Category Archives: Payments

I really want Apple Pay to fail. So much.

5 Replies

Let’s start with qualifications. I am not a payments industry pundit, and whatever payments experience I’ve had, it’s always been more on the risk and data side. I’m also a bit out of touch because I’m focused on my company, TrueAccord.

I’m also not an Apple fanboy or hater. I own a great 2 year old Macbook Pro and a Nexus 5; I don’t wake up at 3am to buy the latest model but if it’s good, I’m going to get it.

Still, I want Apple Pay to fail. So much. Why, you ask? WHY?

29cf7acf1a772005d650b0005f4f3bf7

(tough choice: Platoon or the Reddit “why” meme? ugh)

Here’s why.

First, it’s been just a few weeks and already I hear VCs who previously didn’t care about payments, random entrepreneurs, and journalists talking about Apple Pay like it’s the third coming. The data! What they could do with it! I didn’t hear these people talk this way when previous installments of phone + NFC wallets were introduced, and for a good reason – they are not that interesting, and I think Apple Pay is not interesting in exactly the same way[1].

Second, the talk about Apple now disintermediating banks. Anyone who makes the jump from storing credit cards in a “wallet” to going after issuers or retail banks in one sentence should be awarded a gold medal in mind-athletics. These are completely different activities and mind sets. Most infuriating is the suggestion that disintermediating banks is a corollary to what Apple did with iTunes. You don’t just unbundle banks and sell services through a clunky iInterface. The regulatory and operational impacts are incredibly complicated and Apple, if it ever does anything in the space, will likely partner rather than reinvent. This will further demonstrate what Apple Pay is for me: putting lipstick on a pig.

To further this point, I don’t believe Apple has real payments chops. I didn’t believe that in 2011 and I don’t believe it now. Like Google Wallet, I think Apple will use Pay to do what it knows best; in its case, sell hardware. This isn’t a new sentiment, but it’s still true; I don’t believe the commotion around Apple Pay because I don’t think Apple believes it either. They’re not here to reinvent payments.

Finally, going back to my first point, I don’t think Apple Pay is solving a real problem. That’s the main reason that other wallet providers failed to gain traction. While I understand the idea of Nash Equilibriums and accept that a huge investment in marketing could buy a stake in the market, I’d be surprised (and disappointed, if you couldn’t tell) to discover that consumer behavior was just a marketing campaign away. I don’t believe that, though – I still don’t think Apple Pay solves a problem, I don’t think using it does any good to anyone other than Apple, and I’d rather all that energy put into fitting Apple Pay would be spent on something else.

And that is why I really want Apple Pay to fail.

[1] I guess that makes me a reverse hipster. I hated the idea before it was cool.

Dealing with Account Take Over? Here are my top tips (O’Reilly post)

Leave a reply

Online payments and eCommerce have been targets for fraud ever since their inception. The availability of real monetary value coupled with the ability to scale an attack online attracted many users to fraud in order to make a quick buck. At first, fraudsters used stolen credit card details to make purchases online. As services became more widely used, a newer, sometimes easier alternative emerged: account takeover.

Account takeover (ATO) occurs when one user guesses, or has been given, the credentials to another’s value storing account. This can be your online wallet, but also your social networking profile or gaming account. The perpetrator is often someone you don’t know, but it can just as easily be your kid using an account you didn’t log out of. All fall under various flavors of ATO, and are easier than stealing one’s identity; all that’s needed is guessing or phishing a user’s credentials and you’re rewarded with all the value they’ve been able to create through their activity.

Read more on O’Reilly’s programming blog here.

Why did PayPal buy Braintree?

