What is NFC? What part is Dead? A: The GSMA part

23 Feb 2014

I decided to turn this into a Wiki update.. as the prior entry is somewhat lacking. For example: Who created the TSM? Single Wire Protocol in the UICC? Who certifies a device for payment?

The New Wiki is now (with the last 2 para’s just added)

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into proximity, usually no more than a few inches.

Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.[2]

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by NokiaPhilips Semiconductors (became NXP Semiconductors since 2006) and Sony, and now has more than 160 members.The Forum also promotes NFC and certifies device compliance[5] and if it fits the criteria for being considered a personal area network.[citation needed]

In addition to the NFC Forum, the GSMA has also worked to define a platform for the deployment of “GSMA NFC Standards”. within mobile handsets. GSMA’s efforts include“Trusted Services Manager”., Single Wire Protocol, testing and certification, “secure element”..

The GSMA’s standards surrounding the deployment of NFC protocols (governed by the NFC Forum above) on mobile handsets are not exclusive nor universally accepted. For example, Google’s deployment of Host Card Emulation on “Android KitKat 4.4”. in January 2014 provides for software control of a universal radio. In this “HCE Deployment”., the NFC protocol is leveraged without the GSMAs standards.

 

From a mobile payment perspective, NFC is

  1. Protocol. NFC Forum owns the Protocols making up the ISO specifications.  These protocols are the “universal” aspect of NFC that is NOT changing.
  2. Platform for How NFC works in a Phone
    • GSMA NFC Specifications, reference architectures, platform constructs (TSM, ..) outlining a SCHEME for how NFC manifests itself within a Handset Architecture
    • HCE
    • Apple Secure Enclave
    • ??
  3. Payment Network Standards and Certification. Exxon Mobile and Mastercard were the first contactless payment mechanisms, and Mastercard PayPass was the first Network Standard with reference implementation and certification for presentment and acceptance.

With HCE, the entire GSMA “NFC platform” is dead, but NOT the protocol (No UICC/SWP role, No TSM, Access to “controller” and Secure Element, no Handset Certification).

Comments on Wiki and blog welcom

 

 

Token Acceleration

20 Feb 2014

Let me state up front this blog is far too short, and I’m leaving far too much out. Token strategies are moving at light speed… never in the history of man has a new card present scheme developed so quickly (4-6 MONTHS, see announcement yesterday). As I tweeted yesterday, the payment industry is seldomly driven by logic, and much more by politics. Given many of my friends (you) make investments in this industry, and EVERY BUSINESS conducts commerce and payments, movements here have very broad implications. The objective of this blog is to give insight into these moves so we can all make best use of our time (and money). I was flattered at Money 2020 when a number of you came up and told me that this blog was the best “inside baseball” view on payments. Perhaps the only thing that makes our Starpoint Team unique is that we have a view on payments from multiple perspectives: Bank, Network, Merchant, Online, Wallet, MSB, Processor, … etc.

It’s hard to believe I’ve already written 12 blogs on tokens… more than one per month in last year. As I outlined in December there are (at least) 10 different token initiatives (see blog).  Why all the energy around tokens? Perhaps my first blog on Tokens answered this best… a battle for the Consumer Directory. It is the battle to place a number in the phone/cloud that ties a customer to content and services (and Cards). The DIRECTORY is the Key service of ANY network strategy (see Network Strategy and Openness). For example, with TCH Tokens Banks were hoping to circumvent V/MA… (see blog). The problem with this Bank led scheme (see blog): NO VALUE to consumer, wallet provider or merchant. It was all about bank control.  The optimal TCH test dummy was almost certainly Google, and the “benefit pitched” was that Regulators were going to MANDATE tokens, so come on board now and you can be the first.Token schemes

Obviously this did NOT happen (perhaps because of my token blog – LOL), but the prospect of a regulatory push was the reason for my energy in responding to the Feds call for comments on payments. In addition to the failure of a regulatory push, the networks all got together to say no Tokens on my Rails (see blog). Obviously without network rail allowance, a new token scheme would have to tackle acquiring, at least for every bank but JPM/CPT (see blog).   Paul Gallant spent 3 yrs pushing this scheme uphill and had no choice but to look for greener pastures as the CEO of Verifone (Congrats Paul).

In the background of this token effort is EMV. I’m fortunate to work at the CEO level in many of the top banks and can tell you with certainty that US Banks were not in support of Visa’s EMV announcement last year. One CEO told me “Tom I found out about EMV the way you did, in a PRESS RELEASE, and I’m their [Top 5] largest issuer in the world”. Banks were, and still are, FUMING. US Banks had planned to “skip” EMV (see blog EMV impacts Mobile Payments). The networks are public companies now, and large issuers are not in control of rules (at least in ways they were before). Another point… in the US EMV IS NOT A REQUIREMENT A MANDATE OR A REGULATORY INITIATIVE. It is a change in terms between: Networks and Issuers, and Networks and Acquirers, and Acquirers and Merchants (with carrots and sticks).

In addition to all of this, there were also tracks on NFC/ISIS (which all banks have walked away from in the US), Google Wallet (See Don’t wrap me),  MCX, Durbin, and the implosion of US Retail Banking.

You can see why payment strategy is so dynamic and this area is sooooo hard to keep track of. Seemingly Obvious ideas like the COIN card, are brilliant in their simplicity and ability to deliver value in a network/regulatory muck. This MUCK is precisely why retailers are working

Payment Value

to form their own payment network (MCX), retailers and MNOs are taking roles in Retail banking, and why Amex has so much more flexibility (and potential growth).

Key Message for Today.

With respect to Tokens, HCE moves are not the end. While Networks have jumped on this wagon because of HCE’s amazing potential to increase their network CONTROL, Banks now have the opportunity to work DIRECTLY with holders of CARDS on File to tokenize INDEPENDENT of the Networks.

Example, if JPM told PayPal or Apple we will give you:

  • an x% interchange reduction
  • Treat as Card Present, and own fraud (can not certify unless acquirer)
  • Access to DATA as permissioned by consumer
  • Share fraudulent account/closed account activity with you to sync

If you:

  • Tokenize (dynamically) every one of our JPM cards on file
  • Pass authentication information
  • Collaborate on Fraud

This is MUCH stronger business case for participation than V/MA can create (Visa can not discount interchange, or give access to data).

This means that smaller banks will go into the V/MA HCE schemes and larger banks, private label cards, … will DIY Tokens, or work with SimplyTapp in direct relationship with key COF holders.

Sorry for the short blog. Hope it was useful

Another Bank Consortium? Paydiant

Banks have not put all of their eggs in the TCH basket. There is another Bank Consortium around payments which I have not discussed: Paydiant has been working with 27 odd banks around a “Push Payments” pilot for last 2 yrs.

