Secrets designed to be divulged and other payment oddities
whatshot 41 snips
Mar 5, 2026
A deep dive into why payments were built on shared secrets and the long-term fraud trade-offs that created. Explores CVV, AVS and other stopgap measures that balance security against conversion. Traces the failures of physical tokens and EMV terminals. Shows how smartphones finally deliver scalable cryptographic continuity and why regulation and SCA changed the incentives.
25:30
forum Ask episode
web_stories AI Snips
view_agenda Chapters
auto_awesome Transcript
info_circle Episode notes
insights INSIGHT
Original Sin Of Payments Is Shared Secrets
Payments were built on shared secrets like PANs which were widely distributed and thus inherently fragile.
Patrick McKenzie explains PANs get promiscuously shared (embossed, read over phone, typed online) making widespread compromise inevitable.
insights INSIGHT
CVV Exists Because PANs Were Everywhere
CVV was introduced as a transient 'double plus secret' to reduce misuse of PANs stored by merchants.
Patrick notes CVV must be forgotten by merchants (PCI DSS) and yet is optional for charging, trading off conversion for fraud reduction.
insights INSIGHT
AVS Tried Using Addresses As Secrets
Address Verification Service (AVS) used billing addresses as a scalable secondary secret banks likely knew.
Patrick highlights AVS's limits: address formats vary and banks often don't have current addresses, making AVS imperfect.
Get the Snipd Podcast app to discover more snips from this episode
Patrick McKenzie (patio11) deconstructs the "original sin" of payments: building a global financial substrate on shared secrets that were distributed promiscuously to function. He examines the multi-decade game of Whack-a-Mole played by the industry to balance the "optimal amount of fraud" against the catastrophic conversion hit of high-friction security. From the physical failure of terminal buttons to the smartphone finally solving the lifecycle problem of cryptographic tokens, Patrick explores the technical and social reasons why we’ve moved from "something you know" to the "continuity of access" provided by the device in your pocket.
If you have more interesting hobbies than managing your money, Mercury Personal is built for you. It allows you to automate movement between accounts—allocating paychecks and tax prep the moment they hit—with a sensible permissions model for partners or accountants. It works the way tech people expect banking to work. Go to mercury.com/personal to experience banking built by the same folks Patrick trusts for his business.
If meetings consistently leave you with hazy action items and lost context, Granola handles the transcription so you can actually participate and gives you searchable notes afterward. Try it free at granola.ai/complexsystems with code COMPLEXSYSTEMS
Timestamps: (00:00) Intro (01:32) Publishing the shared secret… again (03:39) Manufacturing shared secrets at scale (07:51) Something you own, take one (10:10) Sponsors: Mercury | Granola (13:48) Something you own, take two (18:26) Something you own, take three (21:24) One other semi-successful method: positive pay (24:45) Wrap
Complex Systems with Patrick McKenzie (patio11)