ICA Sydney Seminar

Payment and Billing Systems

Wed July 12 5.30pm - 7.00pm - Sydney

Presenter: Duncan Unwin, Product manager, QSI Payments, Inc.

http://www.tomw.net.au/2000/icaqsi.html

Good evening. I’m Duncan Unwin and I’m a Product Manager for QSI Payments, Inc. For those unfamiliar with QSI, we are an independent software developer based in Brisbane. For the financially inclined, we are privately owned and Goldman Sachs is our major external investor. We have just nudged 100 people, mostly developers and engineers, and we mainly work outside Australia. In fact, last year 90% of our project effort was overseas, mainly in Asia and Europe, with offices in Brisbane, Melbourne, Hong Kong, London and San Francisco. Our customers include HSBC, Royal Bank of Scotland, MasterCard, Cardcard and Virgin Airlines.

We have been focused on ePayments since 1996. We first became involved in this area via a pilot of a secure Internet PIN-based Debit Scheme, called Project Huntsman (also involving the Qld TAB, Metway bank and Eracom, with QSI writing the software). Back then we were known as Queensland Systems Integration. We started out 10 years ago as a JV between Mincom, BHA and Stallion. It may come as a surprise for some in the audience to realize that there are technology companies north of Ryde. There are, and even some focusing on payments.

After Huntsman, we undertook more work in ePayments, particularly with the then Tandem organization, later to be Compaq. We would claim, for example, that we have as much experience in implementing SET solutions as anyone in A/Pac. We realized at that point that there were few complete ePayment architectures and that the point solutions were immature, fragile, poor performing and, in a word, dead-ends. By doing integrations, we realized that this was something that appears, at first glance, to be simple, but when you get into it, it is quite complicated. We saw the opportunity to build a unified payment architecture, as a product, that made life a bit simpler for banks, merchants and their customers to get together, and to do this in a secure way. This was the start of the journey that would turn Queensland Systems Integration into QSI Payments.

While we started doing SET, most of our systems used in anger today are doing SSL Credit Card processing. In the past year, we have seen a strong move into other payment instruments (such as funds transfer and debit) and into the B2B space.

Enough of the Ad. I wanted you to have some context to put my comments in tonight and because Andrew McPherson, when giving the brief for tonight, stressed that I should emphasize the practical over the theoretical, and I want to assure you that the comments I make come from that perspective.

I want to talk tonight on the topic of ‘what’s wrong and right with ePayments’.

I will focus on a continuum from B2C to B2B, as I don’t believe there are many fundamental technology differences, but more a continuum with different market applications. I will also try to give a global perspective, rather than an Australian or US view.

I will also be taking the Merchant and Customer’s view as much as possible. In my experience this is something often missed in discussions of payment systems. So apologies to the Bankers in the audience, but you will find I do not address intrinsic country or counter-party risks, fraud management, regulations or back-end technology in an adequate manner. I take this stand because I think, unless we establish the value proposition for Financial Institutions, Merchants and Buyers, then we cannot be successful. This is the lesson learnt from the failure of SET.

I will have a virtual assistant in this task, Rene Pelegero. Rene is the Director of Payments for Amazon.com and he gave the keynote speech at Payments 2000, the main NACHA conference. I think it reasonable to assume that Amazon has some experience in this area and I will be quoting him on several occasions.

What does the e-business agora look like today?

And what do the billing and payment relationships look like?

And what about traditional payments over the Internet?

Of course these are still an issue. We all want to pay our phone bill and get paid by our employers. We will often do this via a check or with cash. There is also increasing traffic from IVR and call centers needing to be processed. All of this leads to lots of complexity for merchants integrating ePayments, but more on that later…

It’s worthwhile looking at the payment instruments being used out there on the Internet.

Of course, credit and charge cards are the most common. My prediction is that for consumer payments, this will continue to be the case for some time, if not forever. They have many attractive features – most particularly their near universal acceptance and the well-established authorization and settlement networks. There are negatives.

