rules make it mostly mandatory for EU merchants to use 3DS. They can only really opt-out if they can consistently demonstrate they’re capable of detecting and preventing fraud, keeping it at levels that are basically equivalent to fraud seen on 3DS transactions.

The card number alone is not enough to perform a card transaction. There are some merchants out there that are capable of performing card transactions with only the 16-digit number, such as Amazon, but you need to be a very large merchant, and demonstrate you’ve got effective fraud controls in place to prevent abuse. Any smaller merchant attempting something similar will find their merchant accounts quickly closed, and all transactions automatically refunded.

> Many webshops kinda do something like that by handing payment off to their payment provider, but their payment provider isn't my payment provider yet still needs a credit card number. And what if a merchant uses a shady payment provider?

They mostly don’t exist. Becoming a payment provider on the Visa and Mastercard networks is expensive, difficult and very time consuming. Additionally, Visa and Mastercard monitor all network participants; if they’re seen to be misbehaving then they get disconnected from the network, and their collateral payment is seized. So running a shady payment processor isn’t profitable.

The system isn’t perfect, but most of the things you’re concerned about don’t happen in the EU. They happen a lot in the U.S., but the U.S. has a very different culture around money to the EU, and their payment systems are a bit more bonkers. Which is why EU banks tend to get a bit trigger happy with their fraud rules when customers travel to the U.S.



