A 2-year-old company out of Toronto, Canada, named SafePay is leading the charge toward securing online transactions by using the mobile phone to authenticate them. GigaOM reports: "While online merchants have been getting better at combating online fraud, it still cost them $3.4 billion last year, or about 1 percent of online revenues."
The article also states "Safepay gives merchants an added layer of protection against fraudulent purchases and helps users prevent someone else from putting purchases on their card."
GigaOM reporter Ryan Kim told us how it works: "A consumer downloads the free SafePay app (on iOS for now with Android, Windows Phone and BlackBerry coming later this year) and enters in their billing address and the first and last six digits of all the credit cards they want to register with SafePay. When that customer or someone who obtains the user’s credit card number tries to make a purchase at a site that uses SafePay, the user is sent a real-time in-app push notification alerting them to the transaction and providing them 60 seconds to approve or decline the sale."
SafePay’s founder and CEO Mick Bhinder, a veteran of Visa, American Express and Discover, is quoted as saying "The service will roll out first with five unnamed online retailers. Retailers will pay a $240 annual subscription for SafePay. He believes many merchants will find this valuable because of the potential for reduced fraud liability. The credit card companies and banks have said merchants are 100 percent liable for fraud. Our solution prevents losing bottom line revenue from fraud and it also protects consumers."
The GigaOM article states "SafePay, however, is different in that it takes a merchant angle and also asks for every purchase to be verified, not just suspicious transactions."
I recently spoke with a Visa executive at April's Electronic Transactions Association annual meeting about V.me, and though the service will no doubt enhance security, it relies heavily on purchase spending patterns to detect fraud. As far as I could discern, the V.me service may deny larger transactions, but, like credit monitoring services, it will notify you of suspicious behavior or transactions via fraud alerts. Don't get me wrong, the service is a good one, but it does not appear to provide real-time denial of authorizations for Visa or other card network transactions.
SafePay faces some significant hurdles to adoption and seamless integration with multiple processors, networks, POS systems and retailers.
The GigaOM article goes on to state "But it faces some big challenges to really make a dent in online fraud. Merchants will only find protection and significant cost savings if a large number of users sign on. But users will not have much need for the service unless a lot of big name retailers are on board. Even if a user signs up and there are a good number of sites participating, a thief could still use stolen card information on thousands of sites that don’t employ SafePay. Unless it’s somehow comprehensively rolled out on most big retail sites, it’s going to be hard for SafePay to really cut into online fraud."
Ryan Kim of GigaOM says "I’d be more optimistic if SafePay was used by banks or credit card companies, who can encourage their merchants to participate. But the financial institutions don’t bear as much penalty for fraud as the merchants do so they might not have a big sense of urgency. Still, I’d like to see a smartphone powered service like this gain acceptance at some point. We have smartphones with us all the time and they can act as a real-time tool to spot and prevent fraud."
I'm in agreement with Ryan Kim's assessment of SafePay and am excited about their chances. Their chance at success will increase if they are able to increase their reach by partnering with processors and networks and banks.
Another Method to Secure 'Card Not Present' Transactions
Dynamic CVVs could also be used to prevent fraud in card-not-present (e-commerce, phone and mobile) transactions. A Dynamic CVV is a one-time-use, random CVV code. Dynamic CVVs are being used with card-not-present (e-commerce, phone and mobile) transactions.
CVV stands for Card Verification Value. The first type of CVV code, CVV1, is encoded onto the magnetic stripe of a credit or debit card, along with your card number, expiration date, bank routing info and data that identifies the transaction as a "Card-Present" transaction. The information encoded onto the card is "static" and will not be changed, but it may be "skimmed" by thieves to make a copy that is used just as the original card. The second type of CVV, CVV2, is the 3-digit value on the back of your MasterCard, Visa or Discover card or the 4-digit number on the front of the card. This CVV is, of course, used for phone or e-commerce transactions and is also a static number.
A company named M2 Systems has patented technology that it is licensing to banks to provide Dynamic CVVs to consumers for securing card credentials. M2 announced their technology and how it works less than 2 months ago. According to the release, M2 Systems offers their "SAFE Technology" to consumers through use of their "SAFE App."
M2 Systems tells us how it works: "Cardholders request a unique Dynamic CVV code via the SAFE app for iPhone and Android devices, or via text messaging request. The one-time use CVV code is issued and available for a single transaction, allowing the authorized transaction to occur, and then immediately becoming invalid."
M2 also states the benefits to payment service providers and retailers: "SAFE Technology protects merchants, issuing banks and card processors offering similar benefits: ease of use, no modifications to their checkout page or website, elimination of chargebacks and lost revenue due to fraud, and no additional costs, plug-ins or registration. Any card issuer can license SAFE Technology, adding a significant level of comfort and security to cardholders. SAFE Technology is capable of supporting any size implementation from thousands of cards to multi-millions, and can be supported in any country."
Dynamic CVCs have also been integrated into EMV terminals such as Mastercard's PayPass. The ISIS mobile wallet uses them to limit fraud (if compromised by a data thief).
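The one-time-use behavior described above, sketched from the issuer's side. This is an added example, not M2's SAFE implementation or any code from the original article; the class name, the 5-minute validity window and the 3-attempt limit are assumptions chosen for illustration. The attempt limit matters because a 3-digit code has only 1000 possible values.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 300   # assumed validity window for an unused code
MAX_ATTEMPTS = 3    # assumed; a 3-digit code has only 1000 possible values

class DynamicCvvIssuer:
    """Hypothetical issuer-side store for one-time CVV codes."""

    def __init__(self, clock=time.monotonic):
        self._key = secrets.token_bytes(32)   # MAC key; codes never stored raw
        self._pending = {}                    # card_id -> [mac, expiry, tries]
        self._clock = clock

    def _mac(self, card_id, code):
        msg = f"{card_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, card_id):
        """Create a fresh code; any earlier unused code is replaced."""
        code = f"{secrets.randbelow(1000):03d}"
        expiry = self._clock() + TTL_SECONDS
        self._pending[card_id] = [self._mac(card_id, code), expiry, MAX_ATTEMPTS]
        return code

    def verify(self, card_id, code):
        """Return True once for the right code, False in every other case."""
        entry = self._pending.get(card_id)
        if entry is None:
            return False
        mac, expiry, _ = entry
        if self._clock() > expiry:
            del self._pending[card_id]        # expired unused
            return False
        if hmac.compare_digest(mac, self._mac(card_id, code)):
            del self._pending[card_id]        # single use: invalid after success
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[card_id]        # guessing budget spent: reissue
        return False
```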
It seems to me that M2 or Dynamic CVV technology could be used to facilitate SOFT system transactions and their technology or like technology is also being used to secure mobile transactions through mobile wallets. Could technology from or akin to that used by M2's SAFE App and the SafePay App be made to work together and be extended to protect our credit files, bank accounts, tax returns and prevent medical fraud? I'd now like to highlight a solution that could end most fraud and ID theft as we know them today. I'll provide an overview of the key problems, describe the solutions and address the barriers to adoption.
Fraud Alerts vs. Fraud Prevention
Credit monitoring only tells you after theft may have already occurred. Fraud alerts work better, but are temporary and can still allow fraud to slip through. Credit freezes are effective but are difficult to set up and extremely inconvenient, as they can take up to three days to turn on and off.
Given the choice, would you rather prevent crime against your financial accounts, or would you prefer to be told that fraud may already have happened and that you may still be able to stop it by contacting your bank? It's time to migrate beyond legacy limitations and embrace the future of security.
We have a PIN or password for our email, computer and bank accounts, but no such protection for our credit file or credit cards. If all credit and online/mobile transactions required user authentication prior to the release of a credit file or a payment authorization, then Social Security and bankcard numbers would become useless in the hands of ID thieves.
Watch this 2-minute video that highlights a solution to Secure Our Future Transactions (SOFT).
Important Questions about Your Credit
1. Is your good credit as valuable as your cash or is it more valuable?
2. If access to your cash requires a PIN, why doesn't your credit?
3. What is stopping the protection of your credit in the same way as your cash?
We could go on to ask WHY things are the way they are, but for now let’s go over the SOLUTION in detail and then address the why.
SOFT Landing: A Blueprint for Securing Our Financial Transactions
What if, in seconds, you could simply turn your Money ON & OFF or LOCK & UNLOCK all your financial accounts? What if you could automate this LOCK & KEY control using your mobile phone’s GPS? What if no financial transaction was authorized without your mobile/web authorization? Would this not end most fraud?
You may have answered YES to these questions, but are left with the following question: Is such a system simply not possible due to legacy systems and the nature of the fractured, proprietary closed and open loop networks that manage our financial transactions? This argument has no validity in a purely logistical or programming sense, but let’s continue to provide further detail into how SOFT will work and how it will provide a smooth and seamless transition to more secure transactions.
User Authentication and Enrollment
With SOFT, a user would sign up through their bank, either online or in branch, and complete the process by answering a knowledge-based questionnaire provided by the credit bureaus, the same one used when you access your own credit file. Additional and immediate authentication could be performed by cross-referencing IRS, US Post Office, mobile carrier and FBI databases.
The system would need to be centralized and accessed by financial and government service providers through an API. All transactions would require service providers to gain authorization from the SOFT system prior to or after conventional authorization and authentication. After signup, the consumer or end-user would see all accounts listed in their name as provided by service providers. Users would be able to log in online or by phone and set the parameters for authorizing financial transactions for their accounts. By the way, the SOFT system could be used to solve the $720 million per year problem (the estimated dollar figure is by NACHA and was relayed by the June 2012 Digital Transactions).
Consumer/End-User Mobile Authorized Transactions
A mobile phone/web app could be used to control all financial authorizations. It could be automated using mobile GPS, or users could set parameters permitting or denying transactions by area/zip code, by state/country, by card or financial account, by merchant, or by merchant type or category, including ecommerce or mobile merchants. Facebook could be used for a 2nd factor of authentication to eliminate the need to log in to the SOFT mobile app/web, but mobile authorization would still be used to confirm transactions.
Lock/Unlock Credit File
Online or via mobile app/web, the consumer enters the phone number or website of the bank or creditor to which a credit report should be issued. Alternatively, the credit merchant runs a credit report as normal and the SOFT system sends a text or notification requesting permission to issue a credit file to the ‘named creditor or bank’. The user is given the options to reply ‘Yes, no, fraud’. Under the SOFT System, credit bureaus would not be able to issue a credit file without the consumer’s permission. Right now only credit freezes work like this, but they do not work in real time, can take days to activate or deactivate, and are difficult and expensive to set up.
What Stands in the Way?
Legacy system configurations do not take into account using the account holder for authorizations. Even bleeding edge solutions, such as Visa’s V.me, recognize fraud by a user’s spending pattern and not real-time authentication. What is needed is for the authorization chain to include end-users. This requires developing a SOFT central database.
There are a few possible ways to accomplish this. With card transactions, the SOFT authorizations could be rerouted by: 1) processors prior to gaining authorization from the network, 2) networks prior to obtaining authorizations from issuers, or 3) issuers prior to granting conventional authorization or confirmation.
For this to work, 100% of transactions on accounts registered with the SOFT System would need to be routed to SOFT in a manner that would not require any change to the existing legacy routing other than a delay of 1/10 to 1/4 of a second or less. For this to occur, the customer would already have approved the transaction. If not, an error message would be sent to both the cashier and the customer. The error message to the cashier would include a message telling the cashier to tell the customer that they need to pre-approve the transaction and to check their phone. The customer would receive a message telling them to approve or deny the transaction or report it as fraud. With the sophistication of ecommerce and mobile transactions, authorizations may also take place prior to routing to the processor and may take place via the payment gateway or even via the acquiring system. At the end of the day, it is the Networks, in agreement with their Member Banks, that would set the standard protocol to securely connect via API to the SOFT System for secondary authorizations.
Regarding credit file issuing via SOFT, this could be a bit less complex as systems are not set up for real-time authorizations. The credit bureaus would need to simply reroute every request for a credit file to the SOFT System. The system could work identically to the card authorizations, without the need to inform the merchant, but only the customer.
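The secondary-authorization decision described in the last few sections (user-set parameters, pre-approval, and the decline messages sent to cashier and customer) can be sketched as follows. This is an added illustration, not code from the article or from any SOFT implementation; every class, field and return value is hypothetical, and locking the account on a fraud report is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Txn:
    account: str
    merchant: str
    category: str        # merchant type, e.g. "grocery" or "ecommerce"
    zip_code: str
    amount_cents: int

@dataclass
class Policy:
    locked: bool = True                               # default is money "OFF"
    zips: set = field(default_factory=set)            # areas the user permits
    categories: set = field(default_factory=set)      # merchant types permitted
    preapproved: set = field(default_factory=set)     # (merchant, amount) pairs

class SoftGate:
    """Hypothetical secondary-authorization service (all names assumed)."""

    def __init__(self):
        self.policies = {}   # account -> Policy
        self.outbox = []     # constructed stand-in for push/SMS delivery

    def authorize(self, txn):
        policy = self.policies.get(txn.account)
        if policy is None:
            return "PASS"                    # not enrolled: legacy path untouched
        key = (txn.merchant, txn.amount_cents)
        if key in policy.preapproved:
            policy.preapproved.discard(key)  # one approval covers one transaction
            return "APPROVE"
        if (not policy.locked and txn.zip_code in policy.zips
                and txn.category in policy.categories):
            return "APPROVE"                 # matches the user's standing rules
        # Fail closed and tell both parties, as the flow above describes.
        self.outbox.append(("cashier", "Declined: card locked. Ask the "
                            "customer to check their phone and pre-approve."))
        self.outbox.append(("customer", f"{txn.merchant} {txn.amount_cents}: "
                            "approve, deny or report as fraud?"))
        return "DECLINE"

    def respond(self, txn, answer):
        policy = self.policies[txn.account]
        if answer == "approve":
            policy.preapproved.add((txn.merchant, txn.amount_cents))
        elif answer == "fraud":
            policy.locked = True             # assumption: fraud report locks all
            policy.preapproved.clear()
        # "deny" leaves the policy unchanged; the decline already stands
```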
SOFT Working with the Mobile Wallet
SOFT would require no changes for merchants at POS, but integrated POS systems or terminals should, for convenience and clarity of communication's sake, be required to convert a 'Decline Code (for SOFT Declined transactions)' into a message telling the consumer or cashier the transaction was denied because their card was locked. With mobile wallets, a PIN and/or biometric authentication will serve as a big part of the front line of defense. Even if a mobile wallet is compromised, SOFT would automatically deny any transactions using the mobile wallet. The payment card credentials, if obtained, could not be used to make fraudulent purchases in the physical world or online. For consumer convenience and merchant expediency, SOFT should be easily incorporated into any mobile wallet schema. We'll dig a bit deeper in Week 2 of our series "The 7 S's Required for Success in Mobile Payments."
If SOFT was fully adopted as the new standard to secure transactions, PCI would no longer be required, or perhaps this SOFT model of moving card credentials away from devices and POS and to secure servers that are compliant with all network, federal and state laws and regulations would become the new standard of protecting financial data of all types.
Enhanced Revenue Potential with a SOFT System Launch
The credit bureaus and banks might fear a loss of income, but with improved services and a massive decrease in fraud losses, the opportunity for increased income is abundant.
It is estimated 25 million Americans pay an average of $12.50 per month for credit monitoring services. Does it not make sense that many more would pay $10-$15/month for the peace of knowing all their financial accounts are more secure? Providing an improved service should increase adoption and even allow for increased fees. However, 100% of Americans could be covered at a cost of just $1/month, equaling approximately the $3.75 billion in fees charged for credit monitoring services today. To be fully embraced by banks, credit bureaus and ID credit monitoring service providers, though, the opportunity for increased revenues must exist.
If those paying $12.50/month for credit monitoring services doubled to near 50 million Americans, or about 20% of all Americans, this would add about $3.75 billion. Javelin Research estimated fraud cost consumers and businesses $54 billion in 2009. CNN reports the healthcare industry alone is bilked of $100 billion/year, half being paid by Medicare with our tax dollars. The total estimated cost of Identity Theft to America is near $150 billion/year.
If banks, credit bureaus and credit monitoring service providers were to be paid 50% of the savings in the reduction of the cost of Identity Theft and costs were reduced by 1/3, an additional $8.3 billion in revenues would be added for companies providing ID Theft prevention services. In total, new revenues for those protecting our financial accounts could increase by $12 billion/year, thus replacing the estimated (Javelin Research) $6.6 billion in revenues banks lost from debit card processing, post-Durbin Amendment, and add $5 billion in revenues for those providing ID Theft prevention services. Plus, American consumers, businesses and government agencies would save about $33 billion/year and billions of hours/year!
How to Move Forward
It is my opinion that additional regulation for banks and credit bureaus is not needed if OUR TRUSTED SERVICE PROVIDERS and GUARDIANS OF OUR CASH and CREDIT step forward to make this SOFT System a reality ASAP. They have a great opportunity to increase lost revenues and maintain or rebuild our trust in them. Once this solution is relayed by a credible mass media source, the ‘Cat is out of the bag’ and the status quo must adhere to Secure Our Future Transactions or be left to the scrutiny of answering the question of ‘Why not?’ There is no VALID reason this solution should not be immediately adopted and built. It all starts with the word being spread by the media and credible industry professionals, FI’s, networks and credit bureaus voicing support for a SOFT System.
Be sure to watch a 2-minute video to learn more about this solution at MyCreditVault.com, showcasing the blueprint of the SOFT solution and rally point for it. The best way to support this solution is to refer others to do the same. Now the ball is in your court. Ending ID Theft is now a matter of employing the SOFT, AKA MyCreditVault, system. I have additional ideas regarding revenue models for banks and credit bureaus that I’m willing to discuss. This plan would be in congruence with Sandy Weill's proposal to reduce risk of bank investments. Interested FI’s, credit bureaus and media organizations should contact me promptly > randy@MobileWalletMedia.com or randy@MyCreditVault.com.