Google+Softcard Levels Field Against Apple

24 Feb 2014

Well done Google. As predicted last month, Google announced last night that it had acquired “some exciting technology and IP from Softcard”. The price? My guess is around $50-60M, plus multi year revenue share (below). This is a FAR cry from the $3-$4 BILLION that these same Mobile Operators wanted for “NFC RIGHTS” in 2011. Google proposed a rev share back then too.. but MNOs were convinced they could go it alone. After dropping almost a billion in ISIS/Softcard with no future revenue of any kind in sight the drivers of the deal were obvious. Not only did carriers need an exit for their investment, they needed a partnership that gives them a role in the future of mCommerce.

What technology will stay? The SE Keys and the vending machine acceptance terminals.. seriously.. 98% of what ISIS/Softcard was is completely dead. My biggest unknown? I would love to see if Amex Serve could pick up the pre-paid card from Mastercard.. as the banks wanted to beat up my good friend Ed McLaughlin for doing what I still think was one of the best most innovative deals ever (Google pre-paid).SONY DSC

What did Google get? MANDATORY GOOGLE WALLET. That’s right, now EVERY ANDROID phone sold by the carriers will have wallet installed. This addresses a key advantage that Apple has in mandating an iTunes account (with credit card) for activating the iPhone. Apple’s brilliant registration process allowed it to know its customers (ID, card on file) where Android/Google did not. Many analysts believe that this ID/Payment deficiency is THE KEY reason why Apple’s environment is 8x-10x more profitable with less than 20% of the handsets. Now Google can compete in all things which require identity+payment. Not JUST in buying apps/music in Google Play, but in orchestrating commerce and brokering identity. I cannot understate the win here for Google. A brilliant move, and I firmly believe that this was the primary driver of the deal. Don’t look at this as a ApplePay competitive thing, it is about enabling Google to identify every Android holder as a default “opt in” during phone activation (iTunes Account Mandatory = Wallet Account Mandatory).

The Carriers? A partner that will share revenue. Where Apple takes 15bps for itself, my guess is that Google will give that to the MNOs, plus some revenue share for play services. My TOP 2015 prediction was that this would be the year of partnerships.. This is certainly my top new one for the year. MNOs are losing sleep about Apple’s unmatched “walled garden”, no one plays but Apple here. Google is developing an open model and this deal may be the first template for MNO/Platform revenue sharing.

Banks? Google will likely slowly “roll out” of its Google Wallet Card (also see TXVIA blog) which wrapped all other cards in a Mastercard Debit. Banks will be able to sign up for Google Wallet through network agreements just as they do for ApplePay today (at same rates/rules). This will mean that the networks will provision bank cards as tokens, and that Google will also benefit from forthcoming CNP token rules this summer. The primary difference in GW operation is HCE+Tokens (see blog). The Google Wallet model is not dependent on the SE Keys, or SD storage.. but it CAN operate in a non HCE model (from its GW 1.0 lineage).

Payment Networks. BIG WIN. Cards are the defacto standard for everything in mobile. I’m interested to see if the networks recognize (certify) the HCE card emulation application, as of 3 months ago it was still not certified. My belief is that they certify as part of tokenization scheme acceptance. This is a funny side story in itself. Most would ask how Google Wallet could run a non-certified card emulation app. Remember that the ONLY card being emulated was a Google owned mastercard debit.. just a brilliant work around. Note that in ApplePlay, Apple operates as a tier 1 token requestor in the current ApplePay model, and V/MA/Amex are tier 2 token requestors (see this excellent blog by SimplyTapp). In the Google model Visa and Mastercard will act as both Tier 1 and Tier 2 token requestors.

Big Losers? Samsung. OUCH!! No wonder they had to buy loop. Their new wallet strategy was to have a DUAL NFC/LOOP wallet. Google just got all the SE keys for the Samsung Phones. This means that Samsung’s wallet will only work on new phones.. a rather rough place to start.  Paypal.. with the birth of a new CNP scheme this summer driving ApplePay and Google Wallet beyond Apps to mCom checkout.. Paypal has no future in Mobile…  Except in emerging markets.

More to come.. but wanted to get this out today.

Structural Changes in Payments

2 January 2015

Today’s blog is focused on discussing the structural changes influencing consumer retail payments in the US. For those interested in looking at a broader global view of all payments, I highly recommend reading the Cap Gemini World Payments Report (https://www.worldpaymentsreport.com/) .

Payment Value - highlighted

Payments have been a focus of mine for 20 or so years… it is perhaps the MOST interesting of all network businesses. Payment is a critical part of commerce and a product of it. It is the event in which almost every commercial contract is based upon. Payments can be simple (cash), complex (bitcoin), and political (interchange, rules). Payment efficacy, reliability and data are important to: consumers, merchants, banks, governments and economies.

Globally, electronic payments are still in their infancy, which makes investing in it so much more exciting. For example, over 90% of the global electronic transactions occur in the top 10 markets (representing less than 10% of the world’s population).  This would seem to point to a future where electronic payments (and the banking/commerce they represent) are poised to grow geometrically as the number of nodes grow. There is a chicken and egg argument here.. are payments the result of strong economic environments or are they the enabler? Perhaps a bit of both, but finding markets where they are growing (ie Brazil, Peru, Philippines, Kenya, … ) are worth exploring (Democratizing Access to Capital – see blog).

Not only are payments poised for exciting growth, there are also tremendous forces driving change within existing systems and networks. Investors must consider these structural changes impacting existing players across the entire value chain.

In its simplest form, payments are a brokering business which manages value exchange between two entities engaged in commerce. Logically, a broker must be removed from the transaction to maintain the trust of both parties, and deliver value through managing the financial risk associated with the transaction. My view is that Card issuing banks, have lost the neutrality of their “brokering” role by creating a card rewards system that incents card use (paid by the merchant). However, this ideal “neutral” world is NOT the nirvana that we should seek, as no one would invest and we would be stuck with cash (and SEPA in the EU .. see blog).

Complexity in payments is driven by the quest for control and margin of the various participants, not by necessity. This is what makes understanding payments so hard…. most of the changes are not logical, but political. The friction (inefficiencies and illogical design) in payments is what makes them work. As I’ve stated before, no engineer would design a payment system to operate the way we do today (see Push Payments). Thus there is beauty in this chaos! The V/MA model created incentives for 1000s of banks to invest in payments, and I doubt if we will ever see any other companies that could repeat this feat (thus my V/MA personal investments).

What changes are likely to impact the world’s oldest profession in the next 10 years? My list (in order of impact)

  1. Risk and Identity
  2. Data/Commerce Value
  3. Consumer Behavior/Trust/Acceptance
  4. Issuance/Customer Acquisition/HCE
  5. Regulatory/Rates/Rules (Fees)
  6. Mobile/Payment in the OS

#1 Risk and Identity: Authentication and Authorization

How would you authenticate someone’s identity? Best practice is to validate a combination of what you are (biometric, image, DNA), with something you have (mobile, token, OTP FOB, …) and something you know (shared secret). Apple’s new iPhone 6 is the first major consumer device that can manage all 3 securely. It is truly revolutionary.  The ability to authenticate a consumer eliminates fraud risk, and thus impacts both Account Opening and Transaction Authorization.  Both of these services in turn impact the “core” banking relationship (see Future of Retail Banking).. How do consumers choose a bank? A credit card? What is the value proposition?PIN Fraud Rate 2013 Value

Before there is payment there must be an account in which to pay from. The key to opening an account is identity (Regulatory KYC or Know Your Customer). Account Opening has been automated (and online) for over 10 years. In 2004, my team at Wachovia was the first in the world to introduce instant account opening (online) for deposit accounts (Credit Cards were just 2 years ahead of us..). 10 years ago I used products like Equifax accountChex or EWS AOA (Validating questions based on prior financial history and credit bureau data), today could I use Apple!?

Identity and authentication is changing rapidly, and if the first two paragraphs were not already enough to ponder on this topic, we must mention Bitcoin. As opposed to authenticating the person to give access to funds and services, bitcoin authenticates itself enabling the holder to be anonymous. It is a self authenticating instrument.. imagine a dollar bill that can tell you it is genuine with 100% accuracy.  Self authenticating instruments exist independently of the holder and are a store of value (ie, Gold, Bitcoin, …etc). Normally there was physical presence required to exchange self authenticating instruments (exchanging gold), bitcoin changed all of that. A virtual self authenticating instrument that can be exchanged remotely and cannot be tracked (easily). Whereas payments are instructions move money (value) from one bank (store of value) to another, a bitcoin exchange is value exchange (not instructions). bitcoinhow-100032615-orig

The power of bitcoin to disrupt payments, companies, government, economies, .. cannot be understated.  How could any central bank manage money supply in this model? How can you tax something that cannot be tracked? The growth challenge for bitcoin is in “connecting” to other payment networks and regulated entities (ie cash out).  Unfortunately the entities which benefit the most from bitcoin are those that seek anonymity… which of course impacts the willingness of mainstream (regulated) institutions to accept it.

Fraud and Risk

As you can see from picture above “risk” in payments has several components: credit risk, settlement risk, fraud risk, regulatory/AML risk, … etc. Fraud risk is the area in the most flux, both WHO owns the risk and HOW it is managed. In the US Card Not Present transactions follow the pattern of ACH and Checks in that the originator of the transaction bears the risk of loss. In a retail transaction, that is the merchant. applepayinapps

Risk and fraud management were historically the key areas where banks excelled and differentiated (big banks have multi billion dollar investments), but the merchants and platforms have now passed banks in their ability to manage it. This mobile authentication advancement had rendered the multi billion dollar bank risk investments moot (for mobile initiated payments).  Proof is in the picture above (see Federal Reserve 2013 Payment Study), all fraud has fallen tremendously! Both for Card Present, Card Not Present and even for Checks. Why? As the former EVP of a Kleiner Perkins backed Fraud Prevention company I’m not going to give you all the details, but suffice to say that identity plays a key role. Paypal, Amazon, Google, Apple all have fraud rates under 8bps, some have the around 3bps.  These numbers will get better for Apple and Google as mcommerce starts to take an ever larger share of eCommerce (see my previous blog) and they bake in biometrics into mobile payments.