PUSH Payments – 27 Bank ‘Consortium’

Summary

  • Banks have another “consortium” on payments I have not discussed: Paydiant Push Payments
  • Trials have been underway for over 2 years
  • Competes with TCH tokens
  • Led by BAC, FIS, and other top banks
  • Objective: minimize changes to POS, through a new payment terminal which displays QR code.
  • Flow: Customer takes picture of Payment Terminal QR Code (which contains MID and TID), Code sent from Consumer Phone to FIS service, translated in to card (currently), Processed in normal Auth flow, then Auth PUSHED to POS terminal.
  • Elavon in primary processor for TCH tokens, FIS is focused on Paydiantpaydient

Background

On a flight to SFO today and I’m looking at 50 odd emails from last week questioning my blog on Host Card Emulation (HCE). It has certainly caused a stir with the NFC community. As most know, companies like SimplyTap have been able to make this work on the Blackberry platform for some time…. I don’t mention vendors by mistake… but can’t tell you much more here other than it would be worth your time to work with them if you want to evaluate HCE.

How does HCE play in a world of Tokens, QR codes, merchant run networks, NFC, and Push payments? Well quite frankly nothing is happening now, and until a critical mass of Banks, retailers and platforms start to deliver value (beyond payment) nothing will.  I’ve stated many times that existing networks are ill equipped to drive fundamental change. For example banks look at mobile as a chance to cement use of credit card and maintain control over payments (and consumers).

Those that have read my numerous Token articles know that Banks have been working to disintermediate Visa/Mastercard. The theme is “if there is a number stored on the mobile phone, we want that number to be one we own and control.. not a V/MA number.. but ours”. This number is the Token I referred to in Tokens – Volunteer Needed, Directory Battle, and Tokens and Networks,  …etc. Last month Visa, MA and Amex launched their own competing token scheme to ensure Issuers did not end run them. This has put significant dampers on the TCH project, together with the loss of its early bank champions (Paul Gallant now CEO of Verifone).  The TCH project is likely to morph into ACH and perhaps debit tokens, as well as coordinator of standards, with the Card Network consortium winning the battle over Card tokenization. The only significant piece of new information on this is that the TCH bank champions were emphatic that Regulators would FORCE TOKENs in pending rules. Lets see if that happens.

PUSH PAYMENTS

Banks have not put all of their eggs in the TCH basket. There is another Bank Consortium around payments which I have not discussed: PAYDIANT (http://www.paydiant.com/). Paydiant has been working with 27 odd banks around a “Push Payments” pilot (see blog for Push discussion).

Paydiant Flow

  • Merchant has specialized Payment Terminal that can generate a Paydiant QR Code. No POS change necessary
  • Consumer has Paydiant application or Bank white labeled version
  1. Merchant pushes normal card button on ECR
  2. ECR sends Payment amount to FIS Card Reader
  3. FIS Reader Generates Unique QR code based upon Amount, Merchant ID (MID), Terminal ID (TID)
  4. Consumer launches application and takes a picture of the QR Code
  5. Application sends QR code to FIS/Processor for transalation and asks consumer to confirm amount/payment instrument selection
  6. Consumer confirms transaction
  7. FIS sends transaction through normal payment Auth flow.
  8. FIS receives Auth
  9. FIS Sends Auth to pending MID/TID
  10. Merhant Payment Terminal receives Authorization and communicates to ECR
  11. Transaction is completed

I think of this as a reverse Starbucks. Consumer reads a QR code instead of the other way around. In a perfect world this is a great example of push payments. Only supporting issuers can participate, and they can set rules for interchange, fraud or anything else they want to with Merchant. Banks can also completely circumvent Visa and Mastercard as actual card number did not have to be used.

This solution, while very attractive, does have a few problems. In my own personal experience

#1 Connectivity. Over half of participating merchants had to install wi-fi hot spots as consumers did not have data connectivity in stores. This makes for a very bad (and slow) consumer experience.

#2 Glare. I couldn’t take picture of the terminal without holding another hand up to block glare. Of course we could solve this with Bluetooth LE, or some other factor.. but today it is a problem.

#3 Learning curve. Taking a picture of a QR code is not something most of us do..  Cashiers are not in a place to help

#4 Why? This entire solution is cool.. but why? It is MUCH EASIER to just pay with my card. Just as in Card Linked Offers, there are very few advertisers or other offer content to make this attractive.  FIS seeks to offer LevelUp like loyalty services, but currently in its infancy.

Bank Chaos

The reason I’m telling this story is  to show you the chaos going around mobile payments. Just because the technology works doesn’t make this a great idea. However, I do like this particular initiative very much, as it is the BEGINNING of a new network and a NEW APPROACH to payments that could reinforce Bank roles in authentication.  The flow makes sense to me.. we just have a few problems with the phone to Payment Terminal interface.  Imagine if I could couple this with a SQUARE voice experience and Apple’s new fingerprint technology.

Paydiant was quite sure they were going to win the MCX business. The solution’s complete dependence on processors and issuers made this quite unattractive, and hence Gemalo’s win (see blog).

I have a number of friends in the payment s industry, and each bank seems to be involved in multiple intitiatives:

  1. Tokens
  2. CLOs
  3. NFC
  4. Paydiant
  5. Apple/Google Wallets
  6. MCX
  7. EMV/Reissuance
  8. Visa/MA/Amex Scheme
  9. …etc

It is a crazy time. Small companies and mobile investors need to be aware of this Chaos, and understand the diffusion of focus.

Perfect Authentication… A Nightmare?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

4 Nov 2013

Long blog.. load of typos

As I’ve stated before, this blog has been a great way to make new friends and stay in touch with my 100s of friends and former employees around the world. When you are in a small company you tend to lose touch with what else is going on as you no longer have 1000s of folks feeding you market intelligence. Small companies live and die by the risks they take, and I’m primarily focused on reducing risk by sharing G2 and perspective.worry-about-identity-theft-confession-ecard-someecards

Industry History (experts can skip this section)

I’m fortunate to have worked with some of the best teams in both Security and Fraud areas. Back in 1998 I ran Oracle’s Payment and Security National Practice where we did things like PKI, Single Sign On, as well as Oracle’s first Java application: iBill and Pay (built on Oracle’s first Application Server OAS which scaled to 40 users regardless of hardware). I switched from the tech side to the business side in 02, and can assure you that running online Banks keeps you in the security AND Fraud space. In 2008 I left Citibank to go to 41st Parameter (just acquired last month by Experian). 41st Parameter was founded by a visionary fraud prevention guy.. Ori Eisen, with a focus device ID.

