Token update – TCH + 2 Big Banks and Paypal

I’ve been writing about this token stuff for over 5 yrs. Wow.. This is an update to my June 2013 blog – Tokens: any volunteers ,  SRC- W3C and Tokens and the Trojan Horse.

First my bias.. I may be naive.. but as I stated in Tokens and the Trojan Horse

Visa and Mastercard provide a level playing field for Issuers and Merchants (with few exceptions). Per my blog Payments Civil War, V/MA are a fantastic creation that have experienced profound success (and growth). As I outlined in the Changing Economics of Payments, the beauty of the V/MA model is that it creates incentives for millions of businesses to invest billions of dollars. For investors, the attraction of V/MA is that it is scale free.. with minimal effort required to add volume. While there are MANY more logical ways to deliver payments.. there are none with more profitable incentives for investment.

Tokens are an enormously powerful control point for the payment networks. 9 years ago the banks were working to “build a new Visa” within an initiative launched by The Clearing House. The idea was to create a new scheme that “wrapped” account numbers with another number (token) and avoid network routing (see wrapping). The networks smartly came down and issued clear guidance, if you wrap my card number with another number …. It is still a Mastercard/Visa.

TCH has been seeking a partner for tokenization since Paul Gallant led the 27 bank consortium 8 yrs ago.  Can you imagine the sales pitch (as I reviewed in the Trojan horse) “give me all of your customer information, I will lock it up.. and give you one of my keys for you to access it”. Google, Apple and Amazon have all smartly said no. What is the remaining “big” eCommerce Cards on File (COF) home? You guessed it PayPal.

While I’m not 100% sure about this.. it is the only group left AND two of these banks told me this week “Paypal is the only one that can move merchants effectively”. I was shocked … paypal can move merchants more than Google? They responded “Google has the best technology, but they just can’t sell merchant more than adwords”.. wow.

Thus my best guess is that 2 of the top banks are working with Paypal as the processor/gateway  to move “W3C” in the direction of the TCH tokenization service. The head of the W3C WG wrote me on twitter

Quite frankly my head is spinning. W3C is a browser standard.. how can Paypal get their TCH tokens in? I haven’t figured this out yet, but what I do know is that the complexity is enormous. We have 3 different token services

  • Visa VTS/MA MDES (Apple is primary customer)
  • Google (see Blog) – had no choice but to develop a new custom “standard” by which the encrypted FPAN flows to the merchant acquirer
  • TCH – Paypal + ??

And also multiple new eCom standards

To read what is happening you must therefore take a matrix view.  Obviously Google is moving with their own token service and W3C. Paypal seems to be moving with TCH and W3C.  Apple with network tokenization and ApplePay.

My head is spinning. I must say I did buy Paypal stock this week. I’m just floored that top tier issuers are innovating with Paypal.. focus, partnerships and execution are moving them into the bank friendly category.

Google/Mastercard.. The new Oil or Uranium?

Bloomberg published a thorough article today on Secret Google/MA Deal and how the data is used in attribution (I wrote about this in May of 2017 Payment Data and Google Attribution). Attribution is big business. Most marketers still grapple with the old adage “Half the money I spend on advertising is wasted; the trouble is, I don’t know which half.”. Accurately closing the loop between advertising and incremental sales allows marketers to know what is working and what is not.  As outlined in Bloomberg,

“Beforehand, the company received $5.70 in revenue for every dollar spent on marketing in the ad campaign with Google, according to an iProspect analysis. With the new transaction feature, the return nearly doubled to $10.60”.

The GREAT news is that cards are an instrumental part of helping retailers improve the marketing! The bad news:  inconsistent controls, “leakage” of payment data, concerns over consumer privacy and the raw “power” google and FB have in gaining further “data advantage” over everyone else.  

