Category: Trust

Trust and Authentication in Financial Services

Google/Mastercard.. The new Oil or Uranium?

Bloomberg published a thorough article today on Secret Google/MA Deal and how the data is used in attribution (I wrote about this in May of 2017 Payment Data and Google Attribution). Attribution is big business. Most marketers still grapple with the old adage “Half the money I spend on advertising is wasted; the trouble is, I don’t know which half.”. Accurately closing the loop between advertising and incremental sales allows marketers to know what is working and what is not.  As outlined in Bloomberg,

“Beforehand, the company received $5.70 in revenue for every dollar spent on marketing in the ad campaign with Google, according to an iProspect analysis. With the new transaction feature, the return nearly doubled to $10.60”.

The GREAT news is that cards are an instrumental part of helping retailers improve the marketing! The bad news:  inconsistent controls, “leakage” of payment data, concerns over consumer privacy and the raw “power” google and FB have in gaining further “data advantage” over everyone else.  

Summary
  • Attribution and “closing the loop” is a strategic priority for Goog/FB because when you know what’s working, you can optimize spend and double marketing ROI. We have seen the same thing at Commerce Signals as we measure the sales impact of client ads outside of the walled gardens. The economic value created is a tremendous opportunity for banks here.
  • Google has “access” to 70% of US transaction data through Mastercard, 1-2 participating processors, a bank data aggregator, and retailers sending data to Google directly (last week’s blog).  However, there are substantial issues with granting Google/FB ad hoc access to payment data. While there are no doubt agreements associated with access and use, the data owner has given up control and thus placed themselves at unnecssary risk.
  • Commerce Signals provides this same closing the loop service in a way that allows the data owner to maintain full control and protects re-identifcation of private consumer financial information.
  • Trust is the core of both banking and marketing. All parties should be able to report on WHO is using their data and HOW they are using it. This requires transparency (and auditability).
  • Building great consumer experiences take collaboration. Collaboration will be the center of all future payment networks (ex Alipay). Commercial networks are transforming – a process which will unlock $2T in value.  (Small Wins and Transformation of Commercial Networks)
  • Data has been called the “new oil”, I would posit that it is the “new uranium”. While great power can be unleashed by refining it, you must control how it is disseminated and used… or it will everyone will be at risk

Transparency and the 3 Rules of Data

There are 3 basic rules to consider for any party participating in a data exchange

  1. Right to have the data
  2. Right to use the data
  3. Right to share the data

Transparency is critical to creating trust and enabling data. To be clear we have no relationship or business with either Google or Mastercard and I have no knowledge of the precise architecture, my educated guess on the structure is below a purely “hypothetical” design based upon experience.

Mastercard sees transaction data, but has no consumer information tied to it. In other words they only have the Primary Account Number (PAN) and no nothing else about you. Within 4 party networks only issuers have consumer information. V/MA schemes are designed to protect consumer anonymity through to the POS. However, there are agents that can map a consumer to a PAN, either through seeing things like online transactions (where you put your name and PAN to order goods), credit card bureaus, …etc. These entities can help holders of PANs map to an anonymized ID.  These anonymized IDs in payments are also held by advertisers. Each party has a “unique” anonymized ID and can’t coordinate with each other without the “key pair translator”

DATA “COLLABORATION” WITH WALLED GARDENS

Google and FB. The issues in making payment data work with Google and FB are the data rules set by Google and FB: they do not let data leave their control (ex media exposure files).  Thus data must go INTO GOOGLE. The 3-4 yrs of delay in MA/Google operation would likely be surrounding where the Google Data and MA data would collectively reside. Google is in a place to financially take risk on this, and my guess is that payment partners (like MA) have agreed to a “white room” where their payment data resides which can be accessed in a controlled/structured manner by Google.

Consumer information leaving Mastercard:  Contractually none as they probably maintain “ownership” of the neutral white room (perhaps a separate legal entity). There are also likely controls placed upon the structure of analysis (example cohorts must be greater than 50 matched consumer records) within an operating agreement.

Issues: Google has ad hoc access to payment data within a set of rules. My rule #3 (right to “share” the data) may be broken here as permissions must be granted by either:  the consumer, merchant, or issuer (depending on data).  Standard questions anyone should ask on this architecture:

  • Who created the operating agreement?
  • Who granted the permissions?
  • Who is managing the controls?
  • What auditability is granted to the impacted parties?
  • Who bears the risk of breach?