From a Commercial/operational perspective there is always friction between the security teams and the Fraud/Operations teams. The security teams are always working to enhance security, the fraud and operations teams are always working to mop up the mess from any holes in security and create proactive processes by which they can stop it. As I said in my blog last week, if I let security guys have their way with authentication …. customer experience would be awful.. and no one would use online banking. Hence we have services like Risk Based Authentication, Honey Pots, Fraud Controls, …

This same Security vs. Fraud dynamic plays out in payments. From the 1970s to the 1990s banks had built their authorization infrastructure around tools like HNC’s Falcon to create rules based authorization, with daily tuning of rules based upon fraud. Today Banks continue to invest billions of dollars in fraud and risk infrastructure (see blog). The metaphor for competition here

If you are camping with your friends and a hungry bear comes to your campsite.. you don’t have to be faster than the bear.. you just have to be faster than at least one other camper.

Thus the rule of thumb: fraudsters always attack the easiest target. Big bank billion dollar fraud platforms thus drive fraud to smaller competitors. This enables the large banks with sophisticated controls to derive higher margins in payment products, which drives incremental investment.  This is one reason why large US banks are so resistant to EMV (it levels the playing field). Fraud numbers in the US are not well reported, the best data is from my friend in the UK (see UK Card Association).  Large US banks were not involved (or informed) of Visa/MA’s plans to mandate EMV. As one CEO told me personally “Tom .. to this DAY Visa has never come by my office to discuss EMV, I found out about it the same way you did.. in a PRESS RELEASE.. “ [Top 3 Issuer].

In the late 90s Banks were not prepared for Card Not Present (CNP) Transactions that came from eCommerce. Their fraud systems (ex HNC Falcon rules) were not tuned for this type of transaction. Actually, banks really didn’t care much here because 100% of fraud loss was borne by the merchant. The only Bank impact was helping the customer deal with fraud (and reissuing cards). Thus RETAILERs began investing in Fraud systems and 3rd Party specialists (GSI, CYBS, 41st P, Digital River, 2CO, PayPal, …) emerged to help manage fraud on behalf of retailers. LARGE retailers followed the same path as large banks, investing in custom fraud infrastructure (ie Amazon, Apple, Google, Airlines, …).

Banks thus ceded eCommerce risk management to 3rd parties until around 2003 where 3DSecure was developed (See Wiki. Implemented as VBV by Visa and MSC by Mastercard). Merchants were incented to adopt the scheme by a liability shift (to banks) and an interchange reduction of 5-10bps. Rollout of the scheme in Europe was a disaster (see UK Guardian). Banks now owned a mountain of new fraud losses (as 3DS technology was broken), with only ONE tool to address: Decline Transactions. See my 2010 blog and Schneier’s: Online Credit/Debit Card Security Failure

Mobile

Banks are determined to avoid their prior mistakes, in eCommerce risk/roles,  and take a leadership position in mobile (ie payments, risk, authentication, data, … ). I’ve detailed their efforts in:

Why is mobile so important to Banks?

#1 PRIMARY INTERACTIVE customer touchpoint. 10 years ago, how did you interact with your bank when you were away from home, work and a branch? The only interaction you had was a piece of plastic.  Mobile enables a new class of Services.. but ALL mobile services must add value. The rest of these priorities pale in comparison to consumer touch… Banks are thus experimenting on what they COULD DO with mobile to remake banking.

#2 Authentication. Confirming identity of consumer.

#3 Risk Management. Both gaining additional consumer insight, and enabling new levels of risk control based on this data.

#4 Remaking of Retail Banking (reducing cost to serve)

#5 Mobile Payment.

#6 Partnerships. Sales, Distribution

I’ve touched on #1 many times, but before I go to Authentication/Authorization/Risk, let me provide a brief recap of my many blogs covering the “other services”. As I outlined in Card Linked Offers, Banks don’t realize is that just because you CAN interact with the consumer doesn’t mean that the consumer WILL. You must actually deliver VALUE if you want to capture consumer TIME. Having run 2 of the largest online banks I know what customers do. Retail Customers log in 3 times a week, check their balance, pay a bill or two and log off (180 seconds later).  Bank CEOs.. I gave my recommendation on what you SHOULD be doing in my Bank NewCo blog.

Authentication – THE Lynch Pin

As I stated in Who do you Trust,

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in the Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?NFC Change

Hardware is evolving to software (from NFC to the SIM). …[ If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (drive, Google Now, Commerce, …).  The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

What we will see at Money 2020, is that there is an all-out war going on for the Trust role: Banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.

and in Authentication – A Core Battle for Monetizing Mobile

As Ross Anderson said “if you solve for authentication.. everything else is just accounting”. Think of how much bank infrastructure is dedicated to authentication of the consumer and risk/fraud management. This infrastructure was built over last 30 years because there was VERY poor ability to authenticate a consumer (ex. signature and possession of card) AND inconsistent CONNECTIVITY at each commercial “node” touching the transaction. Today we have complete connectivity, but the MODEL has not evolved from its archaic past.

Beyond Authentication, mobile also plays SUBSTANTIALLY on the risk side, as it enables Banks to interact OVERTLY and COVERTLY with the customer. For example a risk system could ask: is the customer’s cell phone within 20 yards of their transaction (at X merchant).  Or even issue the customer a one-time PIN (or PIN request) to complete transaction.

Perfect Authentication – A threat to Banks?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

If we made an inventory of payment systems (technical investment) between merchant to consumer bank we would see today’s systems, processes and rules would be DESTROYED by a future state of connectivity and authentication. I’m sure this one line statement will be questioned “prove it”, but I don’t have time.. I’ll leave it to someone else. Take this statement for what it is: my opinion.

Authentication is 0-1, Risk and Fraud deal in shades of grey. For example, if there is a CHANCE that Joe Smith is a really a the end of the transaction, and he is my wealth customer, I’ll let him in the door, see what he wants to do and then risk it based on it. I certainly won’t LOCK HIM OUT.  Another example, if I could authenticate a customer why do I need to make the transaction secure? This is the BEAUTY of the Square “pay with your name” scenario.  Why do I need tokens? Someone just needs to map consumer ID to payment types.

The very concepts of payment “products” begins to dilute. No more credit, debit, pre-paid, Amex, ACH, check, … In a world of perfect Authentication “old line” products evolve toward dumb pipes as competition shifts to speed and cost (not risk).

From Cash Replacement

Networks are designed around a value proposition.  For payments to flourish, a coordinated system of instructions which can be read by trusted participants is necessary. Providers of payment services must consider what network participants are providing in order to collaborate in risk management and settlement; the greater the number of consumers and businesses that participate, the greater the collaboration and interdependency. As more people adopt the payment system, its value increases, since it provides access to more people; this encourages larger networks. Not only do the benefits increase as the network expands, but the per unit cost of service falls. This behavior is the basis for what economists refer to as a “network effect”.

Once a payment system reaches a “critical mass”, economic value will be created at the ends of networks. At the core- the point most distant from users-generic, scale-intensive functions will consolidate. At the periphery-the end closest to users-highly customized connections with customers will be made. This trend pertains not only to technological networks but to networks of banks as well as small merchants and even to consumers who engage in shared tasks9. From a payment network perspective, this means that the “routing” of payments will provide much less revenue opportunity than managing the end points (e.g. the customer interaction or the products which are sold on the network).

