Pay by Car

Way back in CardsFTW #66 (2023!) I wrote about in-car payments. The proximate reason was CarIQ announcing a deal with Visa. I haven’t heard much since then. This past week, though, I saw two items on this (two!)

How I imagine this whole idea got started: Charley Car-d

First, one of my favorite non-fintech news sources, Ars Technica, had this item: “97% of drivers want in-car payment system for tolls, parking, charging”. I can understand the research result here; it sounds convenient. I imagine the reality is quite complex. I have an electric car, and I’m supposed to be able to start charging my car using a specific charger network. Let’s just say my experience is uneven. Plus, that’s only one brand of car and one brand of charger. The interoperability concern here is enormous. One thing we often preach in payments is the value of ubiquity and acceptance. Unless all the car manufacturers and charger brands get on the same page and share all this data I don’t see it happening.

Second, gas station chain Sunoco announced it would be bringing in-car payments to its 5,700 locations via Sheeva.AI. There have been attempts for various gas brands to allow app-based payments (e.g., to start a pump from your phone by scanning a QR code or inputting a pump number). I have tried this a lot, of course (I also have a traditional gas-powered car). I don’t know. Tap and pay is pretty darn easy, and I think the number of steps, authentication, and more to get in-car payments isn’t really worth it. Plus, you still have to get out and pump your gas (unless you live in New Jersey, I hear).

Me, Elsewhere, on Other Topics

Last week, I authored an article in This Week in Fintech Signals about the challenges of Regulation CF (crowdfunding). TWIF subscribers can read it here: https://www.thisweekinfintech.com/crowdfunding/. Not a subscriber? I encourage you to sign up today!

Deserve Sells to Intuit

Big news in the credit card infrastructure world hit Monday evening, with word that Intuit is acquiring certain assets and employees of credit-cards-as-a-service pioneer Deserve.

Startups are very hard. Deserve was founded in 2013 as SelfScore, which worked to build alternative underwriting models for thin-file/no-file customers. Over time, the company pivoted to an infrastructure provider. My last startup, Vertical Finance, chose Deserve as our partner to launch the Grand Reserve World Mastercard in 2020.

Like Deserve, Vertical Finance didn't have a winning outcome. Selling a company is hard, even when you exit via an acquihire as Deserve did here (and Vertical Finance did in its time). I'm looking forward to seeing what Intuit does with these assets.

Swiss Cheese Security

Anyone who has worked in payments for long enough (two weeks? one day?) has dealt with fraud. Understanding that fraud is inevitable and that fraudsters are endlessly clever is one of the most fundamental lessons of the payments profession.

Fraud and security risks manifest in all forms and at every stage of the payment lifecycle. Companies face identity fraud during account creation, transactional fraud when payment credentials are stolen, and first-party fraud from users who initiate false disputes or who never intend to repay credit lines. On the merchant side, there’s merchant fraud, such as charging users for goods never delivered or services never rendered. Then there’s system-level risk. Your infrastructure could be compromised by a bad actor, or a malicious employee with legitimate access might abuse their privileges.

There’s no way to completely prevent fraud without harming the user experience. And that’s the crux of the challenge: balancing the cost of prevention with the cost of losses. The best way to frame this is the Swiss cheese model of security.

What Is the Swiss Cheese Model?

I first came across this concept while reading about the Gimli Glider, an Air Canada flight that famously ran out of fuel mid-flight and managed a miraculous, engine-less landing in Gimli, Manitoba (not the original destination). A chain of small oversights (metric vs. imperial conversions, miscalibrated gauges, and more) led to the fuel miscalculation. Each issue was small, but disaster nearly struck when they lined up just right (or wrong).

Post-evacuation on the race track

The Swiss cheese model suggests that each layer of defense has holes: gaps where a bad actor or mistake might get through. One slice may be thin and riddled with holes, but stack enough slices together, and the holes don’t line up. No single failure leads to catastrophe because another layer catches the issue.

Unless, of course, all the holes line up. Then you have a problem.

Layering Defense in Payments

We know every security system has gaps. But our job is to layer the right controls so that no one pathway leads to total compromise, and these are some of the best places to start for a card program.