Fraudster innovation is a constant. As the defenders of payment transactions thwart one fraud vector, these innovators, playing offense, switch tactics.

Today, the problem of knowing who you are, that you are who you say you are, in the digital domain demands stronger authentication techniques. Many of those rely on the attributes, the data, provided by the user or by the applicants in the case of credit extension.

In turns out that even the data supplied by applicants can be both entirely bogus and sufficient to convince a credit issuer to onboard the applicant and extend credit. This is the problem of synthetic identity.

To explore the synthetic identity challenge, take a listen to this conversation with Naftali Harris, CEO of SentiLink, a company focusing on detecting synthetic identities. Coming from years at Affirm, Naftali and the SentiLink team serve credit issuers struggling with this new fraud vector.

First, let’s define synthetic identity using the Fed’s Synthetic Identity Fraud in the U.S. Payment System Payments Fraud Insight white paper as the source:

“The generally agreed-upon definition of synthetic identity fraud is a crime in which perpetrators combine fictitious and sometimes real information, such as SSNs and names, to create new identities to defraud financial institutions, government agencies or individuals.”

Now we’re looking for phantoms. Uh-oh.

There are terabytes of personally identifiable information for fraudsters to use because of data breaches and our own over-sharing of our personally identifiable information. Knowledge-based authentication based on static data like SSNs, birthdays, and the name of our hometown isn’t hard to break. Nor is this static data generally protected by tokenization or encryption in any way.

The fraudsters know what we know. Uh-oh.

And because the real data presented by the fraudster creating a virtual identity is often that of a child or an elder or even the deceased, well, it’s super hard to detect. That comes from my GLenbrook colleague Yvette Bohanan who has years of risk management experience at Amazon, Google, eBay, BofA and others.

Of course, the fraudster’s goal in making up a new identity is to open a credit line in order to subsequently defraud the issuer, perhaps by carefully using a credit line carefully for years to build up a high credit limit before busting out with a lot of spending and then disappearing to a beach somewhere.

Multiple Types of Synthetic Identities

A startling aspect of some synthetic identity fraud is that it doesn’t take advantage of purloined PII. All of the data used by the credit application is made up out of whole cloth and thin air. The proper format of a social security is well known so why not generate a random one? After all, the federal government doesn’t operate a central SSN repository with realtime validation. A variant approach relies on real and fake data, combining, for example real names with made-up SSNs.

To explore the synthetic identity challenge, take a listen to this conversation with Naftali Harris, CEO of SentiLink, a company focusing on detecting synthetic identities. Coming from years at Affirm, Naftali and the SentiLink team serve credit issuers struggling with this new fraud vector.

On Payments on Fire® we’ve talked with gateway operators, processors, tokenization specialists, fraud management firms, and others – all providers who help payment acceptors handle their payments.

The range of services and business value they deliver varies a lot. Some providers do everything. Others, like Spreedly, the subject of this Payments on Fire® podcast, focus on a narrower set of functions and business outcomes.

Payment Flow and the Payment Service Provider (PSP)

When we talk about merchant acquiring in the Glenbrook Payments Boot Camp, we highlight the following transaction flow:

1. The merchant or its ISV, perhaps running as an PayFac, accepts the customer’s payment
2. They connect to a gateway or a processor
3. The gateway routes the transaction to an acquiring bank or its processor OR the merchant connects directly to one of these entities
4. The transaction is routed by the acquirer or processor into the payment network and on to the accountholders’s financial institution

That picture oversimplifies the tasks at hand. Depending on what kind of merchant you are, the set of payment-based services you need can vary substantially.

If you answer yes to any of the following, there are payment service providers ready to help you with specific tools:

• Are you an e-commerce merchant
• Is omnichannel commerce important?
• Are you strictly a bricks-and-mortar operation?
• Are you a biller or a heavy user of invoicing?
• Do you operate unattended devices like vending machines and kiosks?
• Are you global or have global aspirations?
• Are you an SMB or enterprise-class payment acceptor?

