One of the privileges of using a card to make a payment is the ability to dispute that charge should something go wrong. Maybe you ordered one garden rake but got charged for two. Perhaps you ordered a sweater and, as my colleague Allen Weinberg puts it, “got shipped a box of rocks.” Or you discover a charge that you didn’t make on your card account and believe it’s fraudulent.

In all those cases, the dispute process involves a chargeback.

The cardholder disputes the charge, the issuer credits the customer for the amount of that charge if it’s an obvious mistake or fraud, and, depending upon the chain of liability rules and the type of transaction, one party—the issuer, the acquirer, or the merchant—will have to bear the cost of the chargeback.

For merchants, just getting a chargeback message is a cost in the form of a fee paid to its acquirer. How does $5 and (way) up sound? Chargebacks, as a payments cost, are no financial joke.

The card system also views the chargeback rate—the percentage of transactions that result in a chargeback—as a leading indicator of poor merchant behavior. Once a merchant’s chargeback rate approaches one percent of its transactions, the merchant’s acquirer or PSP is going to put it on notice. If the merchant doesn’t lower that rate pronto the merchant could lose the ability to accept card payments.

The chargeback process is also a cost to issuers who are generally the party first called by the unhappy customer (issuers will often ask the customer if she or he has called the merchant, too).

In other words, chargebacks are a result of something going wrong and they can be a costly hassle for everyone because, for many stakeholders, chargeback handling is still dealt with manually.

In this Episode 99 of Payments on Fire® we talk with Rick Lynch, VP of Business Development from Verifi, about the impact of chargebacks on merchants and issuers. He updates us on rule changes by Visa and Mastercard. And he addresses the process and techniques needed to handle these post-authorization events.

While only mentioned in passing during the episode, Verifi is being acquired by Visa, in another example of expansion by card network operators into adjacent payment ecosystem roles.

The global spread of digital payments gets a huge boost from giants like Google. Google’s Google Pay is far more than just a wallet, and the subject of this Payments on Fire® episode with Steve Klebe.

Steve heads Google’s Processor and Partnerships business and has terrific experience in our industry, working with payment gateway CyberSource, payment security firm RSA, and carrier billing firm BilltoMobile. He’s also served multiple times on the board of the Electronic Transaction Association.

In other words, a true payments geek.

Here’s what we talked about:

• The evolution of Google Pay from its 2011 launch as Google Wallet and the various incarnations since then
• Google’s business model for GPay and the degree to which the data generated by GPay transactions influence (or not) the advertisements we see on sites using Google’s advertising services
• Transit payments, Google’s role in the W3C’s Payment Request API, and how Google pulls it into its own tools
• The Google Pay value proposition and how it combines the value of hundreds of millions of cards on file, their organic growth through Chrome’s auto-fill, Google’s own sales, and making those credentials available to third parties via Google Pay
• The new Google Pay APIs that focus more on convenience than payments: event ticketing, airline boarding passes, and more
• Google Pay India, renamed from Tez, and its role in the UPI framework that enables secure bank-to-bank transactions.

We conclude with thoughts on the Open Banking phenomenon and Google’s intentions in that area.

Here on Payments on Fire® we’ve spoken a lot with risk and fraud management firms that generally offer some combination of services and technologies that promises to lower customer exposure to payments fraud, data theft, and operational risk.

There’s another dimension to cyber security that’s based on expertise – before and after a data breach. That’s the subject of this episode.

First, a company needs to understand its overall exposure. What do we have and what can we afford to lose? That takes a technical assessment of the firm’s internal and external defenses. It also takes an understanding of what the company has to lose, from reputation-based good will to loss of R&D investment through the theft of intellectual property. Such concerns are now top of mind for corporate directors tasked with shepherding their companies in the complex cyber domain.

Yes, there’s a role for insurance.

Post breach, there is the work of uncovering what happened, the maintenance of evidence so that proper forensic procedures can be taken, and the painful resolution process that may include fines (PCI) and litigation.

All of this is well understood territory for Chris Uriarte, Chief Information Officer at Aon Cyber Solutions who joins George in this episode.

Topics discussed include:

• The kind of activities and efforts needed to address today’s cyber risk
• How IoT threats are no longer confined to cheap surveillance cameras
• The sophistication of the cyber criminal industry
• The interlocking roles of threat analysis, risks assessment, and insurance
• The rise of ransomware and the particular exposure larger organizations face from this threat

The task of risk management in the payments business keeps getting bigger. Where once the concern was confined to payments alone – starting with counterfeit checks and currency – payment electronification has created a universe of potential risks. Risk now includes fraudulent cards, system and network hacks, data breaches, and account takeover with all the havoc that can produce.

And we’re seeing how these impact the reputation and value of businesses even when the hack has nothing to do with payments. (By the way, bogus checks and counterfeit twenties are *still* a problem.)