A key point that investors must understand here is that the large CNP merchants have gotten so good at managing fraud, that they could care less about a liability shift. What they want is a rate reduction (risk based pricing).  After all, if you could manage fraud at a rate of 3-8bps.. what work is the bank doing to justify taking 240 for payments? The Paypal investors read this and say “ahh.. Apple and Google want to become Paypal”.. No they don’t! while Apple/Google COULD assume all the functions of Paypal, their role as commerce orchestrators is of FAR greater value. In this role you must not force a consumer to a merchant, a good, or a payment instrument. “Let the consumer decide” is the common mantra across the Google, Apple, Amazon.

The investor impact is complex. Large merchants have proven ability to manage fraud and risk, and want the consumer to choose the payment instrument of their choice. Banks ability to differentiate in managing risk is greatly reduced, and the cost of issuance/acquisition is dropping to 0. Banks have proven incompetent at creating a Visa/MA replacement. What are the levers in negotiation? How will merchants negotiate a lower rate?

The path in Europe, Australia and the US (Durbin/Debit) has been driven by regulation. No one likes having regulators define the rules, but my investment hypothesis is that there will be a very large TILT of Visa/MA toward the merchant. This will address the both regulatory pressure, and open up new revenue streams surrounding data (below). This tilt means moving rates in the direction that retailers want, creating new rate tiers where risk and identity can be managed by the merchant/platform. Remember Apple is getting 25 bps for their service, the next logical move would be make this same “discount” available to anyone that can drive down risk. Personal-Data-Ecosystem-Diagram-from-FTC-Roundtable

From an identity perspective, Google and Apple have authentication as the CORE feature of their mobile platforms.. it is key to everything they do in mobile. See my blogs on Brokering Identity Authentication in Value Nets, and Authentication – Key Battle for Monetizing Mobile for more here.

#2 Data and Commerce Value

The comments below are largely taken from my blog Banks, Non-Banks and Commerce Networks. As a side note, this is the focus of my new Company: CommerceSignals. We are working with the Fortune 50 to serve as the neutral broker, one layer above the network, supporting companies working together offline and in mobile.

Today, every issuer and card network is chasing after American Express and Alliance Data Systems. Both ADS and Amex have made SUBSTANTIAL progress in working with merchants to deliver new value to consumers. AMEX and ADS have the benefit of working in a 3 party model where they own both the merchant and the consumer relationship.  As I’ve stated before, I believe these 2 companies are 3-5 years ahead of everyone else. Is this data stuff delivering any revenue? Market Size AdvertisingFor ADS the answer is a resounding yes, for Amex the benefits seem to be less direct and more on customer loyalty/spend/engagement. See my blog on Amex Innovation Leader for more details.

Think about the battle in connecting networks, as each of us have limited resources we can connect only to a finite set of “hubs” (unless there is some larger orchestrator). Examples are Wikipedia and Google… these serve as the directories of information. It is almost IMPOSSIBLE to displace an efficient hub. This is why I love Visa, MA and Amex. If they can shake the issuer “tilt”.. and add a few merchant friendly services, they could leverage their networks in many new ways. The revenue opportunity? Payments in the US is roughly a $200B business (issuers, acquires, processors, networks), whereas marketing is $750B (in US).Infographic_Showrooming-lg

Payments work well, but so did the Sony Walkman. The bets that Google, Apple, Amazon, Facebook and others are making is on value orchestration. Does this involve payment? Not really.. at least not as a primary focus.. Payment is there.. but orchestration is about commerce; payment is just one of many important processes (See blog Payment in the OS).  Don’t look at payments as something in isolation, payments are the “connections” made in commerce; they are made for a purpose. Visa and MA also have the potential to expand their “traditional network”, but this must involve a separate agreement with separate rules.

Payments = Network

Here is my network view. Payments are the connections of the GDP. If we were to map payment flows, we would unlock a map of the global GDP at the micro level, from employment to shopping, behavior and preferences, to demand and supply. Free information flow on the internet is enabled through openness and a single primary protocol, whereas payments operate within 100s of proprietary networks with a complex series of clusters and “switches” (there is effort in connecting, authenticating and managing risk). Just as it would be nearly impossible to change the protocol for the internet, it would be difficult to bring fundamental change in payments (see Rewiring commerce).  Now think about the value of payment data. Connecting business is much different than connecting information (the core of CommerceSignals.. but I digress).

From a network strategy perspective, the business opportunity of changing “payments” pales in comparison to the opportunity to influence connections in commerce, banking and manufacturing. Payments support business and consumer needs; they do not alter their path. This insight is the downfall of bank payment strategies around “control”, and their inability to “tilt” toward merchant friendly value propositions.

A top 5 retailer provided my favorite commerce quote

“I think of Commerce as a highway, the payment networks are like a toll bridge. I don’t mind paying them $0.25 to cross the bridge, but they want to see what is in my truck and take 2-3% of what is inside. Hence I’m looking for another bridge… “

ADS, Amex, Google, Amazon, Facebook, Alibaba, V, MA all understand this. Rather than charging toll for crossing their bridge, these networks are beginning to execute against plans to grow the size of the goods in the merchant’s truck.

Existing networks have an existing value proposition, and many don’t like to have their services leveraged by competitors, thus there is a much more highly “regulated” flow of information. Intelligent use of data increases the effectiveness of networks in a way that also benefits consumers. Tilting more toward merchants and consumers.. means tilting away from banks. This is VERY hard for a bank to initiate. It is a change worth making however, as assisting merchants (or consumers) is what brokering is about. My firm belief is that both V and MA have the opportunity to grow Revenue 4x+ in the next 5-10 years. Their principal challenge is to “tilt” their models away from Banks and toward the 2 parties that matter most in commerce: Merchants and Consumers.

#3 Consumer Behavior/Trust/Acceptance

Perhaps nothing matters more in business than consumer behavior (see Consumer Behavior: Discerning and Capturing Value). In payments we learn over and over again that behavior changes slowly in 20 year cycles (Checks, Debit Cards, ATMs, Mobile). Any investor looking for payment innovation should run away unless there is some underlyibranch visitsng commerce value proposition. Payments work REALLY well its everything else that is broken (in OECD 20 countries)…. Among Payment innovators/founders there is a common saying.. you only start ONE payment company.

It is easiest to find the hotspots in payment by looking first for the changes in consumer behavior. For example, the tremendous change in how consumer’s are using their phones, as I outlined earlier this week in eCommerce/mCommerce Convergence.  The banking relationship is also changing, as customers visit branches less than 3 times per year, and the billions spent on huge buildings, huge vaults, sports sponsorships and brand names gives way to value.

Brand reputations for 2014 just came out last week (see Venture Beat), with Amazon, Apple, Google topping the list. How did these companies earn this reputation? Through consbank likabilityistent daily interaction delivering value in every interaction. Value delivery and interaction are my key metrics for assessing investment and focus; both are key measures of consumer behavior and trust. There are many strategies: whereas Google engages with the average consumer 10-50 times per day (winning in frequency and insight), Amazon has a lower interaction but a much greater impact on transaction (value delivery), Apple’s interaction is more holistic within a much more affluent base, Facebook’s is more social.

If I were to outline one KEY point to my bank friends it is this: you can’t reach consumers where you want them to be.. you must reach them where they are. This is the essence of why most bank strategies to engage are failing. Consumers choose to go to Google, Apple, Amazon because of the value and service. As the charts above show, most banks are challenged to deliver value within the core banking products they already delivery, why would any customer want to use a new service in this environment. Thus Bank’s efforts are ill suited to drive a deliver products outside of their core, and outside of existing consumer behavior, banks play a role in SUPPORTING commerce.. not leading it (see Card Linked Offers).Measure Data

Apple is the greatest company in the world in delivering value, experience and changing consumer behavior (see blog Apple and Physical Commerce, and Consumer Behavior). Apple’s reputation is well deserved and earned “the hard way” by remaking: phones, music, mice, computers, apps, …etc.  Through consistent delivery of value within fantastic hardware delivering great (and fun) consumer experiences they earned trust for their products and brand. The greatest NEW opportunity for Apple to influence consumers beyond the individual (music/contacts/calendar) and eCommerce (browser, apps) to the real world: Commerce.

Unfortunately Apple is inept at partnerships, even within its own supply chain. While apple has the talent to accomplish this, their commerce, payment and ad teams are buried within a hardware culture. They will only succeed if they are spun off into a separate division, thus my view is that there is a very low probability of Apple acting in an orchestration role across 1000s of Banks, millions of retailers and billions of consumers. If they did move, it my recommendation (and guess) is that it would be a consumer centric orchestration role as I outlined in Brokering Identity.

One technology (and behavior) I’m keeping an eye on is Beacons and mobile use in store (engagement). Qualcomm Retail Systems spun off the IP around Beacons to Gimbal with Qualcom and Apple both rumored to have 30-40% of the equity. Today Retailers are the entity best positioned to change consumer instore activity for 2 reasons: they alone know consumer product preferences, and they physically touch the consumer (trust, value, presence). See Retailers as Publishers , and Apple iBeacon Experience for more detail.greendot

#4 Issuance/Customer Acquisition/HCE

Now this is a mixed bag of topics. What is fundamentally changing in card issuance? Most of you know I ran remote channels at both Citi (06-07) and Wachovia (02-06). Today, most new customer bank accounts are originated online as branch visits go down and direct mail (the old way) even directs the consumer to this “instant” channel.

