Update Oct 1
Apple forced all the top 5 launch partners to launch debit and credit at same time. Right thing to do!!.. but debit is messy.
My bank friends are having kittens over Apple Pay debit compliance. Issue isn’t Apple, but forcing debit cards to EMV (industry not ready) and dealing with the conflict between EMV rules and Durbin. For example, EMV rules state transaction must be routed to primary AID as identified by issuer. This is fine for credit, but Durbin requires routing flexibility… this requirement just never bubbled up through the EMV specs. Tokens exascerbate the problem, particularly if the AID is from a Visa BIN.. Specs must be updated to address need for routing flexibility (using the secondary AID) …but this breaks network rules.. and there are no payment terminals that read secondary.
Previously I stated that debit cards in ApplePay are not Durbin compliant. I am retracting that comment completely. The debit card in ApplePay seems to be Durbin compliant, as Bank of America spent significant time with First Data’s Star network to make it so. Problem is that the rest of the debit industry is scratching its head trying to figure out how to make this stuff work… so don’t expect to see any ability for all your debit cards to work in ApplePay anytime soon.. just the top 5.
The Challenges with Debit
Debit in the US is broken down into 2 primary segments: Signature Debit (processed through Visa) and PIN debit processed through 8+ PIN Networks. See this Federal Reserve note for more background. Retail banks exert almost complete control within PIN debit, after all it is their “ATM” acceptance infrastructure that allowed for this network.
While the new EMVCo token scheme is available to Debit, coordinating implementation across 8+ PIN Networks (and large Retail Banks) is a big chunk of work. Particularly when these same banks are working to consolidate PIN networks, and create their own centralized token solution (see blog). I’m painting a picture of many companies and many moving parts in PIN debit and tokenization. Add to this picture Apple, who worked with networks to compartmentalize and maintain secrecy with a handful of partners.
To get anything done in this environment, it is best to work with the biggest gorilla, solve their problems, show the way, and hope everyone else gets in the boat. This seems to be what happened and the Gorilla is Bank of America. This is the only Debit card I’m confident is in ApplePay. I believe BAC has been working with Apple for over 4 years on this.
There are 2 essential problems with debit in mobile wallets
- Debit cards must be PIN capable
- Debit cards have complex routing requirements (more detail below)
Durbin Challenges – Routing
The Durbin amendment requires that Debit cards give merchants flexibility in the routing debit transactions (see this excellent Paul Hastings note). From Financial Reform Insights
As noted above, all banks, regardless of asset size, must comply with the prohibition on network exclusivity and routing requirements. The Fed has implemented requirements to prohibit network exclusivity arrangements on debit card transactions and ensure merchants will have choices in debit card routing. In addition, the network exclusivity and routing requirements apply to both debit cards and prepaid cards.
The final regulation requires issuers to make at least two unaffiliated networks available to the merchant, without regard to the method of authentication (PIN or signature). A card issuer can guarantee compliance with the network exclusivity regulations by enabling the debit card to process transactions through one signature network and one unaffiliated PIN network. Cards usable only with PINs must be enabled with two unaffiliated PIN networks. ATM transactions are not subject to routing and exclusivity regulations.
Note: A smaller payment card network may be used to help satisfy the two unaffiliated network requirements; however, if the second payment card network is unwilling to expand its coverage to meet increased merchant demand for access, that would trigger noncompliance with the network exclusivity regulations.
In real world terms, the Durbin amendment allows merchants to treat all debit cards like bank PIN debit cards (they can be routed around Visa/MA switch and switched through PIN networks Star, NYCE, Pulse, Cirrus, … etc). Large merchants have also started routing debit transactions DIRECTLY TO BANKS, skipping the PIN Networks all together. This is all very straight forward in the world of a 16 digit PAN. The merchants (or their processors) use BIN routing tables that can be customized by issuer/debit network.
