Apple’s Commerce Future = Square?

My top question for October has been “What is Apple up to” in payments/commerce? It matters to me because investments and strategies have to line up. Is there new risk? Should I be running from NFC? Where do I place my bets?

25 October 2011

My top question for October has been “What is Apple up to” in payments/commerce? It matters to me because investments and strategies have to line up. Is there new risk? Should I be running from NFC? Where do I place my bets?

Data Points (From previous blogs)

  • Apple/iPhone is staying away from NFC…Apple has something brewing that revolves around its iTunes account base.
  • Chase is working with both Apple and Square
  • Square just secured a billion dollar valuation on $3-6M in Rev from one of the best VCs (IMHO) KPCB.. SO they must have some big idea…
  • WSJ Article reports Jamie Dimon is talking to Dorsey on Payment.. what possibly could Jamie be so enthused about?
  • Keith Rabois said he would never have gotten involved in Square if it was just about a doggle and payments..
  • Visa is on board.. so they must have a plan to drive card volume. Visa invested at a time when new mobile  PCI standards were “in flight”
  • The Square doggle is mag stripe only.. (doesn’t work outside US)
  • They are pushing the doggle like mad, expanding distribution to WMT stores this week.
  • My previous blog outlines how Square has shifted into V3 of a business strategy that is about commerce (not payment). V1 was “Payments for Craigslist community”, V2 Small Merchants alienated by terms of today’s Acquirers, V3 Commerce
  • Square card case shows TODAY’s product for working in physical retail. To make this work efficiently (and at scale..) many people have to be “registered” with Square as Payers (to open a Tab). Visa Wallet, and Apple iTunes would seem to be logical extensions to expand this registration rapidly. See Card Case demo Square’s site http://www.youtube.com/watch?v=la0zz-pPEl4
  • As I stated previously, there is no need for NFC… anything that NFC can accomplish can also be accomplished with a single key exchange.. whether that key is biometrics, a loyalty card or your GPS location
  • In this blog 2 years ago (wow I’ve been writing about Square for that long!?), outlines how a commerce process of the future may look like the local country store of the past. I know who you are when you walk in.. ask “would pay like you did last time or put it on your account?”.

Apple/Square – the Anti NFC?

All indications are that Apple has a new “location registration” type of service.. Allowing users to determine “Who” they want to make aware of their presence. I’m sure most of you familiar with Square’s card case can see the immediate link: if you walk into a “registered” store you have given “permission” to be aware of your presence the store will be able to market to you during your shopping experience AND when you go to register it will know who you are based on Voice (Square example), picture, GPS, or some other proximity indicator. Assuming your payment is on file (iTunes/Square) and the retailer is “connected” (to same cloud as consumer): the entire marketing, shopping and checkout process is done without ANY select, scan, tap, swipe or anything … throughout your entire shopping experience. For example, you could be watching targeted iPhone ad videos while shopping with discounts automatically applied at checkout.

Hey I could be wrong … and should have just kept my mouth shut while I go patent this.. but I think this is already in flight.. so my goal is to inform investment decisions. My confidence level?

Square is building this? 60-70%

Apple is participating? 30-40%

This would make Square’s Wal-Mart distribution efforts look brilliant. Give away millions of free doggles to get consumers to sign up.. then leverage this network as the basis for future in store payment network.

Is this really a Killer App?

My response centers around this question: How would retailers (and existing value chain) react?

  • Where is the value to the retailer? In store marketing is not valuable without knowing intent to shop or buy.. or brand preferences..
  • What do Square, Visa, Apple know about physical advertising and retail?
  • What incremental sales with this drive? New customers? Basket Size?
  • Will I lose business if I don’t do this?
  • This use case solves a “payment” problem and an “instore awareness” problem.. What is the benefit to the merchant? Speed? Reduced Interchange?
  • If Chase and Visa are driving this.. retailers will not be jumping over themselves to be first on board
  • IBM has an 80% share registers in top 20 retailers.. Are they going to give up the POS to Square?

On the positive side.. this is certainly MUCH cheaper than NFC.. Merchants: Why should you buy NFC terminals at all? This highlights again why the MNOs insistence in following a “control” model for delivering value through NFC will be such a failure (see related blog). Data should not live on the phone.. but the cloud.

Investment Implications?

  • Be cautious in over estimating the uptake of NFC. It is not a panacea for payment. It is a great tool for machine/tag to machine communication (ticketing, door opening security, RFID reader, music sharing, …).
  • Verifone’s vision of new terminals everywhere should be balanced with a view of no more payment terminals at all.
  • There are some very big bets going on here.. Apple, Kleiner, Visa, Chase.  If you are not aligned to one of the big players you could get stepped on quickly
  • Many opportunities to add value within this “future” scenario.. SAP, Oracle, and other retail experts are well positioned to help retailers
  • Visa and Chase’s involvement make retailers participation less certain… therefore increasing retailer interest in other “retailer friendly” value propositions.
  • My favorite one.. in store bandwidth. Stores are sink holes for radio signals..  Verizon and AT&T could gain control over this entire value chain by selling connectivity solutions (ie microcells) into stores. They can control the content in the phones to a much higher degree.. for example blocking any non-retail friendly site while a customer shops.
  • Government Regs.. We need to start managing who has access to location information in a much more “regulated” fashion.  I’m more concerned about my location information than I am about my payment info. Why? I know I won’t be held liable for my fraudulent card data.. while a bunch of physical thieves could rob me blind if they know where I shop and when I’m gone from my house.  There is an assumption that customers will let this happen. My recommendation is for Square and Apple to spend a little time in Germany..
  • Visa Offers could have a new outlet in store.. unfortunately.. they don’t know how to “sell” offers to retailers..

