In Business 2.0 John Occhipinti from the Woodside fund wants to pay $5M in venture capital for a fraudproof credit card authorization via cell phones and PDAs. I found this via Nathan’s hilarious Odio.us Elevator Pitch generator.
Lets first look at why John wants this from us:
Credit card fraud is more rampant than ever, and consumers aren’t the only ones feeling the pain. Last year banks and merchants lost more than $2 billion to fraud. Most of that could be eliminated if they offered two-part authentication with credit and debit purchases — something akin to using a SecureID code as well as a password to access e-mail. Occhipinti thinks the cell phone, packaged with the right software, presents an ideal solution. Imagine getting a text message on your phone from a merchant, prompting you for a password or code to approve the $100 purchase you just made on your home PC or at the mall. It’s an extra step, but one that most consumers would be happy to take to safeguard their privacy. More important, Occhipinti says, big banks would pay dearly to be able to offer the service. “It’s a killer app no one’s touched yet,” Occhipinti says, “but the technology’s within reach.”
Let’s identify the problems with what John wants:
His ideas as he says is that the merchant sends a SMS with a payment request to your phone. You then perform some sort of digital signature to authorize it and the payment goes through.
This is already very doable and I have seen lots of similar applications from either smaller entrepreneurs (eg. Luup) in Europe or from various kinds of mobile operator funded initiatives (these always fail though for a variety of political reasons). For the full lowdown on all of these just take a stroll over to Scott’s Payments News Mobile Payment page.
While reading through the latest on Scott’s site I came across UPaid, which looks fairly interesting. They have just got the deal for a massive roll out for Visa CMEA (that is middle eastern region). I’m sure there a loads of startups doing this as the technical side of this is not particular hard. PayPal actually even was originally founded as a similar style application for Palm.
About Credit Cards. Now in the US and arguably for international cross border e-commerce the CC is king. In regional or national markets outside North American and the UK it is arguably not the only horse though.
The CC was a brilliant 1950’s style design, which just is not compatible with open networks in a secure way. This is why lots of contractual padding is necessary around it. Did you every wonder why you need a credit check for a merchant account or for a debit card? Well this is the banks who well understand the risk embedded in an unauthenticated payment device and they need to place the risk somewhere. All the rules about who is liable for what in case of fraud are also based on this.
The CC networks are basically multi party electronic networks, where the only thing circulating are account numbers and amounts. There is no digital signatures or anything like that. When you sign a cc slip, the merchants bank keeps it on file in case of fraud. It never gets sent to the card holders bank or anything like that. What all of this means is that every link in the CC network is insecure and open to fraud. Just because you secure the link between cardholder and the merchant doesn’t secure all the other links in the system, just see the whole CardSystems case as the most extreme case.
The problem with all of these rules and legal safeguards around the card is that the end user has so little liability with the card and is happy with that. All of the attempts by the credit card operators to move more liability on to the card holder by using improved technology have so far failed. See MasterCard SecureCode and Verified by Visa.
If these massive programs have failed, why would a $5M startup offering the same thing but in a mobile package succeed? They are up against the exact same forces.
The only that will improve the security of credit cards is to get rid of the non authenticated credit card completely. This does not mean getting rid of the credit card, but it does mean that you couldn’t just enter your credit card on a web form and over the phone. This could not just be a regional or an optional initiative it would have to be international and compulsory. If this was made John’s company could provide an ideal system for authenticating credit cards for phone orders.
Now the merchants and their banks (the acquiring banks) would love this to happen and have been pushing for it. Currently they are the only ones who have been affected on a large scale by CC fraud. The other side of the transaction are the card holders and their banks (the issuing banks), who until recently have had very little incentive to change anything. The reason for this is as mentioned above, the card holder has little risk with credit cards and likes the convenience. The issuers are in a very convenient business and none of them want to rock the boat by say requiring Verified by VISA for internet transactions. So nothing will happen until the cardholders and issuers get part of the liability of the insecure system.
I believe that there really is no good way to fight this essentially internal politics within the card associations. The only people who can change these rules are the associations themselves.
It’s much more interesting to work outside of the credit card system and in reality outside the banking system as they really have no incentive to give you what they perceive to be their own business.
The traditional abstraction away from the banks is the electronic money system, which has it’s own money (or gold) backing the funds in circulation. This is relatively simple to create. You have a bank account, a Ledger, a web front end and customer service staff. I was personally involved with one of these. The big problem here is lack of convenience for the end users, who have to “load money” into the system somehow, before they can use it. With roughly $37 Million in circulation E-Gold is pretty large now, but it’s still no where near as big as PayPal for these same reasons.
Many mobile payment systems have wanted to get rid of the reliance on banks by linking into the mobile operators billing system. This has almost always failed as for some reason the European and (even worse) the US operators have shown to be almost more conservative than the banks. It seems like South Korea and Japan have some interesting mobile operator led payment systems that are taking off. But seriously can you imagine Vodafone or T-Mobile do anything like that?
The only large player that is on the market today that could be used to bootstrap a new system is PayPal. I am sure they have their own plans in this area, but this is where I would see something interesting. For a smaller but growing player I would look at Skype as a very possible player. They have a very widely deployed PKI system and a currently untradeable currency of their own called SkypeOut balance.
I’ve written about payment systems before and have strong opinions on it. The last startup I was in was payment related and I’m more than likely going back there at some point, once I’ve cleared my mind a bit with StakeItOut.
I have some ideas that may or may not work to get past the idea of a stored value electronic money system. However I’m not quite ready to spread them out yet ;-). Probably in the new year if I can find someone with equally large hairy cojones who also has an interest in disrupting things a bit.