Within the EMVCo Token Scheme, the only way for the underlying card to be “resolved” is from the Token Service Provider (TSP) as described in part 3.2 of the EMVCo spec. Visa and Mastercard are the only TSPs in the current version of ApplePay. Although, both networks have committed to allow Issuers to serve in the TSP role directly none appear to be ready October 2014. These unique TSP roles are probably due to the speed at which the EMVCo spec materialized (fastest new Scheme in history of V/MA), and also to the secrecy surrounding its first use (ApplePay). Thus, in the current ApplePay EMVCo token scheme neither the Issuers or PIN Networks are in control of the tokens, and hence cannot make “at least two unaffiliated networks available” without first resolving the token with the TSP.
To solve for token resolution, each and every processor must have the ability to work with a multitude of TSPs to resolve tokens into something that could be routed based upon the MERCHANT’s options (2 unaffiliated networks). The problems here are not insurmountable and resemble the problems associated with the Internet’s DNS system, where multiple copies of DNS routing tables exist to convert www.domain-name.com to an IP address. Tokens have an added advantage of identifying the owner/TSP through the BIN. For example, a Visa debit card within the ApplePay system could be a Visa Bin, a Chase Bin, a Wells Fargo bin.. So a token identifies its “owner”, or the TSP which can translate it.
To solve for this problem, Visa and Mastercard have made a “detokenization” service available, and other TSPs/PIN networks must do the same (running Vaulting / PIN transformation). But to do this for all cards, all processors and all merchants takes a little time. There are technical and business issues here.
What is most surprising to me? I spoke to the head of debit cards at a top 5 banks, and he didn’t even know there was a problem..
While it is great that they included debit in the launch, the debit issue had plagued other schemes as well. ISIS initially launched with a Chase Debit account to hold balance. Chase’s regulator told them that this card was not compliant (no PIN capability) and thus they had to pull weeks before the ISIS launch. ISIS had to run to Amex Serve for the solution, as Amex was not under durbin constraints. This PIN issue will also hit ApplePay, but the more immediate problem is routing.
Google solves the PIN problem by wrapping in a non Durbin debit. Specifically, banks with under $10B in assets, and non-banks (like Amex) don’t have to comply with Durbin. Google thus has one token (non Durbin debit), where they are issuer with Bancorp Bank (TBBK).
I am laughing a little bit on the PIN side, can you imagine, unlocking your phone, touching the ID, tapping to merchant, then also keying in a PIN. Merchants are in a place to “steer” toward PIN for every debit card. But downside is that if consumers get too frustrated with experience they will just use their credit card.
A few months ago, “a merchant group” sent Apple a “formal notification” telling them that their scheme was not Durbin compliant. I don’t know if Apple’s team just sat on the notification, or hoped it would just go away once all the good launch activities came to pass. I’ve been convinced over the last 2 days that there is a durbin compliant card in the wallet, but Apple Pay is certainly not ready for every debit card. Why didn’t Apple respond to the merchants and tell them they were investing to make sure this works? It is not a great way to start off a relationship… particularly when you have your own plans for engaging the consumer.
This is the graph that merchants see in their minds when they think of Apple pay
Notice the flat line on credit card spend.. and the 20%+ CAGR on debit. Merchants worry that the strong banker presence at ApplePay launch is a key message.
My friends in the Debit industry are scratching their heads this week: Retail Bankers (debit card owners), Processors, PIN Networks and Merchants. What do they do to get their debit cards in ApplePay? If only one of them is ready (meaning has ability to resolve and or issue PIN debit tokens) what does it mean for the other 7?. Is this the first path toward an industry PIN consolidation? Who “owns” the token resolution service, standards and approach? What are the service levels on directory synchronization and response times? No one told them about an industry body to standardize… Man this debit stuff is complicated.
The underlying PIN Network industry problem is there is really no single authority to coordinate EMVCo token implementation across 5000+ banks and 8+ PIN Debit networks. Perhaps there is really no single way to get debit cards into a wallet, and this mess just further helps the 800lb gorillas that can invest in semi-proprietary schemes to get it done.