Token Activity – 10 Approaches?

11 December 2013

I’m preparing for a few institutional investor chats next week in NYC and thought it was time to update my view on the payment landscape. Summary: much chaos and noise, with existing players throwing sand in everyone else’s gears… lots of energy.. but NO HEAT. This blog contains a brief inventory of initiatives I’m aware of. One of the reasons I do this is to solicit further dialog from blog readers.. so your thoughts are always appreciated. It is very difficult for small companies to identify activities which will impact them.. turns out that most non banks and even Visa and MA are ill informed on some of these as well.

In my June Blog Tokens: Merchant Options, and September blog Money 2020: Tokens and Networks I laid out 5 token initiatives.. we have now almost doubled..

The key differentiation between these Token initiatives is WHERE the translation occurs (Wallet, POS, Processor, Network, Issuer).  Translation is also referred to as DIRECTORY, which I define as the mapping of consumer information to payment information (see blog Battle of Cloud Part 1). The owner of the consumer directory is the winner in all of this, as the value of payment pales in comparison to the value of data and the consumer relationship. This is the core of the token battle

Inventory is for POS payments only. 

Token schemes

  • Form A (TCH Pilot – Processor Translation)
    • Consumer Directory: Bank
    • Token is presented to Merchant at POS (QR code, NFC, Barcode, …)
    • POS forwards token to Merchant processor (ie Elavon)
    • Elavon translates token into card through TCH service
    • TCH can resolve token directly (switch to network), or forward to participating bank for resolution (switch to network)
    • Issuer sends Authorization to Elavon
    • POS settlement
    • Patent issues surrounding merchant processor translation of tokensTCH Scheme
  • Form B – Wallet Translation (Push Payments)
    • Consumer Directory: Wallet
    • Token is presented by Merchant and read by Wallet. Token represents MID, TID, Processor and Amount
    • Merchant POS is awaiting authorization as if a card was swiped
    • Wallet sends token to Issuer (circumventing Visa/MA). Note this is WEAK LINK as data connectivity required for Consumer’s phone at POS
    • Issuer translates token into authorization, sends to processor
    • Processor passes authorization through to TID as if card was swiped
    • SMS based payments done in this model for years. Form of tokens could be beacons, QR, biometrics. Difficult to patent as core for operation is consumer directing bank to make payment.
    • Key differences (globally) are how consumer IDs the merchant and amount, and how does issuer pass the auth
  • Form C (C for Chase with their unique VisaNet deal)
    • Consumer Directory: Bank
    • Token is card number, Presentment is TBD.
    • If Merchant is a CMS merchant, Card routes through JPM’s version of Visa net for offers/incentives (given merchant participation.. of which there is none).
    • If Consumer card is JPM then deliver Card Linked Offers. Again.. not much here.
    • Unique capabilities, but all based upon Visa’s network. Barrier to replication is the unique deal that JPM constructed to “branch” VisaNet
    • JPM Visa flow
  • Form E – EMV/NFC
  • Form G (G for Google’s old Mastercard proxy model)
    • Consumer Directory: Google
    • Token is a card number – Issuer is google (See blog)
    • A plastic version of this was planned in 2012 as reported by Android Police, but was pulled because of high stakes war involving top issuers and Mastercard.
    • Merchant runs transaction as normal
    • Google acts as issuer receives authorization request and routes to selected card (using facilities of TXVIA).
    • After receiving authorization from funding card, google authorizes transaction
    • Issuers make all of the interchange they did before, but don’t like being wrapped. They also don’t like the data leakage and the fact that this impairs their ability to offer unique services (10% off at Kinkos).
    • Note: this scheme has a value proposition for everyone.. and banks still don’t like it… Google loses money on every transaction.
    • Another little known fact is that early versions of GW ran in this model due to limitations within NXP’s chip (only supporting one card emulation app)
    • No Patent issues, few other companies could afford to take a loss on every transaction (buying data). Network rules are the primary issue.
  • Form H – Host Card Emulation  (Google, MA, SimplyTapp) I like – this one
    • Consumer Directory: Issuer
    • HCE Blog
    • Blend of NFC and Form V below. Simplifies the NFC supply chain
    • No dedicated hardware, NFC just another radioExposure: 000 : 00 : 00 . 156 %Accumulated%=0
    • Issuer Creates One time use tokens for EMV key generation
    • Merchant acceptance hurdle CURRENTLY same as NFC
    • Can be leveraged for non EMV purposes (Beacons, QR, wi-fi, …)
    • HCE is GPL, but ability to generate one time use tokens for EMV generation is unique.
  • Form M – MCX/Target Redcard
    • Consumer Directory: Wallet/Retailer
    • See Gemalto/MCX Blog
    • Very similar to Model S (Square) below except wallet is owned by the retailer and form factor is QR code
  • Form P – Paypal/Discover
    • Consumer Directory: PayPal
    • OK… this is not mobile yet.. but since I have Square down below, I thought I would be fair
    • Consumer registered for Paypal Card running on Discover network.
    • Consumer enters phone number at POS + PIN
    • Processor translates phone + PIN into Discover transaction
    • Discover routes to Paypal for authorization
    • Very similar to Model G above
    • Transaction authorized
  • Form S – Square/Starbucks/LevelUp – POS translation
    • Consumer Directory: Wallet/Square/Starbucks
    • Consumer account mapped to phone, ID, voiceprint, card, picture, location
    • POS translates ID to Card
    • POS request authorization as a card not present transaction
    • Consumer Authorization was taken during service registration
    • Consumer receives digital receipt for transaction
    • See Square Stand, LevelUp
  • Form V – Visa/Amex/MA – Network Tokens (TBD)
    • Consumer Directory: Network (Issuers don’t like this)
    • Press Release
    • See blog on Battle of the Cloud Part 4 – Clusters Form
    • Tokens will evolve to a very long number which will be translated to an issuer/account number. This is what Visa/MA do today.
    • Patents will be around generation, use and validation of token. In the future, merchants will not store your card numbers on file (COF), each merchant will have a unique token based upon your actual account number and their own ID.