Banks and Merchants (the advertisers) must be able to clearly communicate: who used their data for what purpose? For example, while there may be aggregated data controls, what if Google asked the same question for a group of 50 buyers of Joe’s sporting goods, and then changed the cohort by 1 person (Tom). They would know what I bought during the time period.

Federated Data = Controlled Use

At Commerce Signals we do not have any payment data inhouse. We recognized that for data to be controlled it must stay within the premises of the owner, it can only be released if you understand both WHO is requesting the data and HOW it will be used. All data exchanges are tracked and operate within defined terms and agreements. If agreements stop, so does the data flow.  We ask our financial partners a question that like this:

For this group of 1M consumers. What was the total spend of this group during the period before the advertisement and what was the total spend of this group during the media period

Consumer level information leaving financial partner: None. Just the aggregate spend of the group of the 1M. As a neutral party we hold no consumer level payment data, or ad exposure data. We provide all parties with transparent view of both USE and permissions. The only way to make TRUST operaterative in networks is to have a neutral party.

In our Joe’s sporting goods example (above), Commerce Signals monitors ID velocity, and takes actions based upon the direction of the data owner. We work as  the neutral traffic cop that enforces rules of all parties. We enable quality data to play with transparency. For example, we recognize that ID partners must be able to have clarity into how their information was used (example PAN to ID mapping). While ID agents may permission a mapping for the purpose of aggregate measurement, they may choose to defer on others. Enabling ID partners to permission use improves the market for deterministic ID providers (vs probabilistic). Tracking use also allows Commerce Signals to manage opt outs across multiple partners and ID providers consistently.

Data has been called the “new oil”. I would say it is rather the “new uranium”. While great power can be unleashed by refining it, you must control how it is disseminated and used… or everyone will be at risk. This is our business at Commerce Signals.

Industry recommendations:

  • Quality data can only play where there is transparency and control.
  • Retailers should view measurement and optimization as a core IN HOUSE responsibility. Card Networks and merchant processors are great partners to accomplish this with no work on your side. You can enable the same optimization described in the Bloomberg article across all of your marketing.
  • Google and FB must recognize that payment data is of greater sensitivity than ad exposure data. While 3rd party data partners have been curtailed, 1st party data is greatly accelerating. I believe consumers will be shocked to find out that their real time purchase information is made available to Google and FB. While there is an immediate media effectiveness impact in turning this on, there are better ways to accomplish it.   
  • Retailers should recognize the double edge sword of data sharing with Google. While it does improve marketing results, and they can write very big checks, it also leaks consumer preferences. 
  • We are at a Data Tipping Point (blog) where all parties must be accountable for HOW data plays with WHOM for WHAT use.  Create a mission control for all of your data interactions. Who is using your data today?  It is your data, and it must operate under your rules (more here)
  • Banks… must work to ensure transparency of data use, and that the actors participating abide by the rules (see my Bank Recommendations)

Who do you Trust?

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in the Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

9 Sept 2013

(sorry for typos.. on the road and will proof later)iPhone-6-Fingerprint-Detection-And-Apple-Release-Date-Rumors

WSJ article today on Apple’s biometric led me to believe the mainstream press is “missing” it. As I outlined in Payments as Part of the OS, generically for all handsets in Stage 4 Value Shift, and specific projections for Apple in Apple and NFC – Part 2:

  • Handsets are becoming a commodity, cameras screen resolution, battery life are no longer differentiators
  • New differentiator is “Value Orchestration” across physical and virtual worlds
  • Apple and Google are best placed to perform this service, and do so today from “cloud access” to music, pictures, calendars, documents, to storage of personal information like cards, social,
  • The “KEY” to value orchestration is owning the customer relationship. Identifying and Authenticating the customer is the first, primary, service that must be owned by a platform.  What was a separate “Trusted Services Manager” in the NFC world has been co-opted by platforms which will take a proprietary route.
  • Authentication is of little value if the platform is not “secure” and offers no unique services to Authenticate. IOS and Android started life as relatively unsecure operating systems, where “control” over individual app access to phone data was “regulated” by testing vs. enforced in platform security.NFCActors

Platform Future

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in the Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?NFC Change

Hardware is evolving to software. From NFC to the SIM. Once security is in place, there is no reason Apple could not release a version of their phone with SIM virtualization/emulation. Could you imagine having 2-5 options at any given instant, using whatever carrier has best coverage and least cost given your current location… Perhaps even competing w/ Wi-Fi ? Of course this would destroy carrier subsidies.. but perhaps it may be worth buying an unlocked phone.. and carriers become dumb pipes competing to deliver the best service. There are a few regulatory roadblocks in the way.. but I am painting a future view that is already occurring in some markets (See dual SIM phones in India).

