Divide and Conquer: Commerce Battlefield

What “standards” are there in commerce?

Do we advertise in the same way? Locate in the same geographies? Price products the same way? Have the same eCommerce or mobile “store” and services?

What about Payment?

Payment is perhaps one of the few “standards” that retailers have in commerce. I had an “ah hah” moment at Money 2020. It was from a presentation by Jim McCarthy of Visa.. the theme: Visa is a model where everyone wins, and participants can monetize their respective roles. Of course I should know this.. but it really just struck me on WHY the Banks want to work within the Visa model.. if they break it.. they will no longer be able to monetize payments.

Mobile is a platform which enables a radically improved customer experience. With respect to payments it also offers a unique ability to authenticate a consumer (fingerprint, GPS, cell tower location, voice, camera, …). Yet, no banks are looking to leverage these “new” capabilities in a “new” payment system. After all, given a clean sheet of paper, no one in their right mind would design a payment system like we have in Visa/MA: present a credential to a merchant, who passes to a processor, who passes to network and routes to issuer to approve a customer transaction… giving the auth to everyone in the chain again.. and getting back another message. If everything is connected why not just ask the consumer to send the money from their bank (ex Sofort,  Push Payments also read Banks will Win in Payment ).

Why? Well because Banks can’t make money in a Sofort model.. (would need to create all new merchant agreements). This is why Banks are going through contortions to stay within Visa/MA, yet attempting to alter it fundamentally (ie Tokens). A top 3 Retailer provided me a great example “if tokens are not created by Visa/MA do I have to accept all tokens like I have to accept all cards”?

Defining the Battlefield

My real “ah-hah” came when thinking about how the Card “standard” has been managed for the last 50 yrs. Quite frankly the Banks have been playing Chess while everyone else has been playing checkers (quote from a Retail Client).

This reminds me of Sun Tzu

Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle will arrive exhausted

Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.

Sun Tzu – Book 6

Retailers have been playing on someone else’s field.. they have been so distracted in competing with each other.. that they did not even identify a common enemy. This has shifted significantly in the last 5 years. The payment burden has become so substantial that Retailers realize they must define their own rules and create a new network (aka field).. thus we now have MCX in the US, SEPA in EU, EFTPOS Australia, CUP/China, Interac/Canada…  This is not just the US, take a look at what is happening in the UK last week, or with Card EU regulation cross border.

Implications of Tokens

I cannot understate the business implications of tokens to Retailers, Processors, Wallet Providers, eCommerce/mCommerce companies, and Start Ups(also see Money2020 and Tokens). It will impact every company that keeps cards on file (COF), or processes transactions electronically.  What is most concerning? These entities have few existing mechanisms to coordinate/collaborate … a coordinated Bank/Network consortium is battling a bunch of unorganized tribes… and setting them against one another. The hectic activity in payments has caused a fog of war which serves to obfuscate the primary advances of the opposition. While everyone is focused on litigation, debit, mobile, MCX…  banks are moving 3 steps ahead.

Banks have wrapped tokens in secrecy (per Sun Tzu) with motherhood and apple pie stories pertaining to protection.  I can assure you that Banks are not dropping over $1B+ to protect consumers.. they are spending this to protect themselves from competition. As I said previously, Banks know they cannot innovate at the pace of Google, Square, Cardspring, Braintree, … thus they must control the battlefield. Tokens enable them to recast the battle.

The new battle surrounds data. As my friend Osama told Tim Geithner, the value of data exchange may quickly outweigh the value of risk management and clearing in payments. JPMC has even created a new DIVISION run by Len Laufer to focus on data, as Jamie would say “we have better data than Google”.  Bank Card CEOs are furious at the thought of anyone delivering value on their cards, particularly efforts by the networks themselves (V.me, Visa Offers, …). Other token drivers:

  • Control who can be a wallet provider
  • Control who can add value to a card number
  • Control how a merchant can identify a customer via a card number (See payment CRM)
  • Control how payments are cleared (ex. What they did to Google Wallet).
  • Control how and WHEN mobile payments succeed
  • Control what payment instrument is used in mobile POS payments (ie Credit)
  • …etc

Banks are so far ahead on strategy….. I’m concerned Retailers will have no idea of what hit them.

How to respond?

