Here on Payments on Fire® we’ve spoken a lot with risk and fraud management firms that generally offer some combination of services and technologies that promises to lower customer exposure to payments fraud, data theft, and operational risk.

There’s another dimension to cyber security that’s based on expertise – before and after a data breach. That’s the subject of this episode.

First, a company needs to understand its overall exposure. What do we have and what can we afford to lose? That takes a technical assessment of the firm’s internal and external defenses. It also takes an understanding of what the company has to lose, from reputation-based good will to loss of R&D investment through the theft of intellectual property. Such concerns are now top of mind for corporate directors tasked with shepherding their companies in the complex cyber domain.

Yes, there’s a role for insurance.

Post breach, there is the work of uncovering what happened, the maintenance of evidence so that proper forensic procedures can be taken, and the painful resolution process that may include fines (PCI) and litigation.

All of this is well understood territory for Chris Uriarte, Chief Information Officer at Aon Cyber Solutions who joins George in this episode.

Topics discussed include:

• The kind of activities and efforts needed to address today’s cyber risk
• How IoT threats are no longer confined to cheap surveillance cameras
• The sophistication of the cyber criminal industry
• The interlocking roles of threat analysis, risks assessment, and insurance
• The rise of ransomware and the particular exposure larger organizations face from this threat

The task of risk management in the payments business keeps getting bigger. Where once the concern was confined to payments alone – starting with counterfeit checks and currency – payment electronification has created a universe of potential risks. Risk now includes fraudulent cards, system and network hacks, data breaches, and account takeover with all the havoc that can produce.

And we’re seeing how these impact the reputation and value of businesses even when the hack has nothing to do with payments. (By the way, bogus checks and counterfeit twenties are *still* a problem.)

We’ve touched on this topic in multiple ways on Payments on Fire®. We’ve spoken with Ethoca about its data sharing capabilities. We’ve spoken with Feedzai about its AI and machine learning technology. We’ve spoken with White Pages Pro and its data correlation capabilities. And we’ve spoken to companies deeply involved in the problem of online identity.

Each of those has a particular approach, a particular technology, or a combination of approaches, to apply to the problem of eCommerce or CNP fraud.

In this podcast, we talk to Tricia Phillips, SVP of Product and Strategy, at the fraud and risk management firm Kount. Protecting some 6,500 eCommerce merchants, banks, and payment platforms, Kount takes a deeply layered approach to the risk and fraud management.

This deep dive discussion takes us into not only Kount’s approach but into what fraudsters are doing today and the damage they can do, even to non-payments companies like Yelp. It’s a scary scene. Tricia takes us through it with insight and experience.

If Risk in Payments is a topic of interest, check out our upcoming Insight Workshop by the same name. Led by Russ Jones and Yvette Bohanan, you won’t find a more knowledgeable team to guide you through what is, as I hope we’ve demonstrated, one very complex topic.

One of the biggest payments challenges for merchants is how to handle payment data – whether it’s at the POS or in the remote domain where eCommerce and mobile payments take place. A lot of this concern is driven directly by PCI DSS compliance and broadly by the reputational risk data breach represents.

One of the major techniques merchants employ, in order to remove the need to store payment data, is tokenization – the replacement of the high value card data with a low value representation managed by another party. Merchants just store the token for lookup purposes while the third party maintains the database that links these low value tokens to the true primary account number or PAN.

At Glenbrook, we refer to these as merchant tokens because they are specific to and paid for by the merchant. We’ve also heard them referred to as acquirer tokens because the tokenization function is often performed by the merchant’s acquirer, processor, gateway, or payment service provider.

Makes sense, right? Put the radioactive payment card data into another party’s hands.

But for large and mid-size merchants, the provision of tokenization services to an acquirer has a few downsides:

1. The token database maintained by the provider is specific to the merchant. If the merchant wants to shift to another provider, tokenization portability can be an issue and a costly one.
2. In our merchant work, we are seeing the largest ones looking at a multi-acquirer topology for cost, redundancy, and channel flexibility purposes. But each acquirer will use its own tokenization scheme, adding complexity and limiting functionality.
3. Omnichannel merchants may employ one provider for POS transactions and another for eCommerce. That doesn’t work when you want to provide a consistent experience to your returning customer. You want a token that works across channels, i.e. an omnichannel token.

In this Payments on Fire® episode we talk with Alex Pezold, CEO of TokenEx, an acquirer neutral, independent tokenization provider. We talk a lot about protecting payment and bank account data. But we also address the growing need for protecting other data assets and how tokenization can help accomplish that.

Digital identity is one of the most solution-resistant challenges to online commerce and, indeed, our online lives. It is basic to online trust, an elusive condition undermined by data breaches, abuse of our data by service providers, and fraudsters.

That’s not to say we aren’t trying. Providers of all stripes are applying their value add to the problem. Smartphone makers have a role. Fraud management providers see themselves as having a role because they see so many users visiting their merchant customers’ websites or using their apps.

