New Ventures in Financial Services

Focus on Payments and Mobile

Posts Tagged ‘mastercard’

3DS: Collaborative Path to Failure


Very good paper on card fraud systems and the “collaborative path to failure” posted by Bruce Schneier. I trust you have read this one already... wow…
 
http://www.schneier.com/blog/archives/2010/02/online_creditde.html
 
http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
 
I won’t forget a meeting I had with Paul Baker, MasterCard’s global product head for MasterCard SecureCode (MA’s version of 3DS). When we told him that it was broken and not working, and detailed the fraud that was getting through, his response was “we just defined the standard, it is the issuer’s job to implement it correctly”, and that MA thought the requirements were “adequate” but “implementations were not”.
 
So the networks go to merchants with updated agreements, and incent them with discounts of up to 50bps, to adopt new (broken) standards; in turn they obtain a “liability shift” for CNP transactions. Banks like HSBC and Citi saw their fraud losses skyrocket from nothing (as they did not bear loss in a CNP transaction) to $10M+/mo. The issuing banks then began to “dial down” the approval threshold for all transactions (consumers’ transactions were being declined to manage fraud loss). What a terrible consumer experience… many lessons on “collaboration”. Networks must take ownership for integrity of the system. Although both Visa and MA have Payment Systems Integrity groups, individual banks are left with informal coordination methods to find the source of data compromises. In the States, collaborative bank entities like Early Warning are taking the lead.
 
I hope to see a change of attitude by Visa/MA, because if they don’t take ownership of risk and integrity other networks will emerge.
 
– Tom

Written by tomnoyes

April 21, 2010 at 4:52 pm


Apple’s NEW NFC Patent


10 April 2010 (updated 14 April)

I’m still reading through the 243 page patent application… but this is exciting… not just because Apple is taking such an aggressive, broad approach.. but because Visa, MasterCard, ATT, … are also about to “pull the trigger” on some very substantive efforts. As a consumer I know that where there is competition… I win!

From a “payments perspective” Apple looks to be expanding the “iTunes wallet” to support NFC: either as an aggregated payment account (Apple as issuer), or an “unaggregated” iTunes Prepaid Card model. In the aggregated model, someone like JPMorgan Chase may be the underlying bank and could provide Apple with an average margin of up to 150bps of TPV. This assumes that the NFC interchange holds at 300-350bps, as merchants are not jumping for joy in current pilots (see BestBuy).

In the “iTunes wallet as prepaid card” model Apple’s NFC revenue would be equal to TPV of ACH payments times the average interchange between POS transactions and other (ex P2P) transactions. Given that iPhone customers are rather savvy, I believe they will quickly educate themselves on the stronger Reg Z consumer protections associated with bank cards (as well as the existing rewards programs), keeping Apple’s interchange revenue suppressed to less than 20-50bps of POS TPV. We should not compare Apple to a “PayPal” as the transaction economics will be much different, given PayPal’s role as both issuer and acquirer. Also note that the NFC value proposition is focused at the physical POS.

This is not to say that this will be a marginal business for Apple; in fact my view is the opposite. The real revenue streams to Apple will not be from “interchange” but from advertising, as iAD provides the “Yang” to NFC’s “Yin”. Creating a new payment ecosystem means having incented partners. The timing of Apple’s iAD and NFC developments is not accidental; my belief is that they are part of a very solid mCommerce expansion strategy. (Note that the iTunes wallet is clearly evident from patent diagram 5A above.)

My guess is that JPMorgan Chase and/or BAC will be a launch partner here, specifically on the “googlization” of financial services (see previous blog). The banks have a tremendous amount of data which can be monetized if consumers give permission. Both BAC and JPM have very aggressive exec teams focused on driving new business models. My guess at a value proposition: Consumer accepts a bank disclosure allowing use of your card data for mobile marketing (x ads per month), in return consumer receives rewards/ discounts/ offers.

On the iAD side, Apple will coordinate iAD mobile advertising, banks provide “propensity to buy” information (for registered consumers) to Apple’s marketing engine, Apple will manage campaigns and share click revenue with banks. The revenue stream for Apple is in mobile advertising, developing a new ecosystem which will create a “win-win” for: consumers, banks and merchants, and Apple’s application development community.

Beyond near term NFC payment at the POS, many questions will arise on the openness of Apple’s NFC API within the iPhone architecture. Will Apple try to lock the wallet? If it is open Apple may lose control of the ecosystem as other “channel masters” emerge. Beyond payment at the POS, NFC/RFID has many applications… from opening a door at a college campus… to a price check on the RFID tag of a new HDTV. I can’t imagine the strategy discussions going on in the Valley this week: “What do we build?”…

My messages for the start up community:

  • Better to ride a wave than create your own. Find a way to add short term value in this new ecosystem. Visa/AT&T are far ahead in coordinating a launch of products.
  • Network effects: volume, intelligence, routing, expand nodes, …
  • The iAD revenue stream. Find a way to become part of it. Integrating existing marketing programs (ex. NFC on a subway billboard).
  • Beyond the POS to mCommerce/physical confluence. How can you drive sales or store traffic? (ex. will Apple integrate an RFID reader?)
  • Supporting banks. Example. Look at page 4 of patent application, taking an image of a credit card/check. How will a bank use this to make an authorization decision?
  • International. Apple has a tendency to design for US markets… what will it take to localize?