  • Coordinate on a plan of action (glad to assist)
  • Create a new Battlefield.. create a new set of rules that Retailers control (thus the brilliance of MCX)
  • Join MCX.. just to ensure Banks know they must take this seriously
  • Frustrate the Banks on their Battlefield… Visa/MA and the issuers are not on the same page.. help to further the rift.. ensure new rules work to the Retailer’s benefit. For example, push V/MA to create a “certified wallet provider” that can translate cards to tokens WITHOUT THE ISSUER.
  • Regulatory… push payments into DUMB PIPES. Let innovators own the risk.. give banks a pass on payment compliance, open non bank owned pipes (Fed wire)…
  • Find Banks that will partner with Merchants to deliver value. On my short list are: Barclays, AMEX, Discover and Bank of America..
  • Help Banks solve their problems through you.. help Banks leverage their data for your benefit….instead of the other way around. Amex is FAR ahead in this.. 5 yrs ahead (see blog)
  • Break the Card revenue model…. Beyond what Chase did to VisaNet
  • Ensure you are viewed as fighting for the consumer.. NOT for yourself. Banks don’t exactly have a stellar reputation these days.
  • Banks also rightly fear that Debit will move from $0.21 to $0.05 or even $0.03.. making debit the equivalent of a quasi real time ACH system. How can you incent increased use of debit today?

I have a few others that I’m not going to share.. but we have got to stop falling on the same sword over and over again.  Banks are NOT the center of commerce, just as my ISP or MNO is not the reason I shop at Amazon.

Investors.. I’m not saying to short V/MA.. I see nothing to dent their global growth.. but in US/EU.. we will see their revenue drop substantially in 5 yrs.

My predictions

  • Visa/MA will create a rule that no one can wrap their card in a token but them… after all a card is really a token for an account number in the first place. Bank token efforts will die in next 12 months.. unless they can force a strategic change… or they make a move toward a 3 party network like discover.
  • Visa/MA will start off getting feedback from all participants.. but banks will win on their rules like they always do.  Merchants will resist efforts unless carrots are substantial (card present and fraud liability shift). If issuers are NOT on board merchants know (from VBV/MSC experience) that issuers will just tweak the decline rates to make for a terrible customer experience. In the end issuers have control over how any new scheme works for its consumers.. they have an unlimited ability to frustrate Visa’s rules… or leverage networks against each other.
  • Take a look at how long EMV, NFC, … have taken. I would make the case that EMV only succeeded because of regulatory pressure.  I see no impetus for change… no business case for either merchant or consumer.  PCI costs and Fraud are already managed…
  • Mobile successes will work around today’s plastic.. This is the beauty of Square..
  • Merchants have reached beyond the tipping point of collaboration on common payment services. It will happen… and there will be implications to V/MA volume (in 5 years)
  • There is only one entity that has the POWER to change consumer behavior on mobile: Apple. It took them over 20 years to earn consumer trust through their maniacal focus on quality and consumer experience. If Apple makes a move in mobile payments.. we should all “think different”
  • Merchant friendly solutions and big data.. are red hot areas. My favorite case study here is a little restaurant marketing company (Fishbowl).. will write a blog on them this month.

21 thoughts on “Divide and Conquer: Commerce Battlefield”

  1. How about non-phone SE? Cloud POS for “card present” e-comm? The latter can be linked to tokens…

    Apart from control (incl. battlefield definition), how about fraud liability shift?

  2. Tom,

    As always, great post, but In this case it leaves me with questions.

    Why are you so sure that Visa and MC are only using tokens to maintain control of payments, and not as a sincere attempt to add value? From what I can tell, their power here is quite limited. First, the tokens are explicitly targeted at CNP transactions, not POS. Their strategy at POS is EMV, which as you yourself have pointed out, has not met with universal merchant acceptance. In fact, some merchants have said they will accept the liability shift rather than invest in terminal upgrades. Why would the networks have more power in the CNP context, where there are so many more alternatives? The prospect of card-present interchange and liability shift to the issuer would indeed be quite attractive, but I don’t understand how that becomes a threat.

    I think you may be overlooking the implications of the legal setbacks the networks have had over the past decade. It is now accepted law that Visa and MC have market power sufficient to subject them to anti-trust scrutiny. This severely constrains their ability to use rules to restrict how their tokens may be used. “Honor all Cards” is history; only Amex is still fighting that battle, on the basis that they _don’t_ have market power. Even if the networks did try to constrain the use of tokens, merchants and wallet providers could simply continue to use the printed card number as they do today. Issuers wouldn’t dare block use of their actual card numbers, any more than they were willing to force the use of 3D Secure. The customer service issues would be insurmountable.

    In short, the conspiracy theory you are outlining feels somewhat strained to me. I find your thoughts on how banks and merchants can work together for mutual advantage more intriguing, and hope you will focus more on that area.

    1. Wow.. great questions.

      Your point on POS vs CNP focus is one I will add to blog in update. My view is that Visa is very focused on eCommerce CNP and TCH is very focused on POS.. Mastercard… ? that is another question. I believe the banks would love to carve up tokens along the Visa lines..