We’ve touched on this topic in multiple ways on Payments on Fire®. We’ve spoken with Ethoca about its data sharing capabilities. We’ve spoken with Feedzai about its AI and machine learning technology. We’ve spoken with White Pages Pro and its data correlation capabilities. And we’ve spoken to companies deeply involved in the problem of online identity.

Each of those has a particular approach, a particular technology, or a combination of approaches, to apply to the problem of eCommerce or CNP fraud.

In this podcast, we talk to Tricia Phillips, SVP of Product and Strategy, at the fraud and risk management firm Kount. Protecting some 6,500 eCommerce merchants, banks, and payment platforms, Kount takes a deeply layered approach to the risk and fraud management.

This deep dive discussion takes us into not only Kount’s approach but into what fraudsters are doing today and the damage they can do, even to non-payments companies like Yelp. It’s a scary scene. Tricia takes us through it with insight and experience.

If Risk in Payments is a topic of interest, check out our upcoming Insight Workshop by the same name. Led by Russ Jones and Yvette Bohanan, you won’t find a more knowledgeable team to guide you through what is, as I hope we’ve demonstrated, one very complex topic.

One of the biggest payments challenges for merchants is how to handle payment data – whether it’s at the POS or in the remote domain where eCommerce and mobile payments take place. A lot of this concern is driven directly by PCI DSS compliance and broadly by the reputational risk data breach represents.

One of the major techniques merchants employ, in order to remove the need to store payment data, is tokenization – the replacement of the high value card data with a low value representation managed by another party. Merchants just store the token for lookup purposes while the third party maintains the database that links these low value tokens to the true primary account number or PAN.

At Glenbrook, we refer to these as merchant tokens because they are specific to and paid for by the merchant. We’ve also heard them referred to as acquirer tokens because the tokenization function is often performed by the merchant’s acquirer, processor, gateway, or payment service provider.

Makes sense, right? Put the radioactive payment card data into another party’s hands.

But for large and mid-size merchants, the provision of tokenization services to an acquirer has a few downsides:

1. The token database maintained by the provider is specific to the merchant. If the merchant wants to shift to another provider, tokenization portability can be an issue and a costly one.
2. In our merchant work, we are seeing the largest ones looking at a multi-acquirer topology for cost, redundancy, and channel flexibility purposes. But each acquirer will use its own tokenization scheme, adding complexity and limiting functionality.
3. Omnichannel merchants may employ one provider for POS transactions and another for eCommerce. That doesn’t work when you want to provide a consistent experience to your returning customer. You want a token that works across channels, i.e. an omnichannel token.

In this Payments on Fire® episode we talk with Alex Pezold, CEO of TokenEx, an acquirer neutral, independent tokenization provider. We talk a lot about protecting payment and bank account data. But we also address the growing need for protecting other data assets and how tokenization can help accomplish that.

Digital identity is one of the most solution-resistant challenges to online commerce and, indeed, our online lives. It is basic to online trust, an elusive condition undermined by data breaches, abuse of our data by service providers, and fraudsters.

That’s not to say we aren’t trying. Providers of all stripes are applying their value add to the problem. Smartphone makers have a role. Fraud management providers see themselves as having a role because they see so many users visiting their merchant customers’ websites or using their apps.

Networks do, too, as evidenced by Mastercard’s recent interest in identity services.

Then there are specialists in identity who play a role between the end user and the party granting access to a service, i.e. a bank. Today’s podcast is with SecureKey, a Canadian firm that has built a system to generate online trust while not sharing too much data between the parties.

Blockchain technology has increasingly gotten the attention of those in the identity space because the idea of having an immutable database as a single source of truth for identity credentials just seems so obvious.

Well, it’s not exactly as simple as putting your drivers license on a blockchain. SecureKey has partnered with IBM to use blockchain technology in support of its function as a provider of identity services.

SecureKey’s Verified.Me service gives the user the ability to quickly identity themselves and to share only the personally identifiable information they consent to share. Customers include Canadian banks CIBC, Desjardins, RBC, Scotiabank and TD. BMO and National Bank of Canada will be available later this year.

Take a listen to this conversation with Andre Boysen, SecureKey’s Chief Identity Officer, and Glenbrook’s George Peabody and imagine the power of coupling a service like this to strong authentication services that use biometrics.

Ever wonder about EMVCo’s role in the development and implementation of its technical specifications? Take a listen to Bastien Latge, EMVCo’s director of technology and Glenbrook’s George Peabody as they discuss EMVCo’s EMV®* QR Code Specification for QR code-based transaction initiation in the card system. While developed card markets are shifting to contactless cards and NFC-using mobile phone wallets to kick off payments, the QR code offers a flexible, very low cost alternative. There’s a lot to learn here.

Most of us are familiar with QR codes to retrieve product information from websites or print media, or perhaps when authenticating a mobile device to a web page.

In payments, many of the caffeine-reliant among us use the Starbucks app with its 2D barcode to initiate the transaction. It makes it so easy to know when we have enough gold stars to ask the barista for a drink on the house.

