Evan Schuman: Is MasterCard's fraud program just another data grab?

It offers slightly greater payment convenience, but at what cost?

Marketing executives salivate at the thought of being able to track shoppers via their mobile devices. The only problem: How to get consumers to sign on to that? MasterCard might have the answer. By spinning it as a global payment convenience, MasterCard has put a happy face on a major potential information grab.

Here's the deal. MasterCard and its partner Syniverse, a global mobile telecom firm, want you to opt in to let them track your mobile geolocation data. MasterCard says that cardholders who opt in and then travel to other countries will have fewer transactions denied. You see, cardholders are supposed to call their issuer before leaving the country so that their itineraries can be fed to the issuer's antifraud systems. When the cardholders don't do that, they are more likely to have their purchases denied.

So, says MasterCard, let's make this easier for everyone. Just register your phone with us, and then when a transaction request for you comes in from, say, Greece, our system will be able to check to see if your phone is in Greece too. If it is, the transaction is more likely to go through.

The news release announcing a trial of this program said that "mobile geolocation can deliver payment security." That is not precisely true, in the sense that it is completely false. The way this program is being set up, mobile geolocation data will tell MasterCard that your phone is in the same country where someone is trying to use your card to make a purchase. If anything, the program loosens the fraud controls for the convenience of cardholders. But just think how easy it would be to subvert that. If your MasterCard were stolen at Giza and then used to buy a high-res TV in Cairo, MasterCard's new geolocation effort would take a look and decide everything must be fine, because your phone is in Egypt.

You see, the MasterCard trial doesn't, for example, react to a transaction being processed at a retailer on Via dei Calzaiuoli in Florence by checking to see if the cardholder's mobile phone is also on Via dei Calzaiuoli. The technology exists to do so, but MasterCard won't be doing it, at least not as currently planned. Executives with MasterCard and Syniverse said the system is not going to dig beyond country level. (Though even that will be in a rather haphazard manner. MasterCard and Syniverse might note your arrival in Italy, then not check again when your card gets swiped on Via dei Calzaiuoli. Meanwhile, you may have turned your phone off and flown on to Spain. MasterCard won't know that.) Although country level is better than nothing, it doesn't have nearly the fraud-prevention potential of a more specific ping. "All we care about is whether the consumer has changed the country where they are visiting," said James Davlouros, MasterCard's vice president of global strategic alliances.

But even if MasterCard were narrowing your phone's location down to a city, a neighborhood or a specific street, this isn't a foolproof approach. Say that you keep both your MasterCard and your phone in a purse or a backpack and then that purse or backpack is stolen. There go your credit card and your phone, always together in the shops the thief visits.

After talking in their Mobile World Congress press release about how this service would "enhance peace of mind for mobile users when they are traveling abroad," MasterCard and Syniverse eventually made a point that might explain what really lies behind this initiative: "Mobile network operators and brands can also benefit from the collaboration between MasterCard and Syniverse. In the future, they could implement targeted offers, which will be made more relevant by knowing the location of a mobile device, for example in close proximity to a retail store. A research report for Syniverse from economists at SEEC uncovered a market valued of as much as $44 billion for operators providing services to brands based on opted-in mobile subscribers' information, behavior and location -- known as mobile context." MasterCard said it is not linking the targeted offers referenced in its statement to the geolocation program.

So, yes, back to that question of how to get consumers to opt in. In this regard, MasterCard and Syniverse have some work to do. They have yet to agree on a privacy policy, according to Davlouros and Syniverse chief marketing officer Mary Clark. In other words, they haven't figured out what they want consumers to sign away.

Will the data only be used for authentication? Can marketing see where shoppers are going? Can special offers be texted to shoppers based on those movement patterns? Will the data only be used aggregated and anonymously? And do third parties get to see those aggregated -- and perhaps not aggregated -- patterns? To be clear, MasterCard is saying that the geolocation data "will only be used to support the authorization of payment transactions at POS." The only problem is that this is a "today" statement, not addressing how the data might be used tomorrow, one year from now or four years from now. That's what formal -- approved by Legal -- privacy policies are all about.

I don't think it bodes well for users' privacy when companies proceed to a trial without answering any of those questions. When geolocation is involved, privacy can't be treated as an afterthought. My cynical side wants to say that these execs know exactly how far they want to go, but they're not ready to say. Why announce it when a little-read, small-type privacy policy can do it instead?

To be fair, what the two partners are trying to do is extremely complicated. They need to coordinate information as consumers bounce from one carrier to another in various countries, as well as disappear entirely while in flight. Not every store or street in every country has consistently reliable wireless access, whether Wi-Fi or over-the-air. And although the goal is to have agreements with as many carriers and related companies as possible, it's going to take some time to get there, and in the meantime, the telecom patchwork will have many holes in it. Another issue is that legal standards differ from country to country and province to province. "Different countries have different regulations about privacy," MasterCard's Davlouros said.

Nonetheless, when MasterCard and Syniverse roll this program out in its final form, they will have to have crafted a privacy policy. That policy will reveal what limits they choose to set for themselves. The frightening question is this: Will any of their customers bother to read it?

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.

Copyright © 2014 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon