Cards – Noyes Payments Blog

Payment Data.. Banks are NOT the problem

Loss of Anonymity in Payments and the threats to Banking, Retail and Consumers

Compelling WSJ article yesterday on Facebook and Bank data. This article doesn’t begin to touch the extent of the problem. When it comes to data, there 2 very very distinct camps. Those that care about consumer data and their role in managing it, and those that don’t.

Banks and payment networks care and are “squeaky clean” compared to the rampant data sharing going on within marketing (retailers directly to the big ad publishers). While Cambridge Analytica brought about changes to 3rd party data sharing the entire ad industry has DRAMATICALLY increased direct first party data sharing. In other words many large retailers are sending their real time SKU level purchase data (for all customers) directly into the big Ad Platforms.

What enables retailers to identify consumers and send this data to Ad Platforms? Historically, only retailers with loyalty card schemes could do this, but recently Payment cards have transformed to become the virtual loyalty card used to accurately identify consumers (without Bank/Network permission). This is shocking, as Payment cards have a solid track record for protecting consumer identity (ie anonymity in payment), with payment anonymity a core “feature”. Within the 4 party network schemes only issuers could identify the consumer, enabling issuing Banks maintain the critical role of Identity broker (see blog). As former banker this makes my head spin, as the Payment Card Industry (PCI) has invested BILLIONS to protect transaction data.. Only to have it pour out from a hole.

Example

Today, when a consumer uses their V/MA card to purchase the retailer creates an “anonymized ID” and stores the transaction set internally (at ~50% of the top 10 retailers) with the entire inventory of items purchased. There are few rule or privacy issues here (IMHO), as general trends and loyalty are measured. However, retailers are voluntarily sending this transaction data (mapped to consumer ID not PAN) directly to the big Ad Platforms. The ad platforms then map this activity to the “anonymized ID” customer behavior it maintains (ex preference for soccer and CNN.com). Issues with this model:

Replacing the PAN with another Anonymized ID SHOULD NOT cause it to run under a different “rule set”. If ANY card information was used in the mapping, it should run under network rules
Neither the issuers, the networks nor the consumers have permissioned this data sharing.
Banks will never have a data business if data plays in this way
Retailers are giving away enormous consumer insight and strengthening the pricing power of Google/FB
The value of the “raw data” will diminish. Once reliable predictive models and preferences are established (ex Tennis player that likes Lacoste) I no longer need the raw data
Data is the “new uranium” we must work to control dissemination or it will destroy those touching it.

Obviously data is following the path of least resistance to centralization points that can act on it efficiently (covered in my blog Equifax, FB and Dangers of Data Centralization). However the ABILITY to act on data is different than the rules which data should act within. Transaction data was developed with VERY thoughtful rules and controls. For example, when a party submits a transaction or request the counterparty is known as is the legal agreement under which the “transaction” operates. Trust developed as a result. Trusted data must be managed.

Russ Schrader (Commerce Signals GC/CPO and Executive Director of the National Cyber Security Alliance) put together these 3 simple rules of thumb when thinking about data use:

Right to have the data
Right to use the data
Right to share the data

To be clear my goal is NOT to create a government imposed GDPR in the US. Rather I want Banks and Retailers to have a data business, and create great new consumer experiences.

Yes I have a bias here, it is what I built my company around (see Federated Data®). Data centralization is the v1.0 architecture of data science. Sure you can learn great things if all the data is mashed together but the value of data is based upon use. If you can’t control use… you can’t control the unique value that is unlocked (or the rights) within a given use.

Bank/Network Actions

Let me be clear.. banks must have a role in data! The economics of payments are changing. Banks must protect their ability to deliver value beyond the transaction. Banking is a commerce function and Alipay has shown what the future holds for “commerce orchestrators” .. payments allow them to become banking orchestrators as well (see WSJ and Ant Financial). There are both offensive and defensive actions that must be taken.

Defense. Change the rules to protect your data ensure every party “in the network” is operating on your data with permissions. Your data is playing in the market today.. and you don’t even know it. Banks have permissioned and distributed their data to marketing, loyalty, and shared market insight vendors. While individual transaction data may not be distributed by your partners, consumer level models are built and shared (see Banks as a Data Business). Typical network rules allow for merchants to use card information for the purpose of “loyalty and marketing” these rules need to be tightened up as the rights to share this data with many parties was never part of the original intent.
Retailers are not big enough to force change within the ad world. You are.. Ensure that all data operates within the simple rules above.
Banks must collaborate in data. As a top 3 bank told me “… we have learned some very hard lessons in data, no one bank is big enough to go it alone. What we should have remembered is the success with V/MA. Even though we compete with [Banks] a common network allowed millions of businesses and consumers to work with us consistently….” and another “ The real threat to banks is the Alipay. We need a common data network with common rules. Banks have a role to play in creating great consumer experiences however there are only a very few of them we are poised to lead”.
Take on the roles of transparency and consumer champion.

Retailer Actions

Retailers have a right to payment data. While big data can create great new insights if we centralized and analyzed all conversations, there is a downside. Digitally, every interaction you have with a consumer is a conversation. Brands must manage who gets to take part in these conversations and build insight from them. If your downstream data “partners” mis-use your data your customers will go to Amazon (which doesn’t share data with Google and FB). You must create great consumer experiences, but you must balance against consumer privacy and your rights to the data.

Maintain control of your data supply chain. Both WHO is using your data and HOW it is being used. Create a mission control that allows you to see what data is shared with Whom, for which Use under which legal agreement (a shameless plug for our service)
Rather than sending out raw transactional data that improves pricing leverage of Goog/FB build a CDP and enable your own targeting. Make partners bring their insights to you, or ask you to append a propensity score for a specific campaign.. not raw data for all of your customers. This is what Commerce Signals enables.
Hold all marketing partners accountable to performance against a common benchmark. This does not mean a measuring against a panel of 8M location based “presence” participants. But leverage your transaction data to measure performance consistently. This means Google and FB must be measured against your metrics.. Not report their own. Mark Pritchard of P&G is the most vocal advocate of this approach

For more information, please see my previous blogs

Chase Net 2017

Its tough to find time to Blog as a CEO…. Most of you my blogs are sometimes snarky and tactless (making NOT offending someone a new consideration).

I was taking a look at JPMC’s latest investor presentation and noticed that ChaseNet is gone.. Why? I’ve written on JPMC and ChaseNet a number of times over last 6 yrs. Today I’ll cover my views on the latest developments and my views on JPMC’s ChaseNet strategy. Lets recap first: Continue reading “Chase Net 2017”

PIN Debit at the POS

Most of you have read that Walmart, Home Depot and Kroger have launched new litigation against Visa for “PIN” and Debit. This issue is so complex it makes my head spin… For those unfamiliar with some of the basics see this article, my prior blog on PIN debit consolidation, AT Kearney, Digital Transactions: PIN Debit Claw Back and Pinless PIN Debit. Continue reading “PIN Debit at the POS”

ApplePay: Debit issues

Update Oct 1

Apple forced all the top 5 launch partners to launch debit and credit at same time. Right thing to do!!.. but debit is messy.

My bank friends are having kittens over Apple Pay debit compliance. Issue isn’t Apple, but forcing debit cards to EMV (industry not ready) and dealing with the conflict between EMV rules and Durbin. For example, EMV rules state transaction must be routed to primary AID as identified by issuer. This is fine for credit, but Durbin requires routing flexibility… this requirement just never bubbled up through the EMV specs. Tokens exascerbate the problem, particularly if the AID is from a Visa BIN.. Specs must be updated to address need for routing flexibility (using the secondary AID) …but this breaks network rules.. and there are no payment terminals that read secondary.

————————————————

Previously I stated that debit cards in ApplePay are not Durbin compliant. I am retracting that comment completely. The debit card in ApplePay seems to be Durbin compliant, as Bank of America spent significant time with First Data’s Star network to make it so. Problem is that the rest of the debit industry is scratching its head trying to figure out how to make this stuff work… so don’t expect to see any ability for all your debit cards to work in ApplePay anytime soon.. just the top 5.

The Challenges with Debit

Debit in the US is broken down into 2 primary segments: Signature Debit (processed through Visa) and PIN debit processed through 8+ PIN Networks. See this Federal Reserve note for more background. Retail banks exert almost complete control within PIN debit, after all it is their “ATM” acceptance infrastructure that allowed for this network.

While the new EMVCo token scheme is available to Debit, coordinating implementation across 8+ PIN Networks (and large Retail Banks) is a big chunk of work. Particularly when these same banks are working to consolidate PIN networks, and create their own centralized token solution (see blog). I’m painting a picture of many companies and many moving parts in PIN debit and tokenization. Add to this picture Apple, who worked with networks to compartmentalize and maintain secrecy with a handful of partners.

To get anything done in this environment, it is best to work with the biggest gorilla, solve their problems, show the way, and hope everyone else gets in the boat. This seems to be what happened and the Gorilla is Bank of America. This is the only Debit card I’m confident is in ApplePay. I believe BAC has been working with Apple for over 4 years on this.

There are 2 essential problems with debit in mobile wallets

Debit cards must be PIN capable
Debit cards have complex routing requirements (more detail below)

Durbin Challenges – Routing

The Durbin amendment requires that Debit cards give merchants flexibility in the routing debit transactions (see this excellent Paul Hastings note). From Financial Reform Insights

As noted above, all banks, regardless of asset size, must comply with the prohibition on network exclusivity and routing requirements. The Fed has implemented requirements to prohibit network exclusivity arrangements on debit card transactions and ensure merchants will have choices in debit card routing. In addition, the network exclusivity and routing requirements apply to both debit cards and prepaid cards.

The final regulation requires issuers to make at least two unaffiliated networks available to the merchant, without regard to the method of authentication (PIN or signature). A card issuer can guarantee compliance with the network exclusivity regulations by enabling the debit card to process transactions through one signature network and one unaffiliated PIN network. Cards usable only with PINs must be enabled with two unaffiliated PIN networks. ATM transactions are not subject to routing and exclusivity regulations.

Note: A smaller payment card network may be used to help satisfy the two unaffiliated network requirements; however, if the second payment card network is unwilling to expand its coverage to meet increased merchant demand for access, that would trigger noncompliance with the network exclusivity regulations.

In real world terms, the Durbin amendment allows merchants to treat all debit cards like bank PIN debit cards (they can be routed around Visa/MA switch and switched through PIN networks Star, NYCE, Pulse, Cirrus, … etc). Large merchants have also started routing debit transactions DIRECTLY TO BANKS, skipping the PIN Networks all together. This is all very straight forward in the world of a 16 digit PAN. The merchants (or their processors) use BIN routing tables that can be customized by issuer/debit network.

Within the EMVCo Token Scheme, the only way for the underlying card to be “resolved” is from the Token Service Provider (TSP) as described in part 3.2 of the EMVCo spec. Visa and Mastercard are the only TSPs in the current version of ApplePay. Although, both networks have committed to allow Issuers to serve in the TSP role directly none appear to be ready October 2014. These unique TSP roles are probably due to the speed at which the EMVCo spec materialized (fastest new Scheme in history of V/MA), and also to the secrecy surrounding its first use (ApplePay). Thus, in the current ApplePay EMVCo token scheme neither the Issuers or PIN Networks are in control of the tokens, and hence cannot make “at least two unaffiliated networks available” without first resolving the token with the TSP.

To solve for token resolution, each and every processor must have the ability to work with a multitude of TSPs to resolve tokens into something that could be routed based upon the MERCHANT’s options (2 unaffiliated networks). The problems here are not insurmountable and resemble the problems associated with the Internet’s DNS system, where multiple copies of DNS routing tables exist to convert www.domain-name.com to an IP address. Tokens have an added advantage of identifying the owner/TSP through the BIN. For example, a Visa debit card within the ApplePay system could be a Visa Bin, a Chase Bin, a Wells Fargo bin.. So a token identifies its “owner”, or the TSP which can translate it.

To solve for this problem, Visa and Mastercard have made a “detokenization” service available, and other TSPs/PIN networks must do the same (running Vaulting / PIN transformation). But to do this for all cards, all processors and all merchants takes a little time. There are technical and business issues here.

What is most surprising to me? I spoke to the head of debit cards at a top 5 banks, and he didn’t even know there was a problem..

PIN Capable

While it is great that they included debit in the launch, the debit issue had plagued other schemes as well. ISIS initially launched with a Chase Debit account to hold balance. Chase’s regulator told them that this card was not compliant (no PIN capability) and thus they had to pull weeks before the ISIS launch. ISIS had to run to Amex Serve for the solution, as Amex was not under durbin constraints. This PIN issue will also hit ApplePay, but the more immediate problem is routing.

Google solves the PIN problem by wrapping in a non Durbin debit. Specifically, banks with under $10B in assets, and non-banks (like Amex) don’t have to comply with Durbin. Google thus has one token (non Durbin debit), where they are issuer with Bancorp Bank (TBBK).

I am laughing a little bit on the PIN side, can you imagine, unlocking your phone, touching the ID, tapping to merchant, then also keying in a PIN. Merchants are in a place to “steer” toward PIN for every debit card. But downside is that if consumers get too frustrated with experience they will just use their credit card.

Merchants know…

A few months ago, “a merchant group” sent Apple a “formal notification” telling them that their scheme was not Durbin compliant. I don’t know if Apple’s team just sat on the notification, or hoped it would just go away once all the good launch activities came to pass. I’ve been convinced over the last 2 days that there is a durbin compliant card in the wallet, but Apple Pay is certainly not ready for every debit card. Why didn’t Apple respond to the merchants and tell them they were investing to make sure this works? It is not a great way to start off a relationship… particularly when you have your own plans for engaging the consumer.

This is the graph that merchants see in their minds when they think of Apple pay

Notice the flat line on credit card spend.. and the 20%+ CAGR on debit. Merchants worry that the strong banker presence at ApplePay launch is a key message.

Industry Confusion

My friends in the Debit industry are scratching their heads this week: Retail Bankers (debit card owners), Processors, PIN Networks and Merchants. What do they do to get their debit cards in ApplePay? If only one of them is ready (meaning has ability to resolve and or issue PIN debit tokens) what does it mean for the other 7?. Is this the first path toward an industry PIN consolidation? Who “owns” the token resolution service, standards and approach? What are the service levels on directory synchronization and response times? No one told them about an industry body to standardize… Man this debit stuff is complicated.

The underlying PIN Network industry problem is there is really no single authority to coordinate EMVCo token implementation across 5000+ banks and 8+ PIN Debit networks. Perhaps there is really no single way to get debit cards into a wallet, and this mess just further helps the 800lb gorillas that can invest in semi-proprietary schemes to get it done.

Token Acceleration

20 Feb 2014

Let me state up front this blog is far too short, and I’m leaving far too much out. Token strategies are moving at light speed… never in the history of man has a new card present scheme developed so quickly (4-6 MONTHS, see announcement yesterday). As I tweeted yesterday, the payment industry is seldomly driven by logic, and much more by politics. Given many of my friends (you) make investments in this industry, and EVERY BUSINESS conducts commerce and payments, movements here have very broad implications. The objective of this blog is to give insight into these moves so we can all make best use of our time (and money). I was flattered at Money 2020 when a number of you came up and told me that this blog was the best “inside baseball” view on payments. Perhaps the only thing that makes our Starpoint Team unique is that we have a view on payments from multiple perspectives: Bank, Network, Merchant, Online, Wallet, MSB, Processor, … etc.

It’s hard to believe I’ve already written 12 blogs on tokens… more than one per month in last year. As I outlined in December there are (at least) 10 different token initiatives (see blog). Why all the energy around tokens? Perhaps my first blog on Tokens answered this best… a battle for the Consumer Directory. It is the battle to place a number in the phone/cloud that ties a customer to content and services (and Cards). The DIRECTORY is the Key service of ANY network strategy (see Network Strategy and Openness). For example, with TCH Tokens Banks were hoping to circumvent V/MA… (see blog). The problem with this Bank led scheme (see blog): NO VALUE to consumer, wallet provider or merchant. It was all about bank control. The optimal TCH test dummy was almost certainly Google, and the “benefit pitched” was that Regulators were going to MANDATE tokens, so come on board now and you can be the first.

Obviously this did NOT happen (perhaps because of my token blog – LOL), but the prospect of a regulatory push was the reason for my energy in responding to the Feds call for comments on payments. In addition to the failure of a regulatory push, the networks all got together to say no Tokens on my Rails (see blog). Obviously without network rail allowance, a new token scheme would have to tackle acquiring, at least for every bank but JPM/CPT (see blog). Paul Gallant spent 3 yrs pushing this scheme uphill and had no choice but to look for greener pastures as the CEO of Verifone (Congrats Paul).

In the background of this token effort is EMV. I’m fortunate to work at the CEO level in many of the top banks and can tell you with certainty that US Banks were not in support of Visa’s EMV announcement last year. One CEO told me “Tom I found out about EMV the way you did, in a PRESS RELEASE, and I’m their [Top 5] largest issuer in the world”. Banks were, and still are, FUMING. US Banks had planned to “skip” EMV (see blog EMV impacts Mobile Payments). The networks are public companies now, and large issuers are not in control of rules (at least in ways they were before). Another point… in the US EMV IS NOT A REQUIREMENT A MANDATE OR A REGULATORY INITIATIVE. It is a change in terms between: Networks and Issuers, and Networks and Acquirers, and Acquirers and Merchants (with carrots and sticks).

In addition to all of this, there were also tracks on NFC/ISIS (which all banks have walked away from in the US), Google Wallet (See Don’t wrap me), MCX, Durbin, and the implosion of US Retail Banking.

You can see why payment strategy is so dynamic and this area is sooooo hard to keep track of. Seemingly Obvious ideas like the COIN card, are brilliant in their simplicity and ability to deliver value in a network/regulatory muck. This MUCK is precisely why retailers are working

Payment Value

to form their own payment network (MCX), retailers and MNOs are taking roles in Retail banking, and why Amex has so much more flexibility (and potential growth).

Key Message for Today.

With respect to Tokens, HCE moves are not the end. While Networks have jumped on this wagon because of HCE’s amazing potential to increase their network CONTROL, Banks now have the opportunity to work DIRECTLY with holders of CARDS on File to tokenize INDEPENDENT of the Networks.

Example, if JPM told PayPal or Apple we will give you:

an x% interchange reduction
Treat as Card Present, and own fraud (can not certify unless acquirer)
Access to DATA as permissioned by consumer
Share fraudulent account/closed account activity with you to sync

If you:

Tokenize (dynamically) every one of our JPM cards on file
Pass authentication information
Collaborate on Fraud

This is MUCH stronger business case for participation than V/MA can create (Visa can not discount interchange, or give access to data).

This means that smaller banks will go into the V/MA HCE schemes and larger banks, private label cards, … will DIY Tokens, or work with SimplyTapp in direct relationship with key COF holders.

Sorry for the short blog. Hope it was useful

Debit Card Wars

5 Jan 2014

Happy New Year everyone. Short blog today on debit card and a new battle taking shape on debit card.

Debit 101

From last month’s Federal Reserve Payments Study we see that the number of debit card payments increased more than any other payment type from 2009 through 2012. Given that the average transaction value is $39 for Debit and $94 for credit, debit has 64% share by number of transactions, but only 44% by volume.

For Non US readers, the Debit network is split between PIN debit and Signature debit (see US PIN Debit Consolidation). General-purpose PIN debit card purchase transactions at the POS, have roughly one third the fraud rate (0.45 basis points) of Credit (Note this is not shown in graph, this data point is from FED based upon exclusion of ATM fraud). This PIN fraud rate is as low as checks, a rate lower than for ACH (0.72 basis points), and a rate far lower than any other category of general-purpose card payment. In other words, PIN Debit is our “best” most secure card product which consumers PREFER to use for many small transactions.

Debit at Visa

Today Debit processing accounts for around 19% of Visa revenue. Visa famously won very big here over MA in the US starting in 2002, and as recently as 2009 Visa’s processed well over 50% of PIN and Signature Debit (Visa does not break out the categories). Post Durbin, Visa’s debit processing volume fell over 50% but has now recovered half of that loss as they acquire non Interlink PIN transactions and have established large merchant incentives (see Article, and Visa Policies). However I see this trend reversing again, the top 5 retail banks handles over 60% of debit transactions, and sources tell me that all of them are working with processors directly to route all debit transactions as PIN transactions (PINless PIN Debit) to avoid network fee AND DATA LEAKAGE. This is a MAJOR point.

The Volume share picture on the right is from 2009 (not accurate). Durbin has shaken this industry up substantially, with Mastercard near parity to Visa in debit processing. Remember Durbin has set PIN and Signature rates the same. Today, the most significant difference between PIN and Signature is routing, with merchant able to route PIN transactions directly to a Bank Issuer (avoiding network fee, a complex area still reworked Judge Leon’s ruling ). Visa’s advantage here is that DPS hosts many banks debit authorization services (they are the IT system provider for the Issuer’s Debit Product).

Push to Credit and Resistance on Real Time

With debit pricing dropping from 120bps to $0.21 (Durbin) and now likely to move toward $0.07 (Judge Leon), Banks have little incentive to push Debit cards. Particularly when the bottom 40% of mass consumer retail accounts are not profitable. Banks had a plan to institute fees on Debit, but Bank of America’s Moynihan jumped the gun in Oct 2011 and bore the consequences. Thus there is risk in moving aggressively toward Fees… so what are banks doing to encourage credit card usage?

Throw Dirt on Debit (See ABA’s Target PR and the NRF Response)
Promote consumer protections on Credit
Enhance consumer rewards
Make ATM card the default card with your account, with a longer process to request Debit Card
Enhance Fraud prevention on Credit (EMV)
Focus all mobile initiatives on Credit only
Keep ACH slow moving (see WSJ Article)
Institute new “token” network that provides another form of Bank control
…etc

Retailers need to start being aggressive in supporting Debit.

Honor all Barcodes?

