All right, so my name is Brad Powers, and I'm the CTO at Passport. Talking a little bit about complexities and government payments. Fine print. This is for informational purposes. I'm not a lawyer. I don't give legal advice. Ask your legal counsel if this is the right thing for you to do. We've done some of these things and I don't know if it'll impact your business specifically, but hopefully it'll give you some stuff to look at.

So I'll kind of give you an overview of our business and the concepts that apply. A lot of the same problems that you guys are tackling that we have done at Passport. PCI and a baseline of what's important and what I think is important for you guys. Regulation in the payment space. And I don't know, I called it secret sauce. Maybe some of the things that we've learned and some of the similar things that you guys have all uncovered in payments and government.

So Passport, we've been around for about six years. We have about 500 customers. We're processing about 300,000 payments a day. And our basic products that you guys probably know about are mobile payments for parking and transportation. So here in Durham, if you download our app, you can pay for parking on the streets or private parking lots. Or if you're riding the bus or the light rail or heavy rail, Miami light rail. And pretty much a lot of the other cities that we are the back end of most of their systems. So Chicago, London, Montreal, Toronto, Boston, et cetera. We are the payment platform that these guys are running their payments on. Not just those mobile payments, but we're also doing the enforcement aspect. So when you get a citation, we might be writing it. So apologize for that. And then tolling. So if your car is not parked, if your car is moving, we might be tolling you as well. We want to try to make money all the time for the government. If your car is parked or if it's moving, they want to be making money off you, right?
And how do you figure out, you know, how to manage those revenue streams for the government when gas taxes are right? Or gas usage is going down? More electric vehicles losing tax revenue and gas. Also now you have to make up the money somehow. So is it going to be tolling? How are we, the government, going to do this to continue the revenue necessary to support government operations? So, you know, issuing citations, mobile payments, riding a train, bus, and then validation. So maybe you don't pay for parking. Maybe your restaurant pays for parking on your behalf. That's kind of our solution set that we're working through.

That is a map, but I don't know why it's white right now. Some of the customer base, you might not know, but those are some of the apps that we support out there.

Our model is right. We're a gateway at our core. Everything is a payment with our specific verticals of product that process those payments on top of it and with a data management reporting layer for the operators, right? For the government entity so they know what's happening and then followed by, right? We have advanced analytics, which is a light at this point. It's not too advanced, but we like to be advanced. But that's more around, right? You know, maximizing revenue or compliance or how do you predictively price or dynamically price parking in certain areas based on demand? Is there an event? Are there any spaces left? How do you get people to the right areas when there's congestion, et cetera? So those are the things that we're focusing on.

I just like that slide, so I included it. Marketing makes these cool slides and I'm like, man, that's a great one. I'll take it. So very similar to what everyone's doing here, right? We have a marketplace and we've had to build out some of these gateways because we're selling to governments and when a government has a contract with a particular payment provider, all their payments have to process through that provider.
So I think we have 19 or 20 right now that we are integrated with. And we've also done our own gateway with First Data on their Rapid Connect platform. But just, again, very similar things that you guys are experienced with.

So talking about PCI, here's just a couple of things we're going to talk about. PCI, why I think it's important for you guys at any size to just go ahead and start thinking about yourself as a level one provider. And that's when you're processing 6 million Visa and 6 million MasterCard transactions, or if you've had a data breach, a credit card breach, or if they want to just deem you level one and you have to do it. So the reasons why I think you should start thinking about it now is because the further down the path you get to not doing it, you'll make mistakes and scope and just decisions you make from a technology perspective or a compliance perspective or a user access perspective. All these different things will really change how you make your decisions today. So if you just think of yourself like you should be doing it, it'll make it a lot easier when you have to do it.

For us, we're in government, so everyone wants a stamp of approval to mitigate risk, right? If we can come up with an AOC signed off by a third party auditor, great. Reduce risk for the government, they love that. With your QSA right now that if you have a third party coming in, they can give you some great recommendations on things to do. There's another set of eyes that will really help dig into some things that you might not have thought of. We've been really happy with having a third party do that for us. Again, stamp of approval.

Third party ethical hackers. Every other year we hire a different firm to try to get through our system and we provide them all our source code so that they can make an attempt, as much of a valid attempt as they possibly can, with as much knowledge as we can give them to try to do it.
So if you haven't done it, it's actually pretty fun and they always find something.

