The Financial Services Club's Blog: Cards

March 18, 2011

CNN - not news, but fraud

After my note about identity theft the other day, I got a nice note from Barry Marshall at Identity Intelligence (IDI), who run a database about fraud. Their numbers are staggering, and they define the issue today is not about Card Not Present (CNP) fraud, but Card Not Necessary (CNN).

They noted that over 61,000 stolen credit cards were being used fradulently on the internet during 2010, a decrease of 10% on 2009 (68,000)*.

However, the IDI database held 58 million records of individual personal data that were sold on the internet during 2007 and 2008.

By the beginning of December 2009 the figure had grown to 138 million related to over 60 million individuals, as many people are either phished or have their personal data sold and purchased more than once by criminals.

By December 2010 the database had grown to over 270 million records representing approximately 115 million individuals.

Should we be worried about the end of privacy?

Maybe groundwork for a CNN news report ...

* these stolen credit cards were reported to the Dedicated Cheque and Plastic Credit Card Unit (DCPCU) a joint operation between the Metropolitan Police, City of London Police and UK Payments: http://www.dcpcu.org.uk/. In total, over 325,000 stolen credit cards have been reported by Identity Intelligence to the DCPCU.

Comments (1) | TrackBack (0)

March 15, 2011

Great identity theft infographic

I almost missed this one, but found a wonderful infographic on identity theft produced by Lines & Moodswings.

Here it is (doubleclick to enlarge):

Comments (1) | TrackBack (0)

February 25, 2011

Next generation payments by Peter Ayliffe, President & CEO, Visa Europe

Peter Ayliffe, President and Chief Executive of Visa Europe, presented to the Financial Services Club this week his vision of next generation payments, and how far we could become cashless.

The war on cash is the drumbeat of all card firms, and it was notable that Peter made it clear that he did not believe his competition was American Express and MasterCard, but cash itself.

For example, the proportion of everyday consumer spending at points of sale (POS) across Europe, based upon using Visa cards versus cash, shows that cash is still predominant, with the majority of European countries still heavily dependent upon cash payments at POS.

In fact, 78% of all payments are still cash-based, although what surprised me is that Germany, Switzerland, Italy and Belgium are so heavily oriented towards cash that under 10% of payments are Visa card-based.

Even more surprising is that the UK is one of the top three non-cash based societies, alongside Norway and Iceland (where there is no money!) and above the levels in Finland, Sweden and Denmark.

In a country that keeps beating ourselves up about cash and cheques and being laggards, we’re not.

We’re leaders.

This was reinforced yesterday, when I saw the announcement of Boris Johnson that London would ensure that all public transport systems across London would take contactless payments by the start of the Olympics – a world first.

Not bad for a country that is still trying to get rid of cheques.

Nevertheless, cash is still the issue.

This is demonstrated by one of Peter's slides, which showed that debit is growing rapidly as the focus of payments amongst consumers.

The figures are sourced from UK Payments Association APACS and, to be clear, these figures do not represent total UK payments as it does not include direct debits, cheques and other payments forms but just debit and credit versus cash.

In case you’re wondering, UK cheque volumes dropped from 2,526 million transactions in 2000 to 1,232 million in 2009, whilst their value dropped from £1,885 billion in 2000 to £1,255 billion in 2009. It’s also worth reiterating that we hope to get rid of them by 2018.

So we have the rise of debit cards, the demise of cheques, and the values of cash payments remaining static whilst the volumes decline rapidly.

Peter's presentation then focused upon next generation payments, and specifically contactless and mobile.

Peter began by a chat about contactless in the form of Visa PayWave, saying that the key here is speed, acceptance and security.

People may think contactless is insecure, but it’s more secure than cash.

Lose a few notes from your pocket, and they’re gone.

Lose a contactless card and it’s only good for a maximum of ten taps. At €20 max per tap, that's a maximum of under €200 at risk, and all guaranteed by the bank for reimbursement in many cases.

So the concerns of people about insecurity of contactless are a false concern.

Another key factor is speed.

Contactless is far faster than cash, and Chip & PIN (EMV) for that matter.

A typical contactless payment takes four to six seconds at the POS, versus 12 to 14 seconds for cash and 27 to 44 seconds for EMV or magnetic stripe.

Peter also emphasised the growth of contactless in the UK, and the fact that the Transport for London (TfL) announcement mentioned earlier is a critical moment, as Visa see transit as a “real killer application”.

TfL’s announcement means that Visa contactless will now have acceptance across 8,000 buses, as well as the whole tube and train system, which will normalise the everyday use of contactless.

That means a potential seven million cash transaction from the buses and 160 million cash transactions from the tube is wiped out overnight.

Then in 2012, when the Olympics come to London, Visa – who have are the exclusive payments sponsor of the Games remember – aim to use the games as an accelerator for contactless by embedding it in the everyday habits of London life through the extension of contactless payments to taxis, fast food chains, cinemas and more.

For example, McDonalds will perform a Visa contactless roll out across the UK through 2011.

These movements combined with others means that Visa believes over 60,000 terminals (35% of all POS) and 20 million cards (1 in 5 cards) will be in contactless operation across the UK by the end of the year.

Peter concluded by saying that contactless and cards will, of course, evolve towards the mobile telephone and that mobile will be the future.

This is something I’ve said for a long time, and think it will go one step beyond mobile as it’s not the mobile that’s the focus of all of this, but the chip.

The chip technology will converge over time so that EMV, RFID and SIM chips all become one.

When you can take a chip and stick it anywhere to wirelessly communicate anything, including a payment, then the real next generation of payments will have really arrived.

And maybe, just maybe, by then it will mean just paying with a wave of the hand.

Note: members of the Financial Services Club can get a full copy of Peter's presentation

Comments (2) | TrackBack (0)

February 04, 2011

The Card & Payments Awards 2011

For the third year running, I was involved in the Card & Payments Awards.

This year I was one of the judges and, last night, the sixth annual ceremony took place at the Grosvenor House in London hosted by comedian, Marcus Brigstocke.

Bank of America gained the most awards by clocking up four trophies, two of which were with their co-brand partners Amazon.co.uk for Best New Credit Card Product and Play.com for Best Card Benefits Programme. Both credit cards are easy to apply for via the retail brands’ websites and both have excellent rewards programmes. Bank of America also demonstrated how the online medium was playing an increasing role in resolving customer service issues earning them the Best Achievement in Customer Service. Their fourth award was for Best Industry Innovation showcasing adaptive authentication for ecommerce 3D Secure, which provides for certain online transactions to go straight to checkout without compromising security.

New categories for alternative payment providers and merchant acquirers were won by programmes demonstrating how the payments world can support small businesses and merchants in providing cost-savings and more targeted communications and benefits. Cross-border payments specialist, Earthport, won Best Alternative Payments Programme with their Earthport Direct self-service on-demand payment channel which allows small businesses to make low-value payments to their overseas suppliers and customers. AIB Merchant Services secured the Best Merchant Acquiring Initiative with its AIBMS loyaltyplus programme giving smaller merchants the opportunity to offer loyalty rewards for their customers. Another merchant acquirer to provide solutions to its merchants is HSBC Merchant Services, who won the Best Security or Anti-Fraud Development, with a major advance in security and a step-change in the ease and therefore cost control of PCI DSS compliance for merchants who take in-store transactions. Cost-savings were also demonstrated in the public sector with the Department for Work and Pensions Government Procurement Card operated by J.P. Morgan winning Best Business Card Programme.

Barclaycard took home two trophies for customer-facing programmes. Firstly in the Best Crossselling Programme category for Barclaycard LifestylePlan and secondly for Barclaycard Freedom, which provides customer rewards at the point-of-purchase and which won Best Technology Initiative. Other customer-centric programmes which won trophies included the Best Card Benefits Programme won by Sainsbury’s Finance for its Sainsbury’s Gold MasterCard, aimed at families travelling abroad. LaSer UK helped department store chain, M&Co. target its most profitable and loyal customers and won the Best CRM Programme. The ‘Realise Your Potential’ campaign by American Express had the customer at the heart of its communication, impressing the judges to take the Best Credit Card Marketing Campaign.

Two prepaid card programmes secured trophies. Best New Prepaid Card went to the Post Office for the Budget Card enabling people to budget for their periodic utility bill payments and other products and services available through the Post Office. Best Prepaid Marketing Campaign was awarded to Asda for its Student Shopper Card. The first winner of the Best New Debit Card Product category was private banker, Duncan Lawrie for an innovative dual-function debit and credit card, giving flexibility to the customer.

