
Why Do People Obsess Over Security And Then Make Payments Without A Password?

Let’s take the following two statements:

  1. Indians are obsessed over security
  2. Indians make payments without entering any password.

Each of these statements is a fact. But, taken together, they appear contradictory and portray Indian consumers as fickle (or worse).

Not true.

In this blog post, I’ll use the principles of Customer Journey Mapping to explain why these statements are not contradictory and Indian consumers are not fickle.

Before that, let me amplify the two aforementioned statements.

Indians are obsessed over security

Everyone insists on the security of their payment apps, but Indians are obsessed with the topic. For some reason, there's a widely held belief that fraud originated in India. While I disagree, I’m in the minority. As a result of the majority opinion, Indians demand utmost security in everything, which has given us super-secure practices, e.g.:

  1. Two-factor authentication for online credit card payments. (For a long time after the introduction of PIN for offline credit card payments, they required a signature as well, "just to be on the safe side".)
  2. Electronically delivered documents (e.g. ebills, digital security notes for online stock transactions, etc.) are sent only to the registered email address. Although users access that inbox via a password, the electronic document (typically in PDF format) has its own passphrase. After all that, the PDF itself carries a digital signature.
  3. No burner phones. Even prepaid mobile phone connections are subject to full KYC.

Needless to say, the security obsession of Indians extends to mobile wallets in which they store their money.

Indians make payments without entering any password

PayTM is the largest mobile wallet in India. With over 300 million users, it's gunning to become the largest mobile payment in the world (by user count, not transaction volumes). Should you wish to know how PayTM raced ahead of its competitors, I strongly recommend this blog post entitled Five Reasons Why PayTM Is Miles Ahead Of Its Competition, even if I say so myself :).

The logout button of PayTM is buried deep inside the app - it requires five scrolls to reach it.

[PayTM's Elusive Logout Button]

As a result, many PayTM users haven't seen this button and remain logged into the app at all times. This means they can make payments without entering the password that's asked only at login. And 99% of them do, going by my personal observation.

As we'll see shortly, this creates a huge security vulnerability in PayTM.

Still hundreds of millions of security-obsessed Indians make prolific use of PayTM.


That's because of the way customer journey works.

For the purpose of this post, Customer Journey can be defined as the path taken by customers while interacting with a company / brand. A customer journey

  • traverses multiple stages in a customer’s relationship with a brand viz. awareness, interest, desire, action, repeat purchase and advocacy AND
  • encompasses a variety of physical and digital touchpoints like store, telephone, website, mobile, and other channels.

Closely related to Customer Journey is the concept of Customer Experience, which is the overall experience felt by the consumer while they go through the Customer Journey.

In the specific context of a mobile payment app, let's say you've installed a mobile wallet and use it regularly, say, 3-5 times a day. In customer journey parlance, you're at the "repeat purchase" stage.

Question: If you have to enter an 8-character password that is a combination of letters, numbers and special characters (say Pa$sw0rd123) into a mobile wallet five times a day, will you look forward to using the app?

I thought so, too.

The takeaway from this is that you'll use an app on a regular basis only if it’s frictionless. Per contra, you’ll avoid an app that makes you jump through several hoops. This means that you value convenience at the end of the customer journey.

Now let’s go back to "awareness", the stage at the start of the customer journey.

Question: If you hear that a mobile wallet is not secure, will you touch it with a 40-foot bargepole?

Again, I thought so, too.

But PayTM is one such app. Notwithstanding all the song and dance PayTM makes about Norton Secured, PCI-DSS, and the other acronyms splashed all over its app, an app that lets you make a payment without entering a PIN or password is not secure.

I'm not the only one who thinks so.

For one, RBI mandates that all payment apps must be gated with a PIN or password.

For another, PayTM has itself complained to the regulator that WhatsApp Pay - the messaging app's payment service that's being piloted among 1 million users in India - allows a payment to be made without entering a password.


Still, nearly 300 million people (and counting) use PayTM.

This is because a user is in the "awareness" stage only once but they're in the "repeat purchase" stage countless times. Therefore, it's logical that convenience, the attribute that's important in the repeat purchase stage, should play a more important role than security, the attribute that's important in the awareness stage. PayTM gets this logic.

Before using an app, security looms large. But once people regularly start using a mobile wallet, their expectation from the app becomes nuanced. To put it simply,

People want their mobile wallet to let them use their money easily. They also want their mobile wallet to prevent anybody else from using their money, no matter how hard they try.

PayTM fulfills the first explicit expectation by delivering a frictionless experience that eschews password for each payment.

Maybe PayTM will find a way to fulfill the second implicit expectation one day. But, today, it does not. If a fraudster lays their hands on your smartphone, they can transfer your wallet balance to themselves instantly. Besides, PayTM now stores CVV of cards on file, so the fraudster can also drain your bank balance if you've kept a debit card on file with the app. Seeking refuge under lockscreen password is lame: Lockscreen is the gateway to your entire phone which has many apps that don't require a password. Whether you want to have a lockscreen password or not is entirely your decision. PayTM and other payment apps have no right to rely on your lockscreen password to prevent unauthorized use of your funds inside their apps.

PayTM's app design reflects a keen understanding that convenience is more important to continued usage of an app, no matter how heavily consumers obsess over security before they start using the app.

PayTM's approach is not unique. All of us regularly book a cab, order delivery and check email on our phones without entering a password. But it is testimony that this consumer behavior trait is equally applicable to a sensitive usage scenario like payments.

Moral of Story: Consumers are driven by different considerations at different stages of the customer journey. But all considerations are not created equal.