Summary
  • Attribution and “closing the loop” is a strategic priority for Goog/FB because when you know what’s working, you can optimize spend and double marketing ROI. We have seen the same thing at Commerce Signals as we measure the sales impact of client ads outside of the walled gardens. The economic value created is a tremendous opportunity for banks here.
  • Google has “access” to 70% of US transaction data through Mastercard, 1-2 participating processors, a bank data aggregator, and retailers sending data to Google directly (last week’s blog).  However, there are substantial issues with granting Google/FB ad hoc access to payment data. While there are no doubt agreements associated with access and use, the data owner has given up control and thus placed themselves at unnecssary risk.
  • Commerce Signals provides this same closing the loop service in a way that allows the data owner to maintain full control and protects re-identifcation of private consumer financial information.
  • Trust is the core of both banking and marketing. All parties should be able to report on WHO is using their data and HOW they are using it. This requires transparency (and auditability).
  • Building great consumer experiences take collaboration. Collaboration will be the center of all future payment networks (ex Alipay). Commercial networks are transforming – a process which will unlock $2T in value.  (Small Wins and Transformation of Commercial Networks)
  • Data has been called the “new oil”, I would posit that it is the “new uranium”. While great power can be unleashed by refining it, you must control how it is disseminated and used… or it will everyone will be at risk

Transparency and the 3 Rules of Data

There are 3 basic rules to consider for any party participating in a data exchange

  1. Right to have the data
  2. Right to use the data
  3. Right to share the data

Transparency is critical to creating trust and enabling data. To be clear we have no relationship or business with either Google or Mastercard and I have no knowledge of the precise architecture, my educated guess on the structure is below a purely “hypothetical” design based upon experience.

Mastercard sees transaction data, but has no consumer information tied to it. In other words they only have the Primary Account Number (PAN) and no nothing else about you. Within 4 party networks only issuers have consumer information. V/MA schemes are designed to protect consumer anonymity through to the POS. However, there are agents that can map a consumer to a PAN, either through seeing things like online transactions (where you put your name and PAN to order goods), credit card bureaus, …etc. These entities can help holders of PANs map to an anonymized ID.  These anonymized IDs in payments are also held by advertisers. Each party has a “unique” anonymized ID and can’t coordinate with each other without the “key pair translator”

DATA “COLLABORATION” WITH WALLED GARDENS

Google and FB. The issues in making payment data work with Google and FB are the data rules set by Google and FB: they do not let data leave their control (ex media exposure files).  Thus data must go INTO GOOGLE. The 3-4 yrs of delay in MA/Google operation would likely be surrounding where the Google Data and MA data would collectively reside. Google is in a place to financially take risk on this, and my guess is that payment partners (like MA) have agreed to a “white room” where their payment data resides which can be accessed in a controlled/structured manner by Google.

Consumer information leaving Mastercard:  Contractually none as they probably maintain “ownership” of the neutral white room (perhaps a separate legal entity). There are also likely controls placed upon the structure of analysis (example cohorts must be greater than 50 matched consumer records) within an operating agreement.

Issues: Google has ad hoc access to payment data within a set of rules. My rule #3 (right to “share” the data) may be broken here as permissions must be granted by either:  the consumer, merchant, or issuer (depending on data).  Standard questions anyone should ask on this architecture:

  • Who created the operating agreement?
  • Who granted the permissions?
  • Who is managing the controls?
  • What auditability is granted to the impacted parties?
  • Who bears the risk of breach?

Banks and Merchants (the advertisers) must be able to clearly communicate: who used their data for what purpose? For example, while there may be aggregated data controls, what if Google asked the same question for a group of 50 buyers of Joe’s sporting goods, and then changed the cohort by 1 person (Tom). They would know what I bought during the time period.

Federated Data = Controlled Use

At Commerce Signals we do not have any payment data inhouse. We recognized that for data to be controlled it must stay within the premises of the owner, it can only be released if you understand both WHO is requesting the data and HOW it will be used. All data exchanges are tracked and operate within defined terms and agreements. If agreements stop, so does the data flow.  We ask our financial partners a question that like this:

For this group of 1M consumers. What was the total spend of this group during the period before the advertisement and what was the total spend of this group during the media period

Consumer level information leaving financial partner: None. Just the aggregate spend of the group of the 1M. As a neutral party we hold no consumer level payment data, or ad exposure data. We provide all parties with transparent view of both USE and permissions. The only way to make TRUST operaterative in networks is to have a neutral party.

In our Joe’s sporting goods example (above), Commerce Signals monitors ID velocity, and takes actions based upon the direction of the data owner. We work as  the neutral traffic cop that enforces rules of all parties. We enable quality data to play with transparency. For example, we recognize that ID partners must be able to have clarity into how their information was used (example PAN to ID mapping). While ID agents may permission a mapping for the purpose of aggregate measurement, they may choose to defer on others. Enabling ID partners to permission use improves the market for deterministic ID providers (vs probabilistic). Tracking use also allows Commerce Signals to manage opt outs across multiple partners and ID providers consistently.