Historically I had to spend about $150 in marketing for every new card customer, and around $80 for every new deposit customer. Banks still incur roughly these same costs, but prepaid cards have an acquiring cost of less than a tenth of this cost (See Future of Retail Banking: Prepaid). In this pre-paid model banking products sit on a shelf in a retailer and compete for customers just like shampoo and candy bars.

I would challenge all card participants to think about the credit card product… what delivers value? what about it is unique? how do consumers view it? how is it part of a great consumer experience? When you leave Disney World do you think wow.. buying the ticket with my card was just fantastic? How are new customers acquired? Who benefits when cost of issuance is $0? Is charging the average consumer 12-16% on a card, paying them 0.2% on their savings charging merchant 2% a great model?  Do you think that there is room for improvement? Where do retailers win (ADS, Private Label, Co-Brand, )?

What prohibits you from having 20 retailer cards in your wallet today? Bank card issuers will roll their eyes, but you can not understate the influence that trusted retailers have in consumer decisions. Take this trust together with direct sales force and frequent consumer interaction and you have Private Label and industry whose cards outnumber everyone else’s by a factor of 2. As this week’s Morningstar article on Private Label shows, private label (the largest card segment) is making a tremendous comeback.Private label market share

Citi, GE (now Sychrony), ADS, HSBC are leaders in this space, with ADS advancing most in use of technology. Retailers like Nordstrom, Macy’s, Sears and Kohls are fanatical on their private label program, as their most valuable customers use this product. All new customer experience must first address this base, which you can see is one reason why we don’t see ApplePay being pushed here at all. As I described in Retail 101 (and What do Retailers want in Mobile), most retailers don’t know who their customers are today. Private label and Loyalty programs solve this problem.

Let me throw in a little tech now. I’m on the board of advisors of SimplyTapp, the company that created HCE. Instant issuance is key to everyone in the card space, why wouldn’t every retailer want to enable a private label card if card issuance cost is $0!? Credit worth customers can get store credit, sub-prime get decoupled debit (see Target Red Card) and everyone else gets a loyalty only? I believe we will see this happen, not only within MCX but within platforms like Google, with PL managers like ADS and Citi. This is the strategy focus of the top retailers… (focusing on their top customers).Private Label Profitability

My bet on the future of Google wallet is that it will be very merchant and consumer friendly, enabling them to uniquely integrate to 100s of merchant platforms to create great consumer experiences. This linking of PL, Loyalty, in store, maps, mobile, advertising is value orchestration.. but it all starts with consumer opt in. The opt in is both to merchant (private label/loyalty) and to Google. See blog Host Card Emulation for more background.  Google made the right technical move in HCE, but it dropped the ball in enabling merchants through last mile.. not a technical limitation .. an educational / awareness one.

Do I believe that the world will go private label!? No, it will be at the margins. My view of Visa and Mastercard have changed over the last 2 years. Before I was much keener on the development of a new scheme, but no more. Why? How many networks can you list where millions of participants have invested billions of dollars to make it work? Visa has 1.7B cards and 36M merchants.. how could anyone compete with this? This network works REALLY well, with the only issues with their network are in their control (merchant costs and rules).

#5 Regulatory

From a regulatory perspective, the US retail payment system has been impacted by the Durbin Amendment and the EU to an even greater extent by SEPA and PSD (see my blog).  Most of you have also read my token blogs outlining how the US banks were planning to build a new payment network to compete with V/MA (Now dead).  If someone has a info-graph picture of global acceptance rates I’ll put it in here.. but suffice to say that airline ticket pricing has NOTHING on the complexity of payment pricing.

Visa and Mastercard are largely insulated from the regulatory driven pricing changes, as the issuers continue to bare most of the impact. The EU has created a payment nightmare environment with “cross border” Credit card merchant interchange (MIF) at 30bps starting in later this week Jan 1, 2015 (see article and Visa’s response). The EU can not mandate change within country (domestic transactions), but there will be a race to the bottom in fees.

EU competition commissioner Margrethe Vestager claimed that interchange fees are a form of tax levied on retailers by banks and said that the new legislation would reduce those costs and “lead to lower prices and visibility of costs for consumers”.

Ms Vestager may be correct from a transparency perspective, but SEPA and the PSD put governments into the brokering role with no incentives for intermediaries to invest.. making payments a nearly free infrastructure service (with agreement of consumers and merchants). Network work best when there are shared incentives, and minimal regulation.  I believe Visa and Mastercard will work with new vigor to build relationships with merchants and deliver value, to head off the regulatory driven approach. Unfortunately Europe is already too far gone for this to work.

A prediction (next week’s blog) will be merchants providing greater influence in V/MA rules.

#6 Payments in the OS

My blog from this week: Payment in the OS

card-financial-compete view

Comments appreciated.

What do Retailers Want in Mobile?

1 Nov 2014

Money2020 is next week, and I’m moderating the ApplePay session on Tuesday at 5pm… hope you guys can come. I’m more than a little sad that I can’t get any retailers up on stage with me. Why? The top 60 retailers are in MCX, and it makes little sense for them to get on stage and tell the world what they are NOT going to do and why. As I’m preparing to leave for Las Vegas tomorrow, was thinking “what could I write about? What unique perspective can I offer?” Well given I can’t get them on stage with me, let me try to articulate the Retailer’s view of the world. My twitter feed is blowing up as I work to explain why CVS and Rite-Aide turned off NFC. Please know I’m only trying to give perspective…

Payment Services are a brokering activity between two entities engaged in commerce. Logically, a broker must have the trust of both parties, and deliver some sort of value in managing the financial risk associated with the transaction.  Within Consumer Retail, Visa and Mastercard evolved from Bank owned exclusive networks of the 1960s (see History) to ubiquitous independent payment networks. Few remember that back in the 1960s, merchants took either Visa or Mastercharge but not both as the Merchant’s acquiring bank could only be a member of one of the networks. For merchants, the value proposition was clear: consumer credit.

Payment networks thus evolved from a closed and focused value proposition, to a settlement “infrastructure”. However the rules and governance process by which many parties (merchant, acquirer, processor, issuer, network, VASP, …etc) participated in defining operation of this “brokering” activity did not evolve. This is the central issue restricting the future growth of Visa and Mastercard. One I believe both are acting on. My firm belief is that rebalancing network rules will unleash a massive new phase of value creation for these networks.

Let me take a quick side bar here..

Network Theory – Openness

As I’ve stated many times, closed networks always precede open networks until scale is reached (Building Networks and “Openness”, 2011). Weak Links (nodal affinity) influences network creation, and there are VERY few open networks which exist in Nature. This is logical as Networks form around a function rendering generic open networks less “efficient” than specialized networks around any given specialized need.

Scale-free distribution (completely open networks) is not always the optimal solution to the requirement of cost efficiency. .. in small world networks, building and maintaining links between network elements requires energy…. [in a world with limited resources] a transition will occur toward a star network [pg 75] where one of a very few mega hubs will dominate the whole system. The star network resembles dictatorships in social networks.

-Weak Links

Networks NATURALLY form around a function and other entities are attracted to this network (affinity) because of the function of both the central orchestrator and the other participants. Open networks (internet/TCPIP, Visa, NASDAQ, … ) succeed where a common infrastructure benefits MANY NETWORKS.

Visa and MasterCard have transitioned to become common network infrastructure, a position FAR MORE valuable than that of a closed credit delivery system. They are a network of networks. However their rule making and governance processes do not match the other open networks listed above (NASDAQ, Internet, …). Most Banks, have also lost their traditional role of “brokering” and risk management (in retail) by creating a card rewards system that encourages card use paid by the merchant. This creates a brokering incentive separate from the commercial transaction… impacting brokering independence.

What do merchants want? A neutral broker!!

A top 5 merchant told me a few months ago “Retailers like Starbucks have proven that we are best placed to deliver value and influence consumer behavior. I don’t want to force my consumers to do anything, but similarly I want to networks that let me play on an even field. These next 5 years are going to be complete chaos for consumers. What do we want them to do? Swipe, dip, chip, pin, tap, QR…? We have been planning for EMV for 3 years… am I really supposed to jump to Apple in 4 weeks?”

MCX

These guys are good friends of mine, and I think their business vision is well placed. They want a network where they can play on an equal footing. A neutral broker.. or at least one where they can have a seat at the table when rules are set. Will MCX be a massive success? It depends on the consumer value proposition. Are the merchants motivated to work together in creating a neutral broker? Hell yes.

One merchant said it this way “Tom I didn’t think we would ever have someone more difficult to work with than Visa and Mastercard, but I was WRONG. Apple is a nightmare! At least we knew what was coming with Visa and Mastercard, with Apple they don’t talk to us, respond to our letters, or offer any kind of value proposition. Why on earth would I want to let another brand in my store without understanding what it will do for me? They are a great company, with great products, and certainly have a much better approach to data than Google.. but anonymity is NOT a value proposition, in fact Apple makes our efforts to deliver value to the consumer even harder as we have no defined way of using Apple to engage our consumers”. See Brokering Identity – Part 1, ApplePay and Merchants, Digital Transactions ApplePay Issuer Agreement.

Getting a card number from consumer to merchant is NOT innovation. There is just no problem here. My payment friends are already rolling their eyes. Apple does have great security and great ability to manage fraud.. but fraud losses for CP are 3.2 bps. What about store data losses? That is not “fraud”, and certainly a problem for merchants that keep PANs. Tokens do solve this problem… but so does better security, and more intelligent approach to tracking loyalty. Apple must move to create a merchant value proposition, and define how they will help with consumer engagement. I believe Google will far outpace Apple here.

Retail is a zero sum game.. I’m not going to buy MORE gas and groceries.. differentiation is about switching, product selection and pricing on data, ..the fluxonce this flux dies.. steady state resumes.  Perhaps all iPhone owners will only shop at whole foods, but data shows that consumers don’t make decisions this way. In fact payment is not in the top 5 reasons for consumers choosing a new iPhone.