…] Payment networks are inherently “sticky” with investments required by consumers, merchants, and banks for effective functioning. Payment networks also have substantial government involvement to support Commerce and Treasury functions that ensure stability, resilience and protection of parties. Innovation in payments is challenged by this network dynamic. As most small companies know, getting a bank to make a decision is tough… but nothing compared to getting 4-6 groups (issuers, acquirers, merchants, MNOs, Regulators, networks, ..) to collaborate in making coordinated change. A level of difficulty that is only superseded by the challenge new entrants face in competing directly against these existing networks.

A truely jaw dropping piece of research was completed last month by philippon_newfig1NYU’s Thomas Philippon (  http://www.voxeu.org/article/where-wal-mart-when-we-need-it).

The cost of intermediation grows from 2% to 6% from 1870 to 1930. It shrinks to less than 4% in 1950, grows slowly to 5% in 1980, and then increases rapidly to almost 9% in 2010

In other words Payments and Banking are one of the few network businesses in the HISTORY OF MAN to grow less efficient (rail, telecom, energy, …). This is BY DESIGN as the orchestrators of banking have successfully created constructs to squeeze COMMERCE. Further demonstrating that existing payment networks are incapable of leading ANY FORM creative destruction. As I stated in Commerce Battlefield

Mobile is a platform which enables a radically improved customer experience. With respect to payments it also offers a unique ability to authenticate a consumer (fingerprint, GPS, cell tower location, voice, camera, …). Yet, no banks are looking to leverage these “new” capabilities in a “new” payment system. After all, given a clean sheet of paper, no one in their right mind would design a payment system like we have in Visa/MA: present a credential to a merchant, who passes to a processor, who passes to network and routes to issuer to approve a customer transaction… giving the auth to everyone in the chain again.. and getting back another message. If everything is connected why not just ask the consumer to send the money from their bank (ex Sofort,  Push Payments also read Banks will Win in Payment ).

Why? Well because Banks can’t make money in a Sofort model.. (would need to create all new merchant agreements). This is why Banks are going through contortions to stay within Visa/MA, yet attempting to alter it fundamentally (ie Tokens). … (Also see Push Payments)

Regulation… the KEY

Payments, telecom, commerce, customer data, … all are regulated (merchants … not so much). Banks are completely justified in seeking solutions to their current regulatory burden. After all they bear most of the AML, BSA, CPFB, FED, OCC, .. burdens here. What needs to happen is that regulators must allow non-bank entities to bear risk. This is where innovation occurs. See blog US Payment Innovation and Regulation

Money 2020

10 Oct

Great Conference! In fact I would vote it the best networking conference I have ever attended. Kudos to Anil, Jonathan and the rest of the Money2020 team.. !

I’m backlogged and jet lagged but had to get a few thoughts out.

MCX IS REAL

I was fortunate to have lunch with Dekkers, though I can’t comment on anything relating to product, I will certainly comment on what I think is most surprising. Dekkers related that the degree professionalism and warmth of welcome has surpassed anything he has ever experienced in his career. It is NOT a herd of cats.. ! It is also not just a bunch of  interchange focused treasury guys.

Retailers are sick and tired of being handed rules by people that have no understanding of their business. They are competitors.. just as different as the Yankees and Red Sox… but they do agree on common rules .. and are determined to set them within their own “MCX” league.

Tokens

My panelist were great.. the content and answers were predictable.. hence the session was a little dry.  What is clear?

Banks want us all to believe that they support V/MA/Amex token efforts.. and this is all about security. I can assure you this story is complete BUNK!  At least from a business strategy perspective.    Card CEOs are furious at the thought of ANY ENTITY delivering value on top of their cards (see don’t wrap me):  Cardspring, Visa, MA, Retailers, Google, PAYPAL. There is an all out war to stop them.. the war is about DATA AND CONTROL and ESTABLISHING CREDIT as the primary mobile payment product.TCH Scheme

Consumers prefer debit for most POS transaction 8:1 (in Grocery).. but credit usage dominates eCommerce due to the better protections available to consumer (Reg Z) and reluctance to share debit card information online. Logically TOKENS should first extend to DEBIT in order to address these issues and ensure debit account security. Whether from action or inaction, most banks WANT to extend consumer UNCERTAINTY over eCommerce debit use into mobile.. CAN YOU BELIEVE THAT? Of course they would recast this statement “we want to deliver value to consumers [on credit] and ensure consumers are protected on mobile [using credit].. and we are making investments [in credit] to make this happen”.

Banks are investing over $1.5B (collectively) in data, offers and new ways to add value to CREDIT CARDS. However Banks don’t give a hoot about Debit (except BAC and CUs), the rest want to establish credit as the PRIMARY payment mechanism (in mobile POS payments). Their token moves are focused on protecting WHO CAN ADD VALUE TO CARDS ..  Make no mistake, token efforts are focused on protecting CARD BRANDS and the VALUE they deliver, with safety/security a distant second. Supporting Data:

  • Credit only in ISIS
  • No EMV
  • Bank investment in Data/CLOs
  • Bank investment in Tokens
  • Lack of investment/strategy in Debit
  • …etc

These credit focused banks know they can’t move as fast as Google, Square, PayPal.. hence they must stop them from adding value to cards. THIS IS THE PURPOSE OF TOKENS TODAY. Banks are seeking to create a new DATA Network that bypasses Visa/MA to deliver this value… Tokens are just part of it.

We all know this to be the case.. Bank preference for CREDIT the elephant in the room.. it’s the reason ISIS switched from Discover/Barclay card.. it’s the driver behind tokenization by an entity (TCH) that has never touched a credit card in their life. Along these lines, Jim McCarty did a great job of articulating Visa’s Value: [it’s not just about transactions, but a BUSINESS MODEL to drive revenue among network participants].  Credit drives MUCH MORE value to Banks:$0.03-0.12 /tran vs 2%+ of the SALE!

I told the bank head of the TCH initiative  “start with debit and everyone will jump on board … DEBIT FIRST is the only thing you can do to rebuild trust with retailers.. and you can do it without support of V/MA”  his answer  “what if we do both”?

My message to merchants, wallets, acquirers, mobile operators, … do nothing on tokens unless debit IS FIRST. It is how consumers pay at the POS today..  Banks are NOT doing the heavy lifting on mobile payments.. they are NOT the center of Commerce but a supporting actor.  We will never move this ball forward unless we create value to consumer and merchant.. we CANNOT operate in a model where only banks benefit and control the rules.

My view of MCX’s objective is clear and simple.. enable retailers to deliver value in a debit like model. Banks are not making investment here.. so we must find a way around them.

