June 10, 2006

Naked Payments II - uncovering alternates, merchants v. issuers, Brits bungle the risk, and just what are MBAs good for?

Over on PaymentNews they point to an article on the rise of alternative payment mechanisms. These they define as PayPal and the like. It isn't easy for merchants to add them:

On the other hand, DVD Empire's Berry sounded a note of caution. "Of all the payment methods I had grandiose plans of implementing six months ago when Internet Retailer asked me to speak, I've implemented none," she told the audience. Often, she said, new payment methods demand costly and thorough-going changes to existing operations, making it hard to cost-justify them when looking at their transaction potential. Even new technology from an established payment network--Visa USA's Verified by Visa user-authentication system--has proven nearly unworkable. Two years after embarking on the project, Berry said, DVD Empire still hasn't been able to bring the system live. "It took us 14 months just to get this online for one day," she said, and this with the efforts of six programmers. Visa's server farms "go down frequently," she said, while even things like users' pop-up blockers and non-Internet Explorer browsers can frustrate the system.

Which is a salutary reminder of an old FC rule - retail sales of merchant goods are the suckiest application to get involved in. Run like your life depends on it. I recently wrote a b-plan sketch for this very area and only after sending it did I realise I'd broken the rule myself. Still, at least my payments aren't naked nor vulnerable.

More from PN is the "anti-trust" aspects of credit cards versus the rest. A good article from Adam Levitan on the merchant battle to free up the US payments industry from the interchange headlock.

Antitrust suits present a significant short-term threat to MasterCard and Visa and are spurring the reshaping of the U.S. payments industry. In the longer term, however, the antitrust threat may not particularly matter, as the growth of national bank brands has created the possibility of large banks splitting off and forming their own independent payment networks, while developments in payments technology and Internet commerce have created a competitive threat to MasterCard and Visa. The ultimate outcomes of these developments are uncertain, but one thing is not: the payments industry will look very different in a decade.

Levitan's thesis is that the merchants are rebelling across many fronts because the lock on the market by the credit card issuers allows banks to push merchant fees higher by one trick or another. Yes, that's what happens when cartels get a strong grip. Levitan also attempts to cast Paypal and other Internet providers (AliBaba, Peppercoin, 2Checkout) into the mould of the conventional banking payments providers, perhaps so that banking types can compare. Yes you can do that, and he makes some interesting comments on Paypal. But there are other perspectives, and in dealing with Internet / new payments, starting from a position of conventional banking wisdom is doomed (if you feel like betting I'm wrong, pass a few $$$billions over here and we'll get a working payment system).

Over in Europe there is a lot of talk about SEPA. The Single European Payments Area is a big thing, and it is fair to say that it is the current best European idea of "open". Which in itself presents the old contrast between Europe and the US - as "open" West of the pond means anyone can do a payments system. In the oldy, mouldy East, Europe struggles to get the banks to "open" payments to other countries, so that their citizens can pay cross-border. Moving money across borders in Europe is a disaster - and I often wonder if it would be cheaper to transmit funds by flying with an envelope of cash than using the banks. Not to mention that you get a weekend in an exotic city thrown in for free.

What Europe needs of course is less of that "open" and more of the other "open." People with Paypal, Moneybookers, gold, etc accounts can already pay across borders as if they weren't there, but those new systems are being blocked for banking protection reasons from widespread usage.

Next, in Britain, their rollout of the Chip&Pin system seems to have fallen flat on its face. Slowly the evidence trickles in:

  • they are using static cards, not dynamic cards. Which means once some simple authentication like "yes, that's a card" is done, you can ask the card to do whatever, wherever, with whoever...
  • Lynn Wheeler points to a concentration of thought(lessness) in the direction of the smart card. People there seem to be thinking of the security as the smart card. Curious, I thought only salesmen for smart cards fell for that, I've not come across a bank that fell for it.
  • see Lynn's new metaphor of naked and vulnerable transactions - yes that is what they do in the smart card world, partly because they haven't got the grunt to do full signature processing, and partly because they concentrate on banking models.

