Monday, September 21, 2015

How Do You Want To Pay For That?

Magnetic stripe cards, touchless cards, chip cards, what does it all mean?  Read this to use the payment methods that will keep you safe from fraud.

I'll also talk about the opportunity toward the end in the "Business Opportunity" section.


Introducing The Credit Card
First of all, a review of traditional cards:  Your card has a short, 15-16 digit account number printed on it.  You can use this number wherever you can't find a card machine, such as when you buy things online or over the phone, and it's raised so that the next time you step into a taxi without an electronic card reader, they can easily get the card number with their machine that inks the bumps on the card.  The trouble with that is it's really short and easy to steal, so the card manufacturers came out with magnetic card reader machines in the 1980s to make it more difficult to copy.

The CVV code is written on the card and is never raised like the account number is.  Payment Card Industry requirements dictate that the CVV should never be stored, though it may be used to reassure the card processor that the user had the card in hand at the time the account number was stored.

Single Use Card Numbers
If you have authenticated yourself at your card issuer's site (or another site you trust), the card provider trusts your active session more than any payment made with a 15 or 16-digit account number entered on another web site or over the phone.  Several of the card issuers' sites offer a single-use alternative account number you can use to charge things to your regular account.  Simply log in, generate the card number, copy it to your computer's clipboard, and paste it into the vendor's web site.

Single use card numbers can be used for a single transaction or a single vendor.  They are quite secure, cheap to issue, and though not as easy to use as a plastic card, they can be entered via any machine and provide reasonably good security, rivaling magnetic card security.

Despite their advantages, customers aren't using them, and many card issuers have discontinued this technology packaged in this form, but as you'll see below, the technology is available in similar formats that are more convenient.

Magnetic Cards
Your credit card has a magnetic strip on it.  Overall, the technology is similar to a cassette tape, using magnetized parts of the strip to store the information, which is easily scanned by the machine.  Besides including the account number and name you see on the face of your card, the magnetic strip provides additional information you can't see on the outside of the card.  This extra set of numbers is like a really long password, designed to tell the machine that the genuine card is present at the transaction, and provides some degree of assurance to the card processor that the consumer is probably there, and that this is not a scam.

When the card is swiped, a series of on and off pulses is read by the magnetic reader in the device as the card moves through the slot.

However, it's becoming increasingly easy to add additional tiny card readers to the magnetic stripe reader slot so that it's read twice (once by the machine and once by an imposter, and someone comes by later to collect their own device), or to add a device to record the signals over the wires between the magnetic reader and the rest of the machine.  Like a password, once recorded it can be copied to another payment device, such as another card, and then if used again the mag stripe machine can't tell the difference between a copy and the genuine card.

Sometimes the magnetic strip of a counterfeit card doesn't match what's printed on the card, which is why some machines ask the cashier to confirm the last 4 digits written on the card.

As of 4 years ago, illegally copied magnetic strip cards could be purchased for as little as $0.25 each (or so I've read).  The price is likely lower than that now.

Some of the new popular everything-in-one cards like "Coin" offer a magnetic stripe that changes to match a card.  They have the same benefits and drawbacks as regular magnetic cards.  However the newest of these also offer additional, secure ways to pay that incorporate the features below.  Seek these out!  You'll understand why in a minute.

NFC, "Touchless" Cards, Apple Pay, and Android Pay (formerly Google Wallet)
Near Field Communication (NFC) or "touchless" payment methods (except Samsung Pay) all work based on short range (within inches) radio waves.  The general idea of each of these is that the credit card machine can have a "conversation" about the transaction, and that some of the information is different with every transaction.  So your card's "password" that makes it unique changes constantly, and isn't easily copied.

These work on the premise that the card and the payment processor know a "secret" that is never transmitted over the air.  Copying this payment method is harder, but if you had a device to have this "conversation" with a card that is in your wallet, you could have the card authorize a payment without your knowledge.  I haven't actually heard of this being done, but it's made people nervous enough to start an explosion of wallets and pockets that advertise they can block signals to keep your cards safe.

Touchless cards also have a magnetic stripe for magnetic readers that don't support the touchless payment option, but the magnetic stripe is no better than any ordinary magnetic card.  Unlike the touchless radio responder built into the card (or phone), the information on the magnetic stripe never changes.
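The difference between static stripe data and a per-transaction "conversation" can be modelled in a few lines. This is an added example, not code from any card scheme: it uses HMAC-SHA256 as a stand-in for a real card cryptogram, and the class names, field names, and account number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

FIELDS = ("account", "counter", "amount_cents", "nonce")


def _mac(secret: bytes, msg: dict) -> str:
    """Keyed hash over the transaction fields (stand-in for a real cryptogram)."""
    data = "|".join(str(msg[f]) for f in FIELDS)
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


class StripeCard:
    """Magnetic stripe: the same static data comes out on every swipe."""

    def __init__(self, account: str, stripe_code: str):
        self.track = f"{account}={stripe_code}"

    def swipe(self) -> str:
        return self.track


class DynamicCard:
    """Chip/touchless model: a secret stays on the card and signs each payment."""

    def __init__(self, account: str, secret: bytes):
        self.account = account
        self._secret = secret   # shared with the issuer, never transmitted
        self._counter = 0       # increases with every transaction

    def authorize(self, amount_cents: int, terminal_nonce: str) -> dict:
        self._counter += 1
        msg = {"account": self.account, "counter": self._counter,
               "amount_cents": amount_cents, "nonce": terminal_nonce}
        msg["cryptogram"] = _mac(self._secret, msg)
        return msg


class Issuer:
    """Card processor side: knows the stripe data and each card's secret."""

    def __init__(self):
        self._tracks = set()
        self._secrets = {}
        self._last_counter = {}

    def enroll_stripe(self, card: StripeCard) -> None:
        self._tracks.add(card.track)

    def enroll_dynamic(self, account: str, secret: bytes) -> None:
        self._secrets[account] = secret
        self._last_counter[account] = 0

    def check_swipe(self, track: str) -> str:
        # A recorded copy is byte-for-byte identical to the genuine card.
        return "approved" if track in self._tracks else "declined: unknown card"

    def check_dynamic(self, msg: dict) -> str:
        secret = self._secrets.get(msg.get("account"))
        if secret is None:
            return "declined: unknown card"
        if any(f not in msg for f in FIELDS) or not isinstance(msg["counter"], int):
            return "declined: malformed message"
        sent = str(msg.get("cryptogram", "")).encode()
        if not hmac.compare_digest(_mac(secret, msg).encode(), sent):
            return "declined: bad cryptogram"
        if msg["counter"] <= self._last_counter[msg["account"]]:
            return "declined: counter already used"
        self._last_counter[msg["account"]] = msg["counter"]
        return "approved"


def demo() -> dict:
    account = "4000000000000002"            # constructed sample number
    issuer = Issuer()
    stripe = StripeCard(account, "constructed-stripe-code")
    issuer.enroll_stripe(stripe)
    secret = secrets.token_bytes(32)
    chip = DynamicCard(account, secret)
    issuer.enroll_dynamic(account, secret)

    recorded_swipe = stripe.swipe()         # what a recording device would hold
    first = chip.authorize(1250, secrets.token_hex(4))
    recorded_msg = dict(first)              # a recording of the whole exchange
    altered = chip.authorize(1250, secrets.token_hex(4))
    altered["amount_cents"] = 999999        # changed after the card signed it
    return {
        "stripe_original": issuer.check_swipe(stripe.swipe()),
        "stripe_copy": issuer.check_swipe(recorded_swipe),
        "chip_original": issuer.check_dynamic(first),
        "chip_replay": issuer.check_dynamic(recorded_msg),
        "chip_altered": issuer.check_dynamic(altered),
        "chip_next": issuer.check_dynamic(chip.authorize(300, secrets.token_hex(4))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The recorded stripe data is approved exactly like the original, while the recorded dynamic message is declined because its counter has already been used and the secret needed to sign a fresh one never left the card.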

Apple Pay and Android Pay are more secure because both use a form of authentication on your phone to authorize the payment.  Your PIN is never transmitted over the air, but your phone won't authorize the touchless payment without it.

Samsung Pay will act like Apple Pay and Android Pay, but the value Samsung Pay adds beyond Android Pay (which is available on every Samsung device) is outside this category, and I'll cover that later.

EMV "Chip" Cards
Retailers and card manufacturers particularly like the chip cards because they use a randomized password similar to the NFC "Touchless" cards, Apple Pay, and Android Pay, but cannot be accessed without removing it from a jacket pocket or wallet.

Contrary to common belief, the chip on the card has nothing to do with the magnetic stripe on the card, and just like Touchless cards, the magnetic stripe is provided as a backup for when the more secure payment option is not available.  The chip is not accessed when the card is swiped.

Unlike touchless cards, chip cards require that the machine make physical contact with the chip.  If you've been to one of the many Wal-Mart stores now equipped (as of Summer 2015) with these readers, you have probably seen the slot at the bottom of the card reader.  The card is inserted into the reader, and left there until the transaction has been processed.

These also have the advantage over Apple Pay, Android Pay, and even Samsung Pay of being able to securely pay at a restaurant without giving up your phone to the waiter or waitress that will scan the card somewhere out of sight.

Most card issuers are sending free replacement EMV cards to their customers already.

Samsung Pay
Android Pay is now available for all Android-based Samsung devices, so if you have a Samsung device you already have Android Pay.  The newest Samsung devices will offer Samsung Pay.

Samsung Pay operates in two modes:

  • It can offer the same touchless payment experience Android Pay offers (which is why they don't bother to make it available for older phones that can already use Android Pay)
  • It can use a special antenna on these newest devices to send out a series of magnetic pulses, mimicking the presence of a magnetic card

Nothing I've found really explains Samsung Pay's security features, but they advertise they're more secure than a physical card.

If I were Samsung, I would use a single use, extended length card number in that transaction, and transmit it directly from the phone through the card reader.  This would provide the same degree of security found in touchless and EMV card account numbers, and if the card number were captured by an illegal magnetic card reader, it would be invalid because it's single use.

Changes Effective October 1, 2015

Effective October 1, if you (as a vendor) use a magnetic card reader to process a transaction, you will be liable for any fraud related to illegal cards copied from an EMV or NFC capable original card.

Samsung Pay transactions through a magnetic card reader should be exempt based on my understanding of the technology, but it's unclear whether card processors will be able to tell the difference between a secure Samsung Pay transaction and a magnetic card.

Business Opportunity

The business opportunity here is in the sale or lease of secure equipment to retailers that are still using magnetic reader equipment.  The motivation for them to buy is in what merchants won't have to cover in credit card fraud.  In addition, merchants will be able to protect their customers by allowing and promoting secure forms of payment, and won't be held liable if a customer uses an illegally copied magnetic strip card.  

Online transactions shouldn't be affected, but retailers should still always ask for the CVV code as that's harder to copy, and reduces transaction fees.

Because the retailer almost always pays the processing fees (and not the card holder), most card holders are unaware and unmotivated to do anything that would improve the security of their transactions.  

For Consumers

Credit card companies and vendors with old equipment will cover the cost of fraud, but it's a lot of hassle to straighten out your account and replace your card when fraud happens.  So protect yourself and get a secure way to pay.  It's free.

Sunday, July 26, 2015

Why you should take your sleep apnea diagnosis seriously

I (somewhat erratically) maintain this blog to talk about topics that people don't seem to think about.  Usually I do it from a business perspective, but now I want to talk to all of you who (like me) have a diagnosis of sleep apnea.

First of all, who are you?  You are not necessarily middle-aged, male, and have a waist size of 38" or more, though those are 3 of the most common things.  If you feel tired often, but have figured it's because you're getting a little older, you probably should go get checked.  I am male and don't have either of the other two risk factors, but I have sleep apnea.  I was tired a lot, but I figured it was because of my lifestyle -- staying up late with the kids, and then leaving very early for a long commute to the office.

The doctors say I have a large tongue but a small lower jaw, and that's what is causing my sleep apnea -- losing weight won't really help me, it's the way God designed me.

The "gold standard" treatment for sleep apnea is the CPAP machine.  You have to wear something on your face to give you air when your body can't breathe in.  This treatment has a near-100%* success rate, but no one wants to wear a mask on their face -- besides the unattractive look of it, it's uncomfortable, it's a hassle to keep clean, and finding the mask that fits properly can take over a year (remembering why you took off that mask can be more difficult than remembering your dream last night!).  ...and it can have an impact on the family too -- my full face mask startled my young children until I told them the doctors said I have to wear an "elephant nose" at night, and though my wife is understanding, it has affected life activities in the bedroom too.

What are the alternatives?  Well yes, there are some, and they have varying degrees of effectiveness, but none of them are as effective as the CPAP machine.

  1. CPAP -- included for completeness, already discussed above, effective for 90%* of sleep apnea patients
  2. Lose weight.  This is probably the most effective alternative "cure" but you have to keep it up, and requires you have significant weight to lose - effective for 40%* of sleep apnea patients
  3. Dental device -- if, like me, you have a smaller lower jaw, sometimes this is effective.  Wasn't for me, though, and your jaw will be sore every morning for the first few weeks.  Effective for 25%* of sleep apnea patients
  4. Surgery -- if you've already had your tonsils removed, this probably won't do anything for you, but there are more things they can do than just remove the tonsils.  Varies based on the type of surgery, 15-35%* of sleep apnea patients benefit.
  5. Pacemaker -- there is a "pacemaker for the tongue" to keep it out of your airways, but it's a very new treatment.  You have to maintain the device just like a pacemaker (batteries, etc.), and I have no idea what the side-effects are (does it impact your ability to talk?  no idea) -- insufficient data.
  6. "I'll just sleep on my side." -- usually not effective, but I'll give it a generous 5%* estimate

Is it really that big of a deal?

Yes.  It is.  Your heart can do its job to wake up the body enough for you to catch your breath a few times a night, that's no problem.  Sleep apnea patients wake up 25-50 times a night, but usually don't remember it.  That's a lot of wear and tear on your heart.

Also, general fatigue can lead to:
  • Car accidents
  • Poor attention span
  • Poor posture, and therefore back and other health problems
  • Poor judgement at work
  • Emotional health problems (which impact relationships at home and at work)

But I've lived like this for years!

This is the often overlooked piece of the puzzle.  According to a presentation I saw at Stanford's Sleep Clinic, you can live up to about 10 years like this before you start having noticeable health problems.  

You can also drive over 100 miles with a screw in your tire* without air leaking out, but chances are you would rather change the tire as soon as you notice it, because you don't want the risk of a blowout on the freeway.  So why would you take that risk with your body?

Ok, I've tried it, I don't like it.  I give up.

You owe it to your family, friends, and coworkers to keep trying.  Every night you don't, you shorten your life a bit.  

My story...

Three years after my diagnosis I'm still trying with my Variable BiPAP machine (similar to CPAP) -- the masks I've tried don't fit quite right for me.  The other options have already been ruled out for me (except the pacemaker option... not much is known about that one as of mid-2015).  However, even though I'm not entirely successful, I've noticed a huge difference in my energy level, and my general health once I got above 4 hours of use per night.  ...and as I continue to get better at it, my energy level and health have continued to improve.

It's been worth the effort, and I wish I could just take a pill for it every day, but CPAP is the best solution for now.  My efforts paid off, yours will too.

Factors to play with

If you're having trouble and think you've tried it all, here are some factors to consider:

  • Type of mask
  • Tightness of straps
  • Is the mask seal clean?
  • Do you wash your face before you go to sleep?
  • Temperature of the humidifier
  • Your pillow (does it bump the mask off at night)?
  • Ramp-up settings of the breathing machine
  • Your doctor's settings on the machine
  • The air filter on the machine
  • Do you change your mask seal at least monthly, as designed?
  • Your mattress!  (if you've been tossing and turning thinking it was your breathing machine, but it was really your mattress, changing your mattress can help a lot! -- the Personal Comfort Bed is a great alternative to the Sleep Number Bed -- tell them referred you for $50 off)

...and if you're looking for tips, the CPAP Forum is a great place to get advice from breathing machine users who are just like you, but may have more experience.

* - this "research" should be treated as "what your friend thinks he remembers reading somewhere" at best, and if you want to know the truth, go research it yourself.  I am not a doctor, nor am writing this as a formal research paper.  I don't have sources, nor do I plan to add any.  

Friday, November 21, 2014

It's yours now - here's my laptop, my keys, and my VistaPrint designs

With Millennials (defined as people born between 1980 and 1999) changing companies often, many service-based organizations find it's better to build a relationship with the individual than the company.  Every time I call Discover Card, for example, they thank me for being a member since 1997.

Businesses find that by establishing relationships with the individual, they earn a recommendation when that individual changes companies and their new employer has a business need.

VistaPrint, the online service that caters to the small businesses' and individuals' needs, has followed suit, establishing the relationship with an individual.  But there's a use case they didn't cover.

I'm leaving my primary employer soon, and I'm making preparations.  I'm also a volunteer for a small club of an international nonprofit organization called Toastmasters International that's connected to that employer.  When we needed to be more competitive with other Toastmasters clubs in the area, I developed some evaluation forms and secret ballot forms to use in our weekly meetings to evaluate the speakers.  I had used VistaPrint for my needs before, so I already had an account, and I was collecting bids.  The only way I could get a bid from VistaPrint was to walk through it, so on my personal account I drafted what I thought the form should look like.

The draft became a proof.

The proof was shopped around to other local printing companies that couldn't beat VistaPrint's rates, at least for a small "trial run" order.  The club liked it and started using them every meeting.

I started ordering those products regularly.  Prices may have gone up since I did the original bid, but I don't really pay attention to the price.  At least I don't have to recreate the design.

Remember how I said marketing to the individual means that individual will recommend them to their next employer?  Good.  What happens, though, to that individual's past designs?  Well, VistaPrint has informed me that those stay with the individual.  What if I want to leave those behind with Toastmasters so they can continue giving VistaPrint business?  Well, Shantel at VistaPrint customer service said I can do this one of three ways:
  • I can transfer my whole account, personal and business designs, over to my successor, giving them my password, and delete my personal information from the account.  ...but I would lose access to the personal business cards I created.  This also defeats the purpose of marketing to the individuals of an organization, since now I would have to create a new login for my personal orders and upload those somewhere else.
  • I can authorize my successor to phone in an order for my design, and give them my design number.  VistaPrint would then charge my account (which sounds like it's my credit card number -- I love Toastmasters but I'd prefer they use their own money, not mine).
  • I can recreate all of my designs in a brand new account that will belong to my Toastmasters club.

Okay VistaPrint product managers, think about this.  Think carefully.  If the design has to be recreated, you lose your "stickiness."  They can't reorder more of the same design number, so my organization will need to recreate the design, and if they do that, they might as well shop it around to find a better deal based on the quantities they now need.  Is that what you want?

My advice for any SaaS product manager is to consider this when building business relationships based on individual contact points.  It's an easy use case to miss, but also an easy one to fix, and very lucrative.  As I said at the beginning, we Millennials tend to move around a lot, and with our move, we carry our endorsements.

Wednesday, August 29, 2012

"HELLO, MY NAME IS" (Caller ID, and From: email_address@...)

When you go to a social gathering where everyone is wearing handwritten name tags, has it ever occurred to you that the name on their badge might not actually be theirs?  You probably have considered that, for example, the person wearing a badge that says "HELLO MY NAME IS... Acme Corp" probably doesn't have that name on their birth certificate, but if it says "HELLO MY NAME IS... Stef Hopkins" you should treat it with the same amount of skepticism.  Their name might actually be Stephanie, or something completely different like Priscilla Smith.

The same is true for other technologies that we sometimes trust to give us information.  Just because technology has told us who the message or incoming call is from doesn't mean that the technology is accurate.  It's displaying the name tag it has been given.

Why you can't trust Caller ID

Most phones default to showing their actual phone number in the Caller ID field on mobile phones and phones with displays, but the number can be changed.  That's for two legitimate reasons:
  1. Sometimes companies or individuals want their calls to be returned to another number (such as a company main number or switchboard)
  2. Some phones aren't phones at all, but a set of headphones connected to the internet, or one of many phones on a switchboard.  Therefore it may not have a callback phone number.  Just because it doesn't have a source phone number doesn't mean your phone company won't put the call through.

Though this is allowed because there are legitimate reasons to do this, it's an opportunity for malicious or at least devious people to change the phone number displayed.  For that reason, Caller ID should never be used as evidence in a court of law that the phone number came from a certain location, and you should always treat Caller ID as a hint about who the caller is rather than as a telephone trace.

Caller ID is easily fooled, with just a little more knowledge than it takes to handwrite a name tag.

Why you can't trust the From field on email

During the setup of your email program, you are prompted to enter a username, a password, an email address, and your full name.  Most people never give this a second thought, but if you're providing a username and password, why couldn't the email address and full user name be grabbed from the account?  That's because just like Caller ID, there are legitimate reasons for the displayed email address and name to be different from the real source email address:
  1. The account may not have an email address, or be sending an email from a web form tool, so the preferred From address would be a customer service alias or the email address of the tool's developer.
  2. The sender may prefer that all email comes from a company alias and not expose their direct address.

Friends and family sometimes tell me someone must have broken into their email account because someone else received a message from them that they never sent.  The reality is that since the From field of an email can be filled in with almost anything, there are many tools to grab random names and addresses so that devious or malicious people can send messages without revealing their true name.

Just because someone received a virus or a scam email from your email address does not necessarily mean that the virus has ever been able to send from your computer or your account. 

Someone found your name tag on the floor and decided to put it on.
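A receiving-side check for the From field, as an added example that is not part of the original post: it compares the displayed From address with other headers of the same message and returns hints rather than a verdict, since the differences listed above can be legitimate. The sample messages are constructed, and the sketch assumes the Return-Path and Authentication-Results headers were added by your own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_from(raw_message: str) -> dict:
    """Compare the displayed From with the rest of the message headers."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Results recorded by the receiving server, e.g. "spf=pass; dmarc=fail".
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)",
                           msg.get("Authentication-Results", "").lower()))

    findings = []
    # The envelope sender (where bounces go) is in a different domain.
    if envelope and _domain(envelope) != _domain(from_addr):
        findings.append("return_path_mismatch")
    # Replies would go to a different domain than the one displayed.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("reply_to_mismatch")
    # The display name itself shows an address other than the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append("display_name_shows_other_address")
    # The From domain was not confirmed by the receiving server.
    if auth.get("dmarc") != "pass":
        findings.append("dmarc_not_pass")
    return {"from": from_addr, "display": display, "auth": auth,
            "findings": findings}


# Constructed sample: displayed name and address do not match the sender.
SUSPECT = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Stef Hopkins" <stef@example.com>
Reply-To: stef.hopkins@example.net
To: friend@example.org
Subject: Quick favor

Constructed body text.
"""

# Constructed sample: every header agrees with the displayed From.
ORDINARY = """\
Return-Path: <stef@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Stef Hopkins" <stef@example.com>
To: friend@example.org
Subject: Lunch

Constructed body text.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("ordinary", ORDINARY)):
        print(name, assess_from(raw)["findings"])
```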

Monday, December 19, 2011

Giving and Receiving, and Santa Claus

With less than one week to go until Christmas, it's time to talk about giving and receiving.  Usually I use this space to discuss points of view that the people managing a product or service may need to reconsider.  This time I'm going to talk about something that many people should reconsider, and it has nothing to do with the particular benefits of the offering involved.

It may seem cliche, but Christmas is about love and friendship.  It has little to do with receiving and much to do with giving.  Because this is now beginning to sound very boring and predictable, I'm going to now connect these ideas in a way I haven't seen from others.

We provide gifts to each other as a traditional part of the season.  If you're Christian, you may have heard the story of the three wise men, aka the three kings.  The gifts they brought to Jesus on the night he was born were a small example of how much they love God.  Santa Claus provides gifts (arguably) to remind us of the wisdom of these three kings, as one small way they show Jesus their love for God. 

Santa Claus's nice list has little to do with whether you pick on your little brother or sister and everything to do with love.  He'll probably overlook minor infractions as long as you demonstrate through your behavior that you love and respect others.  A disregard or hatred of others is the most common reason for getting on the naughty list.

So that's the friendship bit, now giving vs receiving.  Though it of course feels great to be loved and to receive something we've always wanted, the love we show others is more important.  To give is to provide a small demonstration of that love.  It's to provide a physical or monetary manifestation that someone else matters in your life.  Indeed, there are many ways to demonstrate that love besides gifts.

For me, there's no greater gift than to see my gift to them being appreciated.  If I receive no gifts will I feel any less loved?  Will I feel left out?  Not at all.  It's not about me, it's about everyone else.  Though I won't deny that I wish I had an iPad or Android tablet, the greatest gift is seeing my family being happy (heck; the tablet would be a gift for the whole family anyway!). 

So what do I want for Christmas?  Send me thank you cards for what I've given to you.  Those cards are the best gifts in the world.

Friday, September 9, 2011

Correlation is not causation

Product managers have to do a certain amount of statistical research to understand what the perceived benefits of a new product feature will be.  Though we all know that just because two things happen at the same time or sequentially it doesn't mean one causes the other, it's easy to fall into that trap.

For example, I recently got a new water bottle.  I find that when I use it, I drink a lot more water vs going into the break room with a cup or sipping from a prepackaged water bottle (e.g. Crystal Geyser).  If I wanted to market that water bottle, I might look for research about the health benefits of drinking more water.  There was a study done some time ago that claimed drinking more water helps you lose weight.  The study compared groups of people and found that people who drank more water tended to be less prone to obesity than a control group that drank much less.

From this, you might conclude that you can advertise that this water bottle will help people lose weight.  Right?

Well, you may be able to advertise it, but no, it's not ironclad proof of the benefits.  ...and if you didn't see that coming, I'm sure you're not the only one.  It's a correlation - just because they happen at the same time doesn't mean one causes the other.  Suppose the groups were selected based on water consumption per floor of a building.  Suppose the group that drank more water turned out to be health fanatics that eat right, exercise, and believe drinking more water has health benefits, whereas on the comparison floor someone brings in donuts every morning.  The people who drink more water also eat right and exercise regularly.  This too is correlation, not causation, but it does introduce an additional unknown:  what one factor is most responsible for these people being less obese - exercise, diet, drinking more water, or something else?

Proof of causation requires much more research, so the most common way around this is for the marketing (or legal) team to claim something like "in a study, people who drank more water tended to also be prone to fewer weight problems," which in this case is true, implies a connection, and to be fair, the connection hasn't been proven but hasn't been disproven either.  (some geographies have specific laws about health benefit claims in advertising, so if you're managing a product and claiming there's a health benefit, you'll want to look into that)

Let's use another example -- JibberJobber is a web site that provides tools for organizing a job search.  JibberJobber could advertise that people using their tool tend to get hired sooner than people that track job leads on a spreadsheet.  There may be a causal relationship (it was immensely helpful in my job search a couple of years ago!).  However if you look at their clientele, these people probably would be more organized anyway and often have more skills to help them stay organized, making them more desirable candidates.  It's a fantastic tool, but there's no way to tell whether using JibberJobber actually accelerates the job search, or merely makes it easier to track job leads.

Correlation is not causation.

Wednesday, August 10, 2011

Creating value from Intangibles

Most people learning to play guitar or piano are first taught about chords.  You sing or play the melody with one hand but the harmony is all chords or "oom-pa" harmonization.  The sound is decent, the desired sound is relatively easy to replicate, and the musical score easy to follow. 

However, you will not sound like the original musician.  Take two prime examples (that will make me seem older than I really am):  Billy Joel and James Taylor.  Though they use chords in their performances, most of their notes are individual, with each note building upon and enhancing each other.  Their style is difficult to replicate, yet with practice they easily deliver the same performance at concert after concert.  Occasionally they tweak the song a little, adding a riff here and there to surprise and delight fans, which challenges imitators to keep up.

Product managers in the software industry likewise have many standard tools available to them: Agile methodologies, quality assurance teams with their own methodologies, software developers, channel resellers, APIs for easier integration with partner technologies, websites and sales teams to sell and distribute software, marketing teams, and the newest component: social media web sites.

Usually the product requirements are focused on what the software will do, and using musical terms to construct this analogy we'll call this the song melody.  The people involved are the instruments, and the methods employed to organize the effort and create the performance are analogous to the execution of the performance.

Taking the analogy further, the concert experience depends not just on the performer or the score but on lighting and sound technicians, accountants, event planners, transportation crew, ushers, marketing team, and staff local to the venue.  In software products, this is the equivalent of the supporting staff doing customer support, administrative functions, marketing, packaging, integration, and the like.

Perhaps it is no surprise to experienced product managers that there are many pieces to coordinate to create value, but it may be very much a surprise that most product managers are still creating music with chords without taking advantage of the potential for differentiation in how the tune is delivered, and making the product experience difficult to replicate.  Most do not take the time to develop the company expertise in less obvious yet valuable ways the way Billy Joel and James Taylor make every note count.  Others fail to keep the value fresh the way Taylor adds a guitar riff that isn't in the album, making it easy for competitors to replicate the static value proposition and add value of their own.

The point is, software product managers (and really even product managers outside of software and entrepreneurs) have a lot to learn from musicians.  Value differentiation can and should be more than the melody.  It can be in operational excellence, quality, support, sales, marketing, partner technology integration, alignment with suppliers, alignment in the channel, or (and preferably) none of the above usual suspects. 

A product, like a concert, is an experience, with every aspect of it being an opportunity to create value.

#prodmgmt #music #value