V/MA/AMEX Tokens

They have ALL the Carrots and ALL the control of existing rules on existing cards.. I see no way around their leadership.  The banks are very upset …

The network opportunity is to involve all commerce parties in rules construction.. a retailer said it best “Visa and Mastercard DO things to me.. they never talk to me.. they direct me.. the never listen.. they mandate… “  (see Network Tokens). Also see my blog outlining the different token strategies.

Not on my Rails

We now see network resistance “Not on my rails”. Why on earth would Visa or MA want to let a Token ride on their rails? Perhaps the best example of “Rail” ownership is First Data’s refusal to support routing and processing of any Paypal/Discover BINs

In last year’s post “Don’t wrap me“, I described how issuers were responding to having their cards “wrapped” by Digital wallets and new Plastic aggregators (Serve and Paypal). Examples:

railroad_tracks414

  1. Paypal’s plastic. MA established a Staged Digital Wallet fee of 35bps, when its card brand was not used at the POS, but was the funding instrument for the transaction.  Amex and Visa also pushed back, although I don’t have details on rule changes here, they made clear that they wanted their brand at the POS.
  2. Serve. Hit by similar issues above,
  3. Google Wallet/Plastic. Visa reportedly issued a cease and desist to Google at the behest of Chase (See NFC Times)

All of these wallets (Virtual, NFC, Cloud, …) led issuers to wonder “what card is top of wallet”?.. and how does a customer select my plastic. Issuers have been (to date) the drivers of rule changes and resistance. They seem much more concerned about one physical plastic card wrapping them (ie Serve and Paypal) than a virtual wallet, but they are also very concerned about data (see blog). Letting a new intermediary see transaction data (and add offers/services on top of them). In other words “DON’T WRAP ME” (see blog Paypal at POS).

Issuers subsequently got together and developed the concept of tokens (see Business Implications of Tokens). The summary: IF issuers had the opportunity to give the customer an account number in a digital wallet. Why would it be a Mastercard, or a visa card number? They are thus working on a system for distributing 16 digit tokens which they own and control (see Secure Cloud PR from TCH).

We now see network resistance “Not on my rails”. Why on earth would Visa or MA want to let a Token ride on their rails? Perhaps the best example of “Rail” ownership is First Data’s refusal to support routing and processing of any Paypal/Discover BINs.  This means that every new “Home Depot” or “Jamba Juice” Paypal signs up must be serviced by a supporting processor (like Vantive).  Making your merchants switch processors in order to accept a more expensive payment instrument (240bps compared to debit pricing of $0.07-0.12) would seem to be a difficult sale. Quite frankly I didn’t see the weakness of Discover’s 3 party network until now.. it only acquires directly for top 100.. and is dependent on many other acquirers. Amex does not have this problem… paypal home depot

My guess is that Visa and MA will also throw up walls soon, but not sense in doing it now.. let the banks work feverishly to build a token machine.. only to find out that the tokens don’t fit in any “slots”.  The only bank globally to have worked all this out is JPMC with its new Visa deal, which bifurcates VisaNet to a new Chase version. Of course the other issuers will eventually ask for same… but these are 5 yr cycles.. All of this means V and MA will continue to rule the mainstream, and that any new competitor must have network control, issuer control and merchant control.

End Game

These rule and ownership battles make my head spin. Investing in this space is not for the faint of heart.  Perhaps the best way to really “change” payments is to first ride existing rails and establish a fantastic consumer/merchant value proposition .. THEN move that solution to a different network… or better yet enable a switch where payments are cleared on a least cost routing basis (like switching IP traffic).

Hopefully the Venture Community is aware of these pitched control battles: Network, wrapping, secure element, trust, card present, tokenization, … But information certainly does not flow well here. Just this week I learned of a start up about to launch a new P2P service built around Visa Money Transfer … allowing a user to “instantly” move money to another account.  Unfortunately they didn’t read my 2.5 yr old VMT Blog, or ensure it would work at ALL of the top 5 retail banks.

… I don’t have time to lay out the scenarios here.. but I like investment thesis that recognize DEBIT as equivalent to ACH…new rules may bring cost down from $0.21 to $0.07… Although PIN Debit and Signature debit both cost the same),  PIN debit is not routed through Visa/MA and operates under separate rules. For example, I love the way First Data and Cardspring are leveraging STAR for non payment data.. without any issuer participation. a VERY good model. Thus I see PIN debit as a ripe area for both for merchant led payment products, and for new bank products.

Issuers are just fuming over the fact that AMEX is completely untouched by Durbin and EU SEPA pricing.  Which is why I see Wells Fargo’s move to Amex as “possibly” strategic… is wells switching railroads? with a first “test” of affluent?.

Debit Round 2 – Rates $0.21 to ?$0.05?

There is a school of thought that “pricing debit” for consumers will help banks increase credit transaction volume (ie credit cards are “free” and have points, debit cards will have monthly fee). Merchants must therefore act to build incentives around debit card usage, or a decoubled debit like product (see blog). Target Redcard is clear leader in the US.

1 Aug

Yesterday’s WSJ Merchants Notch Win in Feud Over Debit-Card Fees

Dodd Frank requires the Fed to set Debit interchange at a rate that reflects actual cost of processing. What the Fed did in 2011 was actually set rates at almost exactly the rate of PIN Debit. (see my 2011 blog).

US Retailers have been pushing for $0.05.. The Fed’s own internal team was recommending 0.12, but the final 2011 rate was $0.21 + 5bps. My view is that Governments should never set rates in an effective, competitive market. Their track record is just awful. But unfortunately payments are not competitive, but a form of 3rd party payor… a market type which is even worse than a government price controlled one.  Big Retailers know enough to negotiate great rates (as in health care) and swallow the “accept all cards” requirement. Small merchants get completely taken (just as in Health Care).

Visa/MA impact.. none. Visa’s revenue is not so much in the network fee on PIN or signature debit, it is in the DPS hosting of debit processing. Bank impact.. absolutely. If Debit interchange lands at less than $0.12, the forces behind debit consolidation (see blog) will accelerate, not because of M&A, but because the margins in this business cannot possibly sustain 6+ participants.

The Banks had planned a uniform march to add fees to debit card, but unfortunately Brian Moynihan at BAC could not wait for his peers and jumped the gun.. only having to pull back from the tremendous public reaction.  Adding fees to debit is a certainty if rates drop. The bottom 4 deciles of mass consumer are already unprofitable. Banks are a private enterprise and should not be obligated to do anything “at cost”. We thus shift costs from merchants, onto banks, who will then shift back to consumer. But quite frankly this is where they should be.. where the consumer can see them.

There is a school of thought that “pricing debit” for consumers will help banks increase credit transaction volume (ie credit cards are “free” and have points, debit cards will have monthly fee).    Merchants must therefore act to build incentives around debit card usage, or a decoubled debit like product (see blog). Target Redcard is clear leader in the US.