Why are MCX merchants turning off NFC? To give themselves a little breathing room, make Apple create a merchant value proposition (engagement), get a seat at the table in a new network, and help to establish a consumer behavior that works for them too (Most Important Payment Race: Consumer Behavior, Apple’s Platform Strategy: Consumer Champion ).

What do Retailers want in Mobile?

Following from my big blog Static Strategies and the Rewiring of Retail.

  • Consumer Engagement
  • Consumer Acquisition
  • Consumer Loyalty
  • Allow Retailer to be in control of data
  • Partners that allow Store’s brand front and center
  • A Partner either IN CONTROL of the consumer experience (Apple/Google) or one that already has massive consumer adoption (ie Facebook).
  • Creating a fantastic customer experience from end-end
  • Ability to manage campaigns, data or your business
  • A Partner that can reach/influence consumers WHERE THEY ARE.. not where you want them to be.
  • Payment..? I guess if that comes too… 

shopper marketing

How will this play out?

  • Much has been made of the MCX contract provisions that prohibit participating retailers from allowing other forms of mobile payment. This is just not accurate. Any retailer can choose to turn on NFC, any retailer can sign up for MCX. Can an MCX retailer turn on NFC? Yep.. Large retailers are not participating in ApplePay because Apple has completely failed in a merchant strategy, they have not articulated one, nor have they worked directly with merchants. This is really no different than Apple’s failure to work with Banks. Banks are just fuming over the take it or leave it terms Apple offered to them. Merchants had no terms…
  • Apple will rollout a merchant friendly beacon product, and loyalty product for consumer engagement in next 6-9 months, this will also include a renewed focus on BLE. The product will fall flat until they can create an new merchant organization. Google has 4,000 sales people working with merchants, apple has around 16… so it is a big task.
  • Apple will ROCK in App payments.. it will be their homerun… I will make a further bet: Apple will WIN in every situation where they can control the consumer experience from beginning to end.
  • Visa and Mastercard are beginning a shift toward the merchant. They may not win the top 60, but Visa has 36M merchants.. that leaves 35,990,940 that will be open to new ideas. These are my biggest personal holdings, and I know both of the CEOs. Everything I’ve written here they know already.
  • Consumer authentication is VERY disruptive to retail and banking. As Ross Anderson said “if you solve for authentication in payments.. everything else is just accounting”. The need for an independent broker and their services are dramatically different if either the consumer or payment can be authenticated (ie cash, bitcoin). Why do you need a payment product at all? Just present the identity to the bank. This is what Sofort/Klarna does… Why not do this? Because the banks have no ability to MONETIZE the transaction (no merchant agreement). There are many better ways to leverage authentication, but no other ways to currently MONITIZE IT (outside card). Perfect Authentication… A Nightmare?
  • Apple is pursuing an “anti-google” approach: keep no data, closed platform, control everything. Google is 2-4 years behind on platform security.. but is catching up. The Google platform is much easier to build in and control (ex HCE), but consumer adoption lags as each Android participant must move consumer to their vision. Apple has successfully delivered security and authentication, but has not laid out a way for many apps to leverage it. Retail is a REALLY big business, with 1000s of specialists. It cannot be throttled by one company.. thus Apple will work fantastically in environment it can control. (sorry to restate).
  • ApplePay and overall contactless adoption will begin with small merchants and infrequent purchases. Most phones have the capability today. MCX will not stop contactless.. but it will impact consumer behavior substantially

ApplePay Vs Google

  • Is NFC/Contactless Acceptance required as part of EMV rollout? NO!!  This is the most widely held mis-understanding. While the large terminal manufacturers have no products in their official product list without contactless, the top 60 merchants order bespoke or custom terminals to fit their needs.

Banks/Non-Banks and Commerce Networks

Banks/Non-Banks and Commerce Networks (Why I love V/MA)

27 July 2014

This blog has been in 50% mode for 2 weeks! Obviously summer is not my productive time (I must be German). There will be a noticeable change in my blogs these next few months as I work on a newco launch. Blog will therefore focus more on concept, much less G2.  This will be a transition piece…

What is the benefit of becoming a bank? Would Paypal buy a bank? That is the rumor… I have no idea on this one.. 0% confidence.. my guess is no way. There are some great payment+bank companies (Amex, Wirecard and Alliance Data), and some great payment non-bank companies (Visa, MA, Stripe, Paypal, …etc). What are the business drivers of becoming a bank? What are the Pros/Cons?

Summary

For those without time to read below, a bank license brings on enormous compliance cost and restricts: what business you can do, how you manage consumers and their data, and what risks you can take. The upside for being a bank? You get to take risk with other people’s money. Simply put, any company contemplating a bank license must have a business plan MORE dependent on managing risk than on orchestrating commerce value.  Today there are many bank licensed “specialists” which support non-banks (TBBK, Meta, Alliance Data)… so why would you want to become one? Paypal is on the fence here, as historically they won in eCommerce because of their ability to manage risk (CNP Fraud). Do they want to grow in risk management? or in everything else?

When looking for the right regulatory structure of any company, we must assess their current network plans in the context of commerce AND banking. Not just how your network delivers value today… but rather how you deliver value in the future? Banks tend to make most of their money within their own node, whereas others in commerce are highly dependent upon other partners (manufacturers, distributors, agencies, sales, …). Electronic payment growth and network services are set to grow geometrically, yet payments are very very sticky and hard to change. This is the start up investor conundrum:  How do you make intelligent investments in payments/new networks? There are 3 basic options

1) Help others expand their networks

2) Build new networks

3) Build communities with minimal need to network outside of your environment (Facebook, Amazon, Alibaba, BANKS?…)

92% of all electronic transactions are done in the top 10 markets. (Cap Gemini’s World Payments Report is a must read). 90% of the worlds population is not connected to financial services. There is a n-squared dynamic when this takes place.

Many entrepreneurs, journalists and technologists miss THE CORE facet of Visa and Mastercard: a business platform where thousands companies invest billions of dollars. There is no way to compete technically with this business model, rather the ONLY way to “compete” is on value and services. Where Amex has the ability to deliver much broader and richer services (as they own both merchant and consumer accounts), they have a downside: no one else investing in their network (scale/adoption).

My firm belief is that both V and MA have the opportunity to grow Revenue 4-10x in the next 5-10 years. Their principal challenge is to “tilt” their models away from Banks and toward the 2 parties that matter most in commerce: Merchants and Consumers. Payments work well, but so did the Sony Walkman. The bets that Google, Apple, Amazon, Facebook and others are making is on value orchestration (in a new network). Does this involve payment? Not really.. at least not as a primary focus.. Payment is there.. but orchestration is about commerce; payment is just one of many important processes (See blog Payment in the OS).  Don’t look at payments as something in isolation, payments are the “connections” made in commerce; they are made for a purpose. These payment connections are rapidly changing from many environmental forces:

  • Internet flow of information,
  • Google enabled discovery
  • MNOs have enabled constant connectivity
  • Social has enabled reputation across activities
  • Online retail has enabled price transparency, comparison and product reputation
  • Changing of Bank roles, products and services
  • New Consumer behaviors

Payments = Network

Payments are the connections of the GDP. If we were to map payment flows, we would unlock a map of the global GDP at the micro level, from employment to shopping, behavior and preferences, to demand and supply. Perhaps this is why our government loves payment information. Oh.. the stories here.. (for another time). Free information flow on the internet is enabled through openness and a single primary protocol, whereas payments operates within 100s of proprietary networks with a complex series of clusters and “switches” (there is effort in connecting, authenticating and managing risk). Just as it would be nearly impossible to change the protocol for the internet, it would be difficult to bring abopayments pyramidut fundamental change in payments (see Rewiring commerce).  Connecting business is much different than connecting information (the core of my NewCo.. but I digress).

From a network strategy perspective, the business opportunity of changing “payments” pales in comparison to the opportunity to influence connections in commerce, banking and manufacturing. Payments support business and consumer needs; they do not alter their path. This insight is the downfall of bank payment strategies around “control”, and their inability to “tilt” toward merchant friendly value propositions.

A top 5 retailer provided my favorite commerce quote “I think of Commerce as a highway, the payment networks are like a toll bridge. I don’t mind paying them $0.25 to cross the bridge, but they want to see what is in my truck and takeUS Marketing Spend 2-3% of what is inside. Hence I’m looking for another bridge… “ (See Rewiring Commerce).  Google, Amazon, Facebook, Alibaba, Rakutan, V, MA, Amex, eBay all understand this. Rather than charging toll for crossing their bridge, these networks are beginning to execute against plans to grow the size of the goods in the merchant’s truck.

Intelligent use of data increases the effectiveness of the merchants, and in a way that also benefits consumers. Tilting more toward merchants and consumers.. means tilting away from banks. This is VERY hard for a bank to do. It is a change worth making however, as assisting merchants could meant 4x-10x of their current value creation (payments is roughly a $200B US business, marketing is $750B).

 

My favorite book on networks is Weak Links by Peter Csermely (viewable on Google Books here). If I had one book for you to read this is it. This book is tremendously arcane, detailed, technical, deep.. but I guarantee you that you will have a new view of commerce, banking, advertising, biology, social networks, payments, and society after reading it. In connecting to networks, each of us have limited resources. Therefore optimize our connections through finite set of “hubs” (unless there is some larger orchestrator).

Think about the battle in connecting networks, as each of us have limited resources we can connect only to a finite set of “hubs” (unless there is some larger orchestrator). Examples are Wikipedia and Google… these serve as the directories of information. It is almost IMPOSSIBLE to displace an efficient hub. This is why I love Visa, MA and Amex. If they can shake the issuer legacy.. and add a few merchant friendly services, they could drive 4x of their current value. Specifically, payments is roughly a $200B business, whereas marketing is $750B (in US).