      Other Responses
      – Honor all cards is alive and well w/ V/MA. Retailers are not big fans of paying for bank loyalty on the premium credit cards. It is dead on debit vs. credit.
      – Conspiracy theory? No… banks just have a well thought through strategy that is 3 steps ahead.
      – Constrained in rules to restrict tokens.. I don’t agree, Visa has a great view… a Token is really just a longer card number that can change more frequently. They WILL be able to create new rules if TOKENS are a new form of Card Present transaction. to your point, Merchants can continue to process as card not present.. for non-certified tokens, they are in a position to create rules around how their card is used, for example:
      1) there must be a one to one mapping for token to card… and it must be registered or compliant w/ Visa scheme to get a card present rate.
      2) if token is passed that represents a card, the entity which created the token must be a registered XXX, and have X PCI compliance, and have taken x steps to certify the underlying card is valid.

      1. Tom,
        I stand corrected on the “honor all cards” point; I was thinking of the V/MC settlement with the DOJ allowing merchants to refuse premium reward cards, but of course that doesn’t take effect without cooperation from Amex.

        Redefining the “card present” rate as “token present” while creating a new, higher rate for “actual card number” transactions would incent cooperation, but if the networks overreached, it would improve the economics of bypass networks, which Visa and MasterCard want to avoid. So I still doubt they will be able to force compliance without a legal mandate, but I do understand more clearly now the business case for merchants to establish their own network.

        Thanks,
        Aaron

        1. Aaron, thanks for taking the time to share your perspective. I’m admittedly very weak on the acquiring side dynamics, so please keep me honest and continue to question my perspective. It is exactly that type of dialog I was hoping to achieve here.. and therefore much appreciated.

          I agree on “force” compliance…. however the issuers have done a fantastic job of FRUSTRATING success. MA’s imposition of a 35bps wallet fee… prohibition on back to back transactions which killed the Google wallet approach… new rules which prohibit CNP wallets from passing through the merchant name (everything is paypal or Google wallet). I don’t see how Tokens will ever be “forced” until they stop giving consumers card numbers. That could take a few days :-)…

          Our current state is just a mess.. no EMV, no NFC, new rules, inconsistent practices, data leakage, data control… everyone is throwing sand in the gears … It’s hard to build anything on Jello.. hence why AMEX is so far ahead… and why MCX must exist.

  3. “If token is passed that represents a card, the entity which created the token must be a registered XXX, and have X PCI compliance, and have taken x steps to certify the underlying card is valid.”

    If a s/w-based token is used in e-comm scenario to get CP rates, why not use the same token in physical retail?.. If that is allowed, why do we need EMV, secure elements (and ISIS)? Also, in that case, why not run physical retail as e-comm, i.e. without card terminals etc?..

    How would the market react if the rules becomes inconsistent, i.e. a chip card in physical retail and just s/w tokens online?

    1. You are asking the right questions.. the inconsistency is why I believe the networks must own and control any token schemes.. Banks have no way to enforce rules directly.. they have no agreements with retailers or wallet providers… which is why in the US they are so desperate for Apple/Google/Amazon participation.

    1. When I had a chat with Paymentech and FirstData execs, they referred to “other solutions” (Dwolla amongst them) as esoteric options. Dwolla/Square/PP are cute concepts for specific types of merchants, not for the mainstream, for many reasons (IMHO). As Tom keeps (correctly) saying, there is no (major) problem with the payment status quo as far as consumers are concerned.

      1. Sounds like the prefect case for disruption — everyone thinks they’re cute. 🙂

        To the degree that they try and be a brand your point is well taken, to the degree that the show how many of the problems that V/MC have solved are no longer issues there is an interesting dynamic I think. Mobile is the opportunity for making consumers change preferences at checkout… and no one really cares about their issuer… the more tools merchants have to create their own MCX or RedCard the more they will do so and keep the data, experience and payments under their control, etc.

  4. Great idea, Tom. What is in it for customer for merchants/merchant organisations to control the battlefield? As i understand merchants have been required not to pass burden of any merchant fees charged by Banks to customers, if that is the case really then what benefit can merchants promise customers? I feel more than merchant, banks, or schemes, it is customer who should be at the center of any solution. He is major driver. Merchant/banks/schemes have always been making profits and they will continue to make. Any new change unless it is customer focused, i dont think it is going to find any traction. e.g. Debit card fees have reduced in USA , how has customer benefited from that? I have not see any data which support customer being benefited by that.

    Thanks,
    Sandip

    1. The problem is, consumers will ultimately choose an option they like (from available ones), but they cannot drive/dictate adoption of a particular solution by merchants. Take MCX, for example – no matter what consumers could be saying now, MCX has its own agenda and vision. Whether or not consumers will start using QRs, for example, is another question… They might do so if MCX provides an incentive, but if it costs you money to drive consumers to QR, wouldn’t that defeat the (cost-saving) objective?..