Apple’s approach to controlling its ecosystem is not perfect, but is the right thing to do early stage as both technology and consumer behavior evolve (I remember my Apple IIe). Right now my bet on “mobile wallet” is with Apple precisely because of their ability to orchestrate such an extended ecosystem. This is going to be hot, within the US there are currently 3 major competitive teams:

  • Apple (likely with JPM/BAC)
  • ATT/Visa/First Data (possible that they are aligned w/ Apple)
  • Citi/MasterCard (NFC Stickers)

Comments appreciated

Written by tomnoyes

April 12, 2010 at 3:51 pm

Posted in US


SquareUp – Take 4


27 January 2010 (updated 4 March)

www.squareup.com

Venture Beat – SquareUp

New note from VentureBeat yesterday. Jack has certainly assembled a who’s who of angels. Given that these investors are proven winners I’m trying to guess whether they have “bet on the right horse” or have a plan that I’m not privy to (ex PayPal buyout). If it is the latter, my educated guess is that prospects will let this bake for a few years before getting serious. There are too many issues which must be addressed for serious acquisition money to chase a customer convenience play. Some of these I attempt to describe below.

I understand that Jack’s vision for the company is to provide payment services to “craigslist” customers as the marketplace which will drive volume (an attempt to mimic the PayPal/eBay synergy). His story is that everyone has a card in their pocket… and merchants want to leverage this instrument without the burden of becoming a merchant in the network sense.

Of course Jack is competing with cash and checks in this pattern… much different than the remote Card Not Present (CNP) world which PayPal attacked. I must say that many of my colleagues do not share my negative views on Square, and it has led to some very good conversations. I certainly agree that issuers want SquareUp to succeed (read: interchange), and Square does have a very nice application; however, my strong views are:

  1. There is no compelling consumer or merchant driver. Square will find that changing consumer payment behavior is much more challenging than social networking.
  2. Third party payment aggregation at POS is moving out of favor with respect to network rules.
  3. Fraud rates will be very high (see skimming video below) and bank issuers have the ability to shut them down through authorization.
  4. Volume will be low (merchant costs, competing methods of payment, chargeback rules, …) and the business will take at least 4 years to build (with sustained marketing).
  5. Competing bank/MNO sponsored “handset based” payments will overtake this approach in 2-3 years.

PayPal excelled because it addressed a clear gap in payments in a new marketplace where a 4 party system (merchant, consumer, merchant bank, issuing bank) could NOT adapt. This 4 party group, combined with the network and regulators, proved to be ineffective in responding to the “change” presented by online marketplaces. PayPal did much heavy lifting, building “new rails” to manage merchants. These eBay merchants were a well organized community which collaborated (generally speaking) and shared best practice. There was a REAL business problem in these pre-PayPal days.

Comparatively, Square’s “Craigslist community” is not well organized, and the Square payment method is competing with well entrenched behavior (check/cash, a 2 party system) in a person-to-person sale dominated by checks and cash. What is the problem that Square is attempting to address? My belief is that it is a convenience play, which will have a much different adoption (and profitability model) than PayPal’s.

Top card issuers would love to see SquareUp succeed in order to drive cards (interchange revenue) further into cash replacement. However, network rules (like PCI and merchant agreements) exist for a reason. Square’s approach to lowering the barrier for merchants (a valid market need) risks payment system integrity. In other words, the existing card merchant agreement process represents the rules to which the 4 party system has agreed. If we take the SquareUp model to the extreme, what will stop every business from ditching their merchant agreement and starting to use Square? What benefits do acquirers/issuers and network have in supporting this model? Is the potential revenue upside for interchange (in cash replacement) vs. downside in fraud and lost revenue (merchant fees)?

SquareUp is acting as a third party payment aggregator (TPPA), a model which banks have adapted to since their experience with PayPal, creating significant new rules and constraints (both ACH and Card). The network PCI rules (and certification process) for devices storing card information are also quite cumbersome, and require a sponsor for certification. Perhaps this is why Square’s current customer agreement states:

You are responsible for all electronic communications sent to us or to any third party containing Account Data.