Make no mistake.. I like this model and think it is brilliant. But others are much better positioned to execute on it.  Starting a network business is hard.. cracking the nut on a retailer value proposition.. harder.

If this is true.. I could be flipping to a fan of Square.. errr… Apple?? I finally see Kleiner’s investment approach at work. As one of their partners said to me “Tom, if we get a great team in place.. they will figure it out… Google had no idea of how it would make money when it started.. they turned out OK “

Square’s $1B Valuation.. its not a payments business any more

Square’s future model depends on both the consumer and the merchant giving up consumer data at the line item level in the POS. I see apparel and large department stores as possible candidates.. perhaps even electronics.. but the challenges are tremendous.

Square $1B Valuation…  ?

29 June 2011

Today’s WSJ Story

What shocked me most about Square today? Kleiner’s lead in the round. I know the KPCB team well, and they are the best VC I’ve ever worked with. Given my negativity… a re-evaluation is in order. Both to protect my reputation with my KPCB friends.. and for my own sanity.

There is no way that Square can justify a $1B valuation as a payment company. At $1 billion in annual processing volume, Square would be roughly the 70th largest merchant acquirer/ISO in the country. Global, the largest pure play, processes $135 billion annually, has other businesses, and has a $4 billion market cap. See data below from my friends at FT Partners (a great Advisory team in payments).

3 years ago, Jack pitched KPCB on the idea of Square as the PayPal of Craig’s list… KPCB passed. The business model has changed substantially, and is now on V3+.

Why did KP invest in this last round? I haven’t spoken to them, but my guess is that it is no longer about payments.. but about changing the checkout process at the POS.

Here is my guess on Square’s V3 Business Model

1) Create a path to exit the transaction business.. they don’t want to manage sub prime acquiring risk.

2) Create a software/platform business for mainstream retail. Work with major retailers to use Square register as the way retail (and retail sales agents) interact with consumers. In other words re-engineer the buying experience at the POS. KP always looks for “big bets”.. this would certainly be one of them.  In this Version 3 business model, Square will interact/integrate to legacy POS systems. They will also attempt to own the mid market and replace current POS vendors in the mid tier. At the low end they may still be working deploying the Square we see today, but it will be challenged by PCI Rules. For a more detailed look at current plans (they evolve rapidly) see this excellent post:http://mashable.com/2011/05/23/square-card-case/

3) Create an advertising/incentive business. We hear them working on this today, but their current customers are dry cleaners and hot dog stands.. obviously they need to move upstream. Advertising and incentive will be the primary basis for their new revenue model.

Perhaps this is why Square is working their employees 20 hours a day.. they know that the big guys are also all over this.  IBM, Cisco, Nokia, NCR, Micros, Oracle, SAP, MSFT … I doubt if they will just sit back and let Square throw out a new POS system. What competency does Square have in Campaign management and advertising? Who owns their current data? This last point is very relevant.

Consumer transaction data collected by Square today is property of merchant. Although hot dog vendors may not care… Large retailers know how sensitive it is..  Square’s future model depends on both the consumer and the merchant giving up consumer data at the line item level in the POS. I see apparel and large department stores as possible candidates.. perhaps even electronics.. but the challenges are tremendous.

Can all of this work? It depends on the retailers.. having Visa on board may actually be a drag on their merchant adoption. One thing is for certain.. their valuation is certainly not based on their success as a payments business.

Square will “do better” than PayPal? Yeah.. and Pigs Fly

Keith Rabois has been around payments a long time.. and given his PayPal background, his view shouldn’t be ignored. $1B TPV sounds like a big number.. but equates to only $3M in revenue (30bps take rate). PayPal has a 330-390bps take rate driven by its 3 party model (both merchant and consumer have accounts). Yes, that’s right… Paypal makes 10x more revenue for every dollar processed than Square. So for Square to Surpass PayPal, they need $1T in TPV

May 25, 2011 (Updated.. I was 25% off on TPV)

TechCrunch Today (Square has 95% chance to do better than PayPal)

TechCrunch – Square Register (May 24)

Keith Rabois has been around payments a long time..  and given his PayPal background….  his views shouldn’t be ignored. $1B TPV sounds like a big number, but equates to only $3M in revenue (275bps take rate, 30bps margin). PayPal has a 330-390bps take rate (230bps margin) driven by its 3 party model (both merchant and consumer have accounts). Yes, that’s right… Paypal makes 7x+ more revenue for every dollar processed than Square. So for Square to surpass PayPal, they need $700B in TPV… (in their current revenue model). Given that total US Credit Card TPV is $1.3T (Visa $781B , MA $515) that seems a little unrealistic.  (for more detail see http://tomnoyes.wordpress.com/2011/02/24/do-squareups-square/).

