Apple’s P2P: Visa Money Transfer

Update 13 March 2011

It would seem that there is some amount of disconnect between the bank eCommerce, debit and interbank teams. The banks are working on a new interbank P2P service. This service will be based on ACH and follows on to what was pulled from the BAC/WFC Pariter scope last year. My guess is that JPM is also a “partner” and is committing to directory integration just as it is with CashEdge (Citi, 5th 3rd and 200 odd banks).

The Visa Money Transfer commitment may be an “accident”, and the banks may not know that Visa is working with Apple. This Visa service would clearly compete with the new bank owned service.  

11 March 2011

In a previous blog I spoke about Apple and NFC. Although I still don’t know if Apple’s wallet will be ready for the iPhone 5, it does seem that they plan to launch with a P2P transfer system powered by Visa (See previous blog on Visa Money Transfer). Apple’s iTunes wallet does not “store” funds like PayPal, nor does Apple have money transfer licenses. It was therefore searching for a way to allow consumers to pay each other. News I have is that they have selected Visa Money Transfers for this. Is it the only way? Perhaps not… but I give it 90% confidence of being in scope for wallet launch.  (Sorry for the confidence thing.. it was Gartner Group’s way of making shit up)

I just can’t believe that bank payment heads are allowing this. I was on the phone with the head of debit for 2 of the top 5 banks..  their eCommerce teams love the idea of partnering with Apple.. but the debit card heads have said “no way”.  It is just a terrible idea for banks to give Visa a way to circumvent ACH.. and it will be very, very hard to shut down once it gets moving. Reasons:

  • Visa runs it.. Continues to build Visa brand on your ACH
  • You own the risk, Visa develops new services
  • Circumvents all of the industry controls on ACH (ex. TCH, Early Warning)
  • Unfunded Reg E research burden and consumer support reqs.

The big banks that have taken the plunge are JPM and BAC. Not sure if both have committed on debit AND credit.. or just credit. The business case for credit is pretty solid and I don’t have any issues here, but allowing Visa to control transfers on debit is not in the best interest of banks. Why would banks want to allow Visa to develop a consumer directory and a new service that directly competes with ACH (see blog)?

Bankers, my recommendation is to buy Interlink or Star and put it in TCH… then run this debit service there.

Start ups.. I would not focus on payments in Apple’s platform. Think there would be new opportunities in integrating POS to Apple’s payment mechanism, or even a “billtomobile” kind of function where you can pay online with your Apple ID.  My head is spinning at the chaos this will cause within ISIS AND each carrier’s own billtomobile efforts. Apple is near a tipping point with the carriers. I would expect them to start aggressively pushing a much more friendly Android model.

Mobile Swipe: Risk is Behavior … not Security

11 March 2011

I’ve been rather unambiguous in my views on Square. Yesterday I received a number of calls from my card friends, with over 50% in support of Square. After pondering their feedback, my bigger concern is customer behavior… a concern that expands beyond Square to all swipe based mobile payments (although I still feel quite strongly that they are not playing by the rules that everyone else agreed to).

For background, beyond my role as alternate channels head for Citi (Outside of the US), I also led sales and marketing for a little start up backed by Kleiner Perkins (41st Parameter) that focused on fraud. Through this role, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. Truly fantastic people… think of them as a mixture of James Bond, CSI, and Eliot Ness (Famous FBI guy). To be honest, I never saw these fraud teams during my time as a banker, and never really appreciated their role in keeping the banking system safe.

Frank Abagnale (of Catch Me If You Can) was on 41st’s Advisory Board. 40 years ago, this was the kind of fraudster that the bank’s team had to track down.. one guy in a garage with a printing press (magnetic ink). Today, the nature of fraud has changed tremendously. Well organized rings are flourishing, one of which has over 500 employees with product, engineering, marketing, sales…. a specialization of labor. Phishing was a great success, as customers responded to e-mails looking legit. Banks responded with improved online security. Fraud rings responded with malware and “man in the middle” attacks.. point is that this is a dynamic war taking place and bank fraud teams are the “special forces” that crack the code.  The online fraud environment is the most complex battlefield of all.

It takes resources to win any battle. To give you an idea of the size of risk, gross fraud (attempted) at PayPal was around $500M dollars last year. Through technology and people, PayPal reduced that number to under $50. Bank margin is driven by the ability to manage risk; this is the nature of banking. The top banks, PayPal, Amazon and Apple all have world class teams and resources in this area… thus they seek both higher margin (i.e. risk) and volume. In essence they “compete” by managing risk more effectively than their peers. A well known axiom applies: If a hungry bear comes into your campsite, you don’t have to be faster than the bear.. just faster than all of the other campers.

There is no single solution for all of this fraud, it is a constant battle and weapons just continue to improve and evolve on both sides. For banks, there are 2 common elements to all fraud strategies: educating customers, and security of customer data. In the US, consumers are quite fortunate to have the risks associated with fraud completely borne by banks (Reg E/Z). Outside of the US if you have fraud on your credit card it is your job to prove it. Hence a UK consumer is much less likely to give their card to just anyone, which is why the waiter stands at your table with a mobile card reader for you to enter your PIN.. your card is never out of your sight.

