What do Retailers Want in Mobile?

1 Nov 2014

Money2020 is next week, and I’m moderating the ApplePay session on Tuesday at 5pm… hope you guys can come. I’m more than a little sad that I can’t get any retailers up on stage with me. Why? The top 60 retailers are in MCX, and it makes little sense for them to get on stage and tell the world what they are NOT going to do and why. As I’m preparing to leave for Las Vegas tomorrow, I was thinking “what could I write about? What unique perspective can I offer?” Well, given I can’t get them on stage with me, let me try to articulate the Retailer’s view of the world. My twitter feed is blowing up as I work to explain why CVS and Rite Aid turned off NFC. Please know I’m only trying to give perspective…

Payment Services are a brokering activity between two entities engaged in commerce. Logically, a broker must have the trust of both parties, and deliver some sort of value in managing the financial risk associated with the transaction.  Within Consumer Retail, Visa and Mastercard evolved from Bank owned exclusive networks of the 1960s (see History) to ubiquitous independent payment networks. Few remember that back in the 1960s, merchants took either Visa or Mastercharge but not both as the Merchant’s acquiring bank could only be a member of one of the networks. For merchants, the value proposition was clear: consumer credit.

Payment networks thus evolved from a closed and focused value proposition, to a settlement “infrastructure”. However the rules and governance process by which many parties (merchant, acquirer, processor, issuer, network, VASP, …etc) participated in defining operation of this “brokering” activity did not evolve. This is the central issue restricting the future growth of Visa and Mastercard. One I believe both are acting on. My firm belief is that rebalancing network rules will unleash a massive new phase of value creation for these networks.

Let me take a quick side bar here..

Network Theory – Openness

As I’ve stated many times, closed networks always precede open networks until scale is reached (Building Networks and “Openness”, 2011). Weak links (nodal affinity) influence network creation, and there are VERY few open networks which exist in Nature. This is logical, as networks form around a function, rendering generic open networks less “efficient” than specialized networks around any given specialized need.

Scale-free distribution (completely open networks) is not always the optimal solution to the requirement of cost efficiency. .. in small world networks, building and maintaining links between network elements requires energy…. [in a world with limited resources] a transition will occur toward a star network [pg 75] where one of a very few mega hubs will dominate the whole system. The star network resembles dictatorships in social networks.

-Weak Links

Networks NATURALLY form around a function and other entities are attracted to this network (affinity) because of the function of both the central orchestrator and the other participants. Open networks (internet/TCPIP, Visa, NASDAQ, … ) succeed where a common infrastructure benefits MANY NETWORKS.

Visa and MasterCard have transitioned to become common network infrastructure, a position FAR MORE valuable than that of a closed credit delivery system. They are a network of networks. However their rule making and governance processes do not match the other open networks listed above (NASDAQ, Internet, …). Most Banks, have also lost their traditional role of “brokering” and risk management (in retail) by creating a card rewards system that encourages card use paid by the merchant. This creates a brokering incentive separate from the commercial transaction… impacting brokering independence.

What do merchants want? A neutral broker!!

A top 5 merchant told me a few months ago “Retailers like Starbucks have proven that we are best placed to deliver value and influence consumer behavior. I don’t want to force my consumers to do anything, but similarly I want networks that let me play on an even field. These next 5 years are going to be complete chaos for consumers. What do we want them to do? Swipe, dip, chip, pin, tap, QR…? We have been planning for EMV for 3 years… am I really supposed to jump to Apple in 4 weeks?”

MCX

These guys are good friends of mine, and I think their business vision is well placed. They want a network where they can play on an equal footing. A neutral broker.. or at least one where they can have a seat at the table when rules are set. Will MCX be a massive success? It depends on the consumer value proposition. Are the merchants motivated to work together in creating a neutral broker? Hell yes.

One merchant said it this way “Tom I didn’t think we would ever have someone more difficult to work with than Visa and Mastercard, but I was WRONG. Apple is a nightmare! At least we knew what was coming with Visa and Mastercard, with Apple they don’t talk to us, respond to our letters, or offer any kind of value proposition. Why on earth would I want to let another brand in my store without understanding what it will do for me? They are a great company, with great products, and certainly have a much better approach to data than Google.. but anonymity is NOT a value proposition, in fact Apple makes our efforts to deliver value to the consumer even harder as we have no defined way of using Apple to engage our consumers”. See Brokering Identity – Part 1, ApplePay and Merchants, Digital Transactions ApplePay Issuer Agreement.

Getting a card number from consumer to merchant is NOT innovation. There is just no problem here. My payment friends are already rolling their eyes. Apple does have great security and great ability to manage fraud.. but fraud losses for CP are 3.2 bps. What about store data losses? That is not “fraud”, and certainly a problem for merchants that keep PANs. Tokens do solve this problem… but so does better security, and more intelligent approach to tracking loyalty. Apple must move to create a merchant value proposition, and define how they will help with consumer engagement. I believe Google will far outpace Apple here.

Retail is a zero sum game.. I’m not going to buy MORE gas and groceries.. differentiation is about switching, product selection and pricing on data, ..the flux.. once this flux dies.. steady state resumes. Perhaps all iPhone owners will only shop at Whole Foods, but data shows that consumers don’t make decisions this way. In fact payment is not in the top 5 reasons for consumers choosing a new iPhone.

Why are MCX merchants turning off NFC? To give themselves a little breathing room, make Apple create a merchant value proposition (engagement), get a seat at the table in a new network, and help to establish a consumer behavior that works for them too (Most Important Payment Race: Consumer Behavior, Apple’s Platform Strategy: Consumer Champion ).

What do Retailers want in Mobile?

Following from my big blog Static Strategies and the Rewiring of Retail.

  • Consumer Engagement
  • Consumer Acquisition
  • Consumer Loyalty
  • Allow Retailer to be in control of data
  • Partners that allow Store’s brand front and center
  • A Partner either IN CONTROL of the consumer experience (Apple/Google) or one that already has massive consumer adoption (ie Facebook).
  • Creating a fantastic customer experience from end-end
  • Ability to manage campaigns, data or your business
  • A Partner that can reach/influence consumers WHERE THEY ARE.. not where you want them to be.
  • Payment..? I guess if that comes too… 

How will this play out?

  • Much has been made of the MCX contract provisions that prohibit participating retailers from allowing other forms of mobile payment. This is just not accurate. Any retailer can choose to turn on NFC, any retailer can sign up for MCX. Can an MCX retailer turn on NFC? Yep.. Large retailers are not participating in ApplePay because Apple has completely failed in a merchant strategy, they have not articulated one, nor have they worked directly with merchants. This is really no different than Apple’s failure to work with Banks. Banks are just fuming over the take it or leave it terms Apple offered to them. Merchants had no terms…
  • Apple will roll out a merchant friendly beacon product, and loyalty product for consumer engagement in next 6-9 months, this will also include a renewed focus on BLE. The product will fall flat until they can create a new merchant organization. Google has 4,000 sales people working with merchants, Apple has around 16… so it is a big task.
  • Apple will ROCK in App payments.. it will be their homerun… I will make a further bet: Apple will WIN in every situation where they can control the consumer experience from beginning to end.
  • Visa and Mastercard are beginning a shift toward the merchant. They may not win the top 60, but Visa has 36M merchants.. that leaves 35,990,940 that will be open to new ideas. These are my biggest personal holdings, and I know both of the CEOs. Everything I’ve written here they know already.
  • Consumer authentication is VERY disruptive to retail and banking. As Ross Anderson said “if you solve for authentication in payments.. everything else is just accounting”. The need for an independent broker and their services are dramatically different if either the consumer or payment can be authenticated (ie cash, bitcoin). Why do you need a payment product at all? Just present the identity to the bank. This is what Sofort/Klarna does… Why not do this? Because the banks have no ability to MONETIZE the transaction (no merchant agreement). There are many better ways to leverage authentication, but no other ways to currently MONETIZE IT (outside card). Perfect Authentication… A Nightmare?
  • Apple is pursuing an “anti-google” approach: keep no data, closed platform, control everything. Google is 2-4 years behind on platform security.. but is catching up. The Google platform is much easier to build in and control (ex HCE), but consumer adoption lags as each Android participant must move consumer to their vision. Apple has successfully delivered security and authentication, but has not laid out a way for many apps to leverage it. Retail is a REALLY big business, with 1000s of specialists. It cannot be throttled by one company.. thus Apple will work fantastically in environment it can control. (sorry to restate).
  • ApplePay and overall contactless adoption will begin with small merchants and infrequent purchases. Most phones have the capability today. MCX will not stop contactless.. but it will impact consumer behavior substantially.

ApplePay Vs Google

  • Is NFC/Contactless Acceptance required as part of EMV rollout? NO!!  This is the most widely held mis-understanding. While the large terminal manufacturers have no products in their official product list without contactless, the top 60 merchants order bespoke or custom terminals to fit their needs.

Paypal at Crossroads (? buying Blackhawk)

25 June

Big things are in store for my favorite eCommerce payments company. Really, I do like Paypal. I may ding them on their POS strategy… as it makes no sense at all… but I love Paypal online.. the “original” ecommerce payments solution that adds value to merchant and consumer. In 98/99 Thiel and Levchin were the first to dream up digital wallets, and first to solve a REAL problem of card acceptance online for small retailers. Perhaps even better than the great Paypal PRODUCTS, were the great PEOPLE that grew out of PayPal.. that have done soooo many great things: Peter Thiel, Max Levchin, Elon Musk, Keith Rabois, Premal Shah, Osama Bedier, Amy Klement, Steve Chen, .. (list too long sorry to those I left off).

As its early leaders went on to do great things, the company “evolved” from an innovative start up to take on a bank flavor. Scott Thompson came from Visa and all his direct reports had bank backgrounds… the top tier of the organization led to a culture change (in a bad way) and it went from the coolest company in the valley… to … errrr… something else.  Pierre and the BOD recognized this and tried to get the mojo back with putting David Marcus in at the helm. They wanted to recapture what made Paypal great (people).. to reset the culture. David is a great guy, as he says this week he was an innovator.. but one that never ran a team larger than 200.. and certainly not a global one which was highly regulated.  It didn’t help that eBay’s CEO essentially undercut David by allowing Don Kingsborough and Gary Marino end run and make decisions directly with John. How could any CEO make it in that kind of environment!?

Now that David is gone (see Venture Beat) who can lead them (today) and what is their new strategic imperative.. their vision for growth beyond eCommerce?

Next 12 months

I believe Paypal will see competition in its core business like never before. As I stated previously, payments are moving into the OS… and Paypal doesn’t have one. Apple, Amazon, Google are new competitors in core eCommerce… all with an OS.

Paypal’s new competitors?

  • Apple will own payment presentment and authentication on all iOS devices.
  • Amazon will begin to get off-Amazon traction (example today is Gogo wireless)
  • Google’s massive success in Shopping Express (Free shipping and payments). Google also just launched wallet in iOS (see google’s blog)
  • Bank Token Schemes and forthcoming rules for cards on file

As a side note, Paypal did squeeze itself into the Apple wallet (for NFC/POS transactions), but Apple will be expanding the iTunes buying experience very soon, and it won’t be looking to drive Paypal merchant adoption, as it is in the process of negotiating card present rates for CNP transactions (See my Apple blog).

Paypal at the POS is a complete joke (see blog). The business guys that have been running the show (or end running David) are focused on a Visa/Mastercard like strategy… not on one that delivers value to their core constituents (merchants and consumers).  Paypal was the company best positioned to execute on a Braintree/Stripe product 5 years ago (remember X.com) and also the best company to have built a Square/Clover like solution. They missed all these things because their business heads were focused on quick transaction volume deals and solutions.. NOT ON VALUE.

POS – Buying Blackhawk?

This is my big theory today. With eBay repatriating $9B and taking a 30% tax hit, we all know that acquisitions are planned. But what?

Obviously Carl Icahn, David Marcus and the BOD have had some disagreements. Rather than guess the strategy, let’s take a look at WHO is staying at Paypal. Don Kingsborough is the former CEO of Blackhawk and head of Paypal’s POS strategy, and Discover Network strategy/relationship.

Paypal has promised its institutional investors progress at the POS.. and they have NONE. Jamba Juice and Home Depot numbers are terrible. The Discover partnership did nothing for them, as MCX merchants REFUSED to accept Paypal (routed as a Discover Card) or new processor agreements (that ran as high as 210 bps). Paypal has “learned” it cannot sneak in payment products within an existing network (Discover), nor can it deliver enough value to push merchants toward a new agreement. Few eBay investors realize that the Discover relationship is yielding NO FRUIT. Even IF they could convince a merchant to TRY Paypal at POS.. they first have to line up the Processors to support, and big ones like First Data were not playing (WSJ Article). Thus Paypal was paying $50k-$250k+ for a merchant to SWITCH to Vantiv just to do a pilot.

Paypal at POS needs a ubiquitous merchant acceptance solution and a physical connection to all major merchants. They also have learned how both Google and Apple have developed strategies to end run the traditional payment terminal and integrate directly with the POS (see the brilliant Google/TXvia Patent US 8676709 B2).

Blackhawk may fit the bill, as it has a merchant network and POS integration solution today. Every time you pull one of those pre-paid cards off the shelf the SKU bar code is tied to the card Primary Account Number.  The Retailer’s POS system sends the SKU to Blackhawk upon payment and Blackhawk activates the card.

Blackhawk is working to leverage this transaction flow to create its own scheme to fund the transaction. See Blackhawk’s patent US8676709 B2. An item in the shopping cart becomes a payment instrument. This could be “THE” enabler to someone like Apple too.. a new payment “gateway” that end runs the traditional payment stream. For Apple, all they would have to do is get a secure “TOKEN SKU” to the POS and the POS would leverage Blackhawk to route. Of course items in a basket usually have a cost, but settlement could be accomplished through a 100% discount, or by capturing the merchant ID and terminal ID to push the payment back through their current processor.

I think this is THE most brilliant scheme EVER!! I love it.. If implemented via ACH.. and MCX. I just don’t love Paypal delivering it because of “cost” and ability to coordinate/execute in delivering value from  all merchant data.

I’m only 50% confident here.. just put a small $10k bet along these lines for fun.  But at a $1.4B market cap.. this would not be a bad bet for PayPal.. problem is that merchants will never go for it.. this does NOT solve the VALUE problem (for consumers or retailers).. it only solves the network acceptance problem. This approach continues the “we will sneak it in” approach. It may “solve” a short term problem of Processors.. but it creates a new one for the merchant in having to deal with multiple processors (one for swipe one for … something else).

IF the merchants would go for this, it may be the best payment design on the planet.. as it would give a way to provide discounts and rebates within the POS system. Integrating with the POS would completely disrupt the processor/payment terminal process, and we would begin to realize the “power of tokens”.

Secure Element, NFC, HCE, EMV, Tokens and Cards

7 May 2014

This blog is for my non-techie, non payment friends.. helping to make sense of all these acronyms.. experts may want to pass on this one.

The GSMA/NFC community is quite stirred up at the moment. This is quite understandable…  after all they spent 8 years perfecting their vision of NFC only to have it thrown under the bus by Apple and Google. I’m not knowledgeable enough to go into the depths of the protocol, or EMVco 4.3 Book 3. I’m giving the quasi technical business explanation of what is going on. There is room for disagreement here, as there is substantial interpretation, as well as understanding of what is REALLY happening vs the specifications.  Remember this is not my day job… so your comments/corrections are welcome. By far the most useful reference/summary page I have found online is located here http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/

It’s easiest for me to explain all of this in the context of an example. Credit cards are the easiest example as they are in the market today, with a few different implementations of contactless, and touch the areas above.

EMV

EMVco has a contactless specification which I challenge any non-techie to read. For this short blog, the key point I wanted to make is that the Credit card number (PAN) is given to the POS unencrypted, in the clear. That’s right… don’t believe me? See:

Your next question is probably “Where is the security?” The answer is that along with the card information, the device sends a cryptogram that is uniquely signed. In other words there is a digital payload that rides along with this credit card primary account number (PAN). This digital payload uniquely identifies the device that EMULATED THE CARD. Think about it as someone validating your SIGNATURE on the document with your social security number on it… Your number is there.. but they make sure it is you by validating the signature.

So why is the SIMAlliance extolling the virtues of a Trusted Execution Environment (TEE) and SIM/UICC? After all we seem to live without this capability quite well in the PC world. Mobile operators want the ability to SIGN and AUTHORIZE more than access to mobile towers. That SIM card in your GSM phone signs and authorizes access to the mobile network, much as MNOs envisioned doing for payments. That is how the GSMA’s version of NFC evolved.. “hey we do this for network access.. lets do it for payments”.  To be clear there is nothing technically wrong with the GSMA NFC approach.. it is beautiful… but there are substantial business model issues (see Payments part of the OS).

Apple and Google are both moving aggressively to act as Commerce Orchestrators. As handsets become commodities and data moves to the cloud, enabling the mobile phone to be the key services platform at the confluence of the virtual and physical world is critical. It is not about payment. Authentication is core to this orchestration role.. authentication is not something that can be given away to MNOs or to Banks.

TOKENS

It makes most sense to jump to TOKENS now. You can imagine that Banks don’t exactly like having their card numbers sent in the clear. In fairness they were involved in the specification, but the EMVCo contactless model is essentially a card number plus authentication. There is more than one way to achieve this, and improve on it by hiding the PAN… this is what tokens are (a few examples described in Money 2020: Tokens and Networks, Apple’s Plans and Google/TXVIA).

Tokens are not new (see Tokens… 10 Approaches). However Tokens are now an official EMVCo specification as of March 2014, with the major issue of Token Assurance outstanding. In this token model, the issuer chooses a Token Service Provider (or does it themselves) and creates a number to replace the PAN. This takes your PAN out of the open… and makes it useless. To be used the Token must be presented by the right party, with the right assurance information. All of this aligns VERY WELL to how banks and networks work today, which is why it is so popular (see blog on HCE). In the GSMA NFC model, a cryptogram goes along with a PAN in the clear, with the PAN stored in the phone in a secure element. In the token/HCE model a Token representing the card is stored in a less secure space, and presented with device and network information for translation by the TSP to the actual PAN. There are substantial Business Implications of Payment Tokens (blog) which I won’t go through again here, but clearly it cuts the mobile operator out of the “signing” role and they become dumb pipes.

My Gemalto friends will howl at how unsecure this is, or how it won’t work if the device has no network access. They are wrong. It is working today, and is secure enough. There is no connectivity requirement, that software token in the phone can change every 10 seconds, 10 minutes or 10 days. The TSP and Issuer can decide whether or not to accept an “old” token based upon the transaction. In other words the intelligence sits IN THE NETWORK.. NOT IN THE PHONE. This is why V/MA/AMEX love it so much. It cements their position (See Perfect Authentication… A Nightmare for Banks?)
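To make the token model in the last two paragraphs concrete, here is an added sketch (not from the original post and not any EMVCo or network code) of a TSP that translates a token back to a PAN only when the device binding and cryptogram check out, and that decides in the network how old a token may be for a given amount. HMAC-SHA256 stands in for the real cryptogram, and the class, function names, PAN and age thresholds are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed policy: (max amount in cents, max token age in seconds).
# The post only says the TSP/issuer may refuse an "old" token depending on
# the transaction; these tiers are illustrative assumptions.
AGE_POLICY = [(2_000, 10 * 24 * 3600), (20_000, 600), (float("inf"), 10)]


def cryptogram(key, token, device_id, amount, counter):
    """Stand-in for the signed payload that rides along with the token."""
    data = f"{token}|{device_id}|{amount}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def present(token, device_id, key, amount, counter):
    """What the phone hands the POS: token plus assurance data, never the PAN."""
    return {"token": token, "device_id": device_id, "amount": amount,
            "counter": counter,
            "cryptogram": cryptogram(key, token, device_id, amount, counter)}


class TokenServiceProvider:
    """Hypothetical TSP: the vault and the accept/refuse logic live here."""

    def __init__(self):
        self._vault = {}  # token -> record holding the real PAN

    def provision(self, pan, device_id, now):
        """Issue a token for `pan`, bound to one device and its secret key."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "device_id": device_id, "key": key,
                              "issued": now, "last_counter": 0}
        return token, key

    def detokenize(self, msg, now):
        """Return (approved, pan_or_None, reason) for a presented token."""
        rec = self._vault.get(msg["token"])
        if rec is None:
            return False, None, "unknown token"
        if msg["device_id"] != rec["device_id"]:
            return False, None, "wrong device"
        expected = cryptogram(rec["key"], msg["token"], msg["device_id"],
                              msg["amount"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, None, "bad cryptogram"
        if msg["counter"] <= rec["last_counter"]:
            return False, None, "replayed counter"
        # The phone needed no connectivity; freshness is judged in the network.
        max_age = next(age for ceiling, age in AGE_POLICY
                       if msg["amount"] <= ceiling)
        if now - rec["issued"] > max_age:
            return False, None, "token too old for this amount"
        rec["last_counter"] = msg["counter"]
        return True, rec["pan"], "approved"


def demo():
    """Run four constructed presentments against one provisioned token."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test PAN
    token, key = tsp.provision(pan, "phone-A", now=0)
    day = 86_400
    results = {}
    # Day-old token, small purchase: accepted without any refresh.
    results["small_old"] = tsp.detokenize(
        present(token, "phone-A", key, 500, 1), now=day)
    # Same day-old token, large purchase: the network refuses it.
    results["large_old"] = tsp.detokenize(
        present(token, "phone-A", key, 50_000, 2), now=day)
    # Token copied off the phone without the device key: worthless.
    results["stolen"] = tsp.detokenize(
        present(token, "phone-A", secrets.token_bytes(32), 500, 3), now=day)
    # Captured message presented a second time.
    results["replay"] = tsp.detokenize(
        present(token, "phone-A", key, 500, 1), now=day + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The merchant side only ever sees the token and the cryptogram; the PAN appears solely in the TSP's approved response toward the issuer.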

Host Card Emulation

This is an Android construct (see Software Secure Element – HCE Breaks the MNO NFC Lock) that allows any application to access the NFC Radio. Without Tokens, HCE would be useless for payments, as payment information can’t be securely maintained without an SE.  Think of HCE as dependent on tokens, now a card emulation application can be certified to run outside the secure element.  I don’t like to put Apple in the HCE boat, as they have a proprietary secure architecture using tokens. This is a uniquely apple construct where the networks seem to have certified Apple’s card emulation application(s) as well. It is important to note that they use none of the GSMA’s architecture (to my knowledge) and have embedded the TEE in the apple processor (see Apple Insiders note on Secure Enclave and Authentication in Value Nets).

Secure Element

Is it needed? Certainly it is needed for at least 2 functions: Mobile network access (SIM/UICC) and Biometrics. Fingers and Eyes are very hard to reissue.. so the actual information must be highly protected. Apple is handling biometrics in the A7 Secure Enclave (oddly enough has the same “SE” acronym) and Google is a tad bit behind but handling in ARM’s TrustZone. TrustZone is largely a hardware construct, and much is made of Gemalto’s marketing announcement here. My view is that there are many more than one software solution for ARM.. and ARM is much more tied to Google and OEMs than Gemalto.

The “big news” here is that both Google and Apple are EMBEDDING SEs in their hardware architecture. Embedded SEs are a threat to Mobile Operators and their preferred Single Wire Protocol architecture. As you can imagine, an embedded SE has all the capabilities of the SE within that micro-SIM card.. and sets up the prospect for a Virtualized SIM (no more of those GSM cards popping into your phone). If the SIM can be virtualized you can switch your network provider anytime you want.. or have them bid for your phone call (see Carriers as dumb pipes?, Who do you Trust?, also see Apple’s patents on Virtualized SIM). To be clear, I believe MNOs can take a leadership position in Emerging markets and payments, but for POS Payments in OECD 20 markets it makes most sense for them to focus on the $5B KYC/Authentication/Fraud opportunity (NOT payments).

OK… now you can shoot me… Open to feedback.

Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”

28 April 2014

I must get 10 calls a week on Apple/NFC. I’m quite concerned that Apple’s new capability will be completely misunderstood by the press, so I thought I would preempt all the NFC zealots out there with my own tag line.. So far I have a 100% success rate in predicting Apple and NFC (blog). Don’t know if I can keep it up as I read the tea leaves. Let me start with facts, then give you my informed opinion.

Facts

  • There are 2 aspects to NFC: 1) the communication protocol as defined by the NFC Forum (this stays as is), 2) the GSMA’s construct and standards for how NFC can be deployed in a handset (things like TSM, SE, SWP, …). See http://en.wikipedia.org/wiki/Near_field_communication
  • Neither Google, Apple, Merchants nor Bank Issuers are in favor of the GSMA’s NFC platform. This is a fact in my mind… particularly in the US.
  • Host card emulation has created a way for all Android 4.4 and above phones, with an NFC compliant radio, to provide application access to the NFC radio. Phones cannot be certified for 4.4 unless they demonstrate support for HCE. See blog HCE – Now the Preferred Contactless Approach
  • The new card present scheme “Tokenization” was announced Oct 2013 at Money 2020, with the specification out last month (see EMVCO details). See my blog Payment Tokenization.
  • HCE and tokenization play together well. Tokens must be coupled with something else (Device ID, Biometrics, PIN, …). For those that have been MIS informed by Gemalto… there is NO NETWORK connectivity requirement for HCE/Tokens. A token representing a card is in software on the phone. It can be stolen.. but it is a worthless piece of information without the other identity/device information. HCE gets around the EMVCo Contactless encryption requirements.. and operates under the TOKEN specification. But there is much grey area here.. as “acceptance” of token is not clearly defined (including pricing). Thus the only “covered” presentment method from a phone to a POS is through a card emulation application. Token acceptance will be coming later, but “assurance levels” are making this a crazy space (tomorrow’s blog).
  • Update – I see that the smart card alliance has already responded to my blog here. The need for a trusted execution environment.. blah blah blah. Did you know that in an EMV contactless transaction that the PAN is sent in the clear? Yep… the need for the TEE is around signing a cryptogram (to verify where the card came from). Obviously I would much rather hide the PAN in a token, and enhance with phone information than give the PAN in the clear and sign something. There is no need for a TEE in payments, just as I access my bank through my browser on my PC without a TEE.. I can also do so with a phone. arghhh…
  • Tokens align well to banks and payment network dynamics and investment. US Banks had been working on a tokenization initiative for the last 3-4 years in the Clearing House (blog).
  • In both HCE and Tokenization scheme, the ISSUER IS IN COMPLETE CONTROL of their card. Issuers generate the token, and authorize the transaction.  US issuers have their own token infrastructure in place from the TCH initiative (above). I wish I could emphasize this more. With HCE, issuers control which application(s) can present a card..  just as they did with within the TSM provisioning model.
  • There are HCE pilots that are live and functional. So much for not being “viable”. The issues are not around technology, but rather validating fraud controls and device ID. Issuers can be up and running with either Mastercard or SimplyTapp in weeks.
  • Perfect authentication and security is a nightmare to Banks.. Banks make money on ability to manage risk. There is no risk in a world of perfect authentication. Or as Ross Anderson says “if you solve for authentication in payments… everything else is just accounting”. See Blog – Perfect Authentication is a Nightmare for Banks.
  • MNO led payment schemes (the GSMA’s platform) are failing in OECD 20 (mature markets), but are leading the way in Emerging Markets. I have seen the transaction numbers… Reasons are multifaceted (see blog for reasons). The technology works.. it is beautiful.. problem is business/consumer value proposition and consumer behavior.
  • Historically, new POS payment instruments and POS payment behaviors are established through frequency of use. There are 3 categories: Grocery, Gas, Transit. Transit is the global success story (Docomo, Suica, Octopus, …)
  • 4 Party Networks have a limited ability to change rules, Issuers dominate in influence. Amex is 3-5 years ahead of every US issuer in terms of capability, strategy and execution.

Opinion

  • Apple’s biggest asset is their ability to change consumer behavior (blog).
  • Apple’s iPhone 6 will be coming out in October (my best guess) with payment capability. It will have the capability to communicate in the NFC protocol.. but nothing about the new iPhone will be compliant with the GSMA’s architecture.
  • Apple’s new capability is NOT ABOUT PAYMENT, but about Commerce (see blog) as they act as a CONSUMER CHAMPION (see blog).
  • Tokens play very, very well into an iBeacon model. Given that tokens are worthless “keys” that refer to a card.. these keys can be exchanged in the open with BLE. There is no need for near field if the information is worthless.
  • -Update- From my perspective I would not refer to Apple’s efforts as HCE. Where Google’s HCE repurposed an existing chipset to create a new software model, Apple has designed a new hardware model. Apple will be using bank issued tokens. Banks will look at using these delivered tokens in combination with: 1) Apple derived authentication score, or 2) MNO device ID from Payfone, 3) Bank mobile application information, 4) combination of above.
  • Authentication is key to Apple’s role in consumer trust and commerce. Per my blog Authentication in Value Nets, Apple is 3 years ahead of Google and everyone else in integrating software and hardware level security (ex Secure Enclave). Google has a path for a secure execution environment through Arm’s Trustzone, but this is more challenging as Google does not mandate hardware architecture (yet).
  • Apple’s new POS payment method will involve finger print on phone, and token presentment to retailer. It can be transmitted via NFC, BLE, QR Code.. or whatever the merchant and consumer can agree on.
  • How does Apple make money on this? I don’t think they will make money on payment, but rather on #1 Authentication (charging the card issuers for an authentication score), or #2 Marketing (charging merchants for consumer insight/ability to reach consumer).
  • Gemalto continues to cast stones, and miss revenue targets. Mobile Communications revenue of €225mn (-5.7% YoY growth, -1.0% constant currency) came in below consensus of €245mn (2.7% YoY). This is the second consecutive disappointing quarter for Mobile Communications, with revenue down 4% YoY in 4Q13. Why would any MNO invest in a secure vault on an Android handset when any application can go around it? That’s right.. there is no lock on the capability. This tremendously impacts the willingness of MNOs to “invest” in incremental features.. when their “investment” can be used without their permission.
  • What will REALLY impact Gemalto is a VIRTUALIZED SIM. Don’t think this is coming in iPhone 6.. but it is coming (see Virtualized SIM).
  • The next 2 years will see mobile payments as a “1000 flowers blooming”. Top card issuers will extend their mobile banking applications to enable card emulation (BLE, NFC, QR, … whatever).
  • Payment Networks will be working to expand the 16 digit PAN to something much larger to support dynamic tokens. They will be working to transition Cards on File to tokens.. with perhaps a card present value proposition.
  • MNOs will realize that they have a unique ability to create a device ID that competes with Apple’s biometrics. Payfone is the leader in the US, Weve in the UK. Beyond this, they may also begin to realize the $5B KYC opportunity I outlined 5 years ago.
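The claim above that a token can be exchanged in the open holds only when the issuer makes each token single-use, short-lived and bound to one merchant. The sketch below is an added example, not from the original post and not any network's or bank's actual token scheme; `TokenVault`, its method names, the TTL and the merchant IDs are hypothetical.

```python
import secrets
import time


class TokenVault:
    """Hypothetical issuer-side vault: the PAN stays here, only tokens travel."""

    def __init__(self, ttl_seconds=120, single_use=True):
        self.ttl = ttl_seconds
        # single_use=False models a static token, the weak setting.
        self.single_use = single_use
        self._by_token = {}  # token -> card reference and usage constraints

    def issue(self, pan, merchant_id, now=None):
        """Mint a random token for one card, valid at one merchant for ttl seconds."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # random, not derived from the PAN
        self._by_token[token] = {
            "pan": pan,
            "merchant_id": merchant_id,
            "expires": now + self.ttl,
            "used": False,
        }
        return token

    def redeem(self, token, merchant_id, now=None):
        """Return (approved, reason). The PAN is never returned to the caller."""
        now = time.time() if now is None else now
        entry = self._by_token.get(token)
        if entry is None:
            return (False, "unknown_token")
        if self.single_use and entry["used"]:
            return (False, "replayed")
        if now > entry["expires"]:
            return (False, "expired")
        if entry["merchant_id"] != merchant_id:
            return (False, "wrong_merchant")
        entry["used"] = True
        return (True, "approved")


def demo():
    """Run the same overheard-token cases against a dynamic and a static vault."""
    pan = "4111111111111111"  # constructed test card number
    results = {}

    dynamic = TokenVault(ttl_seconds=60, single_use=True)
    t1 = dynamic.issue(pan, "merchant-A", now=1000.0)
    results["first_use"] = dynamic.redeem(t1, "merchant-A", now=1010.0)
    # The same token, overheard on BLE and presented again:
    results["replay"] = dynamic.redeem(t1, "merchant-A", now=1011.0)
    t2 = dynamic.issue(pan, "merchant-A", now=1000.0)
    # An unused token presented at a merchant it was not issued for:
    results["other_merchant"] = dynamic.redeem(t2, "merchant-B", now=1005.0)
    # An unused token presented after its lifetime:
    results["late"] = dynamic.redeem(t2, "merchant-A", now=1061.0)

    static = TokenVault(ttl_seconds=60, single_use=False)
    t3 = static.issue(pan, "merchant-A", now=1000.0)
    static.redeem(t3, "merchant-A", now=1010.0)
    # A static token is not worthless: the replay is accepted.
    results["static_replay"] = static.redeem(t3, "merchant-A", now=1011.0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

With `single_use=False` the overheard token is accepted a second time, which is why the "worthless in the open" property depends on the vault's rules rather than on the token format.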

Apple’s Platform Strategy: Consumer Champion

I’m trying to read the tea leaves on Apple and it seems they have devised a unique.. brilliant platform strategy around securing consumer data. I think of it as the anti-Google strategy. As we see so much commonality between the functionality of iOS and Android.. along with the associated legal wrestling, what could Apple do that would be something Google never could?

Per my previous blog Apple and Physical Commerce, Apple has an unmatched level of trust with the consumer, and ability to change consumer behavior. I also outlined how Apple is completely reworking the role of authentication in the platform (see this great article from Networked World). This work, combined with Apple’s efforts to limit ad tracking, is frustrating advertisers (see Tech Times). But there is hidden genius in all of these machinations. Apple seems to be making a bet that there will be a tsunami of coming issues with privacy and anonymity. In this they are turning themselves into the ultimate consumer protector… both online and in the physical world. They are the gatekeeper… the only entity that can know what a consumer is doing.

How can they monetize this role? In hardware sales…  Don’t look at them as an ad business.. (although they could build it later).. but right now protecting your consumer from data leakage and loss is a VERY big competitive differentiator, a feature that is particularly well aligned to Apple’s demographic. It is also a very hard one for Google/Android to match.

 

Thoughts?

Targeting and Attribution – Facebook’s Substantial Lead

6 March 2014

A very very hot topic in digital advertising today is attribution. My definition of attribution: The process by which an advertising campaign measures its influence on consumer behavior. Digital advertising is typically measured by: Ads presented (Impressions), Click Through Rate (CTR), Cost per thousand (CPM), Interaction time (see DoubleClick Data and Top 10 Metrics). Marketers have more data for online advertising than for any other channel; the problem is that people don’t live online. For example, eCommerce sales are around $180B, compared to total Retail sales of $2.4T (excluding Auto, Financial Services and Gas). Similarly Google owns 50% of the digital ad market, with US revenue running at over $30B/yr, which is just a small slice of the overall US marketing spend of over $500B. The CPG vertical, for example, has the largest marketing spend (P&G $3.2B), but very low digital spend (see Retailer as Publisher).

The marketer’s key “nut to crack” : how does online advertising influence offline behavior? (attributing behavior). Facebook is leading the world in 2 critical areas of advertising: Targeting and Attribution.

Targeting

Facebook is highly differentiated here, think lasers vs nuclear weapons. Not only can you build a custom audience based upon email, phone, … etc. You can have Facebook expand that to a lookalike audience, or use external data to form a partner audience (consumers that drive a Mercedes, are over 40 and drink OJ). There is no platform on the planet that does a better job targeting. Tech Crunch covered most of this in an April 2013 Article. Also a consumer privacy group has a very detailed article on issues surrounding Facebook/Datalogix.

Attribution

This is where the stakes get much higher, and the facts are VERY closely guarded. Why the secrecy? Perhaps data use is beyond the scope of use agreed to, or at least the “value” of the use has not been realized by the owner of the data. For example the Tech Crunch article outlined how Datalogix used grocery store loyalty card information in custom audience creation (targeting) and attribution. However, Datalogix may not be authorized to use the data in this way (at least for all of the Retail clients).

Let’s assume that they have no rights to use Safeway’s data for either targeting or for attribution, how do they get around it? For Targeting: my guess is that they are using a smaller Grocer’s (GroceryX) data to construct an initial data set that Facebook expands (via lookalike). For attribution, they then use loyalty card purchase information to statistically project the performance of the original data set (projecting the purchase behavior of the GroceryX’s loyalty customers on the larger data set).

If this is the case, then GroceryX’s data contributed all of the attribution performance (as well as for targeting). Subsequently the revenue that SV should receive is far above their data’s representation in Datalogix’s grocery macro database. In other words, SuperValu (or another unknowing participant) may not be getting paid for the value they are creating.

Regardless of the data use, Facebook is becoming a CPG’s dream channel, far exceeding the performance of anything they have ever worked with (by a factor of 5+!). This is one of the reasons I’m very high on Facebook, and I do own the stock. It may have taken them awhile to figure out targeting and mobile advertising, but they are absolutely killing it today. I believe they could easily grow their CPG advertising 10x in next 18 months.

Purchase Behavior.. Who has it?

There is SIGNIFICANT data leakage going on today. It is a Tsunami that is about to hit every retailer. Data is being used far and above its intended purpose. Another grocery example is what was UPromise, and now SavingStar.  UPromise was an original construct to earn points toward college tuition from SallieMae. Every grocery provided their data to the program so their consumers could participate. SavingStar has tremendous data.. but what can they do with it?  Bank of America’s card linked offer program started to use this data, but the issues of use, ownership and the latency (ex getting credit on day 3) issues persist.

Retailers run a very profitable business in data today. It is core to the current status quo, particularly as it relates to trade spend ($200B/yr). Most retailers are very, very conscious of issues surrounding data leakage. The leading Retail analytics companies (Catalina, dunnhumby, Spire, Inmar, ..etc.) could do wonders in attribution if their data owners would let them.

Purchase Events

Another entity that has purchase data in the US is Argus Information, a Division of Verisk. A little over 10 years ago, Argus evolved as a US bank marketing utility for measuring/targeting cards. Banks send Argus all of their card transaction detail and Argus creates reports for banks (ie Average Customer spend vs competitor in region, average customer balance, …) it was a benchmark service, plus a way for Banks to target Card mailings.  Argus’ former CEO Len Laufler is now running a new data Division at Chase for Jamie.

My friends tell me that Argus has been openly discussing how it can sell its purchase intelligence to non-banks and advertisers (this year). I can tell you one thing for certain, Banks are not cool with this. The head of Retail at a top 3 bank called up Len 2 years ago and told him in no uncertain terms, that the moment they sold their data outside of its intended use they would no longer receive it, and find themselves in front of a judge. The Banks are at risk, Argus is at risk, Consumers are at risk.. if data is used beyond the approved usage. The only way to get this data is with the approval of issuer and consumer.

AdAge had an Amex/Mastercard story along these lines in April. I was also told last month that another source for the data could be Yodlee. As Yodlee’s very first customer (Wachovia 1999) I would say that they have an advantage of customer permissioning. They also have experience in dealing with 3rd party use (Mint, offermatic, …), problem is that it takes time to get the data (customer must register), and there is a latency between transaction, bank record keeping, OFX polling, attribution logic.

Google Zave Receipt Detail

Quite frankly Google has all of the assets to kill CPG/Retail. Their Zave purchase has put them IN the IBM/Toshiba 4690 OS (run by 16 of 20 top retailers). Every time I shop at my local Harris Teeter and use electronic Coupons.. it is Google powering a fantastic consumer experience. Customer level SKU information: attribution nirvana. They also have a unique content delivery mechanism (targeted incentives) that Facebook can’t match. Manufacturers are not keen to issue coupons to everyone.. they want to target incentives to specific buyers… However Retailers DO want coupons for everyone, unless someone will pay them more to change their behavior. It will take Retailers, Manufacturers and Consumer participation to make this all work.. which means tremendous focus (and investment).

 

 

What is NFC? What part is Dead? A: The GSMA part

23 Feb 2014

I decided to turn this into a Wiki update.. as the prior entry is somewhat lacking. For example: Who created the TSM? Single Wire Protocol in the UICC? Who certifies a device for payment?

The New Wiki is now (with the last 2 para’s just added)

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into proximity, usually no more than a few inches.

Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.[2]

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips Semiconductors (became NXP Semiconductors since 2006) and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance[5] and if it fits the criteria for being considered a personal area network.[citation needed]

In addition to the NFC Forum, the GSMA has also worked to define a platform for the deployment of “GSMA NFC Standards” within mobile handsets. GSMA’s efforts include “Trusted Services Manager”, Single Wire Protocol, testing and certification, and “secure element”.

The GSMA’s standards surrounding the deployment of NFC protocols (governed by the NFC Forum above) on mobile handsets are not exclusive nor universally accepted. For example, Google’s deployment of Host Card Emulation on “Android KitKat 4.4” in January 2014 provides for software control of a universal radio. In this “HCE Deployment”, the NFC protocol is leveraged without the GSMA’s standards.

 

From a mobile payment perspective, NFC is

  1. Protocol. NFC Forum owns the Protocols making up the ISO specifications.  These protocols are the “universal” aspect of NFC that is NOT changing.
  2. Platform for How NFC works in a Phone
    • GSMA NFC Specifications, reference architectures, platform constructs (TSM, ..) outlining a SCHEME for how NFC manifests itself within a Handset Architecture
    • HCE
    • Apple Secure Enclave
    • ??
  3. Payment Network Standards and Certification. Exxon Mobil and Mastercard were the first contactless payment mechanisms, and Mastercard PayPass was the first Network Standard with reference implementation and certification for presentment and acceptance.

With HCE, the entire GSMA “NFC platform” is dead, but NOT the protocol (No UICC/SWP role, No TSM, Access to “controller” and Secure Element, no Handset Certification).

Comments on Wiki and blog welcome.

 

 

Token Acceleration

20 Feb 2014

Let me state up front this blog is far too short, and I’m leaving far too much out. Token strategies are moving at light speed… never in the history of man has a new card present scheme developed so quickly (4-6 MONTHS, see announcement yesterday). As I tweeted yesterday, the payment industry is seldom driven by logic, and much more by politics. Given many of my friends (you) make investments in this industry, and EVERY BUSINESS conducts commerce and payments, movements here have very broad implications. The objective of this blog is to give insight into these moves so we can all make best use of our time (and money). I was flattered at Money 2020 when a number of you came up and told me that this blog was the best “inside baseball” view on payments. Perhaps the only thing that makes our Starpoint Team unique is that we have a view on payments from multiple perspectives: Bank, Network, Merchant, Online, Wallet, MSB, Processor, … etc.

It’s hard to believe I’ve already written 12 blogs on tokens… more than one per month in last year. As I outlined in December there are (at least) 10 different token initiatives (see blog). Why all the energy around tokens? Perhaps my first blog on Tokens answered this best… a battle for the Consumer Directory. It is the battle to place a number in the phone/cloud that ties a customer to content and services (and Cards). The DIRECTORY is the Key service of ANY network strategy (see Network Strategy and Openness). For example, with TCH Tokens Banks were hoping to circumvent V/MA… (see blog). The problem with this Bank led scheme (see blog): NO VALUE to consumer, wallet provider or merchant. It was all about bank control. The optimal TCH test dummy was almost certainly Google, and the “benefit pitched” was that Regulators were going to MANDATE tokens, so come on board now and you can be the first.

Obviously this did NOT happen (perhaps because of my token blog – LOL), but the prospect of a regulatory push was the reason for my energy in responding to the Fed’s call for comments on payments. In addition to the failure of a regulatory push, the networks all got together to say no Tokens on my Rails (see blog). Obviously without network rail allowance, a new token scheme would have to tackle acquiring, at least for every bank but JPM/CPT (see blog). Paul Gallant spent 3 yrs pushing this scheme uphill and had no choice but to look for greener pastures as the CEO of Verifone (Congrats Paul).

In the background of this token effort is EMV. I’m fortunate to work at the CEO level in many of the top banks and can tell you with certainty that US Banks were not in support of Visa’s EMV announcement last year. One CEO told me “Tom I found out about EMV the way you did, in a PRESS RELEASE, and I’m their [Top 5] largest issuer in the world”. Banks were, and still are, FUMING. US Banks had planned to “skip” EMV (see blog EMV impacts Mobile Payments). The networks are public companies now, and large issuers are not in control of rules (at least in ways they were before). Another point… in the US EMV IS NOT A REQUIREMENT, A MANDATE OR A REGULATORY INITIATIVE. It is a change in terms between: Networks and Issuers, and Networks and Acquirers, and Acquirers and Merchants (with carrots and sticks).

In addition to all of this, there were also tracks on NFC/ISIS (which all banks have walked away from in the US), Google Wallet (See Don’t wrap me),  MCX, Durbin, and the implosion of US Retail Banking.

You can see why payment strategy is so dynamic and this area is sooooo hard to keep track of. Seemingly Obvious ideas like the COIN card are brilliant in their simplicity and ability to deliver value in a network/regulatory muck. This MUCK is precisely why retailers are working to form their own payment network (MCX), retailers and MNOs are taking roles in Retail banking, and why Amex has so much more flexibility (and potential growth).

Key Message for Today.

With respect to Tokens, HCE moves are not the end. While Networks have jumped on this wagon because of HCE’s amazing potential to increase their network CONTROL, Banks now have the opportunity to work DIRECTLY with holders of CARDS on File to tokenize INDEPENDENT of the Networks.

Example, if JPM told PayPal or Apple we will give you:

  • an x% interchange reduction
  • Treat as Card Present, and own fraud (can not certify unless acquirer)
  • Access to DATA as permissioned by consumer
  • Share fraudulent account/closed account activity with you to sync

If you:

  • Tokenize (dynamically) every one of our JPM cards on file
  • Pass authentication information
  • Collaborate on Fraud

This is a MUCH stronger business case for participation than V/MA can create (Visa can not discount interchange, or give access to data).

This means that smaller banks will go into the V/MA HCE schemes and larger banks, private label cards, … will DIY Tokens, or work with SimplyTapp in direct relationship with key COF holders.

Sorry for the short blog. Hope it was useful

Rewiring Commerce: Four Phases

18 Feb 2014

One of my most often repeated lines is that mobile payments are not about payments.. but about everything else. We have no payment problems today. When was the last time you left a store without your goods because the merchant doesn’t take your form of payment? Payments are the easy part, and experience has shown that it takes a VERY VERY long time to change consumer payment behavior (20 yr plus, see my blog on Behavior Change). My personal bets are all around mobile’s future role in commerce…. I call it Rewiring Commerce (previous Blog).

As an engineer I like to take a control volume approach to systems. To some extent, marketing is a measure of inefficiency… heat or friction in a mechanical sense. Marketing spend makes up almost 19% ($750B) of total US Retail sales (around $4T), with most of that spend untargeted and non digital. Even these astounding numbers do not begin to touch the total opportunity in Commerce Efficiency (ie transportation costs, spoilage, mark downs, discounts, and inventory write offs). Rewiring Commerce is much more than Apple’s beacons talking to you when you shop, it’s about how local suppliers/producers could meet needs locally, providing manufacturers with tools to better estimate demand (eliminating waste and transportation), mass customization, resource optimization, value orchestration.. yada yada yada.

Who is impacted by rewiring commerce? Everyone that buys or sells. What is key? Data, trust, identity, platform.

I see disruption of Commerce (ie rewiring) occurring in 4 phases.

The First phase of mobile commerce disruption was focused on improving information flow (ie Showrooming). Second phase is underway, experimental and highly fragmented with one of my favorite companies being Blue Kangaroo. In this phase there is context to the mobile interaction without the consumer’s direct input. This is where Apple’s beacons will play (see blog Apple and Physical Commerce earlier this month). Perhaps the best categorization of Phase 2 is in shopper marketing from Booz & Company.

Third Phase: Intent

Theme here is consistent with a physical world version of Google’s search word marketing advantage. In this phase retailers and manufacturers work to influence your behavior before you are in the store (as opposed to in store beacons in phase 2). One of the startups I’m incubating is focused on helping any company purchase intent information. For example, when someone turns their car off in a mall parking lot they may be intent on shopping. Or when you buy suntan lotion you may be intent on a beach trip. Google is light years ahead of everyone in physical intent… why do you think they want to put up all those free wi-fi hot spots? But their information is extremely limited.. much more location based than behavioral. In this phase retailers use their consumer insight in combination with others to provide relevant information to specific consumers.

 

In order for consumer adoption to take place there must be real value. Value requires:

  • knowing the customer (historically),
  • knowing the customer now (intent),
  • having the ability to touch the customer before they shop (publishing),
  • trust (consumer permission),
  • ability to run an advertising campaign,
  • ability to target consumers based upon insight,
  • ability to track consumer behavior after the campaign (redemption/purchase)
  • tracking requires ability to work with retailers

Yep.. that is a long, long list. What companies can do this today? Google, Apple, Amazon and Facebook.. with Google and Amazon 3-5 years ahead.

There are several strategies at play here today, but the biggest challenge is in obtaining real world intent. Several “Omni Channel” plays leverage online intent to create off line behavior to get around the real world data challenge (only if the consumer starts online).

  • Platform: Amazon, Apple, Google, Facebook
  • Retailer Focused: Square, Amex/Loyalty Partners PayBack Card, OmniChannel, Paypal
  • Big Data: IBM, …
  • Big Government: NSA (meant for a laugh, please don’t add me to Echelon/PRISM)

Third Phase Summary

In this phase the Retail environment is not changing substantially, we are better using mobile to interact with consumers within the current retail and advertising constructs. Junk mail and random push messages are gone. Consumers are choosing to “trust” entities that consistently deliver RELEVANT VALUE. Services will be focused toward affluent consumers, as the focus of value will be around discretionary purchases. As efficiencies improve, we will begin to see a massive shift in advertising spend toward digital channels and specifically mobile. The key for mobile monetization will be in Consumer Identity Arbitrage.. with Apple’s framework the clear leader.

Fourth Phase – Value Orchestration

I discussed this in Value Creation and Distributed Innovation, Static Strategies and the Rewiring of Commerce and in Future of Retail.

In this phase we will see real world changes to how Commerce is conducted, including: store formats (footprint, layouts, inventories), advertising, online/omni channel, customized products (by region and individual), local sourcing of goods, new intermediaries, brokering of: trust, identity, anonymity,…..etc.

Retailers and Mobile Network operators will begin to translate their distribution and data advantages into new platforms. Big data will be used to project your behavior, and recommendations will be targeted to you. I’m not going to go into much detail here, as this is where most of my big bets are…..

This is not a good wrap up.. but I have work to do.

Next Blog: Targeting and Attribution

Perfect Authentication… A Nightmare?

4 Nov 2013

Long blog.. load of typos

As I’ve stated before, this blog has been a great way to make new friends and stay in touch with my 100s of friends and former employees around the world. When you are in a small company you tend to lose touch with what else is going on as you no longer have 1000s of folks feeding you market intelligence. Small companies live and die by the risks they take, and I’m primarily focused on reducing risk by sharing G2 and perspective.

Industry History (experts can skip this section)

I’m fortunate to have worked with some of the best teams in both Security and Fraud areas. Back in 1998 I ran Oracle’s Payment and Security National Practice where we did things like PKI, Single Sign On, as well as Oracle’s first Java application: iBill and Pay (built on Oracle’s first Application Server OAS which scaled to 40 users regardless of hardware). I switched from the tech side to the business side in ’02, and can assure you that running online Banks keeps you in the security AND Fraud space. In 2008 I left Citibank to go to 41st Parameter (just acquired last month by Experian). 41st Parameter was founded by a visionary fraud prevention guy.. Ori Eisen, with a focus on device ID.

From a Commercial/operational perspective there is always friction between the security teams and the Fraud/Operations teams. The security teams are always working to enhance security, the fraud and operations teams are always working to mop up the mess from any holes in security and create proactive processes by which they can stop it. As I said in my blog last week, if I let security guys have their way with authentication …. customer experience would be awful.. and no one would use online banking. Hence we have services like Risk Based Authentication, Honey Pots, Fraud Controls, …

This same Security vs. Fraud dynamic plays out in payments. From the 1970s to the 1990s banks had built their authorization infrastructure around tools like HNC’s Falcon to create rules based authorization, with daily tuning of rules based upon fraud. Today Banks continue to invest billions of dollars in fraud and risk infrastructure (see blog). The metaphor for competition here:

If you are camping with your friends and a hungry bear comes to your campsite.. you don’t have to be faster than the bear.. you just have to be faster than at least one other camper.

Thus the rule of thumb: fraudsters always attack the easiest target. Big bank billion dollar fraud platforms thus drive fraud to smaller competitors. This enables the large banks with sophisticated controls to derive higher margins in payment products, which drives incremental investment.  This is one reason why large US banks are so resistant to EMV (it levels the playing field). Fraud numbers in the US are not well reported, the best data is from my friend in the UK (see UK Card Association).  Large US banks were not involved (or informed) of Visa/MA’s plans to mandate EMV. As one CEO told me personally “Tom .. to this DAY Visa has never come by my office to discuss EMV, I found out about it the same way you did.. in a PRESS RELEASE.. “ [Top 3 Issuer].

In the late 90s Banks were not prepared for Card Not Present (CNP) Transactions that came from eCommerce. Their fraud systems (ex HNC Falcon rules) were not tuned for this type of transaction. Actually, banks really didn’t care much here because 100% of fraud loss was borne by the merchant. The only Bank impact was helping the customer deal with fraud (and reissuing cards). Thus RETAILERs began investing in Fraud systems and 3rd Party specialists (GSI, CYBS, 41st P, Digital River, 2CO, PayPal, …) emerged to help manage fraud on behalf of retailers. LARGE retailers followed the same path as large banks, investing in custom fraud infrastructure (ie Amazon, Apple, Google, Airlines, …).

Banks thus ceded eCommerce risk management to 3rd parties until around 2003 when 3DSecure was developed (See Wiki. Implemented as VBV by Visa and MSC by Mastercard). Merchants were incented to adopt the scheme by a liability shift (to banks) and an interchange reduction of 5-10bps. Rollout of the scheme in Europe was a disaster (see UK Guardian). Banks now owned a mountain of new fraud losses (as 3DS technology was broken), with only ONE tool to address: Decline Transactions. See my 2010 blog and Schneier’s: Online Credit/Debit Card Security Failure.

Mobile

Banks are determined to avoid their prior mistakes, in eCommerce risk/roles,  and take a leadership position in mobile (ie payments, risk, authentication, data, … ). I’ve detailed their efforts in:

Why is mobile so important to Banks?

#1 PRIMARY INTERACTIVE customer touchpoint. 10 years ago, how did you interact with your bank when you were away from home, work and a branch? The only interaction you had was a piece of plastic.  Mobile enables a new class of Services.. but ALL mobile services must add value. The rest of these priorities pale in comparison to consumer touch… Banks are thus experimenting on what they COULD DO with mobile to remake banking.

#2 Authentication. Confirming identity of consumer.

#3 Risk Management. Both gaining additional consumer insight, and enabling new levels of risk control based on this data.

#4 Remaking of Retail Banking (reducing cost to serve)

#5 Mobile Payment.

#6 Partnerships. Sales, Distribution

I’ve touched on #1 many times, but before I go to Authentication/Authorization/Risk, let me provide a brief recap of my many blogs covering the “other services”. As I outlined in Card Linked Offers, what Banks don’t realize is that just because you CAN interact with the consumer doesn’t mean that the consumer WILL. You must actually deliver VALUE if you want to capture consumer TIME. Having run 2 of the largest online banks I know what customers do. Retail Customers log in 3 times a week, check their balance, pay a bill or two and log off (180 seconds later). Bank CEOs.. I gave my recommendation on what you SHOULD be doing in my Bank NewCo blog.

Authentication – THE Linchpin

As I stated in Who do you Trust,

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

Hardware is evolving to software (from NFC to the SIM). … If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (drive, Google Now, Commerce, …). The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

What we will see at Money 2020, is that there is an all-out war going on for the Trust role: Banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.

and in Authentication – A Core Battle for Monetizing Mobile

As Ross Anderson said “if you solve for authentication.. everything else is just accounting”. Think of how much bank infrastructure is dedicated to authentication of the consumer and risk/fraud management. This infrastructure was built over last 30 years because there was VERY poor ability to authenticate a consumer (ex. signature and possession of card) AND inconsistent CONNECTIVITY at each commercial “node” touching the transaction. Today we have complete connectivity, but the MODEL has not evolved from its archaic past.

Beyond Authentication, mobile also plays SUBSTANTIALLY on the risk side, as it enables Banks to interact OVERTLY and COVERTLY with the customer. For example, a risk system could ask: is the customer’s cell phone within 20 yards of their transaction (at X merchant)? Or it could even issue the customer a one-time PIN (or PIN request) to complete the transaction.
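The covert proximity check and the overt one-time PIN described above, sketched as an added example (not code from this blog or from any bank's risk system). The transaction and location field names, the sample coordinates and the use of RFC 4226 HOTP to generate the PIN are assumptions.

```python
import hashlib
import hmac
import math
import struct

EARTH_RADIUS_M = 6_371_000
MAX_DISTANCE_M = 20 * 0.9144  # the text's "within 20 yards", in metres

# Constructed sample transaction; field names and coordinates are assumptions.
SAMPLE_TXN = {"merchant": "X", "lat": 36.1215, "lon": -115.1696}


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time PIN per RFC 4226 (HOTP is this example's choice, not the blog's)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def assess(txn, phone_fix):
    """Covert check: APPROVE if the phone is provably near the merchant,
    otherwise STEP_UP to the overt one-time PIN. Never a hard decline here."""
    if phone_fix is None:
        return "STEP_UP"  # no location signal at all
    if phone_fix.get("accuracy_m", 0.0) > MAX_DISTANCE_M:
        return "STEP_UP"  # fix too coarse to resolve 20 yards
    d = distance_m(txn["lat"], txn["lon"], phone_fix["lat"], phone_fix["lon"])
    return "APPROVE" if d <= MAX_DISTANCE_M else "STEP_UP"


def verify_pin(secret: bytes, counter: int, submitted: str) -> bool:
    """Overt check: compare the customer's PIN in constant time."""
    return hmac.compare_digest(hotp(secret, counter), submitted)
```

A missing or coarse location fix leads to the PIN challenge rather than a decline, so a customer with location services switched off is asked, not locked out.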

Perfect Authentication – A threat to Banks?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

If we made an inventory of payment systems (technical investment) between merchant and consumer bank, we would see that today’s systems, processes and rules would be DESTROYED by a future state of connectivity and authentication. I’m sure this one line statement will be questioned “prove it”, but I don’t have time.. I’ll leave it to someone else. Take this statement for what it is: my opinion.

Authentication is 0-1, Risk and Fraud deal in shades of grey. For example, if there is a CHANCE that Joe Smith is really at the end of the transaction, and he is my wealth customer, I’ll let him in the door, see what he wants to do and then risk it based on it. I certainly won’t LOCK HIM OUT. Another example, if I could authenticate a customer why do I need to make the transaction secure? This is the BEAUTY of the Square “pay with your name” scenario. Why do I need tokens? Someone just needs to map consumer ID to payment types.

The very concept of payment “products” begins to dilute. No more credit, debit, pre-paid, Amex, ACH, check, … In a world of perfect Authentication “old line” products evolve toward dumb pipes as competition shifts to speed and cost (not risk).

From Cash Replacement

Networks are designed around a value proposition.  For payments to flourish, a coordinated system of instructions which can be read by trusted participants is necessary. Providers of payment services must consider what network participants are providing in order to collaborate in risk management and settlement; the greater the number of consumers and businesses that participate, the greater the collaboration and interdependency. As more people adopt the payment system, its value increases, since it provides access to more people; this encourages larger networks. Not only do the benefits increase as the network expands, but the per unit cost of service falls. This behavior is the basis for what economists refer to as a “network effect”.

Once a payment system reaches a “critical mass”, economic value will be created at the ends of networks. At the core (the point most distant from users), generic, scale-intensive functions will consolidate. At the periphery (the end closest to users), highly customized connections with customers will be made. This trend pertains not only to technological networks but to networks of banks as well as small merchants and even to consumers who engage in shared tasks. From a payment network perspective, this means that the “routing” of payments will provide much less revenue opportunity than managing the end points (e.g. the customer interaction or the products which are sold on the network).

…] Payment networks are inherently “sticky” with investments required by consumers, merchants, and banks for effective functioning. Payment networks also have substantial government involvement to support Commerce and Treasury functions that ensure stability, resilience and protection of parties. Innovation in payments is challenged by this network dynamic. As most small companies know, getting a bank to make a decision is tough… but nothing compared to getting 4-6 groups (issuers, acquirers, merchants, MNOs, Regulators, networks, ..) to collaborate in making coordinated change. A level of difficulty that is only superseded by the challenge new entrants face in competing directly against these existing networks.

A truly jaw dropping piece of research was completed last month by NYU’s Thomas Philippon (http://www.voxeu.org/article/where-wal-mart-when-we-need-it).

The cost of intermediation grows from 2% to 6% from 1870 to 1930. It shrinks to less than 4% in 1950, grows slowly to 5% in 1980, and then increases rapidly to almost 9% in 2010

In other words Payments and Banking are one of the few network businesses in the HISTORY OF MAN to grow less efficient (rail, telecom, energy, …). This is BY DESIGN as the orchestrators of banking have successfully created constructs to squeeze COMMERCE. Further demonstrating that existing payment networks are incapable of leading ANY FORM of creative destruction. As I stated in Commerce Battlefield

Mobile is a platform which enables a radically improved customer experience. With respect to payments it also offers a unique ability to authenticate a consumer (fingerprint, GPS, cell tower location, voice, camera, …). Yet, no banks are looking to leverage these “new” capabilities in a “new” payment system. After all, given a clean sheet of paper, no one in their right mind would design a payment system like we have in Visa/MA: present a credential to a merchant, who passes to a processor, who passes to network and routes to issuer to approve a customer transaction… giving the auth to everyone in the chain again.. and getting back another message. If everything is connected why not just ask the consumer to send the money from their bank (ex. Sofort, Push Payments; also read Banks will Win in Payment).

Why? Well because Banks can’t make money in a Sofort model.. (would need to create all new merchant agreements). This is why Banks are going through contortions to stay within Visa/MA, yet attempting to alter it fundamentally (ie Tokens). … (Also see Push Payments)

Regulation… the KEY

Payments, telecom, commerce, customer data, … all are regulated (merchants … not so much). Banks are completely justified in seeking solutions to their current regulatory burden. After all they bear most of the AML, BSA, CFPB, FED, OCC, .. burdens here. What needs to happen is that regulators must allow non-bank entities to bear risk. This is where innovation occurs. See blog US Payment Innovation and Regulation