So what is “do better”? Number of accounts? Square is sitting on about 20k active customer accounts.. this is a long way from PayPal’s 100M..

The new Square register is a decent idea.. but Square is NOT competing in a vacuum. During PayPal’s early days there was a problem that needed a solution (CNP). PayPal delivered a strong value proposition.. a 3 party payment platform for online purchases. Solving this problem was critical for commerce (on eBay) to take place. The online payments problem, which PayPal solved, was a roadblock to delivering commerce value.

What are the problems that Square is attempting to solve?

  • Help Visa drive credit card volume
  • Help small merchants accept cards
  • Help small merchants communicate to consumers (Square registers)?
  • Provide Consumers a Wallet on their phone?
  • Help a Craig’s list seller use a card next time they sell something?

Square has done a great job in consumer experience, across all of their applications,  but their challenge remains value delivery. Chase and Visa have billions of reasons for sustaining CREDIT card TPV, but this is NOT a retailer friendly value proposition. As I’ve stated, the challenges of increasing card usage with small merchants is not a technology problem, it is a business (value proposition) issue. Square is doing a great service to many small merchants in bringing down the cost of accepting the card, and improving the consumer/merchant experience.

What is their opportunity?

Retail Sales in US is about $2.4T (excluding Auto, Gas, Resturants). This is certainly a larger market than the $176B spent in US eCommerce. What is your guess on % of merchants that do not currently accept cards, and their categories? Take a look as the US Census data, and I would say total sales for “square prospects” are around $100B.

Take a look at the recent Micros/Verifone announcement as an example. Existing POS and terminal manufactures are not sitting on their hands. Who would want to invest in Square? What kind of platform are they building? This is not a group which will rally the industry, but rather spur it to action (or isolate it to individuals/small businesses).

We will soon see mobile value propositions that contain payments.. but payments are just a supporting mechanism of a larger commerce related value proposition.  Square is making card acceptance nice and neat for small merchants.. this is a good niche opportunity. I will shave my head when Square “does better” than PayPal.. I give this a .0005% chance..

Visa’s Mobile Strategy: Portfolio Manager

Visa is playing the role of a portfolio manager and evangelist. Selectively supporting and investing in mobile initiatives in an attempt to leverage their network. This is a “services” approach to their existing network. The structural challenge is that new services on Visa’s existing network equates to lipstick on a pig.

Visa’s Mobile Strategy: Hedge your bets

I frequently write this blog just to provide a little structure for my own thoughts. While I attempt to avoid “stream of consciousness” writing.. my efforts are not always successful. Top of mind today is the question: what on earth is Visa doing and why? Any time you see a major company come out with a press release with no customers, or proof points it bears a little research. Last week I wrote on Visa’s mobile wallet announcement (or non-announcement). Why would they do this?

Here is a short inventory of Visa’s (and Visa EU) mobile “related” announcements over last year

Clearly Visa has been thinking about mobile for quite some time (listen to Bill Gajda). As I’ve stated many times the great thing about a (well designed) global network is resiliency.. it is resistant to failure.. the challenge in running one is the same: resistance to change. Every network evolves around delivering value to the core constituents (nodes) who are CURRENTLY using the network.  Networks also evolve around a business and revenue model, as a network matures value evolves out from the process of coordinating transactions to managing interactions (HBR Where Value Lives, Jan 2001)

modularization takes hold, the ability to coordinate among the modules will become the most valuable business skill. Much of the competition in the business world will center on gaining and maintaining the orchestration role for a value chain or an industry. … Connected by networks, different companies can easily combine their capabilities and resources into temporary and flexible alliances to capitalize on particular market opportunities. As these “plug-and-play” enterprises become common, value shifts from entities that own intelligence to those that orchestrate the flow and combination of intelligence. In other words, more money can be made in managing interactions than in performing actions.

Why is it so hard for Visa to change? Visa’s history is that of a bank owned consortium and although they are a public company today, their legacy and network was built around a bank centered model.  The banks were very thoughtful in constructing Visa and its rules, to attract smaller banks the majority owners (Chase, BAC, WFC, C, USB) created a structure to ensure no single bank could take advantage of the network, and a rule making process that was optimized for “stability” not “adaptability”.

For those outside of the payments business, Visa operates like the NFL League Office. It cannot make rules in a vacuum, nor does it own the teams, the network rights or the ticket sales. Innovation teams in Visa are more like “advocates” and “evangelists”, they can not force change on their member banks, but rather paint a picture on what is possible. The Visa “franchise” thus has tremendous difficulty adapting to a new game just as if the NFL would have a challenge in coordinating a new sport like snow boarding. Although the fan base may be the same.. and the team owners are interested in generating additional revenue.. it’s a stretch for their network to adapt.  This dynamic correlates to why Visa failed in eCommerce and companies like PayPal and Cybersource excelled.  Both POS and CNP were payments, but the environment of the transactions were very different, particularly in fraud and required new “rules”. To stick with my NFL analogy, both POS and CNP required fraud services to surround transaction authorization.. just as both snow boarder and football player need safety equipment.

So what is Visa’s strategy? Internally, they know they missed out on eCommerce.. but it wasn’t their fault, they were bank owned until 2008. What they see is a new wave of mobile that will effect all of commerce (US $4T .. excluding Auto) not just eCommerce ($176B). They can’t afford to miss this boat.