Data has been called the “new oil”. I would say it is rather the “new uranium”. While great power can be unleashed by refining it, you must control how it is disseminated and used… or everyone will be at risk. This is our business at Commerce Signals.

Industry recommendations:

  • Quality data can only play where there is transparency and control.
  • Retailers should view measurement and optimization as a core IN HOUSE responsibility. Card Networks and merchant processors are great partners to accomplish this with no work on your side. You can enable the same optimization described in the Bloomberg article across all of your marketing.
  • Google and FB must recognize that payment data is of greater sensitivity than ad exposure data. While 3rd party data partners have been curtailed, 1st party data is greatly accelerating. I believe consumers will be shocked to find out that their real time purchase information is made available to Google and FB. While there is an immediate media effectiveness impact in turning this on, there are better ways to accomplish it.   
  • Retailers should recognize the double edge sword of data sharing with Google. While it does improve marketing results, and they can write very big checks, it also leaks consumer preferences. 
  • We are at a Data Tipping Point (blog) where all parties must be accountable for HOW data plays with WHOM for WHAT use.  Create a mission control for all of your data interactions. Who is using your data today?  It is your data, and it must operate under your rules (more here)
  • Banks… must work to ensure transparency of data use, and that the actors participating abide by the rules (see my Bank Recommendations)

Payment Data.. Banks are NOT the problem

Loss of Anonymity in Payments and the threats to Banking, Retail and Consumers

Compelling WSJ article yesterday on Facebook and Bank data. This article doesn’t begin to touch the extent of the problem. When it comes to data, there 2 very very distinct camps. Those that care about consumer data and their role in managing it, and those that don’t. 

Banks and payment networks care and are “squeaky clean” compared to the rampant data sharing going on within marketing (retailers directly to the big ad publishers). While Cambridge Analytica brought about changes to 3rd party data sharing the entire ad industry has DRAMATICALLY increased direct first party data sharing. In other words many large retailers are sending their real time SKU level purchase data (for all customers) directly into the big Ad Platforms.

  1. Google Offline Conversions API
  2. Facebook Offline Conversion API
  3. Agency Example
  4. Gartner CDP Magic Quadrant

What enables retailers to identify consumers and send this data to Ad Platforms? Historically, only retailers with loyalty card schemes could do this, but recently Payment cards have transformed to become the virtual loyalty card used to accurately identify consumers (without Bank/Network permission). This is shocking, as Payment cards have a solid track record for protecting consumer identity (ie anonymity in payment), with payment anonymity a core “feature”. Within the 4 party network schemes only issuers could identify the consumer, enabling issuing Banks maintain the critical role of Identity broker (see blog). As former banker this makes my head spin, as the Payment Card Industry (PCI) has invested BILLIONS to protect transaction data.. Only to have it pour out from a hole.

Example

Today, when a consumer uses their V/MA card to purchase the retailer creates an “anonymized ID” and stores the transaction set internally (at ~50% of the top 10 retailers) with the entire inventory of items purchased. There are few rule or privacy issues here (IMHO), as general trends and loyalty are measured.  However, retailers are voluntarily sending this transaction data (mapped to consumer ID not PAN) directly to the big Ad Platforms. The ad platforms then map this activity to the “anonymized ID” customer behavior it maintains (ex preference for soccer and CNN.com). Issues with this model:

  • Replacing the PAN with another Anonymized ID SHOULD NOT cause it to run under a different “rule set”. If ANY card information was used in the mapping, it should run under network rules
  • Neither the issuers, the networks nor the consumers have permissioned this data sharing.
  • Banks will never have a data business if data plays in this way
  • Retailers are giving away enormous consumer insight and strengthening the pricing power of Google/FB
  • The value of the “raw data” will diminish. Once reliable predictive models and preferences are established (ex Tennis player that likes Lacoste) I no longer need the raw data
  • Data is the “new uranium” we must work to control dissemination or it will destroy those touching it.

