Identity, Authentication and Risk

Bridging Domains – Short Blog – Random Thoughts

This is a “Random Thoughts” blog, which means there are many points that I’ve left hanging (not finished cleanly). The blog’s objective is to stimulate discussion, so please don’t hesitate to comment. Identity is a hot topic for me with 15+ years of previous posts. Here are a few updates … as well as my evolving perspective.


Part 2 – The Power of Bank Networks

The Bull Case for V/MA (24 pages). 

© Starpoint LLP, 2022. No part of this site, blog.starpointllp.com, may be reproduced in whole or in part in any manner without the permission of the copyright owner.

Part 1 – US Payments Environment covered the complexity of the US payment environment and the challenges faced by top banks in modernizing their systems (where all systems live forever). There are many types of payments: bill payments, A2A, P2P, wires.. Today the focus is on how banks intermediate commerce. Banks MUST have networks as every bank can’t connect to every consumer/merchant. Effective Bank networks (aka rails) are NOT a commodity service, but one that allows the banks to leverage their unique ability to assume risk.


FedNow

Very short Blog – Recapping a few tweet streams.

I think FedNow is a great effort to provide an open alternative to TCH’s RTP. I’ve spoken with, and consulted for, the KC fed on a number of occasions and provided my input to the FedNow service back in 2013. Per my blog last week the survey result from the Fed’s efforts found “emergency bill payment” as the top consumer use. Paying someone faster brings on risk. The Fed depends on banks to manage risk and price that risk. As a former banker running payments at 2 of the largest banks I have a view here.


Payments and the Observer Effect

Most of you techies out there had a physics class at some point and can recall the Observer Effect in Quantum Physics: the act of observation can change the measured results. Observation in payments has become the second largest driver of margin and has enabled many new specialists… so I thought I’d outline some broad thoughts and tell a few stories.

Why is observation important? Payment behavior is truth-marked data of what a consumer actually did (offline). While I may search for Ferraris, or visit a dealership (mobile location), what I actually bought is much more important in predicting behavior and evaluating risk. Purchase data is the most valuable data for that reason (and issuing banks had a lock on it… until about 5 yrs ago). The lock has been broken and payment data has become the “missing link” to unite heterogeneous data sets.


PayPal Threats – 2020

I’m a big fan of PayPal, but as they approach 100x earnings I’m on the lookout for risks. While PayPal is BEST positioned as the ONLY company to solely focus on eCommerce payments AND has a UNIQUE ability to “own the rules” as a 3 party network, they are not without significant risk. 2020 has 2 major threats that can hit them very very quickly.

#1 Apple Pay in Browser

I’ve been writing about this for 5 years and it is finally here. While I was certainly off in my projected 2016 timing, I was not off in the user experience. Take 2 minutes to do the following


MasterCard follows Visa’s lead on EMV Push

31 January 2012

http://www.mastercard.us/mchip-emv.html

Yesterday MA followed Visa’s lead and announced plans to support US rollout of EMV. Many of you are probably wondering what this all means in light of mandates and deadlines. The politics and business drivers behind this push are quite complex, but it is important to note that neither large US issuers nor retailers are enthused about this push for one primary reason: there is no business case for the change (on either side). Historically, networks do not change without sound financial incentives (unless there is some sort of regulatory mandate).

A Bank makes money by managing risk. Within the payments space large banks have invested billions of dollars in custom fraud infrastructure. The effect (if not the goal) of bank investment in custom fraud infrastructure is to push fraud into the weakest link (or bank) in the network. Smaller banks must seek partners like FIS, FirstData and the Networks to help them keep up. The EMV standard is used by card issuers in just about every market globally, except the US. EMV is effective in addressing certain kinds of fraud such as counterfeit and skimming. Within an EMV environment, international issuers and acquirers thus could relax in maintaining related fraud controls IF cards existed in an EMV-only environment. However, international travelers to the US and US travelers abroad lead to fraud “leakage”. US issuers did not suffer, due to their fraud infrastructure, but the other banks have.

Thus the “true” benefits of EMV cannot occur until there is 100% adoption at POS (10M in US) and complete elimination of the mag stripe in the plastic that we all carry (approximately 1.5 billion in US). This is the conundrum facing any new technology here: New Plastic must completely replace the old. In other words there is no “incremental” fraud savings to an incremental rollout, nor is there a business case for either issuer or retailer to implement. Take this on top of the fact that EMV is 20-year-old technology and we have a very challenging environment.

What are the benefits in retail? Both Visa and MA have established a carrot and stick approach. Given only the issuer can reduce interchange, the carrot is reduced PCI compliance costs and some terminal subsidy. The stick is a liability shift to the merchant if a consumer presents an EMV capable card and the merchant terminal does not accept it. Given that the big issuers have no plans to reissue cards, the merchant risk is fraudulent EMV cards (starting in Oct 2015 for Visa). Perhaps if retailers see an EMV card, they should request an ID. For issuers, the compliance dates are longer and the stick which Visa and MA have constructed is weaker given that US issuers already bear costs of card present fraud.

