Business Implications of Payment Tokens

US mobile payments will have a new “network”, a system to use tokens which are neither V or MA card numbers. Thus Banks need not route these transactions through either V or MA, but will be able to leverage same acceptance infrastructure. Virtual card numbers will be bank numbers that banks resolve. JPM’s is first to align w/ plastic, leveraging common authorization authentication and other services

21 Feb 2013 (pardon the typos as always)

US mobile payments will have a new “network”, a system to use tokens which are neither V or MA card numbers. Banks’ position is that the need not route these transactions through either V or MA (in order to leverage same acceptance infrastructure), whereas V/MA clearly say that an account can’t be both a network account and a XPAY account (see no wrapping).

The banks desire in 2011 is that Tokens will be bank numbers that banks resolve.  JPM’s is first to align w/ ChaseNet and ChasePay.  Banks are putting in place “controls” around ACH debit and card rules which will “encourage” token adoption.  Watch out payment start ups.. rough seas ahead. As I stated: Banks will WIN in payments.

In the US, merchants own liability for Card Not Present (CNP) fraud which aligns online merchants to the risk of using a payment instrument for a consumer they cannot physically verify (see VBV exception). However well an individual online merchant manages their own payment risk, their remains extraneous indirect risk to banks, as card data loss could result in: counterfeit plastic, identity theft, other first party fraud, …etc. Thus the fallibility of the current card “token” which relates Bank to Consumer relationship. Through this NEW token initiative, Banks are seeking to expand the account identifier by making it unique to: consumer, bank AND merchant.token

Today merchants receive an authorization for use of the card and behind the scenes Banks use very large sophisticated risk models (ex software HNC’s Falcon) to make authorization decisions. As eCommerce merchants are responsible for fraud, they perform their own risk management either directly or through payment specialists (Cybersource, PayPal, Amazon, Digital River, …etc). Banks have few problems approving online transactions.. as they bear none of the loss… and hence a game is played. Banks have little incentive to share their fraud data and merchants have little incentive to share theirs. Remember that within banking, margins are driven by the ability to manage risk and banks therefore incented to differentiate capability (not harmonize it). Which leads to other interesting dynamics (perhaps a topic for a later time).

At the Physical POS, the situation is different. Merchants bear little fraud and with EMV (Chip and PIN) the US will further reduce fraud where plastic is presented (if EMV in the US does happen). As I described in EMV Battle Impacts Mobile Payments, Retailers love EMV and are biased toward PIN and Debit. Retailers are continually looking for a way to reduce payment costs and influence consumers AWAY from Bank reward schemes.Payment-Gateways-growth

Mobile payments remain “green field”  and may be significantly disruptive at the POS. One of my favorite quotes around payments ” if you solve authentication.. everything else is just accounting”  (Ross Anderson @ KC Fed). The mobile device can provide a much richer set of information which to authenticate (vs a piece of plastic). Banks have invested billions in their card risk and authentication infrastructure. Mobile could render most of this investment moot, thus Banks are working to control and influence mobile payments at POS, particularly given NFC’s complete failure. Additionally, new payment providers like LevelUp, Google Wallet, MCX, Passbook, …etc all present large challenges to banks efforts to own the consumer relationship and payment choice at the POS (See MCX Blog).  Banks have some latitude to create incentives around mobile. For example is an MCX QR code backed by a Visa Debit card a CNP Visa transaction? Card Present? Or will MCX try to encourage consumers to back with DDA like the Target RedCard model?  Mobile payments are a key battle ground for many parties.. it is imperative to recognize that mobile payments are not just about payments.. but also about loyalty, relationship, data, influence, banking… etc.

In architecting incentives, banks have diminished ability to force V/MA to change acceptance rules. The same is true for retailers. Thus both are looking to create networks based on direct consumer accounts with account numbers (tokens) they can control. This is a very big statement.. if the banks can create a “token” which represents a credit account or a debit account.. they have “wrapped” Visa and MA (see blog Don’t Wrap Me). If successful, they could subsequently change networks anytime they wanted… or create their own. Why on earth would they want to route any debit transaction through V or MA if the token represented a debit card that represented a DDA? Or similarly doubtful: a token that represents a credit card which represents a credit account? (see  PayPal at the POS). Taking card number out of merchant (and consumer) possession, and replacing it with a token, enables banks enormous flexibility.

Yes my head is spinning too. I am implying that banks could leverage their entire acceptance and authorization infrastructure without routing anything through V or MA. No direct consumer involvement would be necessary in this token scheme since something like an MCX QR code could be mapped to multiple tokens in a single back end process. Banks are looking to make ACH changes as a defensive play to ensure that ACH rails are protected against funding a Retailer/3rd Party wallet directly (as PayPal, Target RedCard, Safeway Fastforward do today). This was my point in yesterday’s blog on ACH Debit.

