Tag Archives: fraud

Square Up update

Posted on by

11 Dec 2010 (updated)

Previous post http://finventures.wordpress.com/2010/03/02/squareup-take-4/

Today’s Telegraph (UK)

Dorsey is a marketing machine! It’s just amazing how much buzz he has been able to create (yes I am envious). The Square application is stellar from a customer experience perspective. Although appshopper shows them in the top 20 free finance apps (~1M downloads), I estimate they are sitting on only 5k-15k active customers (this is the nature of a “free” app).  It also seems that they are in a holding pattern until they resolve fraud and risk issues (I covered this in last blog). From their FAQ

Until recently, Square was facing a big hardware shortage, but that’s now coming to a resolution. The problem has transitioned to something we’ve been working on simultaneously, a credit processing and risk issue: we need to strengthen our underwriting infrastructure so that we can handle the huge demand for readers and still manage the risk of chargebacks and fraud. This is the last thing preventing us from shipping readers as fast as we’d like, and we have almost the entire team working on it. We look forward to sending you a Square!

My guess on the hold up? iPhone cannot be made PCI compliant without first encrypting the card BEFORE it gets into the iPhone (see the Verifone solution). As you can see from the Visa PCI DSS list, Square is certified in 3 areas:

  •  IPSP (E-commerce)
  • Payment Gateway
  • Process Magnetic-Stripe Transactions

 This means that Square’s data center is approved to handle card data in these areas (ex. not leaving card numbers sitting around unencrypted). This does NOT mean that the Square Application or Doggle have been certified. In fact, a search in the PCI org’s list of approved applications has no mention of Square. Where Verifone’s Payware is shown approved (below).

This is certainly a driver for PayPal’s recent partnership with Verifone to enable PayPal to act as merchant acquirer (see Verifone Press Release)

My (somewhat educated) guess is that Square must redesign the “Square” for encryption AND its Application AND get it certified by the issuers. This is a 12-18 mo process … as I said last year.  Of course I could be wrong on this.. perhaps they are indeed near certification. Assuming they do get the US mag stripe issues resolves it will not translate into any global adoption. I laughed quite a bit after reading the UK Telegraph article.. particularly given the EMV (Chip and PIN) requirements in EVERY country outside of the US.  So a new “redesigned” Square for magstripe won’t work in europe.. that is yet another design challenge with its own certification process. Who said payments was easy?

The card networks and issuers want Square to be successful, as increased card acceptance means increased payment volume. But there is a reason that acquirers and merchant agreements exist. Fraud usually is 18mo-2 years behind a new payment method as its not worth the fraudsters time (and resource) to invent a compromise. Square will face unique risks not seen before by any acquirer. For example:  merchants accounts denied by other acquirers, physical card fraud rings, skimmers looking to take the cards and auth codes for use off line, virtual card fraud rings looking to “pump” card data through 100s of easy to set up Square accounts.

Square has a use, but the market is small. I expect many small merchants to give the service a try, but once they realize that it takes 30-60 days to settle and that they have a new burden (under reg z) for returns and consumer transaction dispute (ex reserves) they will decide that the headache is not worth it.  In other words they will face the same barriers that the large acquirers have in moving down market.  Dorsey was in a WSJ video yesterday outlining potential benefits for issuers using square. This is a soft repositioning of his company for a potential exit. He knows that the market is limited and is hoping for alliance plays with large issuers/acquirers. Banks are certainly in a better position to roll this out.. particularly because of their ability to manage card risk (but customer support is a “little” more robust as well). As I stated previously, smart money would wait for Dorsey to gain adoption and struggle through the issues before investing.

The problem that Dorsey is trying to solve is core to the acquiring business: how to grow card use among small merchants. Question remains on whether this is this a “technology problem”, or a business problem? For banks wanting to dip their toes in the technology: it is already available through teams like Verifone. For Small Merchants with a need for a convenient easy to use method for accepting cards:  go to www.paywaremobile.com and sign up with FirstData. For consumers: think twice about giving your card to the hot dog vendor..   banks own the risk (in the US), but there is still a big hastle in shutting down your account.