Compliance in the cloud. I guess we're at AWS that clears up a few of the requirements related to PCI. When we started doing this five years ago, when we went through our first audit, like some of the QSAs, it was like they're the first time going through an audit in the cloud as well. So it was a learning experience for everybody and what's important. And when you're saying you're at AWS and they're like, okay, we'd like a data center tour. It's not going to happen. So it's become a lot easier and they all understand it now. It's great.

PCI for like, it's not something you do once and don't touch again. It's constant work. There's a constant level of effort that you have to continue to maintain. And there's costs and bodies associated with that.

Our Visa and MasterCard registration. Again, for us, it's like validating compliance. It's a barrier to entry. Once you're compliant, once you're registering with these guys, you're getting the contacts at the different building relationships with Visa and MasterCard. Again, Stanford for customers are all about low risk. They're about working with someone that's been validated and proven and trusted. We can keep out the small guys in our business because it's government RFPs. If the requirement is you need to be validated by Visa and MasterCard and someone doesn't qualify. Sorry, you don't qualify. You can't compete with us. So you can't build that RFP, right? So keeping other guys out of the business is one of the ways why. Like, hey, require service level one, right? Other guys won't be able to compete with you then. Make it a requirement.

Tokenization and card store. We ended up doing this at the beginning because we wanted to operate on multiple gateways and we wanted a seamless experience for the user. You know, it's more about the technology is easy, right? It's like encrypting a card that's easy, providing a token that's easy.
But it's all about the implementation of it and, you know, like how you do key rotations, how you expire cards out, how you delete cards. All the processes related to that and maintaining that is way more important than encrypting a card.

I had a good collision. That's just something we ran into at one point and I thought it was interesting. I don't know if anyone else has run into anything like that, but it doesn't happen often, but it happened once. So we had to have a solution for it.

Key rotation. Since we're all on the Amazon stack, it's become a lot easier because they have products like their key management systems and just, again, there's a lot of new technologies out there and services provided that just take a lot of the complexity off of us.

Regulation. I'm going to pick up a piece of paper because I don't want to say things incorrectly. But I'll try my best not to screw it up so I don't get mad information. So e-commerce laws. There's a lot of guys out there that have spent way more money than we've all spent figuring out terms of service and agreements for your terms of service with your user and they probably do something maybe similar to what you do. So take a look at their terms and see how they're doing it because they probably had a bunch of lawyers and things look it over a lot more than we did when we started.

Shipping delivery refund policies. All this stuff is like, if you're clear with your users, it makes it a lot easier when someone complains and then files a lawsuit against you for your refund policy or your terms of service. I mean, I'm sure, I don't know if everyone else, the past like three weeks, how many GDPR emails you've gotten telling you about updated terms, updated this, updated like, yeah, we get it now. Just another GDPR update email that likely they're not even doing anything correct. But you got the email so they're clear, presumably.

E-sign and UETA, right?
This is about disclosures and like how you disclose information to your customers because when you're contracting a payment or an account that is holding funds or something like that, how you, like, customers have the right to get that data or get that statement in writing like by mail, so like having E-sign specifically calling out those things so that you can provide that electronically. Like if you don't do it, I mean, they can ask for their statement in paper on a monthly basis or something. So just some things to like, you'll probably see it the next time you look at someone's terms and conditions. It'll mention E-sign.

Handling customers data, right? Like data retention policies. This is all things that like the government's very sensitive on because of breaches constantly and they don't want to be at fault because they'll be liable, right? So liability taxes, how you collect taxes, third party, there's awesome third party tools out for tax services and calculations that I'm sure all of you guys use as well. But relying on other people to reduce your risk and your burden is great for that.

Accessibility, Stephanie talked a lot about accessibility. It's interesting to think about parking and at least in the parking space thinking about like, okay, maybe there's a blind person and maybe they want to drive their car downtown and pay for parking. That was like some of the things like, why does our app have to be accessible? That doesn't make any sense. But maybe they're riding in the passenger seat and want to pay for parking. So accessibility, right? Like, again, it's a government service paying for parking and you have to be accessible to all people and you have to have an option for them to pay. In that parking idea, right, we have to be accessible to all people and that means like all levels of income too, right? So if someone has a flip phone, they can call our IVR system and walk through that way like on an IVR telling them, hey, what zone are you in?
Please enter your car, et cetera, et cetera. And then we have a web-based payment system, right? Instead of just an app because maybe someone doesn't have any space left on their device or they have a Windows phone or a BlackBerry. So we can't discriminate against anyone because of those choices. We have to provide a payment option for them.