Example story from yesterday.

Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”..  I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of the world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars..

These fraudsters were successful with just magstripe. What if they had your name, e-mail, phone number, … ? If you went to the grocery store, and the clerk asked you for your name and phone number and put it in her phone prior to authorizing your transaction, would you provide it? This is exactly what Square is doing. Read Dorsey’s response to Verifone’s security concerns. Giving merchants additional data will not decrease fraud, but establish new patterns of customer behavior which will increase it for all. We have a “battle” within the banks today: The card business wants to grow transaction volume. The fraud organizations want to protect customer information and ensure customers don’t give their data out to just any hot dog vendor on the street.

Future Scenario

A good crook would probably spend a few days developing an iPhone app that swiped your card, asked for your PIN, took a picture of the back of your card (w/ CVV), and obtained your phone number and e-mail address. A fraud ring sets up hot dog or ice cream stands (that only take cards) with $0.50 ice cream… they would never even use Square’s software.. or even try to submit a transaction. They would give the food away for free just to get the data.  Once I have this data, I could send it within seconds to my HQ to commit ATM, online or even POS fraud in any number of countries.

Was Square’s technology any part of this? Nope.. people could do this today. Is Square encouraging a sustainable consumer behavior? Nope. Smart merchants (Apple, PayPal, …) are choosing Verifone PayWare Mobile because the device is secure.. your employees can’t put on a skimming app because the data is encrypted when it enters the phone. But do I want my bank customers examining the make and model of the card reader before they turn over their card? Heck no! So what do I tell my bank customers? Only give your cards out to merchants you can trust? Do banks incent proper consumer behavior on card use? No.  You get the picture… life just got much more difficult for the fraud and customer experience teams.

Individual issuers have the power to decline Square transactions. My guess is that at least 2 major banks will begin to decline all Square transactions within the next month. Beyond the fraud risk, it also competes with their own mobile initiatives (Barclays/ISIS, Mastercard/RIM, …).

NFC is a step beyond EMV in security… subject for another blog.

Comments appreciated.

Verifone Builds Square Fraud App in 1 hour

I took a look at my blog stats today… and they went through the roof.

Verifone’s CEO (Doug Bergeron) published an open letter to the industry on Square’s flaw. The Square dongle is not PCI compliant (see my blog from last year). Verifone is spot on… they built this skimming application in ONE HOUR.

YouTube Video just pulled.. . you can still view at http://www.sq-skim.com/

Chase Paymentech is Square’s acquirer, and I spoke to them specifically about the Square risks last year. This is an industry issue.. as stolen cards and fraud generate both issuer losses (card present transaction) and a tremendous hassle for customers. I don’t understand why Chase supported this thing… Was told last week that Square’s fraud is off the charts. As I said 16 months ago, in January 2010:

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuers have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link) customers would see their card transaction declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered, Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer.  Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea for potential mis-use see YouTube video below.. crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

Update Thurs Mar 10

Networks are dependent upon everyone following the same rules. Rules are what make networks work, and are essential in “trusting” the transactions coming in. PCI rules were agreed to by all.. Square’s reader does not comply, nor does its iPhone app.  That said we have a very mixed bag of incentives within the current card networks. Banks and the networks want Square to succeed, as it will drive more transaction volume AND drive card use further down market with small merchants… see Visa’s blog

http://blog.visa.com/2011/02/14/emerging-payment-types-new-opportunities/

Bank margin is driven by the ability to manage risk. This is the nature of banking. Within credit card, big banks like Chase have tremendous experience in fraud and risk.. they seek both higher margin and volume.  Chase is comfortable with the risk it is enabling with Square as both issuer and acquirer. However, their acquisition relationship with Square (through Paymentech) enables fraud to enter the network, and other banks may not have updated their authorization rules to accommodate. For example, Bank of America certainly wants to increase transaction volume .. but is it willing to pay the price of BOTH fraud loss AND of encouraging a change in customer behavior (give their cards to anyone with an iPhone and card reader)?

From my background at 41st Parameter, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. This will be an active discussion for them today. Bank decisions are caught up in the business dilemma of how to respond to Durbin, as well as their own mobile strategies and EMV perspective. Fraud usually develops once critical mass is reached, as fraudsters don’t want to waste their own resources developing a compromise unless there is volume.  My view is that Square’s reader and iPhone application are clearly not compliant with PCI rules and that Visa and Mastercard must shut them down. They have no choice.

