Payment Authorization – Under The Hood

Retailers should tread very carefully in direct issuer connections

My focus over the last 18 months has been identity, trust, authorization and assertions. Today I thought we would get under the hood a little on the technology of authorization and the current operational issues with a key network service: 3DS. 

You need to be logged in to view the rest of the content. Please . Not a Member? Join Us

MRC Recap – Looking up – A Retailers Perspective On Payments

I’m glad I made the decision to attend my very first Merchant Risk Council event this week. For those that don’t know, MRC Vegas is the second largest payment event in the US (after M2020) but with a VERY different focus. MRC is attended by the “hands on” payment leaders from all the top merchants and the vendors that serve them: Stripe, Adyen, PayPal, V, MA, risk, fraud,  …. Etc. Whereas M2020 is attended by FinTech, Crypto, Venture, Institutional investor, and strategy audiences, MRC is much more focused on making payments work

You need to be logged in to view the rest of the content. Please . Not a Member? Join Us

Identity, Authentication and Risk

Bridging Domains – Short Blog – Random Thoughts

This is a “Random Thoughts” blog, which means there are many points that I’ve left hanging (not finished cleanly). The blog’s objective is to stimulate discussion, so please don’t hesitate to comment.  Identity is a hot topic for me with 15+ years of previous bosts. Here are a few updates … as well as my evolving perspective. 

Continue reading

Role of Identity and Trust in eCom

Please excuse typos.. Editing not complete. I had a great compliment this week: “Tom you write so dense.. why are you so different”? I’m not an analyst or a blogger, but a guy that has run operational businesses and led venture investments. The only great thing I’ve ever done in life is to meet great people with passion and ability to execute on a vision. This blog is how I chat with all my colleagues. Glad others find it useful..

This is a rather long blog.. if you don’t have time read the wrap up at the end which is a summary of key points.

—————–

Continuing on from yesterday’s blog on Authentify – Bank ID Service, I thought I would outline the role of identity in eCommerce and the problems to be solved. Although most of you know me as a payments guy, I also have deep roots in data working directly with retailers, AdTech, Google/FB and media (in addition to issuers/acquirers/networks). In looking through eCommerce articles I couldn’t find one relating to identity (from a big picture perspective).. So I thought I would write one.

You need to be logged in to view the rest of the content. Please . Not a Member? Join Us

EMV in US? No Way

Update Sept 2014

Did EMV in the US happen? Well to the surprise of issuers, Visa announced a scheme change in the US in August 2011 (see PR). The big issuers were not consulted about this program prior to rollout, as the dynamics described below in my previous article were occurring. Additionally banks were working on a new scheme that would leapfrog EMV: Tokenization.  The large banks were working on this scheme without the involvement of Visa and MA. If successful, this new token scheme would have bypassed V/MA altogether. I believe one of the reasons for this EMV push by Visa was to reassert its control of the network. Today we see quite a bit of friction remaining here between issuers and networks. See my blog on Chip and Signature for a view on some of the remaining chaos.

The new EMVCo token scheme announced in October 2013, formalized in March 2014 and rolled out first with ApplePay in Sept 2014 is the new “best” scheme on the planet. In this scheme, the networks have taken over the original bank token model. Of course banks can also serve as TSPs, but none of them are currently prepared (as of Sept 2014).


 

Original Oct 2009 A

As I was reading an article concerning “why US Card issuers should move to EMV”, I was struck by the amount of “disconnectedness” on this topic in the industry.

A quick background for those unfamiliar:

  • EMV is a “Chip” that replaces the mag stripe on a credit card http://en.wikipedia.org/wiki/EMV
  • Rolled out in Europe in 2004 w/ hope that fraud would go down (it actually just shifted to Card not present “CNP” transactions)
  • European issuers are also acquirers. In US these functions have been separated w/ exception of AMEX
  • Europeans banks are complaining that US cards in EMEA markets and EMEA cards in US markets are the weaknesses in their beautiful vision of a “Chip world”. EMEA acquirers are also threatening to stop accepting US (mag stripe) cards.
  • US Adoption of EMV would take 10+ yrs for banks to re-issue cards and for all merchants to replace all terminals that use the mag strip.
  • Issuers in the US don’t collaborate very often because of anti-trust concerns. Rules are set by networks… in which banks are Board members. Big banks like competing through “best practice” in fraud management. Small issuers have trouble in the arms race.

US Issuers are exercising sound judgment in not jumping on the EMV bandwagon, yet many industry pundits (without access to the data) continue to push a POV that we in the US are somehow backward. Just take a look at the UK fraud data, the card losses have grown from 122M GBP in 1997 to 531M GBP in 2007, and 610GBP in 2008. What did the EMV investment “buy” the UK issuers? A detailed look at this fraud data (APACs confidential) shows that fraud adapted to the next weakest point in the card chain: CNP.

The US banks are highly motivated to do the right thing here, but the solution requires coordinated movement by 4+ highly fragmented groups (Issuers, Acquirers, Networks, Merchants).  The US banks do get together to discuss these topics, primarily at the Philadelphia Fed.  The top request from the banks (to their regulators) was to free their hands in working together on fraud and standards without fear of anti-trust reprisals.. A request that took on no owner, as the number of agencies involved were challenged to work between themselves (FTC, OCC, Fed, …)

http://www.philadelphiafed.org/payment-cards-center/publications/update-newsletter/2009/spring/spring09_06.cfm

Independent of the political challenges that the issuers face in the US, EMV is not the initiative to bring them together.

  • Old technology (will not last the 10yrs it will take to roll out in US)
  • Expensive (POS, Card). Costs are not borne equally in network
  • No proof point, fraud did not go down in UK, CNP was not addressed. http://www.computeractive.co.uk/computeractive/news/2238913/apacs-releases-fraud-figures
  • Fraud Shifts to the next weakest point, it is not static
  • Big issuers like to compete on risk management
  • No benefit from “incremental” rollout of any technology (below)
  • “Health” of issuers (below)

The “true” benefits of EMV will not occur until there is 100% adoption at POS (complete elimination of the mag stripe), and all other weaknesses are addressed (primarily CNP). That is the conundrum facing any new technology here:  New Plastic must completely replace the old. In other words there is no “Incremental” fraud savings to an incremental rollout.

Where there is chaos there is opportunity…

With respect to card use at the POS in the US, prospects for NFC in mobile handsets is very exciting. NFC enabled handsets provide great customer convenience and the cost(s) are not borne by the banks. I highly recommend the business whitepaper below for those interested in the subject.

http://www.gsmworld.com/documents/gsma_pbm_wp.pdf

Other Data

NCL losses of Top Issuers for 3Q09

Top 5 issuers have seen their businesses deteriorate substantially, as NCLs moved from ~3% in 2007 to 10-12% currently. 3Q09 Examples (Data is for QUARTER)

  • – Citi.  NCL of $4.2B,
  • – JPMC. NCL 9.41% (ex WaMu) Card Net Income ($700M) for quarter
  • – BAC. NCL $5.47B, 12.9%
  • – CapOne. NCL $2.3B, 10%

 

http://www.javelinstrategy.com/2009/08/06/emv-us-magnetic-stripe-credit-cards-on-brink-of-extinction/