Against this network strategy and services backdrop, there is an enormous transformation taking place in Commerce and Banking. In other words existing networks are evolving their services, as the “hubs” that they connect to (banks, retailers, manufacturers, aggregators, ..etc) undergo change within their “core”. See Remaking Retail, Future of Retail Banking: Prepaid?.

The regulatory/compliance “headache” for payment “innovators” revolve around connecting networks and engaging in non-commerce transactions. I’m not just talking about just small guys.. but BIG ones too (think Google, Apple, Amazon, Walmart, MCX, …etc).  Existing networks have an existing value proposition, and many don’t like to have their services leveraged by competitors (see Banking and Commerce: What is the Difference?, Don’t Wrap Me).

Banking Services

This leads us to Banking Services… expanding beyond commerce. This is area is very nebulous because of the complexity of regulatory authorities covering “banking” and money services. Here are just a few of the US regulators

saupload_110504jpm

What are Banking Services? Anything the regulators say are banking services. I’m not joking.. this is why I put the Paypal 2002 prospectus at the top. Banks are highly regulated, and the compliance costs are extraordinary. Regulators are attacking all things payments and banking with renewed vigor. Along with compliance constraints, there are constraints on how you can use data. As an example, my online banking team in Germany had to purge the server logs of IP addresses every 30 minutes (regardless of use for fraud).   (see Banking and Commerce: What is the Difference).

So what is the upside of being a bank? It’s certainly not the regulation or the mandatory compliance courses forced on every employee. The “benefit” of being a bank is the ability to take risk with other people’s money. Unfortunately, the BIG downside to being a bank, is that data can no longer flow outside of your organization. I cannot understate this limitation.

Banks have much clearer and hence stricter obligations as regards the sharing and protection of sensitive information, commonly known as ‘bank secrecy’. This matches the generally more extensive regulation of a bank, as opposed to the regulation of an ELMI or MSB.

Acquiring a new consumer financial account is hard, even if you get the consumer to create an account with you, you must get them to fund it, or take credit risk on them. These are the problems that banks have dealt with for 100s of years.
take rate

Banks have much clearer and hence stricter obligations as regards the sharing and protection of sensitive information, commonly known as ‘bank secrecy’. This matches the generally more extensive regulation of a bank, as opposed to the regulation of an ELMI or PI. Based on the same reasoning why non-banks require less strict regulation for their business and prudential risk involved, it follows that also their activities and also access and handling of certain information and data is restricted accordingly.

Would Paypal Buy a Bank?

Again, I have no idea here, but it doesn’t seem to make much sense. Considering a bank license is like watching flies in your kitchen window: the ones on the outside want in, and the ones on the inside want out.

For long time readers, I put together a blog about 4 years ago covering this topic Payment Startup: MSB or Bank? and US Payment Regulations.  As I outlined, there are very few payment regulations covering purchase of tangible commercial goods (this is true globally). We can see the evolution from PayPal’s 2002 prospectus.

We believe the licensing requirements of the Office of the Comptroller of the Currency, the Federal Reserve Board or other federal or state agencies that regulate or monitor banks or other types of providers of electronic commerce services do not apply to us. One or more states may conclude that, under its or their statutes, we are engaged in an unauthorized banking business. In that event, we might be subject to monetary penalties and adverse publicity and might be required to cease doing business with residents of those states. A number of states have enacted legislation regulating check sellers, money transmitters or service providers to banks, and we have applied for, or are in the process of applying for, licenses under this legislation in particular jurisdictions. To date, we have obtained licenses in two states.

How does Paypal operate today?

US

  • Licensed money services business in 47 states (all states which require one)
  • Bill Me Later, and paypal working capital are structured so that loans are originated by WebBank (Utah ILC). See this 2013 note on structure/issues
  • PayPal had been a market leader in “deposit” rates, through the Paypal Money Market fund (see Link). This fund was shut down in 2011 due to treasury rates/market conditions (see link).
  • A Discover partnership has yielded little fruit at the POS. Paypal had been claiming that there was an “exclusive” nature to the network agreement, whereas DFS was clear they could work around it by providing other services. (My blog on topic)
  • Paypal has been telling investors it plans to move to the POS, both with mobile, and an experimental paypal plastic card (running on Discover). Nothing is moving here, my guess is that JambaJuice is their #1 in volume and would be surprised if that had more than $50-$100M TPV ($1.5M-$5M in Revenue).
  • MasterCard pre-paid card for PayPal “balance” spend. I love this product, it is how I get cash out of my paypal account at the ATM.
  • Wells Fargo Clears Paypal ACH volume in US.
  • Paypal as strong acquiring relationship with Chase.
  • ADS partnership (see WSJ). In 2013 Paypal and ADS created a partnership with 3 primary components: ADS credit risk management (BML), Paypal merchant acceptance, Data/analytics/marketing at POS.

Europe

Asia

  • In Australia, PayPal serves its customers through PayPal Australia Pty. Ltd., which is licensed by the Australian Securities Investment Commission as a financial product
  • Per eBay’s 10k “In markets other than the U.S., the EU, Australia, Canada, Brazil, and Russia, PayPal serves its customers through PayPal Pte. Ltd., a wholly-owned subsidiary of PayPal that is based in Singapore. PayPal Pte. Ltd. is supervised in Singapore as a holder of a stored value facility.”

I see little upside for Paypal expanding it’s EU bank model to the US, as its current network assets and future opportunity revolve more around supporting commerce than managing risk.  Paypal’s current structure and partnerships (with ADS, Discover, MA, GE, …) provide the flexibility to deliver banking/lending services. For Paypal, Bank ownership would only hinder their broader efforts to deliver value to consumer (through data). Alternatively, a bank structure does work for other companies like Wirecard. The Wirecard bank model is a tremendous fit within a network where mobile operators serve distribution channels for financial services.

With respect to the Paypal/Bank rumors, my guess is that there is an “opportunistic” assessment going on .. and that this rumor is just one of the paths they have looked at. I also have a strong feeling that Discover is looking for a “partner/acquirer” that can make use of its network while it is still somewhat relevant.  Particularly since its M&A discussions with a top 5 bank 2 years ago did not happen.

 

 

Apple iBeacon Payment Experience

14 May 2014ibeacon

Last week I outlined what was coming out in the iPhone 6 from a capability/payment perspective. Today I will cover my best guess at the user experience, a 50% confidence guess…

Beacons

First a little about Beacons: Qualcomm is the technology behind Beacons and they just spun out Qualcomm Retail Solutions last week with external investors to form Gimbal. My bet is that Apple was in the mix, as Apple’s iBeacon is the brand and handset side of what QCOM developed and owns. Apple’s iBeacon appears to be dependent upon QCOM license (see Patently Apple). You can see the similarity in Apple’s patented logo with QCOM’s logo.

info_graphic29.24.13

Think of beacons as proximity devices with context. From QCOM

Gimbal proximity beacons complement GPS by allowing devices and applications to derive their proximity to beacons at a micro-level not currently afforded by GPS technology on consumer devices. A user’s mobile app can be enabled to look for the beacon’s transmission. When it’s within physical proximity to the beacon and detects it, the app can notify the customer of location-relevant content, promotions, and offers.

Here is a fantastic blog by beekn outlining how beacons operate and the advantages of the QCOM Gimbal platform. Beacons only transmit…they do not listen. Beacons can operate in a private mode where the UUID is dynamic and resolvable only within the Gimbal cloud, be public (Static UUIDs) where any application can read them, or registered as iBeacons  (see Gimbals as iBeacons).apple bump

Apple Patents

In January, the USPTO published a new Apple patent application: Method to send payment data through various air interfaces without compromising user data (see Patently Apple). PCT/US2013/049622. US20140019367

[0002] Devices located in close proximity to each other can communicate directly using proximity technologies such as Near-Field Communications (NFC), Radio Frequency Identifier (RFID), and the like. These protocols can establish wireless communication links between devices quickly and conveniently, without, for example, performing setup and registration of the devices with a network provider. NFC can be used in electronic transactions, e.g., to securely send order and payment information for online purchases from a purchaser's mobile device to a seller's point of sale (POS) device.
[0003]Currently, payment information such as credit card data in mobile devices is sent directly from a secure element (SE) located in a device such as a mobile phone through proximity interfaces, such as near field communications (NFC), without an associated application processor (AP), such as an application program in the device, accessing the payment information. Preventing the AP from accessing the sensitive payment information is necessary because current payment schemes use real payment information (credit card number, expiration date, etc.) that can be used to make purchases through other means, include online and via the phone, and data in the AP can be intercepted and compromised by rogue applications.
[0004] Thus, there exists a need for a secure method of executing a commercial transaction that is both secure and user friendly.

I believe the patent above describes what Apple is going to market with this October. There are several potential payment experiences depending on the merchant integration and the consumer handset. Specifically the patent seems to be written broadly enough where NFC is NOT a requirement for the “secure commercial transaction” referred to as the second secure link. As I stated Payment via BLE/Beacons will Still Happen, the issues are around:

  1. Issuer certification of tokens,
  2. bluetooth as the transport in the new EMVCo spec
  3. who will provide token assurance information and how will they be compensated, and to what degree will interchange be discouneted
  4. Treatment of token in Card Not Present (interchange)
  5. Merchant Adoption of NFC, Beacons and BLE

In the scenario of a new BLE capable point of sale, with a “second secure link” operating as BLE with the POS there is no need for a payment terminal at all.. and all iPhones with Bluetooth could interact directly with the POS (think Micros/Starbucks). Here is my short list of customer experience use cases

apple ibeacon options

Optimal Payment Experience

Here is my best guess and what Apple would like to have happen:

Set up

  • Consumer has BLE capable phone
  • Consumer enables Apple wallet and permissions payment with physical merchant
  • Banks have loaded tokens into Apple wallet for each registered card (see blog)
  • Merchant installs iBeacons near multi lane checkout, and registers location with apple merchant application. Another option would be to allow payment terminals to broadcast MID/TID beacons.
  • Merchant installs POS Bluetooth capability to receive consumer identifier and send total amount due, as well as eReciept.
  • Merchant payment terminals are upgraded to receive tokens through Bluetooth or other “Air Interface”

Experience

  1. Consumer walks up to cash register, beacons determine close proximity and wake up Apple payment application,gimbal-beacon-series10
  2. Consumer preferences are checked and approved merchants receive apple identifier, consumer loyalty card information, applicable discounts/coupons to the point of sale
  3. Merchant scans goods for purchase and processes loyalty, coupon, discount information
  4. Merchant POS (or payment terminal) sends total amount due to consumer phone directly via BLE based upon apple identifier
  5. Consumer receives notice on phone “Pay $100 to Merchant? Please confirm with fingerprint”
  6. Consumer validates transaction with fingerprint biometric
  7. Phone submits Card token to Payment Terminal via Bluetooth (not happening in October.. it will be NFC)
  8. Merchant processor routes token to payment network which translates and routes to bank for authorization
  9. Payment is authorized (as happens today).