Good causes and community featured heavily in this year’s entries with three of them winning last night. Best Charity Credit Card Programme was won by the RSPB with The Co-operative Financial Services. M&S Money demonstrated a culture of volunteering across the company securing the Best Corporate Social Responsibility Programme. Finally Yorkshire Bank supported the work of a local Yorkshire artist, Ashley Jackson, using a painting they commissioned from him as the new card design for their Private Debit MasterCard whilst also using the launch to raise money for Help The Hospices.

As always, The Card & Payments Awards highlighted the importance of recognising responsible lending and for the fourth consecutive year, Nationwide Building Society took the coveted trophy for Most Responsible Credit Card Lending Practices for its ‘More Than Words’ programme.

The full list of award winners is as follows:

• Best New Credit Card Product of the Year – Amazon.co.uk and Bank of America

• Best New Prepaid Card Product of the Year – Post Office and Bank of Ireland

• Best New Debit Card Product of the Year – Duncan Lawrie

• Best Credit Card Marketing Campaign of the Year – American Express

• Best Prepaid Card Marketing Campaign of the Year – Asda

• Best Card Design of the Year – Yorkshire Bank

• Best Card Benefits Programme of the Year – Sainsbury’s Finance

• Best Card Cross-selling Programme of the Year – Barclaycard

• Best Co-branded or Affinity Credit Card Programme – Play.com and Bank of America

• Best Charity Credit Card Programme – RSPB and The Co-operative Financial Services

• Best Business Card Programme – Department for Work and Pensions and J.P. Morgan

• Best Corporate Social Responsibility Programme of the Year – M&S Money

• Best Industry Innovation of the Year – Bank of America

• Best Merchant Acquiring Initiative – AIB Merchant Services

• Best Alternative Payments Programme - Earthport

• Best Security or Anti-Fraud Development – HSBC Merchant Services

• Best Technology Initiative of the Year – Barclaycard

• Best Card CRM Strategy – M&Co. and LaSer UK

• Best Achievement in Customer Service – Bank of America

• Most Responsible Credit Card Lending Practices - Nationwide Building Society

• Industry Personality of the Year – Ron Kalifa

Comments (0) | TrackBack (0)

December 21, 2010

2010 Review: Payments

So, there are a lot of things we’re juggling around with in the payments arena, from real-time to TARGET2 to SEPA to SWIFT ISO20022 to mobile to contactless to biometrics and more.

I guess I can summarise this area best by using the results from this year’s payments survey because the last section of the survey asked people what's hot, hot, hot in payments this year.

EUROPEAN PAYMENTS

What was not hot is the world of the Single Euro Payments Area (SEPA) and the Payment Services Directive (PSD). Interest in these areas due to stagnation and indecisiveness had, to be honest, become flatter than the Flat Earth Society's annual party. In fact, an indication of how much euro interest exists was articulated well in an insight article on CNBC that claims that: “The European Union Is Over”.

I wouldn’t go that far but, in reviewing the developments of this year, I would say that everything in the Eurozone got a bit tired, tainted and tense.

Thank goodness therefore that the SEPA end-date is in sight, with the European Commission approving the forced migration of national instruments to SEPA credit transfer and direct debit schemes 12 and 24 months after the new regulations for migration are approved.

So that puts SEPA to bed (lol), and leaves me to hone in on other key areas such as mobile and contactless payments.

MOBILE CONTACTLESS

Often breathed in the same breath, these are distinctly different areas even though they are converging as we speak.

For example, Orange has just committed to rollout contactless payments and NFC capabilities across all of their European network next year, whilst Google and Apple are committed to incorporate NFC into Android and iPhones.

Picture stolen from Brett King

So we’re definitely in the era of simple mobile payments.

This was voted the #1 item of interest amongst those responding to the survey this year, and is top of mind with everyone.

What’s surprising is that mobile contactless may be top of mind, but it’s transient.

We’re already into using NFC tags everywhere and the mobile operators’ movements will simply decimate the NFC stick-on tag business (sorry taggo, bling nation et al).

Meanwhile, the fundamental issue is still not addressed: where can you use an NFC chip?

Barclaycard have been pushing Visa Paywave for a couple of years now, and yet I hardly ever get a chance to use it.

Sure, we may now have a few London taxi’s wirelessly enabled, but it’s hardly dense terminal acceptance or usability.

And there’s the rub: we need more terminals.

Maybe they could learn something from Zapa in Ireland, where AIB Merchant Services have worked closely with them to rollout terminals that can use the tags.

Half of all AIB’s merchant terminals are now Zapa ready: that’s 40,000 of their 90,000 terminals, with over 1.5 million contactless transactions in the year to September 2010.

Compare that with Barclaycard who have rolled out just 42,500 merchant terminals to date and processing just over a million transactions by November 2010, and you can see the challenging dimensions they face.

Hmmm ... but there’s no doubt that this will grow ... except that by the time it does, technology will have moved on and direct mobile-to-mobile, or M2M payments, will be the order of the day.

Ah well, we always roll out three-year old technologies to meet three-year ahead needs.

Behind mobile contactless, real-time payments is the next big deal.

REAL-TIME PAYMENTS

Real-time payments are big news because everything is moving into real-time, a point I’ve made often.

What real-time really means is real-time information transfer. Information about money moving worldwide in real-time. Not the money itself, which will still be gated and subject to the laws and barriers required to ensure money moves at the pace of AML, KYC, repudiation and revocation needs.

But real-time is a game changer, as real-time information, risk, cash and enterprise management is delivering real differentiation for corporates and clients worldwide.

That’s why banks need to focus upon it.

For example, in corporate treasury, real-time information that consolidates all the knowledge about a corporation's cash positions across all of their operations, geographies and subsidiaries would be invaluable. In fact, it amazes me that most companies do not have this capability.

That is because they are multi-banked and multi-country.

Banks that focus upon aggregation of information in real-time to provide additional knowledge about money will win business.

That's why real-time is important.

OPERATIONAL MANAGEMENT

After these big ticket items, everything becomes a bit more mundane with new pricing models for European payments post-SEPA, SWIFT MX and ISO20022, payments processing hubs, liquidity management and such like being on the ‘must-do’ list.

It’s all about standards, cost reduction and ensuring efficient processing. In other words, good operational management focus.

I could write a lot more about this, but it's covered pretty well elsewhere by SWIFT and other forums, so I'm not going to get all techie today (phew!).

The only point that’s really worth noting on the ‘new for 2010’ model from my side is the fact that there are a lot of new payments institutions appearing out there.

NEW PAYMENTS INSTITUTIONS (PIs)

PIs are new, non-bank payments processors taking out licences across Europe to process payments instead of, or on behalf of, banks.

Funnily enough, when we mention PIs, most people normally think of institutions like PayPal except that PayPal respond by saying: “we are a bank”.

First Data, Western Union, Mobile Telecom firms are also keen PIs, with over 70 licenses registered with EU authorities so far this year to offer payments services in this form.

But the most intriguing new PI for me is Voice Commerce.

Not because they were the first non-bank PI to register with the EU after the implementation of the Payment Services Directive (PSD).

Nor because they were the first PI to become a Visa and, more recently, MasterCard Principle Member.

No, the reason for Voice Commerce being of interest is that they use the idea of the human voice biometric being an identity authentication method.

Bearing in mind that yesterday, all things were moving to mobile and today, all payments are moving to mobile, the idea of using a human voice biometric on mobile seems to be a non-brainer.

And yet, according to our survey, voice biometric fraud management is the least interesting aspect of 2010s innovations.

Amazing how short-sighted we can be when it comes to seeing what may be the most disruptive developments sitting right in front of our eyes or, in this case, right in front of our mouths.

Comments (1) | TrackBack (0)

November 25, 2010

VISA's pride before a fall over the Chinese wall

I was at a fascinating meeting yesterday looking at developments in credit, debit and prepaid cards. There was a standout moment when we had a discussion about China Unionpay (CUP), China’s card processing operator.

First a bit of background.

CUP was set up under the auspices of China’s central bank in March 2002, and is the only domestic credit card organisation recognised by the People's Republic of China as it is owned by 80 Chinese banks and other state entities.

The reason it is disliked by the likes of Visa, MasterCard and Amex is that there are barriers for these processors to get access into the Chinese markets, whilst CUP feeds off their networks to support processing overseas at discounted rates.

For example, the interchange fee structure that Visa, MasterCard and Amex operate is pretty much ignored by CUP.

Consumers who use cards which simply display a China UnionPay logo will not only be exempted from brokerage fees but also will enjoy various services provided by China UnionPay. However, if they choose to use Visa's settlement channel, they will be required to pay a currency transaction fee of 1 to 2 percent of the total amount they have paid or withdrawn ...

