Token update – TCH + 2 Big Banks and Paypal

I’ve been writing about this token stuff for over 5 yrs. Wow.. This is an update to my June 2013 blog – Tokens: any volunteers ,  SRC- W3C and Tokens and the Trojan Horse.

First my bias.. I may be naive.. but as I stated in Tokens and the Trojan Horse

Visa and Mastercard provide a level playing field for Issuers and Merchants (with few exceptions). Per my blog Payments Civil War, V/MA are a fantastic creation that have experienced profound success (and growth). As I outlined in the Changing Economics of Payments, the beauty of the V/MA model is that it creates incentives for millions of businesses to invest billions of dollars. For investors, the attraction of V/MA is that it is scale free.. with minimal effort required to add volume. While there are MANY more logical ways to deliver payments.. there are none with more profitable incentives for investment.

Tokens are an enormously powerful control point for the payment networks. 9 years ago the banks were working to “build a new Visa” within an initiative launched by The Clearing House. The idea was to create a new scheme that “wrapped” account numbers with another number (token) and avoid network routing (see wrapping). The networks smartly came down and issued clear guidance, if you wrap my card number with another number …. It is still a Mastercard/Visa.

TCH has been seeking a partner for tokenization since Paul Gallant led the 27 bank consortium 8 yrs ago.  Can you imagine the sales pitch (as I reviewed in the Trojan horse) “give me all of your customer information, I will lock it up.. and give you one of my keys for you to access it”. Google, Apple and Amazon have all smartly said no. What is the remaining “big” eCommerce Cards on File (COF) home? You guessed it PayPal.

While I’m not 100% sure about this.. it is the only group left AND two of these banks told me this week “Paypal is the only one that can move merchants effectively”. I was shocked … paypal can move merchants more than Google? They responded “Google has the best technology, but they just can’t sell merchant more than adwords”.. wow.

Thus my best guess is that 2 of the top banks are working with Paypal as the processor/gateway  to move “W3C” in the direction of the TCH tokenization service. The head of the W3C WG wrote me on twitter

Quite frankly my head is spinning. W3C is a browser standard.. how can Paypal get their TCH tokens in? I haven’t figured this out yet, but what I do know is that the complexity is enormous. We have 3 different token services

  • Visa VTS/MA MDES (Apple is primary customer)
  • Google (see Blog) – had no choice but to develop a new custom “standard” by which the encrypted FPAN flows to the merchant acquirer
  • TCH – Paypal + ??

And also multiple new eCom standards

To read what is happening you must therefore take a matrix view.  Obviously Google is moving with their own token service and W3C. Paypal seems to be moving with TCH and W3C.  Apple with network tokenization and ApplePay.

My head is spinning. I must say I did buy Paypal stock this week. I’m just floored that top tier issuers are innovating with Paypal.. focus, partnerships and execution are moving them into the bank friendly category.

Payment Data.. Banks are NOT the problem

Loss of Anonymity in Payments and the threats to Banking, Retail and Consumers

Compelling WSJ article yesterday on Facebook and Bank data. This article doesn’t begin to touch the extent of the problem. When it comes to data, there 2 very very distinct camps. Those that care about consumer data and their role in managing it, and those that don’t. 

Banks and payment networks care and are “squeaky clean” compared to the rampant data sharing going on within marketing (retailers directly to the big ad publishers). While Cambridge Analytica brought about changes to 3rd party data sharing the entire ad industry has DRAMATICALLY increased direct first party data sharing. In other words many large retailers are sending their real time SKU level purchase data (for all customers) directly into the big Ad Platforms.

  1. Google Offline Conversions API
  2. Facebook Offline Conversion API
  3. Agency Example
  4. Gartner CDP Magic Quadrant

What enables retailers to identify consumers and send this data to Ad Platforms? Historically, only retailers with loyalty card schemes could do this, but recently Payment cards have transformed to become the virtual loyalty card used to accurately identify consumers (without Bank/Network permission). This is shocking, as Payment cards have a solid track record for protecting consumer identity (ie anonymity in payment), with payment anonymity a core “feature”. Within the 4 party network schemes only issuers could identify the consumer, enabling issuing Banks maintain the critical role of Identity broker (see blog). As former banker this makes my head spin, as the Payment Card Industry (PCI) has invested BILLIONS to protect transaction data.. Only to have it pour out from a hole.

