Transactors: Are Cards Ready for Their Closeup?

 

By Karen Epper Hoffman

 

A technique that allows consumers to capture card information with PC or mobile-phone cameras could make for faster, more secure transactions. Is anything wrong with this picture?

 

 

 

A picture may be worth a thousand words, but is a picture also the surest way to eliminate online card fraud?

 

Technology is emerging that puts a new spin on card verification in online or mobile scenarios: To confirm that the shopper is using a valid credit or debit card, take a picture or a video clip of the card at the point of payment using the camera on a computer or cell phone.

 

Over the summer, Silicon Valley startup Jumio Inc. launched NetSwipe, a solution that allows consumers to shoot a short (quarter of a second) video clip of their payment card using their PC’s Webcam, ensuring that they really have a valid card and limiting the need for tedious data entry on the checkout page.

 

While Mountain View, Calif.-based Jumio’s service is currently targeted at desktops, chief executive Daniel Mattes says a mobile application and developer tools should be available later this year.

 

San Francisco’s card.io, founded a year ago September, boasts an offering that’s similar. Card.io’s mobile application allows purchasers to take a picture of their credit card using the camera phone on their Android or iOS handset to authenticate their transaction.

 

Within the transaction, when it’s time to enter payment, the user holds up their card in front of their cell phone’s camera; the software helps indicate to the cardholder when the card is centered and close enough to be read clearly.

 

Card.io, which is targeting developers, promotes a software development kit for those two mobile operating systems as well. Users so far include Venmo, a social-payments network, processor Merchant Billing, Qthru, a retail-shopping application, and TaskRabbit, an online household-services marketplace.

 

Unlike Jumio, card.io focuses on mobile commerce, and users take a picture of the face of their payment card, not a video clip. Why focus on the mobile platform when most e-commerce transactions are currently taking place via PCs? “Mobile is where there’s a lot of friction for [e-commerce] transactions,” says Mike Mettler, co-founder and chief executive for card.io. “That’s why most users won’t take the time to make a purchase on their phone.”

 

Off-line to Online

 

The concept takes a page from remote deposit capture, a service that in recent years has grown in popularity as well as reach, from larger businesses to smaller ones and most recently to consumers. In remote deposit capture, the customer uses a basic flatbed scanner, a specialized device, or the camera on their mobile phone to take a picture of their checks and send those online to their financial institution as images for deposit.

 

In some ways, though, snapping images of a card might have an advantage over scanning a check. “It’s an interesting idea,” says Beth Robertson, director of payments research for Javelin Strategy & Research, drawing the comparison to RDC. “And, in many ways, there’s not the same issues you might have with [remote deposit capture technologies] because you’re not trying to verify the handwriting as you are with checks.”

 

Mattes, who previously founded voice-over-IP company Jajah, became interested in the idea of “bringing the security and convenience of the off-line world online” by using the cameras that are increasingly being built into computing devices. After selling Jajah to Telefonica in December 2009, Mattes approached a group of Israeli engineers and acquired the source code for what has become Jumio’s NetSwipe.

 

Taking a picture or video clip of the card, proponents say, will not only make payment faster and more convenient for customers, but will reduce the likelihood of fraud. Mattes claims that Jumio’s NetSwipe application can determine whether a card is made of plastic (rather than, say, glossy cardboard), whether the numbers are embossed properly, and if the card’s hologram is genuine, limiting the opportunity for crooks who steal card numbers or simply try to use a fake photocopy of a credit card.

 

Customers using NetSwipe are directed to hold their card up to a field of view on the Webcam for at least 250 milliseconds while the video stream is shot and then verified. Using mouse clicks as a security measure, customers enter their PIN to enable PIN debit transactions. An encrypted video stream will also stop keylogger attacks, Mattes adds. He says the video feed is not saved by Jumio.

 

Gary Glover, director of security assessment for SecurityMetrics Inc., says using video is preferable to just snapping a photo of the card, as it “makes it easier not to save [the video] somewhere.”

 

Mettler says that, like Jumio, card.io never saves card images. He argues that taking a snapshot of a consumer’s card can work functionally as well as Jumio’s video scan. “At a high level, it’s a computer vision problem. There’s only two things to consider: Is it secure and does it [read] the card? Video or not is not the key question,” says Mettler, who helped start card.io after working at AdMob, an online advertising network.

 

“A Long-Term Process”

 

The beauty of this design, whether as embodied by Jumio or card.io, is that it requires little from the consumer or even the merchant, according to Javelin’s Robertson. “It could give the ability to authenticate and authorize transactions … using technology that’s already built into the laptop or the phone. That’s a real benefit, not to need extra hardware.”

