15

Why don't most banks have a system where, when you charge something on your credit or debit card, you then have to log into the bank and approve the transfer of funds? Alternatively, why don't they offer 2-step verification via SMS for all transactions? Why don't they have settings that you could customize that would require you to approve the transfer only above certain thresholds or in certain locations or if the business is on a personal blacklist or isn't on a personal whitelist? Why don't we use one-time-use keys generated on banking websites instead of CC numbers for transactions? It just seems really strange to me that money can be withdrawn from bank accounts simply by knowing the CC number (semi-private), CVV (semi-private), CC expiration (semi-private), name (public), and address (public).

The answer I am expecting here is that it would be slightly inconvenient to do these things, but I see no downside for the bank or the customer if the customer is not required to opt-in. This answer would not make sense unless these measures are forced upon customers.

tklodd

7 Answers

35

quid has expressed some of the disadvantages with this approach, but there is another. Vendors will not want to give you any goods you buy with your credit card until they are sure they will get the money. With your suggested approach buying something with a credit card now looks like:

  1. Vendor runs the credit card and has you punch in your PIN.
  2. Vendor waits while the SMS is sent to your phone.
  3. Vendor wonders why the SMS is taking so long. Waits again while you try to get better cell reception.
  4. Vendor waits again while you type in the response code and it gets to the bank.
  5. Vendor apologizes to the customers behind you that this is taking so long.

No vendor is going to stand for this for even moderate-sized transactions, so in reality they will just decline your card if you have this facility enabled.

DJClayworth
23

Credit card fraud is an extremely (to stress, EXTREMELY) small proportion of total credit card transactions. The card issuing entities all offer zero fraud liability, even on debit cards. There are millions of transactions every day and fraud loss just isn't worth developing, and supporting, an additional authentication layer that faces the consumer.

To be clear, the downside is cost. Cost to develop, cost to implement, cost to maintain, cost to support. All of this to stop something that millions of people have yet to even experience.

quid
5

Actually in Finland on some bank + debit/credit card + online retailer combinations you type in your card details as you normally do, but after clicking "Buy" you get directed to your own bank's website which asks you to authenticate yourself with online banking credentials. It also displays the amount of money and to which account it is being paid to. After authentication you get directed back to the retailer's website.

Cannot say why banks in the US haven't implemented this.

NikoNyrh
4

The other answers touch on why having two-factor auth or some other additional system is not worth it compared to simple reactive systems (cancelling lost cards, reversing fraudulent charges, etc.), but it should also be noted that this goal can be achieved with a method similar to what you describe.

My bank (TD Canada Trust) has an app (I'm on Android) that gives you a notification immediately after your card is charged (even test charges like at the gas station). It's really simple, does not slow down authorization, and makes fraud detection super easy. (I'm sure some other banks have similar apps.)

Adam Martin
1

Credit cards and debit cards make up the bulk of the transactions in the US. Visa and Mastercard take a percentage of each credit card transaction. For the most part, this fee is built into the price of what you buy. That is, you don't generally pay extra at the grocery store if you use a credit card (gasoline purchases are a notable exception here).

If you were getting something like 2% of a third of all the retail transactions in the US, you'd probably not want to rock the boat too much either. Since there is little fraud relative to the amount of money they are taking in, and it can often be detected using statistical analysis, they don't really stand to gain that much by reducing it through these methods. Sure, they can reduce the losses on the insurance they provide to the credit card consumer, but they risk slowing down the money machine. These companies want to avoid doing something like reducing fraud by 0.5% of revenues but causing purchases with the cards to drop by 1%. More security will be implemented, as we can see with the (slow) introduction of chip cards in the US, but only at a pace that will prevent disruption of the money machine. EMV will likely cause a large drop in CC fraud at brick-and-mortar stores but won't stop it online. You will likely see some sort of system like you describe rolled out for that eventually.

1

This is a question with a flawed premise. Credit cards do have two-factor authentication on transactions they consider more at risk to be fraudulent. I've had several times when I bought something relatively expensive and unusual for me, where the CC either initially declined and sent me a text asking to confirm immediately (after which they would approve the charges), or approved but sent me a text right away asking to confirm (after which they'd automatically dispute if I told them to). The first is legitimately what you are asking for; the second is presumably for less risky but still some risk transactions.

Ultimately, the reason they don't allow it for every transaction is that not enough people would make use of it to be worth their time to implement it. Particularly given it slows down the transaction significantly (and look at the complaints at the ~10-15 seconds extra EMV authentication takes, imagine that as a minute or more), I think you'd get a single digit percentage of people using that service.

Joe
0

A few years ago I had a US bank credit card that was serviced (all support, website, transaction issues) by FIA Card Services (part of Bank of America).

I could create one-use credit card numbers, or time-limited (for example, 3 months) numbers.

I could also create ("permanent") extra card numbers.

All of these could have a max charge value (IIRC, even a fixed value), so you could have a separate card number, with a limit, just for a subscription service or gym membership.

The bank issuing the card cancelled the entire card offering, so I lost these features. Maybe FIA still provides these features on cards they service.

As a note to pjc50 (can't comment in this SE yet), Japan has had contactless cards for >10 years, but during use they tend to place them in a special tray (with the sensor underneath) during the transaction.