iPhone 6 – Payment Predictions

30 April 2014

I’m on a roll, so thought I would put this out there as a positive prediction (vs describing how Apple is Throwing GSMA’s NFC under the Bus). My views are as much informed from the “negative” as the positive. For example, my starting hypothesis is Apple will enable a POS payment capability in iPhone 6. It was the reason for the timing of the Oct 2013 “token” announcement from the big 3 payment networks. As most of us asked “where on earth did this come from”…. It came from Apple (or the network response to Apple’s initial plan).

My problem in figuring out what is going on (if anything) is that Banks have no idea what Apple is planning. Current guess below revolves around assumption that the 3 payment networks do understand the plan. Thus the question becomes “what can Apple do in payments that starts with the payment networks, but does not involve the banks”? Constraints? It must involve: tokens, Apple’s security architecture, 600M cards on file, existing card presentment infrastructure, existing rules, recent lessons learned, and be able to expand to iBeacons.

My predictions

  • Apple will have a certified EMV contactless capability from V, MA and Amex in the iPhone 6.
  • Apple’s contactless is a proprietary architecture, based upon both tokens, and 3 card emulation applications (4 perhaps with Paypal)
  • Each Network will act as a Token Service Provider (TSP), with one token in each card emulation application. The TSP specs give this away, per the Spec, the TSP must be approved by issuer and have ability to translate token to Card. Apple may want to be the TSP… but Banks will say no. This solves a BIG problem with card provisioning, with V/MA/Amex already having the “proxy” card/token provisioned in the iPhone, and each bank working with respective network to turn on their card.  This is the Google model, with the networks running the TSP as opposed to Google/TXVIA.
  • Apple will not work in iBeacon model at launch, but rather EMV Contactless. You notice I’m not saying NFC.. from a merchants perspective this will look like NFC, and use the NFC protocol, but certainly not from a GSMA NFC perspective. There are no other vendors in this solution beyond Apple and their hardware suppliers (?Broadcom?)
  • Cards will be “provisioned” into the wallet through complex process involving Issuing banks, TSPs, and Apple. Apple’s inventory of Cards on file will be registered with the TSPs, and Bank issuers will approve based upon Token Assurance information, MNO information, card usage information … (yesterday’s blog).
  • Fingerprint will be key process which unlocks card/wallet and enables EMV Contactless interaction. Customer experience? EMV Contactless, consumer unlocks phone with fingerprint and authorizes purchase on Payment Terminal. iBeacon? Same thing only works on all iPhones via BLE (no proximity/NFC)
  • How will Apple make money on this? They won’t… nada. Although there COULD be a way forward given that the product presented to merchant is in control of Networks AND the Issuers are in control of their cards.. a potential… but given lack of issuer participation, I have no idea of how they would pull this off. I do believe that there are groups in Apple that want to make money on a card present transaction, but join the club.. there is no economic model in any network agreement for a wallet provider.
  • I want to emphasize again.. this is just the easy payment part. I strongly believe that looking at payments in isolation is the wrong way to view this (see Blog).

I like this.. IF consumers can choose which payment products to store in phone (debit card). I think the Bank Issuers will flip out when they hear that V/MA have locked themselves into the TSP role.. talk about a reversal from TCH. Issuers could make the case that the networks own the fraud loss since it is a network proxy card wrapping the issuers card…. can’t wait for that one to happen.

I’m 90% confident in the above… lets see if I can keep my perfect track record on Apple, Google, Tokens and NFC.

 

Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”

28 April 2014

I must get 10 calls a week on Apple/NFC.  I’m quite concerned that Apple’s new capability will be completely misunderstood by the press, so I thought I would preempt all the NFC zealots out there with my own tag line.. So far I have a 100% success rate in predicting Apple and NFC (blog). Don’t know if I can keep it up as I read the tea leaves. Let me start with facts, then give you my informed opinion.

Facts

  • There are 2 aspects to NFC: 1) the communication protocol as defined by the NFC Forum (this stays as is), #2) The GSMA’s construct and standards for how NFC can be deployed in a handset (things like TSM, SE, SWP, …). See http://en.wikipedia.org/wiki/Near_field_communication
  • Neither Google, Apple, Merchants nor Bank Issuers are in favor of the GSMA’s NFC platform. This is a fact in my mind… particularly in the US.
  • Host card emulation has created a way for all Android 4.4 and above phones, with an NFC compliant radio, to provide application access to the NFC radio. Phones cannot be certified for 4.4 unless they demonstrate support for HCE. See blog HCE – Now the Preferred Contactless Approach
  • The new card present scheme “Tokenization” was announced Oct 2013 at Money 2020, with the specification out last month (see EMVCO details). See my blog Payment Tokenization.
  • HCE and tokenization play together well. Tokens must be coupled with something else (Device ID, Biometrics, PIN, …). For those that have been MIS informed by Gemalto… there is NO NETWORK connectivity requirement for HCE/Tokens. A token representing a card is in software on the phone. It can be stolen.. but it is a worthless piece of information without the other identity/device information. HCE gets around the EMVCo Contactless encryption requirements.. and operates under the TOKEN specification. But there is much grey area here.. as “acceptance” of token is not clearly defined (including pricing). Thus the only “covered” presentment method from a phone to a POS is through a card emulation application. Token acceptance will be coming later, but “assurance levels” are making this a crazy space (tomorrow’s blog).
  • Update – I see that the smart card alliance has already responded to my blog here. The need for a trusted execution environment.. blah blah blah. Did you know that in an EMV contactless transaction that the PAN is sent in the clear? Yep… the need for the TEE is around signing a cryptogram (to verify where the card came from). Obviously I would much rather hide the PAN in a token, and enhance with phone information than give the PAN in the clear and sign something. There is no need for a TEE in payments, just as I access my bank through my browser on my PC without a TEE.. I can also do so with a phone. arghhh…
  • Tokens align well to banks and payment network dynamics and investment. US Banks had been working on a tokenization initiative for the last 3-4 years in the Clearing House (blog).
  • In both HCE and Tokenization scheme, the ISSUER IS IN COMPLETE CONTROL of their card. Issuers generate the token, and authorize the transaction.  US issuers have their own token infrastructure in place from the TCH initiative (above). I wish I could emphasize this more. With HCE, issuers control which application(s) can present a card..  just as they did with within the TSM provisioning model.
  • There are HCE pilots that are live and functional. So much for not being “viable”. The issues are not around technology, but rather validating fraud controls and device ID. Issuers can be up and running with either Mastercard or SimplyTapp in weeks.
  • Perfect authentication and security is a nightmare to Banks.. Banks make money on ability to manage risk. There is no risk in a world of perfect authentication. Or as Ross Anderson says “if you solve for authentication in payments… everything else is just accounting”. See Blog – Perfect Authentication is a Nightmare for Banks.
  • MNO led payment schemes (the GSMA’s platform) are failing in OECD 20 (mature markets, but are leading the way in Emerging Markets). I have seen the transaction numbers… Reasons are multifaceted (see blog for reasons).  The technology works.. it is beautiful.. problem is business/consumer value proposition and consumer behavior.
  • Historically, new POS payment instruments and POS payment behaviors are established through frequency of use. There are 3 categories: Grocery, Gas, Transit. Transit is the global success story (Docomo, Suica, Octopus, …)
  • 4 Party Networks have a limited ability to change rules, Issuers dominate in influence. Amex is 3-5 years ahead of every US issuer in terms of capability, strategy and execution.

 

Opinion

  • Apple’s biggest asset is their ability to change consumer behavior (blog).
  • Apple’s iPhone 6 will be coming out in October (my best guess) with payment capability. It will have the capability to communicate in the NFC protocol.. but nothing about the new iPhone will be compliant with the GSMA’s architecture
  • Apple’s new capability is NOT ABOUT PAYMENT, but about Commerce (see blog) as they act as a CONSUMER CHAMPION (see blog).
  • Tokens play very, very well into an iBeacon model. Given that tokens are worthless “keys” that refer to a card.. these keys can be exchanged in the open with BLE. There is no need for near field if the information is worthless.
  • -Update- From my perspective I would not refer to Apple’s efforts as HCE. Where Google’s HCE repurposed an existing chipset to create a new software model, Apple has designed a new hardware model. Apple will be using bank issued tokens. Banks will look at using these delivered tokens in combination with: 1) Apple derived authentication score, or 2) MNO device ID from Payfone, 3) Bank mobile application information, 4) combination of above.
  • Authentication is key to Apple’s role in consumer trust and commerce. Per my blog Authentication in Value Nets, Apple is 3 years ahead of Google and everyone else in integrating software and hardware level security (ex Secure Enclave). Google has a path for a secure execution environment through Arm’s Trustzone, but this is more challenging as Google does not mandate hardware architecture (yet).
  • Apple’s new POS payment method will involve fingerprint on phone, and token presentment to retailer. It can be transmitted via NFC, BLE, QR Code.. or whatever the merchant and consumer can agree on.
  • How does Apple make money on this? I don’t think they will make money on payment, but rather on #1 Authentication (charging the card issuers for an authentication score), or #2 Marketing (charging merchants for consumer insight/ability to reach consumer).
  • Gemalto continues to cast stones, and miss revenue targets. Mobile Communications revenue of €225mn (-5.7% YoY growth, -1.0% constant currency) came in below consensus of €245mn (2.7% YoY). This is the second consecutive disappointing quarter for Mobile Communications, with revenue down 4% YoY in 4Q13. Why would any MNO invest in a secure vault on an Android handset when any application can go around it? That’s right.. there is no lock on the capability. This tremendously impacts the willingness of MNOs to “invest” in incremental features.. when their “investment” can be used without their permission.
  • What will REALLY impact Gemalto is a VIRTUALIZED SIM. Don’t think this is coming in iPhone 6.. but it is coming (see Virtualized SIM).
  • The next 2 years will see mobile payments as a “1000 flowers blooming”. Top card issuers will extend their mobile banking applications to enable card emulation (BLE, NFC, QR, … whatever).
  • Payment Networks will be working to expand the 16 digit PAN to something much larger to support dynamic tokens. They will be working to transition Cards on File to tokens.. with perhaps a card present value proposition.
  • MNOs will realize that they have a unique ability to create a device ID that competes with Apple’s biometrics. Payfone is the leader in the US, Weve in the UK. Beyond this, they may also begin to realize the $5B KYC opportunity I outlined 5 years ago.

Authentication – In “Value” Nets

March 3, 2014

Today’s blog brings together: the Role of Authentication in Value Orchestration, Apple’s Role in Commerce, Constructs for Compensating Authentication Agents, and Ability of Payment Networks to Adapt. The ability of other parties to assume risk in payment is the key shortcoming of all of our existing payment systems (see last week’s Blog). The recent activities around tokens can best be explained through this Risk Lens.

My use case for today: Assume Apple has the best biometrics system on the planet, and Consumers trust Apple with all their credentials. How can non-Apple Service Providers use Apple’s Authentication service (pay them)? As I outlined in Who do you Trust (Sept 2013)

The “KEY” [prerequisite] in value orchestration is owning the Consumer relationship. Therefore Identifying and Authenticating the Consumer is the first, primary, service that must be owned by a platform.  What was a separate “Trusted Services Manager” in the NFC world has been co-opted by platforms which will take a proprietary route.

This goes hand in hand with my other favorite payment quote from Ross Anderson with respect to payments:

If you solve for Authentication.. Everything else is just accounting

The Role of Payments in Commerce

As I’ve stated before payment is just the last (easiest) phase of a long commerce process that involves design, manufacturing, marketing, advertising, retail, payment, …etc. (see Payment enabled CRM). Payment is the key PROCESS by which these parties measure the effectiveness of their activities (think attribution). To measure effectiveness (and value) participants tie their activity to Consumer and: items, activities, processes, and behaviors. Answering questions like “did the consumer see our ad on facebook?”, “did our campaign influence the consumer’s buying behavior”?

Before we can assess the value of Apple’s Authentication we need to identify the processes and participants that can use the service. My bias is that the greater value to be unlocked is around the attribution than payment (as a side note Apple has constructed a new platform to manage an Advertising Identifier around this “identity arbitrage”). My personal bets are around the hypothesis (outlined in Apple and Commerce): that Apple’s biggest asset is their ability to change consumer behavior, and are working to make the iPhone the centerpiece of physical commerce (not payment). However, since I have no interest in writing a novel on the subject, I’ll give my highly condensed views on authentication in today’s payment instruments.

Value of Authentication in Payments

What is value of authentication in payments? To whom does the value accrue? We should not assume payment methods will change in anything shorter than a 20 yr horizon (analysis of value in existing payment networks). The value flow in a 4 party payment network is fairly simple: Merchant pays with the Issuer receiving 80% of the revenue. Any payment for Authentication must therefore come as “cost” to the issuing bank. There are 5 models for extracting authentication fees from Banks:

  • Bank chooses to pay (or exchange something of value … like data)
  • Network forces payment
  • Authentication provider forces payment
  • Consumers force payment, or Choose to pay themselves
  • Regulators force payment

(Figure: GAO payment flow)

Optimally a service cost would be based upon value (if the value declines … the cost should decline). Of course nothing in payments works this logically. Issuers like to have all the control, so that they can retain all the margin. In fact, Top Issuers would be fine keeping mag stripe with no authentication (see Perfect Auth… a Nightmare to Banks). Perfect authentication would eliminate all risks not credit related (ex ability to pay). It would therefore be very hard for Banks to justify any payment fees (interchange) beyond the cost of operation. Banks make their money on the ability to manage risk (not eliminating it). Mobile Authentication (biometrics) provides a mechanism to reduce risk outside of the bank’s services.

Startups.. this is the challenge in selling banks improved risk management or identity solutions that are not in their control. It is also why Banks want their services manifested through applications they control (not others). However, Banks must live in a world where their payment product does live outside of their environment (not that they like it, but Amazon does have a little potential to sell :-)).

A recent example of external network driven services: Verified by Visa (VBV) and Mastercard Secure Code (MSC). VBV/MSC rolled out in 2003 (Europe) and shifted eCommerce CNP risk to Banks. It was a complete and utter failure, not just from a tech view but also from a customer experience and business model. Merchants were incented to put the technology in place (10bps and fraud shift to Banks). VBV/MSC failed to catch the fraud… who was motivated to fix the flaws? Not the merchants.. they had given the fraud loss to the Banks and received a discount. It was rather the Banks, which were left with declines as their only tool (as I outlined in Perfect Authentication – A Nightmare for Banks). In other words, Banks had no way to pay the merchant to do a great job at managing risk in VBV/MSC, but only penalize a merchant for poor performance (through declines). This is why we don’t see VBV or MSC running in Amazon, Apple, Paypal, … etc.. Merchants fear declines much more than they do managing the fraud.

But how do Banks pay external parties (ex Experian, EWS, …) for assisting in the risk management of payments? Usually a per transaction fee of $2-$5 in account opening, and then 10bps for transaction risk scoring (think check verification, although not all transactions need to be scored). The Networks themselves offer services for authentication and account management.

Authentication Fee Structures

Issuer Controlled

  • Interchange Rate Reduction ~15-30 bps based upon performance
  • Fraud Shift (for CNP + Auth in eCommerce)
  • Data Sharing (quid pro quo)

Network Controlled

  • New Category – Mobile Card Present with Authentication (30bps below current)
  • Network Enhancement Fee – Charged to Issuer (for Token and for Auth)

Platform Controlled

  • Authentication Fee (Nothing gets passed to Issuer unless they choose to use service)
  • Network support of new field(s) for Authentication information

My preference (for Authentication) would be for last item in the list, where Apple and Google assess an authentication fee to Banks which choose to leverage Authentication. This allows for performance based pricing. If the service is not providing benefit to the Banks, it is stopped. Issuers which invest in using the service will receive benefits that can be passed to consumer.

Oddly enough the danger in this approach is for Visa and Mastercard. As Issuers work with Google and Apple directly, it provides them an opportunity to end-run V/MA and define their own rules for CP/CNP, as well as Tokenize their existing portfolio and gain access to data.

Mobile Auth and Payments – Today

The scenario on biometrics and tokens is happening today… Apple’s new iPhone will have both biometrics, a secure enclave, and  patented Point of Sale Interaction. Host Card Emulation has evolved so quickly because Banks were told by Apple that they would have to pay for their cards operating within Apple’s scheme. As I outlined in Token Acceleration, the Banks responded by telling V/MA “we are not going to let our Cards operate under an Apple Patent… you guys killed our TCH project and said you would own this… so are you owning it or not?” Hence we have this Press Release.

The networks are committing a fair amount of brain power here. Clearly the benefits and control of a token led scheme will flow quickly to issuers unless there is a solid process to lock up the token standards and token translation. For example, assuming V/MA certify an HCE scheme that provides for “transparent” EMV compliant Paypass transaction.

This is why NO ONE has seen the token spec… and why it is not evolving as quickly as hoped. Not only must V/MA/Amex make the Spec functional, they must also work to control the token creation, authentication and routing rules. Arrggghhh…

Big Picture Thought

What we REALLY need is a payment network where risk and data can be owned by non-banks (selectively). This was my input to the Federal Reserve, and the driver behind last week’s post Risk: Carving it up in Payments.  Real time payments is not holding up innovation, the ability to take risk and manage it is (just as it is in our economy). While I believe Ross Anderson’s view that Authentication is the key to value, the dumb pipes are all owned by non-aligned Banks.

What if American Express created a new payment network that allowed for merchants to selectively own risk for clearing? In this model, Amex could operate as charge card, Bank, prepaid card, or link to another banked account. Merchants could assume risk depending on consumer history, payment type, purchase type, reputation, … Some merchants would choose to allow the consumer to decide. Others (like Grocery and WalMart) would encourage the consumer to choose the lowest cost instrument (selective settlement risk), or even change their relationship (banking, data sharing, … ).

If the value of authentication and the value of “payment” is not in settlement and risk but in the attribution, then we must have much more flexibility and consumer participation. What will glue together these new Value Nets?

 

Apple Services

 

What is NFC? What part is Dead? A: The GSMA part

23 Feb 2014

I decided to turn this into a Wiki update.. as the prior entry is somewhat lacking. For example: Who created the TSM? Single Wire Protocol in the UICC? Who certifies a device for payment?

The New Wiki is now (with the last 2 para’s just added)

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into proximity, usually no more than a few inches.

Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.[2]

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips Semiconductors (became NXP Semiconductors since 2006) and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance[5] and if it fits the criteria for being considered a personal area network.[citation needed]

In addition to the NFC Forum, the GSMA has also worked to define a platform for the deployment of “GSMA NFC Standards” within mobile handsets. GSMA’s efforts include “Trusted Services Manager”, Single Wire Protocol, testing and certification, and “secure element”.

The GSMA’s standards surrounding the deployment of NFC protocols (governed by the NFC Forum above) on mobile handsets are not exclusive nor universally accepted. For example, Google’s deployment of Host Card Emulation on “Android KitKat 4.4” in January 2014 provides for software control of a universal radio. In this “HCE Deployment”, the NFC protocol is leveraged without the GSMA’s standards.

 

From a mobile payment perspective, NFC is

  1. Protocol. NFC Forum owns the Protocols making up the ISO specifications.  These protocols are the “universal” aspect of NFC that is NOT changing.
  2. Platform for How NFC works in a Phone
    • GSMA NFC Specifications, reference architectures, platform constructs (TSM, ..) outlining a SCHEME for how NFC manifests itself within a Handset Architecture
    • HCE
    • Apple Secure Enclave
    • ??
  3. Payment Network Standards and Certification. Exxon Mobil and Mastercard were the first contactless payment mechanisms, and Mastercard PayPass was the first Network Standard with reference implementation and certification for presentment and acceptance.

With HCE, the entire GSMA “NFC platform” is dead, but NOT the protocol (No UICC/SWP role, No TSM, Access to “controller” and Secure Element, no Handset Certification).

Comments on Wiki and blog welcome

 

 

HCE – Now the PREFERRED contactless approach

Feb 19

HCE Gains Official Support from V/MA today

So much for 2 NFC/TSM CEOs telling me that HCE was “not viable”.  I told you Feb was going to be a great month.. and this is not even the tip of the iceberg. As I look at the number of reference links below.. I realize that I’ve been talking about this stuff for far too long. For detail on what HCE is see my November Post HCE Breaks the MNO Lock.

Today’s announcement primarily impacts BANKs. Message to Banks, if you want to test HCE TODAY there are 3 options: Mastercard, SimplyTapp, or Android 4.4 DIY.  Before everyone gets too excited.. the same mobile payment hurdle remains: merchant adoption. Technically HCE looks exactly the same to a payment terminal as NFC and unfortunately it also has same (terrible) business model (everything is a Credit Card .. by Bank design). Credit cards cost 200-500bps (% of sales) vs a flat fee of $0.07-$0.21 for most debit cards.

What does this announcement mean?

  • HCE Token Presentment = Card Present Paypass/Paywave
  • No more TSM, Payment is in the OS, No more dedicated NFC chipsets, and the MNO lock is gone. (Sell Gemalto … losing MCX and NFC in the same week?)
  • Visa/MA prefer HCE to NFC hands down. It allows them to own the tokenization of cards in mobile. HCE actually ALIGNS to bank and network (V/MA) objectives: keep intelligence in network and control with issuers. The Networks ARE the TSMs. Mastercard is 3-5 years ahead of Visa here (with actual pilots). Visa is attempting to make up lost time by creating a more flexible program to support HCE within Visa Ready (Issuer Support). Note “Visa is Developing”.. vs.. call up MA and start the pilot. Visa’s token focus had been on the eCommerce side (V.me), and will have to run hard to play catch up.

Visa Ready

  • Android Rules! Cards, Tokens and Door Keys in Apps. Your Citibank mobile app can pay at a contactless terminal, your Starwood App can open hotel room doors. Apps have access to ISO 14443/18092 compliant exchange.. with the support of Android. This is where it will get VERY interesting. Google created HCE based upon the contribution of SimplyTapp’s Software (via GPL). I believe it is a tremendous competitive edge for Android, and I would bet they work to “manage” the deployment of KitKat and approve applications that can leverage it, as they MUST be part of Google’s Authentication/Biometric plans. Why is this better than Apple’s Beacon/BLE approach? Google is a Platform that will allow hundreds of apps to access the radio where they will own security and authentication (open innovation). Apple is a hyper controlled structure where beacons will talk to your phone in defined ways through approved apps (managed innovation). OK this is a bit of simplification, but until Apple actually releases a product don’t complain about it.
  • Tokens, Tokens, Tokens.  I could write a book on the interplay here. Much of the V/MA stance evolved from the previous TCH Token Project (see Money 2020 Blog and Business Implications of Tokens). The banks were working to end run Visa and MA on mobile tokenization. Theme is “if there is a number in the phone, why would we [Bank] want it to be a Visa or MA number.. let’s make it OUR OWN number (ie a Token)”. After 3+ years the effort floundered and now TCH is left to be the standards body. Visa and MA reacted, most likely because of all my excellent token blogging (not), and together with Amex announced a new shared token approach.

Important. In the mobile context think of tokens as constantly changing card numbers. In the early stage HCE tokens will be 16 digits to support current payment infrastructure, but will evolve in next 2 years to be complex token identifiers much longer than 16 digits. Visa and MA have both developed controls for how this will work, for example having a “token” that refreshes at a given rate based upon where the phone moves and how the phone transacts. A Token could refresh at different rates (10 seconds to 10 weeks) based upon how the user transacts or what part of the world they are in. In this model Token generation is a NETWORK responsibility, which is why V/MA love this model.  In the new token schemes, there is opportunity for the “mobile handset” to provide biometric and security information. As I stated before, NFC zealots will HOWL that there is no TSM, or security that a number will be stored in software. But SECURITY has DEGREES.. there is no such thing as 100% non-repudiation.  I will leave it as a subject for a future blog how ID providers are paid for this service.
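The token behaviour described above (a 16-digit token that fits existing card infrastructure, generated and refreshed by the network, and worthless without the accompanying device information) can be sketched as a small token vault. This is an added example, not code from Visa, Mastercard or the EMVCo specification; the `TokenServiceProvider` class, the `900000` token BIN, the device IDs and the test card number are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


class TokenError(Exception):
    """Raised when a token cannot be translated back to a card."""


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a number missing its last digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # every second digit, starting next to the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenServiceProvider:
    """Network-side vault: the only place a token maps back to a PAN."""

    def __init__(self, token_bin="900000", clock=time.time):
        self._bin = token_bin       # constructed BIN range reserved for tokens
        self._clock = clock         # injectable clock so expiry can be tested
        self._vault = {}            # token -> (pan, device_hash, ttl, expires_at)

    @staticmethod
    def _device_hash(device_id: str) -> bytes:
        return hashlib.sha256(device_id.encode()).digest()

    def _new_token(self) -> str:
        # 6-digit BIN + 9 random digits + Luhn digit = 16 digits, so the token
        # passes through terminals and processors that expect a card number.
        while True:
            body = self._bin + "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._vault:
                return token

    def provision(self, pan: str, device_id: str, ttl_seconds: float) -> str:
        if not luhn_valid(pan):
            raise TokenError("invalid PAN")
        token = self._new_token()
        expires_at = self._clock() + ttl_seconds
        self._vault[token] = (pan, self._device_hash(device_id), ttl_seconds, expires_at)
        return token

    def detokenize(self, token: str, device_id: str) -> str:
        """Translate token -> PAN only for the bound device and before expiry."""
        entry = self._vault.get(token)
        if entry is None:
            raise TokenError("unknown token")
        pan, device_hash, _ttl, expires_at = entry
        if not hmac.compare_digest(device_hash, self._device_hash(device_id)):
            raise TokenError("device mismatch")
        if self._clock() >= expires_at:
            raise TokenError("token expired")
        return pan

    def refresh(self, token: str, device_id: str) -> str:
        """Rotate a still-valid token: issue a new one, then revoke the old."""
        pan = self.detokenize(token, device_id)
        ttl = self._vault[token][2]
        new_token = self.provision(pan, device_id, ttl)
        del self._vault[token]
        return new_token


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    tok = tsp.provision("4111111111111111", "device-A", ttl_seconds=10)  # test PAN
    print("token:", tok, "-> PAN:", tsp.detokenize(tok, "device-A"))
    try:
        tsp.detokenize(tok, "device-B")     # copied token, different handset
    except TokenError as err:
        print("rejected:", err)
```

A token copied to another handset fails the device check, and a rotated or expired token fails the vault lookup, which is why the merchant-facing number carries no value on its own.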

History

There may be a few new readers on this blog, so let me recap a brief history of how this came to pass.

NFC is a great technology, with a terrible business model. Developed by carriers in a walled garden strategy, they planned to charge $0.05 every time someone wanted to access a credential (like a credit card) in the “secure vault” within the mobile phone. The secure vault was the Secure Element (SE), with companies like NXP making dedicated chipsets for the function. See Carriers as Dumb Pipes.

Also see:

NFC Handset

ISIS Platform: Ecosystem or Desert

Apple and Physical Commerce

Network War – Battle of the Cloud Part 4

Controlling Wallets – Battle of the Cloud Part 3

Apple and NFC

Gemalto

 

 

 

 

 

Token Activity – 10 Approaches?

11 December 2013

I’m preparing for a few institutional investor chats next week in NYC and thought it was time to update my view on the payment landscape. Summary: much chaos and noise, with existing players throwing sand in everyone else’s gears… lots of energy.. but NO HEAT. This blog contains a brief inventory of initiatives I’m aware of. One of the reasons I do this is to solicit further dialog from blog readers.. so your thoughts are always appreciated. It is very difficult for small companies to identify activities which will impact them.. turns out that most non banks and even Visa and MA are ill informed on some of these as well.

In my June Blog Tokens: Merchant Options, and September blog Money 2020: Tokens and Networks I laid out 5 token initiatives.. we have now almost doubled..

The key differentiation between these Token initiatives is WHERE the translation occurs (Wallet, POS, Processor, Network, Issuer).  Translation is also referred to as DIRECTORY, which I define as the mapping of consumer information to payment information (see blog Battle of Cloud Part 1). The owner of the consumer directory is the winner in all of this, as the value of payment pales in comparison to the value of data and the consumer relationship. This is the core of the token battle

Inventory is for POS payments only. 

Token schemes

  • Form A (TCH Pilot – Processor Translation)
    • Consumer Directory: Bank
    • Token is presented to Merchant at POS (QR code, NFC, Barcode, …)
    • POS forwards token to Merchant processor (ie Elavon)
    • Elavon translates token into card through TCH service
    • TCH can resolve token directly (switch to network), or forward to participating bank for resolution (switch to network)
    • Issuer sends Authorization to Elavon
    • POS settlement
    • Patent issues surrounding merchant processor translation of tokens
    • (Figure: TCH Scheme)
  • Form B – Wallet Translation (Push Payments)
    • Consumer Directory: Wallet
    • Token is presented by Merchant and read by Wallet. Token represents MID, TID, Processor and Amount
    • Merchant POS is awaiting authorization as if a card was swiped
    • Wallet sends token to Issuer (circumventing Visa/MA). Note this is WEAK LINK as data connectivity required for Consumer’s phone at POS
    • Issuer translates token into authorization, sends to processor
    • Processor passes authorization through to TID as if card was swiped
    • SMS based payments done in this model for years. Form of tokens could be beacons, QR, biometrics. Difficult to patent as core for operation is consumer directing bank to make payment.
    • Key differences (globally) are how consumer IDs the merchant and amount, and how does issuer pass the auth
  • Form C (C for Chase with their unique VisaNet deal)
    • Consumer Directory: Bank
    • Token is card number, Presentment is TBD.
    • If Merchant is a CMS merchant, Card routes through JPM’s version of Visa net for offers/incentives (given merchant participation.. of which there is none).
    • If Consumer card is JPM then deliver Card Linked Offers. Again.. not much here.
    • Unique capabilities, but all based upon Visa’s network. Barrier to replication is the unique deal that JPM constructed to “branch” VisaNet
    • [Figure: JPM Visa flow]
  • Form E – EMV/NFC
  • Form G (G for Google’s old Mastercard proxy model)
    • Consumer Directory: Google
    • Token is a card number – Issuer is Google (See blog)
    • A plastic version of this was planned in 2012 as reported by Android Police, but was pulled because of high stakes war involving top issuers and Mastercard.
    • Merchant runs transaction as normal
    • Google, acting as issuer, receives the authorization request and routes it to the selected card (using facilities of TXVIA).
    • After receiving authorization from the funding card, Google authorizes the transaction
    • Issuers make all of the interchange they did before, but don’t like being wrapped. They also don’t like the data leakage and the fact that this impairs their ability to offer unique services (10% off at Kinkos).
    • Note: this scheme has a value proposition for everyone.. and banks still don’t like it… Google loses money on every transaction.
    • Another little known fact is that early versions of GW ran in this model due to limitations within NXP’s chip (only supporting one card emulation app)
    • No Patent issues, few other companies could afford to take a loss on every transaction (buying data). Network rules are the primary issue.
  • Form H – Host Card Emulation (Google, MA, SimplyTapp) – I like this one
    • Consumer Directory: Issuer
    • HCE Blog
    • Blend of NFC and Form V below. Simplifies the NFC supply chain
    • No dedicated hardware, NFC just another radio
    • Issuer Creates One time use tokens for EMV key generation
    • Merchant acceptance hurdle CURRENTLY same as NFC
    • Can be leveraged for non EMV purposes (Beacons, QR, wi-fi, …)
    • HCE is GPL, but ability to generate one time use tokens for EMV generation is unique.
  • Form M – MCX/Target Redcard
    • Consumer Directory: Wallet/Retailer
    • See Gemalto/MCX Blog
    • Very similar to Model S (Square) below except wallet is owned by the retailer and form factor is QR code
  • Form P – Paypal/Discover
    • Consumer Directory: PayPal
    • OK… this is not mobile yet.. but since I have Square down below, I thought I would be fair
    • Consumer registered for Paypal Card running on Discover network.
    • Consumer enters phone number at POS + PIN
    • Processor translates phone + PIN into Discover transaction
    • Discover routes to Paypal for authorization
    • Very similar to Model G above
    • Transaction authorized
  • Form S – Square/Starbucks/LevelUp – POS translation
    • Consumer Directory: Wallet/Square/Starbucks
    • Consumer account mapped to phone, ID, voiceprint, card, picture, location
    • POS translates ID to Card
    • POS request authorization as a card not present transaction
    • Consumer Authorization was taken during service registration
    • Consumer receives digital receipt for transaction
    • See Square Stand, LevelUp
  • Form V – Visa/Amex/MA – Network Tokens (TBD)
    • Consumer Directory: Network (Issuers don’t like this)
    • Press Release
    • See blog on Battle of the Cloud Part 4 – Clusters Form
    • Tokens will evolve to a very long number which will be translated to an issuer/account number. This is what Visa/MA do today.
    • Patents will be around generation, use and validation of token. In the future, merchants will not store your card numbers on file (COF), each merchant will have a unique token based upon your actual account number and their own ID.
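
The Form V idea above, a token unique to each merchant that only the network can translate back to the account number, sketched as an added example (not code from this blog or from any network's token specification). The HMAC derivation, the 999999 token prefix, the key and the merchant IDs are assumptions made for illustration; 4111111111111111 is the standard test card number.

```python
import hashlib
import hmac

TOKEN_BIN = "999999"  # assumption: constructed prefix reserved for tokens, not a real BIN


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet include one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class DomainRestrictionError(Exception):
    """Token exists but was presented by a merchant it was not issued to."""


class NetworkTokenService:
    """Toy token service: the token -> account directory lives only here."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._vault = {}  # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Issue a 16-digit, Luhn-valid token bound to one account and one merchant."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails the Luhn check")
        mac = hmac.new(self._secret, f"{merchant_id}|{pan}".encode(), hashlib.sha256).digest()
        # Assumption: 9 derived digits keep the toy token card-shaped. A real
        # service needs a larger space and collision handling.
        body = str(int.from_bytes(mac, "big") % 10**9).zfill(9)
        partial = TOKEN_BIN + body
        token = partial + luhn_check_digit(partial)
        bound = self._vault.setdefault(token, (pan, merchant_id))
        if bound != (pan, merchant_id):
            raise RuntimeError("token collision, refuse to issue")
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Translate token to PAN only for the merchant the token was issued to."""
        if token not in self._vault:
            raise KeyError("unknown token")
        pan, bound_merchant = self._vault[token]
        if not hmac.compare_digest(bound_merchant.encode(), merchant_id.encode()):
            raise DomainRestrictionError("token presented outside its merchant domain")
        return pan


def demo() -> dict:
    svc = NetworkTokenService(b"demo-key-constructed-for-this-example")
    pan = "4111111111111111"  # standard test card number, not a real account
    coffee = svc.tokenize(pan, "MID-COFFEE-001")  # constructed merchant IDs
    books = svc.tokenize(pan, "MID-BOOKS-002")
    try:
        # A token copied from the coffee shop's card-on-file store and replayed
        # through another merchant is refused at translation time.
        svc.detokenize(coffee, "MID-BOOKS-002")
        replay_refused = False
    except DomainRestrictionError:
        replay_refused = True
    return {
        "tokens_differ_per_merchant": coffee != books,
        "owner_resolves": svc.detokenize(coffee, "MID-COFFEE-001") == pan,
        "replay_refused": replay_refused,
        "token_is_card_shaped": len(coffee) == 16 and luhn_valid(coffee),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The merchant's card-on-file store holds only the token, so a breach there yields values that are useless at any other merchant, and the mapping back to the account stays with whoever runs the service.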

From Business Implications of Tokens

Business Drivers

As I outlined in New ACH System in US, my view of Bank business drivers for Tokenization are:

  1. Stop the dissemination and storage of Card numbers, DDA RTN and Account Numbers
  2. Control the bank clearing network. Particularly third party senders and stopping the next paypal where consumer funds are directed to unknown destinations through aggregators.
  3. Own New Mobile POS Schemes to protect their risk investment
  4. Improve ACH clearing speed (new rules, new capabilities to manage risk). In a token model the differences between an ACH debit and a debit card will blend as banks leverage common infrastructure.
  5. Create new ACH based pricing scheme somewhere between debit ($0.21) and credit cards
  6. Regulatory, Financial Pandemic, AML controls (per  blog on HSBC)
  7. Take Visa and MA out of the debit game (yes this is a major story)
  8. Maintain risk models (see both sides of transaction)
  9. Control Retailer’s efforts to form a new payment network

What banks seem to be missing is that mobile payment is not just about payment (see Directory Battle Part 1). Payments SUPPORT commerce, Banks therefore do not operate from a position of control but rather of enablement. Most retailers recognize that Consumer access to credit has resulted in improved retail spending, however most would also say consumer addiction to bank rewards has been detrimental to their margin.

Commerce and Banking – What is the Difference?

21 Nov 2013

Warning… long blog.. random unstructured thoughts

This is the question I came up with in a lunch chat with my friends at Omidyar Network and not exactly something I can adequately address in a blog, a book, or a lifetime.. but hey some idiot like me may as well throw it out there.

Why am I asking this question?

My investment hypothesis is that Banking and Commerce will be undergoing a fundamental rewiring. Therefore I’m wondering who the winners will be? What needs to be built? What are the signs that progress is coming? These are my selfish drivers.

On the altruistic side, how can we massively expand the global economy? Enable millions of businesses and billions of consumers to participate in the world economy? Within emerging markets, which is more important to invest in? Banking or Commerce (see blog Expanding Global Economy).

Where am I coming from? Network View

Well I’m certainly no economist, but I do know a few things about networked businesses. How are Banking, Commerce, Society, Government influenced by network effects? How has it evolved?

One of the most influential books I’ve read on this topic is Weak Links by Peter Csermely (viewable on Google Books here). If I had one book for you to read during the Holidays this is it. This book is tremendously arcane, detailed, technical, deep.. but I guarantee you that you will have a new view of commerce, banking, advertising, social networks, payments, and society after reading it. Example below on Peter’s insights into how the creation of money altered society, established “weak links” and Capital Markets (p 263)

[Image: excerpt from Weak Links, p 263]

Wow… just when I thought I knew everything about payments. The advent of money led to the development of concept of PERSONALITY!? (Certainly a new way of thinking about networks). The idea that increasing use of money drove new social and economic structures is obvious; less obvious are the connections formed, the “weak links”, beyond the flow of funds: non monetary data, relationships, reputation, …etc. I prefer to think of this “personality” dynamic, within weak links, as behavior (as influenced by Malcolm Gladwell).

These “weak links” represent the world’s most complex network, and this network is going through a FUNDAMENTAL change as communications networks have greatly improved the efficiency of network creation to a near frictionless flow of information. There are 2 fundamental questions for me here:

  1. What is the cognitive limit to networking (ie. associations, data, ..etc)? and what are the tools to improve them (ie Platform which I will cover later), and
  2. How do we connect the unconnected?

Most surprising to me, within Peter’s work, was the idea that scale free distribution (completely open networks) is not always the optimal solution to the requirement of cost efficiency. For example, Peter states in his book

in small world networks, building and maintaining links between network elements requires energy…. [in a world with limited resources] a transition will occur toward a star network [pg 75] where one of a very few mega hubs will dominate the whole system. The star network resembles dictatorships in social networks.

Therefore, there is a case to be made for specialization and “semi open” networks when it comes to COST efficiency. Logically, the boundaries for star network size are associated with the value of connection exceeding the cost.

Given the complexities of weak links discussed above, we can see (from a networked view) why managed economies (like the old USSR) lost to social structures where dynamic networks could be formed on value. We can also see how consumers at the bottom of the pyramid are more heavily influenced by the few links they have (ex social programs, corrupt dictators, populists, …etc).

This all leads to a question for us, as a society, where should we try to “centralize” services and functions? Would it be better to provide the tools to “connect” and educate the mass market on how to discover services (ie value, reputation, price, …)? Or force everyone into a network with no other options? (Sorry for the Healthcare tangent).

Star networks naturally occur, but they also occur artificially. Banking has both dynamics, as connectivity and strong links are required for efficiency. The Banking System’s network dynamic is also strongly influenced by regulation that manages the connection and the information flow. What would an unmanaged banking system look like? This is what we see today in BITCOIN.

US Bank regulation impacts participation, services, value, location, communication, … etc. In a world of free information flow, should consumers have a choice? What choices should they have? The need of government is to track financial information for the purpose of taxes and management of economic activity. The need of consumers is to connect to the economy efficiently.  Thus star networks exist both as natural (self organized communities) and unnatural (regulated services, dictatorships) phenomena.

How do consumers select a Bank? Well back in 2006 we commissioned an analysis and found that branch location (convenience to home/office) was the number one factor in consumer bank selection. In the last 2 years we have seen a SEA CHANGE as US banks now work to thin out their branch network. Many drivers here, but it certainly doesn’t help that the fee restrictions from Durbin led to a consumer banking environment where the bottom 40% of consumers are no longer profitable (see Future of Banking).

Where are these bottom 40% going? Pre-paid (see Bluebird). Although Banks don’t want the bottom 40%, they also don’t want Walmart to succeed. Retailers like Walmart love these consumers, as they are their core. Bank products are becoming “banking lite” services productized and sitting on a retail shelf to buy. Pre-paid “specialists” have thus materialized, and established players hate the idea that consumers will think of bank services in this light (a product which can be bought.. and switched). Of course it makes sense to ask your regulator for protection against consumer choice, but this is certainly not to benefit the consumer.

How do consumers select a retailer? Not all commerce is retail, and I can’t possibly do justice to answering this question. The CEO of Safeway also outlined how 80% of any given Store’s customers were within a circular proximity of his stores, and that store location was driven by density/competition/demographics. However, this convenience selection process is NOT the dynamic with Amazon or Walmart. It would seem that the value of connecting to Walmart and Amazon is different for certain population groups. (see Future of Retail).

Quantitative Data

Big picture first. How can we measure “networks”? Perhaps the real question is what are we trying to find. We could look for efficiency of the network itself, or the financial health of the nodes, or the scale (number of nodes). The last one makes little sense as everyone participates in Commerce and Banking to some extent.

With respect to Banking and Networks, NYU’s Thomas Philippon published jaw dropping research detailing how Payments and Banking are one of the few network businesses in the HISTORY OF MAN to grow less efficient (rail, telecom, energy, …). Consumer banking examples are plentiful: how can the banks justify paying 0.2% interest on your savings, but charge you 15% on your card? (See Future of Banking: Prepaid..?). Obviously regulators are protecting bank margins, with some Bankers ACTIVELY discouraged from rate competition. This is the DEFINITION of regulatory capture (regulators DISCOURAGING consumer competition).

Commerce is far too broad to generalize. It encompasses manufacturing, services, retail, infrastructure, rules, codes, …etc. Logically improved information flow should improve transparency, improved transparency should lead to improved consumer choice and growth of specialists focused on serving ever smaller niches of demand. We certainly see this dynamic today in HighTech manufacturing (Cisco, Samsung, Apple, …), US capital markets, telecommunications, professional sports, ..etc. How can we measure this? One of the best scholarly articles I’ve read on networks and global commerce is from Hummels, Ishii and Yi (See paper as published by US Federal Reserve). From the abstract

Using input-output tables from the OECD and emerging market countries we estimate that vertical specialization accounts for up to 30% of world exports, and has grown as much as 40% in the last twenty-five years. The key insight about why vertical specialization has grown so much lies with the fact that trade barriers (tariffs and transportation costs) are incurred repeatedly as goods-in-process cross multiple borders. Hence, even small reductions in tariffs and transport costs can lead to extensive vertical specialization, large trade growth, and large gains from trade

From a Commerce (Manufacturing) network view, over 30% of export growth was fueled by network effects associated with specialization. These effects (growth) were highly correlated to trade barriers (ie, network friction) and  infrastructure (payments, commercial banking, transport, logistics, communications, …etc).

How has information flow impacted Retailers? Net Margin in retail has taken a nose dive (from 4.2% in 2006 to 2.8%, see data by industry from CSI market). Retailers have no one to protect them from the forces of competition (ie Bank regulators) and therefore have a much tougher job as they work to sell commodity goods at the highest possible price, in a world where they don’t know the consumer’s name (see Retailer CRM). It seems obvious that data transparency (ex show rooming) and new networks provide price and reputation information and that consumers are changing behavior.

Commerce and Banking

Summary: the only difference between Commerce and Banking is REGULATION. Banking is a highly regulated activity…. Commerce is not. Providing access to financial services is a much harder problem to crack because of local regulatory hurdles (see my notes on MPesa and Reaching the Unbanked).

If commerce, networks, banking, government and society are evolving how SHOULD we change our artificial structures (ie regulation, government, …etc.) to support? Have we reached an apex where the pendulum will swing quickly from centralization to hyper democracy? And hyper capitalism? Where SOCIETY creates and evaluates rules which are established based upon their aggregate network effects, not on lobbyists, politics and junk science?

The most immediate areas impacted are those networks that do not deliver value, as barriers to entry and switching costs are overcome by the value and scale of alternative networks and new business models. 200 years ago we could walk into our local country store and ask the shop keeper to put our purchase on our account. We could barter for goods and services. Today, the regulatory hurdles for a store to provide this simple service are substantial.

Banks, manufacturers, retailers, service providers are all capable of issuing credit based upon identity, reputation, history, use, …etc. A home builder could take on the ability to sell, lend, lease and repair a home. Yet the enormous regulatory requirements on selling, lending, leasing inhibit the viability of this vertical service integration.

With respect to payments, as my friend Osama outlined to Tim Geithner, what if the future of payment profitability was driven not by interchange, but by the flow of data? What if Apple were to give away new iPhones, with free connectivity, with the provision that they share data on preferences and behavior? This is NOT some future state, these discussions are happening today. We tend to view these discussions in context of the companies, products and structures that exist today (ex. how could Visa enable this?). Yet existing networks have proven an inability to adapt, as they were formed around an existing value proposition in which each node became “attached”. If you change the core service, you change the entire network.

The inability of other networks to adapt is FAR less concerning to me than regulation that will destroy innovation and create artificial PROTECTIONS around existing structures. In the example above, what if the government mandates controls around PII making the prospect of free phones and free data non-viable? Who wins? Consumers gain increased protections on their PII, but lose a service. Should they not be able to make this trade themselves?

Another example is Prosper in social lending. A great example of innovation which was “guided” by the SEC to become a securities dealer (see Wikipedia, Crowd Sourced Credit, and my blog on Reputation). Now every loan must be registered as a security (see example) . This may be the right thing for us to do as a society, transparency and auditing are valuable functions which increase the flow of capital and efficiency of a market. But must we be required to submit to these regulations when we want to take on another type of risk? Having the government certify “accredited investors” or “accredited borrowers” may be best as an optional service that must prove its value.

In the emerging markets we see the MASSIVE success of MPESA. With few exceptions (Philippines, PK, Colombia, Peru, Ghana), we see every other country working to ensure this DOES NOT happen in their market. India is at the top of my list of offenders, where entrenched bureaucrats and regulators work to protect domestic banks at every level, regardless of the potential macro economic benefit (review IMPS for example).  Beyond banking the same dynamic plays out in Commerce as well capitalized companies like WalMart are hammered for making unapproved INVESTMENTS in infrastructure (see WSJ).

Clearly the pain point is around banking, but it is not something that banks alone can address as they themselves are regulated, it is a regulatory issue (see US Payment Innovation and Regulation). Europe has done a fantastic job addressing the regulatory issue (within the ELMI construct, SEPA, …etc.), their problems are around nanny state consumer protections and EU rules that do not make their way into domestic law or regulations. A government that protects against everything inhibits free association, consumer choice and the assumption of risk. (now I sound like Milton Friedman).

“Many people want the government to protect the consumer. A much more urgent problem is to protect the consumer from the government.”
― Milton Friedman

“Government has three primary functions. It should provide for military defense of the nation. It should enforce contracts between individuals. It should protect citizens from crimes against themselves or their property. When government, in pursuit of good intentions, tries to rearrange the economy, legislate morality, or help special interests, the costs come in inefficiency, lack of motivation, and loss of freedom. Government should be a referee, not an active player.”
― Milton Friedman

“The society that puts equality before freedom will end up with neither. The society that puts freedom before equality will end up with a great measure of both”
― Milton Friedman

Platforms

Just as the use of money enabled specialization and the concept of “personality”, telecommunications is opening up a new world of free form association, both business and societal.

Open Source is a model most of us are well familiar with. (further reading… I ran across a very nicely done paper from 2 MIT students: Implication of Open Innovation and Open source to Mobile Device Manufacturers).  Given that mobile, advertising and payments are all networked businesses… business models supporting distributed innovation should advance at a faster pace than those controlled by a single entity. For example, Amazon, Samsung, Motorola, LG, HTC, Verizon, ATT, Vodafone, .. all make much larger investments in the Android platform (than in IOS). (I would love to see an analysis of combined capital investment in android platform)

From my blog Stage 4 Value Shift

…this distributed innovation hypothesis is NOT playing itself out (ie Apple). Apple’s 1Q12 showed iPhone revenue alone was $24.4B, which is bigger than all of MSFT revenue combined.  Analysts have shown that Apple now garners 75% of mobile handset profits, with only 9% of handset market share.  So while Samsung alone has outsold Apple in Units this quarter (41M vs. 32.6M), and Android just topped 50% market share (vs Apple’s 30.2%).. Apple’s handset business PROFITABILITY dwarfs that of all of the competition (COMBINED).

So… What are the factors of competition today? Can someone else change the game?

The big downside in distributed innovation is complexity, there is a need for a “channel master” or chaos reigns. Many Android users witness this chaos when an app won’t work on a new hardware/OS combination.. Distributed innovation is not something that established businesses are good at. It has proven most successful in product PLATFORMS where the pace of change in each component is changing at a rate where no one company can make the capital investment to remain competitive (ex. Moore’s Law, PC architecture through present day). Intel played a very important role in this process, as it worked outside the scope of the CPU in areas such as: Intel Architecture Lab (IAL, developed common standards like PCI),  stimulated external innovation (developer training, testing, Intel Capital), industry marketing, patent/licensing. Intel defined what the PLATFORM was.. something that is common sense to us today.. but rest assured it was not given to them, rather it was something that they stepped into and took leadership of.

From Delivery to Discovery

Commerce and banking have many effective platforms to coordinate supply chains and payments. Today the nature of commerce competition is on quality, price and distribution (delivery). What if the nature of competition shifts from delivery to discovery? Shifting the model by which “weak links” are established today.  Today an individual must sift through mountains of search results and travel sites to find the best deal. We see complete garbage in banner ads and TV.

Who can proactively help you form networks of value, and expand how consumers manage their network, identity, personality? Most would agree that Google is best positioned here. I’m also very excited about the prospects of a company I’m incubating in this space. Ok.. this is getting off track quickly

Summary (I just finished reading a few of the federalist papers last night.. so pardon in advance).

The key for global economic growth is allowing individuals, and companies, to assume risk. The lines between Commerce and Banking SERVICES should blur, and start from the Commerce side as regulated institutions have an unfair advantage in their protection. New networks provide for free form associations, and will improve in their ability to organize as platforms mature. These networks are capable of higher forms of risk mitigation, but are throttled by bespoke institutions and regulations. Bitcoin is perhaps the best example of a disruptive force to hit banking. Europe is proving to be a role model in banking regulation, but their innovation in financial regulation has been offset with a local enforcement and complex environment where consumers cannot assume risk.

My message here is for Governments and regulators as much as it is for innovators. We must allow consumers to make decisions for themselves, and avoid regulating every behavior or government centralization and control will tend toward tyranny that is unaccountable and unchangeable.

Divide and Conquer: Commerce Battlefield

What “standards” are there in commerce?

Do we advertise in the same way? Locate in the same geographies? Price products the same way? Have the same eCommerce or mobile “store” and services?

What about Payment?

Payment is perhaps one of the few “standards” that retailers have in commerce. I had an “ah hah” moment at Money 2020. It was from a presentation by Jim McCarthy of Visa.. the theme: Visa is a model where everyone wins, and participants can monetize their respective roles. Of course I should know this.. but it really just struck me on WHY the Banks want to work within the Visa model.. if they break it.. they will no longer be able to monetize payments.

Mobile is a platform which enables a radically improved customer experience. With respect to payments it also offers a unique ability to authenticate a consumer (fingerprint, GPS, cell tower location, voice, camera, …). Yet, no banks are looking to leverage these “new” capabilities in a “new” payment system. After all, given a clean sheet of paper, no one in their right mind would design a payment system like we have in Visa/MA: present a credential to a merchant, who passes to a processor, who passes to network and routes to issuer to approve a customer transaction… giving the auth to everyone in the chain again.. and getting back another message. If everything is connected why not just ask the consumer to send the money from their bank (ex Sofort,  Push Payments also read Banks will Win in Payment ).

Why? Well because Banks can’t make money in a Sofort model.. (would need to create all new merchant agreements). This is why Banks are going through contortions to stay within Visa/MA, yet attempting to alter it fundamentally (ie Tokens). A top 3 Retailer provided me a great example “if tokens are not created by Visa/MA do I have to accept all tokens like I have to accept all cards”?

Defining the Battlefield

My real “ah-hah” came when thinking about how the Card “standard” has been managed for the last 50 yrs. Quite frankly the Banks have been playing Chess while everyone else has been playing checkers (quote from a Retail Client).

This reminds me of Sun Tzu

Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle will arrive exhausted

Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.

Sun Tzu – Book 6

Retailers have been playing on someone else’s field.. they have been so distracted in competing with each other.. that they did not even identify a common enemy. This has shifted significantly in the last 5 years. The payment burden has become so substantial that Retailers realize they must define their own rules and create a new network (aka field).. thus we now have MCX in the US, SEPA in EU, EFTPOS Australia, CUP/China, Interac/Canada…  This is not just the US, take a look at what is happening in the UK last week, or with Card EU regulation cross border.

Implications of Tokens

I cannot understate the business implications of tokens to Retailers, Processors, Wallet Providers, eCommerce/mCommerce companies, and Start Ups (also see Money2020 and Tokens). It will impact every company that keeps cards on file (COF), or processes transactions electronically. What is most concerning? These entities have few existing mechanisms to coordinate/collaborate … a coordinated Bank/Network consortium is battling a bunch of unorganized tribes… and setting them against one another. The hectic activity in payments has caused a fog of war which serves to obfuscate the primary advances of the opposition. While everyone is focused on litigation, debit, mobile, MCX… banks are moving 3 steps ahead.

Banks have wrapped tokens in secrecy (per Sun Tzu) with motherhood and apple pie stories pertaining to protection.  I can assure you that Banks are not dropping over $1B+ to protect consumers.. they are spending this to protect themselves from competition. As I said previously, Banks know they cannot innovate at the pace of Google, Square, Cardspring, Braintree, … thus they must control the battlefield. Tokens enable them to recast the battle.

The new battle surrounds data. As my friend Osama told Tim Geithner, the value of data exchange may quickly outweigh the value of risk management and clearing in payments. JPMC has even created a new DIVISION run by Len Laufer to focus on data, as Jamie would say “we have better data than Google”.  Bank Card CEOs are furious at the thought of anyone delivering value on their cards, particularly efforts by the networks themselves (V.me, Visa Offers, …). Other token drivers:

  • Control who can be a wallet provider
  • Control who can add value to a card number
  • Control how a merchant can identify a customer via a card number (See payment CRM)
  • Control how payments are cleared (ex. What they did to Google Wallet).
  • Control how and WHEN mobile payments succeed
  • Control what payment instrument is used in mobile POS payments (ie Credit)
  • …etc

Banks are so far ahead on strategy….. I’m concerned Retailers will have no idea of what hit them.

How to respond?

  • Coordinate on a plan of action (glad to assist)
  • Create a new Battlefield.. create a new set of rules that Retailers control (thus the brilliance of MCX)
  • Join MCX.. just to ensure Banks know they must take this seriously
  • Frustrate the Banks on their Battlefield… Visa/MA and the issuers are not on the same page.. help to further the rift.. ensure new rules work to the Retailer’s benefit. For example, push V/MA to create a “certified wallet provider” that can translate cards to tokens WITHOUT THE ISSUER.
  • Regulatory… push payments into DUMB PIPES. Let innovators own the risk.. give banks a pass on payment compliance, open non bank owned pipes (Fed wire)…
  • Find Banks that will partner with Merchants to deliver value. On my short list are: Barclays, AMEX, Discover and Bank of America..
  • Help Banks solve their problems through you.. help Banks leverage their data for your benefit….instead of the other way around. Amex is FAR ahead in this.. 5 yrs ahead (see blog)
  • Break the Card revenue model…. Beyond what Chase did to VisaNet
  • Ensure you are viewed as fighting for the consumer.. NOT for yourself. Banks don’t exactly have a stellar reputation these days.
  • Banks also rightly fear that Debit will move from $0.21 to $0.05 or even $0.03.. making debit the equivalent of a quasi real time ACH system. How can you incent increased use of debit today?

I have a few others that I’m not going to share.. but we have got to stop falling on the same sword over and over again.  Banks are NOT the center of commerce, just as my ISP or MNO is not the reason I shop at Amazon.

Investors.. I’m not saying to short V/MA.. I see nothing to dent their global growth.. but in US/EU.. we will see their revenue drop substantially in 5 yrs.

My predictions

  • Visa/MA will create a rule that no one can wrap their card in a token but them… after all a card is really a token for an account number in the first place. Bank token efforts will die in next 12 months.. unless they can force a strategic change… or they make a move toward a 3 party network like Discover.
  • Visa/MA will start off getting feedback from all participants.. but banks will win on their rules like they always do.  Merchants will resist efforts unless carrots are substantial (card present and fraud liability shift). If issuers are NOT on board merchants know (from VBV/MSC experience) that issuers will just tweak the decline rates to make for a terrible customer experience. In the end issuers have control over how any new scheme works for its consumers.. they have an unlimited ability to frustrate Visa’s rules… or leverage networks against each other.
  • Take a look at how long EMV, NFC, … have taken. I would make the case that EMV only succeeded because of regulatory pressure.  I see no impetus for change… no business case for either merchant or consumer.  PCI costs and Fraud are already managed…
  • Mobile successes will work around today’s plastic.. This is the beauty of Square..
  • Merchants have reached beyond the tipping point of collaboration on common payment services. It will happen… and there will be implications to V/MA volume (in 5 years)
  • There is only one entity that has the POWER to change consumer behavior on mobile: Apple. It took them over 20 years to earn consumer trust through their maniacal focus on quality and consumer experience. If Apple makes a move in mobile payments.. we should all “think different”
  • Merchant friendly solutions and big data.. are red hot areas. My favorite case study here is a little restaurant marketing company (Fishbowl).. will write a blog on them this month.

Who do you Trust?

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

9 Sept 2013

(sorry for typos.. on the road and will proof later)

WSJ article today on Apple’s biometric led me to believe the mainstream press is “missing” it. As I outlined in Payments as Part of the OS, generically for all handsets in Stage 4 Value Shift, and specific projections for Apple in Apple and NFC – Part 2:

  • Handsets are becoming a commodity; cameras, screen resolution, and battery life are no longer differentiators
  • New differentiator is “Value Orchestration” across physical and virtual worlds
  • Apple and Google are best placed to perform this service, and do so today from “cloud access” to music, pictures, calendars, documents, to storage of personal information like cards, social,
  • The “KEY” to value orchestration is owning the customer relationship. Identifying and Authenticating the customer is the first, primary, service that must be owned by a platform.  What was a separate “Trusted Services Manager” in the NFC world has been co-opted by platforms which will take a proprietary route.
  • Authentication is of little value if the platform is not “secure” and offers no unique services to Authenticate. IOS and Android started life as relatively unsecure operating systems, where “control” over individual app access to phone data was “regulated” by testing vs. enforced in platform security.

Platform Future

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

Hardware is evolving to software. From NFC to the SIM. Once security is in place, there is no reason Apple could not release a version of their phone with SIM virtualization/emulation. Could you imagine having 2-5 options at any given instant, using whatever carrier has best coverage and least cost given your current location… Perhaps even competing w/ Wi-Fi ? Of course this would destroy carrier subsidies.. but perhaps it may be worth buying an unlocked phone.. and carriers become dumb pipes competing to deliver the best service. There are a few regulatory roadblocks in the way.. but I am painting a future view that is already occurring in some markets (See dual SIM phones in India).

The implications for Android are much more significant than for IOS, given the number of Telcos that have leveraged Google’s baseline Android to create customized versions. If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (drive, Google Now, Commerce, …).  The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

Trust – Everyone wants to play

What we will see at Money 2020, is that there is an all-out war going on for the Trust role: Banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.

Bank strategy seems to center on control of existing networks. What they don’t realize is that the harder they work to build barriers to entry, the greater the value of finding ways around them. A public example is Google’s acquisition of Zave Networks in 2011.  Prior to taking your credit card at the POS, there is another settlement process in place.. one around coupons (which are a legal form of tender). In this coupon environment, P&G or General Mills’ accounts are debited and the consumers account is credited. In this financial settlement system, there is no limit on what accounts can participate… This example perfectly represents the “innovator’s dilemma” where a “good enough” network supplants an incumbent as the nature of competition changes.

I was with a top 3 bank CEO this year, who was confident that they would win the MCX business. I asked why. Response was “we have these Retailer’s investment banking business and handle most of their processing today”.. My response “when did you bring them customers or help them compete”? He just did not understand the nature of his competition, it was not about cost of processing… the NATURE of competition in payments is changing.  (See Retailer as Publisher)

Who do I trust?

I’m an ex banker and can tell you that Banks take the trust role very seriously. They are regulated and monitored.. I had to take 40 online tests a year to ensure I understood compliance, regs, …etc. What a nightmare! Is it any wonder why this environment is not ripe for innovation? Can you imagine what the CFPB would do to a big bank when it had customer data not related to an account? It would have to explain why they had the data, how they obtained it, the customer agreement terms, what they would do with it, the safeguards around use, storage, retrieval, how they planned to make money from it..  It’s like your mother in law sitting next to you everyday asking you what you are doing.  I certainly Trust a bank.. but they will never ever get anything done here.  They need partners, but they want to dominate the relationship.. The country w/ most advanced model of Bank led “trust” authority is Korea (see link).

I love Google and think every one of their employees is working to “do no evil”. They are the most well meaning and least “nefarious” Fortune 50 I have ever worked with.. but they are used to getting data for free and selling it back in services. Consumer safeguards seem rather absolute.. and their data stores are so massive and intertwined it’s hard to pull it apart, particularly when a “consumer” relates to an account(s) and device(s)… Google knows things about me that I have not specifically permissioned them for. They have the capability to be secure, but few current services where that is an imperative (payments, Google Drive).

Apple is from another planet, there is just no one else like them in keeping secrets. How do they do it? Yes I trust Apple.. they only know what I tell them…. I like this model.. If I added healthcare info to my iCloud account.. I have confidence it would be secure.

MNOs. This is a breakout business for them (See KYC $5B opportunity). GREAT authentication means physical verification of customer/credentials. I believe US MNOs are in a position to deliver this service through Payfone… but it must be integrated to local physical distribution channels for a “new” account type. This is where digital signatures could really take off… from signing mortgage documents to account applications..  I believe MNOs are best placed for the Trust role because of their physical distribution channels and knowledge of consumer.  Forget about ISIS.. if you own authentication everything else is dependent on you.

Side Note: Paypal is getting far too much attention

They had a slew of new product releases last week. All focused on “convenience” not on COST or customer acquisition. As I outlined.. Paypal is nowhere in off-ebay mobile payments ($1B – see my 10k Breakdown), they are under attack as processors like FirstData refuse to route their physical payment. The only prospective customers of Paypal are services, or Branded retailers that restrict distribution, as the eBay marketplace encourages price competition for distributed CPG products. Jamba Juice, Dunkin Donuts, and Under Armour are example prospects.. Consumer adoption is driven by frequency of use.. If Paypal can’t make traction in Grocery, Gas or Transit their prospects are very bleak.

From a network perspective Physical POS was NEVER PayPal’s focus.. it is not what they do, or why their current consumers and merchants use them.

PayPal under attack.. Not just Facebook…

Existing research (such as Morgan Stanley) are keen on Paypal’s chances as they survey merchants likely to use Paypal’s new services. This research is backward looking, as merchants don’t understand what new services will do for their business, and new value propositions are not yet in market. In my view Paypal’s entire eCommerce revenue is at risk.. with their only advantage (DDA integration/cost of funds) lost because of new Debit pricing of $0.07 cents. This is not just a US thing, or a mobile thing, or a POS thing.. this is EVERYTHING. They have no competitive differentiator… and are not positioned well to compete in ORCHESTRATING COMMERCE.

eBay shares were down 3% on news that Facebook has launched a new payment service (see article). Facebook came out later the next day to emphasize it was a small test and it has a “great relationship” with Paypal (see Businessweek article).

Paypal is a cluster unto itself (see Battle of the Cloud 5). The negative “cluster” connotation (ie heard with respect to Vietnam) seems to stick well with Paypal’s current US prospects in several segments.  Last week we heard of Facebook’s payment pilot.. the future of which presents just one of the many real threats to Paypal’s “core” eCommerce (off eBay) volume.

The nature of payments is changing… and I’ve stated often: the strength of networks is their resilience and resistance to change; they were formed around a defined value proposition where participants were aligned… The strategic threat for Paypal is that the nature of competition is changing as advertisers and channels couple payments with other services (social, community, advertising, …) to deliver a better COMMERCE experience through insight into customer data.  Merchants gain CUSTOMERS… For example, both Google (instant buy) and Facebook payment will offer merchants an API that allows them to pull consumer information into the checkout page. This means a greatly improved checkout experience, improved ad targeting, improved lead attribution, improved consumer analytics, improved mobile conversion, and of course much more data for Google and Facebook. The MNOs also have a service in place with Payfone, (to launch in next month or so.. see blog).

The entities most capable of delivering on mobile payments (in order of likely success)

#1 Touch the consumer BEFORE the purchase (ability to add value and couple w/ advertising)

  • Channels: Google, Facebook, and Amazon

#2 Have a direct consumer “mobile relationship”, with payment history, and can authenticate/manage Fraud

  • MNOs (Payfone), Braintree/Venmo

#3 Have a physical POS relationship (or part of existing POS network)

  • Retailers, Visa (V.me), Mastercard (Masterpass), Amex/Serve (Payfone)

Online merchants are asking themselves: where do my customers come from? How can I improve customer experience? Customer conversions? Reduce cost of payments? The answers all point to very poor prospects for PayPal. Paypal does NOT bring customers to the merchant, they can add no value to merchants beyond Autofill, a task much better suited to channels that already have authenticated the consumer before they enter the merchant’s virtual store.

Look at Google’s Instant Buy. Google delivers one click mobile buying AND financial savings to the online merchant in EVERY transaction at 160bps (non Durbin regulated debit), taking a LOSS on EVERY transaction. Paypal’s cost of funds is around 80-110bps, and average merchant cost is over 240bps.

eBay’s 2012 10-k reports that $13B of TPV was assigned to marketplace mobile Commerce (page 5). On page 7 we see

In 2012, PayPal’s net total payment volume, or net TPV, for transactions using mobile devices reached nearly $14 billion, up from approximately $4 billion in 2011. PayPal’s mobile products are designed to deliver an end-to-end mobile shopping experience in a safe and secure environment. PayPal’s mobile checkout solutions offer a convenient and easy way for merchants to accept payments from mobile devices, and for consumers to pay, through a mobile-optimized user experience

This leads us to assume just $1B of “mobile payments” was off eBay commerce related.  In other words, all “mobile payment” growth is from eBay participants finishing transactions on mobile/iPad.

Paypal’s core is in improving the eCommerce checkout experience, and will NOT extend into mobile as mobile participants are better able to leverage their channel positions, consumer insight and existing services to better deliver both a merchant and consumer value proposition. Beyond mobile.. what are Paypal’s prospects?

POS – FAILURE

Paypal is going absolutely nowhere with POS payments. For example, I had two separate industry experts tell me that FirstData has refused to route any Discover/Paypal traffic (see my May 13 Blog).  Paypal’s approach to this network roadblock is to partner with processors (like Vantiv) and offer a spiff (say $500k) to switch from FD to Vantiv.  Can you imagine the laughter.. I’m going to switch from FirstData to accept a Paypal payment product that is more expensive than anything other than a premium Visa credit card? Why?? Exactly what is the consumer adoption? It all makes no sense at all… Thus, I hear internally that Don Kingsborough’s continued POS push may be short lived (product and person?).  Given Home Depot’s experience of 5 transactions per WEEK, it would seem obvious.

eCommerce

This is Paypal’s core.  How do consumers find products online (see Forbes Article). With more product searches initiated on Amazon than Google, what if Amazon is well positioned for both: Retail/aggregator/reseller/distributor role AND the payments/advertising role.

eCommerce is very, very LUMPY, with eBay/GSI, Visa/CYBS, Amazon accounting for over 60% of Sales in US. In Japan, Amazon and Rakuten have similar shares, with similar concentrations in other markets.  An obvious investor question is to ask: what is PayPal’s penetration within these other “networks”?  For example, within CYBS merchants, what have been PayPal’s wins within the last 2 years?

Paypal has won here historically because of its ability to manage fraud and deliver great consumer experience.. it was a consumer facing value proposition. It will now be under attack as the same “channel” dynamic described for mobile above takes shape.  Google, Facebook and Amazon will change the nature of “payments” competition. No longer is it about experience and cost… payments is just part of a long commerce process. Channels are much better positioned to bring consumers to retailers (consumer’s search, select and shopping online). Payments is the last (easiest) part of this cycle.

Analysts (such as Morgan Stanley) are keen on Paypal’s chances as they survey merchants likely to use Paypal’s new services. This research is backward looking, as merchants don’t understand what new services will do for their business, and new value propositions are not yet in market. Paypal won market adoption because of its ability to make commerce easier (consumer) AND deliver benefit to Merchant. It is no longer cost competitive in EITHER as other entrants can offer service at BREAK EVEN costs to support their overall PLATFORM business.

Investor Impact

PayPal Competitors will:

  • Drive reduction in off e-bay take rate.
  • Introduce new P2P products
  • Take lead in orchestrating commerce
  • Destroy Paypal’s funding mix advantage through use of debit

Paypal generates 64% gross margins from online transactions. PayPal’s blended cost of funds is 104bps, with fraud costs of 30 bps. For total cost of funds = 134 bps.  2Q13 Take rate was 379bps, of which cross border was 22% (250bps fee for cross border).  Standard Merchant fees are published and tiered (See pricing), with average domestic of approximately 300bps.

Google’s merchant pricing for InstantBuy currently brings pricing down to 160bps, with Facebook, Amazon and MNOs/Payfone capable of matching.

2012 Off eBay payments revenue was $5,146 (on $97.2B TPV), which includes both remittance and commerce volume. I don’t have good numbers on breakout here, so let’s assume Commerce represents 80% of off eBay payments revenue = $4B , with US taking approximately 50% ($2B).

Revenue at risk is US eCommerce revenue * (competitor take rate/current take rate ) =

$2B * 160/300 = $1.07B  ( 7.6 % of total 2012 revenue of 14,072MM)

Google has also announced a rollout of a Gmail P2P money transfer service, as will Facebook.. In my view Paypal’s entire eCommerce revenue is at risk.. with their only advantage (DDA integration/cost of funds) lost because of new Debit pricing of $0.07 cents.  This is not just a US thing, or a mobile thing, or a POS thing.. this is EVERYTHING.  They have no competitive differentiator… and are not positioned well to compete in ORCHESTRATING COMMERCE.

In 3Q13 we will see at least 3 major eCommerce initiatives launch which will impact Paypal

#1 Google InstantBuy (keep your processor and save on every transaction)

#2 ATT/Verizon Payfone

#3 Visa/Mastercard V.me/Masterpass

Networks are also changing the rules to make Paypal’s life more difficult. Example is Mastercard’s 35 bps staged digital wallet fee which ONLY impacted Paypal.

I’m short on eBay…. the reasons are above.