Obviously data is following the path of least resistance to centralization points that can act on it efficiently (covered in my blog Equifax, FB and Dangers of Data Centralization). However the ABILITY to act on data is different than the rules which data should act within. Transaction data was developed with VERY thoughtful rules and controls. For example, when a party submits a transaction or request the counterparty is known as is the legal agreement under which the “transaction” operates. Trust developed as a result. Trusted data must be managed.

Russ Schrader (Commerce Signals GC/CPO and Executive Director of the National Cyber Security Alliance) put together these 3 simple rules of thumb when thinking about data use:

  • Right to have the data
  • Right to use the data
  • Right to share the data

To be clear my goal is NOT to create a government imposed GDPR in the US. Rather I want Banks and Retailers to have a data business, and create great new consumer experiences.

Yes I have a bias here, it is what I built my company around (see Federated Data®). Data centralization is the v1.0 architecture of data science. Sure you can learn great things if all the data is mashed together but the value of data is based upon use. If you can’t control use… you can’t control the unique value that is unlocked (or the rights) within a given use.

Bank/Network Actions

Let me be clear.. banks must have a role in data! The economics of payments are changing. Banks must protect their ability to deliver value beyond the transaction. Banking is a commerce function and Alipay has shown what the future holds for “commerce orchestrators” .. payments allow them to become banking orchestrators as well (see WSJ and Ant Financial).  There are both offensive and defensive actions that must be taken. 

  1. Defense. Change the rules to protect your data ensure every party “in the network” is operating on your data with permissions. Your data is playing in the market today.. and you don’t even know it. Banks have permissioned and distributed their data to marketing, loyalty, and shared market insight vendors. While individual transaction data may not be distributed by your partners, consumer level models are built and shared (see Banks as a Data Business). Typical network rules allow for merchants to use card information for the purpose of “loyalty and marketing” these rules need to be tightened up as the rights to share this data with many parties was never part of the original intent.
  2. Retailers are not big enough to force change within the ad world. You are..  Ensure that all data operates within the simple rules above.
  3. Banks must collaborate in data. As a top 3 bank told me “… we have learned some very hard lessons in data, no one bank is big enough to go it alone. What we should have remembered is the success with V/MA. Even though we compete with [Banks] a common network allowed millions of businesses and consumers to work with us consistently….” and another “ The real threat to banks is the Alipay. We need a common data network with common rules. Banks have a role to play in creating great consumer experiences however there are only a very few of them we are poised to lead”.  
  4. Take on the roles of transparency and consumer champion.
Retailer Actions

Retailers have a right to payment data. While big data can create great new insights if we centralized and analyzed all conversations, there is a downside. Digitally, every interaction you have with a consumer is a conversation. Brands must manage who gets to take part in these conversations and build insight from them. If your downstream data “partners” mis-use your data your customers will go to Amazon (which doesn’t share data with Google and FB).  You must create great consumer experiences, but you must balance against consumer privacy and your rights to the data.

  1. Maintain control of your data supply chain. Both WHO is using your data and HOW it is being used. Create a mission control that allows you to see what data is shared with Whom, for which Use under which legal agreement (a shameless plug for our service)
  2. Rather than sending out raw transactional data that improves pricing leverage of Goog/FB build a CDP and enable your own targeting. Make partners bring their insights to you, or ask you to append a propensity score for a specific campaign.. not raw data for all of your customers. This is what Commerce Signals enables. 
  3. Hold all marketing partners accountable to performance against a common benchmark. This does not mean a measuring against a panel of 8M location based “presence” participants. But leverage your transaction data to measure performance consistently. This means Google and FB must be measured against your metrics.. Not report their own. Mark Pritchard of P&G is the most vocal advocate of this approach

For more information, please see my previous blogs

Paypal is on a TEAR.. iZettle and hyperWALLET

Note: I’m not subjective on this one as I’m both an investor and former BOD member of hyperWallet. Of course I’m biased on all of my others too.. but just don’t have much of a financial stake.