Their security is weak and transactions must be processed under the MOTO (Mail Order – Telephone Order) or Card Not Present rules. A major problem is the inability to authenticate the cardholder and prevent repudiation of transactions. This leads to increased fraud and higher merchant charges. One point the industry has been slow to respond to is scaling the Merchant Service Fee to reflect the risk of the individual merchants. We see wide variations in sophistication and fraud rates between different merchants. Amazon, for example, has quite a low consumer fraud rate.

There is often the misconception that without cardholder authentication via a SET wallet, there is nothing that can be done here. This is not the case. There are practical steps that can be taken by merchants, processors and financial institutions to control and manage fraud. Let me give a real world example. A merchant of ours was complaining of losses from fraud. I asked them to categorize the attributes of customers who had initiated charge backs. This merchant sold 98% of their goods in Queensland. In fact, the information they were selling was likely to be useful mainly to a Queensland marketplace. Interestingly, most of the charge backs came from overseas customers. The solution was to handle these orders via a different process. Rather than allowing an immediate download, the customer was contacted via phone and a fax was dispatched requesting a signed authorization to be returned. The result has been zero charge-backs with no impact on sales.

There are actions the banks can also take to improve the situation. I met recently with a card issuer in South America who has email addresses of their customers on file and every time a MOTO transaction comes through BASE1 (the card scheme authorization stream), they automatically generate an email saying that a charge from this merchant for this amount has been received and to contact the bank within 24 hours if they did not perform the transaction. This is a very simple and cheap, yet effective, measure.

The card schemes are also active, post SET. VISA and MasterCard are both working on non-SET payer authentication schemes, loosely based on a server wallet at the issuing bank (or hosted by the card schemes). Expect these to make a debut within 12 months. Fraud is something we need to manage but it’s not going to stop e-Commerce. The insurance companies can smell a buck underwriting merchant and cardholder risk and this poses a real threat in the longer term to the banks’ market. In response, some of the more proactive issuers and acquirers are ‘guaranteeing’ e-commerce transactions for fraud. Consumers consistently list fraud as a concern but this does not seem to inhibit growth in e-retailing.

In the B2B space, purchase cards are likely to be increasingly popular over the web. Of these, the VISA purchasing card and Amex seem to be leaders. Expect this to be popular for ad hoc purchases of less than $10,000. This is quite a large percentage of business transactions.

There are some places in the B2C market place that Cards will not fit well. Low value payments and sales to minors are examples. In the B2B market place, cards are a bit of a square peg. So what other payment instruments are out there?

In the US Checks are widely used for payment and we are seeing this translate into the virtual world. The use of e-Checks (which today means entering your a/c number from the bottom of your check book and having the transaction cleared by the ACH!) is increasing, particularly for C2C and B2B payments. Typically these transactions are lower cost than credit cards. Conceptually, in terms of what these instruments DO for you, these ‘E-Checks’ are very similar to funds transfer, direct debit and direct credit, so I’m going to talk about them as one family of payment instruments, funds transfer. In Australia many companies pay suppliers and employees via BECS Direct Credit and I would think it logical that this will move to using the Internet. In fact, I am aware of such an initiative under way at present. There are also streams for high value clearing. If you want to send money overseas you need to use a TT. That is one of the issues: every country is different. I want the same global reach as credit cards but this is some way off for funds transfer. With direct debit, the absence of electronic payment authorities and rules designed for the physical world have held back uptake. There are initiatives such as WATCH, which are trying to solve these problems – about two years too late but we must not get impatient.

Here I’m going to get a bit controversial. Most of these Funds Transfer Internet schemes are based on Public Key Infrastructures (PKI). This is logical. One of the most sensible ideas I have seen for a while is the Identrus initiative, where the banking industry is trying to be the issuers of identity for commerce. This makes sense to me, as this has been a traditional role for banks. Personally, I have more faith in this type of approach than relying on governments to roll out identity services – something they have not been very good at in the past.