As I outlined previously, MCX is pursuing a Starbucks like Barcode approach. Most of you know that the MCX merchants have universally refused to accept contactless at Payment Terminal (with a few legacy exceptions in CVS/Walgreens). The reason? Bank led initiatives in contactless are 100% credit cards (200+ bps). Why would any retailer want to encourage their customers to use this product when they just won the Debit war.

The new news this month is that Visa (and perhaps MA) are working on a Barcode scheme as well. Why? The logic goes something like this,

Get consumer bar code version of card in mobile wallet (given NFC Failure and Starbucks success)
If MCX merchants support barcode payment, work to make Visa option, for example by allowing consumers to provision a Visa Debit bar code without issuer consent (or for DPS banks)
Create confusion at the POS, why won’t the merchant accept the Visa Barcode
Try to leverage the honor all cards rule
Steal market “ownership” of barcodes from MCX

I can’t believe I’m writing this… going from NFC, to Tokens, to HCE to Barcodes.. seems to be walking backwards technically.. but Visa can’t afford to miss a payments party. It is also consistent with what I wrote 3 yrs ago on their “Portfolio Manager” strategy.

Investor notes (January)

I see Visa’s debit revenue falling off much faster than anticipated.

I’m very negative on Paypal’s volume. Amazon, Apple, Google, Visa, and the MNOs will all be entering both the eCommerce and mCommerce space in a very aggressive way. As payments move to the OS, Paypal doesn’t have one.

Stay away from specialized hardware players (Verifone, Ingenico, Gemalto, NCR…) as dedicated hardware moves to commodity hardware and software.

Related Articles/Blogs

Accept all Barcodes?

Chip and Signature!?

4 December

I finally received my very first EMV compliant piece of plastic from Citi this week. As I travel frequently to Asia and LATAM I’m very happy. This should help me avoid situations like being stuck at Vancouver Airport without anyway to buy a tram ticket from their ATM like ticket machine. Just one thing missing in the package.. a PIN. !!

I went online to see why there was no PIN https://www.citi.com/credit-cards/template.do?ID=chip-technology-questions

Can you believe it… we now have something unique to the US.. CHIP and SIGNATURE!?

Wikipedia tells me that the US, Australia and NZ are the primary countries for this model… I described some of the dynamics in my 2012 blog “EMV Battle Impacts Mobile Payments”

From Chip and PIN to Chip and Choose? Visa wants encourage signature as these transactions must be routed through them.. my position (and that of most non network people) is that AUTHORIZATION and AUTHENTICATION are completely different problem sets. The availability of real time approval means nothing if you don’t know WHO you are approving for WHICH CARD. PIN answers the “who” question and the chip is the account number or “how” you are going to pay. I just can’t believe that Visa has come up with this story.. but they must in order to support “contactless”. Most consumers don’t know that today contactless transactions have limits. These limits are set by the issuer, in Europe they are typically around $25. However the issuer can choose to increase the limit (no PIN required), or require a PIN with a contactless payment. All of this is a little absurd for Visa as PIN is always viewed as key to authentication, AND Visa just waved the signature requirement for mobile payments. So no signature required for Square.. but Visa wants it optional at the merchant POS so it can retain the volume?…. Expect some Regulatory involvement here.

Large Merchants are very, very aware of this strategy to improve the credit transaction mix and make mobile/contactless payments a “premium” service. The top 20 retailers have put their foot down and said “no way” will we be putting contactless readers in our store (MCX members particularly). The terminals that they are ordering DO NOT have contactless capabilities.. only EMV chip and PIN. Most retailers agree that signature is a worthless authentication mechanism. Visa clings to signature in order to ensure transactions are routed through them. Expect MCX to look toward a PIN model..

So this EMV “battle” has many sides to it.. it impacts mobile payment adoption, EMV rollout, plastic re-issuer, consumer behavior, consolidation of national PIN debit networks, EMV compliant ATMs

So WHY chip and SIGNATURE? The 30 second summary is that “Perfect Authentication” is a Nightmare to Banks (see blog). If there is no risk.. then anyone can be a card issuer. (Credit risk as opposed to the billion dollar fraud/authorization systems).

Business Drivers

Visa/MA

PIN is not a desirable consumer behavior, PIN is despised by both Banks and Visa
Grease the skids for contactless EMV. Who wants to waive their phone and THEN enter a PIN!? Visa/MA understand that it makes no sense to force a PIN on plastic and provide a “pass” for a waive.
PIN provides fantastic fraud prevention and therefore decreases the NEED for other risk management services (by Network and Bank)
Ensure that transactions are routed through them (signature debit is primary transaction type at risk).
The January 2013 Visa Mandate was a complete surprise to Issuers. I asked a top 3 card issuing CEO why did you commit to EMV. “Tom I found out about it the way you did, in a press release.. Visa has yet to come by my office to discuss EMV”. This gives you an idea on issuer relations. Why did Visa push EMV? to encourage reterminalization and enable mobile (credit card) payments. Visa knew the big issuers would hate it.. but the Chip and Signature was a “meet in the middle” strategy. Visa created opportunity to enable contactless, and big issuers kept their PIN less advantages.

