Wednesday, June 17, 2009

What a difference a few letters make - "a" or "the"

A lot of companies claim to be "the" leading provider of this or that. This is a common issue in the payment processing and infrastructure realms. Of course, rarely is there one true "the", and you can usually tell the difference between a start-up claiming "the" and a public company, which has to actually defend its claims and therefore more often says it is "a" leader.
Personally, I have always argued for the more mature stance at the various start-ups I have worked for: claim "a" leadership role in the relevant realm. Actually, nothing is more satisfying than being "the" and having everyone know it without your having to claim it.
Credibility, quality, execution, etc. really do matter.
So, my advice is to question anyone who claims to be "the" leader in their realm. If they are stretching the truth about that, what else are they stretching?

Wednesday, June 10, 2009

Bill Payment +/-

This post is from a user's perspective rather than a provider's perspective. I use both my bank's bill payment service and a variety of merchant direct bill payment programs that I have enrolled in. I use the bank approach mostly for the gardener, dentist, etc. I use the merchant approach for my wireless, water, gas & electric, etc.
It surprises me that there is so much inconsistency in the way the "biller direct" models work. I have also signed up for paperless statements from most of my providers. Regardless of how I get notified that a bill is pending, some statements include the dollar amount and the date that the payment will be processed, and others make you log in to get one or both of those pieces of information.
I am sure that some very smart and well-meaning programmers/product managers had good reasons for their individual approaches, perhaps security concerns about exposing account details in email, and/or the information needed to populate the fields was not easily available.
It would seem to me that some study of the best practices in this area could help further the adoption of these great programs, since consistency is key to mass adoption and to reduced customer service costs.
I personally prefer to be reminded of three key pieces of information: how much, when, and which account (credit card or checking) is going to be hit, without my having to log in and probe for that info.

PCI DSS (Payment Card Industry - Data Security Standard)

Much has been and will be written about this program. Like a lot of other aspects of the payments industry, there seems to be an endless supply of confusion on this topic. To be fair, it is a somewhat complicated topic. There are so many layers in the ecosystem that can touch and/or store cardholder information, and there are multitudes of ways that merchants implement their payment systems. During a recent discussion with a merchant client of ours and one of the qualified assessors, the assessor acknowledged that the program was designed for the common mainstream models, both ecommerce and retail, and that this particular merchant's situation did not easily fit. Nonetheless, this merchant, who could also be characterized as a quasi-service provider, was faced with a complicated dilemma.

While a lot of progress has been made on key aspects of PCI, such as the consolidation of requirements across payment brands, there is no end in sight for a simple "PCI for Dummies" tome that will answer all the questions.

Another relevant point for ecommerce merchants to consider is the +/- of allowing your gateway to handle PCI for you through what is called tokenization and/or a fully hosted order page. In both cases, while the appeal of avoiding PCI scope is tempting, it is important to make sure that your contract gives you the ability to get your data back if you end up deciding to switch vendors or take the process back in-house. Otherwise, those of you with 1-Click shopping or subscription payments will place your business at serious risk: the only thing you hold for each recurring customer is a token that works nowhere but at the gateway that issued it.
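To make that trade-off concrete, here is an added example (not code from the original post, and not any real gateway's API). It models a hypothetical gateway-side token vault, the card-on-file record a merchant keeps when it tokenizes at capture time, a scope check that nothing the merchant persists looks like a full card number, and a vendor migration whose outcome depends entirely on whether the old vault will export the cards. The `GatewayVault`, its `allows_export` flag (standing in for the contract's data-return clause), and the sample card number are all constructed for this illustration.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass


class GatewayVault:
    """Hypothetical gateway-side token vault (constructed for this example).

    The gateway keeps the full card number (PAN); the merchant only ever
    receives an opaque token to charge against later.
    """

    def __init__(self, name: str, allows_export: bool):
        self.name = name
        # Assumed to mirror whether the merchant's contract has a data-return clause.
        self.allows_export = allows_export
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Random token, not derived from the PAN: a leaked token reveals nothing about the card.
        token = f"tok_{self.name}_{secrets.token_hex(12)}"
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        # A token only works at the vault that issued it.
        return amount_cents > 0 and token in self._pan_by_token

    def export_cards(self, tokens: list[str]) -> dict[str, str]:
        """Bulk PAN return for a vendor switch; refused unless the contract allows it."""
        if not self.allows_export:
            raise PermissionError(f"{self.name}: contract has no data-return clause")
        return {t: self._pan_by_token[t] for t in tokens if t in self._pan_by_token}


@dataclass
class CardOnFile:
    """What the merchant stores for 1-Click or subscription billing."""

    customer_id: str
    token: str
    last4: str  # display only; cannot be charged or re-tokenized elsewhere


# Rough card-number shape; enough to catch a PAN accidentally persisted by the merchant.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def store_card(vault: GatewayVault, customer_id: str, pan: str) -> CardOnFile:
    """Tokenize at capture time so the PAN never lands in merchant storage."""
    return CardOnFile(customer_id, vault.tokenize(pan), pan[-4:])


def record_exposes_pan(record: CardOnFile) -> bool:
    """Scope check: does anything the merchant persisted look like a full card number?"""
    return any(PAN_PATTERN.search(str(v)) for v in vars(record).values())


def migrate_vault(
    old: GatewayVault, new: GatewayVault, records: list[CardOnFile]
) -> tuple[list[CardOnFile], list[str]]:
    """Move cards on file from one gateway to another.

    Returns (re-tokenized records, customer ids who must re-enter their card).
    Without an export right the merchant holds only opaque tokens, so every
    recurring customer is stranded until they re-enter their card details.
    """
    try:
        pans = old.export_cards([r.token for r in records])
    except PermissionError:
        return [], [r.customer_id for r in records]
    migrated = [store_card(new, r.customer_id, pans[r.token]) for r in records if r.token in pans]
    stranded = [r.customer_id for r in records if r.token not in pans]
    return migrated, stranded


if __name__ == "__main__":
    locked_in = GatewayVault("gwA", allows_export=False)
    new_gw = GatewayVault("gwB", allows_export=True)
    # Constructed sample PAN (a well-known test number), not a real card.
    rec = store_card(locked_in, "cust-1", "4111111111111111")
    print(rec, "exposes PAN:", record_exposes_pan(rec))
    print("charge at issuing gateway:", locked_in.charge(rec.token, 999))
    print("charge at other gateway:", new_gw.charge(rec.token, 999))
    print("migration without export right:", migrate_vault(locked_in, new_gw, [rec]))
```

Run it and the last line shows the failure mode the paragraph warns about: with no export right, the migration re-tokenizes nothing and every recurring customer ends up on the "must re-enter card" list. Flip `allows_export` to `True` on the old vault and the same call re-tokenizes each card at the new gateway with no customer involvement.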

p.s. I have been involved in both retail and ecommerce payment infrastructure for close to 30 years, and it never ceased to amaze me how much focus was placed on the fear of compromises coming from the Internet channel while little to no concern or governance was focused on retail until pretty recently. At least on the Internet, with the standardization around SSL, the transport security part of the threat was pretty well covered. Things really started getting crazy when retail terminals were switched from communicating over private lines (dial or leased) to using the Internet for transport, and neither the terminals nor the applications running in them had been architected from a security perspective.