From Business Implications of Tokens

Business Drivers

As I outlined in New ACH System in US, my view of Bank business drivers for Tokenization are:

  1. Stop the dissemination and storage of Card numbers, DDA RTN and Account Numbers
  2. Control the bank clearing network. Particularly third party senders and stopping the next paypal where consumer funds are directed to unknown destinations through aggregators.
  3. Own New Mobile POS Schemes to protect their risk investment
  4. Improve ACH clearing speed (new rules, new capabilities to manage risk). In a token model the differences between an ACH debit and a debit card will blend as banks leverage common infrastructure.
  5. Create new ACH based pricing scheme somewhere between debit ($0.21) and credit cards
  6. Regulatory, Financial Pandemic, AML controls (per  blog on HSBC)
  7. Take Visa and MA out of the debit game (yes this is a major story)
  8. Maintain risk models (see both sides of transaction)
  9. Control Retailer’s efforts to form a new payment network

What banks seem to be missing is that mobile payment is not just about payment (seeDirectory Battle Part 1). Payments SUPPORT commerce, Banks therefore do not operate from a position of control but rather of enablement. Most retailers recognize that Consumer access to credit has resulted in improved retail spending, however most would also say consumer addition to bank rewards has been detrimental to their margin.

EMV in US? No Way

Update Sept 2014

Did EMV in the US happen? Well to the surprise of issuers, Visa announced a scheme change in the US in August 2011 (see PR). The big issuers were not consulted about this program prior to rollout, as the dynamics described below in my previous article were occurring. Additionally banks were working on a new scheme that would leapfrog EMV: Tokenization.  The large banks were working on this scheme without the involvement of Visa and MA. If successful, this new token scheme would have bypassed V/MA altogether. I believe one of the reasons for this EMV push by Visa was to reassert its control of the network. Today we see quite a bit of friction remaining here between issuers and networks. See my blog on Chip and Signature for a view on some of the remaining chaos.

The new EMVCo token scheme announced in October 2013, formalized in March 2014 and rolled out first with ApplePay in Sept 2014 is the new “best” scheme on the planet. In this scheme, the networks have taken over the original bank token model. Of course banks can also serve as TSPs, but none of them are currently prepared (as of Sept 2014).