October Launch Experience

Since Banks won’t support tokens over Bluetooth, Apple is stuck with NFC. The process is very similar to above, but my guess is that merchants will not be prepared to support the exchange of consumer information.. so it is iBeacon plus NFC only.

  1. Consumer walks up to cash register, a payment terminal beacon provides information to Apple payment application that it is close proximity to payment terminal ID xxxxx (TID),
  2. Merchant scans goods for purchase. No mobile processing of loyalty, coupon, discount information
  3. Merchant payment terminal cannot send total amount due since it does not have Apple handset information/UUID. So how will Apple do it? My guess is Apple will provide UUID to the Payment Terminal via BLE at application wake up to perform a “lite” checkin with payment terminal. Good news is that there would be no data connectivity requirements, but it requires a new payment terminal… For everyone else.. there is no total amount due (99% at launch).
  4. Legacy NFC. At application wake up,  phone asks “pay merchant with Apple wallet”?
  5. Consumer validates transaction with fingerprint biometric
  6. Consumer taps phone (NFC) and Card token presented Payment Terminal via NFC Merchant processor routes token to payment network which translates and routes to bank for authorization
  7. Payment is authorized (as happens today).

Apple’s biggest challenges?

  1. Merchant NFC adoption. Much of it is caught up in the fact that there are no debit cards in the mobile wallets (see blog Forces against NFC)
  2. Merchant adoption of Beacons and new payment terminals. No wonder Verifone is excited.. big merchants know this can all work without ANY payment terminal.. this is the big leap. The decision on payment terminal is now just nuts. EMV, EMV+PIN, EMV + PIN + BEACON, EMV+ PIN + BEACON + BLE…
  3. No business case for Apple in payments. Perhaps one of the reasons they are struggling to get an exec to lead this over there. Apple’s product people should ensure that their Treasury guys aren’t going to kill this thing. Banks know if consumers can’t choose their payment product that wallets will die. Apple should be focused on getting every single one of their 800M cards on file into the wallet, and ensuring the debit cards are added. This is key to making this work
  4. Organizational. No one leading
  5. Bank certification of Tokens in a Bluetooth transfer
  6. Token assurance information
  7. Merchant POS integration (see the optimal example above)

 

That is how I see it… comments welcome

Another good article on the overall Beacon/Retail Experience.

http://www.pcmag.com/article2/0,2817,2425052,00.asp

Secure Element, NFC, HCE, EMV, Tokens and Cards

7 May 2014

This blog is for my non-techie, non payment friends.. helping to make sense of all these acronyms.. experts may want to pass on this one.

The GSMA/NFC community is quite stirred up at the moment. This is quite understandable…  after all they spent 8 years perfecting their vision of NFC only to have it thrown under the bus by Apple and Google. I’m not knowledgeable enough to go into the depths of the protocol, or EMVco 4.3 Book 3. I’m giving the quasi technical business explanation of what is going on. There is room for disagreement here, as there is substantial interpretation, as well as understanding of what is REALLY happening vs the specifications.  Remember this is not my day job… so your comments/corrections are welcome. By far the most useful reference/summary page I have found online is located here http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/

It’s easiest for me to explain all of this in the context of an example. Credit cards are the easiest example as they are in the market today, with a few different implementations of contactless and touch the areas above.EMV

EMV

EMVco has a contactless specification which I challenge any non-techie to read. For this short blog, the key point I wanted to make is that the Credit card number (PAN) is given to the POS unencrypted, in the clear. That’s right… don’t believe me? See:

Your next question is probably “Where is the security?” the answer is that that along with the card information, the device sends a cryptogram that is uniquely signed. In other words there is a digital payload that rides along with this credit card primary account number (PAN). This digital payload uniquely identifies the device that EMULATED THE CARD. Think about is as someone validating your SIGNATURE on the document with your social security number on it… Your number is there.. but they make sure it is you by validating the signature.

So why is the SIMAlliance extolling the virtues of a Trusted Execution Environment (TEE) and SIM/UICC? After all we seem to live without this capability quite well in the PC world. Mobile operators want the ability to SIGN and AUTHORIZE more than access to mobile towers. That SIM card in your GSM phone signs and authorizes access to the mobile network, much as MNOs envisioned doing for payments. That is how the GSMA’s version of NFC evolved.. “hey we do this for network access.. lets do it for payments”.  To be clear there is nothing technically wrong with the GSMA NFC approach.. it is beautiful… but there are substantial business model issues (see Payments part of the OS).

Apple and Google are both moving aggressively to act as Commerce Orchestrators as handsets become commodities and data moves to cloud, enabling the mobile phone to be the key services platform at the confluence of the virtual and physical world is critical. It is not about payment. Authentication is core to this orchestration role.. authentication is not something that can be given away to MNOs or to Banks.

TOKENS

It makes most sense to jump to TOKENS now.  You can imagine that Banks don’t exactly like having their card numbers sent in the clear. In fairness they were involved in the specification, but the EMVCo contactless model is essentially a card number plus authentication. There is more than one way to achieve this, and improve on it by hiding  the PAN… this is what tokens are (a few examples described in Money 2020: Tokens and Networks, Apple’s Plans and Google/TXVIA).token

Tokens are not new (see Tokens… 10 Approaches). However Tokens are now an official EMVCo specification as of March 2014, with the major issue of Token Assurance outstanding. In this token model, the issuer chooses at Token Service Provider (or does it themselves) and creates a number to replace the PAN. This takes your PAN out of the open… and makes it useless. To be used the Token must be presented by the right party, with the right assurance information. All of this aligns VERY WELL to how banks and networks work today, which is why it is so popular (see blog on HCE).  In the GSMA NFC model, the a cryptogram goes along with a PAN in the clear with the PAN stored in the phone in a secure element.  In the token/HCE model a Token representing the card is stored in a less secure space, and presented with device and network information for translation by the TSP to the actual PAN. There are substantial Business Implications of Payment Tokens (blog) which I won’t go through again here, but clearly it cuts the mobile operator out of the “signing” role and they become dumb pipes.

My Gemalto friends will howl at how unsecure this is, or how it won’t work if the device has no network access. They are wrong. It is working today, and is secure enough. There is no connectivity requirement, that software token in the phone can change every 10 seconds, 10 minutes or 10 days. The TSP and Issuer can decide whether or not to accept an “old” token based upon the transaction. In other words the intelligence sits IN THE NETWORK.. NOT IN THE PHONE. This is why V/MA/AMEX love it so much. It cements their position (See Perfect Authentication… A Nightmare for Banks?)

Host Card Emulation

emvco token

This is an Android construct (see Software Secure Element – HCE Breaks the MNO NFC Lock) that allows any application to access the NFC Radio. Without Tokens, HCE would be useless for payments, as payment information can’t be securely maintained without an SE.  Think of HCE as dependent on tokens, now a card emulation application can be certified to run outside the secure element.  I don’t like to put Apple in the HCE boat, as they have a proprietary secure architecture using tokens. This is a uniquely apple construct where the networks seem to have certified Apple’s card emulation application(s) as well. It is important to note that they use none of the GSMA’s architecture (to my knowledge) and have embedded the TEE in the apple processor (see Apple Insiders note on Secure Enclave and Authentication in Value Nets).

Secure Element

Is it needed? Certainly it is needed for at least 2 functions: Mobile network access (SIM/UICC) and Biometrics. Fingers and Eyes are very hard to reissue.. so the actual information must be highly protected. Apple is handling biometrics in the A7 Secure Enclave (oddly enough has the same “SE” acronym) and Google is a tad bit behind but handling in ARM’s trustzone. Trust zone is largely a hardware construct, and much is made of Gemalto’s marketing announcement here. My view is that there are many more than on software solution for ARM.. and ARM is much more tied to Google and OEMs than Gemalto.

The “big news” here is that both Google and Apple are EMBEDDING SEs in their hardware architecture. Embedded SEs are a threat to Mobile Operators and their preferred Single Wire Protocol architecture. As you can imagine, an embedded SE has all the capabilities of the SE within that micro-SIM card.. and sets up the prospect for a Virtualized SIM (no more of those GSM cards popping into your phone). If the SIM can be virtualized you can switch your network provider anytime you want.. or have them bid for your phone call ( see Carriers as dumb pipes? , Who do you Trust?, Also see Apples patents on Virtualized SIM). To be clear, I believe MNOs can take a leadership position in Emerging markets and payments, but for POS Payments in OECD 20 markets it makes most sense for them to focus on the $5B KYC/Authentication/Fraud opportunity (NOT payments).

OK… now you can shoot me… Open to feedback.

 

 

iPhone 6 – Payment Predictions

30 April 2014

I’m on a roll, so thought I would put this out there as a positive prediction (vs describing how Apple is Throwing GSMA’s NFC under the Bus). My views are as much informed from the “negative” as the positive. For example, my starting hypothesis is Apple will enable a POS payment capability in iPhone 6. It was the reason for the timing of the Oct 2013 “token” announcement from the big 3 payment networks. As most of us asked “where on earth did this come from”…. It came from Apple (or the network response to Apple’s initial plan).

