Can I see your ID?

18 March 2015

A major retailer just called me this AM. Theme of conversation is that the industry is creating a “perfect storm” for issuers in acceptance.  While LoopPay is very secure (because of Visa/MA tokens, phone ID, and transaction counters), the existence of a commercial grade mag stripe emulator in the hands of “bad guys” will create a little chaos… particularly when the cashiers think nothing of consumers (or fraudsters) waving their phones at the POS.

While both Visa and Mastercard have set rules that prohibit merchants from asking for IDs in a contactless EMV transaction, LoopPay (Samsung calls it MST) muddies the waters, as it uses the phone to talk to the magnetic reader of the payment terminal. MST transactions are magstripe transactions, for which merchants are (and have always been) allowed to ask for IDs. Merchants can make the case that they have no idea which is which, and that they have no way of “prohibiting” either, thus they must assume it is something that requires them to validate (signature).

Let me see if I can list the different acceptance methods (looking for input into what I miss)

Acceptance Options

 

Add to this list Token authority (Tier 1, Tier 2, Visa, Mastercard, TCH, Bank, …) and TSM for GSM style NFC and we have quite a complex mess. The good news is that issuers have control over where their cards are presented.. Problem is that there are many new “exploits” which can be attacked by very well funded fraudsters.

Normally, all of this seems to put pressure to update and lock down your payment terminals. But merchants don’t bear any costs for POS fraud where they have validated signature/ID… it moves to the banks. How can Banks force merchants to lock down terminals? The incentives are very complex.. so complex that it may mean “can I see your ID” happens in every case.  So much for mobile making things easier.

In EMV transactions, issuers are normally in control of when PIN is required.. In mobile  there is no physical payment instrument (card)  for the cashier to validate signature … so when they ask for ID what do they validate against? (ie no embossed card with your name on it). This means issuers will naturally like PIN for mobile. In the US consumers don’t know their PIN (for credit cards)..

This is just too confusing.. let’s just say small issuers will have a very challenging time adapting here, while the big issuers will maintain a substantial advantage. This is the normal course of [big] bank fraud strategy: if a bear comes to your campsite you don’t have to be faster than the bear.. just faster than the slowest fellow camper (small banks).

iPhone 6 – Apple’s Strategic Opportunity

8 September 2014

We are likely to see much innovation in the iPhone 6, but I suspect there is even more innovation that we won’t see. Purpose of blog today is to help my friends navigate through the coming tsunami of press, to what really matters. What are the things I’m looking for? If you are looking for a list of new iPhone 6 features in this blog.. you will be sadly disappointed.. I’m much more attuned to payments, network strategy, commerce, security/Auth.. admittedly myopic. Note payments stuff is in last paragraph

Tomorrow

Don’t get caught up in buzzwords like NFC, payments, tokens, BLE, Secure Enclave. Will it have a new security architecture? Yes, industry leading from hardware through firmware, OS and Apps.. Will the iPhone be able to do payment? Sure… Emulate a hotel door room key? Yep, in fact it could virtualize and emulate any chip card including the GSM SIM. Yet focusing on this stuff is kind of like talking about what the internet could do…  can I email my Aunt in Singapore? Buy a book from a seller in Seattle… The key questions for investors and start ups in the Valley is: HOW WILL THE iPHONE 6 CHANGE COMMERCE?.

Why am I excited about the iPhone 6? It is the dawning of a new age of mobile “platform”. This leads to the obvious question of: what is a platform, and how can anyone lead it? My favorite book on platforms is Platform Leadership: How Intel, Microsoft and Cisco Drive Industry Innovation. The authors provided a great model to assess the 4 Levers of Platform Leadership

  1. Scope of Firm: What is done inside, how they encourage outside investment and focus
  2. Product Technology: Architecture, Interfaces, Modularity, What do they expose to partners?
  3. Relationship with Complementors: Support of Complementors, acting on ecosystem needs, path to consensus and standardization, profitability
  4. Internal Organization: What is the “core”, and how are resources allocated to core activities vs support for partners.

Apple has a massive check mark in #2 (Product Technology), as they are 3-5 years ahead of every handset maker (integrated hardware thru OS and Software). How do we measure this lead? Admittedly technology is a little harder to quantitatively measure than financials and market share, so for the latter: Apple captures 70% of industry profits (from 18% market share), #2 in consumer brand (behind Google), and #1 in retail sales per square ft. Most would agree it’s hard to get to these stratospheric numbers on crappy hardware.

On the technology side, Apple is the only vendor (since RIM) to have developed a secure mobile platform for biometrics, encryption, smart card emulation, …etc. All using a proprietary architecture from A8 Processor, Secure Enclave, OS, Apps and integrated into cloud services. For example, Apple has thrown the GSMA’s NFC under the bus in favor of their own unique design. I think of it this way: RIM started with security in mind and then tried to bolt on a browser and other features consumers wanted beyond secure e-mail. Apple started with the consumer and is now (with the iPhone 6) rolling out the most secure mobile platform in history. I believe Google is 18mo-3yr behind (with ARM/TEE and SE Linux) primarily because they don’t have the same HW control as Apple (see Secure Element, NFC, HCE, EMV, Tokens and Cards).

From a platform perspective the REAL question is Can Apple pull levers 1, 3 and 4?

Platform Leadership

Most all of us know the Microsoft/Intel Story (see reference). WINTEL’s pace of innovation crushed Apple by creating industry standards (ex PCI Bus) and allowing hundreds of companies to specialize on many subcomponents (drives, processors, applications) which further increased performance, decreased price and expanded usage… which in turn drove more investment. Intel’s Architecture Lab (IAL) was the centerpiece of this success: an investment in defining and supporting the platform (ex the common infrastructure “bus”) that allowed for specialization and defined interaction (and accelerated Intel’s dominance). No one asked Intel to lead.. they TOOK IT (with great success). Leadership is not creating APIs and taking a 30% cut of revenue, it is recognizing that a business where 100s of companies can succeed is a much bigger business. This is particularly true in Commerce.

In physical commerce, I look at Visa and Mastercard as the best “commerce” platforms. This comment will draw ire from all my merchant friends, but it is factual (total volume processed). The beauty of the V/MA business model is that 1000s of banks invest (and merchants pay) billions of dollars to make this work. They have struck a tremendous balance between bank, consumer, and merchant. They have become the standard for interaction. One that will start to shift significantly toward merchants in next decade (for another blog).

With respect to platforms and mobile, I was in Hong Kong last year constructing scenarios with a major investment bank, with the key question: Where will value flow in mobile once handset hardware is a commodity? (Battery life, processors, screen resolution, are all good enough). What are the FACTORs of competition today? Can someone else change the game? I went through this analysis in my blog on Stage 4 Value Shift.

As we look for where the form of mobile competition may change, it would seem to be outside: hardware, software and network bandwidth. If hardware is good enough, and not the primary factor of competition, it must be software, services or data that will drive competition in the next phase… If platform is decided on software only.. then software platform with most open standard and most users (ANDROID) should dominate as any connected devices (handsets and everything else) have lower cost and more ability to “specialize”, particularly if intelligence is in the network (not the device).  But software is currently not the point of competition either… If not DEVICE software, or hardware, or network connectivity.. then what?

 

… Orchestration and Trust: as the mobile phone transforms into the networked device “bridging” the virtual and physical world, value (and profitability) will shift from platforms executing transactions to coordinating interactions.

Apple’s greatest asset is its ability to change consumer behavior (see blog Apple and Physical Commerce, and Consumer Behavior). Apple’s reputation is well deserved and earned “the hard way” by remaking: phones, music, mice, computers, apps, …etc. Through consistent delivery of value within fantastic hardware delivering great (and fun) consumer experiences they earned trust for their products and brand. The greatest NEW opportunity is for Apple to influence consumers beyond the individual (music/contacts/calendar) and eCommerce (browser, apps), into the real world: Commerce. Apple’s core gap? How it will allow for investment and specialization, and define the interaction of aligned participants.

Commerce Platform

I’m assuming Apple will get its consistent A+ in hardware, and there will be a bundle of new capabilities in the phone and connected devices (ie iWatch). But commerce is between a consumer and a merchant/manufacturer. What “platform” will exist to assist Merchants? What is Apple’s role in mediating platform (and consumer) with the merchant (beyond the app store)? How will Apple enable 100s of other companies to invest billions of dollars to make its Commerce Platform the centerpiece of value orchestration? Beacons (see Apple iBeacon Payment Experience)?

Google, Amazon, Facebook, all organize millions of businesses, and billions of consumers. Apple is missing the business side… in a BIG way (remember iAd). From a network strategy perspective, Apple has created a consumer focused nodal platform (vs hub centered orchestration). They certainly have the opportunity to create a hub (ie iCloud), but their hardware centric organization may keep this from maturing (Lever 4). Thus Apple is 5 years behind Amazon, Google, Facebook in delivering value to merchants, and orchestrating Commerce. As I stated above, handsets are becoming a commodity, Apple’s new handset will not lead in screen resolution or battery life.. consumers will start to look at the VALUE it provides in connecting to other REAL WORLD businesses.

A January 2001 Harvard Business Review Article: Where Value Lives in a Networked World put it this way:

In more general terms, modern high-speed networks push back-end intelligence and front-end intelligence in two different directions, toward opposite ends of the network. Back-end intelligence becomes embedded into a shared infrastructure at the core of the network (cloud), while front-end intelligence fragments into many different forms at the periphery of the network, where the users are. And since value follows intelligence, the two ends of the network become the major sources of potential profits. The middle of the network gets hollowed out; it becomes a dumb conduit, with little potential for value creation. Moreover, as value diverges, so do companies and competition. …. In a connected world, intelligence becomes fluid and modular. Small units of intelligence float freely like molecules in the ether, coalescing into temporary bundles whenever and wherever necessary to solve problems.

where value lives

Apple’s strategic opportunity is to orchestrate these information bundles and consumer insight in a way WHICH THE CONSUMER CONTROLS. This was the focus of my previous Apple Strategy Blog: Apple’s Platform Strategy: Consumer Champion.  Unfortunately, it seems that Apple’s management team may be so hardware focused that they are missing this opportunity. Retailers like Nordstrom, Macy’s, CVS, and Starwood will show (tomorrow) how excited they are to work with Apple. But Apple needs a version of Intel’s IAL, that is focused on Retailers, Gimbal and Commerce.  Actually, I believe Apple’s gap here is so large that they must find a way to partner/acquire someone else in this space (not paypal). This is a $100B opportunity, and if Apple doesn’t move on it, it will be left competing on screen resolution, and hyper sensitive affluent consumers seeking data privacy.  (Note to Apple, one of my companies would love to pitch you a few ideas here).

My top strategy questions for tomorrow

  • Does Apple see strategic growth for iPhone as working in real world (Commerce)?
  • What level of investment/support will Apple give to “community”? How (IAL)?
  • Where does Apple “Stop” and partners “stop”
  • Apple’s organization.. anything changing? Is it still H/W dominated?
  • Apple’s phone is no longer differentiated by external features.. so what is different and why is it valuable to consumers? Merchants? (Can Tim articulate)
  • Does Apple see itself as the Consumer data/privacy champion? How do you monetize anonymity?
  • How will retailers work with Apple?
  • How will beacons be supported?

Security, Authentication and Anonymity

The biggest features we will see (IMHO) surround  how Apple is completely reworking the role of authentication and security in the platform (see iPhone 6 Secure Enclave, great article from Networked World). Apple’s proprietary mechanisms for “smart” card emulation (credit card, hotel door key, transit pass) will impact many, many industries (see Authentication in Value Nets).  Apple has ROCKED THE CART substantially with this capability. My guess is that they will demonstrate the obvious tomorrow with contactless card emulation (V/MA/Amex) and security keys (Starwood hotels). The much more sensitive area is virtualizing the GSM SIM. I believe the iPhone 6 is capable of virtualizing the SIM, I have no idea if they will demonstrate the capability.

From a consumer perspective, the big changes will surround Apple’s efforts to limit ad tracking, which will significantly impact advertisers (see Tech Times). I believe there is hidden genius here as they turn themselves into the ultimate consumer protector… both online and in the physical world. They are the gatekeeper and orchestrator… the only entity that can know what a consumer is doing. Question is can anyone else work with Apple (and the consumer) to request that the gate be opened. For example, will Apple be the primary publisher (please send phone ID 187349387 the following message .. and Apple approves).

Payment Stuff

Most of my readers are in this area.. so sorry for saving this till last. I described how payments will work in the new iPhone back in March: Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”. The key innovation in iPhone 6 should be credited to Visa and Mastercard: tokens. No longer will Primary Account Numbers (PANs) be sent in the clear as we have with EMV, and NFC today (I know, hard to believe.. see this blog for background). Now if someone steals your phone.. and breaks Apple’s unbelievable security.. they have a number.. that is COMPLETELY worthless.. they can’t use it anywhere. At time of manufacture and OS load, Apple has loaded 6 tokens: Visa credit, Visa Debit, MA Credit, MA Debit, Amex, China Union Pay, (and perhaps a few backups). These numbers are locked up in the secure enclave, they are 16 digits long and are BINs that processors can route to the appropriate network. The networks operate as TSPs (Token Service Providers) and map the Tokens to the Actual Bins. The primary key for the mapping is Token, plus Token Assurance Information, plus Phone ID. Technically.. every one of us could have the same exact 16 digit token and Visa/MA/Amex could still map the correct card based upon the other unique information.
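The mapping described above can be sketched as a lookup on the composite key (token, token assurance information, phone ID), combined with the transaction counter mentioned in the LoopPay post. This is an added example, not code from Apple or the networks; the class and function names, the sample token, assurance label and phone IDs are all constructed, and the strictly-increasing counter rule is an assumption.

```python
from dataclasses import dataclass


class TokenRejected(Exception):
    """The presented data does not map to a card."""


@dataclass
class Binding:
    pan: str           # real account number, held only by the TSP
    last_counter: int  # highest transaction counter accepted so far


class TokenServiceProvider:
    """Toy TSP vault keyed the way the post describes (hypothetical class)."""

    def __init__(self):
        # (token, assurance info, phone ID) -> Binding
        self._vault = {}

    def provision(self, token, assurance, phone_id, pan):
        key = (token, assurance, phone_id)
        if key in self._vault:
            raise ValueError("binding already provisioned")
        self._vault[key] = Binding(pan=pan, last_counter=0)

    def detokenize(self, token, assurance, phone_id, counter):
        # The token alone is not enough: all three fields must match.
        binding = self._vault.get((token, assurance, phone_id))
        if binding is None:
            raise TokenRejected("unknown token/assurance/phone combination")
        # Assumed rule: the counter must strictly increase, so a captured
        # and replayed transaction is refused.
        if counter <= binding.last_counter:
            raise TokenRejected("stale transaction counter")
        binding.last_counter = counter
        return binding.pan


# Constructed sample data: one 16-digit token shared by two phones,
# each bound to a different (test) card number.
SHARED_TOKEN = "4900000000000001"
ASSURANCE = "assurance-level-A"


def build_demo_tsp():
    tsp = TokenServiceProvider()
    tsp.provision(SHARED_TOKEN, ASSURANCE, "phone-alice", "4111111111111111")
    tsp.provision(SHARED_TOKEN, ASSURANCE, "phone-bob", "5555555555554444")
    return tsp


def try_detokenize(tsp, token, assurance, phone_id, counter):
    """Return the PAN, or the rejection reason as a string."""
    try:
        return tsp.detokenize(token, assurance, phone_id, counter)
    except TokenRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    tsp = build_demo_tsp()
    # Same token, different phones: each resolves to its own card.
    print(try_detokenize(tsp, SHARED_TOKEN, ASSURANCE, "phone-alice", 1))
    print(try_detokenize(tsp, SHARED_TOKEN, ASSURANCE, "phone-bob", 1))
    # Token copied to a phone the TSP never provisioned: no mapping.
    print(try_detokenize(tsp, SHARED_TOKEN, ASSURANCE, "phone-unknown", 1))
    # Same phone, counter reused: refused as a replay.
    print(try_detokenize(tsp, SHARED_TOKEN, ASSURANCE, "phone-alice", 1))
```
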

My biased view is that the networks emulated what Google (under Osama Bedier) put in place 3 years ago as Google also operates this Token environment within their TXVIA acquisition. The big plus for Google is that the consumer can register any card they want, as Google does not charge the banks anything.

The biggest “surprise” over last 2 months is that Apple has squeezed 15-25bps from the 5-6 participating banks at launch (C, BAC, COF, JPM, Amex and perhaps WFC). The challenge for phone wallet companies has always been there is no economic model for them. Banks know that wallets will not work without cards.. for example Apple has little chance of success if Chase, Citi and Cap One don’t participate. Thus someone must have “blinked” and the others followed. No one wants to be left out of the Apple launch. Thus to participate in the Apple wallet, Issuers will need to cough up the fee to Apple. There are 3000+ issuers in the US.. so this may be a little challenging on the consumer side. I also have firm G2 that BAC, C and possibly WFC will enable debit cards (have no idea how these will be priced).

My G2 tells me that the Issuers refused to give on CNP interchange, so even though Apple has tokens and can sign them with same assurance information a “tap” at the POS will have a different rate than an eCommerce/mCommerce CNP transaction. One of my bigger unknowns is how Paypal will play in all this launch. I understand Apple is near launch of an “off Apple” eCommerce payment scheme (?EasyPay?).. will Paypal be the merchant acquirer and white label a PayPal like button (pay with “Apple”).

Strategically, Payments are moving to be part of the Operating System. What does that mean? See blog. My favorite payment quote is from Ross Anderson at a Federal Reserve meeting: “If you solve for Authentication in payments, everything else is just accounting.” This is a key example of how Apple has the potential to completely turn the world of payments upside down. For start ups this means that payment is no longer a specialized function, just as TCP/IP was not in Windows 95 launch.. and became part of the standard stack.. so are payments with iOS and Android. There will be no more Paypals in the future.. A key WIN for Visa, Mastercard and Amex is that Amazon, Apple, and Google are all of one mind: Let consumers pay the way they want to pay.

Arcane payment stuff. I’m more than a little interested in how Apple will actually get paid beyond the honor system. Card emulation applications have no idea who they presented the card to, or size of transaction. Visa/MA/Amex will be able to track transactions, but don’t know of any formal facility to pay a wallet company within the settlement stream, meaning that the issuers will be cutting the check based upon data that only V/MA and/or the issuer themselves have. So beyond the pure “TSP” role, is there also a role for wallet settlement in the overall V/MA scheme. Optimally, issuers would have one way to register cards for participation in any given wallet, this was a significant flaw in the NFC TSM card provisioning flow. It would be very smart for V/MA to take this on. In other words a new V/MA process for registering card/token scheme/Assurance information/approved wallet (ex HCE).

Merchant Acceptance

My view is that the MUCH larger problem for Apple is merchant acceptance. As I outlined in Apple Payment Experience, Apple did not want to launch within network contactless specifications, they wanted certification of BLE. Apple presented its solution back in August of 2013 and the issuers went “nuts”.. going to V/MA telling them “You are going to let Apple own the PATENT for how a card goes from phone to merchant.. I thought that was your job”. Thus we see the press release on tokenization in Oct 2013 that came out of nowhere. The networks did not want to fragment acceptance infrastructure and give merchants the opportunity to accept Apple BLE and not NFC.

There will be 2 or more merchants moving from MCX to Apple tomorrow, one rumored is CVS. Of course they could still accept MCX, but rumor is MCX agreement precludes other forms of mobile payment acceptance. Payment acceptance is no peripheral battle to merchants. This is a VERY VERY big deal and I don’t believe Apple understands it at all. Net margin in retail is around 2.6%, so taking a 225bp card is VERY MATERIAL. Retailers tell me that mobile is the #1 thing they think about in strategy, and they are quite confident that they are in the best position to influence consumer adoption and value creation (ala Starbucks). My hope is that Apple can work out its desired BLE experience directly with MCX retailers.. and let the merchant/consumer decide how all this works. See Value Creation and Distributed Innovation, Static Strategies and the Rewiring of Commerce, and Future of Retail.

How will the iPhone 6 Change Commerce?

Remains to be answered pending Apple’s platform support strategy. Where does Apple see its role in value creation? (Or does Apple just see a role in consumer protection?) The Google, Amazon roadmap is much clearer to me.. I don’t want to buy into a hardware company.. hardware is becoming a commodity, value orchestration is the $100B+ opportunity.

This is not a clean wrap up.. but my football game is on and I want to watch it.

Token Acceleration

20 Feb 2014

Let me state up front this blog is far too short, and I’m leaving far too much out. Token strategies are moving at light speed… never in the history of man has a new card present scheme developed so quickly (4-6 MONTHS, see announcement yesterday). As I tweeted yesterday, the payment industry is seldom driven by logic, and much more by politics. Given many of my friends (you) make investments in this industry, and EVERY BUSINESS conducts commerce and payments, movements here have very broad implications. The objective of this blog is to give insight into these moves so we can all make best use of our time (and money). I was flattered at Money 2020 when a number of you came up and told me that this blog was the best “inside baseball” view on payments. Perhaps the only thing that makes our Starpoint Team unique is that we have a view on payments from multiple perspectives: Bank, Network, Merchant, Online, Wallet, MSB, Processor, … etc.

It’s hard to believe I’ve already written 12 blogs on tokens… more than one per month in last year. As I outlined in December there are (at least) 10 different token initiatives (see blog). Why all the energy around tokens? Perhaps my first blog on Tokens answered this best… a battle for the Consumer Directory. It is the battle to place a number in the phone/cloud that ties a customer to content and services (and Cards). The DIRECTORY is the Key service of ANY network strategy (see Network Strategy and Openness). For example, with TCH Tokens Banks were hoping to circumvent V/MA… (see blog). The problem with this Bank led scheme (see blog): NO VALUE to consumer, wallet provider or merchant. It was all about bank control. The optimal TCH test dummy was almost certainly Google, and the “benefit pitched” was that Regulators were going to MANDATE tokens, so come on board now and you can be the first.

Token schemes

Obviously this did NOT happen (perhaps because of my token blog – LOL), but the prospect of a regulatory push was the reason for my energy in responding to the Feds call for comments on payments. In addition to the failure of a regulatory push, the networks all got together to say no Tokens on my Rails (see blog). Obviously without network rail allowance, a new token scheme would have to tackle acquiring, at least for every bank but JPM/CPT (see blog).   Paul Gallant spent 3 yrs pushing this scheme uphill and had no choice but to look for greener pastures as the CEO of Verifone (Congrats Paul).

In the background of this token effort is EMV. I’m fortunate to work at the CEO level in many of the top banks and can tell you with certainty that US Banks were not in support of Visa’s EMV announcement last year. One CEO told me “Tom I found out about EMV the way you did, in a PRESS RELEASE, and I’m their [Top 5] largest issuer in the world”. Banks were, and still are, FUMING. US Banks had planned to “skip” EMV (see blog EMV impacts Mobile Payments). The networks are public companies now, and large issuers are not in control of rules (at least in ways they were before). Another point… in the US EMV IS NOT A REQUIREMENT A MANDATE OR A REGULATORY INITIATIVE. It is a change in terms between: Networks and Issuers, and Networks and Acquirers, and Acquirers and Merchants (with carrots and sticks).

In addition to all of this, there were also tracks on NFC/ISIS (which all banks have walked away from in the US), Google Wallet (See Don’t wrap me),  MCX, Durbin, and the implosion of US Retail Banking.

You can see why payment strategy is so dynamic and this area is sooooo hard to keep track of. Seemingly Obvious ideas like the COIN card, are brilliant in their simplicity and ability to deliver value in a network/regulatory muck. This MUCK is precisely why retailers are working to form their own payment network (MCX), retailers and MNOs are taking roles in Retail banking, and why Amex has so much more flexibility (and potential growth).

Payment Value

Key Message for Today.

With respect to Tokens, HCE moves are not the end. While Networks have jumped on this wagon because of HCE’s amazing potential to increase their network CONTROL, Banks now have the opportunity to work DIRECTLY with holders of CARDS on File to tokenize INDEPENDENT of the Networks.

Example, if JPM told PayPal or Apple we will give you:

  • an x% interchange reduction
  • Treat as Card Present, and own fraud (can not certify unless acquirer)
  • Access to DATA as permissioned by consumer
  • Share fraudulent account/closed account activity with you to sync

If you:

  • Tokenize (dynamically) every one of our JPM cards on file
  • Pass authentication information
  • Collaborate on Fraud

This is MUCH stronger business case for participation than V/MA can create (Visa can not discount interchange, or give access to data).

This means that smaller banks will go into the V/MA HCE schemes and larger banks, private label cards, … will DIY Tokens, or work with SimplyTapp in direct relationship with key COF holders.

Sorry for the short blog. Hope it was useful

Token Activity – 10 Approaches?

11 December 2013

I’m preparing for a few institutional investor chats next week in NYC and thought it was time to update my view on the payment landscape. Summary: much chaos and noise, with existing players throwing sand in everyone else’s gears… lots of energy.. but NO HEAT. This blog contains a brief inventory of initiatives I’m aware of. One of the reasons I do this is to solicit further dialog from blog readers.. so your thoughts are always appreciated. It is very difficult for small companies to identify activities which will impact them.. turns out that most non banks and even Visa and MA are ill informed on some of these as well.

In my June Blog Tokens: Merchant Options, and September blog Money 2020: Tokens and Networks I laid out 5 token initiatives.. we have now almost doubled..

The key differentiation between these Token initiatives is WHERE the translation occurs (Wallet, POS, Processor, Network, Issuer).  Translation is also referred to as DIRECTORY, which I define as the mapping of consumer information to payment information (see blog Battle of Cloud Part 1). The owner of the consumer directory is the winner in all of this, as the value of payment pales in comparison to the value of data and the consumer relationship. This is the core of the token battle

Inventory is for POS payments only. 

Token schemes

  • Form A (TCH Pilot – Processor Translation)
    • Consumer Directory: Bank
    • Token is presented to Merchant at POS (QR code, NFC, Barcode, …)
    • POS forwards token to Merchant processor (ie Elavon)
    • Elavon translates token into card through TCH service
    • TCH can resolve token directly (switch to network), or forward to participating bank for resolution (switch to network)
    • Issuer sends Authorization to Elavon
    • POS settlement
    • Patent issues surrounding merchant processor translation of tokens
    • TCH Scheme
  • Form B – Wallet Translation (Push Payments)
    • Consumer Directory: Wallet
    • Token is presented by Merchant and read by Wallet. Token represents MID, TID, Processor and Amount
    • Merchant POS is awaiting authorization as if a card was swiped
    • Wallet sends token to Issuer (circumventing Visa/MA). Note this is WEAK LINK as data connectivity required for Consumer’s phone at POS
    • Issuer translates token into authorization, sends to processor
    • Processor passes authorization through to TID as if card was swiped
    • SMS based payments done in this model for years. Form of tokens could be beacons, QR, biometrics. Difficult to patent as core for operation is consumer directing bank to make payment.
    • Key differences (globally) are how consumer IDs the merchant and amount, and how does issuer pass the auth
  • Form C (C for Chase with their unique VisaNet deal)
    • Consumer Directory: Bank
    • Token is card number, Presentment is TBD.
    • If Merchant is a CMS merchant, Card routes through JPM’s version of Visa net for offers/incentives (given merchant participation.. of which there is none).
    • If Consumer card is JPM then deliver Card Linked Offers. Again.. not much here.
    • Unique capabilities, but all based upon Visa’s network. Barrier to replication is the unique deal that JPM constructed to “branch” VisaNet
    • JPM Visa flow
  • Form E – EMV/NFC
  • Form G (G for Google’s old Mastercard proxy model)
    • Consumer Directory: Google
    • Token is a card number – Issuer is Google (See blog)
    • A plastic version of this was planned in 2012 as reported by Android Police, but was pulled because of high stakes war involving top issuers and Mastercard.
    • Merchant runs transaction as normal
    • Google acts as issuer, receives authorization request and routes to selected card (using facilities of TXVIA).
    • After receiving authorization from funding card, Google authorizes transaction
    • Issuers make all of the interchange they did before, but don’t like being wrapped. They also don’t like the data leakage and the fact that this impairs their ability to offer unique services (10% off at Kinkos).
    • Note: this scheme has a value proposition for everyone.. and banks still don’t like it… Google loses money on every transaction.
    • Another little known fact is that early versions of GW ran in this model due to limitations within NXP’s chip (only supporting one card emulation app)
    • No Patent issues, few other companies could afford to take a loss on every transaction (buying data). Network rules are the primary issue.
  • Form H – Host Card Emulation (Google, MA, SimplyTapp) – I like this one
    • Consumer Directory: Issuer
    • HCE Blog
    • Blend of NFC and Form V below. Simplifies the NFC supply chain
    • No dedicated hardware, NFC just another radio
    • Issuer Creates One time use tokens for EMV key generation
    • Merchant acceptance hurdle CURRENTLY same as NFC
    • Can be leveraged for non EMV purposes (Beacons, QR, wi-fi, …)
    • HCE is GPL, but ability to generate one time use tokens for EMV generation is unique.
  • Form M – MCX/Target Redcard
    • Consumer Directory: Wallet/Retailer
    • See Gemalto/MCX Blog
    • Very similar to Model S (Square) below except wallet is owned by the retailer and form factor is QR code
  • Form P – Paypal/Discover
    • Consumer Directory: PayPal
    • OK… this is not mobile yet.. but since I have Square down below, I thought I would be fair
    • Consumer registered for Paypal Card running on Discover network.
    • Consumer enters phone number at POS + PIN
    • Processor translates phone + PIN into Discover transaction
    • Discover routes to Paypal for authorization
    • Very similar to Model G above
    • Transaction authorized
  • Form S – Square/Starbucks/LevelUp – POS translation
    • Consumer Directory: Wallet/Square/Starbucks
    • Consumer account mapped to phone, ID, voiceprint, card, picture, location
    • POS translates ID to Card
    • POS request authorization as a card not present transaction
    • Consumer Authorization was taken during service registration
    • Consumer receives digital receipt for transaction
    • See Square Stand, LevelUp
  • Form V – Visa/Amex/MA – Network Tokens (TBD)
    • Consumer Directory: Network (Issuers don’t like this)
    • Press Release
    • See blog on Battle of the Cloud Part 4 – Clusters Form
    • Tokens will evolve to a very long number which will be translated to an issuer/account number. This is what Visa/MA do today.
    • Patents will be around generation, use and validation of token. In the future, merchants will not store your card numbers on file (COF), each merchant will have a unique token based upon your actual account number and their own ID.
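The merchant-unique token described under Form V, sketched as an added example (not code from this blog or from any network's token service): a vault derives a 16-digit, Luhn-valid token from the account number and the merchant ID, and only translates it back for the merchant it was issued to. The HMAC construction, the 999999 token range and the merchant IDs are assumptions made for illustration.

```python
import hashlib
import hmac

TOKEN_BIN = "999999"  # constructed 6-digit token range, not a real BIN


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled in the full number
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


class TokenVault:
    """Issuer/network side: the only place a token maps back to a PAN."""

    def __init__(self, key: bytes):
        self._key = key
        self._by_token = {}  # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        if "\x00" in merchant_id:
            raise ValueError("merchant ID must not contain NUL")
        counter = 0
        while True:
            # Keyed derivation: same PAN, different merchant -> different token.
            msg = f"{merchant_id}\x00{pan}\x00{counter}".encode()
            digest = hmac.new(self._key, msg, hashlib.sha256).digest()
            body = f"{int.from_bytes(digest[:8], 'big') % 10**9:09d}"
            partial = TOKEN_BIN + body
            token = partial + luhn_check_digit(partial)
            owner = self._by_token.setdefault(token, (pan, merchant_id))
            if owner == (pan, merchant_id):
                return token
            counter += 1  # 9-digit space collided with another pair: rehash

    def detokenize(self, token: str, merchant_id: str):
        """Return the PAN only when the presenting merchant owns the token."""
        entry = self._by_token.get(token)
        if entry is None:
            return None
        pan, bound_merchant = entry
        if not hmac.compare_digest(bound_merchant.encode(), merchant_id.encode()):
            return None  # token lifted from one merchant is useless at another
        return pan


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN and two made-up merchant IDs.
    vault = TokenVault(key=b"demo-key-do-not-use-in-production")
    pan = "4111111111111111"
    tok_a = vault.tokenize(pan, "MERCHANT-A")
    tok_b = vault.tokenize(pan, "MERCHANT-B")
    print(tok_a, tok_b)
    print(vault.detokenize(tok_a, "MERCHANT-A"))  # PAN comes back
    print(vault.detokenize(tok_a, "MERCHANT-B"))  # None: wrong merchant
```

The merchant's card-on-file database then holds only its own token, so a breach there exposes nothing that authorizes at another merchant.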

From Business Implications of Tokens

Business Drivers

As I outlined in New ACH System in US, my view of Bank business drivers for Tokenization are:

  1. Stop the dissemination and storage of Card numbers, DDA RTN and Account Numbers
  2. Control the bank clearing network. Particularly third party senders and stopping the next paypal where consumer funds are directed to unknown destinations through aggregators.
  3. Own New Mobile POS Schemes to protect their risk investment
  4. Improve ACH clearing speed (new rules, new capabilities to manage risk). In a token model the differences between an ACH debit and a debit card will blend as banks leverage common infrastructure.
  5. Create new ACH based pricing scheme somewhere between debit ($0.21) and credit cards
  6. Regulatory, Financial Pandemic, AML controls (per  blog on HSBC)
  7. Take Visa and MA out of the debit game (yes this is a major story)
  8. Maintain risk models (see both sides of transaction)
  9. Control Retailer’s efforts to form a new payment network

What banks seem to be missing is that mobile payment is not just about payment (see Directory Battle Part 1). Payments SUPPORT commerce, Banks therefore do not operate from a position of control but rather of enablement. Most retailers recognize that Consumer access to credit has resulted in improved retail spending, however most would also say consumer addiction to bank rewards has been detrimental to their margin.

Chip and Signature!?

4 December

I finally received my very first EMV compliant piece of plastic from Citi this week. As I travel frequently to Asia and LATAM I’m very happy. This should help me avoid situations like being stuck at Vancouver Airport without any way to buy a tram ticket from their ATM like ticket machine. Just one thing missing in the package.. a PIN. !!

I went online to see why there was no PIN https://www.citi.com/credit-cards/template.do?ID=chip-technology-questions

Can you believe it… we now have something unique to the US.. CHIP and SIGNATURE!?

Wikipedia tells me that the US, Australia and NZ are the primary countries for this model… I described some of the dynamics in my 2012 blog “EMV Battle Impacts Mobile Payments”

From Chip and PIN to Chip and Choose? Visa wants to encourage signature as these transactions must be routed through them.. my position (and that of most non network people) is that AUTHORIZATION and AUTHENTICATION are completely different problem sets. The availability of real time approval means nothing if you don’t know WHO you are approving for WHICH CARD. PIN answers the “who” question and the chip is the account number or “how” you are going to pay. I just can’t believe that Visa has come up with this story.. but they must in order to support “contactless”. Most consumers don’t know that today contactless transactions have limits. These limits are set by the issuer, in Europe they are typically around $25. However the issuer can choose to increase the limit (no PIN required), or require a PIN with a contactless payment. All of this is a little absurd for Visa as PIN is always viewed as key to authentication, AND Visa just waived the signature requirement for mobile payments. So no signature required for Square.. but Visa wants it optional at the merchant POS so it can retain the volume?…. Expect some Regulatory involvement here.

 

Large Merchants are very, very aware of this strategy to improve the credit transaction mix and make mobile/contactless payments a “premium” service. The top 20 retailers have put their foot down and said “no way” will we be putting contactless readers in our store (MCX members particularly). The terminals that they are ordering DO NOT have contactless capabilities.. only EMV chip and PIN. Most retailers agree that signature is a worthless authentication mechanism. Visa clings to signature in order to ensure transactions are routed through them. Expect MCX to look toward a PIN model..

 

So this EMV “battle” has many sides to it.. it impacts mobile payment adoption, EMV rollout, plastic re-issuance, consumer behavior, consolidation of national PIN debit networks, and EMV compliant ATMs.

So WHY chip and SIGNATURE? The 30 second summary is that “Perfect Authentication” is a Nightmare to Banks (see blog). If there is no risk.. then anyone can be a card issuer. (Credit risk as opposed to the billion dollar fraud/authorization systems).

Business Drivers

Visa/MA

  • PIN is not a desirable consumer behavior, PIN is despised by both Banks and Visa
  • Grease the skids for contactless EMV. Who wants to wave their phone and THEN enter a PIN!? Visa/MA understand that it makes no sense to force a PIN on plastic and provide a “pass” for a wave.
  • PIN provides fantastic fraud prevention and therefore decreases the NEED for other risk management services (by Network and Bank)
  • Ensure that transactions are routed through them (signature debit is primary transaction type at risk).
  • The January 2013 Visa Mandate was a complete surprise to Issuers. I asked a top 3 card issuing CEO why did you commit to EMV. “Tom I found out about it the way you did, in a press release.. Visa has yet to come by my office to discuss EMV”. This gives you an idea on issuer relations. Why did Visa push EMV? to encourage reterminalization and enable mobile (credit card) payments.  Visa knew the big issuers would hate it.. but the Chip and Signature was a “meet in the middle” strategy. Visa created opportunity to enable contactless, and big issuers kept their PIN less advantages.

Issuers

  • Shifts Fraud to Merchants who do not have compliant POS payment terminals
  • Allows large banks to continue to leverage their multi billion dollar investment in fraud infrastructure (Signature + $$ Fraud Infrastructure == security of Chip and PIN)
  • Keeps consumer behavior away from PIN
  • Big banks win, enabling them to leverage multi-billion dollar fraud system investments at the expense of smaller banks. Banks that cannot make the investments will be challenged to support contactless, or EMV, without PIN. This again demonstrates how large banks continue to exert substantial leverage over the card networks in rule making and incentives.
  • The only EMV products coming out in the US are Credit based. Payment strategy is centered around increasing consumer use of credit card products.
  • See my blog on PIN Debit (Signature Debit is Dead). PIN Debit enjoys a slightly higher growth rate (15.6% vs 14.3%), consumer preference (48% vs 34%), lower fraud rate (2009 fraud numbers: Signature $1.12B, $181M PIN debit card), and obvious merchant preferences (interchange and fraud; 96% of PIN fraud losses assumed by issuers, vs 56% in Signature). Source: FRB report

We have an environment where Large Banks and Networks are purposely rolling out a less secure payment product. From the FRB report http://www.frbatlanta.org/documents/rprf/rprf_pubs/120111_wp.pdf

PIN verification provides superior protection against fraud losses… Signature based losses were 13 bps compared to 3.5 bps for PIN

Obviously PIN is more secure, and DEBIT is where EMV should be focused.. But banks DON’T WANT TO MAKE DEBIT SECURE (no margin here). To a non-payments geek this must look completely insane. Is there any wonder that large merchants are working together on a new payment network (MCX)? To understand the payments industry you must throw out all logic.. and look at the incentives. Moves here are NOT logical..  Networks are measured on volume, the entities which are in control of volume are Issuers (switch portfolios). Merchants are motivated by cost of acceptance.

Perfect Authentication… A Nightmare?

4 Nov 2013

Long blog.. load of typos

As I’ve stated before, this blog has been a great way to make new friends and stay in touch with my 100s of friends and former employees around the world. When you are in a small company you tend to lose touch with what else is going on as you no longer have 1000s of folks feeding you market intelligence. Small companies live and die by the risks they take, and I’m primarily focused on reducing risk by sharing G2 and perspective.

Industry History (experts can skip this section)

I’m fortunate to have worked with some of the best teams in both Security and Fraud areas. Back in 1998 I ran Oracle’s Payment and Security National Practice where we did things like PKI, Single Sign On, as well as Oracle’s first Java application: iBill and Pay (built on Oracle’s first Application Server OAS which scaled to 40 users regardless of hardware). I switched from the tech side to the business side in 02, and can assure you that running online Banks keeps you in the security AND Fraud space. In 2008 I left Citibank to go to 41st Parameter (just acquired last month by Experian). 41st Parameter was founded by a visionary fraud prevention guy.. Ori Eisen, with a focus on device ID.

From a Commercial/operational perspective there is always friction between the security teams and the Fraud/Operations teams. The security teams are always working to enhance security, the fraud and operations teams are always working to mop up the mess from any holes in security and create proactive processes by which they can stop it. As I said in my blog last week, if I let security guys have their way with authentication …. customer experience would be awful.. and no one would use online banking. Hence we have services like Risk Based Authentication, Honey Pots, Fraud Controls, …

This same Security vs. Fraud dynamic plays out in payments. From the 1970s to the 1990s banks had built their authorization infrastructure around tools like HNC’s Falcon to create rules based authorization, with daily tuning of rules based upon fraud. Today Banks continue to invest billions of dollars in fraud and risk infrastructure (see blog). The metaphor for competition here:

If you are camping with your friends and a hungry bear comes to your campsite.. you don’t have to be faster than the bear.. you just have to be faster than at least one other camper.

Thus the rule of thumb: fraudsters always attack the easiest target. Big bank billion dollar fraud platforms thus drive fraud to smaller competitors. This enables the large banks with sophisticated controls to derive higher margins in payment products, which drives incremental investment.  This is one reason why large US banks are so resistant to EMV (it levels the playing field). Fraud numbers in the US are not well reported, the best data is from my friend in the UK (see UK Card Association).  Large US banks were not involved (or informed) of Visa/MA’s plans to mandate EMV. As one CEO told me personally “Tom .. to this DAY Visa has never come by my office to discuss EMV, I found out about it the same way you did.. in a PRESS RELEASE.. “ [Top 3 Issuer].

In the late 90s Banks were not prepared for Card Not Present (CNP) Transactions that came from eCommerce. Their fraud systems (ex HNC Falcon rules) were not tuned for this type of transaction. Actually, banks really didn’t care much here because 100% of fraud loss was borne by the merchant. The only Bank impact was helping the customer deal with fraud (and reissuing cards). Thus RETAILERs began investing in Fraud systems and 3rd Party specialists (GSI, CYBS, 41st P, Digital River, 2CO, PayPal, …) emerged to help manage fraud on behalf of retailers. LARGE retailers followed the same path as large banks, investing in custom fraud infrastructure (ie Amazon, Apple, Google, Airlines, …).

Banks thus ceded eCommerce risk management to 3rd parties until around 2003 where 3DSecure was developed (See Wiki. Implemented as VBV by Visa and MSC by Mastercard). Merchants were incented to adopt the scheme by a liability shift (to banks) and an interchange reduction of 5-10bps. Rollout of the scheme in Europe was a disaster (see UK Guardian). Banks now owned a mountain of new fraud losses (as 3DS technology was broken), with only ONE tool to address: Decline Transactions. See my 2010 blog and Schneier’s: Online Credit/Debit Card Security Failure

Mobile

Banks are determined to avoid their prior mistakes, in eCommerce risk/roles,  and take a leadership position in mobile (ie payments, risk, authentication, data, … ). I’ve detailed their efforts in:

Why is mobile so important to Banks?

#1 PRIMARY INTERACTIVE customer touchpoint. 10 years ago, how did you interact with your bank when you were away from home, work and a branch? The only interaction you had was a piece of plastic.  Mobile enables a new class of Services.. but ALL mobile services must add value. The rest of these priorities pale in comparison to consumer touch… Banks are thus experimenting on what they COULD DO with mobile to remake banking.

#2 Authentication. Confirming identity of consumer.

#3 Risk Management. Both gaining additional consumer insight, and enabling new levels of risk control based on this data.

#4 Remaking of Retail Banking (reducing cost to serve)

#5 Mobile Payment.

#6 Partnerships. Sales, Distribution

I’ve touched on #1 many times, but before I go to Authentication/Authorization/Risk, let me provide a brief recap of my many blogs covering the “other services”. As I outlined in Card Linked Offers, what Banks don’t realize is that just because you CAN interact with the consumer doesn’t mean that the consumer WILL. You must actually deliver VALUE if you want to capture consumer TIME. Having run 2 of the largest online banks I know what customers do. Retail Customers log in 3 times a week, check their balance, pay a bill or two and log off (180 seconds later). Bank CEOs.. I gave my recommendation on what you SHOULD be doing in my Bank NewCo blog.

Authentication – THE Linchpin

As I stated in Who do you Trust,

Google and Apple are working to secure their platforms, and assume the central trust role in authenticating the consumer. I’m much more interested in Apple’s new developer APIs than I am in the fingerprint app. How will they begin to “lock down” applications, what new authentication features will they expose to developers? How will they allow consumers to provision sensitive data to other apps?

Hardware is evolving to software (from NFC to the SIM). …[ If Google locks down Android with a new secure OS, they will be in a position to provision Google applications (Maps, mail, search, …), identities, and cloud based services (drive, Google Now, Commerce, …).  The “freeware” model could still exist, but without the cutting edge Google services it becomes a COMMODITY HARDWARE game.

What we will see at Money 2020, is that there is an all-out war going on for the Trust role: Banks (see Tokenization), MA/V, MNOs, Samsung, retailers… everyone realizes this is the “key” to unlocking future value in the convergence of the virtual and physical world.

and in Authentication – A Core Battle for Monetizing Mobile

As Ross Anderson said “if you solve for authentication.. everything else is just accounting”. Think of how much bank infrastructure is dedicated to authentication of the consumer and risk/fraud management. This infrastructure was built over last 30 years because there was VERY poor ability to authenticate a consumer (ex. signature and possession of card) AND inconsistent CONNECTIVITY at each commercial “node” touching the transaction. Today we have complete connectivity, but the MODEL has not evolved from its archaic past.

Beyond Authentication, mobile also plays SUBSTANTIALLY on the risk side, as it enables Banks to interact OVERTLY and COVERTLY with the customer. For example a risk system could ask: is the customer’s cell phone within 20 yards of their transaction (at X merchant).  Or even issue the customer a one-time PIN (or PIN request) to complete transaction.
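The proximity question and the one-time PIN step-up described above, as an added example (not code from this blog or from any bank's risk system): a missing, stale or too-coarse phone location never declines the transaction, it only moves it to a PIN challenge. The coordinates, every threshold other than the 20 yards, and all names are constructed assumptions.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000
YARD_M = 0.9144


def distance_yards(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in yards."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) / YARD_M


@dataclass
class PhoneFix:
    lat: float
    lon: float
    accuracy_yards: float  # uncertainty radius reported by the handset
    age_s: float           # seconds since the fix was taken


def decide(merchant_lat, merchant_lon, fix: Optional[PhoneFix],
           max_yards=20.0, max_age_s=120.0):
    """'APPROVE' if the phone is demonstrably at the POS, else 'STEP_UP'."""
    if fix is None or fix.age_s > max_age_s:
        return "STEP_UP"   # no usable covert signal: ask overtly
    if fix.accuracy_yards > max_yards:
        return "STEP_UP"   # fix too coarse to prove anything at 20 yards
    near = distance_yards(merchant_lat, merchant_lon, fix.lat, fix.lon) <= max_yards
    return "APPROVE" if near else "STEP_UP"


class OneTimePins:
    """Single-use, short-lived PINs bound to one transaction ID."""

    def __init__(self, ttl_s=90.0, max_attempts=3):
        self._key = secrets.token_bytes(32)
        self._ttl_s = ttl_s
        self._max_attempts = max_attempts
        self._pending = {}  # txn_id -> [mac, expires_at, attempts_left]

    def _mac(self, txn_id, pin):
        # Store a keyed MAC, never the PIN itself.
        return hmac.new(self._key, f"{txn_id}:{pin}".encode(), hashlib.sha256).digest()

    def issue(self, txn_id, now):
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = [self._mac(txn_id, pin), now + self._ttl_s,
                                 self._max_attempts]
        return pin  # delivered to the phone out of band

    def verify(self, txn_id, pin, now):
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if now > expires_at:
            del self._pending[txn_id]
            return False
        if hmac.compare_digest(mac, self._mac(txn_id, pin)):
            del self._pending[txn_id]   # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[txn_id]   # too many guesses: PIN is burned
        return False


if __name__ == "__main__":
    # Constructed sample: merchant POS and a phone fix about 11 yards north.
    pos = (37.7749, -122.4194)
    fix = PhoneFix(37.77499, -122.4194, accuracy_yards=5.0, age_s=10.0)
    print(decide(*pos, fix))
    pins = OneTimePins()
    pin = pins.issue("txn-001", now=0.0)
    print(pins.verify("txn-001", pin, now=30.0))
```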

Perfect Authentication – A threat to Banks?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

If we made an inventory of payment systems (technical investment) between merchant to consumer bank we would see today’s systems, processes and rules would be DESTROYED by a future state of connectivity and authentication. I’m sure this one line statement will be questioned “prove it”, but I don’t have time.. I’ll leave it to someone else. Take this statement for what it is: my opinion.

Authentication is 0-1, Risk and Fraud deal in shades of grey. For example, if there is a CHANCE that Joe Smith is really at the end of the transaction, and he is my wealth customer, I’ll let him in the door, see what he wants to do and then risk it based on it. I certainly won’t LOCK HIM OUT. Another example, if I could authenticate a customer why do I need to make the transaction secure? This is the BEAUTY of the Square “pay with your name” scenario. Why do I need tokens? Someone just needs to map consumer ID to payment types.

The very concept of payment “products” begins to dilute. No more credit, debit, pre-paid, Amex, ACH, check, … In a world of perfect Authentication “old line” products evolve toward dumb pipes as competition shifts to speed and cost (not risk).

From Cash Replacement

Networks are designed around a value proposition.  For payments to flourish, a coordinated system of instructions which can be read by trusted participants is necessary. Providers of payment services must consider what network participants are providing in order to collaborate in risk management and settlement; the greater the number of consumers and businesses that participate, the greater the collaboration and interdependency. As more people adopt the payment system, its value increases, since it provides access to more people; this encourages larger networks. Not only do the benefits increase as the network expands, but the per unit cost of service falls. This behavior is the basis for what economists refer to as a “network effect”.

Once a payment system reaches a “critical mass”, economic value will be created at the ends of networks. At the core (the point most distant from users) generic, scale-intensive functions will consolidate. At the periphery (the end closest to users) highly customized connections with customers will be made. This trend pertains not only to technological networks but to networks of banks as well as small merchants and even to consumers who engage in shared tasks. From a payment network perspective, this means that the “routing” of payments will provide much less revenue opportunity than managing the end points (e.g. the customer interaction or the products which are sold on the network).

…] Payment networks are inherently “sticky” with investments required by consumers, merchants, and banks for effective functioning. Payment networks also have substantial government involvement to support Commerce and Treasury functions that ensure stability, resilience and protection of parties. Innovation in payments is challenged by this network dynamic. As most small companies know, getting a bank to make a decision is tough… but nothing compared to getting 4-6 groups (issuers, acquirers, merchants, MNOs, Regulators, networks, ..) to collaborate in making coordinated change. A level of difficulty that is only superseded by the challenge new entrants face in competing directly against these existing networks.

A truly jaw dropping piece of research was completed last month by NYU’s Thomas Philippon (http://www.voxeu.org/article/where-wal-mart-when-we-need-it).

The cost of intermediation grows from 2% to 6% from 1870 to 1930. It shrinks to less than 4% in 1950, grows slowly to 5% in 1980, and then increases rapidly to almost 9% in 2010

In other words Payments and Banking are one of the few network businesses in the HISTORY OF MAN to grow less efficient (rail, telecom, energy, …). This is BY DESIGN as the orchestrators of banking have successfully created constructs to squeeze COMMERCE. Further demonstrating that existing payment networks are incapable of leading ANY FORM of creative destruction. As I stated in Commerce Battlefield

Mobile is a platform which enables a radically improved customer experience. With respect to payments it also offers a unique ability to authenticate a consumer (fingerprint, GPS, cell tower location, voice, camera, …). Yet, no banks are looking to leverage these “new” capabilities in a “new” payment system. After all, given a clean sheet of paper, no one in their right mind would design a payment system like we have in Visa/MA: present a credential to a merchant, who passes to a processor, who passes to network and routes to issuer to approve a customer transaction… giving the auth to everyone in the chain again.. and getting back another message. If everything is connected why not just ask the consumer to send the money from their bank (ex Sofort, Push Payments; also read Banks will Win in Payment).

Why? Well because Banks can’t make money in a Sofort model.. (would need to create all new merchant agreements). This is why Banks are going through contortions to stay within Visa/MA, yet attempting to alter it fundamentally (ie Tokens). … (Also see Push Payments)

Regulation… the KEY

Payments, telecom, commerce, customer data, … all are regulated (merchants … not so much). Banks are completely justified in seeking solutions to their current regulatory burden. After all they bear most of the AML, BSA, CFPB, FED, OCC, .. burdens here. What needs to happen is that regulators must allow non-bank entities to bear risk. This is where innovation occurs. See blog US Payment Innovation and Regulation

CEO View – Battle of the Cloud Part 5

There is a payment cluster war going on right now and it is the subject in the C Suite in Banks and the Payment industry. The battle is happening at every level. I’ll be leading a panel at Money 2020 which addresses several of these items, with participation from V/MA… should be interesting. Here are a few updates.

22 July 2013

This post is a continuation/update to my post back in March Network War – Battle of the Cloud Part 4. Sorry for typos.

There is a payment war going on right now and it is the subject of C Suite strategy talks. The battle is happening at every level. I’ll be leading a panel at Money 2020 which addresses several of these items, with participation from V/MA… should be interesting. Here are a few updates.

Network Clusters

Network/Routing/Rules

  • $8B Revenue Impact. I apologize to my EU readers for my constant US focus. Let me break the mold now to emphasize the earth shaking changes going on in the EU (See today’s NYT blog, and today’s WSJ). Going from 250bps + cross border fees to 30 bps will be tremendous, and may set a precedent for the US litigation between Visa/MA and top retailers.
  • EU provides a glimpse at what a world of payment “dumb pipes”  and least cost routing looks like (see Blog Payments Innovation in Europe).  Canada and Australia also follow these lines in debit (see Blog). Also see my favorite case study in Europe  Sofort – ECB analysis, and Push Payments.
  • Networks, and their members are reacting to regulation and positioning themselves (individually) to “push” their respective vision of innovation in order to protect their brand and network (see Visa Money Transfer, and Visa Portfolio Manager). I don’t mean to limit this to just Visa and Mastercard (see picture, and blog).
  • New networks are forming (see Blog on Clusters)
  • Large issuers like JPM have successfully forced Visa to break/segment its Visa net, and run under unique JPM/CMS rules with new capabilities. Visa’s CEO comments to investors: “rules must be consistent with Visa”.. My view is that this is a major crack in Visa’s network ownership (see Golden Goose on the Menu).
  • From a wallet perspective the rules on “wrapping” are killing much innovation (see don’t wrap me). Top issuers are actively working to inhibit wrapping of their payment products (ex Mastercard’s staged digital wallet fee of 35bps on PREVIOUS years volume of over $50M..  which only impacts paypal).  Similarly Amex and Visa are working to ensure their cards are not wrapped.
  • Rules are being issued and ignored, from Visa Money Transfer to EMV (see below). Banks tell Visa “do you want me to write the waiver or will you send it over… as we are not going to do this”.. which is one reason JPM just created its own unique rule set. Similarly US merchants face a liability shift (on to them) if they do not accept EMV cards (chip and pin). All are playing a game of chicken as no one wants to re-issue plastic. Visa has created a new type of EMV, chip and SIGNATURE, which makes absolutely no sense at all, but helps them keep customers away from PIN (which Visa despises, but everyone else loves).
  • Cross border fees (see blog). As 20%-30% of network revenue moves to these fees, it is becoming a substantial pain point for global banks like Citi, HSBC, Barclays, .. A big topic I can’t fully cover here.

Issuance

  • US Banks are spending 90% of their time in innovation around Credit Cards. Exception is Bank of America and to some extent my old team at Wells. In either case the banks have hit a wall, and recognize that innovation can’t happen in a 4 party network. American Express is 5 years ahead of them and they can’t catch up.. they must change.
  • The NATURE of card competition is changing in both credit and debit. Traditional Payment revenue is being REGULATED AWAY as payments become “dumb pipes”. The goal most have recognized is that the real value to be unlocked is in commerce data, particularly Payment Enabled CRM (see blog). Examples of just how focused this effort is: 22 Banks working in Secure Cloud, ~$1B in Google Wallet Investment, ~$500M in ISIS investment, JPM just hired Len Laufer (former CEO of Argus Data) to be the new CEO of Data in Chase.
  • Banks thus need to build a network which can accommodate both payments and “other data” which they own and control (like Amex)… hence “tokenization” (see Blog, and TCH Announcement).
  • Tokenization is currently going nowhere.. but it is “impacting” the industry and many start ups as banks and networks position themselves (see JPM/Visa Blog, Start up implications).
  • Visa and MA also have their own secret token efforts. Merchants have a much better short term win in this approach with a liability shift and reduction in interchange, but they also know from past experience that if the issuers are not on board, there will be a much broader business impact in declines (see VBV post, and Visa’s Token Strategy).
  • Retailers are attacking from below. Bottom 40% of mass market customers are not profitable for banks (Durbin related items ranging from NSF fee changes, to debit interchange) . These customers are profitable for retailers like Walmart, Tesco, Target, .. (see Blog).
  • Telcos have a chance to own a new payments network, as they have both physical distribution, customer relationship, connectivity and device.. but they are focused on controlling a handset in a walled garden strategy. To succeed they must refocus efforts on COMMERCE, which means partnering with all participants to construct a value proposition (see blog).

Acquiring

  • The first hurdle of any “New” network is to get the merchants and acquirers on board.
    1. This is NOT going well for companies like Paypal … hence the complete failure of their DFS partnership (see blog). Specifically, there is at least one major acquirer which is refusing to route traffic on any of these new Discover/Paypal BINs, as well as at least 2 major retailers. Although Discover is a 3 party network, they only acquire directly for their top 100 merchants. Therefore Paypal must “incent” and negotiate with every single other acquirer AND merchant.
    2. Chase is working to build a new CMS acceptance brand, which will be different from Visa.
    3. Retailers are building their own network (MCX), and have hired Dekkers Davidson, a tremendous executive, to lead it.
  • Roughly 60% of acquiring profits come from bottom 30% of merchants. There are small independent merchants that are paying over 5% in acceptance fees thanks to the poor transparency within the ISO sales process. Companies like Levelup and Square are changing this (2.75% flat, or free if you commit to marketing). I’ve eaten my shoe on Square, as I never fully understood how badly the ISOs were treating small independent retailers. Their solution solves a short term pain point and also improves customer experience.
  • Acquirers are making POSITIVE headway in merchant friendly services (see blog), particularly helping merchants “merge” consumer data to gain new insights for loyalty and incentives. They are challenged to quickly ramp up this services revenue, in order to overcome the new aggregators acting on the side of small independents (ie Square).

POS Acceptance

  • Has anyone seen the graph of Verifone’s stock? Market cap of under $2B. A hardware company that could not adapt to a software world. At the bottom end they are being eaten by free Roam/Square dongles, and at the top end they are facing integrated POS Terminals from IBM/Toshiba and Micros. Dedicated payment terminals are commodities, and thus suffer from commodity like competition. Grand hopes for re-terminalization with EMV and NFC are not happening (see blog). New dongles and mobile acceptance infrastructure are developing even in the complex EMV space (see Tedipay.com)
  • POS strategy centers around data as well. Google’s Zave purchase has given them opportunity to help retailers focus advertising and eliminate paper coupons independent of payment network. Other leaders like Fishbowl and Open Table in Restaurants have integrated into the POS. The BIG idea here is to integrate the POS to the cloud and Google is now 5-7 yrs ahead of everyone (2 yrs engineering, 2 yrs IBM Certification, 3 yrs to sell and test w/ retailers, +++ yrs in content/ads/targeting).
  • Square’s new Stand is an integrated payment, POS, inventory management, CRM, marketing and loyalty system.. all on an iPad.
  • Payment Terminal “software”. Verifone’s Verix architecture and equivalent schemes have failed. The idea was to allow 3rd party developers to create “apps” for a non-secure space in the payment terminal. For example, 2 years ago, Google’s first version of wallet leveraged NFC to communicate “coupons” to the payment terminal, which then relayed them to the POS. Problems are obvious.. A grocer like Safeway has a 2,000 person development team around their IBM 4690 POS; guess how many engineers support the payment terminal? NONE. They don’t want apps on a PCI compliant payment terminal.. it goes beyond the question of who will manage them. Also note that payment terminal interaction with the POS is simple today (payment request and authorization). There is also significant development work to RECEIVE coupons from a PAYMENT Terminal.

Services

  • This section could fill a book, so I will make this brief. All network participants are working to deliver services. The 4 party networks cannot innovate. For example, take a look at my very first blog; the topic was Googlization of FS. Visa built an offers service with Monitise and Clairmail 3-4 yrs ago, but the large issuers refused to use it, preferring to innovate themselves. Another example is V.me, a topic which makes Card CEOs red faced. These points exemplify the dynamic w/ V/MA and the large issuers.. Issuers want to dumb down the pipes and limit services, V/MA want to grow them and relationships with consumers.
  • Current state is myopia.. everyone is working as if they uniquely own the customer. Banks and Card Linked offers are top example. When you go into a bank branch, do you want to buy socks? dog food? Of course not! Banks have great data but they are in no position to run an advertising campaign. I’ve run 2 of the largest online banks in the world (Citi and Wachovia) and can tell you retail customers spend about 90 seconds with me, they log on check their balance make a payment and leave. They don’t stay around to click on coupons. Commerce, and retail, is in the midst of a fundamental restructuring as online and off line worlds converge in new ways (beyond show rooming).
  • Payments are just a small part of the overall commerce value chain, yet they have by far the highest cost. The proposed 30bps EU fee cap may occur in other markets, thus banks are working feverishly to build services to replace this revenue (primarily around credit cards), with CLOs largely failing to deliver value (see blog). Yesterday we saw Ally Bank discontinue Card offers, following Amex last week.

EMV Battle Impacts Mobile Payments

20 September

Almost everyone knows of the EMV efforts in the US, with Visa implementing a liability shift on October 1, 2015. In this model, any merchant that is presented with a chip and pin card, but is not capable of processing it (as an EMV), will bear fraud loss. There have been very BIG swings in strategy over the last 6-8 months. The big issuers were all dead set against EMV.. saying they could not afford the cost to re-issue. Now all are on board… why? This is what I’m thinking about today….

Merchants have always loved PIN Debit (see blog). PIN was the cheapest transaction type prior to Durbin, and post Durbin PIN still has the unique advantage of allowing the merchant to route without going to Visa at all. Remember PIN Debit lineage was from ATM networks. Merchants also like the fact that 96% of PIN Debit fraud losses are assumed by issuers..

Visa/MA hate PIN Debit.. the countries where it has taken off like Canada-Interac, Australia EFTPOS, China Union Pay… have domestic clearing networks. This means that transactions are no longer routed through Visa/MA. In the US we have 8 debit networks (see blog). It makes little sense to continue all of these separate PIN debit networks if merchants can route directly to banks… The banks were thus looking at consolidation similar to what was done in the countries above. In other words, banks were planning to take Debit back from Visa/MA in a bank owned network. After all, Bank margin improves in the PIN model (post Durbin) when payments are routed directly to them (they don’t pay a network fee ~10 bps).

Visa read the tea leaves… So how can Visa/MA stop the bank and merchant love affair w/ PIN? Force EMV…

The Merchant Stick? How will Visa “force” merchants to accept contactless? (See Visa Document)

Domestic and cross-border counterfeit liability shift. Merchants that cannot accept an EMV or contactless card when presented one by a customer will bear the liability of a fraudulent transaction instead of the issuer after October 1, 2015.

The Merchant “Carrot”?  Visa TIP program

TIP program allows merchants to be excused from validating their PCI DSS compliance for any year that at least 75 percent of their Visa transactions come from chip-enabled point-of-sale terminals. There are also subsidies for terminal upgrades … To qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program.

Visa’s effort to include contactless in the TIP program is very strategic. To gain the benefits of TIP, merchants must reterminalize with both contact and contactless EMV capability. Why? Well for one reason there are no contactless debit cards out there… yes everything is a credit card. These of course carry much higher fees… The other advantage of TIP is that the PCI-DSS waiver is like a “get out of jail free” card. Merchants can’t get the card without contactless… If this weren’t enough… not only does VISA want contactless.. they also want signature.

Visa says PIN not necessary – Green Sheet

“There’s a lot of confusion around the myth that EMV means ‘chip-and-PIN,’” Stephanie Ericksen, Visa Head of Authentication Product Integration, said in a blog published Jan. 13, 2012. “It doesn’t in many countries, including the U.S. That’s because, in the U.S., we can rely on online processing where transactions are transmitted in real time to the issuer for approval. With that in place, there’s no need for the offline authentication that was the genesis of chip-and-PIN.”

From Chip and PIN to Chip and Choose? Visa wants to encourage signature as these transactions must be routed through them.. my position (and that of most non network people) is that AUTHORIZATION and AUTHENTICATION are completely different problem sets. The availability of real time approval means nothing if you don’t know WHO you are approving for WHICH CARD. PIN answers the “who” question and the chip is the account number or “how” you are going to pay. I just can’t believe that Visa has come up with this story.. but they must in order to support “contactless”. Most consumers don’t know that today contactless transactions have limits. These limits are set by the issuer; in Europe they are typically around $25. However the issuer can choose to increase the limit (no PIN required), or require a PIN with a contactless payment. All of this is a little absurd for Visa as PIN is always viewed as key to authentication, AND Visa just waived the signature requirement for mobile payments. So no signature required for Square.. but Visa wants it optional at the merchant POS so it can retain the volume?…. Expect some Regulatory involvement here.

Large Merchants are very, very aware of this strategy to improve the credit transaction mix and make mobile/contactless payments a “premium” service. The top 20 retailers have put their foot down and said “no way” will we be putting contactless readers in our store (MCX members particularly). The terminals that they are ordering DO NOT have contactless capabilities.. only EMV chip and PIN. Most retailers agree that signature is a worthless authentication mechanism. Visa clings to signature in order to ensure transactions are routed through them. Expect MCX to look toward a PIN model..

So this EMV “battle” has many sides to it.. it impacts mobile payment adoption, EMV rollout, plastic re-issuance, consumer behavior, consolidation of national PIN debit networks, …

Comments appreciated.

MasterCard follows Visa’s lead on EMV Push

31 January 2012

http://www.mastercard.us/mchip-emv.html

Yesterday MA followed Visa’s lead and announced plans to support US rollout of EMV. Many of you are probably wondering what this all means in light of mandates and deadlines. The politics and business drivers behind this push are quite complex, but it is important to note that neither large US issuers nor retailers are enthused about this push for one primary reason: there is no business case for the change (on either side). Historically, networks do not change without sound financial incentives (or some sort of regulatory mandate).

A Bank makes money by managing risk. Within the payments space large banks have invested billions of dollars in custom fraud infrastructure. The effect (if not the goal) of bank investment in custom fraud infrastructure is to push fraud into the weakest link (or bank) in the network. Smaller banks must seek partners like FIS, FirstData and the Networks to help them keep up. The EMV standard is used by card issuers in just about every market globally, except the US. EMV is effective in addressing certain kinds of fraud such as counterfeit and skimming. Within an EMV environment, international issuers and acquirers thus could relax in maintaining related fraud controls IF cards existed in an EMV-only environment. However international travelers to the US and US travelers abroad lead to fraud “leakage”. US issuers did not suffer, due to their fraud infrastructure, but the other banks have.

Thus the “true” benefits of EMV cannot occur until there is 100% adoption at POS (10M in US) and complete elimination of the mag stripe in the plastic that we all carry (approximately 1.5 billion in US). This is the conundrum facing any new technology here: New Plastic must completely replace the old. In other words there is no “Incremental” fraud savings to an incremental rollout, nor is there a business case for either issuer or retailer to implement. Add to this the fact that EMV is 20 year old technology and we have a very challenging environment.

What are the benefits in retail? Both Visa and MA have established a carrot and stick approach. Given only the issuer can reduce interchange, the carrot is reduced PCI compliance costs and some terminal subsidy. The stick is a liability shift to the merchant if a consumer presents an EMV capable card and the merchant terminal does not accept it. Given that the big issuers have no plans to reissue cards, the merchant risk is fraudulent EMV cards (starting in Oct 2015 for Visa). Perhaps if retailers see an EMV card, they should request an ID. For issuers, the compliance dates are longer and the stick which Visa and MA have constructed is weaker given that US issuers already bear costs of card present fraud.

So what are Visa and Mastercard trying to accomplish? From a political standpoint they must address the international issuer concerns and be viewed as supportive of the EMV standard. But more importantly Visa and MA want to cement their control of the network, particularly in two areas: mobile and US debit cards. In mobile, Visa and Mastercard are aggressively trying to make mobile POS payments a “premium” service used exclusively by credit cards. A key to success in mobile is POS readiness to support contactless payment. The EMV mandate certainly helps provide another incentive to merchants. With respect to debit, the Durbin Amendment has impacted the incentives for US banks to continue support of Signature Debit. In the US, PIN Debit enjoys a slightly higher growth rate (15.6% vs 14.3%), consumer preference (48% vs 34%), lower fraud rate (2009: Signature $1.12B, PIN debit card $181M), and obvious merchant preferences (96% of PIN fraud losses assumed by issuers, vs 56% in Signature). PIN debit transactions do not need to be routed through Visa and MA, and PIN only cards do not require their logo. EMV debit cards may be a tool for Visa to maintain a US debit business (MA US debit penetration is low).

What to expect?

Note that in virtually every geography, EMV was a regulatory driven initiative. In the US this is not the case, as the large banks have proven capable of managing fraud. Large issuers are thus reluctant to undertake any mass reissuance of cards, and US regulators are reluctant to have US Banks pay for a system that will primarily benefit issuers outside of the US. My guess is that we will start to see a trickle of new cards being issued on EMV starting in 2014 or so.

Retailers will have a similar adoption dynamic as they assess cards being used at their stores, and what future payment networks may offer not only in terms of compliance and interchange, but also in delivering customers through incentives and advertising.  I’m certain that the retail “first movers” in NFC must be pulling their hair out as they discover that their new NFC payment terminals are not equipped to accept the mandated EMV card. These retail CEOs will discover that the “stutter” in reterminalization was intentional and it will be a cost they will bear twice in 2 years.

In this dynamic environment, there will be high demand for companies that can help retailers develop a plan and navigate this chaotic environment. Oddly enough, start ups like Square and Payfone may have a tremendous advantage in simplifying the checkout process. In other words, EMV could actually provide the impetus for new payment networks to gain a foothold.

EMV in US? No Way

Update Sept 2014

Did EMV in the US happen? Well to the surprise of issuers, Visa announced a scheme change in the US in August 2011 (see PR). The big issuers were not consulted about this program prior to rollout, as the dynamics described below in my previous article were occurring. Additionally banks were working on a new scheme that would leapfrog EMV: Tokenization.  The large banks were working on this scheme without the involvement of Visa and MA. If successful, this new token scheme would have bypassed V/MA altogether. I believe one of the reasons for this EMV push by Visa was to reassert its control of the network. Today we see quite a bit of friction remaining here between issuers and networks. See my blog on Chip and Signature for a view on some of the remaining chaos.

The new EMVCo token scheme, announced in October 2013, formalized in March 2014 and rolled out first with ApplePay in Sept 2014, is the new “best” scheme on the planet. In this scheme, the networks have taken over the original bank token model. Of course banks can also serve as TSPs, but none of them are currently prepared (as of Sept 2014).


 

Original Oct 2009 A

As I was reading an article concerning “why US Card issuers should move to EMV”, I was struck by the amount of “disconnectedness” on this topic in the industry.

A quick background for those unfamiliar:

  • EMV is a “Chip” that replaces the mag stripe on a credit card http://en.wikipedia.org/wiki/EMV
  • Rolled out in Europe in 2004 w/ hope that fraud would go down (it actually just shifted to Card not present “CNP” transactions)
  • European issuers are also acquirers. In US these functions have been separated w/ exception of AMEX
  • European banks are complaining that US cards in EMEA markets and EMEA cards in US markets are the weaknesses in their beautiful vision of a “Chip world”. EMEA acquirers are also threatening to stop accepting US (mag stripe) cards.
  • US Adoption of EMV would take 10+ yrs for banks to re-issue cards and for all merchants to replace all terminals that use the mag stripe.
  • Issuers in the US don’t collaborate very often because of anti-trust concerns. Rules are set by networks… in which banks are Board members. Big banks like competing through “best practice” in fraud management. Small issuers have trouble in the arms race.

US Issuers are exercising sound judgment in not jumping on the EMV bandwagon, yet many industry pundits (without access to the data) continue to push a POV that we in the US are somehow backward. Just take a look at the UK fraud data, the card losses have grown from 122M GBP in 1997 to 531M GBP in 2007, and 610GBP in 2008. What did the EMV investment “buy” the UK issuers? A detailed look at this fraud data (APACs confidential) shows that fraud adapted to the next weakest point in the card chain: CNP.

The US banks are highly motivated to do the right thing here, but the solution requires coordinated movement by 4+ highly fragmented groups (Issuers, Acquirers, Networks, Merchants).  The US banks do get together to discuss these topics, primarily at the Philadelphia Fed.  The top request from the banks (to their regulators) was to free their hands in working together on fraud and standards without fear of anti-trust reprisals.. A request that took on no owner, as the number of agencies involved were challenged to work between themselves (FTC, OCC, Fed, …)

http://www.philadelphiafed.org/payment-cards-center/publications/update-newsletter/2009/spring/spring09_06.cfm

Independent of the political challenges that the issuers face in the US, EMV is not the initiative to bring them together.

  • Old technology (will not last the 10yrs it will take to roll out in US)
  • Expensive (POS, Card). Costs are not borne equally in network
  • No proof point, fraud did not go down in UK, CNP was not addressed. http://www.computeractive.co.uk/computeractive/news/2238913/apacs-releases-fraud-figures
  • Fraud Shifts to the next weakest point, it is not static
  • Big issuers like to compete on risk management
  • No benefit from “incremental” rollout of any technology (below)
  • “Health” of issuers (below)

The “true” benefits of EMV will not occur until there is 100% adoption at POS (complete elimination of the mag stripe), and all other weaknesses are addressed (primarily CNP). That is the conundrum facing any new technology here:  New Plastic must completely replace the old. In other words there is no “Incremental” fraud savings to an incremental rollout.

Where there is chaos there is opportunity…

With respect to card use at the POS in the US, prospects for NFC in mobile handsets are very exciting. NFC enabled handsets provide great customer convenience and the cost(s) are not borne by the banks. I highly recommend the business whitepaper below for those interested in the subject.

http://www.gsmworld.com/documents/gsma_pbm_wp.pdf

Other Data

NCL losses of Top Issuers for 3Q09

Top 5 issuers have seen their businesses deteriorate substantially, as NCLs moved from ~3% in 2007 to 10-12% currently. 3Q09 Examples (Data is for QUARTER)

  • Citi. NCL of $4.2B
  • JPMC. NCL 9.41% (ex WaMu), Card Net Income ($700M) for quarter
  • BAC. NCL $5.47B, 12.9%
  • CapOne. NCL $2.3B, 10%

 

http://www.javelinstrategy.com/2009/08/06/emv-us-magnetic-stripe-credit-cards-on-brink-of-extinction/