At the end of March, the three major global credit card companies, Visa, American Express and MasterCard, pushed the American government to urge China to open up its credit card market to foreign competition. The companies estimated that there was the potential for a 997.8 billion yuan ($150 billion) credit card market in the country. Meanwhile, China UnionPay has expanded its settlement network to 90 foreign countries and areas. They accept not only cards with the China UnionPay logo but also those that display both the Visa and UnionPay logos.

The figures above are actually low-balling it, as the firm describes themselves as follows:

To date, the total number of CUP card issued worldwide has exceeded 2.1 billion; in 2009, the number of CUP card inter-bank transactions reached 7 billion with an amount of USD 1.1 trillion; the overall merchants, POS terminals and ATMs reached 2.13 million, 2.88 million and 930 thousand respectively. China UnionPay has also established partnership with around 400 financial institutions all over the world. As of now, CUP card international acceptance network has been extended to 90 countries and regions. Over 10 of them, including Japan, Korea, Singapore, Russia, Mongolia etc, have issued CUP card.

So the figures are more like over two billion cards transacting over $1 trillion a year.

Wowser.

For a market that size, it does seem a bit strange for Visa to take the bold action of attempting to block CUP users from using their network outside China in June this year, as it resulted in CUP retaliating by blocking Visa from China for a year.

I say strange as Visa has shot themselves in the foot.

Rather than trying to pressure China into opening their borders to trade through international lobbying, whilst trying to partner with them, they have now become an enemy.

Meanwhile, firms like Amex and PayPal have partnered with them.

In a press release last week:

November 18, 2010

China UnionPay and American Express today announced that they have signed a memorandum of understanding that calls for both companies to explore the expansion of their current cooperative activities. For the past several years, China UnionPay and American Express have cooperated within China where American Express Cards run on the China UnionPay network. This new MOU will establish working teams to develop potential new areas of cooperation between the two companies within China and in markets outside of China.

And in a press release in March:

17 March 2010

PayPal and China UnionPay, China's bankcard association, today announced that China UnionPay (CUP) card members will be able to use PayPal to shop online, representing a new opportunity for international retailers to sell to a large base of Chinese customers who, combined, hold 2.1 billion CUP cards ... Chinese consumers have more disposable income than ever before and are starting to look for the best products the world has to offer. CUP card members will be able to use PayPal in the third quarter of 2010. This gives merchants the opportunity to spend the coming months preparing their Web stores for Chinese consumers, including adding Chinese translation and fast, cost effective shipping methods.

What this says to me is that firms who see China as the land of opportunity must be willing to adapt their business models and, potentially, their principles to gain access. You could admire Visa therefore for not dropping their values ... or view them as foolish for sacrificing access to this trillion-dollar opportunity by not changing their business approach.

Meanwhile, a nuance of this story is here in the UK, where RBS WorldPay has been opening access across UK POS and ATMs for Chinese tourists in partnership with CUP.

Chinese tourists only started arriving in London in 2005, and are now the biggest spenders in our country. Apparently, the average Chinese tourist spends about £800, compared to American tourists who spend an average £650 each.

Who would have thought the wealthiest tourists in the world would be Chinese a decade ago?

And who would have thought that RBS would be doing so much to bring wealth to our impoverished nation during these austerity times.

Bravo ... or is it shame on you?

Totally depends on your own point of view.

Comments (1) | TrackBack (0)

September 27, 2010

Why does the card securities council not care about card security?

I mentioned that I spent last Friday morning with card fraud and security experts. The conversation began with a wide view of what’s happening, and a focus upon PCI DSS Standard 2.0, which is yet to be published.

The Payment Card Industry (PCI) Securities Standards Council (SSC) have developed new versions of the PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS) for release at the end of October, which will then last three years in implementation.

After that period, there will be a one-year sunset before the next generation of PCI standards take over.

This is based upon the new agreement in the cards markets which means that every three years a new standard is released to keep up with market and technology change, with a year to implement the new standards and phase out the old one.

Source: PCI Lifecycle Factsheet

The fact that the new standard appears to be an evolution of the old standard, with no changes to merchant technology, is a good thing some say, as it means no major budget changes to card machines.

However, it’s not a good thing as it ignores many key areas of technological development within the card community, such as server and desktop virtualization, tokenization of regulated data, end-to-end encryption (E2EE) of card holder information and the use of cloud-based applications.

This is interesting as card processors, such as Visa, are offering guidelines in these areas, such as Visa’s best practices for tokenization.

Tokenization is a relatively recent practice whereby credit card data is changed to ensure data thieves cannot steal it, for example by only communicating the last four digits of the credit card. The view being that if the data’s not there, it cannot be stolen.

Their report makes an interesting read:

“In October 2009, Visa published the Visa Best Practices for Data Field Encryption to promote the proper encryption of sensitive card data that is transmitted, processed or stored by stakeholders throughout the payment system. As part of these best practices, Visa recommended that entities use tokens (such as a transaction ID or a surrogate value) to replace the Primary Account Number (PAN) for use in payment-related and ancillary business functions.

“Tokenization can be implemented in isolation or in concert with data field encryption to help merchants eliminate the need to store sensitive cardholder data after authorization. Entities that properly implement and execute a tokenization process to support their payment functions may be able to reduce the scope, risks and costs associated with ongoing compliance with the Payment Card Industry Data Security Standards (PCI DSS).

“How Tokenization Works

“Tokenization defines a process through which PAN data is replaced with a surrogate value known as a ‘token’. The security of an individual token relies on properties of uniqueness and the infeasibility to determine the original PAN knowing only the surrogate value. As a reference or surrogate value for the original PAN, a token can be used freely by systems and applications within a merchant environment.

“Where properly implemented, tokenization allows merchants to limit the storage of cardholder data to within the tokenization system, potentially simplifying an entity’s assessment against the PCI DSS. As a reference or surrogate value for the original PAN, a token can be used by systems and applications within a merchant environment without having to consider the security implications associated with the use of cardholder data.

“The security and robustness of a tokenization system is dependent upon the secure implementation of four critical components, and the overall management of the system and any historical data:

Token Generation: Defines the process through which a token is generated.
Token Mapping: Defines the process for associating a token to its original PAN value.
Card Data Vault: Defines the central repository of cardholder data used by the token mapping process.
Cryptographic Key Management: Defines the process through which cryptographic keys are managed and how they are used to protect cardholder and account data.”

I’ve placed most of this explanation here, to ensure the dialogue is clear in these areas, with the other big discussion area being E2EE.

End-to-end encryption (E2EE) ensures sensitive credit and debit card data is protected from the card being used at a PIN Entry Device (PED) or other card reader, throughout its transmission via the network to the payment processor.

This is achieved by using the latest card readers, which scan and encrypt the cardholder information prior to performing an electronic payment transaction.

These sophisticated devices use Triple Data Encryption Algorithm (DES) Encryption with a Derived Unique Key per Transaction (DUKPT) to encrypt and transmit cardholder data securely over any network.

The terminals also use tokenization to ensure that the encrypted cardholder data transmitted is not the same as the original cardholder data in any way. This means that even if the encrypted data were to be intercepted and somehow compromised, it would be useless to data thieves.

So why is that the PCI SSC is producing a new standard that appears to ignore areas the key areas of tokenization and E2EE, when these clearly help to get to the dream of fraud proofing card payments?

According to the conversation with the guys last week: cost and bias.

The cost issue is an easy one: it would cost a lot of money to upgrade all terminals to be compliant with a mandate for tokenization and E2EE. Think of the UK’s investment in Chip & PIN and make that global, and you get the picture. After all, these standards are mandates, and this is why the SSC is clarifying and making recommendations rather than mandating for these changes to be incorporated.

The bias one is more interesting for me however.

The bias exists in two forms: first, geographic and second, who sets the standards.

The geographic bias exists in the form of many of the key decisions being made to cater for US markets which lay way behind the worlds’ markets. The fact that most card fraud is now emanating from US markets is because they are so far behind.

In fact, it does amaze me that the world’s most advanced economy and undisputed internet and technology leadership should be stuck in the 20th century model of cheque payments and mag stripe card readers. What is all that about?

Cost and laziness.

I mean, come on America, get with the 21st century and start thinking about Chip & PIN and EMV.

Or maybe not.

As PCI Guru sees it: “EMV will save US banks and merchants a total of around $394 million dollars annually. Given the estimated ten billion it will cost to convert totally to EMV, is it any wonder why banks and merchants have no incentive to convert?”

