ApplePay: Debit issues

Update Oct 1

Apple forced all the top 5 launch partners to launch debit and credit at same time. Right thing to do!!.. but debit is messy.

My bank friends are having kittens over Apple Pay debit compliance. Issue isn’t Apple, but forcing debit cards to EMV (industry not ready) and dealing with the conflict between EMV rules and Durbin. For example, EMV rules state transaction must be routed to primary AID as identified by issuer. This is fine for credit, but Durbin requires routing flexibility… this requirement just never bubbled up through the EMV specs. Tokens exascerbate the problem, particularly if the AID is from a Visa BIN.. Specs must be updated to address need for routing flexibility (using the secondary AID) …but this breaks network rules.. and there are no payment terminals that read secondary.


Previously I stated that debit cards in ApplePay are not Durbin compliant. I am retracting that comment completely.  The debit card in ApplePay seems to be Durbin compliant, as Bank of America spent significant time with First Data’s Star network to make it so. Problem is that the rest of the debit industry is scratching its head trying to figure out how to make this stuff work… so don’t expect to see any ability for all your debit cards to work in ApplePay anytime soon.. just the top 5.

The Challenges with Debit

Debit in the US is broken down into 2 primary segments: Signature Debit (processed through Visa) and PIN debit processed through 8+ PIN Networks. See this Federal Reserve note for more background. Retail banks exert almost complete control within PIN debit, after all it is their “ATM” acceptance infrastructure that allowed for this network.

PIN Volume2

While the new EMVCo token scheme is available to Debit, coordinating implementation across 8+ PIN Networks (and large Retail Banks) is a big chunk of work. Particularly when these same banks are working to consolidate PIN networks, and create their own centralized token solution (see blog).  I’m painting a picture of many companies and many moving parts in PIN debit and tokenization. Add to this picture Apple, who worked with networks to compartmentalize and maintain secrecy with a handful of partners.

To get anything done in this environment, it is best to work with the biggest gorilla, solve their problems, show the way, and hope everyone else gets in the boat. This seems to be what happened and the Gorilla is Bank of America. This is the only Debit card I’m confident is in ApplePay. I believe BAC has been working with Apple for over 4 years on this.

There are 2 essential problems with debit in mobile wallets

  1. Debit cards must be PIN capable
  2. Debit cards have complex routing requirements (more detail below)

Durbin Challenges – Routing

The Durbin amendment requires that Debit cards give merchants flexibility in the routing debit transactions (see this excellent Paul Hastings note). From Financial Reform Insights

As noted above, all banks, regardless of asset size, must comply with the prohibition on network exclusivity and routing requirements. The Fed has implemented requirements to prohibit network exclusivity arrangements on debit card transactions and ensure merchants will have choices in debit card routing. In addition, the network exclusivity and routing requirements apply to both debit cards and prepaid cards.

The final regulation requires issuers to make at least two unaffiliated networks available to the merchant, without regard to the method of authentication (PIN or signature). A card issuer can guarantee compliance with the network exclusivity regulations by enabling the debit card to process transactions through one signature network and one unaffiliated PIN network. Cards usable only with PINs must be enabled with two unaffiliated PIN networks. ATM transactions are not subject to routing and exclusivity regulations.

Note: A smaller payment card network may be used to help satisfy the two unaffiliated network requirements; however, if the second payment card network is unwilling to expand its coverage to meet increased merchant demand for access, that would trigger noncompliance with the network exclusivity regulations.

In real world terms, the Durbin amendment allows merchants to treat all debit cards like bank PIN debit cards (they can be routed around Visa/MA switch and switched through PIN networks Star, NYCE, Pulse, Cirrus, … etc). Large merchants have also started routing debit transactions DIRECTLY TO BANKS, skipping the PIN Networks all together.  This is all very straight forward in the world of a 16 digit PAN. The merchants (or their processors) use BIN routing tables that can be customized by issuer/debit network.