Issuers

Shifts Fraud to Merchants who do not have compliant POS payment terminals
Allows large banks to continue to leverage their multi billion dollar investment in fraud infrastructure (Signature + $$ Fraud Infrastructure == security of Chip and PIN)
Keeps consumer behavior away from PIN
Big banks win, enabling them to leverage multi-billion dollar fraud system investments at the expense of smaller banks. Banks that can not make the investments will be challenge to support contactless, or EMV, without PIN. This again demonstrates how large banks continue to exert substantial leverage over the card networks in rule making and incentives.
The only EMV products coming out in the US are Credit based. Payment strategy is centered around increasing consumer use of credit card products.
See my blog on PIN Debit (Signature Debit is Dead).,PIN Debit enjoys a slightly higher growth rate (15.6% vs 14.3%), consumer preference (48% vs 34%), lower fraud rate (2009 fraud numbers: Signature $1.12B, $181M PIN debit card), and obvious merchant preferences (interchange and fraud; 96% of PIN fraud losses assumed by issuers, vs 56% in Signature). Source FRB report

We have an environment where Large Banks and Networks are purposely rolling out a less secure payment product. From the FRP report http://www.frbatlanta.org/documents/rprf/rprf_pubs/120111_wp.pdf

PIN verification provides superior protection against fraud losses… Signature based losses were 13 bps compared to 3.5 bps for PIN

Obviously PIN is more secure, and DEBIT is where EMV should be focused.. But banks DON’T WANT TO MAKE DEBIT SECURE (no margin here). To a non-payments geek this must look completely insane. Is there any wonder that large merchants are working together on a new payment network (MCX)? To understand the payments industry you must throw out all logic.. and look at the incentives. Moves here are NOT logical.. Networks are measured on volume, the entities which are in control of volume are Issuers (switch portfolios). Merchants are motivated by cost of acceptance.

Wells gets A+: New Amex Partnership

WFC is brilliant here. By leveraging their primary asset (customer relationships) they have jumped to the top of the line in a new ability to deliver services, and capture unregulated payment revenue. Think they need to work quickly to ensure retailers see an upside to expanded Amex transaction volume (see payment enabled CRM).

7 August

Press today on WFC/Amex plans for WFC to Issue Amex Cards (also see WSJ Blog, CNBC Clip with WFC Exec on deal overview). Key items:

WFC to issue credit cards accepted on Amex Network
New and existing WFC customers
New loyalty platform

Why is this big new for INVESTORS? 2015 will see reissue of EMV compliant cards (blog). Issuers are therefore assessing what brand/plastic to reissue. Top analyst question for Amex/WFC is will WFC reissue on Amex plastic/brand? If WFC moves this direction, will other banks as well? Is Visa’s golden goose on the menu? Will EU regulatory developments (suggested 30bp rate for credit supported last week in US by Dick Durbin) prompt additional banks to move to 3 party network?

Deal History/Drivers

There is tremendous history around this transaction, as well as the business drivers for it. Amex has been seeking mass market opportunity for almost 15 yrs. For example, within Amex, few know that back in 2002, American Express was contemplating an acquisition of Wachovia, then the #3 US retail bank, now part of WFC.

Within the large retail banks, there is broad recognition that:

#1 three party networks have substantial advantages (blog),
Durbin has killed the profitability of a vast segment of mass market retail (40%). Durbin’s impact was on Debit, and the PR on the WFC/Amex deal focuses on credit… so view this as attempt to generate fee revenue from mass market (only 30% of WFC retail consumers have credit card). See Barron’s article on latest Durbin bank EPS Impact
Pre-paid cards are proving to be real option, and banks face prospect of loosing core relationships (Blog, and Future of Banking)
Three Party networks (Amex/DFS) have no Durbin or EU constraints
Future of “payments” is about data, and enabling value added orchestration, Amex is the clear innovation, and business model, leader,
Chase has constructed unique Visa deal in attempt to create 3 party,
Visa and Mastercard are ineffective at “change” and have alienated both Retailers AND Banks. I asked one CEO about EMV and he said he found out about it same way I did, in a press release (and he was top 3 issuer)… Gives you idea of partnership “health”.
Retailers are working to establish their own payment network (see Battle of Cloud, MCX Blog)
Apple, Google and others are investing billions in this space

Top banks are working on a new token scheme to build a new “Visa” from within (see Tokenization). It now seems, BAC, WFC and JPM have separate plans from this centrally led TCH initiative… but all are consistent with disintermediating V/MA

I also believe this is a tremendous win for Amex, not only in their efforts to grow transactions riding on their rails, gain broader acceptance, grow in mass market but primarily as a way to unlock new value in mass consumer payment “data”. This is yet another “Cluster”…

The street should watch for M&A activity around DFS…. The only subscale 3 party network left standing.

Take a look at new Amex service, working as a back door to get line item detail from retailers.

https://www.americanexpress.com/us/small-business/openhome/receiptmatch

Debit Round 2 – Rates $0.21 to ?$0.05?

There is a school of thought that “pricing debit” for consumers will help banks increase credit transaction volume (ie credit cards are “free” and have points, debit cards will have monthly fee). Merchants must therefore act to build incentives around debit card usage, or a decoubled debit like product (see blog). Target Redcard is clear leader in the US.

1 Aug

Yesterday’s WSJ Merchants Notch Win in Feud Over Debit-Card Fees

Dodd Frank requires the Fed to set Debit interchange at a rate that reflects actual cost of processing. What the Fed did in 2011 was actually set rates at almost exactly the rate of PIN Debit. (see my 2011 blog).

US Retailers have been pushing for $0.05.. The Fed’s own internal team was recommending 0.12, but the final 2011 rate was $0.21 + 5bps. My view is that Governments should never set rates in an effective, competitive market. Their track record is just awful. But unfortunately payments are not competitive, but a form of 3^rd party payor… a market type which is even worse than a government price controlled one. Big Retailers know enough to negotiate great rates (as in health care) and swallow the “accept all cards” requirement. Small merchants get completely taken (just as in Health Care).

