Archive for payments

virtual payments nirvana

Posted in General on July 4, 2010 by newideasconsult

I often converse with companies and individuals seeking to ‘reach the un-banked’ through various technology solutions, either based on cards, ‘e-wallets’ or mobile phones, and am quite surprised when during the conversation the issue of where the cash for such solutions would be processed is met by some confusion or inaccurate responses from those very business people.  I specifically state it like I do because ultimately, no matter how ‘sexy’ or ‘sophisticated’ or ‘uncomplicated’ such a solution sounds, it always needs bank accounts behind it.  The unbanked will still need a place where cash is loaded and dispensed, and the funds held within such a solution will still be settled into and out of the solution owner’s own transactional (bank) accounts under the customers’ instruction.  All solutions I have seen and/or experienced work this way, though many may hide those bank accounts under several digital layers, or they process those virtual account transactions through individual physical bank accounts or combined project bank accounts.  So to call these solutions anything other than banking solutions would be wrong in my opinion.  The line ‘how to reach the unbanked’ would make more sense if it read ‘how to bank the unbanked’.  This may result in more regulatory appreciation by the ‘non-bank’ owned payment solution providers and their customers in the future, but is that such a bad thing?  It still stuns me that many people use PayPal, for example, without reading its own T&Cs, which clearly define just how little regulation it is required to abide by…  The rush to new technology or the latest fad payment solution should become tempered when merchants and ‘account holders’ alike realize that there is no ‘virtual payments nirvana’, no silver bullet solution for the unbanked, and no ‘easy’ compliance process, though history shows otherwise.
If they are offered such, I would suggest they take a long hard look at the company’s terms & conditions, as well as the regulations they are or are not subject to.  ‘Access to cash’ is what technology makes easier, cheaper, more difficult or more expensive, and most if not all new ‘virtual payment’ services give you access to your own funds or enable you to access digital services using cash. What you as both a customer and a merchant need to figure out is whether the choice you made makes your life easier and less risky, and your banking and/or payments less expensive, or not.  Within such solutions your cash either sits in a bank account in your name or in someone else’s, and those accounts are either regulated or they are not.  For many customers, such clarity on the issues comes too late.


Debit card terminology

Posted in General, Standards on May 13, 2010 by newideasconsult

There are many misleading terms that have been bandied around in the payment card industry that confuse customer and service provider alike, especially these days with so many ‘white label’ resellers marketing their debit cards as ‘credit cards’ and what not!  For example, the word ‘prepaid’ does not mean the same to me as ‘pre-funded’, though many card product marketing documents use them interchangeably.  Fixed value versus reloadable makes the ‘prepaid’ card even more confusing for some.  I’m not an expert on such terms, but having things cleared up a bit would make me a much happier consultant.  So if you deem yourself to be an expert on these matters, please feel welcome to comment as much as you like.  I’ll make up a little cards industry thesaurus, as it were, from all contributions 😉

Payments future landscape

Posted in General, Innovation, technology on April 25, 2010 by newideasconsult

These past few months have been rather interesting in terms of the payments industry and the subtle shift in consumer perceptions.  One of the most amusing to me has been the clear lead Paypal has in the e-venture payment space over any other brand, card associations included.  This may not be a good thing in my opinion, but undoubtedly it has happened.  Ask any e-venture owner what payment method they will be accepting on their platform or site, and at least 7 out of 10 will tell you Paypal.  Not Visa or Mastercard, but Paypal, regardless of the obvious issues around its regulation and the bad risk prevention policies it employs.

This to me indicates a real challenge traditional payment companies may face during the next few years, which is how they can win back the market from ‘upstarts’ such as Paypal, Moneybookers, mobile networks, and the many alternative payment methods in the market today.  With the strength of the Paypal brand on the Internet (and to me this means their brand strength among the Internet-savvy generations), as well as the rapidly growing mobile payment services, what will the PCI (payment card industry) founding members (Visa, Mastercard, Amex, Diners and JCB) do to retain their brand strength, or for some, regain their brand strength?  It seems to me that as one accepts virtual payment instruments and mobile phone based solutions as the way forward, it removes or distances the payment methods used from a card, the base tool used in the credit card growth of the past 4 decades.  Once NFC, mobile payments, and the next generation of Paypal type solutions have rolled out, the card brand will be completely hidden and, in my view, forgotten in the not-so-distant future.

Still some way to go before we can say goodbye to the plastic card (magstripe and chip), but it seems to me the subtle shift in market direction may just ring in that future much sooner than many may have thought.  Unlike the media industry’s late wake-up to the power of virtual distribution, the card payment industry may just have enough time to learn the new rules of the payments game, and hopefully apply them wisely to retain their future market share and brand strength.  Some may not be able to transition, as the departure from card may be too big a shift in paradigm for them, but those that do would have their years of payments experience married to new tech solutions that could eat the Paypals of the future for breakfast.

Demand driven mobile solutions

Posted in General on March 20, 2010 by newideasconsult

One of the issues we see surfacing during an economic drought is the demand test for products and services, especially in the ICT market.  These are the days of tighter budgets that see suppliers of services forced to shut down some services or products because they’re not being used.  Previously generous budgets allowed free rein in launching service after service, and short of our own egos we were pretty much untethered in terms of what those offerings were.  To be the first with a service tended to be more important at times than giving the customers what they want.  I think today this type of approach has undergone a radical change and we are quickly starting to see a more realistic picture come to the fore in terms of what customers want.  For example, smart phones have changed many things for the consumer, and quite often each model’s launch also causes a wave of goodwill that produces the most elaborate of services, supplied by retailers, content providers, and even banks.  Internet banking was slow in its initial uptake by financial institutions in the late 1990s and early 2000s, and I often wonder whether that, tied to looser purse strings, has seen these same companies now rush to launch mobile services to their customers regardless of the need for them.

Nowhere can this be seen more clearly than with mobile banking, where solutions have popped up from everywhere, by everyone, and are sold as the ultimate customer service by many, including myself.  Mobile applications are definitely growing in demand, but I believe we may be missing some very obvious signs of what the customers actually want or need.  Today’s mobile banking product range reminds me of the Internet boom years, where everyone, regardless of country or creed, is being sold the most fantastic, high end, feature rich applications you can dream of, from balance enquiries to inter-account transfers to P2P payments to 3rd party billing to prepaid MLM sales, and many more.  However, the iPhone in the middle of Manhattan delivering the most wonderful financial application to a very appreciative, sophisticated market will fail miserably in Ho Chi Minh City, where an equally sophisticated market would be utterly frustrated by the same application.  A Blackberry service in Johannesburg is equally fantastic in bringing the world to its user, but fails spectacularly to do the same for the farmer in Kimberley.  Yet we find that the corporations behind these applications keep trying to sell them to everyone, from the East to the West, from the businessman in London to the farmer in the Philippines, and time and again they fail to satisfy their customers or revoke the service completely.

Two reasons that jump to mind would be the wrong product for the wrong market, and the other a very crowded market place.  I have had some interesting chats with fellow technologists about mobile applications that may work in one country but will suffer in another.  Person to Person payments must be one such example, with the negative press recently caused by Citi Bank’s decision to shelve their P2P mobile service last December causing quite a few hot debates.  P2PP works, just not in the USA right now, and where it does it is not yet profitable and won’t be for some years to come.  Americans (and Westerners in general) have choice, and lots of it, and so thinking that they will rush to their phones to start transferring funds from one to the other, when they already have many services in the market enabling such a transaction, services that are known and trusted by those who would use P2P payments, was ridiculous.  Forcing those same parties (or at least one) to have a Citi bank account to enable the use of the service was even crazier, and showed a lack of understanding of the P2PP early adopters market.  Another reason would be that a crowded market can often delay the take-up of a new format of an old offering, which is exactly what mobile phones offer.

P2PP on the mobile platform works fantastically well in a 3rd world environment, minus a lot of Western bells and whistles though.  Banking applications in Vietnam or Zambia or South Africa or wherever are often so basic in their format that the Western market would scoff at them, but they work and their use is growing rapidly.  This is because they offer their customers just what they need: a quick, no-pains way to send money to someone.  They work because quite often they are the ONLY service available to the consumers in these regions that offers such a facility.  They work because they are almost always designed to work on any Java enabled phone, even the most basic models.  SMS banking too is similar in its acceptance in these regions because, again, it is an unsophisticated service that does what it says it can, and is easy to use.  Again, no need for high end smart phones or changes to customer practices.  Mobile phone users can SMS, most do, and basing such a service on this most basic of mobile skills makes a lot of sense.

For me and others in the industry, the mobile phone offers only another channel for the consumer to transact and access their accounts with, nothing more. Mobile applications too are, for global markets, horses for courses: to each its own.  You cannot apply a universal approach in product or service design to the mobile channel, and you cannot launch such services globally simply because they are fashionable in one city, country or region.  One of the most important considerations to make as a mobile service application developer is to ensure local representation or experience in the design team, or you may miss the mark altogether.  Doing so for each market you enter may sound like overkill, but could save you considerable losses in the long term.

There is so much more on this topic and my post has already been hacked to pieces to fit, so for now I will lay this issue to rest for some new post in the future.  Your comments though are most welcome and your opinions equally valuable in the debate about what works and why.

Reporting on alternative payment systems

Posted in General on March 17, 2010 by newideasconsult

There is a plethora of articles on the Web announcing new payment methods or convenient ways to pay for services or similar, that often mislead both consumers and retailers into thinking that they are somehow better than the traditional methods like the banking systems, automated clearing houses, and credit card interchanges.  The traditional models of payment are often aged and frustrating, I will give you that, but the new kids on the block are often gung-ho, inexperienced or plain expensive for little more than a nicer user interface to an existing bank account.

New or alternative payment methods are exciting and I do not wish to detract from them at all.  I love the fact that we can still think innovatively in an industry dominated by regulation and banking or payment monopolies.  What I do not agree with is throwing caution to the wind when informing others of these new services.  Reporting on technology should not be approached in a similar way as reporting on Paris Hilton’s latest handbag for example.  Consumers especially, and retailers too, often get misled by the cheerleading approach many technology writers take these days when writing about the latest and greatest new services.

It really is up to those very journalists to ensure they report in a balanced, clear and transparent manner, so that the choices people make based on their articles will at least be made with more circumspection than most are today. We live in an age where there are many people who simply follow trends, whether the latest fashion or the newest payment brand, regardless of the risks involved.  We need to bring the reporting standard back to a place where we relate the issues clearly, without advertiser bias, without personal preference, without starry-eyed language.  Straight-up articles written in a clear and concise manner that educate the uninformed about everything pertaining to the latest and greatest service, so that they can make more informed decisions as consumers and retailers in the future.

Update 1: I chose to change the title of this article to avoid confusion about its content. My apologies to anyone who found ‘Alternative Payment Systems’ misleading, and I hope the edited title is found to be more in line with the post itself.

SAS70, PCI DSS, and software

Posted in General, Standards on March 13, 2010 by newideasconsult

I love this quote:

‘All data is important until proven otherwise.
All data is tainted until proved otherwise.
All code is insecure until proven otherwise.’
(my source – Wikipedia)

Recently more and more company executives are talking about SAS70 (Statement on Auditing Standards No. 70) as the essential certification requirement for a vendor prior to any interest on their part in purchasing the vendor’s offering. It seems SAS70 has mirrored my experience with PCI DSS (Payment Card Industry Data Security Standard) compliance, where clients expect the software vendor or system vendor to show compliance through certification on one or both of these prior to any conversation about selling their solution into the client company.

Before I continue let’s explain some basics:
SAS70 – this standard is defined as follows: ‘SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format. The issuance of a service auditor’s report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor’s report, which includes the service auditor’s opinion, is issued to the service organization at the conclusion of a SAS 70 examination.’ – SAS70.

PCI DSS – this standard is defined as follows: ‘The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.’ – PCI Security Standards Council

What is important to understand is that both standards apply to the integrity and safeguards of the measures within a company environment that protect the financial and customer data the company is a custodian of.  A long-winded way of saying that these standards try to create measurable guidance for an auditor within a company, often external auditors, that may or may not lead to certification of the company as ‘compliant’.

Now to return to the main reason for this post.

Executives of companies into which transaction management, financial, accounting, auditing, ERP, or any other software systems are sold, where those applications manage financial or personal data, must themselves be audited for either SAS70 or PCI DSS.  The subtle difference between these two data integrity standards to me is that PCI DSS is specifically applicable to the payments industry, from e-commerce to ATM networks to POS ISOs to retailers and of course their banks and interchanges.  By the way, this standard should be applicable even to those companies within the payments industry who do not switch PCI (Visa, Mastercard, Amex, Diners, JCB) branded cards.  It is an excellent measure to test the integrity of a company’s processes, procedures, systems, networks and applications that manage cardholder data security in any way.

SAS70 does this too, in terms of the general ICT controls and safeguards, but again is applicable to the service organization itself, not to the vendors supplying the product on which the service is based.

Why do I stress this point so?  Software is pliable, very changeable, and specifically so when supplied to companies as customizable solutions, as it should be.  Though the vendor’s coding practices could be secure or defensive in nature, the solution still offers too many variables in terms of customization to be certified PA DSS out of the box.  PA DSS attempts to act as a guideline for auditors by certifying software to a degree, setting out the requirements for an off-the-shelf software product to be DSS compliant, but it does not apply to customized or in-house developments.  Vendors that provide the tools for bespoke solutions then cannot be held to such a standard, and rightly so.  Too many changes later, the software simply would not be the same as the version tested for PA DSS.  I would even contest that off-the-shelf software products in the payment space can claim PA DSS compliance throughout, as I have experienced too many projects where such products underwent large-scale changes to fit the client’s requirements.

So for me there is only one rule to apply when selecting a software product, either for bespoke development or for off-the-shelf provision.  And that would be that the vendor commits to secure or defensive coding practices in one form or another.  Basic steps to prevent abuse or intrusion can be put in place during the design and coding of applications, and this applies to any development regardless of the industry it is developed for.  Basic preventions are to verify inputs, only output essential data, don’t store sensitive data in the open, encrypt where possible, hash passwords, partially mask sensitive user data when displayed, simplify code, double up on defense to ensure no single point of failure, and so on and so on.  I have heard this many times, and often thought ‘that’s obvious’, then realized that it is not, but implementing and keeping to a single secure coding policy within a team, project, program or company is something we all should do.
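As an added illustration of four of the basic preventions listed above (verify inputs, mask data when displayed, don’t store sensitive data in the open, hash passwords) applied to cardholder data, here is a small Python module. It is example code written for this post, not a vendor’s product; the test PAN 4111111111111111 is a publicly known Visa test number, not a real card, and the HMAC-based card reference is one illustrative approach, not a certified tokenisation scheme.

```python
"""Illustrative secure-handling helpers for cardholder data and credentials.
Example code added to this post; not any vendor's or standard body's code.
"""
import hashlib
import hmac
import os
import re

# Constructed sample values. 4111111111111111 is a publicly known Visa test
# number that passes the Luhn check; it is not a real cardholder's PAN.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_BAD_PAN = "4111111111111112"   # one digit off: fails Luhn


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, the checksum carried by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_pan(raw: str):
    """Verify input: strip spaces/dashes, accept only 13-19 digits that pass
    Luhn. Returns the normalised PAN, or None when the input is rejected."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan):
        return None
    return pan if luhn_valid(pan) else None


def mask_pan(pan: str) -> str:
    """Partially mask for display. PCI DSS 3.3 permits at most the first six
    and last four digits to be shown; this keeps only the last four."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Don't store the PAN in the open: persist a keyed HMAC instead, so a
    stored record can be matched to a card without the database ever holding
    the number. Illustrative only; the key must live outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn if none given.
    The returned string carries algorithm, rounds, salt and digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pan = validate_pan(SAMPLE_PAN)
    print("accepted:", pan is not None, "display:", mask_pan(pan))
    print("rejected bad PAN:", validate_pan(SAMPLE_BAD_PAN) is None)
    record = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", record))
```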

As for the company execs who wish to purchase vendor solutions such as those I promote: SAS70 applies to your whole organization regardless of the certification of the software or solution you buy, and if you are in the payments industry, so too does PCI DSS.  It is unavoidable for a company wishing to use a payments solution, whether bespoke or shrink-wrapped, to be certified for PCI DSS, as with SAS70 for general ICT.

If you touch any cardholder data anywhere in the processes of your business, whether physical or virtual, you must be certified.  And by this I mean you must change the way your company works with such data, and ensure that this change becomes the de facto standard within your organization, so that it becomes culture to your employees and management.

EDITED: Also check out this article by the PCIGuru – http://pciguru.wordpress.com/2010/07/03/why-the-pci-standards-exist/ – for more on PCI DSS. Though more focused on the US market, the article and the others on PCIGuru are very well researched and superbly written.

Twitter’s founder, Jack Dorsey, reveals his latest venture, a mobile phone enabled payment system called Squirrel, now Square!

Posted in General on December 9, 2009 by newideasconsult

The system is nothing new, it must be said upfront. The fact that Jack Dorsey has been working in the payments industry only since May 09 explains his naivety about the viability of this venture in its current form.  Jack’s own words – “The financial world is amazing right now because there’s a clean slate. A lot of these industries are looking for something very small and innovative,” – show me just how little the man really understands of the payments industry. A clean slate??? Innovative???

Two things come right to mind that in my opinion will cost any new EFT or card device credibility if they cannot change.  Firstly, swiping cards through card readers is no longer acceptable, as the PCI wish to move to PIN and card verified transactions, such as Chip & PIN in the UK, Europe and elsewhere. The first major problem with this device is simply this: it has no ability to verify the card, as it reads the magnetic stripe only. The second major problem is the fact that the device cannot take a PIN securely, a demand PCI PED would place on such a device should it be redesigned to accept Chip cards in the future.  Secondly, biometric verification through a non-standard process, such as the limited fingerprint reader the Square software enables on the iPhone, also makes for a very hard sell to the banks who acquire transactions (acquirers) or who issue cards (issuers), and the interchange networks behind them, including of course the major PCI brands.

There have in fact been many mobile phone based solutions out before Square, and there will be after Square. I am reminded of one that used to be called Funge, a fantastic concept product patented many years ago and launched in 2000/2001. What could it do?  Swipe cards for payment on a mobile phone…  But hey, this is Twitter’s founder and therefore he MUST be lauded and slapped on the back; we must report as much as we can about our wonder-child that is Twitter, and Jack, its ‘brilliant’ founder, because he is now an inner circle man, funded and loved by the same group of backers who brought us the crash of 2000/2001! I bet he will have funders in no time and a listing around the corner! Not that I am blaming Jack at all, but rather the YES-men one so often finds grouped around the Jacks, Marks and Sergeys of the world.

Jack, what you need is a group of people who know this industry and can walk the walk with you PRIOR to announcing any further news about Square! What you need is some solid advice that covers all the issues and requirements of a very mature global industry that has a very messed-up ‘slate’ in fact.