OK, but the SSC still has some questions of bias based upon who sits on the Council, which includes firms such as Cisco, First Data, PayPal and Verifone, alongside banks, merchants and the EPC.

The accusation made by those over here, who have to follow their directions, is that some of these organisations are more there to promote and protect their own systems and solutions, rather than the promotion of best practice in the industry.

Not sure I agree with that accusation, but it was an interesting one.

Maybe this means there should be more interface, dialogue, discussion and cooperation between gropus such as the PCI SSC and the MRC (Merchants Risk Council).

In fact, the most surprising outcome of my dialogue with securities assessors, card encryption firms, and PCI DSS experts last week, is that they had not heard of, or were even aware of, the MRC.

Whoops.

“The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments globally. The MRC was formed when two entities decided to join forces: the Merchant Fraud Squad and the Internet Fraud Round Table.

“The Merchant Fraud Squad was founded in September of 2000 by American Express, ClearCommerce and Expedia. The membership quickly grew and, by the end of 2002, the primary focus was to educate online merchants on how to prevent fraud.

“In 2001, HP and ClearCommerce founded the Internet Fraud Round Table, a grassroots group of large retail merchants, to share best practices through twice a year face-to-face meetings and monthly conference calls. By the end of 2002, the Internet Fraud Round Table had grown to over 60 marquee e-Commerce retailers.

“At the end of 2002, the two groups teamed up to form the Merchant Risk Council.”

If you like the Finanser, check out the books of the blog: the new Complete Banker Series

Comments (1) | TrackBack (0)

September 24, 2010

If you like card fraud, this one's for you

Just spent most of today talking about PCI DSS compliance issues with QSAs focused upon E2EE.

What?

Yea, you heard me right.

Delving into an area that I talk a lot about at higher levels usually, but rarely at these levels.

Today, I was plumbing the depths of the Payment Cards Industry (PCI) Data Security Standards (DSS) and evolution towards End-to-End Encryption (E2EE) standard. This is basically all to do with fraud and risk in merchant terminals from point-of-sale to virtual terminals for online payments.

Merchants are tiered, based on card volumes and values, from Levels 1 to 4, and assessed for compliance through the use of Qualified Securities Assessors (QSA).

As there was so much to discuss, I’ve had no time to write up a blog entry today.

Instead, for those of you interested in cards, security, authentication, identification, verification, identity management and so on, here’s the list of questions I took into the room for discussion:

New PCI-DSS v2.0 - Adjustment or Major change?

The Payment Card Industry Data Security Standard (PCI DSS) has been one of the strongest drivers for investment in IT Security in the past years. Why do we need a new version?

What is changing and how to prepare to the new PCI DSS v2.0? Is it about rewording to adapt to new technologies, or does it bring a new approach to IT Security?

What’s really driving PCI DSS – Is the US government motivated to stem the flow of money to illegal narcotics and arms industries?

How have the long-term consequences of the Heartland data breach on the PCI SSC and the behaviour of QSAs impacted the PCI DSS programmes of merchants?

How can merchants better understand and process the demands made by QSAs in order to maximise the benefits of implementing requests by meeting key security as well as compliance requirements?

Do businesses understand the importance of PCI DSS compliance?

Why is becoming compliant so costly to businesses?

Can all merchants be categorised together when there is great diversity in terms of operating, sales and fulfilment channels?

Tick-box compliance vs. risk-based security: it is said that PCI DSS is based on security best practices, but does it really constitute a risk-based approach?

Are the regulations able to keep up with emerging trends, such as virtualization, cloud computing and mobile technology

PCI compliance and Virtualisation: what are the key differences between the traditional “physical” computing model and virtualised computing models, and what does that mean for your compliance strategy?

Adapting security models to a dynamic, “instant-on” environment: what dynamics must be considered as regards virtual machines and the risk of mixed trust-level virtual machines when striving to reduce security risks to both cardholder, and other sensitive data?

While the adoption of Chip & Pin has been successful in reducing card fraud, it has led to an increase in data compromises in the Card Not Present (CNP) space, what measures might be taken by merchants and acquirers to curb this trend?

What new challenges do mobile payment platforms present us and how can they be overcome? For example, how can we stop merchants from using applications that process CNP payments for transactions where the card and customer are present?

We have seen increasingly that criminals have deployed new methods such as man-in-the-middle attacks that exploit areas that the PCI DSS does not currently cover; what counter measures can be taken to combat them now and in the future and does the standard need to change to account for these exploits?

How do modern banking Trojans inject themselves into systems to overcome security provided by PIN, TAN (Transaction Authentication Number), and iTAN (Indexed Transaction Authentication Number) http://en.wikipedia.org/wiki/Transaction_authentication_number to steal and manipulate transaction data 'on the fly', and how do they cover up their tracks?

What techniques do criminals use to distribute malicious Browser Helper Modules and, why is it so difficult to detect compromised browsers, and what risks do they expose to the end user?

If companies rely on SSL (Secure Sockets Layer) as an effective last line of defence against Trojans that embed themselves into the browser, are they offering any real protection to their end users?

What steps can businesses operating in the online commercial environment take to protect their customers from these threats?

Reducing scope – is E2EE the holy grail? Where are the weak links in the E2EE chain?

The PCI Securities Standards Council (SSC), what have they done well? What could they have done better?

What are the key points on which the PCI SSC need to provide clarification that would help large merchants both secure their data and meet compliance, and by which avenues can merchants lobby for such change

PCI SSC has set up working groups to better understand End to End Encryption and tokenisation –what are the pro’s and cons of working group?

What guidance will merchants need with new regulations on E2EE and tokenisation?

Do merchants focus on wrong areas? Do merchants approach compliance in the wrong way, spending too much time on money on something which only secures a small piece of the whole project?

Why are merchants not always 100% forthcoming to auditors, and what are the top ten things merchants don’t tell their acquirer?

What will the payment security compliance landscape look like in the future and what should merchants do to ensure they stay ahead of the curve?

There’s a whole load more where that lot came from, and I’ll blog a simplistic overview of what the dialogue was all about next week ... bet you can’t wait can you?

If you like the Finanser, check out the books of the blog: the new Complete Banker Series

Comments (0) | TrackBack (0)

April 12, 2010

Online payments is far more than PayPal

As those who follow this blog know, I write regularly about services such as Facebook and PayPal.

This is because they are disruptive and fresh, as well as being incredibly successful.

For example, Facebook is now the world’s #1 website, bigger than Google.

Not bad for a five year old.

Meantime, PayPal is still growing fast, making over $95 a second in revenues based upon $3 billion in revenues this year. This makes them the interweb’s sixth most successful website by earnings.

Not bad for a ten year old.

But these sites are not the be-all and end-all. You have to bear in mind that they are purely popular in their language of origin: English.

As a result, there are several other search engines, social networks and P2P payment services that are succeeding out there, from China’s QQ to Russia’s Yandex.

Here's a world map of social networks, taken from the blog of Vincos, Italy (doubleclick to enlarge picture):

Although Facebook is a big hit worldwide with 400 million users, it’s tiny in some countries like the Czech Republic (Lidé is the #1 social network), Hungary (iWiW), India (Google’s Orkut), Japan (Mixi), Netherlands (Hyves), Philippines (Friendster), Poland (Nasza-Klasa), Russia (vkontakte), South Korea (Cyworld), Taiwan (Wretch) ...

Similarly, PayPal is hardly recognised in some countries.

In the Netherlands, for example, the banks launched iDEAL, a set of standards to facilitate online payments.

iDEAL was created in 2005 by a range of participating banks with ABN AMRO, ASN Bank, Fortis, Friesland Bank, ING, Rabobank, SNS Bank, SNS Regio Bank and Triodos Bank on board today.

Some of the major features of iDEAL include the fact that it offers both real-time payment initiation and authorisation by both the issuing and acquiring bank, followed by irrevocable credit transfers to the merchant at the time of online purchase.

The participation of the banks along with real-time processing, has created a strong perception of iDEAL being SAFE. As a result, iDEAL has gained over 15,000 participating merchants and 5.8 million users, resulting in a total of 45 million transactions in 2009 worth over €3.4 billion (up 60% over 2008).

* maandtotalen = monthly total

In other words, iDEAL has a 40% market share of all e-payment transactions in the Netherlands, with an acceptance rate at almost 9 out of 10 online merchants (88% of all Dutch merchants) compared with only 1 in 4 for PayPal (although that’s up on 1 in 5 a year ago, thanks to the decline of AMEX in the Netherlands).

So the banks do have a PayPal service equivalent ... but, right now, only in the Netherlands, although iDEAL aims to expand across more of Europe by gearing up for SEPA Credit Transfers (SCT) and the Unify XML standards.