The problem is that Visa’s existing, bank centered, network is rigid and ill suited for more than POS payments. The mobile revolution at the POS will be much more than payments, particularly as both the POS and the Mobile phone are each able to coordinate across many different networks. Technologies like NFC will also provide much greater potential for authentication and authorization separate from any single network (note I didn’t say payment).

The biggest challenge for Visa to overcome is value delivery. With the prospect of Durbin killing upwards of 20% of overall revenue (70%+ of Debit Rev) Visa is “squeezed” between preparing for a new world order driven by a new network (not yet profitable) and driving its existing business growth (moving along at a respectable 15% clip). The TOP ISSUE with Visa’s mobile NFC Payment is VALUE. Banks are looking to drive NFC to drive CREDIT volume (as opposed to Debit). This is why certain retailers with narrow margins (ex Grocery) are not supporting NFC (See my blog on BestBuy’s experience). The ISIS consortium in the US was leading with a “debit like” payment product that received strong interest from retailers.. with prospect for very low interchange. Alternatively, bank and Visa led schemes have the merchants paying for the “privilege” to take NFC.

If Visa’s mobile efforts were removed from the revenue pressure of the parent we would undoubtedly see Visa work to establish a new, more cost effective network built around Debit (See my previous blog on the “evolution” of debit networks) and they have worked to some extent on this with VMT. Or even build “new mobile rails”, as they attempted to do with Monitise and are now rumored to be investing in Fundamo for same (targeting emerging markets).

As it stands today, Visa is playing the role of a portfolio manager and evangelist. Selectively supporting and investing in mobile initiatives in an attempt to leverage their network. This is a “services” approach to their existing network. The structural challenge is that new services on Visa’s existing network equates to lipstick on a pig (or a snowboard on a running back). How can Visa deliver value to a POS transaction when it is forced (by issuers) to be credit only (250-350bps). To be perfectly clear this is NOT a technical challenge, it is a business model challenge. Bank/Retailer/Card relationships are very strained right now. A good example is “coupons”, Visa has their own coupon service (referenced in PR above) and has every technical capacity to offer a great experience. Visa could actually deliver a killer app in this space if retailers would only give up line item detail on what was actually purchased. The technical capacity for Visa’s network to deliver “level III item detail” has been in place for many years. Do you know how many merchants give up this information? Almost none.. (example Office Depot has it on their Chase co-branded card). Merchants trust neither the networks, nor the issuers with their price list or customer information. Visa is not able to “pay” for this information as it does not own the customer and cannot leverage this either. This all goes back to why Visa took 3+ years to roll out the offers service in the first place.. it had to get issuer permission for each consumer.

Every network begins with delivering value to at least 2 parties. My bet on mobile payment is based on a history. A history where banks (and Visa) have demonstrated poor competency in retaining their role as intermediary between consumer and retailer. A new retailer friendly network, that conveys much more than payment information is needed.

Visa for you to execute in this space, spin out Bill Gajda and team to build a new network. You certainly have the capital and intellectual horsepower to do it.. Don’t think of mobile as a service on VisaNet.. We will know this is moving when we see PayWave Debit volumes taking off.

Analysts.. lets start making Visa publish transaction volumes for NFC, VMT, eCom, Offers.. shining the light on this investment “hole” will help them in the long run.

Why Visa, Apple and Chase are Square

Visa formalizes mobile swipe security.. ” Visa’s guidelines lay out some of the more important security measures that should be taken, including encrypting all account data at the card-reader level and in transmission between the acceptance device and the processor.” just like the Verifone CEO said..

Why did they do this on same day as announcing Square investment. All of these non-compliant doggles. What is Square’s Plan?

http://www.visaeurope.com/en/newsroom/news/articles/2011/visa_europe_releases_mobile_ac.aspx

http://www.businessinsider.com/visa-square-investment-2011-4

Why is Visa, Chase and Apple all aligning on Square?
1) Apple does not have NFC in iPhone 5
2) Chase is taking a portfolio approach. This one is a bet against NFC.. They also have plenty of bets in NFC
3) Visa knows it cannot control NFC and is taking a 3 pronged card focused approach to mobile marketing independent of NFC. Too much to say in this short Blog

Visa formalizes mobile swipe security.. ” Visa’s guidelines lay out some of the more important security measures that should be taken, including encrypting all account data at the card-reader level and in transmission between the acceptance device and the processor.” just like the Verifone CEO said.. 

Why did they do this on same day as announcing Square investment. All of these non-compliant doggles. What is Square’s Plan?

http://www.visaeurope.com/en/newsroom/news/articles/2011/visa_europe_releases_mobile_ac.aspx

http://www.businessinsider.com/visa-square-investment-2011-4 

Why is Visa, Chase and Apple all aligning on Square?