My problem in figuring out what is going on (if anything) is that Banks have no idea what Apple is planning. Current guess below revolves around assumption that the 3 payment networks do understand the plan. Thus the question becomes “what can Apple do in payments that starts with the payment networks, but does not involve the banks”? Constraints? It must involve: tokens, Apple’s security architecture, 600M cards on file, existing card presentment infrastructure, existing rules, recent lessons learned, and be able to expand to iBeacons.

My predictions

  • Apple will have a certified EMV contactless capability from V, MA and Amex in the iPhone 6.
  • Apple’s contactless is a proprietary architecture, based upon both tokens, and 3 card emulation applications (4 perhaps with Paypal)
  • Each Network will act as a Token Service Provider (TSP), with one token in each card emulation application. The TSP specs give this away, per the Spec, the TSP must be approved by issuer and have ability to translate token to Card. Apple may want to be the TSP… but Banks will say no. This solves a BIG problem with card provisioning, with V/MA/Amex already having the “proxy” card/token provisioned in the iPhone, and each bank working with respective network to turn on their card.  This is the Google model, with the networks running the TSP as opposed to Google/TXVIA.
  • Apple will not work in iBeacon model at launch, but rather EMV Contactless. You notice I’m not saying NFC.. from a merchants perspective this will look like NFC, and use the NFC protocol, but certainly not from a GSMA NFC perspective. There are no other vendors in this solution beyond Apple and their hardware suppliers (?Broadcom?)
  • Cards will be “provisioned” into the wallet through complex process involving Issuing banks, TSPs, and Apple. Apple’s inventory of Cards on file will be registered with the TSPs, and Banks issuers will approve based upon Token Assurance information , MNO information, card usage information … (yesterday’s blog).
  • Fingerprint will be key process which unlocks card/wallet and enables EMV Contactless interaction. Customer experience? EMV Contactless, consumer unlocks phone with fingerprint and authorizes purchase on Payment Terminal. iBeacon? Same thing only works on all iPhones via BLE (no proximity/NFC)
  • How will Apple make money on this? They won’t… nada. Altough there COULD be a way forward given that the product presented to merchant is in control of Networks AND the Issuers are in control of their cards.. a potential… but given lack of issuer participation, I have no idea of how they would pull this off. I do believe that there are groups in Apple that want to make money on a card present transaction, but join the club.. there is no economic model in any network agreement for a wallet provider.
  • I want to emphasize again.. this is just the easy payment part. I strongly believe that looking at payments in isolation is the wrong way to view this (see Blog).

I like this.. IF consumers can choose which payment products to store in phone (debit card). I think the Bank Issuers will flip out when they hear that V/MA have locked themselves into the TSP role.. talk about a reversal from TCH. Issuers could make the case that the networks own the fraud loss since it is a network proxy card wrapping the issuers card…. can’t wait for that one to happen.

I’m 90% confident in the above… lets see if I can keep my perfect track record on Apple, Google, Tokens and NFC.

 

Token Assurance – Updated

28 April

The most interesting aspect of the new EMVCo Token Specification is section 6 – Token Assurance ID&V Methods.assurance

Technical

Tokens must be combined with a form of identity to be useful. The specification outlines a rather ambiguous set of placeholders

  • Account verification
  • Token Service Provider risk score
  • Token Service Provider risk score with Token Requestor data
  • Card Issuer authentication of the Cardholder (ie PIN)

Real world examples would be Apple’s score on your fingerprint biometrics (ex 95% match), or Payfone’s device ID information on the phone you are using. Actually, just about any entity could provide this data to the issuer (with issuer agreement). Per the specification

ID&V steps may be performed by the Token Service Provider, the Token Requestor, or a third party. In instances where the ID&V steps are performed by an entity other than the Token Service Provider, verifiable evidence SHALL be provided to prove that the steps were performed and the resulting outcomes were provided. Verifiable evidence may consist of any value provided to the Token Service Provider by the ID&V processing entity that the Token Service Provider may validate. The details of what constitutes verifiable evidence are outside the scope of this specification, but examples include a cryptogram or an authorisation code

In the GSMA NFC world, a card is “provisioned” to the phone through the TSM.  In the token world a card is provisioned as a token to a phone by the Token Service Provider (big issuers will do this internally, V/MA will also offer services). If the card (or token) is presented to the merchant via NFC protocol it is operating within the contactless/EMV pricing. If the card (or token) is presented to the merchant via an iBeacon or QR code then it falls into some unknown TBD pricing.

Business issues

Problem becomes who will pay for great ID&V “Assurance”. For example, Apple could provide biometrics.. but shouldn’t the banks pay for Apple’s score (see Blog Authentication in Value Nets)?

Let me extend the example further. Today Banks are working to extend their mobile applications to add payment capability through HCE (on Android). Who is the TSP? Answer it is the banks themselves…  they generate the tokens and their own Assurance information. Who will deliver “tokens” to Apple? There are only 2 entities that can map tokens to cards: Issuers or Networks (acting as TSP).. wallets can’t do it.

Thus there are 3 ways a payment instrument can be added/stored/provisioned in a phone/cloud/device

  1. Consumer enters card number (Google, Apple, Amazon, Paypal, …). Benefit, consumer chooses any card they want. Downside CNP rates
  2. GSMA/TSM. Provisioned by Card. Only issuers that provision cards.
  3. Tokens. Provision token. Only issuers/TSPs can provision tokens

There are also different mechanisms for card Use/Presentment

  1. eCommerce (buying iTunes/App store, Amazon, …)
  2. EMV/Card Emulation
  3. Token Presentment (iBeacon, QR, eCommerce Token Presentment)

My view is that there are only 2 areas where tokens will move in next 12 months:

  1. Banks are focused on enabling Apple to use tokens later this year (in iBeacon model), so cards will exist in token form both within the Bank mobile application (Android HCE) and
  2. Apple’s wallet (IOS) in Beacons + NFC/Card Emulation

Looks like everyone else will be stuck with the “old” NFC/TSM model for quite some time.

Apple

For Apple to receive Card Present rates in a iBeacon model, they must provide information as a TSP to create a high assurance level.  Here is the REAL ISSUE. WHO DECIDES what degree of assurance equals card present rates. Right now only the ISSUER can make this call. Worst of all… the merchant will have NO IDEA of what the cost is. That’s right, Apple must negotiate with each and every issuer not only on ID&V data exchange, but also on the rate. The token specification outlined how the data must flow, but not how the pricing will work. I sure hope Apple is pushing for pricing MUCH better than listed card present rates. Fantastic authentication should lead to risk based pricing. My recommendation to Apple (beyond call Starpoint), is to price in a way that merchant sees card present rates and you are paid for risk reduction. This aligns everyone to reduce risk.

Banks are focused on Apple because: #1 Apple can move the needle in adoption, #2 Increase use of cards in iBeacon model, #3 Apple is dumb container for card and not as concerned about capturing data. Banks may work to restrict Apple’s ability to use tokens in an NFC contactless transaction only. One of my top questions is HOW will apple present these tokens in an EMV contactless scenario? There is no work being done on card provisioning with issuers… so how are the tokens getting into their phone? Will Apple convert their 600M cards on file to tokens?  Will the networks work to simplify and “on ramp” issuers without their technical involvement? This could be a brilliant move, as nothing is more broken about the NFC/TSM model than working with 10,000 bank issuers individually to provision cards.

I hear nothing on Apple Tokens + Beacons. Which means Apple Payment launch is EMV Contactless only (but in a uniquely Apple Way with fingerprint). If Apple is working in an EMV contactless model ONLY, did they certify an application? Who holds the encryption keys if cards are not provisioned by the issuer? the network? (my guess) If this is the case, what do card issuers think about the networks managing their keys?

 

Google

Today Google wallet (POS) wraps all other payment products in a Bankcorp (TBBK) Mastercard. Google is issuer so they provisioned the card (with a few exceptions in Citi/Barclays, …). It is the ONLY wallet where a consumer can load any payment card they want to. Today Google gets card present rates (for the TBBK Debit Mastercard) as they present cards within EMV contactless/card emulation rules. If they switch to tokens, what merchant pricing applies? If merchant accepts card via EMV contactless, contactless rates apply, but what if token rates are “better”? Can Google arbitrage? What if presentment could be based upon merchant preferences? Present token if you have a lower rate (via via QR code or “Beacon”) otherwise present card via NFC/EMV for card present.

I’m getting a headache!! Can you imagine Google would have to store cards/tokens by issuer/presentment mechanism, with different assurance data and provisioning for each. Some cards are provisioned via TSM, others via token, others entered by consumer, cards used for eCommerce on Google store could be tokens, cards used in Chrome autofill would be PANs, cards presented via NFC would be encrypted PANs, cards presented via BLE would be tokens..

In the token model, what is incentive for Google to deliver Assurance data?  What is merchant incentive to accept? Today Google can allow the consumer to use any card.. in a token world they have no control over which cards can be provisioned/stored, nor the rate the merchant will pay. Someone please draw me a picture of options…

Assurance Business Model

Can you imagine playing football where the opposing team also staffs the referee positions and can change the length of the chain whenever they want?  The token specification is a very, very solid document. But the business model is a little crazy. The only place where it will see short term traction:

  • Issuer’s own mobile application
  • eCommerce (where Apple/Google/Amazon/Paypal directly benefit from CP rates)
  • Apple (if they negotiate agreements well)

End result – No POS Merchant Adoption

Obviously, if merchants have no idea of the cost of a payment product.. they will not accept it. I couldn’t imagine anything worse than the ISIS NFC wallet… but a token at a card not present rate could fit the bill. Now you see the reason behind MCX…

eCommerce Merchants DO have a reason to jump on tokenization. As they will benefit from risk based pricing.