Perhaps a story is in order to talk about potential impact. Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”..  I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of the world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars.. and claim that we are responsible for their fraud (they have a decent case).  Verifone’s 1 hour fraud app (www.sq-skim.com) is not a technology issue as much as a behavior one. A good crook would probably spend a few days developing an iPhone app that asked for your PIN…. and took a picture of the back of your card w/ CVV. I noticed in Square’s response that they also ask customers for phone number and e-mail address (normally). This data is beyond the wildest dreams of fraud organizations.  I can just imagine a fraud ring setting up hot dog or ice cream stands that only take cards.. and sell the ice cream for $.50… they would never even use Square’s software.. or even try to submit a transaction. They would give the food away for free just to get the data.

As a side note Square is not winning against Verifone. Square has only 5k-10k active merchants (see blog) and $200k in revenue per MONTH… so let’s stop this thing before it gets viral.

Payments Innovation in Europe

8 March 2011

Why do I like the Payments business? It is ubiquitous, sticky, with good margins and strong annuity revenue.

What do I hate about the payments business?

In the US, it is over regulated, concentrated, difficult to change and a frustrating enigma driven by large FSIs with unlimited resources…. Within Europe the situation is little different.

After coming back from last week’s trip to the Valley, I was attempting to develop an investment hypothesis on Europe, mobile, payments and innovation in general.

While Europe’s individual talent is second to none, and capital is plentiful, the European market is designed to resist change and thus impedes the development of early stage ideas and companies. Early stage companies can incubate within a single country but are challenged to expand beyond, due to complex regulatory and market dynamics. Navigating these dynamics causes early stage companies to develop more slowly, thus requiring a higher risk premium on invested capital.

                   – Tom’s European Venture Capital Hypothesis

SEPA Overview 

(European colleagues can skip this section). 

SEPA and PSD (SEPA’s enabling legal framework) attempt to create harmonization of payment schemes across the EU (See SEPA Blog, and excellent PodCast). The result?  837 pages of detailed and contradictory EU law with no business incentive. SEPA has been plagued with delays and issues, as should be expected given that there was no business incentive nor a pan-EU regulator to enforce it. SEPA Credit Transfers and SEPA Card Framework have been in place for a few years (2008). While the SEPA framework commoditizes payments, and while this is consumer friendly, there is no business incentive for large banks to implement it (see Barclay’s consumer support on SCT).  The same can be said for the SEPA Card Framework (See MA’s Self Assessment). The main points from ECB’s regular status report:

  1. Banks must create greater awareness of SEPA, and must offer better products, based upon the SEPA infrastructure. Government should accelerate programs to adopt SEPA as the standard for its disbursements.
  2. The banking industry must commit to work together to remove obstacles which might compromise the Nov 1 2009 launch date of the SEPA Direct Debit. Debates on the launch date, the validity of existing DD mandates, and interchange fees must be closed out rapidly.
  3. Bank systems need to be improved to enable end-to-end straight-through-processing, originated by files submitted or by e-payment, e-invoicing, and m-payments.
  4. The ECB wants to see a target end date for migration to SEPA products, and for exiting out of older credit transfer and direct debit.
  5. The SEPA card framework in its current form has not yet delivered the reforms which the ECB wants. In particular, ECB wants to see a European card scheme emerging.
  6. The ECB perceives a lack of consistency in card standards. It wants to ensure that a clear set of standards are adopted and promoted throughout the industry.
  7. A common, high level of security for Internet banking, card payments and online payments is needed.
  8. Clearing and settlement organizations in many countries have made good progress on SEPA, and several are upgrading from national to pan-European.
  9. The banking industry, and its representative body, the EPC have not sufficiently involved other stakeholders.

 SEPA’s Impact on Innovation

European harmonization is a fantastic objective, but translating EU guidance into country law, with each country’s banking regulators responsible for interpretation and guidance, is problematic. This becomes even more difficult when Banks (who were not included in the SEPA design) have an inverse adoption incentive. An analogy in the telecom world would be telling the land line carrier that they must open up the switch to anyone that wants it at no cost.. and they have to assume all of the risk and operational responsibility.

Early stage companies and “payment innovators” are left with a complex set of constraints.

  • Dependent on local national relationships to launch a product,
  • SEPA creates harmonization, but country specific laws and regulatory guidance are unique
  • ECB initiatives (ex. See ELMI) create opportunities for non-bank participation in payments,  but SEPA has removed all margin from the business

So in Europe we see the consequences of over regulation.  While SEPA was designed to increase competition and create new European schemes, there are few business models capable of supporting investment. Hence Europe is not the place to start a retail payments business.  Hence Asia, LATAM  and Canada are all great places to start a payments business (my picks: PH, HK/China, Brazil, Malaysia, SG, Colombia, Indonesia and New Zealand).

Europe and Advertising

I don’t have time to finish the thought here. For those of you that read my blog you know I’m very enthused about the prospect for advertising to be a future payments revenue driver. Unfortunately for the EU, consumer privacy regulations (and subsequent “tracking” issues) are the most onerous in the world. In Germany for instance, my Citi team was forced to purge the web log of IP addresses every 30 minutes.. for our own customers. The point here is that we could not even maintain loosely correlated consumer information in regulated accounts. Google has similar problems today (see Das ist verboten).