Networks do, too, as evidenced by Mastercard’s recent interest in identity services.

Then there are specialists in identity who play a role between the end user and the party granting access to a service, i.e. a bank. Today’s podcast is with SecureKey, a Canadian firm that has built a system to generate online trust while not sharing too much data between the parties.

Blockchain technology has increasingly gotten the attention of those in the identity space because the idea of having an immutable database as a single source of truth for identity credentials just seems so obvious.

Well, it’s not exactly as simple as putting your drivers license on a blockchain. SecureKey has partnered with IBM to use blockchain technology in support of its function as a provider of identity services.

SecureKey’s Verified.Me service gives the user the ability to quickly identity themselves and to share only the personally identifiable information they consent to share. Customers include Canadian banks CIBC, Desjardins, RBC, Scotiabank and TD. BMO and National Bank of Canada will be available later this year.

Take a listen to this conversation with Andre Boysen, SecureKey’s Chief Identity Officer, and Glenbrook’s George Peabody and imagine the power of coupling a service like this to strong authentication services that use biometrics.

Ever wonder about EMVCo’s role in the development and implementation of its technical specifications? Take a listen to Bastien Latge, EMVCo’s director of technology and Glenbrook’s George Peabody as they discuss EMVCo’s EMV®* QR Code Specification for QR code-based transaction initiation in the card system. While developed card markets are shifting to contactless cards and NFC-using mobile phone wallets to kick off payments, the QR code offers a flexible, very low cost alternative. There’s a lot to learn here.

Most of us are familiar with QR codes to retrieve product information from websites or print media, or perhaps when authenticating a mobile device to a web page.

In payments, many of the caffeine-reliant among us use the Starbucks app with its 2D barcode to initiate the transaction. It makes it so easy to know when we have enough gold stars to ask the barista for a drink on the house.

Some merchant apps use a QR code for the consumer to present when initiating a payment transaction that calls on card on file payment credentials. Walmart Pay for example.

In China – and really throughout Asia – providers like Alipay and WeChat Pay have been hugely successful with QR code-using payment apps.

In Japan, the proliferation of closed loop QR code-based payment tools, each encoding data differently, has created a cacophony of incompatible approaches. A new industry collaboration effort is attempting to lower the technical noise level by using a common technology provider.

The card industry, named because of those 85.60 mm × 53.98 mm (​3 3/8 × ​2 1/8 inches) pieces of plastic we carry around, is, of course, far more than the cards it uses to initiate a transaction. Their rules and global networks are unparalleled in reach and sophistication.

But at the edge of those networks, the card format is becoming less important (think mobile wallets) and useless in those markets lacking a terminal infrastructure. To make sure card network transactions can take hold in card-less regions, the card brands put their technical specification organization to work.

In 2017, EMVCo released its EMV QR Code Specification, designed to encode and represent the card message structure in QR code format.

A major hallmark of the EMV Chip Specification in cards is the generation of dynamic data, of a cryptogram unique to that transaction, that prevents replay attacks. The EMV QR Code Specification supports such dynamic data as well as the issuer tokenization framework also codified by EMVCo. Even the payment account reference number (PAR) is accommodated here.

To accelerate use of QR code EMVCo recently built self-assessment tools for both merchant- and consumer-presented that validate the QR format. Certification to individual networks and acquirers is not supported by the EMVCo tools.

* EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

Payments on Fire® usually focuses on a single topic, typically a fintech company and the business or personal challenges it addresses. In this episode, we take another direction by bringing together three fintech leaders to talk about their company offerings, how they connect up to payments, and some of the obstacles they’ve faced.

George talks with the leadership of three companies working in very different areas: remittances, small business logistics payments, and healthcare.

• Mike Gaburo, CEO of Brightwell Payments, a company delivering a mobile payments app to global workers for their payroll distribution, enabling card-based purchasing as well as remittance services
• Robin Gregg, CEO of RoadSync, a business software provider that enables electronic payments to SMBs in the logistics sector; and
• Alan Nalle Chief Strategy Officer of Patientco, a payments platform with intuitive, mobile-friendly tools for Health Systems to enable patients to pay their healthcare bills.

This conversation illustrates the breadth of payments and the focus required to solve the specific payments needs of each industry segment.

Robin, Mike, and Alan will join Glenbrook partner Beth Horowitz Steel on her panel called Innovative Solutions – Solving Difficult Payment Needs at the Fintech South conference, held April 22 and 23 in Atlanta.

Five years on from Apple Pay’s release, contactless payment cards are just getting off the ground here in the U.S. but in much of the rest of the card world, contactless payments of both kinds are common practice. In London, half of the card transactions are contactless. The same is true in Canada. While it’s true that the vast majority of these are card-based, not via mobile wallets like Apple Pay and Google Pay, even the mobile wallets are gaining momentum.