My idea for getting around regulation (which all parties agree is a bad thing), is 2 fold: Require transparency (by all participants), and enable competition (through access to core deposit accounts).  Imagine if Walmart, or United Airlines were required to publish their lowest interchange rate with each issuer, for every product (credit/debit). I believe retailers would support it wholeheartedly, but the issuers would go nuts.  Per the second point (account access), the UK led the way here in Faster Payments back in 2008 (see blog).  Consumer banks would need to be absolved of fraud loss responsibility if initiated as a debit by 3rd party (Onus on ODFI), but it would also allow a Sofort type model (Push payments) to prosper.

From a pure debit perspective, Australia and Canada have made Debit a common nationalized infrastructure service, part of a Bank’s requirement to have a license. Fedwire is our equivalent in the US, although only used for wires. You don’t see much payment innovation in Australia or Canada, as the common infrastructure works so well.. that there are no pain points.  The EU is also getting there with SEPA, although the inability for EU mandates to make their way into local law and requirements is proving to be a significant drag…

For innovators the message is simple.. payments are becoming dumb pipes. Go visit Canada and Australia to see why new payments schemes do not take off… Most know my view that payment is only the last “simplest” phase of a very long and complex COMMERCE PROCESS.

Tokens: Merchant Options

Most retailers I’ve spoken with take the view “we just won Durbin and are in the midst of steering customers to debit.. why on earth would I want to support a new product type that is more expensive AND gives banks more control? AND further enhances merchant funded rewards? Will this improve my sales”?

26 June 2013

My last blogs on TCH tokens were rather controversial..  several of my bank friends will no longer take my calls.. while others are grateful that I’ve shown the light on a program they are scratching their heads on. I’m a reformed banker..  only partially cured of my myopia. Banks can choose to put me on the hit list or leverage this information to refocus their efforts toward delivering value (based upon feedback I’m getting on the other sides of the conversation). I can’t imagine trying to justify $200M cash burn on this business plan. Bank CEOs.. if you can’t understand the objective in 30 minutes it is not there.

Controversial points:

  • Banks are working to build a network that circumvents V/MA
  • Focus is replacing cards on file w/ token
  • Value proposition ill formed and poorly thought through (perhaps liability shift)
  • V/MA have their own token projects
  • V is contemplating using tokens to replace VBV, this would step on bank initiative (as is Masterpass)

This is the CEO level strategy war going on right now. So thought it would be good to give a summary to the retail/merchant audience.

Banks

FSIs aren’t big fans of Durbin, or of not having control over their payment rails and data. If you talk about V.me or Masterpass to a card head their face will turn red. They are very frustrated that they can’t innovate in a 4 party network and that Amex is 5+ years ahead of them. Thus they are looking to build a new retail network that they can control.. not that there was much research on what the market needs.. it really didn’t matter. They knew what they wanted: Control and an “interchange” that is better than Durbin.

A very, very big bank “secret” is that fewer than 20 percent of any major issuer’s Credit Card portfolio has consumer cards that are transaction “thick” (more than 5 per month). Most credit cards are thus used for MAJOR purchases only. Banks want to increase credit card usage, lock customers into rich merchant funded reward schemes, AND increase the revenue of debit (when used). None of these objectives aligns to merchant needs.

How are the banks going to achieve their change? They have gotten together to create a new system. Of course anytime a group of competitors get together there are potential antitrust issues, hence they chose an existing entity in which to congregate. They also selected real issues like security, integrity, fraud, interbank clearing to focus their plans, and avoid regulatory scrutiny.  These issues are bank issues, as well as the pricing/control issues above. Given these design constraints you can imagine what they developed..  a bank friendly solution that has no market context.

A core requirement for any token pilot is that it is transparent to consumer. The perfect model for token issuance is OTA card provisioning in the NFC world.  From an economic perspective, Banks want to focus tokens at the POS as this is where the transaction volume is.. but NFC has not taken off, and there is no way for them to get POS adoption in light of MCX and general merchant resistance (although they continue to try). Thus token pilots are likely to be eCommerce focused (the have no choice.. ) and this puts them squarely in conflict with a very, very capable field of competitors with established solutions.

Network War

Per my blog Clusters Form, there are some VERY VERY high stakes battles being fought in the C suite.  For example, Visa is clearly positioned to deliver eCommerce tokens (as a replacement for VBV). In this model Visa would simply redefine VBV which already has bank “acceptance”, and would subsequently reduce CNP interchange and shift liability to issuer. If they did this, it would step on the TCH token project completely. Thus the large issers are threatening mutiny (with exception of BAC?). My guess is that Visa explicitly agreed NOT to do this with JPM in context of their new agreement (analysts/institutional investors please ask question).  With issuers threatening Visa mutiny… MA is not likely to be first to market on a similar solution w/ MasterPass.Network Clusters

What options does Visa/MA have to their own token project? Once one of them redefines tokens the other will follow.. if they don’t then COFs will not be theirs any longer.. they will have lost their acceptance brand. My guess is that the banks will give up on trying to do this themselves and will attempt to accomplish within the scope of V or MA’s rules.. But this defeats their primary control objective.

TCH Tokens – Value Proposition

As I stated last week in TCH Tokens: Any Volunteers, there are few merchants  or wallet providers jumping at the chance to participate in this pilot (POS or eCommerce). They want desperately to start a POS pilot, and may be forced to partner with a QR code solution provider with little to no merchant penetration. Why the merchant resistance?

Banks are not looking to solve a merchant problem, but rather their own.  How on earth can a merchant agree to participate in a pilot where rules are not defined, banks have more control, and the cost is higher than debit. The value proposition currently goes like this:

  • Give me your PANs and Cards on File.. and I will give you a token. (see Battle of the Cloud Part 4 and Business Implications of Tokens)
  • I may be able to take liability (not firmed up)
  • Since its really hard for us to do anything new at the POS, we will probably start with mCommerce and eCommerce and we will greatly improve your conversion rate by “auto filling” our customer’s name and address with the token. Since you have that already (given you had the card in the first place), perhaps we won’t really do anything new.. but hey we think we can.
  • You will have to change your processor to CMS or Elevon to process them
  • You will also have to retrain your fraud/customer support to handle all the special rules, and your customers will have no idea that they had a token to begin with
  • We want to price this higher than debit, but will give you a break on any debit cards.. but we won’t tell you which one is which.. because the customer may decide to switch (so we can lock them into rewards)
  • We will be able to give you a great new rewards/service using your data in the future. Not quite there yet.. but understand we will be the gateway between you and your customer forever…. So we want to justify the increased fees we plan to charge you once you have a number that only we understand.
  • We really love “partnerships” where we can control data.. so if you can please also give us any other data you have we may be able to use it as well.
  • Rules/Chargebacks.. hmmm.. haven’t gotten there yet. But we want to.. can’t we wait?