Meanwhile, in Russia, their version of Google Checkout has taken a place ahead of the market.

Google Checkout is actually called Yandex.Money run by Yandex, Russia’s largest search engine.

According to Liveinternet.ru, Yandex increased its share of search traffic from 56% in January 2009 to 59% in December to 62% in February 2010.

Yandex.Money claims to be the leading online payment system in Russia as a wholly owned subsidiary of Yandex. Founded in 2002, Yandex.Money has seen payment volumes grow 135% CAGR, processing 21.5 million transactions per year worth $350 million.

This may sound small, but the appeal of Yandex.Money is for the vast numbers of unbanked and underbanked Russians who want to deal online.

Yandex.Money provides over a million prepaid cards per year through 100 distributors, to be used in over 50,000 participating outlets all over Russia. They have over 200,000 participating terminals to load cash on the cards in 80 of Russia’s largest cities, and 1 in 5 customers use them as top-up wallets. Meanwhile, 61% of users pay directly from the Yandex.Money interface online.

So Russia’s online payments market has developed a slightly different way.

Meanwhile, China has an incredible story of the success of Alipay, a division of Alibaba the B2B ecommerce portal.

Alipay is China's primary payment platform thanks to being the preferred payment system for sister firms Taobao and Alibaba.com, along with over 460,000 external merchants. The result is that Alipay has a 49% market share today for all online payments in China:

Q1 2010 market share figures from iResearch

Equally, it has a larger userbase than even PayPal with over 300 million registered users as of March 2010, with five million transactions per day worth an average RMB 1.2 billion (US$176 million).

Why should this be of interest to our global banking community, and PayPal specifically?

News Headline, April 11th 2010: “Alipay, China’s largest online payment network, has announced that Alibaba Group will invest a total of RMB5 billion (US$732 million) over the next five years to upgrade the payment solution for e-commerce in China and around the world.”

Serious stuff!

Meanwhile, in a non-exhaustive list, there are many other online payment services worth a look including 2CO, AlertPay, Bill Me Later, C-gold, CashU, Dotpay, E-Gold, LiqPay, Mobile Wallet, Nochex, PayPay and Z-Payment.

So in future, when I talk about PayPal, don’t forget that we’re also talking about their national equivalents such as iDEAL, Yandex.Money and Alipay. Similarly with Facebook, don’t forget that there’s also Mixi, Hyves, Orkut and Friendster.

The implications of these services on core banking is exactly the same which is that we are seeing the creation of many disruptive, fresh and incredibly successful web services for social and P2P finance ... leading, in future, to social B2B finance.

Comments (9) | TrackBack (0)

April 01, 2010

Who remembers our flexible friend?

Just chatting with a chap over the phone to make an order for some bathroom stuff, when he asks for my Visa or Access card details. Of course he meant MasterCard not Access, and soon corrects himself apologising for his age.

“Oh no, I remember our flexible friend well”, I say ...

It just goes to show the power of branding and a catchphrase, as the card has been defunct since 1996 when it merged with MasterCard.

Originally introduced in 1972 by National Westminster Bank, Midland Bank (now HSBC), Lloyds and The Royal Bank of Scotland, as a rival to the established Visa Barclaycard ...

... Access was one of the UK's best known and loved credit cards.

The reason why this chap happened to mention it to me, he explains, is that he took the second ever Access payment in the UK, way back in 1972.

“What was that for”, I asked, “and where were you working?”

“I was a store clerk back then with Selfridges”, he replies. “And the second payment ever made on Access was for a washing machine.”

“So what was the first ever Access payment for?” I enquired.

“Ah, that was for an Aston Martin”, he enthused. “That got a lot of publicity as it was an Aston Martin purchased by the Duke of Westminster, no less.”

Now that’s something you don’t find out everyday on Google, isn’t it?

Comments (0) | TrackBack (0)

February 12, 2010

The Card Awards 2010

BLOG ENTRY SPONSORED BY:

I've just received the magazine announcing the winners of this year's Card Awards (last year's winners can be seen here).

And the envelope openings went to:

Best New Credit Card Product of the Year
PayPal and Santander Cards

Best Credit Card Marketing Campaign of the Year
Barclaycard

Best New Prepaid Card Product of the Year
O2 and the Royal Bank of Scotland Group

Best Prepaid Card Marketing Campaign of the Year
O2 and the Royal Bank of Scotland Group

Best Affinity or Co-Branded Credit Card Programme
Virgin Money and Bank of America

Best Business Card Programme
HSCB Bank

Best Card Benefits Programme of the Year
American Express

Best Card Cross-Selling Programme of the Year
Marks & Spencer Money

Best Charity Credit Card Programme
Cancer Research UK and Lloyds Banking Group

Best CRM Programme
American Express

Best Corporate Social Responsibility Programme
Bank of America

Best Online Initiative
Barclaycard

Best Achievement in Customer Service
Nationwide Building Society

Best Security or Anti-Fraud Development
Marks & Spencer Money

Best Technology Initiative of the Year
Home Retail Group Financial Services

Best Industry Innovation of the Year
Barclaycard

Most Responsible Credit Card Lending Practices

Nationwide Building Society

Best Card Design of the Year
Barclaycard

Industry Personality of the Year
Peter Godfrey

Not surprisingly, Barclaycard’s Waterslide Marketing campaign won the award for Best Campaign of the Year (blogged about that one a few times) and the O2/NatWest partnership gained a few nods too (see the campaign here).

More surprisingly is the detail in the M&S Security Award for using the SAS Fraud Management solution which resulted in:

the fraud referral rate reduced to 0.05 per cent of total transactions
complaints have fallen by 30% due to Flexible Blocking
the actual value of net fraud losses is 12% lower in 2009 than 2008
the point of compromise model has helped the false positive rate (FPR) to reach 5:1
M&S Money identifies nearly 90% of total fraud cases before the customer does
80% of fraud cases result in no financial loss

Must look into that SAS software.

Mind you, bit fishy that the Best Technology Initiative Award happens to revolve around a TS2 install, as TSYS is the Awards main sponsor.

You can see details of all the awards by registering and downloading the Awards Magazine.

Comments (1) | TrackBack (0)

Chip & PIN is broken (UPDATE)

As many readers know, I've disliked Chip & PIN pretty much since it was launched, as there are better solutions out there. Here's my comment from 2006:

Chris Skinner, CEO of financial services think tank Balatro told silicon.com: "I'm an anti-chip and PIN person. Sorry Apacs - I like them very much but it's not an appropriate technology today. Chip and Pin is very old in a very modern society - it started in France in 1994.

"In Eastern Europe [Hungary and Russia] they have a much better system than chip and PIN - when you make a payment you get a text. You can ignore it or if there's a problem, you get in touch with your bank. It's very cheap but there's been a 93 per cent reduction in fraud - that's far more successful than chip and PIN."

Now, just to add insult to injury, Steven Murdoch discusses how they've cracked Chip & PIN on Finextra, and references a 13-page research paper which explains how it works:

'EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN.

'In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all.

'The paper considers how the flaws arose, why they remained unknown despite EMV’s wide
deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken.

'This failure is significant in the field of protocol design, and also has important public policy
implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems.'

Download the 13-page white paper

Watch the BBC news report video

Read Steven's views in-depth

UPDATE 13-02-10 11:10

The UK Cards Association dismissed the claim, saying that while the research had shown what it was possible to do in theory, this did not mean it was practical or even possible to do in reality.

A spokeswoman said: "We believe that this complicated method will never present a real threat to our customers' cards.

"It requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal. This fraud is also detectable by the industry's systems."

She added that figures due to be released by the group shortly would show that fraud committed on lost or stolen cards during 2009 had fallen to its lowest level for two decades.

Comments (0) | TrackBack (0)

January 25, 2010

Are you taking the PSD?

Interesting article on the guide to all things Europe today, Euractiv, about the Payment Services Directive.

The Directive “has been transposed in all but 11 of the 31 EU/EEA countries”.

Hmmm ... that would be Cyprus, Estonia, Italy and Latvia (Jan); Norway (Feb); Belgium, Greece, Spain, Finland, Malta and Poland (Mar); whilst Sweden is last (Apr).

December 2009: January 2010:

Note: the above are the official charts of the European Commission. Is someone pulling the wool?

“Observers agree that it favours banks and card companies over the merchants, retailers and consumers who will be using the scheme.”

Hmmm ... would the banks agree? The banks that have spent eight years pulling SEPA together? The banks that have spent billions on change and lost billions of margin? The banks that have been arguing that there is no benefit to merchants, retailers and consumers being communicated by the Commission or public authorities?

