Community

Just as 9 ot of 10 online purchases are reportedly made using a card, 9 out of 10 people reportedly never check their card statements! For people who don't mind disclosing their card account credentials to a third-party, the recently launched BillGuard service could prove to be a more practical option (Full Disclosure: Neither my company nor I have any business interest in BillGuard). According to its website, BillGuard uses crowdsourcing techniques to scan "...your credit cards daily, alerting you to hidden fees, billing errors, forgotten subscriptions, scams and fraud."

@Stephen W: It's refreshing to read the full picture about EMV, especially the fact that it cannot mitigate CNP fraud, which reportedly constitutes 70% of all card fraud. While a smartcard reader for each customer could provide total protection against fraud, the savings achieved from such a solution needs to be carefully weighed against its additional cost and potential to shrink the target market (e.g. mobile shopping would become impractical; not many people would like to carry a cardreader around). Existing 2FA technologies like VbV/SecureCode could provide a viable alternative. Of course, they also introduce additional friction in the checkout process, thereby threatening loss of revenue from increased shopping cart abandonment. Unfortunately, there seems to be no magic bullet to solve this problem - yet!  

@George R: Given that (a) SMBs are currently on retail banking platforms, and (b) Mobile banking for retail is more powerful and mature as compared to that for corporate banking / cash management, there's also the possibility that, when viewed solely through the prism of mobile banking, SMBs might prefer to continue with their use of retail banking platforms. On the other hand, let's take the example of Mobile RDC, which IMHO is one of the first killer apps for mobile banking and payments. If banks made Mobile RDC and such mobile killer apps available only on their corporate banking / cash management platforms, they might see greater success in migrating SMBs to these higher-margin platforms.  

I'd be more than happy if banks simply get their house adequately in order to respond quickly and coherently to my telephone calls and emails instead of trying to "build relationships" with me over social networks. I see more of an unobstrusive role for them in social media where they pick up the general sentiment as expressed in updates / tweets about them and fix what's not working internally. Anything more at this stage does appear, as Alexander d L says, to be efforts designed to "hide the fact that the basics ain't workin'!"  

According to this page from its website, Google Wallet is an mWallet and not another method of payment. Its basic mobile payment feature seems to work wherever MasterCard PayPass POS can be found without needing any specific adoption by the merchant. It's only to push out offers and loyalty rewards to Google Wallet users that merchants need to sign up with Google Wallet. As a result, the merchant's business case pivots largely around the cost of PayPass contactless POS equipment and needn't be impacted by adoption rate of Google Wallet since the same POS can support many other form factors including contactless cards and competing mWallets that work on PayPass.

Can the regulators or someone else clarify whether Michaels (and SONY PlayStation Network, for that matter) didn't get PCI-DSS right, or, despite getting it right, couldn't prevent the identity theft they recently suffered? While EMV seems to be the low-hanging fruit, heaping new compliance requirements on top of existing ones might not work. The popularity of Mint, OfferMatic, BillGuard and other services that directly access the customer's bank account on the basis of a simple username and password suggests that two factor authentication solutions haven't been implemented by many banks so many years after it was mandated by FFIEC.   

Some five years after the launch of VbV / SecureCode / 3DS, I haven't come across too many US e-commerce websites diverting customers to these third-party authentication websites. While it might have announced support for 3DS, an actual order placement on Travelocity doesn't ask for any password. The friction contained in these additional steps perhaps introduces a far greater risk of shopping cart abandonment and lost revenue compared to the risk of fraud that they seek to mitigate. 

I sometimes can't help getting the feeling that this whole fraud thing is overhyped, leading to too much time and money being spent on mitigating it, but spoiling the customer experience and risking abandonment in the process, especially while shopping from mobile phones and tablets. 

@Stanley E: Props for making a very valid point and so eloquently at that.    

We've faced similar situations many times when a customer / prospect has rapped us on our knuckles for not keeping them informed about a new product / service / milestone etc., when the fact is, we have - it's just that their company's overzealous spam filters placed our emails in their junk folders.

I've heard it said that one reason why Twitter gained mass following during its heydays was because a tweet would always get into someone's timeline - in other words, Twitter guaranteed the email equivalent of "delivery" and "inbox placement" at no cost. For short updates, we use Twitter a lot nowadays. For longer ones, we're seeing better results with paper letters. For invoices, which anyway don't get settled at the speed of the "e" in email, it's back to snail-mail / courier - at least they reach safely that way!

Let's hope that spam filters become better and riddled with fewer 'True Negatives' and 'False Positives' over time, so that email can get restored to its days of former glory!

Credit card transactions lack strong authentication - at least in the Card Present non-EMV world - so backend transaction behavior profiling systems are placed on the frontline of defence against credit card fraud. While they have proved their worth there, they still seem to be fraught with not insignificant levels of 'False Positives' i.e. declined transactions that were genuine, which results in lost revenue and customer dissatisfaction. 

On the other hand, online checking accounts have typically been using username-cum-password based single-factor authentication since their inception. Some 4-5 years after FFIEC mandated two factor authentication to boost security, it's not clear if all banks in the USA have achieved compliance to it.

Although backend behavior profiling solutions will likely be useful in the long run, more widespread adoption of 2FA might itself suffice for now in the fight against ACH fraud.

I remember reading a recent observation that the Top 3 IT Services Vendors are not among the Top 3 Cloud Solutions Providers. Cloud or IT services, banks might be looking for the same qualities but they might not find them among their existing vendors!