Ok, I’m rather harsh here.. partly for humor, but also to show how far they have to go for anyone to take this. As I mentioned in V.me – Issuers Please Give me your Customers, there is enormous concentration in eCommerce: Cybersource, Amazon, eBay/PP/GSI and Walmart.com account for over 60%+ of eCommerce retail purchases. Would anyone use a wallet that they only used 1-2 times PER YEAR?

Think about how you buy today.. Amazon, Walmart.com, Staples, Apple itunes, Google Marketplace. How many other sites do you buy from?  Where else do you key in your name address, card number? Airlines and hotels lead the list for me. Am I going to put all of my cards in V.me, Masterpass, or something else to help me (consumer)?

Let’s look at competing initiatives, do the banks really believe they can improve sales/conversions against these?

  • #1 eCommerce Amazon – One Click, #2 eCommerce PayPal, #3 eCommerce Google Chrome (and now with Instant Buy on phone as well)
  • #1 mCommerce Experience Apple iTunes, #2 Payfone – Leverages my phone/device to autofill everything, and phone/device/location information to manage fraud
  • V.me – Autofills everything for eCom/mCom… can load any card
  • Apple (Future)? See blog
  • Existing services from CYBS/GSI

Acquisition

Assuming tokens are issued without customer action, Tokens still face a fundamental problem of acceptance. eCommerce acceptance is just as difficult as physical commerce acceptance (given the concentration of both), eCommerce/mCommerce just solves the problem of keeping tokens consumers transparency. Having a 16 digit number resolves most of the technical hurdles, however merchants must know (and agree to) the rules that surround accepting something that is not within their current processor agreement. What is the cost, who bears loss on fraud, return policy, refunds, rebates, compliance, support, …etc.   Taking a new product with new rules is not something done in the dark of night. The idea of a bank POS token pilot based upon QR code is completely laughable.. as this is yet another “token”.. and it now requires the consumer to do “something”. Once I require consumer participation, I now compete (conceptually) with NFC, Starbucks, Level up, Apple passbook and thousands of other apps.

Most retailers I’ve spoken with take the view “we just won Durbin and are in the midst of steering customers to debit.. why on earth would I want to support a new product type that is more expensive AND gives banks more control? AND further enhances merchant funded rewards? Will this improve my sales”?

Message to Merchants:

Tell them what your real problems are.. and see what they do to propose to help.   Tell them you do want to create better customer experiences both online and off line.. but when customers walk in your door they are not “Bank customers” … but yours.  200 years ago merchant banks were focused on helping merchants grow through industry insight and access to capital. How has your bank helped you grow lately?

Message to Banks

Listen, focus, find a real problem to solve for your merchant customers and consumers. Why do most product searches start on Amazon? What community have you enabled? What services do you perform for that 2% of transactions

Message to Acquirers

You have the merchant relationship and are best positioned for new data services.. you just need a consumer facing partner (Apple, Google, Amazon, …). I see great new things in your future.. particularly if you can deliver Least Cost Routing to Merchants. Perhaps the token platform should start with YOU.

Food for thought…

If you were going to redesign payments.. as an engineer… how should it work? Your money is with one institution that can communicate to any company.

Option 1

  1. Bank issues token to consumer
  2. Consumer Presents token to a merchant
  3. Merchant passes token to 3rd party that can route token to payment network
  4. Payment network routes token to bank
  5. Bank authorizes transaction
  6. Payment network sends authorization to merchant service provider
  7. Merchant receives authorization

Option 2 (Sofort, push payments, Debit Consolidation)

  1. Consumer instructs bank to send funds to merchant
  2. Merchant confirms funds are received

Tokens: Any Volunteers?

19 June 2013

I’ll be leading a panel on Tokens at Money 2020 so thought I would spend a little prep time this week.

V, MA, TCH token initiatives all share one very big problem: no volunteers. Visa is the furthest along organizationally.. they tried tokens before (2010 Token best practices), technically there was nothing wrong with Visa’s previous efforts. The primary problem was that network participants (POS, Card Reader, Gateway, Processor, Acquirer, .. ) were ill suited to transmit anything but a 16 digit PAN.  Now that we have 16 digit tokens (likely based upon ISO/IEC 7812 BIN ranges owned by individual banks), the network CAN forward them for resolution..  these tokens are not Visa, MA, or ACH numbers.. they are an identifying “key” to information (other cards).. which only the holder can determine. This is the heart of what I referred to in Directory Battle Part 1.

If you were a merchant and a vendor came to you with this proposition “give me all of your customer information, I will lock it up.. and give you one of my keys for you to access it”… would you do it? There are some possible business cases around fraud/data leakage liability…. but customer information is somewhat important to most businesses. Token value propositions are not much different.. give me all your stored cards and I’ll give you a token.  At least Visa and Mastercard have rules around PAN.. but what are the business rules around tokens? Think of the Amazon world where I select from a list of stored cards… does the customer have to consent to exchange of PAN for token? In instances where I have multiple bank accounts/cards. Will there be a token for each bank? for each card?  (Networks are prohibiting “non compliant” schemes today). How does customer select instrument (debit/credit) if multiple products are behind token.

I believe that if the consumer has given a merchant payment information, it is an asset that they should only part with if there is a significant value exchange (data, rates, …).  The idea that a merchant would willingly part with card data is just plain silly.. and hence the lack of pilot participants.

The only way I see this working is if banks “push” tokens into every wallet/retailer. Automatically enrolling them into Google, Amazon, V.me, Apple, PAYPAL, … In this model consumers are permission banks to assist with “fast checkout”. In the NFC world this is akin to “provisioning” a card.

We are very far away from seeing tokens at the POS “work” in any business sense, as there are no clear business drivers (beyond giving banks greater control of payments). Banks are not solving a consumer problem, nor are they solving a merchant problem. It is a strategy to maintain control (rules, rates, liability, speed, clearing, network, …). There is also friction within competing networks as MasterCard and Visa do not want to be wrapped by a TCH token, nor vise-versa… As stated previously, in the eCommerce world V/MA could see substantial success if they replace VBV/MSC with this token approach, shift liability to banks and give discount CNP rates. Banks would have great trouble replicating this eCommerce approach because they are in a very poor position to influence eCommerce gateway/processors.

From my view the future of any Token must be driven by customer first. This is where the best opportunities exist for MNOs, and the Banks (physical distribution). I call this federated identity management. Enabling a way for your real world ID to be associated with your virtual accounts and IDs (see my blog on Apple – http://tomnoyes.wordpress.com/2013/04/03/apple-and-nfc-part-2/).  Currently Apple, Google, Amazon and Square are leaders here… although there is a$5B opportunity for MNOs if they could put a team together with some focus.

