Cents Chat
Welcome to Cents Chat, the podcast that's changing the game for ISVs, Payment Facilitators, and Marketplaces! From demystifying complex regulations like FinCen and PCI to the latest on Visa and Mastercard rules, our team breaks it all down with a dash of humor and a ton of insight. Whether you're looking to stay compliant, stay ahead, or just stay entertained, Cents Chat is your go-to source for all things payments. Tune in and join the conversation – it's the most engaging and fun you’ll have learning about payments!
The Missing Multi Factor Mindset, Payfac Paralysis, Class Action Chaos
Is Zoom to blame for over 500k username/password combinations being hacked and sold on the dark web?
ISVs have increasingly recognized that they can embrace payments to increase their revenues, but why shouldn’t they do it themselves?
DoorDash, GrubHub, Uber Eats and Postmates accused of charging exorbitant fees, using monopoly power, and charging up to 40% of the sale price.
SPEAKER_00: Welcome to this episode of Cents Chat with Jason and Hayden. Let's jump right in to make payments make sense. Hayden, as much as I hate to admit defeat, the consensus from our listeners is you are indeed the pretty face. So it's great to have you back in the office, pretty face and all.
SPEAKER_01: Yeah, it's great to be here, Jason. It's great to see you too. Being in here is the only thing that escapes my quarantining lifestyle. So let's dig into these stories. The first story, the missing multi-factor mindset. Don't be dragged through the headlines like Zoom.
SPEAKER_00: Next, we'll cover PayFac paralysis, which is not another symptom of coronavirus.
SPEAKER_01: Lastly, class action chaos. Is there about to be a frenzy around food delivery? Approximately 500,000 Zoom username password combinations were compromised due to a credential stuffing attack. Is Zoom to blame for this?
SPEAKER_00: Well, Hayden, not really. Our friends at Zoom have really been dragged through the wringer in the last few weeks over security concerns. And I'm a huge fan of Zoom, but I can't fully fault them for this. Credential stuffing is a practice where hackers use previously compromised passwords and they essentially brute force particular service providers, in this case, Zoom was the target, to figure out if any of the existing combinations they have work for a particular service provider. Anything that they find that they're able to log in with, they turn around and they sell those on the dark web for pennies per set of credentials. So the actual compromise itself did not stem from a data breach or hack of Zoom, but stemmed from utilization of credentials that were previously compromised from other websites.
SPEAKER_01: You say Zoom is not really to blame for this, but what could they have done better? It seems like this type of attack could potentially target any company.
SPEAKER_00: Hayden, you're absolutely right. Almost anybody is vulnerable to this type of attack if they're not utilizing multi-factor authentication. And I know that is a security feature that Zoom has available on their web-based platform. However, it's not built into their desktop client. I think just about every company out there should have multi-factor authentication enabled by default when a new account is created and encourage their customers to be more cautious with their credentials and the services that they use. I think the other side of it, and this is where I don't fault Zoom, is that security administrators for the customers of these products have the ability to enable multi-factor authentication, usually company-wide, so that every user is forced to use multi-factor authentication. The second piece of it is corporate policies on password security management. All too often, people use the same passwords for every website that they log into, which is exactly how these credential stuffing attacks happen. If you've got the same password on every website and one of those websites is compromised, those credentials can be used for a variety of other vendors, right? Online banking, stock trading, video conferencing, you name it, right? The list is limitless.
SPEAKER_01: Jason, you say unique passwords for every website, but that seems like it could potentially be a lot of passwords to remember.
SPEAKER_00: Yeah, especially for an old guy like me. Every time somebody asks me how old I am, I have to calculate it because I can't even remember my own age anymore. But there are great password management solutions out there. The way that I handle this personally is I use a product called Dashlane, and every website that I have credentials to has a very long, randomly generated, complex password that's stored encrypted locally on my computer. That means that every website has a unique password, and if one website were to be compromised, the rest of my accounts would still be safe.
SPEAKER_01: Jason, multi-factor authentication is an added step that a lot of customers don't seem like they are ready to embrace.
SPEAKER_00: Hey, and I agree, it is an added step. But I think as security administrators or responsible vendors, we need to protect our customers from themselves. And multi-factor authentication is one of the simplest ways to prevent account compromise and account takeover. All of our products that we build have multi-factor authentication enabled by default. And at some levels, depending on your roles and permissions, it can't be disabled. We continuously have conversations with our customers to educate them on the importance of multi-factor authentication and also make it as easy as possible for them to implement so that it poses as little burden as possible. The other thing that I think is important, especially if you're in the financial services industry and the possibility of an account compromise could deal with theft of funds or misappropriation of funds, I think it's important to have the customer acknowledge that if they're going to disable multi-factor authentication, that you as a service provider are not liable for any activity that happens if their account is compromised.
SPEAKER_01: I agree with you, Jason. And if you are concerned that maybe your data has been leaked in one of these breaches, you can go to Cybersecurity Cybels Am I Breach Data Breach Notification Service, and they'll tell you exactly where your data is going if it was breached at all. Well, Jason, I know your credentials are safe, but let's talk about your time. I can't even add up the amount of hours that I hear you talking to ISVs about what's involved in becoming a PayFac.
