Congrats to CyberSource!!!
I take a great deal of pride from having developed, signed and managed the relationship with Visa 11 years ago in spite of much skepticism both internally and externally!!! Visa invested $1.5m in CyberSource pre-ipo and agreed to the joint product, CyberSource Advanced Fraud Screen Enhanced by Visa. :-) Oh, the stories I could tell you!
A casual place for anyone who is interested in ecommerce or mcommerce payments to visit and chat.
Wednesday, April 21, 2010
Thursday, April 15, 2010
Data Portability in a PCI Crazy World!
I have written previously about service providers such as gateways and payment processors holding their customers' data hostage using PCI as the excuse.
There are two new efforts underway to raise awareness of these inappropriate practices:
portabilitystandard.org
groups.google.com/group/credit-card-data-portability
Please check out these two web pages and join the Google group on the subject.
Welcome your feedback!!!
Note - that the story I wrote about last fall is still not resolved.
Tuesday, April 13, 2010
Do Not Assume Payment Methods Are Universal! Neither Demographically nor Geographically!
One of the challenges we all face is being able to step out of what works for us and understand what any one or group of our customers is going to have a preference for. This is especially true for payment choices. The closest thing we have to “universal” in ecommerce is Visa/MasterCard. But, if you are selling to Germans, you better support something called ELV, which is a form of direct debit, or move on to another country. And, as a person with a marketing degree I have a hard time saying this, but surveying your customers to ask them what payment methods they want or what is most important about those choices may lead you down the wrong path. What people say they want and how they act in this regard can be significantly disconnected, i.e., is security important to you? Who is going to say “no”? But many payment methods have fallen flat on their face if the hurdles to usability are significant due to security. What was one of the things that made PayPal grow incredibly fast? All you needed was an email address. Of course, their fraud rates were through the roof too, but they had the luxury of taking in a whole bunch of VC money and being able to tolerate the cost, and eventually they dug themselves out of the hole. Two of the most important questions you have to ask yourself are: 1) what is my target demographic and 2) what geographies do I want to serve? Then and only then can you seriously research the options and start making decisions about what to offer.
Monday, March 29, 2010
More on New Text Alert System...
So, there it was this morning, the email from Wells about this transaction that took place last Thursday.
The only comment that I would make about this new mobile text alerting system from Visa that Wells has now deployed is that it should have been automatic that when I enrolled for that, the previous (and mostly useless) email alerting enrollment should have been cancelled or at least I should have been able to modify/cancel it.
My guess is that I was actually enrolling for the mobile alerts on a Visa hosted page, branded Wells Fargo. Even if it is not hosted by Visa on Wells' behalf, it is clear that the two systems are not in sync. I had to go this morning and de-select the overlapping alerts. The site is: https://rapidalerts.wellsfargo.com/rapidalerts/ .
Referencing my background dealing with phishing issues (i.e., PassMark Security), the Catch-22 with all of these things is the possibility that something potentially good, like these real-time text alerts, can be just another opportunity for phishing attacks. A URL like the one above could (or should) make someone like me suspicious about whether I am really at a legit Wells Fargo page or not. It is also interesting to note that Wells (or Visa) chose not to invest in a "secure" URL for such a sensitive page as this. You know those green URLs from Verisign and others called Extended Validation SSL Certificates. While I do not put much stock in these (or any of the "trust" seals), I doubt they cost considerably more and I guess they cannot hurt.
Thursday, March 25, 2010
Fair is Fair....Hats off to Visa...Genuine progress in fraud prevention!
Wells Fargo announced a few days ago that they were taking advantage of a new Visa feature. Of course, I had to immediately enroll. You then receive text message alerts when certain types and sizes of transactions occur. The idea is that if it isn't you, you can immediately respond and become part of the fraud prevention paradigm. I was somewhat skeptical, as usual, but as it turned out hours later I was picking up my wife's BMW from the shop (ouch $1200!!!) and while I was still standing at the check-out desk, my phone got a text reporting the transaction to me. It was very descriptive, telling me that my "Wells Fargo Card ending in xx was used at xxx Motors in xxx town for $xxxx.xx ...."
This is real progress.
I had previously enrolled in their alerting offer, but due to the number of different acquirers and issuers and the batch nature of credit card processing, these often did not arrive until days later.
Since Visa's switch is involved in the authorization of all Visa transactions, these alerts can go out literally in real time.
Of course someone will try and call this a mobile payment! (see my article in Venture Beat!)
http://venturebeat.com/2010/03/10/what-will-it-take-to-make-mobile-payments-mainstream-in-the-us/
Sunday, March 7, 2010
Progress...Finally!
Interesting tidbit in the WSJ yesterday - The Fed is down to one site in Cleveland, Ohio from forty five sites 7 years ago that processed paper checks. I specifically recall sitting with the CEO of the company I worked for back in the early '80s as he proclaimed we would be completely checkless within that decade. And you wonder where I get my skepticism about the pace of change in payments!!!!
Monday, March 1, 2010
FasTrak...example of over the top login protocols
The other day I went to log in to my FasTrak account online. I was amazed at how unfriendly their approach to the simple act of logging in was. It reminded me of how something that should be very standard, has taken on a life of its own and god bless them, but developers and bureaucrats left to their own devices, will get this wrong more often than not.
Instead of a simple username/password, with perhaps some underlying risk-based analysis and, if suspicious, maybe some additional authentication step, they first make you select one of three different username schemes that you have set up (as if you are going to remember which one you chose) and then once you work through that, they make you pick a 6+ digit password with not only a mix of letters and numbers but one letter has to be capitalized (as if you are going to remember). Then, the icing on the cake is they force you to enter a CAPTCHA on every log-in.
Now, if I was logging in to NORAD, this approach might be remotely reasonable, but FasTrak?