 

Original Oct 2009 A

As I was reading an article concerning “why US Card issuers should move to EMV”, I was struck by the amount of “disconnectedness” on this topic in the industry.

A quick background for those unfamiliar:

  • EMV is a “Chip” that replaces the mag stripe on a credit card http://en.wikipedia.org/wiki/EMV
  • Rolled out in Europe in 2004 w/ hope that fraud would go down (it actually just shifted to Card not present “CNP” transactions)
  • European issuers are also acquirers. In US these functions have been separated w/ exception of AMEX
  • Europeans banks are complaining that US cards in EMEA markets and EMEA cards in US markets are the weaknesses in their beautiful vision of a “Chip world”. EMEA acquirers are also threatening to stop accepting US (mag stripe) cards.
  • US Adoption of EMV would take 10+ yrs for banks to re-issue cards and for all merchants to replace all terminals that use the mag strip.
  • Issuers in the US don’t collaborate very often because of anti-trust concerns. Rules are set by networks… in which banks are Board members. Big banks like competing through “best practice” in fraud management. Small issuers have trouble in the arms race.

US Issuers are exercising sound judgment in not jumping on the EMV bandwagon, yet many industry pundits (without access to the data) continue to push a POV that we in the US are somehow backward. Just take a look at the UK fraud data, the card losses have grown from 122M GBP in 1997 to 531M GBP in 2007, and 610GBP in 2008. What did the EMV investment “buy” the UK issuers? A detailed look at this fraud data (APACs confidential) shows that fraud adapted to the next weakest point in the card chain: CNP.

The US banks are highly motivated to do the right thing here, but the solution requires coordinated movement by 4+ highly fragmented groups (Issuers, Acquirers, Networks, Merchants).  The US banks do get together to discuss these topics, primarily at the Philadelphia Fed.  The top request from the banks (to their regulators) was to free their hands in working together on fraud and standards without fear of anti-trust reprisals.. A request that took on no owner, as the number of agencies involved were challenged to work between themselves (FTC, OCC, Fed, …)

http://www.philadelphiafed.org/payment-cards-center/publications/update-newsletter/2009/spring/spring09_06.cfm

Independent of the political challenges that the issuers face in the US, EMV is not the initiative to bring them together.

  • Old technology (will not last the 10yrs it will take to roll out in US)
  • Expensive (POS, Card). Costs are not borne equally in network
  • No proof point, fraud did not go down in UK, CNP was not addressed. http://www.computeractive.co.uk/computeractive/news/2238913/apacs-releases-fraud-figures
  • Fraud Shifts to the next weakest point, it is not static
  • Big issuers like to compete on risk management
  • No benefit from “incremental” rollout of any technology (below)
  • “Health” of issuers (below)

The “true” benefits of EMV will not occur until there is 100% adoption at POS (complete elimination of the mag stripe), and all other weaknesses are addressed (primarily CNP). That is the conundrum facing any new technology here:  New Plastic must completely replace the old. In other words there is no “Incremental” fraud savings to an incremental rollout.

Where there is chaos there is opportunity…

With respect to card use at the POS in the US, prospects for NFC in mobile handsets is very exciting. NFC enabled handsets provide great customer convenience and the cost(s) are not borne by the banks. I highly recommend the business whitepaper below for those interested in the subject.

http://www.gsmworld.com/documents/gsma_pbm_wp.pdf

Other Data

NCL losses of Top Issuers for 3Q09

Top 5 issuers have seen their businesses deteriorate substantially, as NCLs moved from ~3% in 2007 to 10-12% currently. 3Q09 Examples (Data is for QUARTER)

  • – Citi.  NCL of $4.2B,
  • – JPMC. NCL 9.41% (ex WaMu) Card Net Income ($700M) for quarter
  • – BAC. NCL $5.47B, 12.9%
  • – CapOne. NCL $2.3B, 10%

 

http://www.javelinstrategy.com/2009/08/06/emv-us-magnetic-stripe-credit-cards-on-brink-of-extinction/