As I stated in my Jan 2010 blog, Square presents a risk to the payment system

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuer’s have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link) customer would see their card transaction declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered, Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer.  Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea for potential mis-use see you tube video below.. crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

[youtube=http://www.youtube.com/watch?v=svzZxB0o8J8]

Visa Acquires CyberSource for $2B

Posted on by
2

22 April 2010

CYBS/Visa Presentation

CYBS 2009 10K

126x earnings? $3M/employee  Why? Did  Carl Pascarella (former Visa CEO added to  CyberSource Board of Directors on March 5, 2009) intend to drive this when he joined the CYBS BOD?

Part of the job of any payment network is to ensure a balance between network efficacy, profitability, risk and “value” received by each participant. (http://en.wikipedia.org/wiki/Network_effect)

CyberSource bills itself as the “The World’s First eCommerce Payment Management Company” and initially focused on enabling “bricks and mortar” retailers expansion into the online channel. CYBS has evolved to provide global turn key services to any retailer selling goods online… from payment to distribution (ex. Digital software).

CYBS 1009 10K

Our customers range in size from small sole proprietorships to some of the world’s largest corporations and institutions. Our customer base includes leading companies such as Air France, Borders Group, British Airways, Christian Dior, Eastman Kodak, Home Depot, Louis Vuitton, Massachusetts Institute of Technology, Microsoft, Nike, Starbucks, and Yahoo!, among thousands of others. To properly serve this diverse set of needs, we divide our potential market into two customer profiles, enterprise and small business merchants, which require different solutions.

Enterprise merchants have high sales volumes and generally demand the greatest range of payment options and the most sophisticated risk and management tools. These customers often sell in multiple countries and require support for local currencies and local payment options. Enterprise merchants also frequently need to integrate payment processing with one or more internal business systems. We serve enterprise customers by providing solutions that address and simplify the breadth of these requirements.

Small business merchants generally seek simplicity and ease of use. We serve small business merchants by providing bundled services and integrations into popular online shopping cart software, while bringing to the small business market some of the advantages of our enterprise-level services, including important new payment options such as electronic checks, as well as high-reliability and quality customer support.

Retailers face huge hurdles in building teams capable of navigating the complex rules and regulations associated with processing payments from PCI, Sepa, CARD, Reg E, Reg Z, … etc.  The very existence of CYBS (and competitors below) show the market for value added services as a precondition to Visa’s goal of: EXPANDING THE NETWORK.

We face competition from merchant acquirers, independent sales organizations, and payment processors such as Chase Paymentech, First Data Corporation, and Royal Bank of Scotland. We also face competition from transaction service providers such as PayPal and Retail Decisions, as well as eCommerce providers such as Accertify, Inc., Digital River and GSI Commerce Inc. Furthermore, other companies, including financial services and credit companies may enter the market and provide competing services. Another source of competition comes from businesses that develop their own internal, custom-made systems. Such businesses typically make large initial investments to develop custom-made systems and therefore, may be less likely to adopt outside services or vendor-developed online commerce transaction processing software.

Cybersource will provide Visa with an enhanced portfolio of services which could address merchant needs, particularly in risk, compliance, payment/fraud operations. However the expansion of Visa into these services poses a substantial risk to its business model as it runs the risk of alienating acquiring banks and other processors. Currently, I would view that risk as small because of the tremendous issues associated with online (eCommerce/mCommerce) payment system integrity and fraud.

This is a bold move by Visa to drive network expansion, in mCommerce and eCommerce, and expanding value added services which cover ownership of payment risk and operations. The price does seem high if we view integration without synergies (CYBS will have to run at a 45% CAGR to be accretive in a 10 yr horizon). Therefore, Visa’s business case must be driven by new services which can be offered in the short term to all merchants and acquirers (ex Fraud data sharing, digital goods distribution, …).

Can Visa grow this business more effectively under the Visa brand? Absolutely, but expect other network participants (issuers, acquirers, processors) to pressure Visa into managing CYBS as a separate entity. It is important to note that there is no love loss between most merchants and Visa. To address this, Visa should lead with a road show on how it will deliver value. Example.. it will take on fraud loss responsibility, improve marketing and take on compliance risk.

Tangentially, I believe Visa will also likely add significant $$ to merchant marketing programs. Visa is investing heavily in a new mobile marketing/advertising engine... that will sit on the Visa switch. Their existing merchant agreements do not handle this kind of “marketing” services agreement so they needed a new contract vehicle. Given CYBS’s merchant footprint, they now have vehicle which can be leveraged to expand the advertising business in a turn key model which also tracks fraud and fulfillment.