Leave a reply

(Pasting my Quora answer here)

PayPal wants to be anywhere payments happen and it seems to be willing to pay a good price for that. Beyond the standard dynamic where the leader buys one of its most affordable up and coming competitors, PayPal acquired a few nice assets:

– The Braintree team is strong, with multiple highly talented folks that are both well known in the industry (= strong advocates) and generally capable.
– The product is superior to anything PayPal has in gateway tech. PayPal acquired Verisign’s gateway a long time back but that integration was not synergistic. With new PayPal management and Braintree’s product, they can get better access to a large and growing volume of gateway payments. This is a good and needed complement to PayPal’s portfolio.
– Last but not least, PayPal bought a foothold in the upmarket – medium and large merchants that usually do not use standard PayPal products due to lack of UX flexibility and integration, as well as strong presence in mobile payments.

So, bottom line, PayPal acquired a team, a product and a market. A smart move.

Fraud in Digital Goods Sales 201 (Signifyd post)

Leave a reply

The Signifyd blog has a blog post worth reading today:

Selling digital and virtual goods is a lucrative business, but one that also attracts a lot of fraud attempts. The logic is obvious: no shipping requires no physical presence or appearance of one, fast delivery allows fraudsters to quickly buy multiple items and exploit much more of every stolen card, recourse by the seller is almost impossible due to the speed and finally, reselling stolen products is much easier than tangible goods. After our blog was featured in Balanced’s post about fraud, we saw multiple questions about fraud in digital goods. One of them was this comment on HN. One reason for Signifyd getting a lot of retailer attention is our ability to provide quality fraud prevention decisions that help reduce fraud in cases where there’s little recourse. We wanted to share some insights.

Common wisdom about preventing fraud in digital goods is abound. We’re not looking to repeat the regular tips – using IP address to billing address distance, purchase velocity, email domain type and device fingerprinting as indicators. What we’d like to do is add some more details as to why these things often fail, and suggest a few best practices. Here are some:

  1. Digital goods purchases provide a quick feedback loop, allowing fraudsters to test and learn fast and adapt. Deploying rules with a single threshold or indicator (e.g. number of past purchases over 4, or IP country must match BIN country) and rejecting 100% of purchases immediately simply provides faster feedback. Either compose rules that have multiple indicators, randomly reject less than 100% of purchases, or implement a random delay in your response.
  2. IP to billing address location is a complex indicator. Simply measuring distance won’t work when the network is mobile, and setting a single threshold won’t work in most countries. Use sources like GeoIPOrg to understand what connection this IP comes from, and implement bins to your distance function.
  3. Email domain type is relevant but simplistic. After you weed out the free but rare ones (bad) and corporate emails (usually good) you remin with a ton of Gmails. What then? Using online searches to determine that this email is actually tied to a person is an important next step.
  4. Customer browsing patterns are highly indicative. New customers, returning customers and fraudsters all navigate differently on your website. Count the number of clicks to initiating a purchase, as well as which types of pages new customers pass through. You’ll see obvious patterns emerging.
  5. Don’t wait for chargebacks to come. Have one person on staff reviewing purchases randomly to detect emerging trends and respond to them.
  6. Machine fingerprinting is helpful, but is often a glorified javascript. Build basic matching in house based on information you collect from consumer sessions, and watch for users who look similar to previous ones but always have new cookies. Fraudsters know how to flush cookies – it’s not the linking that gives them away, but rather the attempt to not be detected.
  7. Don’t use 3DS. You will pay much more in lost business than prevent fraud.

Fraud in digital goods is a real problem, but a solvable one. Don’t let the threat of lost money shut down your business and drive you to blocking whole countries from your system. And, give us a buzz. We’d love to see how we can help you.

Don’t pitch me, bro: 4 common payment startup ideas that you should avoid

5 Replies

You think I’m kidding? I’m not. The days of payment providers and payments companies set-up and grown the way they have, trying to replicate a PayPal model, are gone. Consumers don’t care enough and cannot effectively differentiate your service from others to really choose to sign up. I looked at that several times in the past.

Still I get pitched on ideas I find far fetched and, frankly, a waste of time for smart entrepreneurs. There are many possible smart, ground breaking and really difficult directions to take in payments; the following ones are not, and anyone who understands payments will advise you to stay away from them.