Where is the EU opportunity?

Where there is an intersection of: low margin payments, businesses with frequent cross border (within EU) transactions, without need or desire for banking relationship. MoneyBookers is an excellent example of this model in gaming.

Other possible  investment drivers relate to when payment transaction infrastructure is a commodity:

Arbitrage – Move intelligence to new regions or countries where the cost of maintaining it is lower

Aggregation – Combine formerly isolated pieces of dedicated infrastructure intelligence into a large pool of shared infrastructure that can be provided over a network

Rewiring – Connect islands of intelligence by creating a common information backbone

Reassembly – Reorganize pieces of intelligence from diverse sources into coherent, personalized packages for customers

 Thoughts appreciated.

NFC Update – Zenius/InsideSecure

7 March 2011 

Previous Blog: OpenNFC 

I met with the Inside and Zenius folks last week, and am impressed with both teams. Their mutual objective is to make development of NFC applications “easier”. Both have developed a chipset independent framework (common API layer) which creates a layer of abstraction between an NFC application (ex wallet) and the underlying hardware. Both have also developed example applications that leverage this API layer (wallet, ticketing, loyalty, … ). My summary thoughts on the 2 teams are I like them both. Inside has expertise from hardware through software delivery. Zenius’ expertise extends from POS to Handset across multiple hardware architectures.

Comparison

Zenius

  • NFC API framework
  • Chipset independent (proven)
  • Vendor independent
  • Handset Applications
  • POS Applications
  • MNO experience

Inside

  • NFC API Framework
  • Marketed as Chipset independent (not proven)
  • Handset NFC Applications (5 of them)
  • Discourages Multi SE environment
  • Discourages Application Development (Use one of its 5 Applications)

What I struggled with was Inside’s insistence that there should only be 5 NFC applications. In other words, its NFC middleware layer was only for its own internal use to ensure that its applications work across all (competitor) NFC chipsets. The implication is that there will only be 5 NFC applications… for eternity. For example, ISIS selected the C-SAM wallet that sits on top of a custom built NFC stack.  In the Inside model, ISIS would need to jettison both CSAM and its custom middleware.  (Yeah, I had the same reaction).

Zenius has a much more mature model, driven from their legacy working within Verifone and VivoTech. The Zenius guys had to make their applications work across multiple hardware solutions, and hence developed a framework that is now productized. They have also developed 5 standard applications that are “reference implementations” of their APIs. You can use them in a white label fashion, customize them.. or take them apart to see how they leveraged the API layer. This is a better approach hands down.

Inside’s approach seems a little unrealistic, and could be perceived as a “land grab”.  What do I like about Inside’s OpenNFC? The middleware and their end-end experience. In the end they are driven by chipset volume.. my guess is that they would be willing to give away OpenNFC if it would drive their chip sales. Problem is that giving it away may only commoditize their core product, hence they would be tempted to ensure that their product “works best” with OpenNFC. This is one reason that middleware vendors (MQ, Tibco, WebMethods, ..etc) developed separate from software companies.

Given that developing native NFC applications is difficult, the experience largely sits within companies like: Inside, NXP, Verifone, VivoTech, Device Fidelity, Tyfone.. .  People within these organizations all know each other.. after all it is a very small community. I asked them how many of their colleagues are at Apple. The answer across the board is that they don’t know of anyone.  This tells me that Apple is probably more than a few months away from launching an NFC wallet, or that they are dependent on a vendor (?Gemalto) for all development.

Since ISIS has already completed development of its own NFC wallet (not on iPhone), what are Apple’s plans?  I’m told that Apple wants a wallet tied to their 200M Apple accounts, this could be mere speculation, but it seems logical. I’m also told that Apple has their own NFC wallet. If Apple does indeed have an NFC application, it is something they have procured (licensed and modified) from Gemalto.  This is not a bad thing, particularly if Apple is more focused on hardware architecture, and plans for managing secure elements (SEs). The first wallet will undergo significant testing, through a new hardware and software stack. They must have something they control (not ISIS) and that is tested (Gemalto) to reduce complexity. Apple will likely need additional applications, but they must start somewhere.

All of this just spells further trouble for ISIS, who was hoping to focus more on POS issues now that they have a working wallet application. If RIM and Apple are successful in keeping control of the NFC wallet, ISIS can only hope to be another “card” in the wallet… one that speaks Discover ZIP initially. Quite a different value proposition than what they started with 6 months ago.  

For Apple, this allows them to strike a strategic relationship with a card issuer (like Chase) who will likely invest in both marketing and POS infrastructure. I’m sure that Apple’s plan is to also integrate iAd… although it can’t possibly make it for 2011 (my guess).

Do SquareUp’s $$ Square?

Update 1 May

Dorsey just tweeted Square’s numbers. See here on Tech Crunch

Looks like analysis below is directionally accurate, actually a little kind.  TPV moved to $2M on that day (of Tweet).