The implications for Android are much more significant than for IOS, given the number of Telecos that have leveraged Google’s baseline Android to create customized versions. If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (drive, Google Now, Commerce, …).  The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

Trust – Everyone wants to play

What we will see at Money 2020, is that there is an all-out war going on for the Trust role: Banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.where value lives

Bank strategy seems to center on control of existing networks. What they don’t realize is that the harder they work to build barriers to entry, the greater the value of finding ways around them. A public example is Google’s acquisition of Zave Networks in 2011.  Prior to taking your credit card at the POS, there is another settlement process in place.. one around coupons (which are a legal form of tender). In this coupon environment, P&G or General Mills’ accounts are debited and the consumers account is credited. In this financial settlement system, there is no limit on what accounts can participate… This example perfectly represents the “innovator’s dilemma” where a “good enough” network supplants an incumbent as the nature of competition changes.

I was with a top 3 bank CEO this year, who was confident that they would win the MCX business. I asked why. Response was “we have these Retailer’s investment banking business and handle most of their processing today”.. My response “when did you bring them customers or help with them compete”? He just did not understand the nature of his competition, it was not about cost of processing… the NATURE of competition in payments is changing.  (See Retailer as Publisher)

Who do I trust?

I’m an ex banker and can tell you that Banks take the trust role very seriously. They are regulated and monitored.. I had to take 40 online tests a year to ensure I understood compliance, regs, …etc. What a nightmare! Is it any wonder why this environment is not ripe for innovation. Can you imagine what the CFPB would do to a big bank when it had customer data not related to an account? It would have to explain why they had the data, how they obtained it, the customer agreement terms, what they would do with it, the safegaurds around use, storage, retrieval, how they planned to make money from it..  Its like your mother in law sitting next to you everyday asking you what you are doing.  I certainly Trust a bank.. but they will never ever get anything done here.  They need partners, but they want to dominate the relationship.. The country w/ most advance model of Bank led “trust” authority is Korea (see link).

I love Google and think everyone of their employees is working to “do no evil”. They are the most well meaning and least “nafarious” fortune 50 I have ever worked with.. but they are use to getting data for free and selling it back in services. Consumer safeguards seem rather absolute.. and their data stores are so massive and intertwined its hard to pull it apart, particularly when a “consumer” relates to an account(s) and device(s)… Google knows things about me that I have not specifically permissioned them for, They have the capability to be secure, but few current services where that is an imperative (payments, Google Drive).

Apple is from another planet, there is just no one else like them in keeping secrets. How do they do it? Yes I trust Apple.. they only know what I tell them…. I like this model.. If I added healthcare info to my iCloud account.. I have confidence it would be secure.

MNOs. This is a breakout business for them (See KYC $5B opportunity). GREAT authentication means physical verification of customer/credentials. I believe US MNOs are in a position to deliver this service through Payfone… but it must be integrated to local physical distribution channels for a “new” account type. This is where digital signatures could really take off… from signing mortgage documents to account applications..  I believe MNOs are best placed for the Trust role because of their physical distribution channels and knowledge of consumer.  Forget about ISIS.. if you own authentication everything else is dependent on you.

Side Note: Paypal is getting far too much attention

They had a slew of new product releases last week. All focused on “convenience” not on COST or customer acquisition. As I outlined.. Paypal is nowhere in off-ebay mobile payments ($1B – see my 10k Breakdown), they are under attack as processors like FirstData refuse to route their physical payment. The only prospective customers of Paypal are services, or Branded retailers that restrict distribution, as the eBay marketplace encourages price competition for distributed CPG products. Jamba Juice, Dunkin Donuts, and Under Armor are example prospects.. Consumer adoption is driven by frequency of use.. If Paypal can’t make traction in Grocery, Gas or Transit their prospects are very bleak.

From a network perspective Physical POS was NEVER PayPal’s focus.. it is not what they do, or why their current consumers and merchants use them.