Saturday, October 3, 2015

EMV Cards | October 1, 2015 | Merchants Now Responsible for Fraud

I think we just crossed over a big change in the credit card world which I wish I more fully understood.  We're moving finally away from the weak security of credit cards with magnetic stripes and towards a pin and chip system.

Traditionally, if someone buys something at a retailer with a fraudulent credit card, the merchant was in no way responsible for the loss. I guess the issuing bank was responsible for the losses.

Also traditionally, in the US, our credit cards are based on a simple magnetic stripe on the back.  Even though the rest of the world has switched decades ago to a chip with pin system, the US has not.  It's one of the weird things about the US over the last 50 years.  While other countries have gone shooting ahead with innovations that improve the economy for everyone but require investment and some adjustment and some collective planning, the US seems a little too....something... to move forward. Lazy? Complacent? Disorganized? Examples...

Time to go metric which is better for industry and education? England and India and Brazil and China can do it.  But not the US.

Time to teach kids to read properly which means starting with the sounds (not the names) of letters? The UK and France have switched but we, being far more traditional, have not (yes, our rate of illiteracy is much higher than those two countries combined).

Time to move to an all digital cellular phone system?  Most of the world made the switch about 10-15 years ahead of the US.

Time to move from a ridiculously insecure system of credit cards where no pin is required and a fake card can easily be made since it's just a magnetic band on the back?  The rest of world did it decades ago but the US is only switching now and we're not really bothering with the pin part since it's a little inconvenient and it's hard for our highly competitive (with each other) credit card players to make the switch so we're only going to try adding a chip at this time.

OK, I've had my rant, now back to a description of the new system.  Going forward, if a retailer only uses the magnetic stripe reader and hasn't upgraded to or started using the chip system, the retailer will take responsibility for the losses if the card is fraudulent.

For merchants and financial institutions, the switch to EMV means adding new in-store technology and internal processing systems, and complying with new liability rules. For consumers, it means activating new cards and learning new payment processes.
Most of all, it means greater protection against fraud.
Quoted from which has a great article on the topic. It continues to explain liability....
Today, if an in-store transaction is conducted using a counterfeit, stolen or otherwise compromised card, consumer losses from that transaction fall back on the payment processor or issuing bank, depending on the card's terms and conditions.
After an Oct. 1, 2015, deadline created by major U.S. credit card issuers MasterCard, Visa, Discover and American Express, the liability for card-present fraud will shift to whichever party is the least EMV-compliant in a fraudulent transaction.
Consider the example of a financial institution that issues a chip card used at a merchant that has not changed its system to accept chip technology. This allows a counterfeit card to be successfully used.
"The cost of the fraud will fall back on the merchant," Ferenczi says.
However, what the article does not cover and what I'm seeking to understand is what has changed for us Card Not Present merchants? In a separate article, says the problem of fraud for online transactions is going to get worse.  More quoting....
Sophisticated online fraud rings are expected to flourish in the next few years, even as the U.S. switches to credit cards embedded with anti-fraud computer chips.
Following the lead of most other developed countries, card issuers in the United States have begun phasing out credit cards with only the traditional magnetic stripe and replacing them with cards that also contain a newer technology known as an EMV chip, which makes the cards nearly impossible to counterfeit.
However, as the ability to use counterfeit cards in stores dries up, fraudsters are expected to turn to other forms of fraud that prey on different vulnerabilities. At the top of the list, payment security experts say, is using stolen card numbers to buy stuff from the Internet.

And that might be only the beginning. "As long as we innovate and develop new financial services, there will always be some exploit that will be created and someone seeking to take advantage of a poorly executed or nonexistent control," says Seth Ruden, senior fraud consultant with ACI Worldwide.
In every country that has switched to EMV cards -- and the United States is the last developed country to do so -- online fraud has jumped, says online fraud expert Brian Krebs. "Fraud doesn't go away, it just goes somewhere else, and that somewhere else is always online," he says. "The thieves can still steal the card number and expiration date, which still can be used online. So that's generally what will happen. We'll see a pretty big uptick in card-not-present fraud."