1)       Apple does not have NFC in iPhone 5

2)       Chase is taking a portfolio approach. This one is a bet against NFC..  They also have plenty of bets in NFC

3)       Visa knows it cannot control NFC and is taking a 3 pronged card focused approach to mobile marketing independent of NFC. Too much to say in this short Blog

Square “Violations”

Issuer Top 4 reasons to decline Square

PABP/PCI compliance
Collection and use of ancillary customer information
Paper Signature requirement
Chase has all of the equity upside

16 March 2011 (Updated 17 Mar)

My top issue w/ mobile swipe is clearly customer behavior and potential data loss.  I’ve been asked to provide a basis to decline Square transactions (debit particularly) so, rather than sending out multiple e-mail responses, I thought I would share. Issuer Top 4 reasons to decline Square

  • PABP/PCI compliance
  • Collection and use of ancillary customer information
  • Paper Signature requirement
  • Chase has all of the equity upside

Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data.

http://usa.visa.com/download/merchants/validated_payment_applications.pdf

 

Phase V of PABP went into effect on July 1, 2010. This phase required all Acquirers to ensure that their merchants and agents use only PABP-compliant applications. A list of payment applications that have been validated against Visa’s PABP /PCI DSS is available at www.visa.com/pabp. Note Square is missing, how can Chase acquire for merchant/aggregator that is in clear violation?

UPDATE 17 Mar (Thanks Bob Egan) Evidently PCI has revoked certification of all mobile swipes until new rules have been created. See related post  http://storefrontbacktalk.com/securityfraud/pci-council-confirms-multiple-mobile-applications-delisted/2/

From the Visa Operating Reg, (pg 428)

While Square does not “require” mobile number or e-mail address, it is collecting it at time of transaction (plus your location). As this information is associated with the transaction, it must be managed within PCI. The business risk here is that Square will use address and location information for something else.. or Chase gets the e-mail address of all of your card customers. This is why the rules were created.. so this does not happen.

Last is Visa requirement for paper receipts. From Visa’s Transaction Acceptance Device Guide

Chase bears all of the burden here, I hope they have taken a holistic view of the fraud and data compromise risk.. not just approving their own cards… but for every card ever swiped by Square.  Advanced fraud schemes take 18mo-2 years to develop.. so it may take some time for risk to materialize.. and for them to pull back.  Chase.. these future losses will easily wipe out the 15% of Square equity that you hold.  Perhaps they are moving so aggressively here because one of their key partners (ie Apple) is falling down in NFC.  Which brings to mind the larger question: Is Chase Anti NFC? 

Remember just 4 weeks ago that all of the US banks were looking at a future where ISIS would control NFC on the handset. Perhaps this is Chase’s way of developing an alternate strategy to address NFC’s biggest weakness: infrastructure.  If this is true.. then Chase I apologize.. your strategic play here was indeed valid. As of this month, we are looking at a ISIS crash and burn and NFC control with RIM, Google and Nokia. My hope is that Chase will abandon Square once the threat, of MNO control over payments, has been eliminated. 

Recommendation for banks

  1. Educate your customers. DO NOT give your personal information out when you use your card
  2. Start to educate your customers on mobile payments in general.. how will it work?
  3. Encourage use of credit over debit.. greater consumer protection and better margin for you
  4. Set some common sense rules .. use your card with trusted vendors (Apple, Grocery, … )
  5. Educate your customer facing employees from branch to call center..
  6. Think about your small business value proposition, how can you help small businesses accept cards?
  7. Issuers, think about declining Square transactions.. particularly for debit

Mobile Swipe: Risk is Behavior … not Security

There is no single solution for all of this fraud, it is a constant battle and weapons just continue to improve and evolve on both sides. For banks, there are 2 common elements to all fraud strategies: educating customers, and security of customer data. In the US, consumers are quite fortunate to have the risks associated with fraud completely borne by banks (Reg E/Z). Outside of the US if you have fraud on your credit card it is your job to prove it. Hence a UK consumer is much less likely to give their card to just anyone, which is why the waiter stands at your table with a mobile card reader for you to enter your PIN.. your card is never out of your sight.

11 March 2011

I’ve been rather unambiguous in my views on Square. Yesterday I received a number of calls from my card friends, with over 50% in support of Square. After pondering their feedback, my bigger concern is customer behavior… a concern that expands beyond Square to all swipe based mobile payments (although I still feel quite strongly that they are not playing by the rules that everyone else agreed to).

For background, beyond my role as alternate channels head for Citi (Outside of the US), I also led sales and marketing for a little start up backed by Kleiner Perkins (41st Parameter) that focused on fraud. Through this role, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. Truly fantastic people… think of them as a mixture of James Bond, CSI, and Elliott Ness (Famous FBI guy). To be honest, I never saw these fraud teams during my time as a banker, and never really appreciated their role in keeping the banking system safe.

Frank Abagnale (of Catch me if you can) was on 41st’s Advisory Board. 40 years ago, this was the kind of fraudster that the bank’s team had to track down.. one guy in a garage with a printing press (magnetic ink). Today, the nature of fraud has changed tremendously. Well organized rings are flourishing, one of which has over 500 employees with product, engineering, marketing, sales…. a specialization of labor. Phishing was a great success, as customers responded to e-mails looking legit. Banks responded with improved online security. Fraud rings responded with malware and “man in the middle” attacks.. point is that this is a dynamic war taking place and bank fraud teams are the “special forces” that crack the code.  The online fraud environment is the most complex battlefield of all. 