Some merchant apps use a QR code for the consumer to present when initiating a payment transaction that calls on card on file payment credentials. Walmart Pay for example.

In China – and really throughout Asia – providers like Alipay and WeChat Pay have been hugely successful with QR code-using payment apps.

In Japan, the proliferation of closed loop QR code-based payment tools, each encoding data differently, has created a cacophony of incompatible approaches. A new industry collaboration effort is attempting to lower the technical noise level by using a common technology provider.

The card industry, named because of those 85.60 mm × 53.98 mm (​3 3/8 × ​2 1/8 inches) pieces of plastic we carry around, is, of course, far more than the cards it uses to initiate a transaction. Their rules and global networks are unparalleled in reach and sophistication.

But at the edge of those networks, the card format is becoming less important (think mobile wallets) and useless in those markets lacking a terminal infrastructure. To make sure card network transactions can take hold in card-less regions, the card brands put their technical specification organization to work.

In 2017, EMVCo released its EMV QR Code Specification, designed to encode and represent the card message structure in QR code format.

A major hallmark of the EMV Chip Specification in cards is the generation of dynamic data, of a cryptogram unique to that transaction, that prevents replay attacks. The EMV QR Code Specification supports such dynamic data as well as the issuer tokenization framework also codified by EMVCo. Even the payment account reference number (PAR) is accommodated here.

To accelerate use of QR code EMVCo recently built self-assessment tools for both merchant- and consumer-presented that validate the QR format. Certification to individual networks and acquirers is not supported by the EMVCo tools.

* EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

Payments on Fire® usually focuses on a single topic, typically a fintech company and the business or personal challenges it addresses. In this episode, we take another direction by bringing together three fintech leaders to talk about their company offerings, how they connect up to payments, and some of the obstacles they’ve faced.

George talks with the leadership of three companies working in very different areas: remittances, small business logistics payments, and healthcare.

• Mike Gaburo, CEO of Brightwell Payments, a company delivering a mobile payments app to global workers for their payroll distribution, enabling card-based purchasing as well as remittance services
• Robin Gregg, CEO of RoadSync, a business software provider that enables electronic payments to SMBs in the logistics sector; and
• Alan Nalle Chief Strategy Officer of Patientco, a payments platform with intuitive, mobile-friendly tools for Health Systems to enable patients to pay their healthcare bills.

This conversation illustrates the breadth of payments and the focus required to solve the specific payments needs of each industry segment.

Robin, Mike, and Alan will join Glenbrook partner Beth Horowitz Steel on her panel called Innovative Solutions – Solving Difficult Payment Needs at the Fintech South conference, held April 22 and 23 in Atlanta.

Five years on from Apple Pay’s release, contactless payment cards are just getting off the ground here in the U.S. but in much of the rest of the card world, contactless payments of both kinds are common practice. In London, half of the card transactions are contactless. The same is true in Canada. While it’s true that the vast majority of these are card-based, not via mobile wallets like Apple Pay and Google Pay, even the mobile wallets are gaining momentum.

To expand contactless usage, Mobeewave has developed software tools for financial institutions to integrate into their merchant app that turn the merchant’s smartphone into a contactless acceptance device. No added hardware: software only.

We’re talking with Maxime de Nanclas, Mobeewave’s co-CEO and co-founder. A firm based in Montreal, Mobeewave has worked to turn smartphones into general purpose contactless payment terminals.

This is cool tech and, as Maxime tells it, a great journey for the company. Take a listen as he describes what their software does, how they built it, and their experience navigating the complexities of device certification.

The U.K. and the EU take a very different approach to payments industry evolution than here in the States; the former directed by government mandate, the latter by marketplace dynamics and the lighter touch of regulators. But both are responding, at different speeds, to the need of fintechs and enterprises for access to bank-based data and services.

The Payment Services Directive 2, PSD2, written in 2015 and in effect since January of 2018, addresses a range of concerns including a ban on surcharging on card payments and limiting consumer fraud liability exposure from 150 to 50 euros. But its major impact is its enablement of Open Banking through the granting of access to payment rails and payment data managed, up until PSD2, only by banks. Banks are required to open up programmatic access, via APIs, to that data.

In this Payments on Fire® episode, we dive into the U.K. and EU experience with the PSD2 a year after it going into effect. We take a look at its impact on Open Banking, the opening up of payment rails to these fintechs and other non-bank players.

To do that, Myles Stephenson, CEO of B2B payments firm Modulr, discusses his firm’s experience as an Electronic Money Institution, an organization chartered by the U.K.’s Financial Conduct Authority (FCA) under PSD2 rules. Under its provisions, Modulr gains, or will gain, the ability to initiate payments on behalf of its customers as well as access customer data.

While incumbent financial institutions are hardly thrilled at the prospect of opening up their systems to fintech competitors and the cost of doing so, the operational improvements for customers and increase in competitive activity are expected to generate many benefits.