New Ventures in Financial Services

Focus on Payments and Mobile

Posts Tagged ‘payment

3DS: Collaborative Path to Failure


Very good paper on card fraud systems and the “collaborative path to failure” posted by Bruce Schneier. I trust you have read this one already... wow…
 
http://www.schneier.com/blog/archives/2010/02/online_creditde.html
 
http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
 
I won’t forget a meeting I had with Paul Baker, Mastercard’s global product head for MasterCard Secure Code (MA’s version of 3DS). When we told him that it was broken and not working, and detailed the fraud that was getting through, his response was “we just defined the standard, it is the issuer’s job to implement it correctly”, and that MA thought the requirements were “adequate” but “implementations were not”.
 
So the networks go to merchants with updated agreements, and incent them with discounts of up to 50bps, to adopt new (broken) standards; in turn they obtain a “liability shift” for CNP transactions. Banks like HSBC and Citi saw their fraud losses skyrocket from nothing (as they did not bear loss in a CNP transaction) to $10M+/mo. The issuing banks then began to “dial down” the approval threshold for all transactions (consumers’ transactions were being declined to manage fraud loss). What a terrible consumer experience… many lessons on “collaboration”. Networks must take ownership for integrity of the system. Although both Visa and MA have Payment Systems Integrity groups, individual banks are left with informal coordination methods to find the source of data compromises. In the States, collaborative bank entities like Early Warning are taking the lead.
 
I hope to see a change of attitude by Visa/MA, because if they don’t take ownership of risk and integrity other networks will emerge.
 
– Tom

Written by tomnoyes

April 21, 2010 at 4:52 pm

Posted in Uncategorized


$5B MNO Opportunity: KYC


March 11, 2010 

If you had 30 seconds on the elevator with the CEO of any of the large MNOs, what would you say? I would tell them that they can uniquely address a substantial short term revenue opportunity with an authentication service (in existing customer base). How big? Addressable market is at least $5-10B with MNO revenue opportunity proportional to user/payment volume.

What drives this addressable market?  A: Fraud. Card fraud is big business (~$5.5B globally) for “bad guys” and so is stopping it.

Why MNOs? Unique capabilities with existing customers which can deliver short term revenue. Globally MNOs seem to be caught up in a brawl with banks and regulators in facilitating payments. For an MNO, why bother with the payment? If MNOs can manage risk (independent of payment type) then they have the potential to change the payments landscape and provide consumers (and merchants) with the ability to form new payment arrangements. If a consumer could be authenticated, then they no longer need to carry around any financial information with them… account information could be managed separately. This is not a new concept (read virtual wallet). Past “wallet” failures were based upon an MNO model which attempted to “control access” AND “payment instruments”. Alternatively, an “authentication” model would put MNOs into a role where they support existing processes and payment streams (rather than intermediate them) AND remove them from many of the regulatory hurdles which surround payments.

What are Key MNO Capabilities? Customer location, near real time customer communication, customer payment history, KYC, regular communication with customer, brand (trust greater than banks in most cases), handset (ex. Camera), merchant relationships, ability to incent customer, … etc.

Examples:

  • Globally, the most cost effective form of “authorization” my teams had ever rolled out was SMS based… A simple message to the customer providing a OTP. This model does not require MNO involvement, but could be substantially enhanced with additional MNO provided information (ex. Location, picture).
  • Verisign’s VIP and Arcot’s new OTP generator are great examples of the potential for the mobile phone to act as an authentication device… this kind of service has the potential to displace EMV/CAP (outside the US) and usher in changes in the US.
  • A non-card story comes to mind. CitiFin Japan had one of the coolest mobile applications I had ever seen: mobile account opening. The App took control of the handset camera so that the prospective customer could look into it and say “I accept the terms & conditions”. This would be a great generic service for MNOs.. for all types of “contracts”

Where to start?

In the US, the merchants are bearing the costs of card fraud and are highly incented to partner. The biggest merchant pain point is card not present (CNP) transactions. Getting the customer involved in authentication is a harder nut to crack, particularly when they bear no risk/costs (US Reg E/Z, and Fraud Liability Shift Whitepaper).

To get the ball rolling MNOs need to partner where the pain is (merchants) then incent consumers. Incentive costs should be borne by merchants through some combination of rewards, discounts or coupons. Another possible incentive is fear (identity theft… don’t laugh, have you seen Lifelock’s subscriber base?). In my previous post (iPhone at POS?) I touched on several elements which are critical.

Customer Experience? 

  • Having the mobile phone as part of the payment stream would result in the best (short term) customer experience, but would give the card networks new control (adding mobile number to card directory). I’m sure there are 100x permutations, but most would involve a customer interaction with the device to approve or verify.
  • ACH Push has plenty of examples where consumer presents mobile phone number to the merchant (as is done today in Nordics and PayBox) instead of your card.
  • In a “decoupled” authentication process, the merchant would ask to validate the consumer. Consumers are reluctant to give out their mobile numbers, so I would assume that the service may gain the most traction by making the party that stands to gain (merchants) do most of the work. MNOs would develop an auth service where merchants would send a “validate” request to the MNO for a given payment type (many US merchants use a similar service for checks today: TeleCheck). The consumer would receive the request and approve (prior to card authorization). The great thing here is that this request could also morph to take into account the “context” of the validation request (i.e. buyer/seller/new customer validation).

Example “future payment” process: Taking my cart full of groceries to the checkout counter of Tesco, the clerk gets my name and asks “would you like to pay for this the same way you did last week”? I say sure… and get a message on my phone with amount and store, validate with my PIN. Store receives validation and processes order with my last payment instrument. I never had to open my wallet, and get a feeling that the store knows me… perhaps this is “back to the future” with the local corner grocery of 100 years ago (they knew their customers and cash was not always required).
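The decoupled “validate” flow described above, sketched as an added example (not code from the original post or from any MNO or merchant system). The function names, the shared HMAC key, the two-minute expiry and the sample subscriber are assumptions; the point it shows is that the approval returned to the store should be bound to that store and amount, expire quickly, and be usable once.

```python
import hashlib, hmac, json, secrets, time

# All names and values below are constructed for illustration (assumptions).
MNO_KEY = secrets.token_bytes(32)        # key shared by MNO and merchant
SUBSCRIBER_PINS = {"+15550100": "4821"}  # sample subscriber and PIN
PENDING = {}                             # request id -> open validate request
USED = set()                             # request ids already redeemed

def _sign(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(MNO_KEY, msg, hashlib.sha256).hexdigest()

def validate_request(merchant, msisdn, amount_cents, ttl=120, now=None):
    """Merchant -> MNO: ask the subscriber to approve this exact purchase."""
    now = time.time() if now is None else now
    rid = secrets.token_hex(8)
    PENDING[rid] = {"rid": rid, "merchant": merchant, "msisdn": msisdn,
                    "amount_cents": amount_cents, "expires": now + ttl}
    # Text pushed to the handset: the consumer sees the store and the amount.
    return rid, f"{merchant}: approve {amount_cents / 100:.2f}? Enter PIN."

def consumer_approve(rid, pin, now=None):
    """Handset -> MNO: PIN entry. Returns a signed validation, or None."""
    now = time.time() if now is None else now
    req = PENDING.pop(rid, None)         # one attempt per request
    if req is None or now > req["expires"]:
        return None
    if not hmac.compare_digest(pin, SUBSCRIBER_PINS.get(req["msisdn"], "")):
        return None
    return {**req, "sig": _sign(req)}

def merchant_verify(validation, merchant, amount_cents, now=None):
    """Merchant checks the validation before sending the card authorization."""
    now = time.time() if now is None else now
    body = {k: v for k, v in validation.items() if k != "sig"}
    ok = (hmac.compare_digest(validation.get("sig", ""), _sign(body))
          and body.get("merchant") == merchant          # bound to this store
          and body.get("amount_cents") == amount_cents  # bound to this amount
          and now <= body.get("expires", 0)             # still fresh
          and body.get("rid") not in USED)              # not replayed
    if ok:
        USED.add(body["rid"])
    return ok
```

A shared HMAC key keeps the sketch short but lets the merchant mint its own validations; an MNO signature the merchant can only verify would close that gap.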

Summary

Authentication is a natural space for MNOs, and US merchants are screaming for help in managing $1.5+B in fraud. Unique MNO KYC capabilities could provide for many new revenue streams and accelerate an “mcommerce” world that expands beyond ring tones. In the US, we must find a way to leapfrog EMV, improve customer experience AND address the tremendous risks and fraud costs borne by merchants. Why should I carry around 8 cards and swipe for everything when 90% of merchants already have my payment information? MNOs have the opportunity to deliver compelling value and cement their position in customer interactions. Generating revenue from a “generic service” like authentication will likely require additional companies capable of consuming (and extending) it. Perhaps the mobile phone will be the “key” to trust portability (hey that rhymes) and link the virtual and physical world of commerce.


Written by tomnoyes

March 11, 2010 at 5:38 pm

Posted in Analysis, US


SquareUp – Updated from Previous Post


Updated Dec 10, 2009 (Previous Post Here)
http://squareup.com/

Twitter founder Jack Dorsey. Card swipe on iPhone.

More info today (Dec 2, 2009) from Venture Beat. The updates are based upon business model of card-card vs. Card to existing POS (or receiver registering as a “merchant”). Will I see my local ticket scalpers and hot dog vendors taking credit cards on their iPhone? Data we know:

  • Plug in Card reader into Audio input Jack
  • Pilot with a couple small merchants
  • Not open for business yet (as of 12/2/09)
  • Mind behind it is Dorsey
  • Khosla is Seed Investor.
  • Very US centric.. no EMV (Chip and Pin)
  • “Picture” for risk management
  • Unclear whether model is Card-Card or SquareUp is acting as a merchant aggregator (see IPSG in Here)

Updated Analysis:

  • US Centric Consumer play (no EMV)
  • Credit Card transactions with 350bps… not the greatest for a “cash replacement” value proposition (PIN Debit is 150)
  • Issuing Banks have control over card-card transactions. Pilot likely used SquareUp as merchant.
  • If SquareUp is acting as a Merchant Aggregator, then they will own all fraud losses (CNP Transaction). Assuming that the “merchant” swipes the card, it is assumed that the “merchant” did not sign the merchant agreement (i.e. Visa/MasterCard); SquareUp would be the Merchant in this case and the card was not present at SquareUp’s POS for inspection.
  • Consumer population is limited (how many of your phones have an “audio input jack”?)
  • Model competes heavily with both bank initiatives (in mobile) and those within Visa/MasterCard. (MasterCard MoneySend, Visa Money Transfer)
  • Merchant incentives are weak vs. Cash or PIN Debit.
  • Issuers will not jump on board with this one: 1) competes with other projects, 2) fraud controls are not proven, 3) consumer demand, 4) issuers want to own the consumer experience.
  • MNOs will likely also resist, as they have no incentives to support.
  • Device is not certified by Visa or MC, where Verifone’s payware is http://www.paywaremobile.com/

My guess is that squirrel has the technology working… but haven’t figured out the “banking side” and how to expand beyond the cards that they can directly control. This team should have partnered with either a bank or an MNO as it will require some significant marketing dollars to move customer adoption… even for a pioneer in social networking like Jack. Differentiate this approach from the “partnership” approach taken by teams like BlingNation (see post here).

In addition to BlingNation’s partnership model, integration of NFC into existing handsets will present a much larger “global” opportunity. See

Innovation in payments is tough… if I were going to add something to Steve Jobs’ product plan for the iPhone what would it be?

  • Global
  • Ubiquitous
  • Unique to every person
  • Globally Accepted for use in Payment and Authentication, by merchants, banks, networks, regulators
  • Low error rate
  • Impossible to clone
  • Difficult to crack

The answer is… ( ). OK so nothing fits my criteria, but any appendage on my iPhone must certainly seek to optimize the goals above. Only item I’ve seen that comes close is IRIS scanning… now being miniaturized to fit on a chip the size of your thumbnail (below). Just for fun… I bought “paybyiris.com” domain as I finished this article (today).

http://www.nydailynews.com/archives/news/2002/01/07/2002-01-07_credit_card_cloners___1b_sca.html
http://4g-wirelessevolution.tmcnet.com/news/2009/08/19/4331395.htm

Written by tomnoyes

December 2, 2009 at 5:20 pm

PaybySquirell and iPhone Payment


Twitter founder Jack Dorsey. Card swipe on iPhone.

http://www.finextra.com/fullstory.asp?id=20618

http://www.engadget.com/2009/10/17/twitter-founder-jack-dorseys-squirrel-project-revealed-as-th/

Roberto Garavaglia was nice enough to share this finextra story on LinkedIn. Is this a consumer play… or a “merchant play”? Will I see my local ticket scalpers taking credit cards on their iPhone? This start up was certainly “in the black”. Data we know:

  • Squirrel has a “signature” line in the app
  • Have hardware on the phone
  • Alpha test in NYC
  • Receipt in engadget pic above shows consumer payment (you paid)
  • Mind behind it is Dorsey
  • Top VCs know about it, and seem to think it is a merchant play.
  • Very US centric.. no EMV (Chip and Pin)

There are certainly some conflicting data points. If a consumer play… this signature will not be valid… and transaction will be treated as a CNP (so why the signature?). If this is a merchant play who would possibly want to act as acquirer (fraud loss)? The merchant use would make most fraud heads lose a little sleep, for they would have a whole new threat vector. Can you imagine the buyers of the merchant use? The bank and I will have to worry about every kid in a fast food window and every waitress holding my card swiping on their iPhone (in addition to paying for my dinner). My guess is that squirrel has the technology working… but haven’t figured out the “banking side”.

Fraud attacks the “weakest link” in payments quickly. Would love to hear from others in the community, but my view is:

  • Interesting as a merchant play…. but acquirers will shy away from originating transaction in either network without solid fraud controls. The merchant owns the loss here by rules of network in a “CNP transaction”. Signature capability will be debated…
  • Squirrel biz model… questionable as anything but a hardware business. The fraud numbers of leading merchants selling digital goods are astounding. All top merchants have had to develop their own internal specialist teams to handle. If Apple and PayPal have trouble with teams of 300+ (after 10 years) this will be a challenge for any new “merchant”. As a payment method, squirrel will have to take this on. Having access to the physical card may allow them to try something disruptive like MagTek which reads the randomness (noise) in the card stripe to establish a “unique” card… which has the downside of card registration. Something like this would push squirrel further into a “US centric” model as it appears that they do not support EMV (aka Chip and PIN).
  • “No go” as a consumer play. Why not just keep my card at the Apple app store? or at PayPal? What is the incremental value that this provides me? Why not just key in my card data… why add a reader to my sexy iPhone… in its sexy case.

Innovation in payments is tough… if I were going to add something to Steve Jobs’ product plan for the iPhone what would it be?

  • Global
  • Ubiquitous
  • Unique to every person
  • Globally Accepted for use in Payment and Authentication, by merchants, banks, networks, regulators
  • Low error rate
  • Impossible to clone
  • Difficult to crack

The answer is… (   ). OK so nothing fits my criteria, but any appendage on my iPhone must certainly seek to optimize the goals above. Apple has a payment patent around a semacode displayed on the screen and “scanned” at the POS (Starbucks in trial).

Apple has been VERY non-committal with respect to NFC, as it develops strategies to get a cut of the transaction revenue… merchants would be insane to put yet another vendor in the mix at the POS (Apple Semacode reader)… I don’t see it on HP/Verifone’s product plan either. We may be left w/ putting NFC stickers on the back of our beautiful iPhone… of course that is better than a card reader… or a semacode… but not as nice as NFC embedded w/ chipset with software providing OTA capability.

Apple’s insistence on getting “control” in payment, combined with same tendencies at carriers, is leaving the door wide open to Android and competitors. There are some super start ups with plans to enable all kinds of services through NFC. Imagine using your iPhone to open doors, store coupons, vending machines, college campuses… a whole new ecosystem all locked up because Apple wants to control the payment channel (and refuses to embed NFC).

Regarding this Apple payment patent: What is Starbucks’ business case? Is it driving traffic? How many more stops will the average iPhone user make because of this app? My guess is that this was funded out of Starbucks’ marketing budget… and payback will be minimal. But it is cool. (I wish I could make a living out of being cool… of course I would first have to be cool… not currently the case)

https://www.starbucks.com/mobile-apps/#num=01&id=coffee_home
https://www.starbucks.com/mobile-apps/StarbucksCardMobile/default.asp
http://www.genoco.com/link/interactive_iphone+starbucks.html
http://www.forbes.com/2007/12/26/apple-patents-iphone-tech-wire-bc_1227appatent.html

Perhaps a more ubiquitous form of payment is something coupled with authentication. Perhaps IRIS scanning, which is now being miniaturized to fit on a chip the size of your thumbnail (below).

Iris Recognition Built into Phones

http://www.nydailynews.com/archives/news/2002/01/07/2002-01-07_credit_card_cloners___1b_sca.html

http://4g-wirelessevolution.tmcnet.com/news/2009/08/19/4331395.htm

Written by tomnoyes

October 20, 2009 at 1:14 pm