Note that Square revenue is $59k for the $2M TPV, or 295 bps. Transaction Margin is revenue less Square’s processing expense: issuer fees, processor fees. As listed below, this should translate into net Square transaction revenue of $10k (note on my post last night I was wrong.. never post at 2am.. error rate is high).

Dorsey picture shows 9k active customers (merchants) on this particular day, which is again consistent with estimates below. Total Active is probably 3x-4x of this, so average transaction amount is probably around $10-$15.

Funny that Visa bought into Square on the same week that it rolled out new mobile swipe security standards. Visa is highly sensitive to Chase needs, and given Chase’s equity stake here they wanted to show support.

Could Square work out? Sure it could.. but it is an intermediary solution at best as it is US only (No EMV), and will compete with new mobile solutions which we will see rolling out by fall.

Original post below

24 Feb 2011

Today’s TechCrunch Article

http://techcrunch.com/2011/02/22/mobile-payments-startup-square-ups-the-ante-drops-transaction-fee-for-businesses/#

Following Square is a hobby. My alarm bells go off whenever a non-payment team “innovates” in payments. My December blog Square Up Update estimated that Square had 5-15k users. Today’s TechCrunch says Square’s 1Q11 TPV is $40M and that they are “signing up” 100k merchants per month. My guess is that “signing up” means downloading Square on your iPhone.

From this TPV we can derive Square’s revenue and their “active” customer base

Rev = TPV * Transaction Margin

Transaction Margin = Merchant rate less cost of funds = 275bps – 225bps = 50bps

Square 1Q11 Rev = $40M* 50bps = $200,000

Rev lost from eliminating $0.15/tran fee = 0.15* 40M/$10 = $600k

Active Customers (Merchants)

Let’s assume that average ticket size is $10 and average Square merchant accepts 50 transactions per week (10/day, $6,000/quarter).  This means that Square has 6.7k active merchants. For other iterations see chart below

Is Square really shipping out 100k dongles every month, while only 6-7k merchants are active? I have no idea, but it cannot be a good thing if they are.. see www.sq-skim.com.

Summary

  • Square’s active merchant numbers are likely to be around 5k-30k
  • Eliminating the $0.15 fee is a very big revenue hit… 1Q Rev looks like $200k now
  • Square’s dongle is still not on the PCI compliance list (see PCI org’s list of approved applications)
  • Just as in any merchant account, settlement funds are held to mitigate risk. Does a small merchant want to wait 60 days for payment and pay 3% for the privilege of accepting a card? This is not a Square issue, but an industry issue in moving down market into cash replacement.  PayPal solved a real problem (CNP Transactions) for a real community of buyers and sellers that coordinated (eBay).

My guess is that Square sees the light at the end of the tunnel and knows it will not be a pretty collision. Evidently Square is burning through its newly received $27.5M (courtesy of Sequoia and Khosla) to grow the merchant base as fast as possible in hopes of attracting an acquirer. Square’s last round closed on a $240M valuation, assuming trailing revenue of $2.5M on $100M TPV, valuation is 16x revenue. However now that the per-transaction fee is eliminated.. we are looking at 75% reduction in revenue and valuation on forward revenue is near 240x.  Believe it or not.. OBOPAY was still more highly valued.. In both cases, investors have just doubled down and created valuations driven toward an exit strategy.. not on a sustainable biz plan.

The only entities that would be interested in Square are large card issuers who could unilaterally charge a different interchange rate for their own cards (ex Chase and BAC). But the bank business case for an acquisition would be very tough, as a single bank could only reduce interchange for the cards it controls, resulting in a 10% improvement in transaction margin (at best).  A Visa or MA acquisition would alienate the acquirers and processors. I just don’t see a logical exit for them with anyone. Issuers don’t want to pick winners in this space.. they want broad adoption. If JPM and BAC cut special interchange deals w/ Square then they will be pressed to do the same for PayPal.

eBay’s analyst day conference 2 weeks ago showed how aggressively PayPal plans to move in the POS space. PayPal’s Virtual terminal not only lets merchants take cards with NO CARD READER, it has partnered with Verifone to act as an acquirer. Next month, we will see some super applications at APSI conference. One of which will demonstrate the current Nexus S operating as an NFC acquiring terminal. .. You don’t even need the dongle or the “signature”..

OpenNFC – Game Changer

24 February 2011

Monday I wrote about Apple’s “NFC Twist” and how a multi SE environment impacted MNO’s NFC business case. From Monday (I hate to quote myself.. but it keeps from following the link)

The champion of Multi SE architecture is Inside Contactless (OpenNFC).. a very very smart “Judo” move that leverages NXP’s substantial momentum (in integrated NFC/controller/radio) against itself. Inside’s perspective is that there is no reason for the ISO 14443 radio to ONLY be controlled via NFC (treat it like a camera). Inside’s OpenNFC provides for “easily adaptable hardware abstraction software layer, which accounts for a very small percentage of the total stack code, meaning that the Open NFC software stack can be easily leveraged for different NFC chip hardwalet multiple applications and services access it”. Handset manufactures love this model.. MNOs hate it. As I stated previously, closed systems must develop prior to open systems as investment can only be made where margins and services can be controlled. OpenNFC changes the investment dynamics for MNOs, and provides new incentives for Google/Apple/Microsoft, … to transition their closed systems into NFC platforms.

