Signatures, Sergio and standardising the payment experience
According to The Daily Telegraph, “written signatures are dying out amid a digital revolution”. I’m going to miss them. Of course I know that when it comes to making a retail transaction, my signature is utterly unimportant. This is why transactions work perfectly well when I either do not give a signature (for contactless transactions up to £30 in the UK, for example, or for no-signature swipe transactions in the US) or give a completely pointless signature as I do for almost all US transactions.
"Fears are growing that this is potentially leaving people open to the risk of identity theft and fraud as their signatures are more easily imitated."
From "Traditional signatures are dying out amid digital revolution".
If I do have to provide a signature, then for security purposes I never give my own signature and for many years have always signed in the name of my favourite South American footballer who plays for Manchester City. Now it turns out that this is sound legal advice, since according to Gary Rycroft, a solicitor at Joseph A. Jones & Co., it is an increasing problem that people order things online but sometimes they do not show up, so to acknowledge receiving something “I always sign my initials, for example, so I could prove if it wasn't me” (because, presumably, a criminal would try to fake Gary’s signature).
Now the issue of signatures and the general use of them to authenticate customers for credit card transactions in the US has long been a source of amusement and anecdote. I am as guilty as everybody else of using the US retail purchasing experience to poke fun at the infrastructure there (with some justification, since as everybody knows the US is responsible for about a quarter of the world's card transactions but half of the world's card fraud) but I've also used it to illustrate some more general points about identity and authentication. My old friend Brett King wrote a great piece about signatures a few years ago in which he also made a more general point about authentication mechanisms for the 21st century, referring to a UN/ICAO commissioned survey on the use of signatures in passports. A number of countries (including the UK) recommended phasing out the time-honoured practice because it was no longer deemed of practical use.
Well, signatures have gone the way of all things. In April, the US schemes stopped requiring signatures.
They were sort of defunct anyway. According to the New York Times, Walmart considers signatures “worthless” and has already stopped recording them on most transactions. Target has stopped using them too. I completely understand why, but to be honest I think I’ll miss signing for purchases in America.
No more signing Sergio Agüero for US credit card transactions, hello to signing Sergio Agüero for the Amazon lady who calls at my house with monotonous regularity.
If you are interested in the topic of signatures at all, there was a brilliant NPR Planet Money Podcast (Episode number 564) on the topic of signatures for payment card transactions a couple of years ago, in which the presenters asked why we were still using this pointless authentication technique.
Ronald Mann (the Columbia law professor interviewed for the show) noted that card signatures are not really about security at all but about distributing liabilities for fraudulent transactions and called signatures “eccentric relics”, a phrase I love. His point was that the system doesn’t really care whether I sign my transaction Dave Birch or Sergio Agüero: all it cares about is that it can send the chargeback the right way (bank or merchant, essentially) when it comes in.
In addition to the law professor, NPR also asked a Talmudic scholar about signatures.
(The Talmud is the written version of the Jewish oral law and the rabbinic commentary on it that was completed in its current form some time in the fifth century. There are two parts to it: the oral law itself, which is known as the Mishnah, and the record of the rabbis arguing about it and what it meant, which is known as the Gemara.)
The scholar made a very interesting point about the use of these eccentric relics when he was talking about the signatures that are attached to the Jewish marriage contract, the Ketubah. He pointed out that it is the signatures of the witnesses that have the critical function, not the signatures of the participants, because of their role in dispute resolution. In the event of dispute, the signatures were used to track down the witnesses so that they could attest as to the ceremony taking place and as to who the participants were. This is echoed in that Telegraph article, where it notes that the use of signatures will continue for important documents such as wills, where a witness is required.
(The NPR show narrator made a good point about this, which is that it might make more sense for the coffee shop to get the signature of the person behind you in the line than yours, since yours is essentially ceremonial whereas the one of the person behind you has that Talmudic forensic function.)
The Talmudic scholar also mentioned in passing that according to the commentaries on the text, the wise men from 20 centuries ago also decided that all transactions deserved the same protection. It doesn't matter whether it's a penny or £1000, the transaction should still be witnessed in such a way as to provide the appropriate levels of protection to the participants. Predating PSD2 by some time, the Talmud says that every purchase is important and requires strong authentication.
So, my interpretation of the Talmud is that it is goodbye to contactless and goodbye to stripe and goodbye to chip and PIN, and hello to strong authentication (which may be passive or active) and secure elements. We have the prospect of a common payment experience in store, on the web and in-app: you click “pay” and, if it’s for a couple of quid, the phone will just figure “hey, it’s you” and authenticate; if it’s for a few quid, your phone will ask you to confirm and can use your finger or your face; and if it’s for a few million quid, you’ll get a callback for voice recognition and a retinal scan. The same purchase experience for everything: the cup of coffee and the pair of shoes and the plane ticket. It turns out that once again we can go back to the future in the design of our next retail payments system.