SPEAKER_00: Hayden, you're not kidding. I think PayFac is definitely the shiny new thing in payments. One of my favorite analogies is it's like the web 2.0 trend of payments. And I get it, it makes a lot of sense. You have some great software companies out there that are building niche market products for specific industries. And a lot of them, when they start out, their idea is, you know, we'll use Stripe, we'll use Braintree, we'll use Adyen, we'll use one of these guys that makes it really easy to enroll as a merchant and start processing payments. And that's how a lot of them start. And then once they get a little momentum, they realize that payments is a revenue opportunity. And all along, they've just been essentially donating that additional revenue stream to the Stripes of the world. And they develop what I like to call PayFac paralysis, where they start spending so much of their time and efforts on researching and trying to become a PayFac. And I don't think what they realize is what's really involved. There's a reason that there are companies that are solely dedicated to providing payment services. It's really a huge undertaking from a technology, risk, and underwriting perspective for somebody who doesn't have the core payments competency to become a PayFac.
SPEAKER_01: Yeah, it sounds like part of the driving force is the ISV looking to get in on the payments action and increase revenues, but is there a way to do this without becoming a PayFac?
SPEAKER_00: You're 100% right. That is what is driving them down this path. And I think there are a lot of viable alternatives for ISVs to get a piece of the payments action without actually becoming a payment facilitator themselves. We work with a number of banking partners and wholesale ISOs whose core focus is working with ISVs. And it's almost like a PayFac in a box or a PayFac incubator type scenario where they can get all of the added benefits of being a payment facilitator without having all of the overhead and expenses of doing it themselves. And we've created some super viable partnerships between ISVs and acquiring banks who have an appetite for technology-based companies that have a payments component to their platform. In the long run, it's a much more profitable opportunity for the software company because they're not diverting resources into an area where they don't have core competency.
SPEAKER_01: Yeah, that certainly sounds like a much quicker roadmap. And speaking of roadmap, it looks like a lot of ISVs sacrifice developing new features to attract more customers in order to build payments technology.
SPEAKER_00: Spot on, Hayden. You know, my message to most of the ISVs that I talk to who don't have a lot of payments experience is focus on your product, right? You've built a great product in whatever vertical that you specialize in. Maybe it's salon software, maybe it's gym software. You know that business inside and out. And diving into payments is a massive undertaking. Find the right payments partner, right? You get all the upside of being a payment facilitator when you find the right payments partners, and then you don't sacrifice building the features and functionality that your customers want. At the end of the day, most of an ISV's customers don't care whether they're a PayFac or not. What they care about is the value that that product adds to their business. So focus on adding more value to your customers' businesses instead of trying to become an expert in something that you're not.
SPEAKER_01: Knowing about the years you have spent developing payments and compliance technology, I can attest to the complexities and overhead of being a payments company. So let's talk about a few PayFacs that took the long road: Uber Eats, Postmates, DoorDash, and Grubhub.
SPEAKER_00: Yeah, I've definitely dedicated a lot of my life to payments technology. And in fact, if it weren't for that group of companies, I probably would have died of starvation with the long hours in the office.
SPEAKER_01: Yeah, I'm right there with you, Jason.
SPEAKER_00: So you mentioned that those guys were in a lawsuit. Tell me more about it.
SPEAKER_01: Yeah, well, the lawsuit has been said to have no ties to the coronavirus and was filed last Monday in a federal court in New York. But these food delivery service companies are being accused of charging exorbitant fees and forcing restaurants to raise prices for dining customers, which in some severe cases is up to 40% of the sale price.
SPEAKER_00: That's ridiculous considering the average cost to process a credit card transaction is around 2%. The fact that they're charging 38% above their cost is probably indicative that they're trying to offset huge payment technology expenses in addition to their core application development.
SPEAKER_01: Yeah, well, several customers even allege that they have monopoly power that they wield against restaurants and consumers. They're basically forcing restaurants to charge uniform prices for restaurant menu items throughout all purchase platforms, which then prevents restaurants from charging different prices to meal delivery customers than they charge to dine-in customers for the exact same menu items. And based on the lawsuit filed, that restriction is what qualifies as an unlawful price restraint.
SPEAKER_00: I'm certainly not in that vertical, so I don't understand all of the expenses associated with it. But I know every time I use one of those services, they're also charging me delivery fees and other fees on top of the items that I purchase. So it just doesn't add up. I think one of the possible outcomes of this is restaurants start doing something very similar to cash discount programs, where in order to comply with the terms of the meal delivery services, they offer discounts to their customers that pay with cash in-house. And I think it only creates complexities and mistrust with the business's patrons. But I understand it, right? The business has to make money too.
SPEAKER_01: Yeah, I think it's gonna be interesting to see how this shakes out in court, but it sounds like there's definitely gonna be a big opportunity for some new players in the food delivery service vertical.
SPEAKER_00: You're right, Hayden, and they're already popping up. In fact, we've been working with an ISV that is in that exact vertical, and they're going to market charging their merchants three and a half percent. So I think there's a big opportunity for companies who structure their payments relationships right to come in and compete against the big names. And I'm sure the restaurants will be more than glad to jump on board and pay three and a half percent as opposed to 40%.
SPEAKER_01: All right, Jason, it is time to make payments make sense. Give me the takeaways.
SPEAKER_00: Well, payment supply chain, if you're not heavily pushing multi-factor authentication to your customers, you're asking for some negative press. ISVs, focus on your core product and the features that help you get new customers, and find the right payments partners. And lastly, if your pricing structure ultimately hurts consumers, you're only painting a target on your back for new competitors.
SPEAKER_01: Thanks for joining us today. And if you've got a topic you would like us to discuss, follow and message us on social media at CentsChat. And as always, we would love your feedback. Hey now.