Within the EMVCo Token Scheme, the only way for the underlying card to be “resolved” is from the Token Service Provider (TSP) as described in part 3.2 of the EMVCo spec.  Visa and Mastercard are the only TSPs in the current version of ApplePay. Although, both networks have committed to allow Issuers to serve in the TSP role directly none appear to be ready October 2014. These unique TSP roles are probably due to the speed at which the EMVCo spec materialized (fastest new Scheme in history of V/MA), and also to the secrecy surrounding its first use (ApplePay). Thus, in the current ApplePay EMVCo token scheme neither the Issuers or PIN Networks are in control of the tokens, and hence cannot make “at least two unaffiliated networks available” without first resolving the token with the TSP.

To solve for token resolution, each and every processor must have the ability to work with a multitude of TSPs to resolve tokens into something that could be routed based upon the MERCHANT’s options (2 unaffiliated networks). The problems here are not insurmountable and resemble the problems associated with the Internet’s DNS system, where multiple copies of DNS routing tables exist to convert to an IP address. Tokens have an added advantage of identifying the owner/TSP through the BIN. For example, a Visa debit card within the ApplePay system could be a Visa Bin, a Chase Bin, a Wells Fargo bin.. So a token identifies its “owner”, or the TSP which can translate it.

To solve for this problem, Visa and Mastercard have made a “detokenization” service available, and other TSPs/PIN networks must do the same (running Vaulting / PIN transformation).  But to do this for all cards, all processors and all merchants takes a little time. There are technical and business issues here.

What is most surprising to me? I spoke to the head of debit cards at a top 5 banks, and he didn’t even know there was a problem..

PIN Capable

While it is great that they included debit in the launch, the debit issue had plagued other schemes as well. ISIS initially launched with a Chase Debit account to hold balance. Chase’s regulator told them that this card was not compliant (no PIN capability) and thus they had to pull weeks before the ISIS launch. ISIS had to run to Amex Serve for the solution, as Amex was not under durbin constraints. This PIN issue will also hit ApplePay, but the more immediate problem is routing.

Google solves the PIN problem by wrapping in a non Durbin debit. Specifically, banks with under $10B in assets, and non-banks (like Amex) don’t have to comply with Durbin. Google thus has one token (non Durbin debit), where they are issuer with Bancorp Bank (TBBK).

I am laughing a little bit on the PIN side, can you imagine, unlocking your phone, touching the ID, tapping to merchant, then also keying in a PIN. Merchants are in a place to “steer” toward PIN for every debit card. But downside is that if consumers get too frustrated with experience they will just use their credit card.

Merchants know…

A few months ago, “a merchant group” sent Apple a “formal notification” telling them that their scheme was not Durbin compliant. I don’t know if Apple’s team just sat on the notification, or hoped it would just go away once all the good launch activities came to pass.  I’ve been convinced over the last 2 days that there is a durbin compliant card in the wallet, but Apple Pay is certainly not ready for every debit card. Why didn’t Apple respond to the merchants and tell them they were investing to make sure this works? It is not a great way to start off a relationship… particularly when you have your own plans for engaging the consumer.

This is the graph that merchants see in their minds when they think of Apple pay

non cash payment

Notice the flat line on credit card spend.. and the 20%+ CAGR on debit. Merchants worry that the strong banker presence at ApplePay launch is a key message.

Industry Confusion

My friends in the Debit industry are scratching their heads this week: Retail Bankers (debit card owners), Processors, PIN Networks and Merchants. What do they do to get their debit cards in ApplePay? If only one of them is ready (meaning has ability to resolve and or issue PIN debit tokens) what does it mean for the other 7?. Is this the first path toward an industry PIN consolidation? Who “owns” the token resolution service, standards and approach? What are the service levels on directory synchronization and response times? No one told them about an industry body to standardize… Man this debit stuff is complicated.

The underlying PIN Network industry problem is there is really no single authority to coordinate EMVCo token implementation across 5000+ banks and 8+ PIN Debit networks. Perhaps there is really no single way to get debit cards into a wallet, and this mess just further helps the 800lb gorillas that can invest in semi-proprietary schemes to get it done.



