Reducing your online checkout process to a single click is tempting, isn’t it? In the face of phenomena such as the mobile first approach, demand for instant gratification among young generations of consumers, and conversions taking a matter of milliseconds, one-click payment might seem to be the Holy Grail of modern online commerce.
But every rose has its thorn. Enabling single-click purchases comes with increased risk and, therefore, needs to be implemented wisely. In this brief entry, I explain how one-click payments work, what the pros and cons of this solution are and show a few examples of this technology being leveraged truly effectively.
What is one-click payment?
One-click payment is a type of card-on-file transaction triggered by the cardholder. Simply put, a cardholder saves their card details on file, those are tokenized, and then the card can be charged without additional authentication whenever the user hits a “pay”/”buy” button or carries out another action defined as a payment trigger on the shopping site or in an app. Although, in theory, the system might be based on diverse flows, in most cases the merchant is not involved in card vaulting. In fact, they don’t even get access to card details. It’s the acquirer who stores all the card information and processes transactions when requested by merchants with valid tokens. This model also involves a PCI-certified payment gateway, supporting the tokenization process and, of course a quality user authentication system on the side of merchant infrastructure (as being logged in is enough to carry out payments). To be clear, the “click” does not necessarily have to be an actual click or tap, it might be any other action/event defined as a transaction trigger, such as finishing a rental of a shared vehicle or getting to a specified destination with a taxi ordered via a mobile app. Confused with all the parties involved in the process? Read this entry to understand the key participants of the payment ecosystem.
What does it take to accept one-click payments?
From a merchant’s perspective, all it takes is “just” 1) a quality payment gateway with PCI DSS Level 1 certificate combined with 2) a top-class fraud prevention system and 3) a smartly designed storefront. Let’s take a closer look at how the three can be assured. Below, I explain it through the lens of some critical aspects of the payment process.
One-click payments and security – tokenization
As you surely know, security is a crucial aspect of online payments. This is why cooperating with a credible, certified payment service provider is vitally important for the one-click payment model to be effective. As mentioned in one of the upper paragraphs, one-click is a type of card-on-file payment. Card-on-file payments – be those automated subscription-based transactions or one-clicks – leverage tokenization – the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
When your customers save their cards on file by filling a payment form on your checkout page with their card details, the only entities entitled to access those details and to store them are the acquiring bank and the certified payment gateway (like Straal). It is also the acquiring bank or the certified gateway who converts card details into tokens (both ways are acceptable as long as relevant PCI requirements are met). In other words, neither you – as a merchant – nor your gateway service provider (unless properly certified by PCI DSS) have access to card details. All you get are tokens assigned exclusively to your store. In order to charge a card, these tokens are either 1) sent to an acquiring bank via a payment gateway and after making sure that the tokens match their securely stored counterparts, the acquiring bank initiates transaction processing, or 2) are verified by the certified gateway who then sends a charging request directly to the acquiring bank.
As payment industry is strictly regulated, every single entity in the process has to meet certain requirements and hold relevant certificates. And here comes the key reason for PCI DSS Level 1 gateways being the most cost-effective choice for merchants when it comes to card-on-file payments. According to PCI standards, using a gateway certified as Level 1 enables accepting card-on-file payments with just SAQ-D (the lowest grade of a self-assessment questionnaire) met by the merchant. Simply put, tokenization is what makes card details, and thus one-click payments, secure. Therefore, making sure that tokenization is handled properly by credible entities is paramount.
Fighting fraud is one of the major challenges for online commerce. Effective risk management is all about making well-informed, data-driven decisions. While fraud prevention is a serious challenge even in the case of one-off card payments, enabling carrying out recurring transactions without additional authentication measures is – as you can surely imagine – bound with even greater risk. Simply put, more unauthorized transactions may result in more chargebacks. In turn, more chargebacks might lead to the violation of chargeback thresholds imposed by card organizations, leading to your business getting MATCHed, which as a result may lead to bankruptcy. Therefore, before implementing one-click, make sure that your business model and type of merchandise are suitable for instant shopping, that your storefront is properly secured against user account takeover attempts (consider biometric-based user authentication) and that your fraud prevention system is truly accurate in predicting fraudulent transactions. Learn more about fraud prevention tools designed for one-click payments.
Fraud committed by organized crime groups is not the only threat you need to beware of. Risk assessment for one-click payments must also take into account increased vulnerability to friendly fraud – much more difficult to spot as it’s committed by legitimate cardholders. Although, regular customers seldom use the chargeback mechanism to intentionally extort goods or services, some chargebacks might be filed by legitimate users who’d carry out transactions by mistake. Fortunately, this kind of risk can be to some extent mitigated through the use of UX mechanisms explained further.
Before you move on, please, keep in mind that one-click payment is – in terms of UX – one of the best inventions ever introduced to the world of online commerce. Modern-day shoppers/users expect instant results and get frustrated whenever experiencing a process that is either too long or complicated. On the other hand, checkout experience reduced to a single click might lead to the aforementioned unintended transactions and those might end up as chargebacks. You can prevent this from happening by implementing some smart speed bumps, such as:
- Easy purchase cancellation – a smart way of mitigating the risk of unintended transactions. Once a shopper hits the “buy” button, instead of initiating payment immediately, your system can inform them that it’s about to charge their card and that they have, say, 5 minutes to cancel the transaction without the card being charged at all.
- Proxy screen – making sure that carrying out a transaction is exactly what the user intends to do. It is yet another way to halt erroneous purchases. The flow is similar to the easy purchase cancellation one, yet the “buy” button does not trigger a transaction. It, in turn, opens a proxy screen asking the customer if buying a particular item with one-click is what they really want to do, allowing them to either proceed further or abandon the purchase.
- A dynamic confirmation request mechanism based on basic behavioural information – an extra authentication layer which can be activated when, according to behaviour analysis, the transaction is likely to be carried out by an unauthorized individual. In order to confirm the transaction, user might need to enter a single-use SMS code or PIN.
The three solutions, though practical, can be applied only in prepaid models – where payment determines fulfilment. When it comes to postpaid flows, including payment speed bumps of any kind is not recommended.
One-click payments – pros and cons
Examples of use one-click payments
- Mobility as a Service apps
One-click payments fit vehicle sharing and ride hailing apps hand in glove. Card details saved on file allow smooth and easy payments for rides and give service providers the ability to – if necessary – charge users for damage or other violation of terms & conditions automatically. Unlike in the case of prepaid mobility apps where in order to take a ride, users have to top up a digital wallet and are limited by the amount paid in advance, one-click payments give consumers certainty of being charged for only as much as they use the service. This lowers the entry threshold and makes new MaaS entities more accessible and inclusive.
- In-app cross-selling
As one-click payment is just a user-triggered card-on-file transaction, it perfectly extends subscription-based models, especially in the SaaS segment. Software vendors can smoothly sell additional services to their current base of subscribers, sometimes even right from the subscribed app. Knowledgeable SaaS merchants who monitor their user behaviour and adjust their cross-selling campaigns to different “levels of initiation” can win a lot thanks to one-click.
- Multi-platform digital service providers and IoT merchants
When the service is delivered to your customers in many different channels and through diverse platforms, one-click appears to be the only reasonable way of providing on-a-level user experience. Imagine typing in a credit card number on your TV remote control or on a keyboardless e-book reader. Painstaking, right? This is exactly the reason why Amazon developed one-click payments primarily for Kindle users and why their Dash Button technology – being a prequel to true IoT commerce – had gained quite a publicity before its key function was incorporated in Alexa voice shopping, resulting in discontinuing of the series.
Still got questions? Don’t hesitate to contact our Sales Team at [email protected]