Some payment service providers (PSPs) are owned or captives of larger upstream entities. Their role is to capture an ever widening stream of transactions to flow on to their parent company. CyberSource, owned by Visa, may not care a lot about who the acquirer is but the company’s transaction handling drives revenue for Visa.

Other independent PSPs like NMI and, in today’s podcast, Spreedly, focus more on the needs of the merchant. NMI anchors it many other talents around its core gateway. Spreedly might be considered is a gateway to gateways. It connects to processors and has developed a broad set of connections into domestic systems around the world. Spreedly is a also payments tokenization provider.

Given that range, Spreedly refers to itself as a merchant-facing payments infrastructure provider. More casually, Spreedly is a layer of glue between the payment acceptor’s operations and the payment systems that the acceptor needs to support. Payment orchestration is another in vogue term to describe what Spreedly, and others, do.

This is an evolving story and marketplace. Definitely worth a listen to Justin Benson, CEO of Spreedly, as we talk about what his company does and a range of industry topics including tokenization, risk, and more.

In this Payments on Fire® podcast, we examine the role of a payment service offered through a commerce solution targeted at the small and medium business (SMB) market. To do that, we talk with Nan Siler, Head of Payments Strategy and Operations, at Kabbage.

The small and medium business market is important to both the national and local economies. It’s big. According to the U.S. Small Business Administration, over 40% of GDP is generated by this segment. Over the last decade and more, SMBs have come to face new competition (Amazon and the high concentration of Big Retail) and a less willing lender community of traditional financial institutions. Kabbage has stepped into that environment.

Kabbage has loaned over $9B since its inception to some 220,000 customers and last fall added a new service, Kabbage Payments, to ease payment and invoicing for its SMB customers.

SMBs live and die on cash flow. If a big customer’s payment doesn’t come in on time, the business owner can end up paying her employees but not herself.

Kabbage has built sophisticated onboarding and lending models around the needs and realities small businesses. Cash flow management includes, of course, timely access to money, via lending, to fill funding gaps or help expand the operation.

Nan takes us through how Kabbage’s Payments solution complements Kabbage Funding, its lending operation, and how the two come together to provide better insight on the business’s cash needs. With better insight, the goal is to help the small business borrow less money for shorter periods of time when funding the day-to-day with the expectation that Kabbage can provide larger sums to meet the capital requirements of business expansion.

Many independent software vendors (ISVs) bring payments capabilities to their merchant customers to meet functional expectations as well as enjoy payment related revenues. Indeed, the ISV is now the channel through which many SMBs acquire payments acceptance capabilities. The payment-focused PSP group, and especially the Independent Sales Organization (ISO), no longer control that channel.

Kabbage, while not an ISV, has built its payment service to help merchants get paid faster. Every SMB wants that. So, take a listen to Nan as she discusses both the lending capabilities of her firm and how the new payment service complements that funding function.

As our lives shift online, our providers needs strong digital representations of each of us in order to make authentication and authorization decisions. Besides payment transactions, there are the diverse risks they must manage when, for example, we establish new credit relationships, add new payees to our online accounts, and move money in new ways. The providers of these capabilities—and often a single party offers multiple services—must be concerned with the associated risks each poses.

This is the special domain of risk and fraud management companies. In this conversation with Payfone‘s CEO Rodger Desai, we focus on digital identity services and the role of the mobile ecosystem in particular. Take a listen.

Many risk and fraud vendors base their services on different data types, such as the email address, SSN, or phone number.

In Payfone’s case, it is the combination of the mobile number, the device it is connected to, and the mobile network serving it that have powerful attributes to measure against. Relevant data attributes include:

1. Tenure. How long the mobile subscriber has had the phone number tells a lot about the subscriber itself.
2. Phone’s Aren’t Free. Unlike email addresses which are cost-less, almost anything to do with a phone costs money, i.e. the service and device costs. Therefore, phone-based frauds, for the fraudster, cost money. Such hacks don’t scale as well as a card data breach. But when there is a phone-based hack, the impact on the victim can be particularly severe.
3. Lots of Activity to Examine. With 50% of American eleven year olds having phones, we generate a rich history using our phones. For billing purposes alone, that activity is tracked by the mobile network ecosystem and, given appropriate privacy controls, can be used to support risk decisioning.
4. Even More Data. Biometric unlocking of devices, behavioral fingerprinting—how we actually interact with the device user interface—and device fingerprinting—the digital portrait developed from such rich data—expand the data available for risk assessment.