So money service businesses and registering with FinCEN. This more applies to, like, if you're moving large amounts of money across between, you know, if you're making, like, when you're the merchant of record and you're going to be holding money on someone's behalf and then distributing it out, this is most of what it has to deal with, right? It's like, it's more of a banking thing and the guys like Venmo and PayPal and some of the marketplaces, those guys have to deal more with that. We do have a wallet which we do collect funds and distribute money out from. So there's interesting scenarios there that we have to do, although we operate a closed-loop wallet and operate under a certain value threshold that makes you exempt. But if you get into bigger accounts and amounts, then it starts becoming a factor. And then when you have to do things like this, all the monitoring and reporting and then how they come after you for suspicious activity and they want to investigate your systems and records and people using your system. So if you just keep those accounts small, you don't really have to deal with it. I think even PayPal went through something related to this and while they didn't admit that they had to do this, they went ahead and did it anyway. But that was a long, I think it was some time ago.

Money transmitter licenses. So like if you're transacting between states or transacting business in states, you have to get a license to do that. And so you have to decide which you're supposed to have them all if you're doing business in all the states, but it's quite expensive.
Look at the states you think you need to do and maybe do those. Some are really cheap and then some are expensive, but yeah. I mean that's a tough one and it's not like they're out looking for people, but when they do one audit, they audit pretty much all the states get together and we'll get on your case or something like that. It's an interesting rule. I'm pretty sure like more than 80% of people don't even do money transmitter licenses, but you're supposed to be.

I'll talk a little bit about I guess what we consider our secret sauce and maybe some of the things other people were doing. I'll try to focus on the ones that I think other people didn't already hit because no reason to repeat it all. So when we built our system, we tried the same things that others were trying to do. I'm not a Spreedly customer and I didn't even know about them until recently and it's interesting because a lot of the pain points we have in processing are like similar things that they're having to deal with too and it's just funny that I didn't know about it and then someone else is tackling the same problems and maybe I could just throw my problems to them. At least for some of them, right? So I think I'm going to say build versus buy, yeah. I'll talk about that in a minute.

So when we built our service out, we separated out into a totally different AWS accounts and the access for those accounts is limited. We have about 40 developers and we only have three guys that have access to our PCI environment and that's the infrastructure, that's everything code development, Git, JIRA. We have a separate instance for all of that just to segregate it so that there's no questions about who's accessing it, who has, you know, there's no questions. It makes the scope, someone talked about scope and they said, you know, make it as big as possible. You want to make it as small as possible. All of our systems, they don't have any access to payment information.
They all work on tokens and requesting through these services. So it's like this little service is a Stripe or a Spreedly or something like that. So that was what we did to really accelerate so we could accelerate growth in our other platforms and not have to worry about a lot of the security and controls around that, although we still, when we run scans and things like that, we still run scans against our entire footprint of our system. Yeah, it's worth it.

You know, it's just, I'm just kind of showing the card flow and what we have here is like, so everything's segregated, right? The client app is making a request to tokenize a card and authorize a card from a completely independent system. Completely different domain. Everything's totally separate. And this is just, I mean, this is like your cardholder data flow that you'd probably have to submit for PCI if you went through something like that.

Wallets. No one's really talked about wallets, but it's really interesting for us. And when we look at payments and merchant processing fees, you know, we've got payments that are like real, like low dollar amounts. So although we're processing 300,000 transactions a day, some of them are like a quarter. And that's not very efficient when you're charging a credit card a quarter. So we instituted wallets. And so some of our customers that they have low parking rates or low transit fares, you have to do a $10 wallet. And that was one thing that from a costing perspective, you know, when the Durbin Act came out, like that eliminated the small, your small payments, discounts that most PCI and MasterCard were offering to make them economical to process. And when they introduced the Durbin Act, that went away. And so everything was, all the rates were jacked up and you couldn't process them cheaply anymore. So that's where we got into the closed loop wallets. So it works for parking. I'm sure it works for other us.
You know, I think Apple, when they were originally doing some of their app store purchases, I think like they almost kind of instituted a wallet or they were batching your payments on a regular basis just to consolidate the spend or it was iTunes or something like that. They would like, you know, give you the day and then charge you at the end of the day for what you were doing.

