Up until recently, I’d been labouring under the happy illusion that while most banks view their retail customers as somewhat annoying pond scum, you’d generally get a better experience if you were a business customer. That was, until I had the joyous experience of dealing with HSBC (or more specifically, their Merchant Services arm).
I’m in the process of building a site for a client which will (eventually) have an online store. It’s going to be selling high-value items, so the payment gateway needs to be a cut above the PayPal experience. No problem, thought I - the client’s using HSBC as their bank, and HSBC offer a full range of card services through their Merchant Services division.
What I need specifically is the implementation details for the payment gateway so I can wire up the cart software. APN endpoints, dummy account numbers for testing, that kind of thing. So my first stop was the HSBC Merchant Service website. Hopefully they’d have some guidelines about how slick and easy their services are?
No. There’s some newsletters, some Ts&Cs, and a guide to handling offline transactions - but nothing about the online side of things.
Ok, so let’s try their 0800 number. After stabbing semi-randomly at menu options that seem close enough, I finally get through to someone who from their accent and the compression on the voice signal is somewhere on the Indian subcontinent.
They start to read me a script, outlining the terms and conditions of card processing and how I must acknowledge that I’ll be liable if I don’t check the card details and so on. I interrupt them, and explain that that’s not quite what I’m after - what I really need is some technical information.
They start to read the script again, so I interrupt for a second time to explain that this isn’t quite what I’m after. They start to read the script for a third time.
By this point, I’m interrupting slightly less politely than I was initially. After explaining for a third time that this wasn’t what I’m after, they explain to me that they HAVE to read me the terms and conditions regardless of what I’m after.
Mentally thanking $deity$ that this is an 0800 number, I give in and let them read me the script. Then I explain for a FOURTH time what I’m looking for - and they tell me that they can’t help me and I’ll have to be put through to the Helpdesk.
After what seems like a fortnight of badly-compressed hold music, I end up talking to the Helpdesk. The first thing they ask me for is a merchant number, so I have to explain that I don’t have a merchant number and all I want is information. They can’t help me, because without a merchant number they can’t talk to me, even to provide me with the information I need to decide whether I’m going to be able to use their service in the first place. So we bid each other good day, and I hang up.
By this time, I’m on a mission to get this information if it involves harming someone. So I decide on a lateral approach - my client gave me the email address of their HSBC contact, which has a “globalpay.com” domain. Worth a try, right?
Into the address bar goes http://www.globalpay.com, and back comes a “403.4 - Forbidden: SSL is required to view this resource” error page. Which is a bit strange - but being charitable, I assume that it’s something funky with my browser and try the https version.
At this point Chrome throws up an “invalid server certificate” error, and I give up.
OK, so what’s the bottom line to all of this - apart from my getting a rant off my chest?
From the perspective of a potential customer, this is on a par with walking into an HSBC branch and finding a large steaming dog turd in the middle of the carpet. I doubt if anyone in the HSBC Merchant Service marketing team knows what “cognitive dissonance” is, but I’ve just had a dose of it.
Online payment processing lives and dies by security - yet as an organisation, they a) can’t be bothered to put even a redirect on their primary domain; and b) are happy to have a glaring security error advertised.
In a bid to whittle a bit off the bottom line, the helplines and enquiry numbers have been outsourced to India, and dumbed-down to the extent that their staff can’t deviate from procedures, let alone think laterally to solve a potential customer’s problem.
This doesn’t leave me with much confidence that the experience of being a customer is going to be a good one.
Rather than an image of a large, responsive and highly-secure organisation, my mental picture of HSBC Merchant Services is now a steaming dog turd in the middle of a branch carpet. Which is what I’m going to tell my client when he asks how the site build is going, and what I’ve just told the world (or at least anyone who stumbles across this post).