The union of all this data paints a crisp digital identity once algorithmic power has been applied to it.

In this episode of Payments on Fire® we discuss the risk assessment capabilities the mobile ecosystem provides with Payfone’ CEO Rodger Desai. His long experience in mobile “phone intelligence” informs this discussion. He explains how some very large clients are using Payfone’s scoring capabilities to assess transactional and account risk while addressing the challenge of improving the user experience. Risk and convenience are often at odds. Payfone’s services are designed to mitigate that conflict.

Today’s digital identification capabilities are powerful. But fraudsters are fast moving and well funded. For the relying parties—those enterprises that take on the risk—the role of defense is a tough one. Priorities, cost, business goals, even awareness vary. Each and every party’s approach to risk assessment is unique. Risk tolerance for the same transaction will differ from bank to bank, from enterprise to enterprise.

In other words, individual enterprises can assemble strong risk assessment and mitigation capabilities while, from a systemic view, there will always be gaps to be exploited. The best we can hope in today’s environment is for each enterprise to raise its security game.

The U.S. has just come off a record setting holiday shopping season with e-commerce sales rising over 18%. While the numbers aren’t in yet, there’s no doubt the fraudsters also had a record year. There are so many ways to defraud consumers, merchants, and financial institutions.

At Glenbrook, we are optimistic about our longer term ability to deter, prevent, and detect fraud. Our kit is getting better. The combination of tech and rule making will payoff: strong authentication enabled by standards-based smartphone-enabled biometrics; regulations requiring strong authentication as put forward in the EU through its SCA rules; and our expanding ability to detect new attacks using tools that operate within the transaction flow.

It is this last area that is the topic of this Payments on Fire® episode. Fraud detection tools operated by or on behalf of merchants that examine transactions are today’s major line of defense against payment, loyalty, and coupon fraud. In this conversation with Colin Sims, COO of fraud prevention company Forter, the development, deployment, and maintenance of a modern fraud management platform is the topic.

Colin and George discuss how fraud management and prevention technologies continue to evolve, Forter’s own approach, the role and impact of PSD2 and SCA regulations in the EU, and how fraud continues to adapt. While machine learning is a central technology, Colin makes clear that human effort and insight is what makes the difference.

Deployment of “clean sheet of paper” payment systems is a once in a generation event. In over 50 countries, new account-to-account push payment systems are either in full scale operation, implementation, or fully committed planning stages. The U.S., for example, has the RTP Network in operation and, in a few years, the FedNow system will be online.

This is hard, serious work. Technology decisions need to be paired with equally rigorous rules making. One of the major concerns for these systems is what to do when a transaction is sent in error or initiated by a fraudster. In contrast to card systems, dispute resolution capability is not a standard feature. These choices should reflect clear agreement and follow through by the system’s key participants.

In this Payments on Fire® podcast, Glenbrook’s Elizabeth McQuerry talks with builders of dispute resolution, complex messaging, and connectivity capabilities developed around Australia’s New Payments Platform (NPP).

Joining Elizabeth are Jack Baldwin, Chairman of BHMI, a U.S.-based developer of bank-grade settlement and reconciliation systems, and Nathan Churchward, Head of Product, Emerging Services at Australia’s Cuscal Limited. Cuscal is a developer of payments capabilities that include card issuing and acquiring, mobile payments, fraud prevention, switching and settlement.

There’s a lot to be gained by learning from someone else’s experience. Nathan and Jack address the dispute resolution process, ISO 20022 messaging, and the significant effort needed to build out systemically important payment infrastructure. Take a listen and you’ll gain a deep appreciation of the interplay of rules, regulations, technology, and effort.

Glenbrook Partners is working with the U.S. Faster Payments Council to help shape rules in the U.S. and address significant concerns around system interoperability, directory services, and dispute management. Take a look at the Faster Payments Barometer based on our industry survey. And visit the U.S Faster Payments Council site for more.