It takes resources to win any battle. To give you an idea of the size of risk, gross fraud (attempted) at PayPal was around $500M dollars last year. Through technology and people, PayPal reduced that number to under $50. Bank margin is driven by the ability to manage risk; this is the nature of banking. The top banks, Paypal, Amazon and Apple all have world class teams and resources in this area… thus they seek both higher margin (ie risk) and volume. In essence they “compete” by managing risk more effectively than their peers. A well known axiom applies: If a hungry bear comes into your campsite, you don’t have to be faster than the bear.. just faster than all of the other campers.

There is no single solution for all of this fraud, it is a constant battle and weapons just continue to improve and evolve on both sides. For banks, there are 2 common elements to all fraud strategies: educating customers, and security of customer data. In the US, consumers are quite fortunate to have the risks associated with fraud completely borne by banks (Reg E/Z). Outside of the US if you have fraud on your credit card it is your job to prove it. Hence a UK consumer is much less likely to give their card to just anyone, which is why the waiter stands at your table with a mobile card reader for you to enter your PIN.. your card is never out of your sight.

Example story from yesterday.

Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”..  I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars..

These fraudsters were successful with just magstripe. What if they had your name, e-mail, phone number, … ? If you went to the grocery store, and the clerk asked you for name and phone number and put it in her phone prior to authorizing your transaction would you provide it? This is exactly what Square is doing. Read Dorsey’s response to Verifone’s security concerns. Giving merchants additional data will not decrease fraud, but establish new patterns of customer behavior which will increase it for all. We have a “battle” within the banks today: The card business want to grow transaction volume. The fraud organizations want to protect customer information and ensure customers don’t give their data out to just any hot dog vendor on the street.

Future Scenario

A good crook would probably spend a few days developing an iPhone app that swiped your card, asked for your PIN, took a picture of the back of your card (w/ CVV), obtain phone number and e-mail address. A fraud ring sets up hot dog or ice cream stands (that only take cards) with $0.50 ice cream… they would never even use Square’s software.. or even try to submit a transactions. They would give the food away for free just to get the data.  Once I have this data, I could send within seconds to my HQ to commit ATM, online or even POS fraud in any number of countries.

Was Square’s technology any part of this? Nope.. people could do this today. Is Square encouraging a sustainable consumer behavior? Nope. Smart merchants (Apple, PayPal, …) are choosing Verifone PayWare Mobile because the device is secure.. your employees can’t put on a skimming app because the data is encrypted when it enters the phone. But do I want my bank customers examining the make and model of the card reader before they turn over there card? Heck no! So what do I tell my bank customers? Only give your cards out to merchants you can trust? Do banks incent proper consumer behavior on card use? No.  You get the picture… life just got much more difficult for the fraud and customer experience teams.

Individual issuers have the power to decline square transactions. My guess is that at least 2 major banks will begin to decline all square transactions within next month. Beyond the fraud risk, it also competes with their own mobile initiatives (Barclays/ISIS, Mastercard/RIM, …).

NFC is a step beyond EMV in security… subject for another blog.

Comments appreciated.

Verifone Builds Square Fraud App in 1 hour

Verifone’s CEO (Doug Bergeron) published an open letter to the industry on Square’s flaw. The Square doggle is not PCI compliant (see my blog from last year). Verifone is spot on… they built this skimming application in ONE HOUR.

I took a look at my blog stats today… and they went through the roof.

Verifone’s CEO (Doug Bergeron) published an open letter to the industry on Square’s flaw. The Square doggle is not PCI compliant (see my blog from last year). Verifone is spot on… they built this skimming application in ONE HOUR.

YouTube Video just pulled.. . you can still view at http://www.sq-skim.com/

Chase Paymenttech is Square’s acquirer, and I spoke to them specifically about the Square risks last year. This is an industry issue.. as stolen cards and fraud generate both issuer losses (card present transaction) and a tremendous hassle for customers. I don’t understand why Chase supported this thing… Was told last week that Square’s fraud is off the charts. As I said back in 16 month ago in January 2010

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuer’s have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link) customer would see their card transaction declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered, Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer.  Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea for potential mis-use see you tube video below.. crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

Update Thurs Mar 10

Networks are dependent upon everyone following the same rules. Rules are what make networks work, and are essential in “trusting” the transactions coming in. PCI rules were agreed to by all.. Square’s reader does not comply, nor does its iPhone app.  That said we have a very mixed bag of incentives within the current card networks. Banks and the networks want Square to succeed, as it will drive more transaction volume AND drive card use further down market with small merchants… see Visa’s blog

http://blog.visa.com/2011/02/14/emerging-payment-types-new-opportunities/

Bank margin is driven by the ability to manage risk. This is the nature of banking. Within credit card, Big banks like Chase have tremendous experience in fraud and risk.. they the seek both higher margin and volume.  Chase is comfortable with the risk it is enabling with square as both issuer and acquirer. However, their acquisition relationship with Square (through PaymentTech) enables fraud to enter the network, and other banks may have not updated their authorization rules to accomodate. For Example, Bank of America certainly wants increase transaction volume .. but is it willing to pay the price of  BOTH fraud loss AND of encouraging a change in customer behavior (give their cards to anyone with an iPhone and card reader)?