Thursday, August 27, 2015

American Express Replacing Card

Amex sent me an email today which had a "FRAUD MAYBE, click to get called" message. I clicked, checked that the link was a https one that ended with, then clicked. My phone rang. The lady said my name and asked if that was me. I affirmed it was. Then she ran through a list of charges, most of which were fraudulent. Then, and this is where it gets weird, she said that she wanted me to verify an address. I said OK. She asked what it was and I said that I wasn't going to give out my address or any other info over the phone.

Amex email fraud alert

I then realized that she was in a very loud space, not what I think of as an Amex teleservice center. I asked what office she was in and she said that she could not say. Any number that I can use to call you back?  No, what about the caller ID number. She said that might not work. I asked if there was any way to identify her and she said that I could have her agent ID:  CVGA18.  The caller ID was 800 924-9289.

At this point, I asked her to stay on hold and I pulled out another phone and called the number on the back. After several minutes of automated and eventually human efforts to identify me, they finally asked what I wanted.  "I'm trying to see if I'm being spoofed."

As it turns out, I was not. Amex has a policy of requiring the individual to give his address to the agent. They want it verified. Sounds weird, they've billed me at that address a hundred times or so, but their policy requires them to get me to give them my address, even when they called me, before they'll ship me a new card, which is what they want to do.

I hate it when Amex and these other companies just have stupid policies. Doesn't this seem stupid?

Wednesday, May 13, 2015

Comcast are SOBs

I thought I'd share some of my frustration with Comcast with the world. I'm trying to drop some of the services on my Comcast bill. It cannot be done online. There's no way to do it. There are dozens of ways with a single click to increase the services but there is no way in the world that you can drop a service online. You have to call.

Here's the problem that I face. My Mom has passed on and the condo is in probate. Comcast bills us $250 each month, $150 for cable, $50 for internet, and $50 for stuff. Since we often stay in the condo, we want to keep the Internet but not the cable. They will not allow us to make the change.  They will not even allow us to cancel the bill without:
- proof of death. This I have, a death certificate
- lots of other paperwork
- a copy of a court-ordered document proving that the correspondent is the executor of the estate

I've now spent hours on the phone with Comcast with people who think it's absolutely reasonable that they bill us for another 6-12 months while we get our hands on "a copy of a court-ordered document proving that the correspondent is the executor of the estate"

Does anyone know what to do?

Saturday, April 18, 2015

Recurring Monthly Billing Subscription Business Model

My business is a monthly subscription model known as recurring billing with the card not present and for an intangible good.

The core of my business is built on the idea that I have subscribers that I bill monthly, specifically, I hit their credit card. In exchange, they have the right to use my online educational service.  My rate is low, $20 per month.

The metrics on this business:

Bringing in Traffic to my site
SEO success which is SERP and traffic across many keywords and engines
PPC for paid search
Banner Advertising
Email advertising

Conversion Rates and PreSales Engagement
Total Traffic into the site
Traffic into my sales funnel
Traffic that gives an email, that confirms the subscription
Shopping cart abandons
Double or triple subscriptions, Annual Prepayment

Customers with no level of use or engagement - sleepers
Customers with a modest level of use and engagement
High levels of use and engagement
Add a child
Customers that evangelize and recruit: referrers
Credit card declines from expiration, funds not available, cancelled card

Customer Recovery at Quit

Customer Recovery post Quit

Saturday, April 11, 2015

Credit Cards at Retail: Why not take pictures?

Credit Card Terminal At Super Market
It's amazing that the credit card industry hasn't been totally wiped out of business by a more efficient approach. Everyone knows that credit cards are used for fraud all the time. Yet, somehow, the retail terminals still have us signing onto a screen.

How stupid is that?

Why don't they just require us to look into the screen and take our picture? Then, if it turns out someone disputes the bill, they have photographic record of us staring into the amount.

Or, like my gym, when they slide the card, my picture comes up on their screen. If my face doesn't match the picture, they call the gym goons to come reshape my face.

Surely it's time for a better idea company, an Apple pay or Square or someone to come up with a card or system that has zero fraud and doesn't waste everyone's time with meaningless signatures?