“The directive may lead to more fragmentation.”

That’s the point isn’t it?

By introducing new payments institutions, it creates more competition which leads to lower prices which leads to better markets, is the contention of the legislators. This was the same view with the other Directive, the Markets in Financial Instruments Directive, that led to market fragmentation for investing with the rise of Chi-X, BATS and many dark pool investment vehicles, where things are traded outside the line of sight of the public market.

Markets do fragment thanks to these Directives. Over time, they then consolidate. That is why Chi-X stands out as a clear leader in the post-MiFID trading world and, over time, the same will happen in the post-PSD payments world.

So fragmentation isn’t necessarily a long-term issue, but a short-term concern.

“The PSD's weaknesses lie in its opt-outs”.

Absolutely. Checkout our research if you want to know what they mean as derogations and opt-outs have created a truly uneven playing field for payments.

“Card companies argue that the EU's new rules do not address the issue of catching fraudulent transactions.”

In the words of an old Tina Turner song: “what’s fraud got to do with it?”

The card companies are right by the way. The PSD is purely concerned about moving towards a level playing field for payments in terms of the legal structures of cross-border transactions. The focus was primarily around direct debit and credit transfer operations, as this is where SEPA had focused and needed support. Cards were not centre of the radar for the legislation, nor was fraud. Watch out for the PSD II in 2012 however, when these things do move to centre stage.

Postnote:

At the end of the article is the line: “SEPA is being treated as a low-priority project in Sweden and Finland because their respective ministries of finance have limited resources to roll out the scheme, according to Elemar Tertak from the European Commission.”

I think the person who wrote this mistook PSD for SEPA.

If they want to know more about SEPA then come along to our meeting tomorrow night at the Club:

"Is SEPA happening and does it matter?" a panel discussion with:

Gilbert Lichter, CEO, EBA
Fred Bär, Managing Director Euro Services, VocaLink
Paul Smee, CEO, the Payments Administration
Simon Bailey, Director, Logica

Chaired by Bob Lyddon, Managing Director, IBOS Association.

Started in 2002, in response to the Lisbon Agenda and Regulations on fees for cross-border cash withdrawals, the Single Euro Payment Area (SEPA) has been in the planning for a long time. In fact, it has been discussed for so long by so many that, for a lot of people, it’s become as dull as dishwater.

This view may be wrong though as, after seven years of gestation, SEPA Direct Debits (SDDs) were finally born in November 2009 and the Payment Services Directive (PSD), which legally supports SDDs, was transposed and implemented in most European countries. So all is good is it not?

Or maybe it is not as, according to the survey the Financial Services Club performed during the Autumn, most nations and most banks are not supportive or implementing SEPA and the PSD correctly. What is the truth? Is SEPA here? Even if it is, does it actually matter?

If you would like to attend, click here.

The Financial Services Club is sponsored by

For details of sponsorship email us.

Comments (1) | TrackBack (0)

January 20, 2010

Twitter's Jack Dorsey reinvents US card payments

Everyone's getting real excited about Jack Dorsey, the co-founder of Twitter, and his new payments application for the iPhone called Square.

If you haven't seen it, here it is:

In a lengthy interview with Pymnts.com, Dorsey says:

"We can provide a lot of things that I think have been missing in payments – specifically like around the receipt, for instance. We all get these receipts, these paper receipts, that most of the time people are just annoyed to receive because they're not really useful. So what if we could really turn the receipt into more of a publishing medium, into something that lives on and something that is actually clickable and useable, and something that just exposes the various end points of the transaction. That's exciting."

I agree and the full interview is worth a read / listen.

The thing is that Square is good for the American markets, but it is very last century because it focuses upon a card's magnetic stripe and signature for authentication. That's the way Americans pay for things but other markets have moved away from this as it is so insecure.

For example, watching the video of how you might pay using Square, the idea of fraud pops into my head with big alert signs, probably because it would make it easy to access a person's credit card using Square. In particular, a signature based upon scratching away with my fingernail ...

This is why so many other markets, most recently Canada, has moved over to a Chip and PIN world, leaving America languishing in the past.

That is why Square has a limited market.

Now then, if Mr. Dorsey can take the Xiring terminal and build that into Square, he could be onto something. For example, here's Barclays guidance video for online secure payments (2:50 is critical point here, the Xiring terminal):

Or maybe it's just something as simple as combining Square with text message alerts to the credit card holder every time a Square payment is made.

Nothing like simple solutions to complex problems, aren't there?

Comments (2) | TrackBack (0)

December 02, 2009

The Card Awards 2010

Last year, I was a judge with the Card Awards.

This year I couldn't make it, but they have just announced the shortlist.

Here it is:

Best New Credit Card Product of the Year

Barclaycard - Barclaycard Goldfish Low Rate Product
Egg - Egg Money World MasterCard
Leeds United and LaSer UK - Leeds United MasterCard
National Australia Group - NAG Business Card
PayPal and Santander Cards - PayPal MasterCard
The Royal Bank of Scotland Group - Natwest Savings Accelerator

Best New Prepaid Card Product of the Year

E.Z. Pay and Newcastle Building Society - Escape Card
Hiten Cards and Newcastle Building Society - Hiten Card
O2 and The Royal Bank of Scotland Group - O2 Money Card Services
TUI and PrePay Solutions - TUI Travel Card Programme
White Eagle and Newcastle Building Society - Freedom Card

Best Card Design of the Year

Bank of America - MBNA Platinum Card Choice
Barclaycard - Simplifying Payments
Egg - Egg Money World MasterCard
Hiten Cards and Newcastle Building Society - Hiten Card
White Eagle and Newcastle Building Society - Freedom Card
WWF and Bank of America - WWF Credit Card

Best Credit Card Marketing Campaign of the Year

American Express - Platinum Cashback Credit Card
Bank of America - Football Season Ticket Acquisition
Barclaycard - Barclaycard Waterslide
Egg - Egg Money World MasterCard
Santander Cards - Alliance & Leicester Direct Mail Campaign
Virgin Money and Bank of America - Virgin Money Card

Best Prepaid Card Marketing Campaign of the Year

Debenhams and PrePay Solutions - Debenhams Beauty Club Reward Card
E.Z. Pay and Newcastle Building Society - Escape Card
Hiten Cards and Newcastle Building Society - Hiten Card
O2 and The Royal Bank of Scotland Group - O2 Money Card Services
Pizza Express and G-T-P Group - The Pizza Express Summer Pass
White Eagle and Newcastle Building Society - Freedom Card

Best Card Benefits Programme of the Year

American Express - Preferred Seating
Barclaycard - Barclaycard Unwind
Celtic Football Club and Bank of America - Celtic FC Credit Card
Egg - Egg Money World MasterCard
E.Z. Pay and Newcastle Building Society - Neon Card
The Royal Bank of Scotland Group - RBS Business One Premium

Best Card Cross-selling Programme of the Year

American Express - 'Back on Track'
Bank of America - Cross-sell Card Choice
Lloyds Banking Group - Lloyds TSB ID Aware
Marks & Spencer Money - M&S Premium Club, Something Special

Best Affinity or Co-branded Credit Card Programme

bmi and Bank of America - bmi Credit Card
Flybe and LaSer UK - Flybe MasterCard
Liverpool Football Club and Bank of America - Liverpool FC Partnership
Post Office and Bank of Ireland - Post Office Credit Card
Virgin Atlantic and Bank of America - Virgin Atlantic
Virgin Money and Bank of America - Virgin Money

Best Charity Credit Card Programme

Amnesty International and The Co-operative Financial Services - Amnesty International Credit Card
Breakthrough Breast Cancer and Bank of America - Breakthrough Breast Cancer Card
Cancer Research UK and Lloyds Banking Group - Halifax Cancer Research UK Charity Card Comes of Age
National Trust and Bank of America - National Trust

Best Business Card Programme

Bank of America - MBNA Business - Flying the Flag for Small Business
Becta and Barclaycard Commercial - Becta Home Access Card
HSBC Bank - HSBC Commercial Card
The Royal Bank of Scotland Group - RBS Business One
Travelodge and G-T-P Group - Travelodge Business Account Card
Tuxedo Money Solutions and Newcastle Building Society - Tuxedo Corporate MasterCard Prepaid Card

Best CRM Programme

American Express - Targeted Merchant Treatment
Bank of America - American Express Life Inserts
Bank of America - Department Store & Motoring Merchant Category Code Campaign
Bank of America - Football Card Spend Stimulation
Bhs and Barclaycard - Barclaycard & MasterCard SKU Analytical Tool
InterContinental Hotels Group and Barclaycard - Priority Club Rewards Visa Card life stage targeted emails