From my background at 41st Parameter, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. This will be an active discussion for them today. Bank decisions are caught up in the business dilemea of how to respond to Durbin, as well as their own mobile strategies and EMV perspective. Fraud usually develops once critical mass is reached, as fraudsters don’t want to waste their own resources developing a compromise unless there is volume.  My view is that Square’s reader and iPhone application are clearly not compliant with PCI rules and that Visa and Mastercard must shut them down. They have no choice.

Perhaps a story is in order to talk about potential impact. Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”..  I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars.. and claim that we are responsible for their fraud (they have a decent case).  Verifone’s 1 hour fraud app (www.sq-skim.com) is not a technology issue as much as a behavior one. A good crook would probably spend a few days developing an iPhone app that asked for your PIN…. and took a picture of the back of your card w/ CVV, I noticed in Square’s response that they also ask customers for phone number and e-mail address (normally). This data is beyond the wildest dreams of fraud organizations.  I can just imagine a fraud ring setting up hot dog or ice cream stands that only take cards.. .and sell the ice cream for $.50… they would never even use square’s software.. or even try to submit a transactions. They would give the food away for free just to get the data.

As a side note Square is not winning against Verifone. Square has only 5k-10k active merchants (see blog) and $200k in revenue per MONTH… so lets stop this thing before it gets viral.

Do SquareUp’s $$ Square?

My guess is that Square sees the light at the end of the tunnel and knows it will not be a pretty collision. They want to grow the merchant base as fast as possible in hopes to attract an acquirer.

Update 1May

Dorsey just tweeted Square’s numbers. See here on Tech Crunch

Looks like analysis below is directionally accurate, actually a little kind.  TPV moved to $2M on that day (of Tweet).

Note that Square revenue is $59k for the $2M TPV, or 295 bps. Transaction Margin is revenue less Square’s processing expense: issuer fees, processor fees. As listed below, this should translate into net square transaction revenue of $10k (note on my post last night I was wrong.. never post at 2am.. error rate is high).

Dorsey picture shows 9k active customers (merchants) on this particular day, which is again consistent with estimates below. Total Active is probably 3x-4x of this, so average transaction amount is probably around $10-$15.

Funny that Visa bought into Square on the same week that it rolled out new mobile swipe security standards. Visa is highly sensitive to Chase needs, and given Chase’s equity stake here they wanted to show support.

Could Square work out? sure it could.. but it is an intermediary solution at best as it is US only (No EMV), and will compete with new mobile solutions which we will see rolling out by fall.

Original post below

24 Feb 2011

Today’s TechCrunch Article

http://techcrunch.com/2011/02/22/mobile-payments-startup-square-ups-the-ante-drops-transaction-fee-for-businesses/#

Following Square is a Hobby. My alarm bells go off whenever a non-payment team “innovates” in payments. My December blog Square Up Update  estimated that Square had 5-15k users. Today’s TechCrunch says Squares 1Q11 TPV is $40M and that they are “signing up” 100k merchants per month. My guess is that “signing up” means downloading Square on your iPhone.

From this TPV we can derive Square’s revenue and their “active” customer base

Rev = TPV * Transaction Margin

Transaction Margin = Merchant rate less cost of funds = 275bps – 225bps = 50bps

Square 1Q11 Rev = $40M* 50bps = $200,000

Rev lost from eliminating $0.15/tran fee = 0.15* 40M/$10 = $600k

Active Customers (Merchants)

Lets assume that average ticket size is $10 and average square merchant accepts 50 transaction per week (10/day, $6,000/ quarter).  This means that Square has 6.7k active merchants. For other iterations see chart below

Is Square really shipping out 100k doggles every month, while only 6-7k merchants are active? I have no idea, but it cannot be a good thing if they are.. see www.sq-skim.com.

Summary

  • Square’s active merchant numbers are likely to be around 5k-30k
  • Eliminating the $0.15 fee is a very big revenue hit… 1Q Rev looks like $200k now
  • Square’s doggle is still not on the PCI compliance list (see PCI org’s list of approved applications )
  • Just as in any merhant account, settlement funds are held to mitigate risk. Does a small merchant want to wait 60 days for payment and pay 3% for the priviledge of accepting a card? This is not a Square issue, but an industry issue in moving down market into cash replacement.  PayPal solved a real problem (CNP Transactions) for a real community of buyers and sellers that coordinated (eBay).

My guess is that Square sees the light at the end of the tunnel and knows it will not be a pretty collision. Evidently Square is burning through its newly received $27.5M (courtesy of Sequoia and Khosla) to grow the merchant base as fast as possible in hopes of attracting an acquirer. Square’s last round closed on a $240M valuation, assuming trailing revenue of $2.5M on $100M TPV, valuation is 16x revenue. However now that the /transaction fee is eliminated.. we are looking at 75% reduction in revenue and valuation on forward revenue is near 240x.  Believe or not.. OBOPAY was still more highly valued.. In both cases, investors have just doubled down and created valuations driven toward an exit strategy.. not on a sustainable biz plan.