For Banks, Handset Manufacturers and Startups…

I cannot overstate the importance of this approach. My guess is that Apple, Motorola and RIM are all planning to pursue “OpenNFC”. Multiple applications can now leverage the 14443 radio IN ADDITION TO the MNO controlled (SWP/SE) environment. Applications can then ride “over the top” independent of carrier controlled (TSM Managed) OTA provisioning.

In business terms, what does this mean? ISIS was founded under the assumption that it controlled the radio and all applications accessing it under NFC’s secure element (SE) single wire protocol (SWP). Nothing could use the radio unless the ISIS TSM (Gemalto) provisioned it. Visa, Mastercard, Amex were all looking at a future where the BEST they could do was exist as a sticker on the back of the phone. In the OpenNFC model, the radio can be accessed directly through the handset operating system (assuming the OS integrates to the Inside OpenNFC controller). This provides the ability for applications on Android and iPhone to access the radio. In this model, Mastercard DOES have the ability to get PayPass into the phone. My guess is that one driver of MasterCard’s hiring of Mung-Ki Woo from Orange was his unique perspective on how to make PayPass work within this InsideContactless model.

For ISIS? This is a tremendous impact to their business model. Perhaps something they cannot recover from. MNOs invested tremendous effort in developing NFC, now they are having their legs taken out from under them by a contactless vendor and the handset manufacturers. For ISIS to succeed they must run much faster and expand scope from a narrow payment pilot (over next 18 months) to building a platform that can compete AND interoperate against Android. Yeah.. that big. Their advantage is in control, security and provisioning. Unfortunately, because they have focused on the “control” aspect as the centerpiece of their business model, they have developed no alliances. In this, ISIS may well follow the failure of Canada’s Enstream, a group that got all of the technology right but failed to develop a sustainable business model.

Start-Ups

Start building to OPEN NFC. Game IS ON. Assume that Android and iPhone will let you access the radio…. For a fee.

For Consumers

CHAOS. What do you do when 5 applications all want to submit your payment.. or read an RFID.. which one do you use? For a view on the mess this will cause, see the Stolpan whitepaper.

I believe this approach benefits Apple much more than Google. Apple’s platform “control” and QA testing will be essential to getting this off the ground. My guess is that Apple will have only ONE NFC payment option.. APPLE PAYMENTS. Perhaps a gatekeeper model where multiple cards can be stored but Apple collects a fee.

Although Apple has an advantage in control, Google has the opportunity to deliver a much better value proposition to consumers, businesses and application developers. I’ll stick by my Axiom that new networks must start as closed systems delivering value to at least 2 parties. But can Apple compete with its Gosplan (USSR State Planning) like controls against open Android?

Background

NFC background for non-techies reading the blog: there have been many, many global pilots of NFC.. but no production rollouts. From my previous blog:

What is NFC? Technically it operates on the same ISO/IEC 14443 (18092) protocol as both RFID and MiFare so how is it different? I’m not going to get into the depth of the technology (see Wikipedia), but the biggest driver was  GSMA/NFC Forum’s technical definition (UICC/SWP) that ENABLED CARRIERS to control the smart card (NFC element). This in turn enabled carriers to create a business model through which they could justify investment (See NFC Forum White Paper).

BilltoMobile Case Study for Start Ups

23 February 2011 

BilltoMobile is a case study in how to innovate and work with 800lb Gorillas. Founder Paul Kim is a genius in the way he structured this thing.. just a brilliant business model that helps the MNOs monetize their network. Boku and Zong skipped a very important step in their evolution: no carrier relationships. BilltoMobile’s success demonstrates how important detailed knowledge (ex Danal’s telecom billing systems) and relationships are in delivering “innovation” within someone else’s network. What makes BilltoMobile such a great model?

  • Integrated into carrier billing systems (significant barrier to entry both in technology and in contractual relationships)
  • MNO value proposition. MNOs take NO RISK in enabling these payments. MNOs take a percentage of merchant fees AND they increase sales of their digital goods.
  • NO CUSTOMER REGISTRATION. I cannot overstate the importance of this to both merchants and consumers.. it’s like a credit card you never knew about
  • Can be used both online and mobile
  • Ability to raise payment limits ($25/mo)
  • Reduces cost structure (now independent of premium SMS rates)

As stated in the CNN Article

BilltoMobile CEO Jim Greenwell says the spate of carrier wins reflects the hard work the company and its majority shareholder, South Korea’s Danal Corp., have done in the carrier billing field. In 2006, BilltoMobile was spun out of Danal, a leader in carrier billing in Asia. The company quietly began approaching U.S. carriers after the spin-out about using carrier billing, but it took a few years before the company could establish its first deal with a major carrier, which it did with Verizon in March of last year.