Best Corporate Social Responsibility Programme

Bank of America - Team Bank of America
Barclaycard - Barclaycard Horizons
Barclays Bank - Basic Bank Account Conversion

Best Industry Innovation of the Year

Barclaycard - Mobile Payments
Barclaycard Commercial - Visa CodeSure Card
Becta and Barclaycard Commercial - Becta Home Access Card
Ghana International Bank - Ghana International Bank Debit Card
The Royal Bank of Scotland Group - Natwest and RBS Savings Accelerator
The Royal Bank of Scotland Group - Open Contactless EMV Payments on Buses

Best Security or Anti-Fraud Development

Bank of America - MBNA Travel Flag
Barclaycard - Customer Fraud Alerting Service
Barclays Bank - Cardholder Travel Registration
The Co-operative Financial Services - Cutting Credit Card Fraud
Marks & Spencer Money - Focussed on Fraud, Committed to Cardholders
Nationwide Building Society - Fighting Debit Card Fraud with ACI Proactive Risk Manager

Best Technology Initiative of the Year

Bank of America - Enhanced IVR
Barclaycard - Mobile Payments
Barclaycard - MyBarclaycard
Bhs and Barclaycard - Bhs MasterCard Colleague Portal
Home Retail Group Financial Services - Argos and Homebase Cards – a heart and lung transplant
The Royal Bank of Scotland Group - Open Contactless EMV Payments on Buses

Best Achievement in Customer Service

American Express - Customer Service Centre 'Listen' Strategy
Barclaycard - MyBarclaycard
Barclaycard - Pre-application Checker
Home Retail Group Financial Services - Argos and Homebase Cards – a customer centric approach
Nationwide Building Society - Speed, Simplicity and Security

Best online initiative

American Express - Online Welcome Journey
American Express - Realising The Potential of Online Services
Bank of America - MBNA Personalised URLs
Barclaycard - Barclaycard Breathe
Barclaycard - MyBarclaycard
Barclaycard - Pre-application Checker

Most Responsible Credit Card Lending Practices

American Express - Transparency and Customer Advocacy
Bank of America - Mortgage Shock Initiative
Bank of America Ireland - Bank of America Ireland Credit Decisioning
HSBC Bank - Your Credit Card Through Good Times and Bad
Lloyds Banking Group - Helping Hands - Customer Support For The Journey
Nationwide Building Society - Working Together

Comments (0) | TrackBack (0)

November 24, 2009

End of the cheque: open outcry! (UPDATE)

The Daily Wail, Britain’s second largest daily newspaper after the Pun, has finally got wind of the imminent demise of the cheque, as discussed here the other week. This is because the banks vote soon as to whether 2018 is the year of its removal or not.

In their article, they have some good bits, such as these great factoids:

The ancient Romans are believed to have used an early form of cheque known as praescriptiones in the first century BC
The English word cheque comes from the Arabic sakk, which refers to a written note of credit used by Muslim merchants
The predicted number of cheques written per day in the UK in 2018 is 1.6m
The average value of a personal cheque payment is £227
The amount of retail spending still paid for by cheque is 3.9%
According to the Guinness Book of World Records, the largest ever oversized cheque was 12m by 25m (39 ft × 82 ft)

But then the main body of the article provides the usual unhelpful rubbish such as: "the move was criticised by consumer groups, business lobbyists and charities representing the elderly. They raised fears that vulnerable people, who have relied on their chequebook all their lives, will be left confused."

This is even though the Payments Council's research proves this is not the case and, in reality, it is like reading an article calling for us to give up the internet and return to logarithmic tables.

No wonder the almost 300 comments from readers say things like:

"If so few cheques are now being written out then surely it isn't beyond the wit and capability of the banks to be able to deal with them?"

"Of course they want to abolish cheques, why spend a £1 to process them when they can charge us a couple of quid for a direct debit. This will be the start, what next a £50.00 charge to open an account?"

"Electronic financial transactions are not secure, and the banks put the onus on the customer to prove that they the customer are not the fraudster."

"Without a cheque book I will no longer want a bank account, I will have to revert to using cash everywhere, and go back to gettinng pension from the post office in 'real' money."

What these comments demonstrate is that cheques may be a paper-based piece of ancient history, but it is not one that can easily be replaced by alternative means.

When you need to send a payment by post or are managing cashflow in a small business, the cheque is still the main method of payment and even with online and mobile banking, cards, PayPal and more, the cheque still has a place.

Until the banks provide a clear alternative, the arguments about the removal of cheque payments will continue.

More commentary today in lead opinion column by Rowan Pelling in the Daily Telegraph:

"My bank is always offering me indescribably useless "benefits", such as insurance I don't need, to justify charges on an account that's almost always in credit; now it's threatening to withdraw the one thing I find indispensable ... I just wish someone would set up a bank that gave you what you wanted: no fees for those in credit, handsome chequebooks, like those you used to get from Coutts or Drummonds, and freedom to phone your branch's manager directly. There would be a stampede."

Plus top reader's letters:

SIR – Last week I found I had not received the new cheque-book that usually arrives, so that I always have one to hand (Letters, November 24).
I phoned Lloyds, and was informed that it no longer sends out cheque-books automatically, as many big firms were no longer accepting cheques. It was the first I had heard of the bank's new policy and I asked for an objection to be registered because:
1. Paying utility bills by cheque gives me control over the date of payment. Where I have been forced to pay by direct debit I find it difficult to keep a check on payments;
2. Cheques are the only way to make a safe means of payment by post;
3. Cheques save keeping large sums of cash in the house;
4. They are a simple way to send money to private individuals and small societies.
Over the past two months, 20 out of 25 cheques that I have written have been to private individuals and small societies.
Diana Morgan
Swanage, Dorset

SIR – I am very fond of my cheque-book but those troubled by their possible demise should take heart.
When I lived in Amsterdam, I discovered that banks in the Netherlands do not supply cheque-books. My initial consternation was won over by their simple system of everyone from utility companies to charities supplying tear off forms on bills and the like, which one sent directly to one's own bank, asking it to make a payment.
This saves the roundabout method of writing a cheque, sending it the payee, their sending it to their bank, that bank sending it to one's own bank and the payment being made. It also removes the grey area of clearing, when money is in limbo.
The banks could reject the payment directly if, as often in my case, sufficient funds were not in the account.
If British banks abolish the cheque, could we not adopt a similar system?
Christopher Leach
London W11

SIR – I suspect that many a one-man business and their customers are looking forward to the demise of cheques.
Just think of the income to be hidden and VAT evaded through payment in cash.
Patrick O'Hara
Arden, Warwickshire

The Finanser is sponsored by Vocalink and Cisco:

For details of sponsorship email us.

Comments (5) | TrackBack (0)

November 16, 2009

Mashup technologies in real-world banking

For quite a while, I've been trying to find some real-world examples of mashup technologies in banking. I use these services extensively in other areas of my life - on this blog (the widget for search for example), my Facebook account (feeds and videos), my Twitter account and more.

However, I've never found a bank that is using these technologies in the real-world.

I have found some examples internally for services, and in some corporate to bank services but real-world with consumers? No, although I suspect there are a few out there such as BBVA.

But I have found an IT provider who gave me a great example as to how this might work.

Here is their mashup mockup.

OK, imagine you're looking through your bank statement online and you spot a dodgy transaction (double-click the image to enlarge) ...

Mmmm ... don't like the look of that cash transaction at an ATM, let's have a look at my last few card transactions.

Here's the real reason I'm posting this. Now we see the card transactions integrated with Google Maps, context based advertising and other services to make the card experience part of a mashup of my web experience.

In this case, I can now click to check that ATM transaction using Google maps:

and remind myself as to whether I was really there or not.

Love it!

And thanks to Toni Plana for the screenshots.

The Finanser is sponsored by VocaLink and Cisco:

For details of sponsorship email us

Comments (2) | TrackBack (0)

October 21, 2009

Barclaycard contactless strikes again

Following on from their campaign using the waterslide to promote their contactless cards, Barclaycard strikes again.

This time it was a surprise that popped out as I was looking through the shelves of our local newspaper shop.

Eyeing the shelves, this week's Retail Week stood out.

It's not a magazine I would normally buy, but there was a wrap around advert over the front page that caught my eye:

Mmmmm, methinks, what's this?

Aha, it's Barclaycard getting the contactless message out there again, this time targeting the key audience: merchants.