8 thoughts on “ApplePay: Debit issues”

  1. Interesting post. I always enjoy your insight.

    One clarification about Durbin and small issuers. You said: “Specifically, banks with under $10B in assets, and non-banks (like Amex) don’t have to comply with Durbin.”

    In fact, issuers under $10B in assets still have to comply with Durbin’s dual routing requirement. The part of Durbin they are exempt from is the interchange cap. So, the dual routing quandry you described here will be a challenge for small V / MA issuers too.

  2. Hi,

    Your blogs have been very instructional and I thank you for that – keep ’em coming!

    Thought I would share that it is likely that MasterCard and Visa have enabled their own signature debit networks to operate with Apple Pay and hence BoA can use it. To your point, the banks and the networks have developed a technique to make their own debit networks operate properly with EMV, and by extension, NFC.

    The single message networks (EFT/PIN Debit like STAR and NYCE) were left out of the EMVCo EMV spec and the EMVCo Tokenisation spec. The The Secure Remote Payment Council (SRPc) has been working to address these issues, but it will require new standards be released and new certification processes implemented, which will take some time.

    Keep up the great work!


    1. Great insight.. there must be one single message network participating to allow for at least one “unaffiliated” network requirement .. right?

  3. Presumably Durbin doesn’t apply to m-commerce transactions via Apple Pay (i.e. not done via NFC but rather via an app), correct? Would Apple allow me to add a debit card to Passbook but only use it when invoked via an app for m-commerce payment?

    1. Correct on Durbin.. no PIN or routing issues in mCommerce. You are no in the “meat” of the issue here. So you can have a card in your wallet that works for mCommerce.. but won’t work for tap and pay? wow… that would really stink..

  4. Great article. I want to clarify a couple of points.

    Remember when I kept asking the question on Apple and how Durbin will impact Debit? The aside below I think will shock people that haven’t seen that part yet.

    Well there are two answers, because Visa/MC and Apple couldn’t get the infrastructure in place to deploy Tokenized EMV payments in the most ideal fashion. The original and now future goal was for tokens to be created for each transaction, one time use, or for the creation of tokens for use at a single merchant, one token for McDonalds, one token for Burger King. The reason that is important has to do with the definition of a debit card in Regulatoin II aka Durbin Amendment. The definition gives a clear exemption that single use tokens or tokens for use at a single merchant are not Debit Cards and would not then need to have two networks for routing.

    As an aside and why the larger banks care even more, this would also mean the debit cap would no longer apply to these transactions. Sadly, V/MC and Apple couldn’t get this complete in time. So we are stuck with answer 2 or solution 2.

    First, to help illustrate this second solution we are stuck with for now, lets say that Visa is the token vault and primary signature debit brand. As a debit card I need to have a secondary network available to processing the Token BIN.

    1. That means, the secondary network has to have the ability to received the Tokenized EMV transaction, recognize it as a token BIN, which the network should be the issue will them that.

    2. The secondary network will make a call to the Visa Token Vault in this scenario to get the credentials used to create the token

    3. The secondary network will then transform the message into a card present like transaction using the existing message sets and send to the issuer for authorization.

    4. Issuer will respond and the secondary network will re-transform the message into a proper response to a Tokenized EMV transaction to the issuer.

    So as stated, the EMV Token is created by Visa and able to be processed by Visa we just need a second network to be able to handle the lookup and transforms.

    We know that Visa, Visa PAVD/Interlink, MasterCard, Maestro, Star are ready. So, in the scenario the issuer will have the option to add the newly issued Token Debit BIN to Star or Maestro, today. If the scenario was reversed with MasterCard being the Token Vault, then the issuer could add Visa PAVD/Interlink or Star.

    The other big pin networks, like FIS’s NYCE and Discover’s Pulse, are working to catch up to Star rapidly because they know that if they aren’t ready in time they will lose traffic to Star, Visa PAVD, Maestro. And the networks are making it easy to enable themselves for this purpose.

  5. Supposedly Visa is allowing all the debit networks access to the TSP. My question is really will merchants get all the proper bin information to correctly route with the tokens involved. I am guessing it could be confusing for a while.

Leave a Reply

Your email address will not be published.