New Ventures in Financial Services

Focus on Payments and Mobile

Posts Tagged ‘fraud’

3DS: Collaborative Path to Failure


Very good paper on card fraud systems and the “collaborative path to failure” posted by Bruce Schneier. I trust you have read this one already... wow…
 
http://www.schneier.com/blog/archives/2010/02/online_creditde.html
 
http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
 
I won’t forget a meeting I had with Paul Baker, Mastercard’s global product head for MasterCard Secure Code (MA’s version of 3DS). When we told him that it was broken and not working, and detailed the fraud that was getting through, his response was “we just defined the standard, it is the issuer’s job to implement it correctly”, and that MA thought the requirements were “adequate” but “implementations were not”.
 
So the networks go to merchants with updated agreements, and incent them with discounts of up to 50bps, to adopt new (broken) standards; in turn they obtain a “liability shift” for CNP transactions. Banks like HSBC and Citi saw their fraud losses skyrocket from nothing (as they did not bear loss in a CNP transaction) to $10M+/mo. The issuing banks then began to “dial down” the approval threshold for all transactions (consumers’ transactions were being declined to manage fraud loss). What a terrible consumer experience… many lessons on “collaboration”. Networks must take ownership for integrity of the system. Although both Visa and MA have Payment Systems Integrity groups, individual banks are left with informal coordination methods to find the source of data compromises. In the States, collaborative bank entities like Early Warning are taking the lead.
 
I hope to see a change of attitude by Visa/MA, because if they don’t take ownership of risk and integrity other networks will emerge.
 
– Tom

Written by tomnoyes

April 21, 2010 at 4:52 pm

Posted in Uncategorized


SquareUp – Take 4


27 January 2010 (updated 4 March)

www.squareup.com

Venture Beat – SquareUp

New note from VentureBeat yesterday. Jack has certainly assembled a who’s who of angels. Given that these investors are proven winners I’m trying to guess whether they have “bet on the right horse” or have a plan that I’m not privy to (ex PayPal buyout). If it is the latter, my educated guess is that prospects will let this bake for a few years before getting serious. There are too many issues which must be addressed for serious acquisition money to chase a customer convenience play. Some of which I attempt to describe below.

I understand that Jack’s vision for the company is to provide payment services to “craigslist” customers as the market place which will drive volume (an attempt to mimic the paypal/eBay synergy). His story is that everyone has a card in their pocket.. and merchants want to leverage this instrument without the burden of becoming a merchant in the network sense.

Of course Jack is competing with Cash and Checks in this pattern.. much different than the remote Card Not Present (CNP) world which PayPal attacked. I must say that many of my colleagues do not share my negative views on Square, and it has led to some very good conversations.  I certainly agree that issuers want SquareUp to succeed (read: interchange), and Square does have a very nice application, however my strong views are:

  1. There is no compelling consumer or merchant driver. Square will find that changing consumer payment behavior is much more challenging than social networking,
  2. Third party payment aggregation at POS is moving out of favor with respect to network rules
  3. Fraud rates will be very high (see skimming video below) and bank issuers have the ability to shut them down through authorization
  4. Volume will be low (merchant costs, competing methods of payment, charge back rules, …) and business will take at least 4 years to build (with sustained marketing).
  5. Competing bank/MNO sponsored “handset based” payments will overtake this approach in 2-3 years.

PayPal excelled because it addressed a clear gap in payments in a new marketplace where a 4 party system (merchant, consumer, merchant bank, issuing bank) could NOT adapt. This 4 party group, combined with the network and regulators, proved to be ineffective in responding to the “change” presented by online marketplaces. PayPal did much heavy lifting, building “new rails” to manage merchants. These eBay merchants were a well organized community which collaborated (generally speaking) and shared best practice. There was a REAL business problem in these pre-PayPal days.

Comparatively, Square’s “Craigslist community” is not well organized, and the Square payment method is competing with well entrenched behavior (check/cash, a 2 party system) in a person-person sale dominated by checks and cash. What is the problem that Square is attempting to address? My belief is that it is a convenience play, which will have a much different adoption (and profitability model) than PayPal’s.

Top card issuers would love to see SquareUp succeed in order to drive cards (interchange revenue) further into cash replacement. However network rules (like PCI and merchant agreements) exist for a reason. Square’s approach to lowering the barrier for merchants (a valid market need) risks payment system integrity. In other words, the existing card merchant agreement process represents the rules to which the 4 party system has agreed. If we take the SquareUp model to the extreme, what will stop every business from ditching their merchant agreement and starting to use Square? What benefits do acquirers/issuers and network have in supporting this model? Is the potential revenue upside for interchange (in cash replacement) vs. downside in fraud and lost revenue (merchant fees)?

SquareUp is acting as a third party payment aggregator (TPPA), a model which banks have adapted to since their experience with PayPal, creating significant new rules and constraints (both ACH and Card). The network PCI rules (and certification process) for devices storing card information are also quite cumbersome, and require a sponsor for certification. Perhaps this is why Square’s current customer agreement states:

You are responsible for all electronic communications sent to us or to any third party containing Account Data.

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuers have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link), customers would see their card transactions declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered, Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer. Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea of potential misuse, see the YouTube video below... crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

The challenge any analyst has in assessing strategy is information. Given Square’s potential to drive electronic payments, either a card acquirer or PayPal interested … certainly a partner capable of managing the remote risk. If I were interested in acquiring, I would certainly let Square burn money gaining adoption,  changing consumer behavior, gaining approval from the networks, finding an acquirer and learning to manage the fraud issue… then if they are successful join in. At GartnerGroup we would call this approach  a  “late follower”. There is no revenue in this business for 3-5 years… my guess is that competing technologies like NFC will step all over this by that time… at least I HOPE SO!

Previous/Related Posts

https://finventures.wordpress.com/2009/12/02/squareup/

http://tomnoyes.wordpress.com/2010/01/26/usregs/

Written by tomnoyes

March 2, 2010 at 6:23 pm