So what are Visa and Mastercard trying to accomplish? From a political standpoint they must address the international issuer concerns and be viewed as supportive of the EMV standard. But more importantly Visa and MA want to cement their control of the network, particularly in two areas: mobile and US debit cards. In mobile, Visa and Mastercard are aggressively trying to make mobile POS payments a “premium” service used exclusively by credit cards. A key to success in mobile is POS readiness to support contactless payment. The EMV mandate certainly helps provide another incentive to merchants. With respect to debit, the Durbin Amendment has impacted the incentives for US banks to continue support of Signature Debit. In the US, PIN Debit enjoys a slightly higher growth rate (15.6% vs 14.3%), consumer preference (48% vs 34%), lower fraud rate (2009: Signature $1.12B, $181M PIN debit card), and obvious merchant preferences (96% of PIN fraud losses assumed by issuers, vs 56% in Signature). PIN debit transactions do not need to be routed through Visa and MA, and PIN only cards do not require their logo. EMV debit cards may be a tool for Visa to maintain a US debit business (MA US debit penetration is low).

What to expect?

Note that in virtually every geography, EMV was a regulatory driven initiative. In the US this is not the case, as the large banks have proven capable of managing fraud. Large issuers are thus reluctant to undertake any mass reissuance of cards, and US regulators are reluctant to have US Banks pay for a system that will primarily benefit issuers outside of the US. My guess is that we will start to see a trickle of new cards being issued on EMV starting in 2014 or so.

Retailers will have a similar adoption dynamic as they assess cards being used at their stores, and what future payment networks may offer not only in terms of compliance and interchange, but also in delivering customers through incentives and advertising.  I’m certain that the retail “first movers” in NFC must be pulling their hair out as they discover that their new NFC payment terminals are not equipped to accept the mandated EMV card. These retail CEOs will discover that the “stutter” in reterminalization was intentional and it will be a cost they will bear twice in 2 years.

In this dynamic environment, there will be high demand for companies that can help retailers develop a plan and navigate this chaotic environment. Oddly enough, start ups like Square and Payfone may have a tremendous advantage in simplifying the checkout process. In other words, EMV could actually provide the impetus for new payment networks to gain a foothold.

Mobile Swipe: Risk is Behavior … not Security

11 March 2011

I’ve been rather unambiguous in my views on Square. Yesterday I received a number of calls from my card friends, with over 50% in support of Square. After pondering their feedback, my bigger concern is customer behavior… a concern that expands beyond Square to all swipe based mobile payments (although I still feel quite strongly that they are not playing by the rules that everyone else agreed to).

For background, beyond my role as alternate channels head for Citi (outside of the US), I also led sales and marketing for a little start up backed by Kleiner Perkins (41st Parameter) that focused on fraud. Through this role, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. Truly fantastic people… think of them as a mixture of James Bond, CSI, and Eliot Ness (Famous FBI guy). To be honest, I never saw these fraud teams during my time as a banker, and never really appreciated their role in keeping the banking system safe.

Frank Abagnale (of Catch Me If You Can) was on 41st’s Advisory Board. 40 years ago, this was the kind of fraudster that the bank’s team had to track down… one guy in a garage with a printing press (magnetic ink). Today, the nature of fraud has changed tremendously. Well organized rings are flourishing, one of which has over 500 employees with product, engineering, marketing, sales… a specialization of labor. Phishing was a great success, as customers responded to e-mails looking legit. Banks responded with improved online security. Fraud rings responded with malware and “man in the middle” attacks… point is that this is a dynamic war taking place and bank fraud teams are the “special forces” that crack the code. The online fraud environment is the most complex battlefield of all.

It takes resources to win any battle. To give you an idea of the size of risk, gross fraud (attempted) at PayPal was around $500M dollars last year. Through technology and people, PayPal reduced that number to under $50. Bank margin is driven by the ability to manage risk; this is the nature of banking. The top banks, PayPal, Amazon and Apple all have world class teams and resources in this area… thus they seek both higher margin (ie risk) and volume. In essence they “compete” by managing risk more effectively than their peers. A well known axiom applies: If a hungry bear comes into your campsite, you don’t have to be faster than the bear… just faster than all of the other campers.

There is no single solution for all of this fraud, it is a constant battle and weapons just continue to improve and evolve on both sides. For banks, there are 2 common elements to all fraud strategies: educating customers, and security of customer data. In the US, consumers are quite fortunate to have the risks associated with fraud completely borne by banks (Reg E/Z). Outside of the US if you have fraud on your credit card it is your job to prove it. Hence a UK consumer is much less likely to give their card to just anyone, which is why the waiter stands at your table with a mobile card reader for you to enter your PIN.. your card is never out of your sight.

Example story from yesterday.

Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”..  I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars..