…the challenge was to migrate carriers away from premium SMS, which other mobile payment services like Zong and Boku have used in addition to direct carrier billing. The problem with premium SMS was that premium SMS providers often charged 35 percent to 50 percent fees on top of transactions, which made it only good for digital goods. By tying directly into carrier billing systems, BilltoMobile can bring those fees down to the mid-teens

Zong and Boku never attempted to tackle the “hard work” of carrier integration.. they just leveraged existing Premium SMS services… now they have paid the price. From an investor perspective this is extremely important. Zong and Boku ARE NOT acquisition targets because they have not constructed a sustainable business model.

The BilltoMobile Sprint agreement will bring a total of 240M US customers to the service (when combined with recent deals with Verizon and AT&T). Now that billing to your mobile phone is free from the premium SMS constraints, I would expect to see a move beyond the $25/mo limit once BilltoMobile updates their risk models. As the CNN article above mentions, stepping away from premium SMS also gives carriers a cost structure to compete with card payments. There will be a very interesting play for the MNOs as they combine this service with NFC payment at the POS.

Thoughts appreciated

– Tom

iPhone 5 – NFC “Twist” (OpenNFC)

Update Mar 14

No NFC for iPhone 5. Too many architecture considerations.. (below). So while their patents clearly indicate it is in their plans.. they have not been able to coordinate all of the design into their iPhone 5 program (from hardware through software and apps).

See article from UK’s Independent

Update Mar 3

Multiple SEs are too complicated for Apple. Think they actually want to control everything and have one wallet with multiple cards. So much for ISIS having a TSM. Verizon/AT&T must be pushing back.. why subsidize the iPhone and let Apple control it? My guess is that JPM and Visa are also Apple launch partners (which further diminishes ISIS value prop). The downside of controlling everything.. is that YOUR TEAM becomes a throttle to success.

Feb 21 2011 (Updated)

Apple is a tremendous company; beyond its design and technical prowess, the factor that most impresses me is its unique ability to maintain confidential information. How can such amazing innovation come out of a company that seems to operate as a mix between the CIA and the Hotel California (checkout any time you like… but you can never leave…)?

Last week Brian White of Ticonderoga Securities spoke of Apple’s plans for NFC with a unique twist. So what is the “twist”? My guess is that the TWIST relates to Apple’s plan to support multiple Secure Elements (ie, one embedded, another in UICC). This would allow Apple to “support” MNO-driven initiatives and also create a closed system (described in many patents below).

For background on multi SEs see GSMA whitepaper

The GSMA NFC project recommends the UICC as the most appropriate secure element (SE) in mobile phones. It is foreseen that other secure elements (removable and non removable) may be implemented in mobile phones. As a consequence, applications may be hosted in secure elements other than the UICC. The selection of the secure element hosting the targeted application shall be solved. This case only applies in card emulation mode.

Most NFC pilots have launched with a single application in a simplified environment. The long term future of what NFC really looks like is very, very hazy. Many potential complexities arise, as best described in the Stolpan whitepaper (a EU consortium now largely defunct, an irony in its own right). Apple (or ANY MNO) certainly can’t build a business on this complexity. A multi SE architecture could also provide Apple with a mechanism to address anti-trust challenges on platform fees and openness/control (Washington Post – Apple’s Subscription Model Sparks Antitrust Concerns).  Apple would compete on quality of service and integration, but allow other applications to also “exist” in a separate environment with a different “trust”.

The champion of Multi SE architecture is Inside Contactless (OpenNFC).. a very very smart “Judo” move that leverages NXP’s substantial momentum (in integrated NFC/controller/radio) against itself. Inside’s perspective is that there is no reason for the ISO 14443 radio to ONLY be controlled via NFC (treat it like a camera). Inside’s OpenNFC provides for “easily adaptable hardware abstraction software layer, which accounts for a very small percentage of the total stack code, meaning that the Open NFC software stack can be easily leveraged for different NFC chip hardware [and] let multiple applications and services access it”. Handset manufacturers love this model.. MNOs hate it. As I stated previously, closed systems must develop prior to open systems as investment can only be made where margins and services can be controlled. OpenNFC changes the investment dynamics for MNOs, and provides new incentives for Google/Apple/Microsoft, … to transition their closed systems into NFC platforms.

Along these lines (Apple AppStore into NFC Platform), I need to correct the assertion I made in my previous blog Apple and NFC.  In it I stated that NFC “control” for Apple was about advertising control (not payment revenue).  What if Apple evolves all of its current applications into a “trusted” (in NFC context) environment, with secure storage and access restrictions (GPS, Alerts, phone, camera, NFC element, payment, advertising, enforced customer anonymity, …)? Apple could also enable this new architecture to support new secure areas for the Mobile operator (or other TSM) to provision secure services, or even an “open area” where the customer can run anything they want.  In this multiple secure element example, Apple would seek to control (and monetize) access to device services and seek to INCENT all providers to run within the APPLE SECURE ENVIRONMENT.. but would provide an alternative (that it does not manage, support or control).