Business Drivers

As I outlined this week in New ACH System in US, my view of Bank business drivers for Tokenization are:

  1. Stop the dissemination and storage of Card numbers, DDA RTN and Account Numbers
  2. Control the bank clearing network. Particularly third party senders and stopping the next paypal where consumer funds are directed to unknown destinations through aggregators.
  3. Own New Mobile POS Schemes to protect their risk investment
  4. Improve ACH clearing speed (new rules, new capabilities to manage risk). In a token model the differences between an ACH debit and a debit card will blend as banks leverage common infrastructure.
  5. Create new ACH based pricing scheme somewhere between debit ($0.21) and credit cards
  6. Regulatory, Financial Pandemic, AML controls (per  blog on HSBC)
  7. Take Visa and MA out of the debit game (yes this is a major story)
  8. Maintain risk models (see both sides of transaction)
  9. Control Retailer’s efforts to form a new payment network

What banks seem to be missing is that mobile payment is not just about payment (see Directory Battle Part 1). Payments SUPPORT commerce, Banks therefore do not operate from a position of control but rather of enablement. Most retailers recognize that Consumer access to credit has resulted in improved retail spending, however most would also say consumer addition to bank rewards has been detrimental to their margin.

Tokens for Mobile POS?

Why would any merchant or wallet provider choose to exchange consumer payment instrument(s) for token(s)?  Reduction in CNP rates, liability shift are significant. But the mobile device has many additional “identifiers” that far exceed what is available on a piece of plastic (IMEI, location, history, password, interaction for challenge). IMHO the bank business case for tokens must be built on CNP rates and Customer Choice. If Banks directly assist consumers provision their account into a mobile wallet, every wallet provider should support it. In other words the bank has done the work to integrate and “push” the customer’s choice into a given wallet from their online banking site (ex yesterday V.me and SavetoAPI).

But this bank led provisioning does nothing for the millions of accounts that consumers have already provisioned themselves in: PayPal, Apple, Amazon, Google, Target, Safeway… All of these companies have worked to deliver consumer value and obtained a direct consumer relationship, which subsequently resulted in the consumer choosing to store payment information directly. I can’t imagine a scenario (or business case) for them to part with that asset, particularly prior to 100% acceptance of tokens by all merchants (online and offline).

Token Acceptance

The value of a bank issued token is completely dependent on: ACCEPTANCE, cost and Risk Mitigation. At the physical POS Retailers are firmly in control of acceptance, unless the tokens perfectly mimic existing card schemes. Banks will likely work to ensure that any non-tokenized payment (QR Code) will be treated as a CNP transaction with merchants bearing fraud responsibility. If tokens are in the format of a 16 digit account number than there will be very little change necessary to the payment terminal. However, the downside of using 16 digit account numbers is that it would not enable banks to firmly separate from V/MA bin routing (and network fees). It will certainly be interesting to see the plan here.

Retailers, Banks, Networks, Consortiums… are all at odds… all trying to own the consumer relationship and control a directory which they can resolve.Payment Value

In general I see the token initiative as a distraction for banks. They are far too focused on control and throwing sand in the gears of commerce. Commerce will find the path of least resistance in an open market.

Summary

My guess is that many Card CEOs are skeptical of all this network tokenization strategy. Banks card teams have tremendous assets in their consumer relationship, established consumer behavior, brand, network of acceptance, merchant white label relationships. Why not work to partner and extend today’s model in a way that benefits consumer and merchant? Example Payment enabled CRM.

This tokenization project’s ability to positively impact mobile payments and retailers may be like squeezing Jello… American Express can only be laughing to themselves. As US Card issuers are 5 years behind them in innovation  Amex is extending their lead as they endeavor to “pull their weight” by while helping retailers obtain new insights on their customers. This sounds like a much better idea than tokens.. probably one that investors will understand better as well.

My message to Bank CEOs: stop trying to lock in your market position and start trying to justify it through value.  Tokens will provide you more control, but it is significantly detrimental to your acceptance network (V/MA). You have brilliant payment executives.. there is true genius in the token design here, but it is completely myopic. If you had a cross functional team with experience in retail, advertising, data, processing, CRM you would realize that mobile will change the way consumers interact with their environment. Banks will NOT be the intermediary in every interaction. The barriers you are constructing will only further inhibit your ability to partner and take part in processes which add value.  Remember your customer is not yours exclusively, we also are customers of Google and WalMart and Verizon…. Banks have an OPPORTUNITY to orchestrate commerce IF they deliver VALUE.  Payment people design payment solutions to payment problems. Banks must redefine the problem and the opportunity.

The questions banks must answer (for a retailer): when was the last time you brought me a customer and helped me build my brand, and consumer relationship?

Another scenario Card CEOs should consider: if Payments become “dumb pipes” …. where retailers and non bank intermediaries can perform Least Cost Routing (LCR)… how do we compete? How strong is your customer relationship?  Why did the consumer choose you as the bank in the first place?

13 thoughts on “Business Implications of Payment Tokens”

  1. “Banks are far too focused on control and throwing sand in the gears of commerce. Commerce will find the path of least resistance in an open market.”

    I wish I said that.

Leave a Reply

Your email address will not be published. Required fields are marked *