Authentication – In “Value” Nets

March 3, 2014

Today’s blog brings together: the Role of Authentication in Value Orchestration, Apple’s Role in Commerce, Constructs for Compensating Authentication Agents, and Ability of Payment Networks to Adapt. The ability of other parties to assume risk in payment is the key shortcoming of all of our existing payment systems (see last week’s Blog). The recent activities around tokens can best be explained through this Risk Lens.

My use case for today: Assume Apple has the best biometrics system on the planet, and Consumers trust Apple with all their credentials. How can non-Apple Service Providers use Apple’s Authentication service (pay them)? As I outlined in Who do you Trust (Sept 2013)

The “KEY” [prerequisite] in value orchestration is owning the Consumer relationship. Therefore Identifying and Authenticating the Consumer is the first, primary, service that must be owned by a platform.  What was a separate “Trusted Services Manager” in the NFC world has been co-opted by platforms which will take a proprietary route.

This goes hand in hand with my other favorite payment quote from Ross Anderson with respect to payments:

If you solve for Authentication.. Everything else is just accounting

The Role of Payments in Commerce

As I’ve stated before payment is just the last (easiest) phase of a long commerce process that involves design, manufacturing, marketing, advertising, retail, payment, …etc. (see Payment enabled CRM). Payment is the key PROCESS by which these parties measure the effectiveness of their activities (think attribution). To measure effectiveness (and value) participants tie their activity to Consumer and: items, activities, processes, and behaviors. Answering questions like “did the consumer see our ad on facebook?”, “did our campaign influence the consumer’s buying behavior”?

Before we can assess the value of Apple’s Authentication we need to identify the processes and participants that can use the service. My bias is that the greater value to be unlocked is around the attribution than payment (as a side note Apple has constructed a new platform to manage an Advertising Identifier around this “identity arbitrage”). My personal bets are around the hypothesis (outlined in Apple and Commerce): that Apple’s biggest asset is their ability to change consumer behavior, and are working to make the iPhone the centerpiece of physical commerce (not payment). However, since I have no interest in writing a novel on the subject, I’ll give my highly condensed views on authentication in today’s payment instruments.

Value of Authentication in Payments

What is value of authentication in payments? To whom does the value accrue? We should not assume payment methods will change in anything shorter than a 20 yr horizon (analysis of value in existing payment networks). The value flow in a 4 party payment network is fairly simple: Merchant pays with the Issuer receiving 80% of the revenue. Any payment for Authentication must therefore come as “cost” to the issuing bank. There are 5 models for extracting authentication fees from Banks:

  • Bank chooses to pay (or exchange something of value … like data)
  • Network forces payment
  • Authentication provider forces payment
  • Consumers force payment, or Choose to pay themselves
  • Regulators force paymentGAO payment flow

Optimally a service cost would be based upon value (if the value declines … the cost should decline). Of course nothing in payments work this logically. Issuers like to have all the control, so that they can retain all the margin. In fact, Top Issuers would be fine keeping mag stripe with no authentication (see Perfect Auth… a Nightmare to Banks). Perfect authentication would eliminate all risks not credit related (ex ability to pay). It would therefore be very hard for Banks to justify any payment fees (interchange) beyond the cost of operation. Banks make their money on the ability to manage risk (not eliminating it). Mobile Authentication (biometrics) provides a mechanism to reduce risk outside of the bank’s services.

Startups.. this is the challenge in selling banks improved risk management or identity solutions that are not in their control. It is also why Banks want their services manifested through applications they control (not others). However, Banks must live in a world where their payment product does live outside of their environment (not that they like it, but Amazon does have a little potential to sell :-)).