The only entities that would be interested in Square are large card issuers who could unilaterally charge a different interchange rate for their own cards (ex Chase and BAC). But the bank business case for an acquisition would be very tough, as a single bank could only reduce interchange for the cards it controls, resulting in a 10% improvement in transaction margin (at best).  A Visa or MA acquisition would alienate the acquirers and processors. I just don’t see a logical exit for them with anyone. Issuers don’t want to pick winners in this space.. they want broad adoption. If JPM and BAC cut special interchange deals w/ Square then they will be pressed to do the same for PayPal.

eBay’s analyst day conference 2 weeks ago showed how aggressively paypal plans to move in the POS space. PayPal’s Virtual terminal not only lets merchants take cards with NO CARD READER, it has partnered with Verifone to act as an acquirer. Next month, we will see some super applications at APSI conference. One of which will demonstrate the current Nexus S operating as an NFC acquiring terminal. .. You don’t even need the doggle or the “signature”..

2011: Tough Start for Mobile Payments

2011 has been a rough start for mobile payments. Early bets in the space are running out of cash, and established industry players are placing $1B+ bets to compete with new MNO ecosystems.

10 January 2011

I learned my lessons on the Valley hype cycle early (from the source). In 1997, at the ripe old age of 32,  I joined GartnerGroup with the goal of participating in a great research and advisory team. Well… that lasted about 11 months. I learned that there was no research and their business model never broke away from its roots as a division of McGraw Hill. It was all about reporting, writing, buzz and sensationalism (with a very few exceptions .. Schulte/SOA).  It was great fun listening to buyers of IT talking about new products issues and then meeting with the software vendors (with more information on hand then their product heads had) to watch them watching them turn green.  But fun aside, I wanted to go run a business…. not become an industry analyst (this blog serves as an outlet for my minor competencies here).

The Gartner experience reinforced the importance of marketing in creating new products, of creating “buzz”. After all  IT periodicals and research firms must fill their pages with something every week. Of course ISVs and start ups are happy to oblige… Buyers and Investors must be able to cut through the fog and assess business viability, valuation and risk.  My data indicates that mobile payments is at the top of the hype cycle. I read the Nov 2010 Javelin report on mobile with great amusement: $7B in P2P mobile transactions in 2010!?  I would be very surprised if the number broke $100M.  Obviously the $7B number is driven by Javelin’s methodology, perhaps a mobile payment includes when I get an SMS message that my bank paid a bill….

Javelin’s methodology obviously does NOT include looking at financial statements. If it had (and the $7B number were real), we would not have seen the continued bloodshed in the space. 2011 has been a rough start for mobile payments. Early bets in the space are running out of cash, and established industry players are placing $1B+ bets to compete with new MNO ecosystems. An industry status of early movers here:

In every case above, there was complete failure in a value proposition. For Example, Obopay charging $0.50 to send money.  The key lesson learned (over and over) is: small companies cannot LEAD development of a payment network. The industry is replete with examples which substantiate this point(see list here). Payment networks are 2 sided, and compete against well entrenched competitors with deep pockets. Payment networks must start with delivering value to 2 parties (ex PayPal Consumer to EBAY). Going at consumers alone (p2p) or as a bank partner alone (Monitise) will not drive volume. As Clayton Christensen asks in Innovator’s Solution: “what problem are you solving”? Moving money through a phone does not create value.

To be clear, there is a very real potential for mobile payments (and NFC) to be the driver 100s of new companys. But their business models must deliver value today (example NFC to unlock doors), or serve  in a supporting role to new industry ecosystems. This supporting role requires a FUNDEMENTAL change in how valley firms typically operate: Start Ups must learn to work with and support multiple large companies and ecosystems. Supporting ecosystems is a B2C model.. NOT a direct to consumer model. This supporting role has new risks, as VivoTech (one of my favorite companies) has learned.  Small Companies which support emerging ecosystems are challenged to influence their overall shape and value proposition. Further, if transaction volume is low, there is minimal revenue or pricing power without a clear value proposition (see Google/Boku).

New ventures operating within NFC ecosystems have prospect of attracting  30-50% of the $6B in mobile venture capital. Investors should be wary of  hype and tag along investing as risk profiles are unique (ie NFC ecosystem play vs. consumer mobile app).  Look hard at the talent running the company (see investors guide). Social networks are much different than payment networks. Payment networks require alliances, regulatory/risk acumen, understanding of history, experience and relationships (see key skills). Banks can win in the move to electronic payments. The top 5 US banks are in a much better position to influence ecosystem development (see lessons learned) than the mid tier, however the mid tier is in a much better position to partner (ex. Barclays US in Discover).

Deal of the Week

From a valuation perspective, the latest “head scratcher” in mobile payments is Square’s $27.5M raise at a $240M Valuation. From VentureBeat:

Rabois acknowledged, but he pointed out that Square is already achieving impressive growth without paying for traditional advertising or other promotions. He said Square is processing millions of dollars in transactions every week, and that it’s signing up 30,000 to 50,000 new merchants every month. Rabois said many of those merchants were previously cash-only, but they were attracted by Square’s ease-of-use (the card-reading device plugs into iPhones, iPads, and Android phones) and low financial risk

I estimate they are doing about $20-$30M TPV per week (5k users $5k/wk) this translates into revenue run rate of $6M/yr … which would equate valuation of $240M to 40x REVENUE. Square may have 30k downloads of their iPhone app /wk, but does that translate into transactions. This valuation is NOT based upon financials, but upon the people involved in this company. Existing investors took a bigger stake.. they have every right to set the price. This makes complete sense,  particularly if they are looking for a Revolution Money kind of exit.