Pushmepullyou: Discount for Cash

By | 2012-10-05

I’ve touched on the idea before, but I thought it was time I made it explicit. I want to compare customer-not-present purchases using bitcoins and using credit cards.

In particular: security.

Consider a modern web site, accepting a credit card. You fill up your basket and press “buy”. You have to supply:

  • Name
  • Address
  • Email (so you can log back in to the website)
  • Credit card details

These bits of information are almost certainly stored by the company you’re purchasing from. Let’s think about how they get their money. They take these details, plus one other,

  • One “secret” number, the CVV, which the credit card companies insist (but they have no way of enforcing) that nobody stores. It’s a three digit number randomly assigned to each issue of the card you receive.

… and head off to their payment processor (often the supplier’s bank), having made up a payment authorisation request using your details. Their payment processor is not necessarily someone you have a deal with; they are another intermediary. That processor gets in touch with VISA (or Mastercard or even Amex I suppose) and hands over your details again with a request for a certain amount of money. VISA and Mastercard are clearing houses; they have a deal with your actual card provider (probably your bank) as well as the payment processor. All card transactions pass through their hands — it’s the only way to make it so your supplier doesn’t have to have a payment arrangement with every bank on the planet.

Bear in mind, there is nothing that forces the price on the page where you clicked “pay by credit card” equal the amount being requested from the clearing house. Note also that your details are in at least three company’s hands. Note that the “secret” number is in their hands too.

At this point, VISA pops up a page in your browser asking that you confirm your identity by using the card number to look up a VISA account, which has a password associated with it. This password is never shown to the original supplier or payment processor. (Not that a bit of Javascript from the supplier couldn’t easily scrape it as you type).

The request gets authorised and the supplier can ship your goods. The supplier now waits for VISA to get in touch with your card issuer (they can work out who this is from the card number) and request payment via the banking systems own payment system. That payment eventually clears, VISA take their cut, the payment processor takes their cut, and the money ends up in the supplier’s account.

This is a PULL system of payment. Your supplier has to ask (via some proxies) your bank for the money. They request whatever they want, they retain all your details, and nothing prevents them from making another request tomorrow. The fact that they store all these details means that if any of the sites you purchase from ever gets hacked, your card details are compromised and the thief can start making requests for your money just as the supplier can. In short: your money is completely out of your control. What’s more, VISA see everything; your privacy is non-existent.

Consider a web site accepting bitcoins. You fill up your basket and press “buy”. You have to supply:

  • Address (assuming this is physical goods we’re talking about). If not physical goods then… nothing.

They might ask you for your email address, but it’s not necessary. You don’t even need an account on the website; just this one basket of goods.

Their website gets in touch with their bitcoin software; which provides them with a unique bitcoin address for this order. They probably write that address in their orders database along with your delivery address. Then they tell you that address, and the number of coins needed to complete the order.

You go to your bitcoin wallet, and send the appropriate amount to the appropriate address. You choose how much to send, and from what source it is sent. You could, if you wished, send the bitcoin address to your gran and say “hey gran, buy this for me for my birthday”. Or you could pay part from your desktop wallet, part from your online wallet, and part from your mobile wallet.


The supplier is free to monitor that address until it has received enough to pay for the goods, and then ships when they have it.

The supplier is happy because when there is no messing around with authorisation then clearing. Bitcoin clears transactions in ten minutes — not just authorised, cleared. The supplier has the money and it can’t be taken away from him. What’s more, VISA didn’t get a cut. He can charge you a lower price.

You are happy because you didn’t have to hand over information that would be valuable to a hacker. If the supplier subsequently gets hacked all the hacker learns is a way to pay your bill for you.

This is a PUSH system of payment. You choose to send money; the supplier does not get to just suck it from your account because they happen to know the card number.

Your privacy is protected because all that can be seen by third parties is a transfer from random account A to random account B. What’s more, because each new order creates a new payment address, it can’t even be seen whether you’re using the same supplier.

The only advantage the card payment systems have is historic: they are what we already use. If we were starting again today, we would consider them antiquated.

“Discount for cash” is about to become “discount for bitcoin”.