Example

Today, when a consumer uses their V/MA card to purchase the retailer creates an “anonymized ID” and stores the transaction set internally (at ~50% of the top 10 retailers) with the entire inventory of items purchased. There are few rule or privacy issues here (IMHO), as general trends and loyalty are measured.  However, retailers are voluntarily sending this transaction data (mapped to consumer ID not PAN) directly to the big Ad Platforms. The ad platforms then map this activity to the “anonymized ID” customer behavior it maintains (ex preference for soccer and CNN.com). Issues with this model:

  • Replacing the PAN with another Anonymized ID SHOULD NOT cause it to run under a different “rule set”. If ANY card information was used in the mapping, it should run under network rules
  • Neither the issuers, the networks nor the consumers have permissioned this data sharing.
  • Banks will never have a data business if data plays in this way
  • Retailers are giving away enormous consumer insight and strengthening the pricing power of Google/FB
  • The value of the “raw data” will diminish. Once reliable predictive models and preferences are established (ex Tennis player that likes Lacoste) I no longer need the raw data
  • Data is the “new uranium” we must work to control dissemination or it will destroy those touching it.

Obviously data is following the path of least resistance to centralization points that can act on it efficiently (covered in my blog Equifax, FB and Dangers of Data Centralization). However the ABILITY to act on data is different than the rules which data should act within. Transaction data was developed with VERY thoughtful rules and controls. For example, when a party submits a transaction or request the counterparty is known as is the legal agreement under which the “transaction” operates. Trust developed as a result. Trusted data must be managed.

Russ Schrader (Commerce Signals GC/CPO and Executive Director of the National Cyber Security Alliance) put together these 3 simple rules of thumb when thinking about data use:

  • Right to have the data
  • Right to use the data
  • Right to share the data

To be clear my goal is NOT to create a government imposed GDPR in the US. Rather I want Banks and Retailers to have a data business, and create great new consumer experiences.

Yes I have a bias here, it is what I built my company around (see Federated Data®). Data centralization is the v1.0 architecture of data science. Sure you can learn great things if all the data is mashed together but the value of data is based upon use. If you can’t control use… you can’t control the unique value that is unlocked (or the rights) within a given use.

Bank/Network Actions

Let me be clear.. banks must have a role in data! The economics of payments are changing. Banks must protect their ability to deliver value beyond the transaction. Banking is a commerce function and Alipay has shown what the future holds for “commerce orchestrators” .. payments allow them to become banking orchestrators as well (see WSJ and Ant Financial).  There are both offensive and defensive actions that must be taken. 

  1. Defense. Change the rules to protect your data ensure every party “in the network” is operating on your data with permissions. Your data is playing in the market today.. and you don’t even know it. Banks have permissioned and distributed their data to marketing, loyalty, and shared market insight vendors. While individual transaction data may not be distributed by your partners, consumer level models are built and shared (see Banks as a Data Business). Typical network rules allow for merchants to use card information for the purpose of “loyalty and marketing” these rules need to be tightened up as the rights to share this data with many parties was never part of the original intent.
  2. Retailers are not big enough to force change within the ad world. You are..  Ensure that all data operates within the simple rules above.
  3. Banks must collaborate in data. As a top 3 bank told me “… we have learned some very hard lessons in data, no one bank is big enough to go it alone. What we should have remembered is the success with V/MA. Even though we compete with [Banks] a common network allowed millions of businesses and consumers to work with us consistently….” and another “ The real threat to banks is the Alipay. We need a common data network with common rules. Banks have a role to play in creating great consumer experiences however there are only a very few of them we are poised to lead”.  
  4. Take on the roles of transparency and consumer champion.
Retailer Actions

Retailers have a right to payment data. While big data can create great new insights if we centralized and analyzed all conversations, there is a downside. Digitally, every interaction you have with a consumer is a conversation. Brands must manage who gets to take part in these conversations and build insight from them. If your downstream data “partners” mis-use your data your customers will go to Amazon (which doesn’t share data with Google and FB).  You must create great consumer experiences, but you must balance against consumer privacy and your rights to the data.