Visa/MA impact.. none. Visa’s revenue is not so much in the network fee on PIN or signature debit, it is in the DPS hosting of debit processing. Bank impact.. absolutely. If Debit interchange lands at less than $0.12, the forces behind debit consolidation (see blog) will accelerate, not because of M&A, but because the margins in this business cannot possibly sustain 6+ participants.

The Banks had planned a uniform march to add fees to debit card, but unfortunately Brian Moynihan at BAC could not wait for his peers and jumped the gun.. only having to pull back from the tremendous public reaction. Adding fees to debit is a certainty if rates drop. The bottom 4 deciles of mass consumer are already unprofitable. Banks are a private enterprise and should not be obligated to do anything “at cost”. We thus shift costs from merchants, onto banks, who will then shift back to consumer. But quite frankly this is where they should be.. where the consumer can see them.

My idea for getting around regulation (which all parties agree is a bad thing), is 2 fold: Require transparency (by all participants), and enable competition (through access to core deposit accounts). Imagine if Walmart, or United Airlines were required to publish their lowest interchange rate with each issuer, for every product (credit/debit). I believe retailers would support it wholeheartedly, but the issuers would go nuts. Per the second point (account access), the UK led the way here in Faster Payments back in 2008 (see blog). Consumer banks would need to be absolved of fraud loss responsibility if initiated as a debit by 3^rd party (Onus on ODFI), but it would also allow a Sofort type model (Push payments) to prosper.

From a pure debit perspective, Australia and Canada have made Debit a common nationalized infrastructure service, part of a Bank’s requirement to have a license. Fedwire is our equivalent in the US, although only used for wires. You don’t see much payment innovation in Australia or Canada, as the common infrastructure works so well.. that there are no pain points. The EU is also getting there with SEPA, although the inability for EU mandates to make their way into local law and requirements is proving to be a significant drag…

For innovators the message is simple.. payments are becoming dumb pipes. Go visit Canada and Australia to see why new payments schemes do not take off… Most know my view that payment is only the last “simplest” phase of a very long and complex COMMERCE PROCESS.

CEO View – Battle of the Cloud Part 5

There is a payment cluster war going on right now and it is the subject in the C Suite in Banks and the Payment industry. The battle is happening at every level. I’ll be leading a panel at Money 2020 which addresses several of these items, with participation from V/MA… should be interesting. Here are a few updates.

22 July 2013

This post is a continuation/update to my post back in March Network War – Battle of the Cloud Part 4. Sorry for typos.

There is a payment war going on right now and it is the subject of C Suite strategy talks. The battle is happening at every level. I’ll be leading a panel at Money 2020 which addresses several of these items, with participation from V/MA… should be interesting. Here are a few updates.

Network/Routing/Rules

$8B Revenue Impact. I apologize to my EU readers for my constant US focus. Let me break the mold now to emphasize the earth shaking changes going on in the EU (See today’s NYT blog, and today’s WSJ). Going from 250bps + cross border fees to 30 bps will be tremendous, and may set a precedent for the US litigation between Visa/MA and top retailers.
EU provides a glimpse at what a world of payment “dumb pipes” and least cost routing looks like (see Blog Payments Innovation in Europe). Canada and Australia also follow these lines in debit (see Blog). Also see my favorite case study in Europe Sofort – ECB analysis, and Push Payments.
Networks, and their members are reacting to regulation and positioning themselves (individually) to “push” their respective vision of innovation in order to protect their brand and network (see Visa Money Transfer, and Visa Portfolio Manager). I don’t mean to limit this to just Visa and Mastercard (see picture, and blog).
New networks are forming (see Blog on Clusters)
Large issuers like JPM have successfully forced Visa to break/segment its Visa net, and run under unique JPM/CMS rules with new capabilities. Visa’s CEO comments to investors: “rules must be consistent with Visa”.. My view is that this is a major crack in Visa’s network ownership (see Golden Goose on the Menu).
From a wallet perspective the rules on “wrapping” are killing much innovation (see don’t wrap me). Top issuers are actively working to inhibit wrapping of their payment products (ex Mastercard’s staged digital wallet fee of 35bps on PREVIOUS years volume of over $50M.. which only impacts paypal). Similarly Amex and Visa are working to ensure their cards are not wrapped.
Rules are being issued and ignored, from Visa Money Transfer to EMV (see below). Banks tell Visa “do you want me to write the waiver or will you send it over… as we are not going to do this”.. which is one reason JPM just created its own unique rule set. Similarly US merchants face a liability shift (on to them) if they do not accept EMV cards (chip and pin). All are playing a game of chicken as no one wants to re-issue plastic. Visa has created a new type of EMV, chip and SIGNATURE, which makes absolutely no sense at all, but helps them keep customers away from PIN (which Visa despises, but everyone else loves).
Cross boarder fees (see blog). As 20%-30% of network revenue moves to these fees, it is becoming a substantail pain point for global banks like Citi, HSBC, Barclays, .. A big topic I can’t fully cover here