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuers have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link), customers would see their card transactions declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered; Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer. Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea of the potential misuse see the YouTube video below… crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

The challenge any analyst has in assessing strategy is information. Given Square’s potential to drive electronic payments, either a card acquirer or PayPal interested … certainly a partner capable of managing the remote risk. If I were interested in acquiring, I would certainly let Square burn money gaining adoption, changing consumer behavior, gaining approval from the networks, finding an acquirer and learning to manage the fraud issue… then if they are successful join in. At GartnerGroup we would call this approach a “late follower”. There is no revenue in this business for 3-5 years… my guess is that competing technologies like NFC will step all over this by that time… at least I HOPE SO!

Previous/Related Posts

https://finventures.wordpress.com/2009/12/02/squareup/

http://tomnoyes.wordpress.com/2010/01/26/usregs/

Written by tomnoyes

March 2, 2010 at 6:23 pm

Verifone – Paywaremobile

December 10, 2009

Super move by Verifone, a “serious” device for merchants. As an investor, be glad you skipped on the SquareUp opportunity. Advantages of Verifone’s device:

Down side

  • Merchants must sign a merchant agreement with an acquirer
  • Costs associated with merchant agreement (below)
  • Paywaremobile could add chip and pin functionality… There is life outside of the US

In summary, for small merchants that don’t want to sign a merchant agreement there are payment solutions out there today (PayPal). If you want to accept a card directly, you’d be best served by going through an acquirer and using a certified device like paywaremobile… as your risks are not inconsequential in accepting cards without a merchant agreement through an uncertified device.

Written by tomnoyes

December 10, 2009 at 3:08 pm

SquareUp – Updated from Previous Post


Updated Dec 10, 2009 (Previous Post Here)
http://squareup.com/

Twitter founder Jack Dorsey. Card swipe on iPhone.

More info today (Dec 2, 2009) from Venture Beat. The updates are based upon business model of card-card vs. Card to existing POS (or receiver registering as a “merchant”). Will I see my local ticket scalpers and hot dog vendors taking credit cards on their iPhone? Data we know:

  • Plug-in card reader into audio input jack
  • Pilot with a couple small merchants
  • Not open for business yet (as of 12/2/09)
  • Mind behind it is Dorsey
  • Khosla is Seed Investor.
  • Very US centric.. no EMV (Chip and Pin)
  • “Picture” for risk management
  • Unclear whether model is Card-Card or SquareUp is acting as a merchant aggregator (see IPSG in Here)

Updated Analysis:

  • US Centric Consumer play (no EMV)
  • Credit Card transactions with 350bps… not the greatest for a “cash replacement” value proposition (PIN Debit is 150)
  • Issuing Banks have control over card-card transactions. Pilot likely used SquareUp as merchant.
  • If SquareUp is acting as a Merchant Aggregator, then they will own all fraud losses (CNP Transaction). Assuming that the “merchant” swipes the card, it is assumed that the “merchant” did not sign the merchant agreement (i.e. Visa/MasterCard); SquareUp would be the Merchant in this case and the card was not present at SquareUp’s POS for inspection.
  • Consumer population is limited (how many of your phones have an “audio input jack”?)
  • Model competes heavily with both bank initiatives (in mobile) and those within Visa/MasterCard. (MasterCard MoneySend, Visa Money Transfer)
  • Merchant incentives are weak vs. Cash or PIN Debit.
  • Issuers will not jump on board with this one. 1) competes with other projects 2) fraud controls are not proven, 3) Consumer demand, 4) Issuers want to own the consumer experience,
  • MNOs will likely also resist, as they have no incentives to support.
  • Device is not certified by Visa or MC, whereas Verifone’s payware is: http://www.paywaremobile.com/

My guess is that Squirrel has the technology working… but hasn’t figured out the “banking side” and how to expand beyond the cards that they can directly control. This team should have partnered with either a bank or an MNO as it will require some significant marketing dollars to move customer adoption… even for a pioneer in social networking like Jack. Contrast this approach with the “partnership” approach taken by teams like BlingNation (see post here).

In addition to BlingNation’s partnership model, integration of NFC into existing handsets will present a much larger “global” opportunity. See

Innovation in payments is tough… if I were going to add something to Steve Jobs’ product plan for the iPhone, what would it be?
• Global
• Ubiquitous
• Unique to every person
• Globally Accepted for use in Payment and Authentication, by merchants, banks, networks, regulators
• Low error rate
• Impossible to clone
• Difficult to crack
The answer is… ( ). OK, so nothing fits my criteria, but any appendage on my iPhone must certainly seek to optimize the goals above. The only item I’ve seen that comes close is iris scanning… now being miniaturized to fit on a chip the size of your thumbnail (below). Just for fun… I bought the “paybyiris.com” domain as I finished this article (today).

http://www.nydailynews.com/archives/news/2002/01/07/2002-01-07_credit_card_cloners___1b_sca.html
http://4g-wirelessevolution.tmcnet.com/news/2009/08/19/4331395.htm

Written by tomnoyes

December 2, 2009 at 5:20 pm