If you thought bitcoin was dead as a payments system, take a listen to George and Jimmy Nguyen, founding president of the Bitcoin Association, as they discuss Bitcoin SV, a new version of bitcoin that is a significant upgrade to the performance and capabilities of the original bitcoin protocol put into the world a decade ago.

From a payments perspective, bitcoin has failed. While successful as an albeit volatile store of value, its failings include:

• It is slow, only able to handle 2 or 3 transactions per second with a peak rate of 7. Visa handles 50K at peak holiday times with aplomb.
• While transactions are irrevocable, they are not immediately written to the blockchain. Core design specifies that that happens every 10 minutes but when the network is under load it has taken hours.
• Processing cost is too high, measured in dimes and dollars, and also volatile
• As the processors, known as miners, are rewarded with fewer bitcoins for their work, they’ll have to rely on processing revenues, transaction fees, to stay viable. Costs are already too high
• There’s the high power usage of the network that’s needed to maintain consensus, essentially trust in the network.

If you thought bitcoin was dead as a payments system, take a listen to George and Jimmy Nguyen, founding president of the Bitcoin Association, as they discuss Bitcoin SV, a new version of bitcoin that is a significant upgrade to the performance and capabilities of the original bitcoin protocol put into the world a decade ago.

Jimmy brings a refreshing view on cryptocurrencies and payments. Jimmy provides a great review of how bitcoin works and why both its performance and its economics are broken. He explains the advantages of the Bitcoin SV fork and why it was necessary. Suffice it to say, bitcoin’s evolution is subject to the often fractious politics of that community where competing interests inhibit long term thinking.

Bitcoin SV has intriguing potential. Micropayments, sub $1 transactions, have never found a home in electronic payments. BSV could apply there.

BSV is also designed to use enormous blocks in order to keep processing costs low and provide the ability to store massive amounts of data about the payment.

Join Jeff Brown, president of VPay, a firm specializing in insurance claims payments, and George Peabody of Glenbrook Partners in this deep dive discussion of how the work of claims processing is done and how he approaches B2B payments, compliance, and the value-added services needed by the company’s customers.

The B2B Domain

We’re all familiar with the card present POS domain, card not present Remote domain, P2P payments, and the Bill Pay domain. A phone tap here, a card swipe there, a bill payment to the utility company. On a day to day basis, our personal experience with payments is these areas.

The B2B and B2C payment domains are very different. There is a wide range of industries with very specific payment needs. (Listen to episode 92  to hear how customized payments can become. Roadsync’s Robin Gregg talks about the special paper check type built just to serve independent long haul truckers.)

Insurance is Huge

One of the biggest industries is insurance. Premium payments in the U.S. alone are over $1.2 trillion. Payouts by stakeholders, such as healthcare systems and property & casualty insurers, and made to individuals claimants and service providers amount to trillions more.

Insurance is definitely big enough to be a very attractive vertical to a payments service provider.

Knowing Your Customer’s Business

If you are a PSP serving a particular vertical market in the B2B space, you have to know at least as much about the vertical you serve as you do about payments operations and services. For example, if you’re making healthcare payments, you have to comply with the strict data privacy requirements specified by HIPAA regulations. You may have to support specific data formats. And you should help your business customers deliver useful features to their own customers.

If you want a great explanation of how payments fits into a vertical market, you can’t do better than listening to this episode of Payments on Fire®.

Digital disruption and financial inclusion are focus areas throughout the developing world and the topics are white hot in Colombia. Listen in as Hernando Rubio, CEO of Moviired, speaks with Elizabeth McQuerry and George Peabody about Movii and payment / financial inclusion ecosystem in Colombia.

Financial Inclusion in Colombia

Although one of the first countries in Latin America to make a big policy push for financial inclusion, those efforts focused a “banking correspondents” or agents in local stores carrying out basic financial services on behalf of banks. While these correspondents greatly improved access to financial services, they have not fully produced the desired results. According to the World Bank, fewer than half of all adults have a bank account and only a handful (less than 5%) have a transaction account from a telco led service. Very few Colombians use those accounts to pay bills or buy something on the internet. Cash is still preferred.