I do have concerns about some of the technology, however. Specifically, I am dubious if Smart Cards are the right choice for holding the certificates. Not because I’m against smart cards or think they are insecure, but because there is a minefield of problems in rolling out the readers into different operating system and browser platforms. At QSI we test our web applications on 16 different O.S./browser combinations. Our work with the software ‘standards’ for interfacing with the readers and cards, and variations between manufacturers, suggests that this is pretty much an impossible task in a heterogeneous environment. If you have ever rolled out a PKI infrastructure, you will appreciate it is possible but requires a lot of effort. Add a current generation smart card, reader and software and you have real problems.

If there are any Smart Card manufacturers in the audience, consider this a request for the industry to rapidly mature before we get into prime time. If you do, then perhaps QSI will sell more copies of its Mondex gateway <pause>. If there are bankers in the audience working on such schemes, can I suggest you do a practical test? Ask your IT people to roll out a PKI infrastructure on smart cards to the people in your own workgroup, say to sign emails, before committing to doing it for every business and consumer in the land. To make it fun, make sure you have a Windows 95, 98, NT4.0, Windows 2000, IE4.0, IE5.0, Netscape, Apple Mac and Linux environment. Let’s not do another SET. Let’s get real - how about using CDs or floppy disks to store the private key – it’s simple, cheap, relatively secure and easy to roll out – at least in the meantime.

There is another negative of funds transfer – the cost of integration. It is another payment instrument for merchants to deal with and, in the traditional world, the integration is complex and difficult. I remember a project I was on, many years ago, paying bills with BECS files. It cost us, as an SME, about $30K for the integration into our MIS system. Most of this was the complexity of exception handling. This was when $30K Ozzie was still worth something. This is a problem that QSI is trying to address at present – we want to make this a non-issue for merchants and I think we have a reasonable chance of doing this.

What other instruments may feature in the year ahead? This year in the US we will see the launch of SafeDebit, a PIN debit equivalent scheme that routes transactions into the traditional debit network and requires no change to that back-end network. This is backed by NYCE and supported by the other major processors. It uses a small CD as the authentication token. There are a number of other initiatives, such as NACHA and Maestro, but we think that with several million cards issued by next year, SafeDebit will be a major US player. QSI certainly believes so and has been a leading developer, and I’m pleased to announce that next week will see the announcement of a major project overseas based on this Scheme. Debit will be attractive for merchants wanting to sell to minors and for on-line gambling, where credit is prohibited. It will also be much cheaper per transaction, and so merchants selling low-ticket price goods will be attracted. I think there is also a good chance that this type of scheme can play a role in the short to medium term for Business to Business Payments. Most of the infrastructure is there and all we need to do is fix the problems with limits on the debit interchange links.

EMoney. When I was last in Hong Kong, the level of subway advertising by Beenz.com amazed me. They may not yet have many Beenz but they are spending a lot of hard currency in Ads. I think there may be some penetration for these e-money schemes but at present there are too many providers with too few users and merchants. I suspect that after some consolidation, this market may establish itself in certain market segments but I have not bought any shares in these companies as yet.

Enough of the practical. Some interesting things on the horizon include:

Returning to the main thrust of my talk. What do merchants want?

What do Consumers want?

What do businesses want for B2B Payments?

In conclusion, you can see that there is progress in ePayments. I think more and more banks and merchants must deal with the issue of payments on the Internet. There is a lot of FUD (Fear, Uncertainty and Doubt) out there – particularly in regards to credit card payments from consumers. There is also a certain naivety in the B2B space. For example, I frequently hear B2B being equated to funds transfer. In fact a whole range of payment and finance instruments are required for different business requirements. Nevertheless, I am optimistic that we are seeing increasing sophistication from the designers of the payments systems, tempered with the lessons learned from first generation internet payment schemes. It may not be happening in Internet time, but it is certainly happening. Thank you, and I would now like to take any questions you may have.

HTML Markup Copyright © Tom Worthington 2000.