mobile money – Page 3 – Noyes Payments Blog

Apple’s iPhone 6: GSMA’s NFC thrown “Under the Bus”

28 April 2014

I must get 10 calls a week on Apple/NFC. I’m quite concerned that Apple’s new capability will be completely mis-understood by the press, so i thought I would preempt all the NFC zealots out there with my own tag line.. So far I have a 100% success rate in predicting Apple and NFC (blog). Don’t know if I can keep it up as I read the tea leaves. Let me start with facts, then give you my informed opinion

Facts

There are 2 aspects to NFC: 1) the communication protocol as defined by the NFC Forum (this stays as is), #2) The GSMA’s construct and standards for how NFC can be deployed in a handset (things like TSM, SE, SWP, …). See http://en.wikipedia.org/wiki/Near_field_communication
Neither Google, Apple, Merchants nor Bank Issuers are in favor of the GSMA’s NFC platform. This is a fact in my mind… particularly in the US.
Host card emulation has created a way for all Android 4.4 and above phones, with and NFC compliant radio, to provide application access to the NFC radio. Phones cannot be certified for 4.4 unless they demonstrate support for HCE. See blog HCE – Now the Preferred Contactless Approach
The new card present scheme “Tokenization” was announced Oct 2013 at Money 2020, with the specification out last month (see EMVCO details). See my blog Payment Tokenization.
HCE and tokenization play together well. Tokens must be coupled with something else (Device ID, Bometrics, PIN, …). For those that have been MIS informed by Gemalto… there is NO NETWORK connectivity requirement for HCE/Tokens. A token representing a card is in software on the phone. It can be stolen.. but it is a worthless piece of information without the other identity/device information. HCE gets around the EMVCo Contactless encryption requirements.. and operates under the TOKEN specification. But there is much grey area here.. as “acceptance” of token is not clearly defined (including pricing). Thus the only “covered” presentment method from a phone to a POS is through a card emulation application. Token acceptance will be coming later, but “assurance levels” are making this a cracy space (tomorrow’s blog).
Update – I see that the smart card alliance has already responded to my blog here. The need for a trusted execution environment.. blah blah blah. Did you know that in an EMV contactless transaction that the PAN is sent in the clear? Yep… the need for the TEE is around signing a cryptogram (to verify where the card came from). Obviously I would much rather hide the PAN in a token, and enhance with phone information than give the PAN in the clear and sign something. There is no need for a TEE in payments, just as I access my bank through my browser on my PC without a TEE.. I can also do so with a phone. arghhh…
Tokens align well to banks and payment network dynamics and investment. US Banks had been working on a tokenization initiative for the last 3-4 years in the Clearing House (blog).
In both HCE and Tokenization scheme, the ISSUER IS IN COMPLETE CONTROL of their card. Issuers generate the token, and authorize the transaction. US issuers have their own token infrastructure in place from the TCH initiative (above). I wish I could emphasize this more. With HCE, issuers control which application(s) can present a card.. just as they did with within the TSM provisioning model.
There are HCE pilots that are live and functional. So much for not being “viable”. The issues are not around technology, but rather validating fraud controls and device ID. Issuers can be up and running with either Mastercard or SimplyTapp in weeks.
Perfect authentication and security is a nightmare to Banks.. Banks make money on ability to manage risk. There is no risk in a world of perfect authentication. Or as Ross Anderson says “if you solve for authentication in payments… everything else is just accounting”. See Blog – Perfect Authentication is a Nightmare for Banks.
MNO led payment schemes (the GSMA’s platform) are failing in OECD 20 (mature markets, but are leading the way in Emerging Markets). I have seen the transaction numbers… Reasons are multifaceted (see blog for reasons). The technology works.. it is beautiful.. problem is business/consumer value proposition and consumer behavior.
Historically, new POS payment instruments and POS payment behaviors are established through frequency of use. There are 3 categories: Grocery, Gas, Transit. Transit is the global success story (Docomo, Suica, Octopus, …)
4 Party Networks have a limited ability to change rules, Issuers dominate in influence. Amex is 3-5 years ahead of every US issuer in terms of capability, strategy and execution.