  1. Maintain control of your data supply chain. Both WHO is using your data and HOW it is being used. Create a mission control that allows you to see what data is shared with Whom, for which Use under which legal agreement (a shameless plug for our service)
  2. Rather than sending out raw transactional data that improves pricing leverage of Goog/FB build a CDP and enable your own targeting. Make partners bring their insights to you, or ask you to append a propensity score for a specific campaign.. not raw data for all of your customers. This is what Commerce Signals enables. 
  3. Hold all marketing partners accountable to performance against a common benchmark. This does not mean a measuring against a panel of 8M location based “presence” participants. But leverage your transaction data to measure performance consistently. This means Google and FB must be measured against your metrics.. Not report their own. Mark Pritchard of P&G is the most vocal advocate of this approach

For more information, please see my previous blogs

Amazon 2% + PayPal Discover

Two HUGE payment events this week

Amazon 2%

Per Bloomberg, consumers that don’t want to go for the 5% back Amazon store card (SYF) can now link their DDA and earn 2% back.  This may be the biggest payment innovation of the year!  Continue reading “Amazon 2% + PayPal Discover”

Chase Net 2017

Its tough to find time to Blog as a CEO…. Most of you my blogs are sometimes snarky and tactless (making NOT offending someone a new consideration).

I was taking a look at JPMC’s latest investor presentation and noticed that ChaseNet is gone.. Why? I’ve written on JPMC and ChaseNet a number of times over last 6 yrs. Today I’ll cover my views on the latest developments and my views on JPMC’s ChaseNet strategy. Lets recap first: Continue reading “Chase Net 2017”

PIN Debit at the POS

Most of you have read that Walmart, Home Depot and Kroger have launched new litigation against Visa for “PIN” and Debit.  This issue is so complex it makes my head spin… For those unfamiliar with some of the basics see this article, my prior blog on PIN debit consolidation,  AT Kearney, Digital Transactions: PIN Debit Claw Back and Pinless PIN Debit. Continue reading “PIN Debit at the POS”

Browser Tokens – Payments in OS Part 4

My last articles on this topic were
I’ll forgive you if you didn’t see the big news out of Google I/O. There is a MUST READ article in Android Police that is spot on. Summary? Google (Chrome/Android) and Apple (Safari) are ready to integrate payment tokens in the browser.. Buy buttons will be integrated into ads, product listings, or a single “pay” button with no subsequent user information to fill out “quasi one-click”. From Android Police

Continue reading “Browser Tokens – Payments in OS Part 4”

“One Click” for Ads

I was hoping to see rollout of a long rumored payment innovation at Facebook. All I can gather is that they must still be in testing.. but the idea is just brilliant.

Facebook has a tremendous advantage over just about every other advertiser.. its consumers log in before use. Facebook is rumored to be in the midst of  integrating payment tokens into advertising. This means when you click on that beautiful North Face Jacket, or those Climbing shoes that the payment instrument (and even the authorization) is integrated. The only thing that the consumer would need to do is confirm shipping address. Wow.. talk about end running the payment specialists.. this is “one click” for ads.

The very idea that there is a “payment specialist” needed between the ad and the seller is going away.. payments are becoming a generic infrastructure services that no one cares about. See Payments in the OS. In this case IDENTITY TRUMPS everything.. if I know who you are.. everything else is just accounting. Someone should go out and write a patent on a similar flow using blockchain.

My guess is that Facebook would be the beta launch for VBV/MSC and the new 3DS 2.0 spec. So not only would this be a great experience, merchants using this would have a liability shift onto the bank and a 20-30bps rate advantage over traditional eCommerce payment acceptance.  (see my blog on Civil War). This flow would hold on both mobile and desktop.

The other implication here is for the banks using TCH token vault.. sure you can vault your own tokens.. but this also means that you must keep up with the fast changing specs in EMVCo and the other users of the specs in MasterPass and Visa Checkout.. doing your own vaulting may mean that consumers can’t do some of this other really cool stuff.

ApplePay in Browser – March 2016

News today from Jason at Re/Code – ApplePay in Browser this Year

OK.. so I was a year off! (see Blog ApplePay in Browser by Summer 2015).

Not much surprise here.. as I outlined in my January blog on topic ApplePay in browser has been for over a year. I don’t have time for a long blog so will make bullets on what I think are latest “big items” Continue reading “ApplePay in Browser – March 2016”