If this is indeed Apple’s plan I will have to update my prognostication on the death of mobile apps (in favor of HTML 5). Particularly for Apps that leverage any of the Apple services I list above. This scenario is consistent with Apple’s  Patent US10200082444 PORTABLE POINT OF PURCHASE USER INTERFACES

[0088] Close range communication may occur through the NFC interface 60. The near field communication (NFC) interface 60 may operate in conjunction with the NFC device 44 to allow for close range communication. The NFC interface 60 may exist as a separate component, may be integrated into another chipset, or may be integrated with the NFC device 44, for example, as part of a system on a chip (SoC). The NFC interface 60 may include one or more protocols, such as the Near Field Communication Interface and Protocols (NFCIP-1) for communicating with another NFC enabled device. The protocols may be used to adapt the communication speed and to designate one of the connected devices as the initiator device that controls the near field communication. In certain embodiments, the NFC interface 60 may be used to receive information, such as the service set identifier (SSID), channel, and encryption key, used to connect through another communication interface 58, 64, 66, or 68.

[092] … The security features 74 may be particularly useful when transmitting payment information, such as credit card information or bank account information. The security features 74 also may include a secure storage area that may have restricted access. For example, a pin or other verification may need to be provided to access the secure storage area. In certain embodiments, some or all of the preferences 72 may be stored within the secure storage area. Further, security information, such as an authentication key, for communicating with a retail server may be stored within the secure storage area. In certain embodiments, the secure storage area may include a microcontroller embedded within the electronic device 10.

There are 4 market forces at work which may drive a multi-SE approach

  • Protect App Store/iTunes Model
  • Support MNO Models
  • Anti-Trust Concerns
  • Control Platform

Your feedback is welcome

– Tom

Other Information

Digital Goods: Where to Invest?

 17 Feb 2011

Digital goods are everything that can be sold and shipped online (music, movies, articles, ring tones). John Doerr (legendary KPCB Partner) certainly turned heads in Nov 2010 when he said Zynga is “our best company ever”.  What is driving the explosive growth in digital goods? Social gaming. The nice thing about running a credit card network is that you can see who is making money. No doubt a factor in last week’s $190M Visa acquisition of Playspan.

A key benchmark in the category of “digital goods” is Apple. Within Apple’s annual 10k, digital goods revenue is accounted for within the “Other Music Related Products and Services” category. This category also includes app stores. For FY10 Apple saw a 93% increase in iPhone sales, but there was only a 23% uptick in “digital goods” (growth in line with previous 2 years). This makes intuitive sense given that Apple customers did not need to repurchase their iTunes library from iPod 1 to iPhone 4. But Digital Goods has certainly NOT been a key source of growth for Apple.

Let’s take a look at Zynga. As I stated in previous blog,

…three years old with an estimated market value above $5 billion with more than 320 million registered users and estimated revenues above $500 million… From my perspective, Zynga’s secret sauce has been its ability to get 1-2% of their customer base to pay for game credits (see Gawker article). Although they have recently agreed to a 5 year deal with Facebook, this patent (if granted) will provide them leverage in future negotiations and extending their services outside of the Facebook platform.

For more info see TechCrunch / Steven Carpenter Zynga analysis (excellent)

The fortunes of Zynga have been tightly tied to the success of Facebook. Facebook’s new payment policy (mandating use of Facebook credits) will enable them to capture 30% of revenue. Zynga’s margins are obviously impacted in this move.. I’m sure many people immediately see the analogies here with today’s WSJ article (Apple Risks App-lash…) on Apple’s 30% digital goods tariff.  

As an investor, where do you place your social gaming bets?

A foundational digital goods investment question is your view on how social gaming can exist. Can social gaming survive in a model disconnected from Facebook and Apple? If you believe so, then possibly place bets in the Google model. Over the past 6 months, Google  has made five acquisitions in the field: SocialDeck, a mobile social gaming company; Angstro, a social networking search application; Like.com, a social fashion store; Jambool, a social gaming virtual currency; and Slide, a social game maker, and a $100M+ stealth investment in gaming giant Zynga.  Beyond Google, other views exist for social gaming in a mobile context  (MNO driven model).

Now that you have chosen the model (I’m tired of using the word ecosystem), where will your bet play? I see 5 categories:

  • Games (Zynga, EA, …)
  • Analytics/Incentives/Advertising
  • Distribution
  • Gaming Infrastructure. Example Payment, Hosting, Mobility, Support, …
  • Confluence. game-community, game-retail, game-mobile, game-mobile operator, … Example.. earn farm $$ by visiting a retail store and checking in..

Is social gaming a sustainable category? My personal preference is to place bets in common infrastructure until the next Zynga flourishes. Something I learned from Larry Ellison: “when there is an arms race, don’t fight.. sell the guns”.

Feedback appreciated..