Enter the SEDPEs

In 2015 regulators in Colombia created a new category of licensed financial institutions called a   special company for electronic deposits and payments, or SEDPE by the Spanish language initials. While a bank can also pursue this type license to focus financial inclusion efforts, the main conceptualization of SEDPEs are fintechs that gain authorization to take deposits and make payments – the two most basic (and still lacking) aspects of financial inclusion. SEDPEs are not allowed to make loans but can partner with others to make small credits available.

Movii

Rubio’s Movii was the first SEDPE to be authorized by regulators. Movii is a classic digital service that offers a wallet for storing funds, access to a reloadable debit card from Mastercard for buying in stores and on the internet, bill payment, mobile top ups and transfers to other Movii users. Movii also recently connected to the new national real-time payment service (Transferencias Ya) in order to be able to reach all account holders in Colombia. Movii builds off the company’s experience managing Moviired, an extensive network of physical agents in stores and bank correspondents throughout Colombia, that people use for those basic payments. Hear how a company disrupts itself as it lays the foundation for the next generation of financial services.

The merchant acquiring industry continues its large scale shift from a payments-led to an operations-led purchasing decision for the merchants it serves. Historically based on independent sales organizations (ISOs) and non-bank acquirers, the party that increasingly provides payment acceptance is the independent software vendor (ISV).

This makes sense for a number of reasons:

• Software is Vertical. Today, the first IT choice more merchants make is the software they use to run their business. This makes sense. Tools that improve overall business operations have a greater impact on success than the comparatively minor differences among payment providers. Auto parts stores need inventory management. Salons need scheduling. Ice cream and coffee shops need quick order entry. Daycare providers need security controls.
• Payments are Horizontal. Every merchant, regardless of its segment, needs to take payments. While many segments have particular requirements for payments, payment acceptance alone is a commoditized service.
• The ISV is the First Point of Contact. Given its primary role, the ISV has moved into an excellent position to sell and profit from payment acceptance.
• Taking a Back Seat in Selling, Payments is Infrastructure. The payments industry has multiple ways of enabling ISVs to sell payments. The ISV may use a gateway to reach multiple acquirers with the gateway itself selling value-added capabilities in areas like fraud management. The ISV may use the payfac model for fast onboarding of new merchants. The ISV may, itself, become an ISO. Multiple forms of business relationship all provide some measure of revenue sharing with the ISV.

Differentiation in Payments Via New Paths

Differentiation based on value-added services drive revenue in payments. For that reason, we have seen non-bank acquirers and ISOs focus on particular vertical market segments to drive and secure long term revenues. A decade and more ago, Heartland Payment Systems (acquired by Global Payments) doubled down on the restaurant vertical by developing special services for restaurant operators as well as acquiring restaurant-focused ISVs. That lesson has been learned by many since.

Over the last few years, differentiation has also stemmed from how well the payments provider serves the ISV and its developers. Integration of payment services both into the ISVs code and within the provider’s own code base is important. A single API that exposes all of a provider’s services is preferable to integration work requiring knowledge of an API tied to each function. Micro-services based capability is also welcome.

Payment Facilitation as Enabler

While not, in and of itself, a new approach, the payment facilitation model is a major enabler of payment service delivery via ISVs. The payfac model is based on network rules that allows an intermediary to act as the merchant of record in order to provide payment system access to smaller merchants. PayPal did this first for ecommerce merchants. Stripe is another card not present example. Square used the payfac model to offer sellers in the physical world access to card acceptance.

ISVs who become payfacs assume responsibility for the activity of their small merchant customers. So, choosing to become a payfac has its complexities and risks. A number of providers, including Finix, bring expertise in the payments facilitation model to help ISVs make that decision.

In this Payments on Fire®, take a listen to Glenbrook’s Nicole Pinto, Drew Edmond, and Finix CEO and founder Richie Serna as they discuss the payfac phenomenon and the larger shift to the ISV as payments provider. This is a cool conversation about a sea change event in the merchant services industry.