      1. Agree.. if the cost of acquisition is high enough than it would defeat the purpose of a retailer network. But retailers will not have this cost.. since they touch the consumer every week. In other words they have physical touch, distribution and in store sales which will greatly reduce the cost of acquisition when compared to a bank (you don’t go there every week.. particularly a bank you don’t have an account with).

        Think about this checkout process.
        Cashier: would you like to register for our new free loyalty and mobile payment product? You’ll get x% off on your next purchase
        Consumer: sure
        Cashier: all I need is your email address or mobile phone number and we will send you something right away

    2. My thoughts
      – signature debit fees have been reduced from 120-150 bps to $0.21 + 5bps. This is almost exactly what a PIN debit has cost a merchant for an average $40 transaction. The judge has said this rate was contrived and the Fed’s own internal team recommended $0.12.. merchants believe we will see the new rate set at $0.05 to $0.03 consistent w/ debit rates in EU, Australia, Canada. The Durbin LAW said that the rate must be COST..
      – Merchants cannot explicitly pass on card costs within VISA/MA schemes (a surcharge). They can however create a new scheme to charge customers, or they can discount for use of debit.. but they cannot charge more for use of credit.. We will see Gas and Grocery move first here, and they haven’t moved yet because litigation is still pending (in my opinion). This is primary reason for lack of consumer “savings” research.
      – Why control the battlefield? Mobile payments… Nothing has started yet, and both Banks and Merchants want to establish consumer behavior in a way that benefits them. Starbucks is by far the biggest mobile/POS payments success (in US).. why do you use it? Free coffee? Loyalty? Speed? Each MCX retailer will be able to create their own value proposition… Banks want to control mobile payments as well.. but for another reason.. they want mobile to be a credit card play. When we see ISIS launch there will be no debit cards..
      – Cost to acquire… read my blog on target red-card… great example of how consumers register for the card inline at the POS. Retailers have a much lower cost of acquisition than banks.. consumers visit high frequency retailers weekly.. they have physical touch.. there is no need to advertise outside of store. http://tomnoyes.wordpress.com/2010/12/06/redcard/

  5. My comments should be read as discussing of U.S. banking.

    First, banks are going to tokenize the ACH networks to end use by the “free riders”. If the likes of PayPal or Target Redcard would like to leverage the ACH network then they are going to pay a fee to the banks.

    Second, banks are going to issue EMV debit and credit cards. Most of the EMV cards that will be issued will be dual interface, contact and contactless (NFC). Merchants are not suddenly going to stop taking cards nor are the largest merchants going to expose themselves to the fraud risks that are ever on the rise from counterfeit mag. stripe transactions. Merchants will adopt EMV because the acquirers will essentially enforce it. The entire system from regulators, auditors, security consultants, and the various operating rules and agreements will make it impossible otherwise.

    Third, banks and card networks will tokenize “card” payments. Merchants will be given what looks like a card number that they will process like a card number, when the card number is nothing but a token that they may never see exactly the same again.

    I am cutting myself off before I even get more into “mobile” otherwise I could be here all day.

    Tom, as always, thank you for continuing to share your insights.

    1. Target is a bank.. actually they have 2 bank licenses.. but your point is still valid. The top 5 consumer banks have indeed developed a view that there are ACH “free riders” and are looking to shut them down. Tokens are just part of the scheme.. the top 3 have formed Clearxchange to enable “real time” debit.. of course no one will run to this entity until the “locks” on ACH debit have been established.

  6. I see several conceptual issues with this post.

    Just one is that Banks issuing tokens means that each merchant will have to need its own ‘namespace’ for tokens & we will require a Cartesian product of accounts no to merchants for each Bank. You can see how that can get out of hand really quick. Also, within a merchant itself, a token will be as good as a PAN, so this creates a new fraud vector i.e. a token can be used fraudulently within a merchants namespace. Also, who will route such transactions ?

    1. Thanks for your note.. think there are probably multiple phases. In in end state I believe that token will vary for each merchant… it will be a MID/Wallet/Token unique combination.. and a much more complex routing table. Networks are of one mindset that they want to be able to do a mass reissue for any given merchant or wallet with no consumer impact (for example). That should only take a day or so before this becomes real (next week)… 🙂

      1. @tomnoyes, The devil is in the details. Any security design needs to reviewed before any useful comments can be made. Until then, it has no useful value.

        There is really no way to rationally analyze a security feature or product without knowing the details. As example is http://www.finextra.com/News/FullStory.aspx?newsitemid=25271&topic=mobile#!

        Thus, I look forward to hearing the details of the token architecture you mention.

        FYI – I made a mention of tokeinization being a buzzword several years ago in a paper I presented in an owasp event. -> https://www.owasp.org/index.php/ProblemsCBCModeForPANs

Leave a Reply

Your email address will not be published. Required fields are marked *