My updated view on TCH token framework – Usage (“Wallet” transaction for JPM Visa Credit Example)

  1. Consumer presents Token (virtually or physically) held by consumer (or 3rd party)
  2. 16 digit “token” treated same as card (although not a V or MA PAN)
  3. Processor routes token to Bank Token Authority (TCH) in an ISO 8583 transaction
  4. TCH can resolve token directly (switch to network), or forward to participating bank for resolution (switch to network)
  5. JPM resolves token to Visa Credit, if on Merchant is CMS customer.. then on-us (No Visa Interchange). If non CMS, route through Visa.
  6. Authorization sent to Acquiring bank/Processor
  7. Authorization sent to both merchant payment terminal and to 3rd party wallet provider (?). Pilot prospects.. negotiate this one HARD
  8. POS settlement

Payments – Wrapping, Rules, Acquiring and Tokens

if Google had challenges pulling off POS innovation (after ~$1B in investment), rest assured you will too. Banks are well positioned to throw sand in your gears … focus on delivering value within merchant –consumer relationship.

18 June 2013 (sorry for typos)

Thought it was time for blog this week. Primary objective is to inform the venture community of changes which may impact payment related start ups. Sorry that the title isn’t a little more polished (you can tell I’m rather left brained). The exec summary of this blog: don’t ever bet your business on someone else’s rules… particularly if they themselves don’t own them.

Background

All Networks are working on unique token schemes (as I outlined in: Payment Tokenization, “New” ACH System, Visa’s Token Plans and Business Impact of Tokenization). The business drivers here are: #1 Control, #2 Mobile Payments. The US Banks have gotten together in The Clearing House (TCH Tokens) and are in the midst of piloting with 2 providers. In this TCH token initiative, the banks have logically determined that if a customer doesn’t need to see their Primary Account Number (PAN), then they will provide a number which they can uniquely resolve. For example, in mobile payments Citi could put in a unique Citi 16 digit number that is not a MasterCard, not a Visa card, not an ACH account number.. its just a Citi “token”.  Citi can decide how to resolve this number adaptively.. based upon what the customer wants, or what products they have with them.  There are MANY benefits to this approach:

  • Banks control account
  • Banks control DATA (transactional and account information)
  • Banks own network rules
  • No fees to other networks
  • Set unique (NON DURBIN) pricing for a NEW payment product.
  • No restrictions on “Routing”
  • Enables banks to “switch” providers of any payment service or network clearing
  • more detail here…etc

This is a BRILLIANT move by banks. I believe that this central bank “facility” within The Clearing House will be their centerpiece for consolidating all of Debit, in addition to the mobile play.

TCH Tokens are not the only game. Visa, Mastercard and Amex (through Serve) are also in this token game, and others like Payfone (through phone number as token at VZ/ATT), Google (through TXVIA) are also on the periphery. My view is that the BEST tokens are ones you don’t have to issue (ie Square/Voice, Apple/Biometric, Google/Facial Geometry, Payfone/Phone #…).  I outlined dynamics of the strategies in my blog last year “Directory Battle Part 1 – Battle of the Cloud”.  Its amazing that this topic is not covered more broadly in the mainstream… of course most of these efforts above are not discussed at all, and sometimes denied.

Of all the token initiatives, I believe Visa is most likely to succeed. This is not a typo… I’ve been very negative on Visa in the past.. as they have alienated everyone. But Charlie has started to change the culture, he has pulled the JPM relationship out of the toilet and has made a tremendous hire with Ryan. Why do I like Visa’s token prospects? They failed in their first initiative (non 16 digit PAN required big changes by everyone), and learned their lessons. However, most importantly, they can change the rates through rules on CNP and risk “ownership” creating a “new” version of VBV, with the best payment brand.

Wrapping

Currently the networks are at war with anyone attempting to wrap their product and add incremental value. As I outlined in Don’t Wrap Me, and Battle of the Cloud Part 3

The threat to banks from “plastic aggregation” at POS from solutions like Amex/Serve, PayPal/Discover, Square/Visa, MCX, Google is real. Make no mistake, Banks have legitimate concerns surrounding ability support consumers and adjust their risk models. But the real business driver here is to “influence” mobile payment solutions that do not align to their business objectives. Key areas for bank concerns:

  • #1 CUSTOMER DATA
  • Top of wallet card (how does card become default payment instrument)
  • Credit card ability to deliver other services (like offers, alerts, …)
  • Ability for issuer to strike unique pricing agreements w/ key merchants
  • Brand
  •  …etc

Visa, MA, Amex, DFS are in a great position to “stop” wrapping. What does this mean? They have initiated new rules, fees, cease and desists, threats of litigation …etc. Banks are thus looking to circumvent these restrictions by placing their “token” with the customer. This token is thus a new quasi acceptance “brand”.

Acceptance is therefore the new battle arena (who can convince merchants to accept their tokens, rules, rates, …). eCommerce may have slipped away from the banks and networks (PayPal), but they are determined not to let this happen in mCommerce, or at the POS.  JPM has structured its new agreement with Visa  to give them the flexibility on rules in acquiring and network routing for a new acceptance brand (Chase Merchant Services – CMS).

Retailers

Retailers are not the dumb mutts that banks assume. The MCX consortium realizes that greater bank control does NOT benefit them unless the Visa ratesservice is ubiquitous and standard so that banks can compete against each other, with no switching costs. Analogy here is internet traffic routing…They just want the payment cleared, with transparency/control in price, speed, risk.  Retailers also want the death of bank card rewards schemes, and if they can’t kill them instantly, want the ability to deny “preferred” cards. I told a major retailer yesterday that they should offer an “X Prize” to anyone that can make sense of Visa’s rate structure in a youtube video.

Many Retailer’s also have a “token” in form of a loyalty card.. with Target’s Redcard, and Starbucks demonstrating the model in which a retailer led payment scheme could work. For retailers, their loyalty program is fundamentally about selling data, and trade spend.

As a side note, the “big” secret in acquisition is that most (~60%) of profits come from the bottom third of retailers.. specifically the small independents that don’t know enough to negotiate (hence the ISO business). Companies like Walmart negotiate heavily with the top issuers to reduce rates from “standard”.. and still end up paying over $1B a year.Square fees

I see a substantial opportunity for acquirers to participate in what I would discussed within Payment Enabled CRM. This would change their profitability from one driven by small merchants to data/analytics. This is undoubtedly what JPM sees within CMS. Retailers know that they can’t further empower the big bank with their data, but rather need an independent party to run the CRM platform for them.

Summary

I’ve already spent a little more time than I was anticipating here. For start ups my message is quite simple, if Google had challenges pulling off POS innovation (after ~$1B in investment), rest assured you will too. Banks are well positioned to throw sand in your gears … focus on delivering value within merchant –consumer relationship. The Mobile-retail interaction is greenfield, and there are 1000s of different flavors.. no one company will be the centerpiece here. Avoid POS payments.. or be the “arms provider” to the big institutions as they duke it out. My view is that the key for MNOs, Apple, Amazon, Google and Samsung’s future value is

#1 Authentication (Linking the Physical and Virtual World)

#2 Orchestration (Coordinating Virtual and Physical World Processes, Data and Value Chain)