So they bungled the risk management. Why is that? They used cards that were much cheaper than the ones used on the mainland, so one could speculate that they took on a higher risk. But the card systems I've seen in use on the continent also pay much more attention to merchant terminal fraud, and it is not as if the Brits then compensated by improving the merchant terminals. Indeed, that was at least one of the attacks - walk in and swap the terminal for another.

On the face of it, I'd speculate that they didn't do the risk assessment, or it was swept aside by higher management principles as unacceptably pricey. IOW, cheapskates, and now they pay for it. Which means, having spent a billion or more on rolling it out, the banks are likely to have to fork out more and do it properly this time.

I would love to point to the Russian model here, as I frequently point out that software systems are two orders of magnitude cheaper than hardware systems, which allows for a lot more mistakes. Lynn points to the intention of bankers to add two orders of payload bloat for fun and giggles, but let's call that correlation not causality for now. I gather that WebMoney does great business including with telcos and with purchasing of scratch-it cards in the streets, so they have drifted away from honest software roots. From what I recall, WebMoney turned up at EFCE and presented a fairly conventional "digicash" model and then went and migrated that to "web-site plus digicash client." With a few millions in investment (?) they seem to have shown how to do it. The FC audience craves more historical writings!

Finally, Decot & Lee, a couple of student MBAs at Haas, wrote their term paper on Google v. eBay. They called eBay cooperation with Yahoo correctly, and these predictions seemed to have earnt them a job at both places. (Funny, 5 points.) John Battelle says "Remember, this is the work of students, not industry experts, but it's quite valuable nonetheless." Nonsense, I say! The MBA brings breadth and integration of many disciplines to the table, and that's even more so when the student is freshly looking at a new industry. The so-called industry expert has already been purchased, bribed, perverted and sold so many times he wouldn't know an unbiased analysis if his life depended on it.

Seriously though, the lesson here is that it is possible to do much more analysis on public sources than is normally done - all you have to do is .. do the work (having an MBA helps!).

Many of the predictions you see here in FC are much lighter-weight than found in that term paper, but for all that, it is the same basic stuff, being the integration of other disciplines into the mix. The number of "spot-ons" far exceeds the count of "dead wrongs," much to the chagrin of those buried in their own single discipline think. It's just basic MBA stuff: it is possible to integrate crypto with governance, software engineering with finance, etc. Indeed, if you are doing FC, you'd be either mad or negligent not to. Or naked and vulnerable.

Posted by iang at June 10, 2006 07:51 PM

I have seen it asserted that the real "gain" of chip+pin isn't any additional security, but elimination of signatures.

An obscure bit of UK banking law states that the risk of failing to recognise a paper-and-pen signature is the bank's - not the customer's, or the retailer's, but the bank's. The bank has to eat the loss if fraud takes place based on a handwritten signature.

On the other hand, if you use a pin, then that doesn't apply - and currently, the new merchant agreements state that the risk falls squarely on the retailer, just like customer-not-present transactions always did.

Chip and pin has already cleared its profit - not due to increased security (although it also makes skimming a bit harder) but due to the offset of risk onto people who can't alter the risk at all (the retailers) so have to deal with it statistically. Any actual reduction in fraud is a bonus, but to be honest doesn't matter to the banks, as it goes into retailer bank accounts, not theirs.

Posted by: Dave Howe at June 11, 2006 05:32 AM

Dave writes:
> On the other hand, if you use a pin, then that doesn't
> apply and currently, the new merchant agreements state
> that the risk falls squarely on the retailer, just like
> customer-not-present transactions always did.


other subsequent posts also make reference to possible transfer of liability


has this reference:

UK bank card security flaws warning


has this reference:

Chip and SPIN; The switch to Chip and PIN may be for the benefit of banks rather than consumers, suggests Gervase Markham

and now comes this more recent article that has been
picked up in several places:

UK Banks Consider Making Customers Liable for Online Fraud

and this article

Consumer groups, banks battle about components of ID theft legislation
Consumer groups, banks battle over ID theft legislation

Posted by: Lynn Wheeler at July 16, 2006 09:07 AM