To expand contactless usage, Mobeewave has developed software tools for financial institutions to integrate into their merchant app that turn the merchant’s smartphone into a contactless acceptance device. No added hardware: software only.

We’re talking with Maxime de Nanclas, Mobeewave’s co-CEO and co-founder. A firm based in Montreal, Mobeewave has worked to turn smartphones into general purpose contactless payment terminals.

This is cool tech and, as Maxime tells it, a great journey for the company. Take a listen as he describes what their software does, how they built it, and their experience navigating the complexities of device certification.

The U.K. and the EU take a very different approach to payments industry evolution than here in the States; the former directed by government mandate, the latter by marketplace dynamics and the lighter touch of regulators. But both are responding, at different speeds, to the need of fintechs and enterprises for access to bank-based data and services.

The Payment Services Directive 2, PSD2, written in 2015 and in effect since January of 2018, addresses a range of concerns including a ban on surcharging on card payments and limiting consumer fraud liability exposure from 150 to 50 euros. But its major impact is its enablement of Open Banking through the granting of access to payment rails and payment data managed, up until PSD2, only by banks. Banks are required to open up programmatic access, via APIs, to that data.

In this Payments on Fire® episode, we dive into the U.K. and EU experience with the PSD2 a year after it going into effect. We take a look at its impact on Open Banking, the opening up of payment rails to these fintechs and other non-bank players.

To do that, Myles Stephenson, CEO of B2B payments firm Modulr, discusses his firm’s experience as an Electronic Money Institution, an organization chartered by the U.K.’s Financial Conduct Authority (FCA) under PSD2 rules. Under its provisions, Modulr gains, or will gain, the ability to initiate payments on behalf of its customers as well as access customer data.

While incumbent financial institutions are hardly thrilled at the prospect of opening up their systems to fintech competitors and the cost of doing so, the operational improvements for customers and increase in competitive activity are expected to generate many benefits.

Cross-border B2B payments are frustrating, time consuming, and expensive, especially for small and medium businesses. To dig into why and what’s being done to overcome those concerns, join George and Marwan Forzley, CEO of Veem, for an explanation.

SMB B2B payments, particularly cross-border payments, have always been time consuming to accomplish and expensive to do.

They are time consuming because sending an international “wire” payment was historically slow with uncertain delivery timing and with uncertain, and high, costs to both the sender and the receiver. For the sender, the process of initiating a cross-border payment has always taken no little time compared, for example, to writing a check.

Cost is a second concern because cross-border payment economics are not always transparent. At least a few times a year, when Glenbrook gets paid by one of our international clients, the funds we receive are less than what we invoiced. While our client sends us the correct amount at the prevailing exchange rate, intermediaries along the way may take “bene deduct fees” – beneficiary deductions – from the funds in transit in order to compensate themselves for their services. I prefer the more accurate term of “lifting fees”.

This uncertainty of timing and cost affects millions of small businesses participating in the global supply chain.

Companies like Veem, Western Union, TransferWise, PayPal and many others compete on speed, predictability, low cost, and global reach. Super helpful integration into business accounting and AR/AP functions is a big plus.

Veem’s story is compelling as it began using the bitcoin blockchain to send money between its operations in multiple countries. Since then, the company has added other partners and its own in-country account balances to fund transactions. Veem’s SMB customers can send money to 90 countries and receive funds in 25. The company has served over 100,000 SMB customers.

If blockchain, cross-border, B2B, small business and fintech are terms that interest you, take a listen to George and Marwan as they catch up on the company, SMB pain points, and the impact of Chinese tariffs on Veem customers.

If you’re in Atlanta in April, check out the Fintech South Conference. Glenbrook partners Elizabeth McQuerry and Beth Horowitz Steel will be there. Get in touch!

The digital marketplace model brings together buyers and sellers and, frequently, handles the money and payouts to the sellers.

As my guest today has determined, digital infrastructure, eCommerce usage, competition, and workforce characteristics influence a country’s ability to establish a flourishing marketplace component to the economy.

This marketplace economic model is a useful one enabling, among other use cases, the gig economy. Adopted in countries like China, the U.S., Canada, the U.K., Australia, and other established markets, this episode’s guest, Tomas Likar, Head of Business Development and Strategy at Hyperwallet, has done a lot of thinking about its role in these and other countries.

This podcast was prompted by Hyperwallet’s February 2019 release of its Marketplace Expansion Index report, the MEI, that evaluated the marketplace readiness of some 36 countries.

A surprise is the early stage of marketplace adoption in a number of otherwise highly developed countries.

The application of the marketplace model to human labor is, of course, not without controversy and concern. Steady employment with guaranteed benefits is no longer an attribute of employment in many countries, replaced by the uncertainties of the gig economy. That’s the downside concern. On the other hand, these marketplace services provide access to otherwise unavailable work and that is good news for individual and, by extension, domestic economic well being.

Take a listen to this conversation with George and Tomas Likar of Hyperwallet for an overview of marketplace adoption and the variables affecting its uptake.