Recurring Billing Business Models. And Who the heck is Recurly?

Click for a Summary of Subscription Recurring Business Model Metrics

I just followed some link to the recurly website. It's the first credit card processing company website that I've seen that looked like it belonged in this century!

And, check out this content marketing!  Want proper metrics for measuring customer churn?  Why, yes I do.  In fact, I'm delighted that somebody else out there even understands the question!!!

They seem to be backed by some slick first rate VCs.

Board of Directors

  • Dave Barrett, Polaris Partners
  • Shervin Ghaemmaghami, Devonshire Partners
  • Irfan Salim, Independent
  • Isaac Hall, Recurly Co-Founder, Chairman
  • Dan Burkhart, Recurly CEO & Co-Founder

I wonder how much they know about credit card recycling?

How did we miss them when we were exploring all the credit card companies out there?

But I'm not sure that I agree with their focus on doing the detailed churn rate based on man days. Is it the right place to start?

I think the first metric to understand is the general pattern of quits. For instance, for January, with a company, there might be 100 sign-ups. I'd first measure:
- how many asked for their money back either directly or thru a charge-back
- how many paid a 2nd time
- how many paid a 3rd time, etc.

Then I'd compare that with where the customers came from, other segmentation of the customer base, and what month they signed up in.

This feels like it produces more actionable data than the Recurly point of departure on analysis.


Thursday, July 10, 2014

Merchant Account Contracts

OMG, the credit card processing industry is so messed up.  I'm tempted to go start my own and cut through the industry like a knife through butter.

First, a little background, I run a ~$10M online business based on recurring monthly billing.  It's all about efficiency, effective handling of credit card data, and cost control. Also reliability. After a decade with one vendor that we have totally outgrown, we are finally switching vendors. After a few months of talking to vendors, we finally found one with great technology and prices for the handling of recurring card not present data.

I'm ready to sign and they send over the contract. OMG!  So poorly written and one-sided that instead of signing, we are now going back to our candidates two through five to see what's going on.

Our third favorite candidate immediately flew in (I'm going to see them this morning) and said: "You are a great merchant, we'll do whatever you want contractually."

Meanwhile, the first choice company just sent me a revised version of the contract which still has:
- a three year initial term during which there's no way out unless the processor messes up, gets notified in writing formally, and fails to address it within 60 days. So they could stop answering the phone and go down weekly and my business would be legally stuck with them for two months. I don't think I'm going to sign that.
- no clarity (despite my request) that the customer's credit card data is ours and is available upon request to move
- not a single obligation by the processor to us that they'll remain compliant with all laws, stay solvent, safeguard data, do their best for us, etc. etc. But there's probably 1-2 pages of such certifications requested of us. Here's a for instance. They claim the right to see all of our financial statements upon request. Fair enough since they are underwriting. I told them in the conference call that this sort of thing needs to be clarified. For what purposes do they get to pull our data? Who gets to see it? This will be confidential data etc. etc. Oops, it's not there! Does this mean that other vendors agree to provide their financials but they do so with no ifs, ands or buts about it?
- they did in the latest draft agree to freeze prices during the initial 3 years but they didn't agree after that to any prior notice period before changing prices. They did say that in the long term if they change prices, we can complain in writing and if they fail to address or reprice within 60 days, we would be allowed to change vendors.
- the agreement includes five specific references to the processor's "standard operating procedures." Remember, this is a contract, not a conversation. I asked about getting a copy of the standard operating procedures. It turns out that these are not written down. I asked about the transparency of these procedures to an outsider and if there was any way that the Merchant could verify them or was it just: "whatever the Processor says it is." Of course, it's a totally nebulous opaque concept. Yet they left it in the contract. Who does that?

Of course, I understand that mostly, contracts don't matter. People and companies do what they want to and the contract is one of many pieces of the process and relationship, so focusing on the contract too much is not smart business. But still, my minimum requirements:
- freedom to move if it's in our business interest
- clarity on the cost and mechanism for us getting our credit card data
- nothing weird in the rules that will come back to haunt us.