 

Indeed, Mattes often refers to NetSwipe as “Square without the hardware”—comparing his card-authentication solution to the mobile-based card reader that has been capturing a lot of attention and arguably merchant adoption in recent months.

 

Aside from security and automatic hardware availability, Mattes believes the biggest selling point of NetSwipe for merchants and users will be the convenience of not having to enter as much information, which in turn, he adds, will result in fewer transactions abandoned at the point of purchase. “The main advantage is simplicity,” Mattes says. “If you can reduce the churn [of] people dropping out from entering their card information, you can increase revenue.”

 

In the first half of this year, Jumio conducted a pilot with 2,500 users, and then surveyed them. The percentage of customers who aborted their transaction during the data-entry stage dropped from 52% without NetSwipe to 21% when they used NetSwipe. Additionally, 97% of these pilot users said that they prefer NetSwipe to traditional mechanisms for keying in credit card details, and 89% thought that it adds extra security comparable to a card-present transaction.

 

While early-adopting consumers may be sold on the idea that making online card payments via NetSwipe is equivalent to a card-present transaction, card networks may take a bit more convincing. Since networks typically price card-present transactions with lower interchange than card-not-present payments, that could limit the potential advantage of reduced transaction costs for merchants.

 

While Mattes claims the use of NetSwipe could reduce the potential use of fake or stolen card numbers to “zero,” he admits that “achieving card-present status is a long-term process.” Another drawback is that prepaid cards aren’t eligible, since too few come embossed, says Mattes.

 

“Prove It”

 

Nonetheless, Jumio is finding meaningful support, both in terms of financing and merchant adoption. In March, it received $6.5 million in funding from a group of investors led by Facebook co-founder Eduardo Saverin, who also sits on Jumio’s board of directors.

 

“I am very excited to be involved with Jumio, which has developed a ground-breaking technology that fulfills two of the most important aspects of payments processing: heightened security and a simplified user experience,” Saverin said in a prepared release at the time of his funding.

 

In August, blogging behemoth WordPress announced it would offer the NetSwipe plug-in through its Web sites, so that bloggers could encourage more payment for digital goods and products or donations. Mattes says Jumio has a number of other unnamed merchants signed up as well. Smaller merchants that connect to Jumio through the cloud pay a flat 2.75% fee per transaction, while larger merchants will integrate NetSwipe into their checkout system and pay a negotiable rate.

 

Meanwhile, card.io said in late September that its application was live on 80 apps, with another 750 waiting in the wings. Enthusiasts include Venmo, which has said publicly that card.io takes 20 steps out of the process of entering card information. Pricing is 15 cents per scan, with no contract required and no setup fees. This is on top of ordinary card-acceptance fees.

 

Still, the road to a picture-perfect future for this payment approach could be a tough one. While Jumio and card.io boast impressive early support and a simple approach that doesn’t require much of users, there are still several issues that need to be brought into focus.

 

One of the key concerns for online merchants is lowering interchange, and as yet, as noted, even transactions conducted through NetSwipe are not necessarily considered card-present, and therefore eligible for lower discount fees. “If you can’t offer merchants lower interchange, they’re going to question how this saves them money,” says Paul Tomasofsky, president of Montvale, N.J.-based Two Sparrows Consulting. “They’re going to say ‘prove it.’”

 

Also, Glover questions whether the video stream could be compromised or accessed en route. Unlike a dedicated point-of-sale device, a laptop is not designed to be locked down as securely and used for the sole purpose of communicating transactional information. This could become an even more pronounced issue when NetSwipe moves to mobile, Glover adds, since there are so many open applications on the average smartphone.

 

As for card.io, some payments experts question whether consumers will go to the trouble of reaching for their wallets each time they need their card for a transaction. Instead, they may prefer a mobile wallet stored on a secure chip inside the phone, a scenario embodied, for example, by the emerging near-field communication systems being developed by Google Inc., Visa Inc., and Isis, a joint venture of the nation’s largest wireless operators.

 

Also, as Glover points out, until a significant number of customers start embracing this technology, online merchants will have to keep accepting payments the old-fashioned way, without viewing the card and with customers typing in their card details.

 

While Mattes estimates that 90% of PCs now ship with Webcams, “not everyone has a Webcam or knows how to or wants to use it,” Glover says. “I can’t imagine a Web commerce merchant that would only take Jumio.”