A recent example of external network driven services: Verified by Visa (VBV) and Mastercard Secure Code (MSC). VBV/MSC rolled out in 2003 (Europe) and shifted eCommerce CNP risk to Banks. It was a complete and utter failure, not just from a tech view but also from a customer experience and business model. Merchants were incented to put the technology in place (10bps and fraud shift to Banks). VBV/MSC failed to catch the fraud… who was motivated to fix the flaws? Not the merchants.. they had given the fraud loss to the Banks and received a discount. It was rather the Banks, which were left with declines as their only tool (as I outlined in Perfect Authentication – A Nightmare for Banks). In other words, Banks had no way to pay the merchant to do a great job at managing risk in VBV/MSC, but only penalize a merchant for poor performance (through declines). This is why we don’t see VBV or MSC running in Amazon, Apple, Paypal, … etc.. Merchants fear declines much more than they do managing the fraud.

But how do a Banks pay external parties (ex Experian, EWS, …) for assisting in the risk management of payments? Usually a per transaction fee of $2-$5 in account opening, and then 10bps for transaction risk scoring (think check verification, although not all transactions need to be scored). The Networks themselves offer services for authentication and account management.

Authentication Fee Structures

Issuer Controlled

  • Interchange Rate Reduction ~15-30 bps based upon performance
  • Fraud Shift (for CNP + Auth in eCommerce)
  • Data Sharing (quid pro quo)

Network Controlled

  • New Category – Mobile Card Present with Authentication (30bps below current)
  • Network Enhancement Fee – Charged to Issuer (for Token and for Auth)

Platform Controlled

  • Authentication Fee (Nothing gets passed to Issuer unless they choose to use service)
  • Network support of new field(s) for Authentication information

My preference (for Authentication) would be for last item in the list, where Apple and Google assess an authentication fee to Banks which choose to leverage Authentication. This allows for performance based pricing. If the service is not providing benefit to the Banks, it is stopped. Issuers which invest in using the service will receive benefits that can be passed to consumer.

Oddly enough the danger in this approach is for Visa and Mastercard. As Issuers work with Google and Apple directly, it provides them an opportunity to end-run V/MA and define their own rules for CP/CNP, as well as Tokenize their existing portfolio and gain access to data.

Mobile Auth and Payments – Today

The scenario on biometrics and tokens is happening today… Apple’s new iPhone will have both biometrics, a secure enclave, and  patented Point of Sale Interaction. Host Card Emulation has evolved so quickly because Banks were told by Apple that they would have to pay for their cards operating within Apple’s scheme. As I outlined in Token Acceleration, the Banks responded by telling V/MA “we are not going to let our Cards operate under an Apple Patent… you guys killed our TCH project and said you would own this… so are you owning it or not?” Hence we have this Press Release.

The networks are committing a fair amount of brain power here. Clearly the benefits and control of a token led scheme will flow quickly to issuers unless there is a solid process to lock up the token standards and token translation. For example, assuming V/MA certify an HCE scheme that provides for “transparent” EMV compliant Paypass transaction.

This is why NO ONE has seen the token spec… and why it is not evolving as quickly as hoped. Not only must V/MA/Amex make the Spec functional, they must also work to control the token creation, authentication and routing rules. Arrggghhh…

Big Picture Thought

What we REALLY need is a payment network where risk and data can be owned by non-banks (selectively). This was my input to the Federal Reserve, and the driver behind last week’s post Risk: Carving it up in Payments.  Real time payments is not holding up innovation, the ability to take risk and manage it is (just as it is in our economy). While I believe Ross Anderson’ view that Authentication is the key to value, the dumb pipes are all owned by non-aligned Banks.

What if American Express created a new payment network that allowed for merchants to selectively own risk for clearing? In this model, Amex could operate as charge card, Bank, prepaid card, or link to another banked account. Merchants could assume risk depending on consumer history, payment type, purchase type, reputation, … Some merchants would choose to allow the consumer to decide. Others (like Grocery and WalMart) would encourage the consumer to choose the lowest cost instrument (selective settlement risk), or even change their relationship (banking, data sharing, … ).

If the value of authentication and the value of “payment” is not in settlement and risk but in the attribution, then we must have much more flexibility and consumer participation.What will glue together these new Value Nets?

 

Apple Services