Paypal has been on a tear in 2018, and is the leading payment stock performer in last 12 months – up over 60%. Continue reading “Paypal is on a TEAR.. iZettle and hyperWALLET”

Data Tipping Point.. Good things will happen

Recent issues with Facebook, Equifax, GDPR compliance, … have brought us to a tipping point in data. The basic structure of how data is: permissioned, shared, used, accumulated, analyzed, sold, regulated, … must change. Google and FB operate in a Big Data 1.0 architecture powered by the “virtuous cycle”. Edward Snowden showed us how the NSA also acts in this centralized model as a data vacuum (not so virtuously). Literature and entertainment have created broad awareness of the dangers of centralization and loss of privacy: 1984, the Borg, The Circle, Black Mirror, … etc.   Continue reading “Data Tipping Point.. Good things will happen”

Tokens and the Trojan Horse

I can’t believe I’ve been writing about this stuff for almost 10 yrs. If any of you have suffered through my 20 blogs (on tokens) I certainly don’t want to rehash anything.. just bring everyone up to speed on what I see as major issues on the horizon for V/MA, Issuers and Merchants.trojan-horse-small

Headline: Visa and Mastercard have made it easy for millions of businesses and billions of consumers to work together consistently. V/MA are a thing of beauty, creating incentives for multiple parties to invest in payments (and grow network). Continue reading “Tokens and the Trojan Horse”

Banks as a Data Business – Example Amex Advance/Acxiom

Traditionally the core of bank margin is in risk management. The core of risk management is data.. thus Banks have been the among the best data businesses (as IBM knows). Banks “learn” about their customers through bank interaction: payroll, card transactions, lending. This has helped banks make better risk decisions (both credit and fraud/identity). Within the bank data cycle the traditional use of data is for an internal benefit: risk and cross sale of the bank’s products and services (not that of consumers or merchants).  However the “virtuous cycle of banking data” is very different from that enjoyed by Amazon and Google, both in the scale and type of data and consumer facing use.  Continue reading “Banks as a Data Business – Example Amex Advance/Acxiom”

PayPal surpasses Amex in Market Cap

WSJ Friday – Paypal Passes Amex in Market Cap

Paypal’s stock has been on an absolute tear this year up over 70% and pushing their market cap over $80B, with 55x P/E (compared to Visa’ 40x and Mastercard’s 36x)paypal-stock

eCommerce and payments are both hot sectors…. PayPal combines both. Most would tell you that the “real progress” for PayPal’s stock started July of last year with the V/MA peace treaties (blog).

Paypal’s biggest advantage is focus… they are 100% focused on payments. This gives them advantage in both innovation and execution, particularly when they are not dependent on getting the “permission” of anyone else. Venmo’s massive success is a great example of speed and finding a niche that no one else saw.

I tell Dan that I see 2 primary vectors for further growth: long tail (small retailers) and international (particularly small merchant acquiring). Wirecard sees the later as well given they just purchased Citi’s acquiring business in Asia.

Paypal’s competitive environment, the bundling of payments, and tech (new authentication/payment in OS ) creates a very challenging environment for growth. Their ability to focus and execute is what will differentiate them as a new tech standard is meaningless if no one uses it. Example is Apple Pay in store continues to be a flop.. where as apple pay in-app is a crushing success.

What most impresses me this week? Paypal’s partnerships (see Dan present on this topic – CNBC). Parnterships are a HUGE driver of volume (look at eBay’s impact). Consumers just want the easiest/default payment approach.

Congrats to Bill, Dan and team.. making this progress while REMAKING a technical infrastructure in a highly competitive environment is tough!

CORRECTION
In a post entitled “What to expect from Money in 2020” posted on October 5, 2017, I stated that Bank of America had “pulled out of their relationship with Cardlytics”. Cardlytics has informed me that this is false and that there is no change in the relationships with Bank of America or Citi. I
apologize and regret this error.

I look forward to getting another update on the CLO space from both banks this quarter.  It sure is nice that someone reads page 3 of a blog on Money 2020 to notice this stuff. I’m always open to correcting errors or omissions.

 

Equifax, Facebook and Dangers of Centralization [of Data]

Equifax. It’s hard to sit on sit my hands and not write on this one. My perspective is shaped through running 2 of the largest online banks in the world, developing state of the art fraud prevention systems with the top 20 banks, working with Google and today creating Commerce Signals.

Enron has new competition for the company name that denotes loss and fraud. Equifax may be the single largest breach of consumer information in history…. It is everything from social to DOBs, DL #s, …. How did Equifax get our data? Continue reading “Equifax, Facebook and Dangers of Centralization [of Data]”