Issuance

US Banks are spending 90% of their time in innovation around Credit Cards. Exception is Bank of America and to some extent my old team at Wells. In either case the banks have hit a wall, and recognize that innovation can’t happen in a 4 party network. American Express is 5 years ahead of them and they can’t catch up.. they must change.
The NATURE of card completion is changing in both credit and debit. Traditional Payment revenue is being REGULATED AWAY as payments become “dumb pipes”. The goal most have recognized is that the real value to be unlocked is in commerce data, particularly Payment Enabled CRM (see blog). Examples of just how focused this effort is: 22 Banks working in Secure Cloud, ~$1B in Google Wallet Investment, ~$500M in ISIS investment, JPM just hired Len Laufler (former CEO of Argus Data) to be the new CEO of Data in Chase.
Banks thus need to build a network which can accommodate both payments and “other data” which they own and control (like Amex)… hence “tokenization” (see Blog, and TCH Announcement).
Tokenization is currently going nowhere.. but it is “impacting” the industry and many start ups as banks and networks position themselves (see JPM/Visa Blog, Start up implications).
Visa and MA also have their own secret token efforts. Merchants have a much better short term win in this approach with a liability shift and reduction in interchange, but they also know from past experience that if the issuers are not on board, there will be a much broader business impact in declines (see VBV post, and Visa’s Token Strategy).
Retailers are attacking from below. Bottom 40% of mass market customers are not profitable for banks (Durbin related items ranging from NSF fee changes, to debit interchange) . These customers are profitable for retailers like Walmart, Tesco, Target, .. (see Blog).
Telcos have a chance to own a new payments network, as they have both physical distribution, customer relationship, connectivity and device.. but they are focused on controlling a handset in a walled garden strategy. To succeed they must refocus efforts on COMMERCE, which means partnering with all participants to construct a value proposition (see blog).

Acquiring

The first hurdle of any “New” network is to get the merchants and acquirers on board.

This is NOT going well for companies like Paypal … hence the complete failure of their DFS partnership (see blog). Specifically, there is at least one major acquirer which is refusing to route traffic on any of these new Discover/Paypal BINs, as well as at least 2 major retailers. Although Discover is a 3 party network, they only acquire directly for their top 100 merchants. Therefore Paypal must “incent” and negotiate with every single other acquirer AND merchant.
Chase is working to build a new CMS acceptance brand, which will be different from Visa.
Retailers are building their own network (MCX), and have hired Dekkers Davidson, a tremendous executive, to lead it.

Roughly 60% of acquiring profits come from bottom 30% of merchants. There are small independent merchants that are paying over 5% in acceptance fees thanks to the poor transparency within the ISO sales process. Companies like Levelup and Square are changing this (2.75% flat, or free if you commit to marketing). I’ve eaten my shoe on Square, as I never fully understood how badly the ISOs were treating small independent retailers. Their solution solves a short term pain point and also improves customer experience.
Acquirers are making POSITIVE headway in merchant friendly services (see blog), particularly helping merchants “merge” consumer data to gain new insights for loyalty and incentives. They are challenged to quickly ramp up this services revenue, in order to overcome the new aggregators acting on the side of small independents (ie Square).

POS Acceptance

Has anyone seen the graph of Verifone’s stock? Market cap of under $2B. A hardware company that could not adapt to a software world. At the bottom end they are being eaten by free Roam/Square dongles at the top end are facing integrated POS Terminals from IBM/Toshiba and Micros. Dedicated payment terminal are commodities, and thus suffer from commodity like competition. Grand hopes for re-terminalization with EMV and NFC are not happening (see blog). New dongles and mobile acceptance infrastructure is developing even in the complex EMV space (see Tedipay.com )
POS strategy centers around data as well. Google’s Zave purchase has given them opportunity to help retailers focus advertising and eliminate paper coupons independent of payment network. Other leaders like Fishbowl and Open Table in Restaurants have integrated into the POS. The BIG idea here is to integrate the POS to the cloud and Google is now 5-7 yrs ahead of everyone (2 yrs engineering, 2 yrs IBM Certification, 3 yrs to sell and test w/ retailers, +++ yrs in content/ads/targeting).
Square’s new Stand is an integrated payment, POS, inventory management, CRM, marketing and loyalty system.. all on an iPad.
Payment Terminal “software”. Verifone’s Verix architecture and equivalent schemes have failed. Idea was to allow 3^rd party developers to create “apps” for a non-secure space in the payment terminal. For example, 2 years ago, Google’s first version of wallet leveraged NFC to communicate “coupons” to the payment terminal, which then relayed to the POS. Problems are obvious.. A grocer like Safeway has 2,000 person development team around their IBM 4690 POS, guess how many engineers support the payment terminal? NONE. They don’t want apps on a PCI compliant payment terminal.. it goes beyond question of who will manage them. Also note that payment terminal interaction with the POS is simple today (payment request and authorization). There is also significant development work to RECEIVE coupons from a PAYMENT Terminal.

Services

This section could fill a book, so I will make this brief. All network participants are working to deliver services. The 4 party networks cannot innovate. For example, take a look at my very first blog, topic was Googlization of FS. Visa built an offers services with Monitise and Clairmail 3-4 yrs ago, but the large issuers refused to use it, preferring to innovate themselves. Another example is V.me, a topic which makes Card CEOs red faced. These points exemplify the dynamic w/ V/MA and the large issuers.. Issuers want to dumb down the pipes and limit services, V/MA want to grow them and relationships with consumers.
Current state is myopia.. everyone is working as if they uniquely own the customer. Banks and Card Linked offers are top example. When you go into a bank branch, do you want to buy socks? dog food? Of course not! Banks have great data but they are in no position to run an advertising campaign. I’ve run 2 of the largest online banks in the world (Citi and Wachovia) and can tell you retail customers spend about 90 seconds with me, they log on check their balance make a payment and leave. They don’t stay around to click on coupons. Commerce, and retail, is in the midst of a fundamental restructuring as online and off line worlds converge in new ways (beyond show rooming).
Payments are just a small part of the overall commerce value chain, yet they have by far the highest cost. The proposed 30bps EU fee cap may occur in other markets, thus banks are working feverously to build services to replace this revenue (primarily around credit cards), with CLOs largely failing to deliver value (see blog). Yesterday we say Ally Bank discontinue Card offers, following Amex last week.