iPhone 6 – Apple’s Strategic Opportunity

8 September 2014

We are likely to see much innovation in the iPhone 6, but I suspect there is even more innovation that we won’t see. The purpose of today’s blog is to help my friends navigate through the coming tsunami of press to what really matters. What are the things I’m looking for? If you are looking for a list of new iPhone 6 features in this blog.. you will be sadly disappointed.. I’m much more attuned to payments, network strategy, commerce, security/Auth.. admittedly myopic. Note: payments stuff is in the last paragraph.

Tomorrow

Don’t get caught up in buzzwords like NFC, payments, tokens, BLE, Secure Enclave. Will it have a new security architecture? Yes, industry leading from hardware through firmware, OS and Apps.. Will the iPhone be able to do payment? Sure… Emulate a hotel door room key? Yep, in fact it could virtualize and emulate any chip card including the GSM SIM. Yet focusing on this stuff is kind of like talking about what the internet could do… can I email my Aunt in Singapore? Buy a book from a seller in Seattle… The key question for investors and start ups in the Valley is: HOW WILL THE iPHONE 6 CHANGE COMMERCE?

Why am I excited about the iPhone 6? It is the dawning of a new age of mobile “platform”. This leads to the obvious question of: what is a platform, and how can anyone lead it? My favorite book on platforms is Platform Leadership: How Intel, Microsoft and Cisco Drive Industry Innovation. The authors provided a great model to assess the 4 Levers of Platform Leadership

  1. Scope of Firm: What is done inside, how they encourage outside investment and focus
  2. Product Technology: Architecture, Interfaces, Modularity, What do they expose to partners?
  3. Relationship with Complementors: Support of Complementors, acting on ecosystem needs, path to consensus and standardization, profitability
  4. Internal Organization: What is the “core”, and how are resources allocated to core activities vs support for partners.

Apple has a massive check mark in #2 (Product Technology), as they are 3-5 years ahead of every handset maker (integrated hardware thru OS and Software). How do we measure this lead? Admittedly technology is a little harder to quantitatively measure than financials and market share, so for the latter: Apple captures 70% of industry profits (from 18% market share), #2 in consumer brand (behind Google), and #1 in retail sales per square ft. Most would agree it’s hard to get to these stratospheric numbers on crappy hardware.

On the technology side, Apple is the only vendor (since RIM) to have developed a secure mobile platform for biometrics, encryption, smart card emulation, …etc. All using a proprietary architecture from A8 Processor, Secure Enclave, OS, Apps and integrated into cloud services. For example, Apple has thrown the GSMA’s NFC under the bus in favor of their own unique design. I think of it this way: RIM started with security in mind and then tried to bolt on a browser and other features consumers wanted beyond secure e-mail. Apple started with the consumer and is now (with the iPhone 6) rolling out the most secure mobile platform in history. I believe Google is 18mo-3yr behind (with ARM/TEE and SE Linux) primarily because they don’t have the same HW control as Apple (see Secure Element, NFC, HCE, EMV, Tokens and Cards).

From a platform perspective the REAL question is Can Apple pull levers 1, 3 and 4?

Platform Leadership

Most all of us know the Microsoft/Intel Story (see reference). WINTEL’s pace of innovation crushed Apple by creating industry standards (ex PCI Bus) and allowing hundreds of companies to specialize on many subcomponents (drives, processors, applications) which further increased performance, decreased price and expanded usage… which in turn drove more investment. Intel’s Architecture Lab (IAL) was the centerpiece of this success: an investment in defining and supporting the platform (ex the common infrastructure “bus”) that allowed for specialization and defined interaction (and accelerated Intel’s dominance). No one asked Intel to lead.. they TOOK IT (with great success). Leadership is not creating APIs and taking a 30% cut of revenue, it is recognizing that a business where 100s of companies can succeed is a much bigger business. This is particularly true in Commerce.

In physical commerce, I look at Visa and Mastercard as the best “commerce” platforms. This comment will draw ire from all my merchant friends, but it is factual (total volume processed). The beauty of the V/MA business model is that 1000s of banks invest (and merchants pay) billions of dollars to make this work. They have struck a tremendous balance between bank, consumer, and merchant. They have become the standard for interaction. One that will start to shift significantly toward merchants in next decade (for another blog).

With respect to platforms and mobile, I was in Hong Kong last year constructing scenarios with a major investment bank, with the key question: Where will value flow in mobile once handset hardware is a commodity? (Battery life, processors, screen resolution, are all good enough). What are the FACTORs of competition today? Can someone else change the game? I went through this analysis in my blog on Stage 4 Value Shift.

As we look for where the form of mobile competition may change, it would seem to be outside: hardware, software and network bandwidth. If hardware is good enough, and not the primary factor of competition, it must be software, services or data that will drive competition in the next phase… If platform is decided on software only.. then software platform with most open standard and most users (ANDROID) should dominate as any connected devices (handsets and everything else) have lower cost and more ability to “specialize”, particularly if intelligence is in the network (not the device).  But software is currently not the point of competition either… If not DEVICE software, or hardware, or network connectivity.. then what?

 

… Orchestration and Trust: as the mobile phone transforms into the networked device “bridging” the virtual and physical world, value (and profitability) will shift from platforms executing transactions to coordinating interactions.

Apple’s greatest asset is its ability to change consumer behavior (see blog Apple and Physical Commerce, and Consumer Behavior). Apple’s reputation is well deserved and earned “the hard way” by remaking: phones, music, mice, computers, apps, …etc. Through consistent delivery of value within fantastic hardware delivering great (and fun) consumer experiences they earned trust for their products and brand. The greatest NEW opportunity for Apple is to influence consumers beyond the individual (music/contacts/calendar) and eCommerce (browser, apps) to the real world: Commerce. Apple’s core gap? How will it allow for investment, specialization and define interaction of aligned participants?

Commerce Platform

I’m assuming Apple will get its consistent A+ in hardware, and there will be a bundle of new capabilities in the phone and connected devices (ie iWatch). But commerce is between a consumer and a merchant/manufacturer. What “platform” will exist to assist Merchants? What is Apple’s role in mediating platform (and consumer) with the merchant (beyond the app store)? How will Apple enable 100s of other companies to invest billions of dollars to make its Commerce Platform the centerpiece of value orchestration? Beacons (see Apple iBeacon Payment Experience)?

Google, Amazon, Facebook, all organize millions of businesses, and billions of consumers. Apple is missing the business side… in a BIG way (remember iAd). From a network strategy perspective, Apple has created a consumer focused nodal platform (vs hub centered orchestration). They certainly have the opportunity to create a hub (ie iCloud), but their hardware centric organization may keep this from maturing (Lever 4). Thus Apple is 5 years behind Amazon, Google, Facebook in delivering value to merchants, and orchestrating Commerce. As I stated above, handsets are becoming a commodity, Apple’s new handset will not lead in screen resolution or battery life.. consumers will start to look at the VALUE it provides in connecting to other REAL WORLD businesses.

A January 2001 Harvard Business Review Article: Where Value Lives in a Networked World put it this way:

In more general terms, modern high-speed networks push back-end intelligence and front-end intelligence in two different directions, toward opposite ends of the network. Back-end intelligence becomes embedded into a shared infrastructure at the core of the network (cloud), while front-end intelligence fragments into many different forms at the periphery of the network, where the users are. And since value follows intelligence, the two ends of the network become the major sources of potential profits. The middle of the network gets hollowed out; it becomes a dumb conduit, with little potential for value creation. Moreover, as value diverges, so do companies and competition. …. In a connected world, intelligence becomes fluid and modular. Small units of intelligence float freely like molecules in the ether, coalescing into temporary bundles whenever and wherever necessary to solve problems.


Apple’s strategic opportunity is to orchestrate these information bundles and consumer insight in a way WHICH THE CONSUMER CONTROLS. This was the focus of my previous Apple Strategy Blog: Apple’s Platform Strategy: Consumer Champion.  Unfortunately, it seems that Apple’s management team may be so hardware focused that they are missing this opportunity. Retailers like Nordstrom, Macy’s, CVS, and Starwood will show (tomorrow) how excited they are to work with Apple. But Apple needs a version of Intel’s IAL, that is focused on Retailers, Gimbal and Commerce.  Actually, I believe Apple’s gap here is so large that they must find a way to partner/acquire someone else in this space (not paypal). This is a $100B opportunity, and if Apple doesn’t move on it, it will be left competing on screen resolution, and hyper sensitive affluent consumers seeking data privacy.  (Note to Apple, one of my companies would love to pitch you a few ideas here).

My top strategy questions for tomorrow

  • Does Apple see strategic growth for iPhone as working in real world (Commerce)?
  • What level of investment/support will Apple give to “community”? How (IAL)?
  • Where does Apple “Stop” and partners “stop”?
  • Apple’s organization.. anything changing? Is it still H/W dominated?
  • Apple’s phone is no longer differentiated by external features.. so what is different and why is it valuable to consumers? Merchants? (Can Tim articulate)
  • Does Apple see itself as the Consumer data/privacy champion? How do you monetize anonymity?
  • How will retailers work with Apple?
  • How will beacons be supported?

Security, Authentication and Anonymity

The biggest features we will see (IMHO) surround  how Apple is completely reworking the role of authentication and security in the platform (see iPhone 6 Secure Enclave, great article from Networked World). Apple’s proprietary mechanisms for “smart” card emulation (credit card, hotel door key, transit pass) will impact many, many industries (see Authentication in Value Nets).  Apple has ROCKED THE CART substantially with this capability. My guess is that they will demonstrate the obvious tomorrow with contactless card emulation (V/MA/Amex) and security keys (Starwood hotels). The much more sensitive area is virtualizing the GSM SIM. I believe the iPhone 6 is capable of virtualizing the SIM, I have no idea if they will demonstrate the capability.

From a consumer perspective, the big changes will surround Apple’s efforts to limit ad tracking, which will significantly impact advertisers (see Tech Times). I believe there is hidden genius here as they turn themselves into the ultimate consumer protector… both online and in the physical world. They are the gatekeeper and orchestrator… the only entity that can know what a consumer is doing. Question is can anyone else work with Apple (and the consumer) to request that the gate be opened. For example, will Apple be the primary publisher (please send phone ID 187349387 the following message .. and Apple approves)?

Payment Stuff

Most of my readers are in this area.. so sorry for saving this till last. I described how payments will work in the new iPhone back in March: Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”. The key innovation in iPhone 6 should be credited to Visa and Mastercard: tokens. No longer will Primary Account Numbers (PANs) be sent in the clear as we have with EMV, and NFC today (I know, hard to believe.. see this blog for background). Now if someone steals your phone.. and breaks Apple’s unbelievable security.. they have a number.. that is COMPLETELY worthless.. they can’t use it anywhere. At time of manufacture and OS load, Apple has loaded 6 tokens: Visa credit, Visa Debit, MA Credit, MA Debit, Amex, China Union Pay, (and perhaps a few backups). These numbers are locked up in the secure enclave, they are 16 digits long and are BINs that processors can route to the appropriate network. The networks operate as TSPs (Token Service Providers) and map the Tokens to the Actual Bins. The primary key for the mapping is Token, plus Token Assurance Information, plus Phone ID. Technically.. every one of us could have the same exact 16 digit token and Visa/MA/Amex could still map the correct card based upon the other unique information.
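The mapping described above, sketched as an added example that is not part of the original post and not any network's actual design: a toy TSP vault whose lookup key is token plus assurance information plus phone ID. The class name, the HMAC-based index, and all tokens, PANs (standard test numbers) and phone IDs are constructed assumptions.

```python
"""Toy Token Service Provider (TSP) vault: an illustration, not a real network design."""
import hashlib
import hmac
from typing import Dict, Optional


class TokenVault:
    """Maps (token, assurance info, phone ID) to a PAN, the composite key the post describes."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key        # assumption: vault-side secret for the lookup index
        self._pans: Dict[bytes, str] = {}  # composite-key digest -> real PAN

    def _index(self, token: str, assurance: str, phone_id: str) -> bytes:
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        parts = [field.encode() for field in (token, assurance, phone_id)]
        msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
        return hmac.new(self._index_key, msg, hashlib.sha256).digest()

    def provision(self, token: str, assurance: str, phone_id: str, pan: str) -> None:
        if not (token.isdigit() and len(token) == 16):
            raise ValueError("token must be 16 digits so processors can route it like a card")
        idx = self._index(token, assurance, phone_id)
        if idx in self._pans:
            raise ValueError("this token/assurance/phone binding is already provisioned")
        self._pans[idx] = pan

    def detokenize(self, token: str, assurance: str, phone_id: str) -> Optional[str]:
        # Returns None unless all three parts of the key match a provisioned binding.
        return self._pans.get(self._index(token, assurance, phone_id))


def demo() -> Dict[str, Optional[str]]:
    vault = TokenVault(index_key=b"constructed-demo-key")
    shared_token = "4000001234567890"  # constructed: the SAME token on two phones

    vault.provision(shared_token, "assurance-A", "phone-0001", "4111111111111111")
    vault.provision(shared_token, "assurance-B", "phone-0002", "5500000000000004")

    return {
        # Same 16 digits, different phones: the vault still finds the right card.
        "phone_a": vault.detokenize(shared_token, "assurance-A", "phone-0001"),
        "phone_b": vault.detokenize(shared_token, "assurance-B", "phone-0002"),
        # A token lifted from a phone is useless without the rest of the key.
        "token_only": vault.detokenize(shared_token, "", ""),
        # Assurance data from one phone replayed with another phone's ID also fails.
        "mixed_binding": vault.detokenize(shared_token, "assurance-A", "phone-0002"),
    }


if __name__ == "__main__":
    for case, pan in demo().items():
        print(f"{case:14} -> {pan}")
```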

My biased view is that the networks emulated what Google (under Osama Bedier) put in place 3 years ago as Google also operates this Token environment within their TXVIA acquisition. The big plus for Google is that the consumer can register any card they want, as Google does not charge the banks anything.

The biggest “surprise” over last 2 months is that Apple has squeezed 15-25bps from the 5-6 participating banks at launch (C, BAC, COF, JPM, Amex and perhaps WFC). The challenge for phone wallet companies has always been there is no economic model for them. Banks know that wallets will not work without cards.. for example Apple has little chance of success if Chase, Citi and Cap One don’t participate. Thus someone must have “blinked” and the others followed. No one wants to be left out of the Apple launch. Thus to participate in the Apple wallet, Issuers will need to cough up the fee to Apple. There are 3000+ issuers in the US.. so this may be a little challenging on the consumer side. I also have firm G2 that BAC, C and possibly WFC will enable debit cards (have no idea how these will be priced).

My G2 tells me that the Issuers refused to give on CNP interchange, so even though Apple has tokens and can sign them with same assurance information a “tap” at the POS will have a different rate than an eCommerce/mCommerce CNP transaction. One of my bigger unknowns is how Paypal will play in all this launch. I understand Apple is near launch of an “off Apple” eCommerce payment scheme (?EasyPay?).. will Paypal be the merchant acquirer and white label a PayPal like button (pay with “Apple”).

Strategically, Payments are moving to be part of the Operating System. What does that mean? See blog. My favorite payment quote is from Ross Anderson at a Federal Reserve meeting: “If you solve for Authentication in payments, everything else is just accounting.” This is a key example of how Apple has the potential to completely turn the world of payments upside down. For start ups this means that payment is no longer a specialized function, just as TCP/IP was not in Windows 95 launch.. and became part of the standard stack.. so are payments with iOS and Android. There will be no more Paypals in the future.. A key WIN for Visa, Mastercard and Amex is that Amazon, Apple, and Google are all of one mind: Let consumers pay the way they want to pay.

Arcane payment stuff. I’m more than a little interested in how Apple will actually get paid beyond the honor system. Card emulation applications have no idea who they presented the card to, or size of transaction. Visa/MA/Amex will be able to track transactions, but I don’t know of any formal facility to pay a wallet company within the settlement stream, meaning that the issuers will be cutting the check based upon data that only V/MA and/or the issuer themselves have. So beyond the pure “TSP” role, is there also a role for wallet settlement in the overall V/MA scheme? Optimally, issuers would have one way to register cards for participation in any given wallet; this was a significant flaw in the NFC TSM card provisioning flow. It would be very smart for V/MA to take this on. In other words a new V/MA process for registering card/token scheme/Assurance information/approved wallet (ex HCE).

Merchant Acceptance

My view is that the MUCH larger problem for Apple is merchant acceptance. As I outlined in Apple Payment Experience, Apple did not want to launch within network contactless specifications, they wanted certification of BLE. Apple presented its solution back in August of 2013 and the issuers went “nuts”.. going to V/MA telling them “You are going to let Apple own the PATENT for how a card goes from phone to merchant.. I thought that was your job”. Thus we see the press release on tokenization in Oct 2013 that came out of nowhere. The networks did not want to fragment acceptance infrastructure and give merchants the opportunity to accept Apple BLE and not NFC.

There will be 2 or more merchants moving from MCX to Apple tomorrow, one rumored is CVS. Of course they could still accept MCX, but rumor is MCX agreement precludes other forms of mobile payment acceptance. Payment acceptance is no peripheral battle to merchants. This is a VERY VERY big deal and I don’t believe Apple understands it at all. Net margin in retail is around 2.6%, so taking a 225bp card is VERY MATERIAL. Retailers tell me that mobile is the #1 thing they think about in strategy, and they are quite confident that they are in the best position to influence consumer adoption and value creation (ala Starbucks). My hope is that Apple can work out its desired BLE experience directly with MCX retailers.. and let the merchant/consumer decide how all this works. See Value Creation and Distributed Innovation, Static Strategies and the Rewiring of Commerce, and Future of Retail.

How will the iPhone 6 Change Commerce?

Remains to be answered pending Apple’s platform support strategy. Where does Apple see its role in value creation? (Or does Apple just see a role in consumer protection?) The Google, Amazon roadmap is much clearer to me.. I don’t want to buy into a hardware company.. hardware is becoming a commodity, value orchestration is the $100B+ opportunity.

This is not a clean wrap up.. but my football game is on and I want to watch it.

 

 

 

Authentication – In “Value” Nets

March 3, 2014

Today’s blog brings together: the Role of Authentication in Value Orchestration, Apple’s Role in Commerce, Constructs for Compensating Authentication Agents, and Ability of Payment Networks to Adapt. The ability of other parties to assume risk in payment is the key shortcoming of all of our existing payment systems (see last week’s Blog). The recent activities around tokens can best be explained through this Risk Lens.

My use case for today: Assume Apple has the best biometrics system on the planet, and Consumers trust Apple with all their credentials. How can non-Apple Service Providers use Apple’s Authentication service (pay them)? As I outlined in Who do you Trust (Sept 2013)

The “KEY” [prerequisite] in value orchestration is owning the Consumer relationship. Therefore Identifying and Authenticating the Consumer is the first, primary, service that must be owned by a platform.  What was a separate “Trusted Services Manager” in the NFC world has been co-opted by platforms which will take a proprietary route.

This goes hand in hand with my other favorite payment quote from Ross Anderson with respect to payments:

If you solve for Authentication.. Everything else is just accounting

The Role of Payments in Commerce

As I’ve stated before payment is just the last (easiest) phase of a long commerce process that involves design, manufacturing, marketing, advertising, retail, payment, …etc. (see Payment enabled CRM). Payment is the key PROCESS by which these parties measure the effectiveness of their activities (think attribution). To measure effectiveness (and value) participants tie their activity to Consumer and: items, activities, processes, and behaviors. Answering questions like “did the consumer see our ad on facebook?”, “did our campaign influence the consumer’s buying behavior”?

Before we can assess the value of Apple’s Authentication we need to identify the processes and participants that can use the service. My bias is that the greater value to be unlocked is around attribution rather than payment (as a side note Apple has constructed a new platform to manage an Advertising Identifier around this “identity arbitrage”). My personal bets are around the hypothesis (outlined in Apple and Commerce) that Apple’s biggest asset is their ability to change consumer behavior, and that they are working to make the iPhone the centerpiece of physical commerce (not payment). However, since I have no interest in writing a novel on the subject, I’ll give my highly condensed views on authentication in today’s payment instruments.

Value of Authentication in Payments

What is value of authentication in payments? To whom does the value accrue? We should not assume payment methods will change in anything shorter than a 20 yr horizon (analysis of value in existing payment networks). The value flow in a 4 party payment network is fairly simple: Merchant pays with the Issuer receiving 80% of the revenue. Any payment for Authentication must therefore come as “cost” to the issuing bank. There are 5 models for extracting authentication fees from Banks:

  • Bank chooses to pay (or exchange something of value … like data)
  • Network forces payment
  • Authentication provider forces payment
  • Consumers force payment, or Choose to pay themselves
  • Regulators force payment

Optimally a service cost would be based upon value (if the value declines … the cost should decline). Of course nothing in payments works this logically. Issuers like to have all the control, so that they can retain all the margin. In fact, Top Issuers would be fine keeping mag stripe with no authentication (see Perfect Auth… a Nightmare to Banks). Perfect authentication would eliminate all risks not credit related (ex ability to pay). It would therefore be very hard for Banks to justify any payment fees (interchange) beyond the cost of operation. Banks make their money on the ability to manage risk (not eliminating it). Mobile Authentication (biometrics) provides a mechanism to reduce risk outside of the bank’s services.

Startups.. this is the challenge in selling banks improved risk management or identity solutions that are not in their control. It is also why Banks want their services manifested through applications they control (not others). However, Banks must live in a world where their payment product does live outside of their environment (not that they like it, but Amazon does have a little potential to sell :-)).

A recent example of external network driven services: Verified by Visa (VBV) and Mastercard Secure Code (MSC). VBV/MSC rolled out in 2003 (Europe) and shifted eCommerce CNP risk to Banks. It was a complete and utter failure, not just from a tech view but also from a customer experience and business model. Merchants were incented to put the technology in place (10bps and fraud shift to Banks). VBV/MSC failed to catch the fraud… who was motivated to fix the flaws? Not the merchants.. they had given the fraud loss to the Banks and received a discount. It was rather the Banks, which were left with declines as their only tool (as I outlined in Perfect Authentication – A Nightmare for Banks). In other words, Banks had no way to pay the merchant to do a great job at managing risk in VBV/MSC, but only penalize a merchant for poor performance (through declines). This is why we don’t see VBV or MSC running in Amazon, Apple, Paypal, … etc.. Merchants fear declines much more than they do managing the fraud.

But how do Banks pay external parties (ex Experian, EWS, …) for assisting in the risk management of payments? Usually a per transaction fee of $2-$5 in account opening, and then 10bps for transaction risk scoring (think check verification, although not all transactions need to be scored). The Networks themselves offer services for authentication and account management.

Authentication Fee Structures

Issuer Controlled

  • Interchange Rate Reduction ~15-30 bps based upon performance
  • Fraud Shift (for CNP + Auth in eCommerce)
  • Data Sharing (quid pro quo)

Network Controlled

  • New Category – Mobile Card Present with Authentication (30bps below current)
  • Network Enhancement Fee – Charged to Issuer (for Token and for Auth)

Platform Controlled

  • Authentication Fee (Nothing gets passed to Issuer unless they choose to use service)
  • Network support of new field(s) for Authentication information

My preference (for Authentication) would be for last item in the list, where Apple and Google assess an authentication fee to Banks which choose to leverage Authentication. This allows for performance based pricing. If the service is not providing benefit to the Banks, it is stopped. Issuers which invest in using the service will receive benefits that can be passed to consumer.

Oddly enough the danger in this approach is for Visa and Mastercard. As Issuers work with Google and Apple directly, it provides them an opportunity to end-run V/MA and define their own rules for CP/CNP, as well as Tokenize their existing portfolio and gain access to data.

Mobile Auth and Payments – Today

The scenario on biometrics and tokens is happening today… Apple’s new iPhone will have biometrics, a secure enclave, and patented Point of Sale Interaction. Host Card Emulation has evolved so quickly because Banks were told by Apple that they would have to pay for their cards operating within Apple’s scheme. As I outlined in Token Acceleration, the Banks responded by telling V/MA “we are not going to let our Cards operate under an Apple Patent… you guys killed our TCH project and said you would own this… so are you owning it or not?” Hence we have this Press Release.

The networks are committing a fair amount of brain power here. Clearly the benefits and control of a token led scheme will flow quickly to issuers unless there is a solid process to lock up the token standards and token translation. For example, assuming V/MA certify an HCE scheme that provides for “transparent” EMV compliant Paypass transaction.

This is why NO ONE has seen the token spec… and why it is not evolving as quickly as hoped. Not only must V/MA/Amex make the Spec functional, they must also work to control the token creation, authentication and routing rules. Arrggghhh…

Big Picture Thought

What we REALLY need is a payment network where risk and data can be owned by non-banks (selectively). This was my input to the Federal Reserve, and the driver behind last week’s post Risk: Carving it up in Payments. Real time payments is not holding up innovation, the ability to take risk and manage it is (just as it is in our economy). While I believe Ross Anderson’s view that Authentication is the key to value, the dumb pipes are all owned by non-aligned Banks.

What if American Express created a new payment network that allowed for merchants to selectively own risk for clearing? In this model, Amex could operate as charge card, Bank, prepaid card, or link to another banked account. Merchants could assume risk depending on consumer history, payment type, purchase type, reputation, … Some merchants would choose to allow the consumer to decide. Others (like Grocery and WalMart) would encourage the consumer to choose the lowest cost instrument (selective settlement risk), or even change their relationship (banking, data sharing, … ).

If the value of authentication and the value of “payment” is not in settlement and risk but in the attribution, then we must have much more flexibility and consumer participation. What will glue together these new Value Nets?

 


 

Perfect Authentication… A Nightmare?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

4 Nov 2013

Long blog.. load of typos

As I’ve stated before, this blog has been a great way to make new friends and stay in touch with my 100s of friends and former employees around the world. When you are in a small company you tend to lose touch with what else is going on as you no longer have 1000s of folks feeding you market intelligence. Small companies live and die by the risks they take, and I’m primarily focused on reducing risk by sharing G2 and perspective.

Industry History (experts can skip this section)

I’m fortunate to have worked with some of the best teams in both Security and Fraud areas. Back in 1998 I ran Oracle’s Payment and Security National Practice where we did things like PKI, Single Sign On, as well as Oracle’s first Java application: iBill and Pay (built on Oracle’s first Application Server OAS which scaled to 40 users regardless of hardware). I switched from the tech side to the business side in 02, and can assure you that running online Banks keeps you in the security AND Fraud space. In 2008 I left Citibank to go to 41st Parameter (just acquired last month by Experian). 41st Parameter was founded by a visionary fraud prevention guy.. Ori Eisen, with a focus on device ID.

From a Commercial/operational perspective there is always friction between the security teams and the Fraud/Operations teams. The security teams are always working to enhance security, the fraud and operations teams are always working to mop up the mess from any holes in security and create proactive processes by which they can stop it. As I said in my blog last week, if I let security guys have their way with authentication …. customer experience would be awful.. and no one would use online banking. Hence we have services like Risk Based Authentication, Honey Pots, Fraud Controls, …

This same Security vs. Fraud dynamic plays out in payments. From the 1970s to the 1990s banks had built their authorization infrastructure around tools like HNC’s Falcon to create rules based authorization, with daily tuning of rules based upon fraud. Today Banks continue to invest billions of dollars in fraud and risk infrastructure (see blog). The metaphor for competition here

If you are camping with your friends and a hungry bear comes to your campsite.. you don’t have to be faster than the bear.. you just have to be faster than at least one other camper.

Thus the rule of thumb: fraudsters always attack the easiest target. Big bank billion dollar fraud platforms thus drive fraud to smaller competitors. This enables the large banks with sophisticated controls to derive higher margins in payment products, which drives incremental investment.  This is one reason why large US banks are so resistant to EMV (it levels the playing field). Fraud numbers in the US are not well reported, the best data is from my friend in the UK (see UK Card Association).  Large US banks were not involved (or informed) of Visa/MA’s plans to mandate EMV. As one CEO told me personally “Tom .. to this DAY Visa has never come by my office to discuss EMV, I found out about it the same way you did.. in a PRESS RELEASE.. “ [Top 3 Issuer].

In the late 90s Banks were not prepared for Card Not Present (CNP) Transactions that came from eCommerce. Their fraud systems (ex HNC Falcon rules) were not tuned for this type of transaction. Actually, banks really didn’t care much here because 100% of fraud loss was borne by the merchant. The only Bank impact was helping the customer deal with fraud (and reissuing cards). Thus RETAILERs began investing in Fraud systems and 3rd Party specialists (GSI, CYBS, 41st P, Digital River, 2CO, PayPal, …) emerged to help manage fraud on behalf of retailers. LARGE retailers followed the same path as large banks, investing in custom fraud infrastructure (ie Amazon, Apple, Google, Airlines, …).

Banks thus ceded eCommerce risk management to 3rd parties until around 2003 where 3DSecure was developed (See Wiki. Implemented as VBV by Visa and MSC by Mastercard). Merchants were incented to adopt the scheme by a liability shift (to banks) and an interchange reduction of 5-10bps. Rollout of the scheme in Europe was a disaster (see UK Guardian). Banks now owned a mountain of new fraud losses (as 3DS technology was broken), with only ONE tool to address: Decline Transactions. See my 2010 blog and Schneier’s: Online Credit/Debit Card Security Failure

Mobile

Banks are determined to avoid their prior mistakes, in eCommerce risk/roles,  and take a leadership position in mobile (ie payments, risk, authentication, data, … ). I’ve detailed their efforts in:

Why is mobile so important to Banks?

#1 PRIMARY INTERACTIVE customer touchpoint. 10 years ago, how did you interact with your bank when you were away from home, work and a branch? The only interaction you had was a piece of plastic.  Mobile enables a new class of Services.. but ALL mobile services must add value. The rest of these priorities pale in comparison to consumer touch… Banks are thus experimenting on what they COULD DO with mobile to remake banking.

#2 Authentication. Confirming identity of consumer.

#3 Risk Management. Both gaining additional consumer insight, and enabling new levels of risk control based on this data.

#4 Remaking of Retail Banking (reducing cost to serve)

#5 Mobile Payment.

#6 Partnerships. Sales, Distribution

I’ve touched on #1 many times, but before I go to Authentication/Authorization/Risk, let me provide a brief recap of my many blogs covering the “other services”. As I outlined in Card Linked Offers, what Banks don’t realize is that just because you CAN interact with the consumer doesn’t mean that the consumer WILL. You must actually deliver VALUE if you want to capture consumer TIME. Having run 2 of the largest online banks I know what customers do. Retail Customers log in 3 times a week, check their balance, pay a bill or two and log off (180 seconds later).  Bank CEOs.. I gave my recommendation on what you SHOULD be doing in my Bank NewCo blog.

Authentication – THE Linchpin

As I stated in Who do you Trust,

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

Hardware is evolving to software (from NFC to the SIM). …[ If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (drive, Google Now, Commerce, …).  The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

What we will see at Money 2020, is that there is an all-out war going on for the Trust role: Banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.

and in Authentication – A Core Battle for Monetizing Mobile

As Ross Anderson said “if you solve for authentication.. everything else is just accounting”. Think of how much bank infrastructure is dedicated to authentication of the consumer and risk/fraud management. This infrastructure was built over last 30 years because there was VERY poor ability to authenticate a consumer (ex. signature and possession of card) AND inconsistent CONNECTIVITY at each commercial “node” touching the transaction. Today we have complete connectivity, but the MODEL has not evolved from its archaic past.

Beyond Authentication, mobile also plays SUBSTANTIALLY on the risk side, as it enables Banks to interact OVERTLY and COVERTLY with the customer. For example a risk system could ask: is the customer’s cell phone within 20 yards of their transaction (at X merchant).  Or even issue the customer a one-time PIN (or PIN request) to complete transaction.
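The covert check (is the phone within 20 yards of the merchant?) and the overt fallback (a one-time PIN) described above can be sketched as follows. This is an added example, not code from the original post or from any bank's system; the function names, the fix-age and PIN-lifetime thresholds and the coordinates used with it are assumptions made for illustration.

```python
import hmac
import math
import secrets
import time
from dataclasses import dataclass

LIMIT_M = 20 * 0.9144   # "within 20 yards" from the text, in metres
MAX_FIX_AGE_S = 120     # assumption: an older fix says nothing about "now"
PIN_TTL_S = 180         # assumption: lifetime of a one-time PIN


@dataclass
class Fix:
    """Location fix reported by the handset."""
    lat: float
    lon: float
    accuracy_m: float   # radius of uncertainty around (lat, lon)
    age_s: float        # seconds since the fix was taken


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def proximity(fix, m_lat, m_lon):
    """Classify the phone as 'near', 'far' or 'unknown' relative to the merchant."""
    if fix is None or fix.age_s > MAX_FIX_AGE_S:
        return "unknown"
    d = distance_m(fix.lat, fix.lon, m_lat, m_lon)
    if d + fix.accuracy_m <= LIMIT_M:   # whole uncertainty circle is inside
        return "near"
    if d - fix.accuracy_m > LIMIT_M:    # whole uncertainty circle is outside
        return "far"
    return "unknown"                    # the fix cannot settle the question


class PinChallenge:
    """Single-use, expiring one-time PIN for the overt step-up."""

    def __init__(self, now=None):
        self.pin = f"{secrets.randbelow(10**6):06d}"
        self.expires = (time.time() if now is None else now) + PIN_TTL_S
        self.used = False

    def verify(self, candidate, now=None):
        now = time.time() if now is None else now
        if self.used or now > self.expires:
            return False
        self.used = True   # burned on first attempt, right or wrong
        return hmac.compare_digest(self.pin.encode(), candidate.encode())


def authorize(fix, m_lat, m_lon):
    """Covert check first; anything short of 'near' becomes an overt PIN request.

    Location alone never declines the transaction: a 'far' or 'unknown'
    result only raises the bar, which keeps the decision in shades of grey.
    """
    if proximity(fix, m_lat, m_lon) == "near":
        return "APPROVE", None
    return "STEP_UP", PinChallenge()
```

A stale or low-accuracy fix lands in "unknown" rather than "far", so poor GPS reception costs the customer a PIN prompt instead of a decline.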

Perfect Authentication – A threat to Banks?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

If we made an inventory of payment systems (technical investment) between merchant to consumer bank we would see today’s systems, processes and rules would be DESTROYED by a future state of connectivity and authentication. I’m sure this one line statement will be questioned “prove it”, but I don’t have time.. I’ll leave it to someone else. Take this statement for what it is: my opinion.

Authentication is 0-1, Risk and Fraud deal in shades of grey. For example, if there is a CHANCE that Joe Smith is really at the end of the transaction, and he is my wealth customer, I’ll let him in the door, see what he wants to do and then risk it based on it. I certainly won’t LOCK HIM OUT.  Another example, if I could authenticate a customer why do I need to make the transaction secure? This is the BEAUTY of the Square “pay with your name” scenario.  Why do I need tokens? Someone just needs to map consumer ID to payment types.

The very concept of payment “products” begins to dilute. No more credit, debit, pre-paid, Amex, ACH, check, … In a world of perfect Authentication “old line” products evolve toward dumb pipes as competition shifts to speed and cost (not risk).

From Cash Replacement

Networks are designed around a value proposition.  For payments to flourish, a coordinated system of instructions which can be read by trusted participants is necessary. Providers of payment services must consider what network participants are providing in order to collaborate in risk management and settlement; the greater the number of consumers and businesses that participate, the greater the collaboration and interdependency. As more people adopt the payment system, its value increases, since it provides access to more people; this encourages larger networks. Not only do the benefits increase as the network expands, but the per unit cost of service falls. This behavior is the basis for what economists refer to as a “network effect”.

Once a payment system reaches a “critical mass”, economic value will be created at the ends of networks. At the core, the point most distant from users, generic, scale-intensive functions will consolidate. At the periphery, the end closest to users, highly customized connections with customers will be made. This trend pertains not only to technological networks but to networks of banks as well as small merchants and even to consumers who engage in shared tasks. From a payment network perspective, this means that the “routing” of payments will provide much less revenue opportunity than managing the end points (e.g. the customer interaction or the products which are sold on the network).

…] Payment networks are inherently “sticky” with investments required by consumers, merchants, and banks for effective functioning. Payment networks also have substantial government involvement to support Commerce and Treasury functions that ensure stability, resilience and protection of parties. Innovation in payments is challenged by this network dynamic. As most small companies know, getting a bank to make a decision is tough… but nothing compared to getting 4-6 groups (issuers, acquirers, merchants, MNOs, Regulators, networks, ..) to collaborate in making coordinated change. A level of difficulty that is only superseded by the challenge new entrants face in competing directly against these existing networks.

A truly jaw dropping piece of research was completed last month by NYU’s Thomas Philippon (http://www.voxeu.org/article/where-wal-mart-when-we-need-it).

The cost of intermediation grows from 2% to 6% from 1870 to 1930. It shrinks to less than 4% in 1950, grows slowly to 5% in 1980, and then increases rapidly to almost 9% in 2010

In other words Payments and Banking are one of the few network businesses in the HISTORY OF MAN to grow less efficient (rail, telecom, energy, …). This is BY DESIGN as the orchestrators of banking have successfully created constructs to squeeze COMMERCE. Further demonstrating that existing payment networks are incapable of leading ANY FORM of creative destruction. As I stated in Commerce Battlefield

Mobile is a platform which enables a radically improved customer experience. With respect to payments it also offers a unique ability to authenticate a consumer (fingerprint, GPS, cell tower location, voice, camera, …). Yet, no banks are looking to leverage these “new” capabilities in a “new” payment system. After all, given a clean sheet of paper, no one in their right mind would design a payment system like we have in Visa/MA: present a credential to a merchant, who passes to a processor, who passes to network and routes to issuer to approve a customer transaction… giving the auth to everyone in the chain again.. and getting back another message. If everything is connected why not just ask the consumer to send the money from their bank (ex Sofort,  Push Payments also read Banks will Win in Payment ).

Why? Well because Banks can’t make money in a Sofort model.. (would need to create all new merchant agreements). This is why Banks are going through contortions to stay within Visa/MA, yet attempting to alter it fundamentally (ie Tokens). … (Also see Push Payments)

Regulation… the KEY

Payments, telecom, commerce, customer data, … all are regulated (merchants … not so much). Banks are completely justified in seeking solutions to their current regulatory burden. After all they bear most of the AML, BSA, CFPB, FED, OCC, .. burdens here. What needs to happen is that regulators must allow non-bank entities to bear risk. This is where innovation occurs. See blog US Payment Innovation and Regulation

Authentication – A Core Battle for Monetizing Mobile

Those of you with more than 15 yrs in the industry will remember dedicated T1 lines that moved data in secure pipes from one location to another. We now have VPNs, transaction signing and encryption that allows for use of generic pipes between COMPANIES. Authentication at a USER LEVEL will now permit yet a finer grained LEVEL of Secure Services and Data ACROSS companies. Today we have Cloud services from Apple, Amazon, Google but how do you navigate amongst them? How can a Start Up develop services that SPAN them? Authentication is Key…. And MNOs may be best placed to deliver this service.

16 October

I was delighted to see yesterday’s announcement on Verizon’s updated authentication efforts (UIIS). The American Banker article pointed to a consumer focus:

“We want to be the world’s largest identity provider,” says Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions.

I’ve always held this is a tremendous opportunity for MNOs given their distribution, ability to physically site and verify both consumer and phone, as well as their network management capability (ex. know where the device is). In fact one of my oldest blogs (4 years ago) laid out the high level opportunity.

What are some of the problems on the web today? Junk mail, Spam, Phishing, Pharming, Trust, Fraud, Passwords everywhere, card numbers everywhere, consumer data/cookies, beacons, …  much of this is caused by ubiquitous anonymity. Consumers should have the right to be anonymous, after all I don’t give a physical store my ID when I walk in to shop.  But what if I wanted to be known?

Remember the early visions of “web services”? A technical panacea where I could combine distributed processes from multiple providers acting on distributed data. Much of this never came to fruition because there was little trust, no service levels, and no way to distribute revenue.  Web service architecture took off fantastically within an organization… but corporate success required resolving the issues above (as well as securing the pipes).

What problems could authentication (via mobile) “solve”?

#1 Payments – Of course this is the top of my list. My favorite quote from Ross Anderson “if you solve for authentication.. everything else is just accounting”. Think of how much bank infrastructure is dedicated to authentication of the consumer and risk/fraud management. This infrastructure was built over last 30 years because there was VERY poor ability to authenticate a consumer (ex. signature and possession of card) AND inconsistent CONNECTIVITY at each commercial “node” touching the transaction. Today we have complete connectivity, but the MODEL has not evolved from its archaic past. I could write a book on this topic alone. A key REQUIREMENT for authentication to IMPACT payments is that ALL ACTORS (Bank, Retailer, Regulators) must RECOGNIZE and TRUST the services of the AUTHENTICATION PROVIDER. I would love to see the Fed lead here in creating a certification process…

In a perfect world, the following happens

  1. Legislation to create requirement (by Banks) to: recognize independent authentication services which comply w/ Fed, clear authorized payments in under 24 hrs, absolve banks of compliance responsibilities for authenticated payments (if they don’t own authentication).
  2. Fed creates Payment Authentication certification, requires banks to keep Auth at transaction level and absolves banks from compliance issues for authenticated transactions (assuming authenticated party was NOT on an AML list).
  3. Banks adapt systems to comply, or Fed enables transactions directly in a new real time service (with integrated authentication per transaction).  This is what happens when international banks provide remote consumers wire transfer capabilities (as in James Bond)
  4. … 10 yrs later…

#2 Fraud. Medicare, Obamacare, Welfare, Pension, …  A phone with integrated biometrics could make a very significant dent in $80B of false claims (FBI estimate).

#3 Better Auth leads to DUMBER PIPES. Look at what happened to our economy the last time we had a generic network where anyone could build.  Better authentication will allow us to REWIRE COMMERCE… with the Banks as a primary loser (note I spelled it correctly today).

#4 New Services. A corollary to #3. Integrating cloud and data across providers and across platforms.  The realization of an early web services vision… Consumers could have control over provisioning and “orchestration” of their data. For example allowing health care data to be shared with doctor (for second opinion), or allowing merchant transaction data to be shared with Google or Procter and Gamble for a fee.  The receiver must be able to trust both the consumer’s permission and the source (3rd party validation). … Possibilities are endless (and exciting).

#5 Digital Signatures. Applying and COMPLETING a loan application, college application, commitment to purchase, contracts, licenses. Enabling the US to catch up with Singapore on eGovernment, and making our lives easier. Improving the ability to open new accounts also increases competition as institutions must compete for our business daily.

Other thoughts appreciated.

Apple and NFC – Part 2

Could the new iPhone run Visa Paywave? sure.. however it may need an add on antenna.. my guess is that NFC in the next iPhone was not built around supporting someone else’s project (Visa/Banks). This is the paradigm which must be broken. Don’t think of NFC in terms of payment, it is just another radio.

Previous Blog – Apple and NFC 

Well, I was right last year… a lone voice in the wind with BGR. Let’s see if I can repeat.

Prediction: Apple iPhone 5s/6 will have NFC.

Caveat.. it will operate MUCH differently than what you think of today

Hardware? My bet is  Broadcom’s BCM43341 or BCM20793 chip 

Broadcom has launched the industry’s first quad-combo chip. The BCM43341 combines NFC, Wi-Fi, Bluetooth and FM radio on one chip and, says Broadcom, “offers OEMs unmatched size, power and cost advantages.”

A second new product is a single card solution that pairs a BCM20793 NFC controller as used in the Google Nexus 4 with an 802.11ac (5G) WiFi radio and is aimed at high end mobile phones and devices.

Broadcom’s BCM4334 combo chip (dual-band 802.11n, Bluetooth 4.0+HS & FM receiver) is already in the iPhone 5, with other versions in the iPad and yet others possibly extending into the Mac as well. What I find most interesting is the BCM2079x family of “stand alone” controllers. Broadcom has also contributed its NFC software stack to the Android Open Source Project. A generic controller with software stack which manages both secure storage and multiple radios in multiple frequencies. This is NOT the NFC which MNOs and Banks envisioned (see SWP).

HOW WILL APPLE LEVERAGE NFC?

This is the billion dollar question.

My guess is that Apple will focus on creating a new security and authentication infrastructure on the phone, and in the cloud. This infrastructure has both software and hardware components, and will change the way other “apps” interact with customer data, customer sensitive information (ie location) and the OUTSIDE WORLD.  For example, today apps that require location must adhere to policies consistent with “location services”. Think about extending this type of control over your credit card information, name, address, e-mail.. what apps get access to which data? Now also think about this new service which can identify you are who you say you are (identification) which will be present with AuthenTec capabilities.

Apple’s new Lightning connector extends the iPhone security “platform” from the phone to external devices via proprietary cables which must contain embedded Authentication chips. I bet the folks at RIM just fainted reading this.. RIM built the most secure mobile platform in the world, with secure integrated corporate e-mail.. no developer community, “average” user experience.. and a completely STUNTED internet browser. Apple is going after security last.. after they have everyone hooked on the platform. Apple is completely brilliant, it took a “good enough” approach to security to build user base.. now it is adding services and security.

All of this is completely consistent with what we see in Patents, acquisitions, evolution, phone architecture, … and Apple brilliantly evolving the company into orchestration as I outlined in blog on Stage 4 Value shift.

Could the new iPhone run Visa Paywave? sure.. however it may need an add on antenna.. as the design of NFC within the iPhone was not built around supporting someone else’s project (Visa/Banks).

This is the paradigm which must be broken. Don’t think of NFC in terms of payment, it is just another radio.. actually it has 3 parts.. the radio, controller, and secure storage.. each of which can take on very different roles in a new Apple architecture. Why transfer data via NFC/ISO 14443 @ 424kb/s when Bluetooth V2.1 is 2.1 Mbit/s and Bluetooth V4/V3 is 24Mbit/s… (60x faster).

I predict all of the phone platforms will spend whatever is necessary to retain ownership of customer and customer information. All commerce and financial services are dependent on consumer Authentication… it is the linchpin for retaining the “hub” role in value orchestration and future margin..

Handset manufacturers (Apple, Google, Samsung, …) are flipping the NFC value equation. From a SIM based SWP approach to a multifunctional embedded approach with integrated consumer authentication. I’m amazed that there is not more press here. The implications are tremendous.

See previous blog KYC – $5B opportunity (I may have guessed low).