  1. The mobile wallet: Square (PayWithSquare) isn’t gaining traction. gWallet is failing. Serve isn’t taking off and ISIS is… well, you get the picture. Mobile wallets aren’t working: merchants are slow to adopt additional hardware that will allow them to accept these. NFC is years behind in adoption and many large and small players, including me, just don’t believe in it. Consumers are slow to adopt a solution that gives them no advantage over credit cards, and even giants with big pockets can’t get them hooked.

    Signing people up and getting to add their credit cards is impossible without high, unsustainable customer acquisition spend. No startup can grow this way.

  2. Micro-payments: I understand the rationale. Payments should be as easy as Liking something. People don’t pay for content because it costs too much. We can start from digital goods and charge a large percentage that will cover costs.

    It all sounds good until you realize that it doesn’t work. Consumers don’t pay for content by the pound since they are used to free content. Paywalls have limited success and even that success is always with big brands that spend millions on advertising, reducing market size to a minimum. More importantly, zero cost of goods sold – a blessing and a curse – allowed large take rates and supported many interesting business models, ones that cannot expand to any other vertical. Once you’re hooked on these sweet 30% (or 10%), you can’t really go to tangible goods with their lower margin and fraud and other issues. No payments company really grows out of that niche.

  3. Split bills: oh, the ever eluding perfect offline shopping experience. Entrepreneurs mean well – the experience does need a revamp. Is it really about not having to split a bill at a restaurant or the downtime of waiting for your check to arrive? As it turns out, these are very weak drivers to action when they are required to (again) sign up and add a credit card. It’s not that consumers don’t respond to call to action at those points; apps like OwnerListens prove that they do. They just don’t respond to THIS call to action. They want to do something, just not split the bill.

    The reason is simple: the actual shopping experience, while indeed a big issue, is just the tip of the iceberg when you approach it as a payment application. What you’re trying to build is the network of merchants and consumers, and you’re again faced with the two sided chicken and egg problem, with a weak call to action to consumers and not so easy integration for merchants. Adoption never crosses the usual suspects on Emerson street in Palo Alto, and even they are growing tired.

  4. Facebook Connect checkout: an alternative to the previous idea, here we have an attempt to streamline online checkout. This one fails not only because consumers are not too enthusiastic about giving their Facebook details in financial settings – they are not – but also since much like with the mobile wallet idea, they have a current option they like just as much. Credit cards work, and no incremental solution is going to displace them anytime soon.

The payments landscape is fragmented, commoditized and highly competitive. It is ripe for disruption, but that disruption will not come from new card-based services but from innovations in payroll, cross border trade, emerging markets, new identity trust authorities and other interesting ideas. Research those, and stay away from ideas that will take you nowhere. We need your energy focused on the right things if we are to really see a change in the coming years.

 

What are the risks of mobile POS systems?

Leave a reply

I’m embedding another Quora answer, since this is a topic that gets debated quite a lot. I don’t view mPOS as inherently more vulnerable, and frankly, the limited scale is (as always) the reason why I believe fraudsters will go elsewhere. Online is almost always easier.

Read Quote of Ohad Samet’s answer to Online and Mobile Payments: What are the risks of mobile POS systems? on Quora

Why isn’t anyone using MoneyBookers?

3 Replies

An excellent answer on Quora shows what old school (10 years old) payment services look like, and also explains why is MB only active in adult and gambling (without mentioning it’s obscene pricing).

EDIT: See Daniel’s response below, it seems like the facts here are disputed (as well as my understanding of Skrill’s business model. I haven’t looked at the company deeply since 2005 or maybe a bit later). My apologies to the team.

Read Quote of Patrice Laperriere’s answer to Why nobody uses Moneybookers (now called Skrill) anymore? What’s wrong with this payment system? on Quora

Forget Big Data

4 Replies

These are the slides from a talk I gave last week. The gist of it: “Big Data” in Fraud and Risk prevention for payments won’t suffice, and must be augmented by domain experts (including a few notes about reasons for that, a bit about domain experts, and some real life examples). Nothing new for readers of this blog, but you may find the slides or wording helpful.