Fraud in our system is interesting too. We don't see a lot of fraud because you're paying for a parking space and usually entering your license plate number. So we have integrations with all 50 states. So we can look up the registered owner information on a particular vehicle. So you're likely not going to use a stolen credit card to charge parking for your own car. So that has been something that we haven't, our fraud rates are so low. We haven't really had to deal with that yet. As well as when we do detect fraud or get a charge back, we just blacklist your plate and you can never park again until you make a phone call in and say, okay, I will take care of that problem and I won't charge back or I will repay that and then you're allowed to park again in the city. So, I mean like, yeah, we can, it's the government, right? They can make it so you can never register your car again or renew your license. I mean, they have their ways to get their money. So they will not be defrauded.

I mean, I think it's simple to understand why the wallet's efficient for merchant processing, right? You're just dividing up the cost over multiple transactions and like I was saying, if you're having a low dollar amount charges, it makes 100% sense. I mean, I don't know if there's, if you guys have business models that are similar, but it makes a ton of sense for us.

Batching, you guys, the Pushpay guys hit on it earlier, right? Like it's even, while it's important for them, it's even more important for us because we have inventory that expires immediately.
Like if you don't pay for parking right now or you don't pay for your train right now, we're not getting the money and the downstream impacts of that revenue cascade, right? Because if you didn't pay for parking because the system was unavailable, a gateway was unavailable or something, that means that the city can't enforce and so they're not allowed to collect revenue for citations. And so the downstream impact keeps going to where, next thing you know, a 20 minute outage or a 10 minute outage for a particular gateway stops revenue for the entire day presumably because people start saying I wasn't unable to pay, I heard I wasn't able to pay, I didn't even try because someone said I didn't have to pay. And next thing you know, the government just says, okay today we're just not, it was free parking today. But that's hundreds of thousands of dollars for them in revenue.

So when we looked at batching, we looked at it similarly and decided if the consumer doesn't know that we're batching, is it gonna hurt? Are they gonna try to defraud the government? And the answer is no, they don't know that you're batching it. So it's an acceptable risk, right? What are the odds? So we look at how likely it is that we'll be defrauding and then decide okay, we'll batch for that particular customer and you know, the payment won't go through right away and we only do that if we're experiencing an outage because again, it doesn't, it doesn't, we will never go to offline processing where we do it beside 100% offline but we will always try to make the attempt.

At 10:56, one of our gateways went down for 10 minutes and it's like, there was 460 payments that batched and no one knows why yet, but we'll find out. It happens more than you think. Our best gateway's First Data, by the way, the Rapid Connect one, we've only had two outages in five years and both were very short periods of time of the 20 we use.

Build versus buy. Man, that's tough, right?
Like outsourcing your, one of your things that sets up your availability at a certain level or like for your system. How you decide to make that decision, it's like, that's a critical decision for everyone if you're willing to give up some of that part to shift risk off to someone else. Sometimes, I don't know, you have to, you have to weigh those things yourself and figure out the costs and benefits of each one. For us, right now, for our main payment, gateways and things like that, we're always going to do it ourselves in the margins that we're operating on. We make five to 35 cents a transaction, right, for 300,000 transactions. So it's outsourcing that or having another party involved in availability increases the risk that there could be an issue and if we can decrease that as much as possible, we can so we can always stay up and process.

But then it's time to market. We recently launched in Mexico and there's some gateway we've never integrated with and now we have to build an integration for one customer and is it worth it? Maybe build it out if we were doing 10,000 transactions a day with them but if we're doing three or 10 or whatever it is, maybe it's better to use someone else for that. Again, and then the maintenance costs, reoccurring costs, compliance. I mean, it's a lot of work and you have to figure out if you're ready to take it on and want to maintain it forever because like I said before, it's not a one-time thing.

That concludes. I hit next and I'm like, did I have anything else? That concludes it. I appreciate it. Thanks a lot.