Thoughts appreciated.

Authentication – In “Value” Nets

March 3, 2014

Today’s blog brings together: the Role of Authentication in Value Orchestration, Apple’s Role in Commerce, Constructs for Compensating Authentication Agents, and Ability of Payment Networks to Adapt. The ability of other parties to assume risk in payment is the key shortcoming of all of our existing payment systems (see last week’s Blog). The recent activities around tokens can best be explained through this Risk Lens.

My use case for today: Assume Apple has the best biometrics system on the planet, and Consumers trust Apple with all their credentials. How can non-Apple Service Providers use Apple’s Authentication service (pay them)? As I outlined in Who do you Trust (Sept 2013)

The “KEY” [prerequisite] in value orchestration is owning the Consumer relationship. Therefore Identifying and Authenticating the Consumer is the first, primary, service that must be owned by a platform.  What was a separate “Trusted Services Manager” in the NFC world has been co-opted by platforms which will take a proprietary route.

This goes hand in hand with my other favorite payment quote from Ross Anderson with respect to payments:

If you solve for Authentication.. Everything else is just accounting

The Role of Payments in Commerce

As I’ve stated before payment is just the last (easiest) phase of a long commerce process that involves design, manufacturing, marketing, advertising, retail, payment, …etc. (see Payment enabled CRM). Payment is the key PROCESS by which these parties measure the effectiveness of their activities (think attribution). To measure effectiveness (and value) participants tie their activity to Consumer and: items, activities, processes, and behaviors. Answering questions like “did the consumer see our ad on facebook?”, “did our campaign influence the consumer’s buying behavior”?

Before we can assess the value of Apple’s Authentication we need to identify the processes and participants that can use the service. My bias is that the greater value to be unlocked is around the attribution than payment (as a side note Apple has constructed a new platform to manage an Advertising Identifier around this “identity arbitrage”). My personal bets are around the hypothesis (outlined in Apple and Commerce): that Apple’s biggest asset is their ability to change consumer behavior, and are working to make the iPhone the centerpiece of physical commerce (not payment). However, since I have no interest in writing a novel on the subject, I’ll give my highly condensed views on authentication in today’s payment instruments.

Value of Authentication in Payments

What is value of authentication in payments? To whom does the value accrue? We should not assume payment methods will change in anything shorter than a 20 yr horizon (analysis of value in existing payment networks). The value flow in a 4 party payment network is fairly simple: Merchant pays with the Issuer receiving 80% of the revenue. Any payment for Authentication must therefore come as “cost” to the issuing bank. There are 5 models for extracting authentication fees from Banks:

  • Bank chooses to pay (or exchange something of value … like data)
  • Network forces payment
  • Authentication provider forces payment
  • Consumers force payment, or Choose to pay themselves
  • Regulators force paymentGAO payment flow

Optimally a service cost would be based upon value (if the value declines … the cost should decline). Of course nothing in payments work this logically. Issuers like to have all the control, so that they can retain all the margin. In fact, Top Issuers would be fine keeping mag stripe with no authentication (see Perfect Auth… a Nightmare to Banks). Perfect authentication would eliminate all risks not credit related (ex ability to pay). It would therefore be very hard for Banks to justify any payment fees (interchange) beyond the cost of operation. Banks make their money on the ability to manage risk (not eliminating it). Mobile Authentication (biometrics) provides a mechanism to reduce risk outside of the bank’s services.

Startups.. this is the challenge in selling banks improved risk management or identity solutions that are not in their control. It is also why Banks want their services manifested through applications they control (not others). However, Banks must live in a world where their payment product does live outside of their environment (not that they like it, but Amazon does have a little potential to sell :-)).

A recent example of external network driven services: Verified by Visa (VBV) and Mastercard Secure Code (MSC). VBV/MSC rolled out in 2003 (Europe) and shifted eCommerce CNP risk to Banks. It was a complete and utter failure, not just from a tech view but also from a customer experience and business model. Merchants were incented to put the technology in place (10bps and fraud shift to Banks). VBV/MSC failed to catch the fraud… who was motivated to fix the flaws? Not the merchants.. they had given the fraud loss to the Banks and received a discount. It was rather the Banks, which were left with declines as their only tool (as I outlined in Perfect Authentication – A Nightmare for Banks). In other words, Banks had no way to pay the merchant to do a great job at managing risk in VBV/MSC, but only penalize a merchant for poor performance (through declines). This is why we don’t see VBV or MSC running in Amazon, Apple, Paypal, … etc.. Merchants fear declines much more than they do managing the fraud.

But how do a Banks pay external parties (ex Experian, EWS, …) for assisting in the risk management of payments? Usually a per transaction fee of $2-$5 in account opening, and then 10bps for transaction risk scoring (think check verification, although not all transactions need to be scored). The Networks themselves offer services for authentication and account management.

Authentication Fee Structures

Issuer Controlled

  • Interchange Rate Reduction ~15-30 bps based upon performance
  • Fraud Shift (for CNP + Auth in eCommerce)
  • Data Sharing (quid pro quo)

Network Controlled

  • New Category – Mobile Card Present with Authentication (30bps below current)
  • Network Enhancement Fee – Charged to Issuer (for Token and for Auth)

Platform Controlled

  • Authentication Fee (Nothing gets passed to Issuer unless they choose to use service)
  • Network support of new field(s) for Authentication information

My preference (for Authentication) would be for last item in the list, where Apple and Google assess an authentication fee to Banks which choose to leverage Authentication. This allows for performance based pricing. If the service is not providing benefit to the Banks, it is stopped. Issuers which invest in using the service will receive benefits that can be passed to consumer.

Oddly enough the danger in this approach is for Visa and Mastercard. As Issuers work with Google and Apple directly, it provides them an opportunity to end-run V/MA and define their own rules for CP/CNP, as well as Tokenize their existing portfolio and gain access to data.

Mobile Auth and Payments – Today

The scenario on biometrics and tokens is happening today… Apple’s new iPhone will have both biometrics, a secure enclave, and  patented Point of Sale Interaction. Host Card Emulation has evolved so quickly because Banks were told by Apple that they would have to pay for their cards operating within Apple’s scheme. As I outlined in Token Acceleration, the Banks responded by telling V/MA “we are not going to let our Cards operate under an Apple Patent… you guys killed our TCH project and said you would own this… so are you owning it or not?” Hence we have this Press Release.

The networks are committing a fair amount of brain power here. Clearly the benefits and control of a token led scheme will flow quickly to issuers unless there is a solid process to lock up the token standards and token translation. For example, assuming V/MA certify an HCE scheme that provides for “transparent” EMV compliant Paypass transaction.

This is why NO ONE has seen the token spec… and why it is not evolving as quickly as hoped. Not only must V/MA/Amex make the Spec functional, they must also work to control the token creation, authentication and routing rules. Arrggghhh…

Big Picture Thought

What we REALLY need is a payment network where risk and data can be owned by non-banks (selectively). This was my input to the Federal Reserve, and the driver behind last week’s post Risk: Carving it up in Payments.  Real time payments is not holding up innovation, the ability to take risk and manage it is (just as it is in our economy). While I believe Ross Anderson’ view that Authentication is the key to value, the dumb pipes are all owned by non-aligned Banks.

What if American Express created a new payment network that allowed for merchants to selectively own risk for clearing? In this model, Amex could operate as charge card, Bank, prepaid card, or link to another banked account. Merchants could assume risk depending on consumer history, payment type, purchase type, reputation, … Some merchants would choose to allow the consumer to decide. Others (like Grocery and WalMart) would encourage the consumer to choose the lowest cost instrument (selective settlement risk), or even change their relationship (banking, data sharing, … ).

If the value of authentication and the value of “payment” is not in settlement and risk but in the attribution, then we must have much more flexibility and consumer participation.What will glue together these new Value Nets?

 

Apple Services

 

What is NFC? What part is Dead? A: The GSMA part

23 Feb 2014

I decided to turn this into a Wiki update.. as the prior entry is somewhat lacking. For example: Who created the TSM? Single Wire Protocol in the UICC? Who certifies a device for payment?

The New Wiki is now (with the last 2 para’s just added)

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into proximity, usually no more than a few inches.

Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.[2]

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by NokiaPhilips Semiconductors (became NXP Semiconductors since 2006) and Sony, and now has more than 160 members.The Forum also promotes NFC and certifies device compliance[5] and if it fits the criteria for being considered a personal area network.[citation needed]

In addition to the NFC Forum, the GSMA has also worked to define a platform for the deployment of “GSMA NFC Standards”. within mobile handsets. GSMA’s efforts include“Trusted Services Manager”., Single Wire Protocol, testing and certification, “secure element”..

The GSMA’s standards surrounding the deployment of NFC protocols (governed by the NFC Forum above) on mobile handsets are not exclusive nor universally accepted. For example, Google’s deployment of Host Card Emulation on “Android KitKat 4.4”. in January 2014 provides for software control of a universal radio. In this “HCE Deployment”., the NFC protocol is leveraged without the GSMAs standards.

 

From a mobile payment perspective, NFC is

  1. Protocol. NFC Forum owns the Protocols making up the ISO specifications.  These protocols are the “universal” aspect of NFC that is NOT changing.
  2. Platform for How NFC works in a Phone
    • GSMA NFC Specifications, reference architectures, platform constructs (TSM, ..) outlining a SCHEME for how NFC manifests itself within a Handset Architecture
    • HCE
    • Apple Secure Enclave
    • ??
  3. Payment Network Standards and Certification. Exxon Mobile and Mastercard were the first contactless payment mechanisms, and Mastercard PayPass was the first Network Standard with reference implementation and certification for presentment and acceptance.

With HCE, the entire GSMA “NFC platform” is dead, but NOT the protocol (No UICC/SWP role, No TSM, Access to “controller” and Secure Element, no Handset Certification).

Comments on Wiki and blog welcom