And it's all backed up by their website which makes it sound so easy:

How accepting contactless payments helps your business

This innovative card reader lets customers pay for products that cost £10 or less, like a coffee or newspaper, in less than a second. Using contactless technology, small value transactions are processed securely at phenomenal speed, so you no longer miss out on sales because customers don't have enough change.

The benefits of going contactless

…for your business

Card payments of £10 and under, are processed in less than a second.
No authorisation, signature or PIN is required, unless cardholder details need to be verified.*
Reduced queues allow you to serve more customers.
Become the preferred retailer for contactless card users.
Higher spend from customers who aren't limited by the change in their pocket.
It uses the same secure network as chip and PIN.

…for your customers

They always have the correct 'change'.
No need to worry about PIN numbers or signatures, unless their details need verification.
Shorter queues as customers are served faster.
No contact is required, speeding up the transaction.
Contactless keeps a record of their spend.

A step-by-step guide to using a contactless terminal

Any debit or credit card with the Wave symbol can be used to pay for products worth £10 or less, in these simple steps:

Cardholders simply touch their card to the reader and the payment is made.
This contactless payment is processed through the same secure network as chip and PIN.
The whole transaction is complete in under a second.

How to start accepting contactless payments

To join the revolution, all you need is a contactless reader at your checkout. It simply plugs into your existing chip and PIN terminal, for instant installation.

When other banks launch contactless payment cards, our reader will be able to accept those too, with no need to upgrade or change your terminal.

Just after posting this, I notice the mainstream Barclays Bank were hit with the old Lebanese Loop trick. Maybe they could learn a thing or two from their innovative brother.

Comments (4) | TrackBack (0)

October 07, 2009

One step ahead of the card fraudsters

The UK Payments Administration released the latest fraud figures today (doubleclick to enlarge):

This shows general card fraud is down 23% to £232.8 million in the first half of 2009 although, of concern, will be the fact that online fraud is increasing at a rapid click (55%) year-on-year. This rise in cardholder not present activity is probably due to cardholder present fraud declining rapidly thanks to Chip & PIN.

Mind you, even the rise in internet fraud isn't too bad when you think that losses from phone, internet and mail order shopping fraud overall have fallen for the first time ever and now stand at £134 million.

According to the Payments Association, this is because of the increasing use of sophisticated fraud screening detection tools by retailers and banks, as well as the continuing growth in the use of MasterCard SecureCode and Verified by Visa by both online retailers and cardholders.

It all sounds rosy ... but for users of such services, it is still proving challenging as card readers and Chip & PIN are still called into question.

Just this week, consumer groups are telling banks that they must not always assume the customer is to blame if a payment is made with a PIN for example.

PINs can be compromised.

All in all, it seems to show that the anti-fraud measures are just about keeping ahead of the fraudsters however ... except when it comes to online.

Mind you, with most email accounts compromised this week, it just shows how difficult this battle will be ... after all, if Google, Microsoft and company can be phished, who's next?

The Finanser is sponsored by VocaLink and Cisco:

For details of sponsorship email us.

Comments (0) | TrackBack (0)

October 01, 2009

The branch-based banking model is dead (UPDATE)

Here’s a summary of the presentation I gave at the conference this week.

The headline is that the traditional model of banking is dead, long live the new bank model.

The dead model is the one where 80% of costs of retailing are in stores (branches).

Branch based banking is dead.

Branches are not dead ... just the concept of branch-based banking per se.

UPDATE: the critical point here (which some are missing - see comments) is that branches are not dead. You still need some for sales and relationships. But about a tenth of the number that most banks have today as the majority are just administration or transaction outlets that can be automated.

For those who read the blog regularly , you’ll know what I mean but, just in case, the point is that 8 out of 10 branches were opened as administration centres to service the transaction needs of communities. Those needs are now being self-serviced so what are those transaction centres there for?

In particular, as 95% of customer contact is now being delivered remotely through technology channels, including corporate customers, this should mean that at least 80% of the cost goes into the staffing, processes and technology used in those channels.

In other words, 80% of the old bank operational costs for retailing were in branches. Today, it should be in technology channels.

But there’s more to it than that.

It’s about relationship and connections.

People get technology today not because it’s gadgets but because it is connecting their lives to the lives of countless friends and strangers.

This is why Facebook can go from nothing to a place with the population of the United States in under four years, and why Twitter can go from off-the-radar to on-everyone’s-radar in just under a year.

Last year, no-one mentioned Twitter.

Today, it’s an integral part of the show.

But it’s only integral because it helps people manage, share and organise their lives and loves.

And that’s what banks have to do if they are to reconnect. They must connect people to their money and finances in a simple and easy way.

The presentation draws on all the materials you can find in our directory of social finance, and is themed around the human connections that make up our lives.

This is why each point ends with human faces, as that’s what it’s all about, and empty branches, as that’s what it’s all about.

The Bank Model Is Dead (download)

View more documents from Chris Skinner.

By way of a little more explanation of the flow.

To start with, today’s kids see the computer and its operating system as a history lesson.

They don’t care how technology works, just as I don’t care how electricity works.

I just like what it can do, and that’s how kids see technology.

They also see banks as a history lesson.

Their grandparents went into branches, their parents used ATMs and they just think of money and banking as being like Mint, an internet service that organises their finances for them.

What’s a bank branch for therefore?

Equally, everyone keeps referring to the Facebook and Twitter generation, or the twitfaced generation as some might call them.

Who are the twitfaced generation?

They’re not the under 25’s.

They’re not the under 35’s.

They are the over 35’s.

Most Facebook and Twitter users are average age of 40.

So when we talk about social networks, we are not talking about the next generation of customers. We are talking about the current generation.

If anything, the new generation of customers should be called “the Mob”, as they are all about being mobile connected youth (the Mobile Youth website is brilliant if you want more on that).

So what we’re really saying is that you need to completely rethink the bank around social technologies and rethink the branch network by closing most of it down and reinvesting that saving into social finance.

If you don’t, you’re dead.

Give it less than a decade, and you’re dead.

I’m serious.

Mainstream media fought this battle ... and lost.

That’s why television and newspapers are shutting down by the bucket load as today’s media is created by me on YouTube and Typepad.

So stop fighting the lost bank cause of the branch network.

Rethink it.

Keep the branches you need for sales, and shut the rest down.

Replace them with ATMs.

Equally, start thinking about new ideas such as microtransactions.

A billion iPhone app downloads in nine months.

Charge 50 cents a download and you’ve generated $500 million.

That’s the future.

It’s the grains of sand that will build the future.

And some banks get this stuff.

eBank and Jibun Bank in Japan; Wells Fargo and Bank of America in the USA; BBVA, Caja Navarro and a few others in Europe; but these are few and far between.

By way of example, I’m still waiting for my bank to start a blog or anything ... instead I just have a locked out website with activation codes that don’t work (long story).

In summary, the bank of the future will connect with me intimately via my mobile lifestyle 24*7. They will not only be proactive, but predictive of my needs and will provide me with a connection not just to a payment or to my money, but to my financial lifestyle.

That’s what MINT is doing today and BBVA has delivered too, but it requires bravery to go down this route.

Being brave by shutting down transaction centres, opening hi-touch 21st century sales centres and pushing the rest down a common technology platform that supports access via mobile, laptop, music player, television, car ... any internet-enable device basically.

And this changes your business model as the old model would involve massive investment in the business case to launch new technology platforms.

Today, technology is free and disposable.

So get on with it.

Retail bankers of the world, unite.

Shut down the branches and bite the bullet.

Stop fighting the old fight and start focusing on the future.

Otherwise you’re just dead meat, and who are we all going to sell to then?

The mobile phone companies?

p.s. as mentioned, all the case studies supporting this can be found at our directory of social finance

The Financial Services Club is a unique service designed for Senior Executives and Decision Makers from any firm interested in understanding and planning strategies for the future of banking and finance.

March 18, 2011

March 15, 2011

February 25, 2011

February 04, 2011

December 21, 2010

November 25, 2010

September 27, 2010

September 24, 2010

April 12, 2010

April 01, 2010

February 12, 2010

January 25, 2010

January 20, 2010

December 02, 2009

November 24, 2009

November 16, 2009

October 21, 2009

How accepting contactless payments helps your business

The benefits of going contactless

…for your business

…for your customers

A step-by-step guide to using a contactless terminal

How to start accepting contactless payments

October 07, 2009

October 01, 2009

Twitter FSClub

Recent Comments

Recent Posts

The Financial Brand

NetBanker

Payments News - from Glenbrook Partners

Payments RSS

Tomorrow's Transactions blog

Analytics