These fraudsters were successful with just magstripe. What if they had your name, e-mail, phone number, … ? If you went to the grocery store, and the clerk asked you for name and phone number and put it in her phone prior to authorizing your transaction would you provide it? This is exactly what Square is doing. Read Dorsey’s response to Verifone’s security concerns. Giving merchants additional data will not decrease fraud, but establish new patterns of customer behavior which will increase it for all. We have a “battle” within the banks today: The card business want to grow transaction volume. The fraud organizations want to protect customer information and ensure customers don’t give their data out to just any hot dog vendor on the street.

Future Scenario

A good crook would probably spend a few days developing an iPhone app that swiped your card, asked for your PIN, took a picture of the back of your card (w/ CVV), and obtained your phone number and e-mail address. A fraud ring sets up hot dog or ice cream stands (that only take cards) with $0.50 ice cream… they would never even use Square’s software… or even try to submit a transaction. They would give the food away for free just to get the data. Once I have this data, I could send within seconds to my HQ to commit ATM, online or even POS fraud in any number of countries.

Was Square’s technology any part of this? Nope… people could do this today. Is Square encouraging a sustainable consumer behavior? Nope. Smart merchants (Apple, PayPal, …) are choosing Verifone PayWare Mobile because the device is secure… your employees can’t put on a skimming app because the data is encrypted when it enters the phone. But do I want my bank customers examining the make and model of the card reader before they turn over their card? Heck no! So what do I tell my bank customers? Only give your cards out to merchants you can trust? Do banks incent proper consumer behavior on card use? No. You get the picture… life just got much more difficult for the fraud and customer experience teams.

Individual issuers have the power to decline Square transactions. My guess is that at least 2 major banks will begin to decline all Square transactions within next month. Beyond the fraud risk, it also competes with their own mobile initiatives (Barclays/ISIS, Mastercard/RIM, …).

NFC is a step beyond EMV in security… subject for another blog.

Comments appreciated.

Visa – New Mobile Payment “Rails”?

25 November 2009

Word on the street is that Visa is set for a major mobile payments announcement in next 6-8 weeks. Separately, US MNOs are also rumored to be collaborating on Near Field Communications (NFC) payments with acquirers. Could it be that the log jam on NFC is about to be broken? Is Visa developing new rails to support mobile payments? Let me say up front that this blog represents “connecting the dots” more than a definitive market projection.

The US market is ripe for a break from the 6 party political “fur ball” that is hampering delivery of mobile payment (Card Issuers, Acquirers, Network, Merchant, MNOs, Handset Mfg). For those outside the US, MNOs have substantial control over handset features and applications, and have been leveraging this “node control” to “influence” direction of payments. The central US MNO argument being: “it is our customer, our handset, our network, we should get a cut of the transaction rev”. Unfortunately existing inter-bank mobile transfers/payments are settled through existing payment networks that provide limited flexibility in accommodating a “new” MNO role, and the network rules leave much room for improvement in: authorization, authentication and consumer “control”.

Outside the US, the situation is much different, as consumers have great flexibility in switching MNOs, have ownership of their handsets, and are largely on pre-paid plans. The MNO challenge for payments in this environment is largely regulatory. Many countries (EU, HK, Korea, Japan, SG) have open, well defined rules for MNOs’ role in payments (example: ECB ELMI framework within the EU), while other countries are highly restrictive and are in the midst of developing their legal and regulatory framework. Even in the countries where MNOs’ participation is defined, they have largely benefited from the complementary role that the service plays with pre-paid plans (not in interchange at POS).

Globally, MNOs are looking for a payment platform where they can benefit from interaction between consumer and merchant, with flexibility to deal with a heterogeneous regulatory environment. The competitive pressures on Visa/MC are much different than they were 5 years ago (when both were bank owned). The network fee structures and rules were written with banks and mature markets in mind. Emerging markets present a much different set of opportunities, as MNOs lead banks in brand and consumer penetration within every geography.

All of this leads to the case for a new “Mobile Payments Settlement” network, a network which will alienate many banks. I expect to see Visa roll out the initial stages of this network in the next 2 months with an emphasis on NFC. Quite possibly the best kept secret I have ever seen from a public company. I’m sure many Silicon Valley CEOs are crossing their fingers (with me) on this, as a “new wave” of innovation is certainly close at hand that will drive growth (and valuations).

For those not keeping up with the 50 or so product announcements a day on NFC, handset manufacturers committed to have NFC enabled phones to consumers in mid 2009 at the GSMA 2008 congress. NFC capabilities are numerous (Vodafone YouTube Overview), and may represent a true disruptive innovation surrounding payments. There have been many very recent product announcements that will enable existing phones to use NFC, and P2P Capability. All of which will blossom in a more “fertile” mobile settlement environment. See one example “future” Visa mobile service here: http://tomnoyes.wordpress.com/2009/09/24/googleoff/

Side note: This is not all bad news for Banks, as the structure will certainly provide for existing cards (debit/credit) and may deliver substantial revenue through cash replacement (small < $50) transactions. More details on structure of MNO in settlement in 2 weeks….

Select Product/Alliances Below:

[youtube=http://www.youtube.com/watch?v=2AmeM33r7wM]