Opinion

Apple’s biggest asset is their ability to change consumer behavior (blog).
Apple’s iPhone 6 will be coming out in October (my best guess) with payment capability. It will have the capability to communicate in the NFC protocol.. but nothing about the new iPhone will be compliant with the GSMA’s architecture
Apple’s new capability is NOT ABOUT PAYMENT, but about Commerce (see blog) as they act as a CONSUMER CHAMPION (see blog).
Tokens play very, very well into an iBeacon model. Given that tokens are worthless “keys” that refer to a card.. these keys can be exchanged in the open with BLE. There is no need for near field if the information is worthless.
-Update- From my perspective I would not refer to Apple’s efforts as HCE. Where Google’s HCE repurposed an existing chipset to create a new software model. Apple has designed a new hardware model. Apple will be using bank issued tokens. Banks will look at using these delivered tokens in combination with: 1) Apple derived authentication score, or 2) MNO device ID from Payfone, 3) Bank mobile application information, 4) combination of above.
Authentication is key to Apple’s role in consumer trust and commerce. Per my blog Authentication in Value Nets, Apple is 3 years ahead of Google and everyone else in integrating software and hardware level security (ex Secure Enclave). Google has a path for a secure execution environment through Arm’s Trustzone, but this is more challenging as Google does not mandate hardware architecture (yet).
Apple’s new POS payment method will involve finger print on phone, and token presentment to retailer. It can be transmitted via NFC, BLE, QR Code.. or whatever the merchant and consumer can agree on.
How does Apple make money on this? I don’t think they will make money on payment, but rather on #1 Authentication (charging the card issuers for an authentication score), or #2 Marketing (charging merchants for consumer insight/ability to reach consumer).
Gemalto continues to cast stones, and miss revenue targets. Mobile Communications revenue of €225mn (-5.7% YoY growth, -1.0% constant currency) came in below consensus of €245mn (2.7% YoY). This is the second consecutive disappointing quarter for Mobile Communications, with revenue down 4% YoY in 4Q13. Why would any MNO invest in a secure vault on a Android handset when any application can go around it. That’s right.. there is no lock on the capability. This tremendously impacts the willingness of MNOs to “invest” in incremental features.. when their “investment” can be used without their permission.
What will REALLY impact Gemalto is a VIRTUALIZED SIM. Don’t think this is coming in iPhone 6.. but is it coming (see Viritualized SIM).
The next 2 years will see mobile payments as a “1000 flowers blooming”. Top card issuers will extend their mobile banking applications to enable card emulation (BLE, NFC, QR, … whatever).
Payment Networks will be working to expand the 16 digit PAN to something much larger to support dynamic tokens. They will be working to transition Cards on File to tokens.. with perhaps a card present value proposition.
MNOs will realize that they have a unique ability to create a device ID that competes with Apple’s biometrics. Payfone is the leader in the US, Weve in the UK. Beyond this, they may also begin to realize the $5B KYC opportunity I outlined 5 years ago.

Paypal and HCE? Really?

Just read David Marcus’ blog on Beacons, HCE and Alerts. I agree with him on just about everything… except Paypal’s opportunity in the physical world.

emvco token

Why do Banks love tokens? HCE – Now the preferred contactless approach addressed this in Feb. HCE aligns to everything that Banks and Networks do today:

Manage Risk and Fraud
Manage Consumer Authentication
Intelligence with bank and network
Trust is in the network. Networks ARE the TSMs (or rather TSPs)
Banks leverage 4 years of investment in TCH token scheme (ex Token Service Provider)
Banks expand mobile app capability with payment
Banks are in complete control of who can use their cards where
No more TSM, Payment is in the OS, No more dedicated NFC chipsets, and the MNO lock is gone.

Now imagine Paypal’s role here

In this world.. Banks make nothing (for ACH funded transactions) and merchants get stuck with 210-180bps for everything.. this is the “Blended rate” deal. Is there any wonder why merchants aren’t running to enable contactless?

As I wrote in my blog.. at least Google has a value proposition charging the merchant a maximum of 160bps and paying Banks the full rate of interchange (see Google/TXVIA, and Tokens, Rules, Wrapping and Acquiring).

Google/TXVIA is actually the only production physical POS “token” solution in the market. Osama Bedier made this happen through the TXVIA acquisition…. a brilliant move. It works today.. and I’m still struck by the insanity surrounding Banks and Network plans to kill it. It makes no sense at all!! The only production token platform, providing value to everyone.. yet the Banks HATE IT.. why? They don’t want google to see transaction data. You can only imagine the odds against Paypal as they work to serve their own interest.

paypal token rev

To be a successful payment provider you must have a solid business case to AT LEAST 2 of the parties: Consumer, Bank, Merchant. Visa and MasterCard built theirs around consumer and Bank, Starbucks on Consumer and Merchant. Oystercard on Consumer and Merchant. PayPal….? Consumer and ??? Well it is NOT delivering revenue to the Bank.. and given its cost it is NOT delivering value to the merchant. The reason PayPal succeeded in its early days was it solved a real problem: card acceptance online. It has no chance of competing in the much more hotly contested POS world … particularly without any value proposition.

Yes Paypal will be a payment option in the new Apple Payments scheme (it fought very hard for this win). As I stated previously Payments have moved into the Operating System and Payal DOESN’T HAVE ONE. But this is not a win at all.. they still must convince both consumer and merchant to use Paypal… it is just an option.

FYI… see the new card present standard on tokenization EMVCo Tokenization, Mar 2014.

What is NFC? What part is Dead? A: The GSMA part

23 Feb 2014

I decided to turn this into a Wiki update.. as the prior entry is somewhat lacking. For example: Who created the TSM? Single Wire Protocol in the UICC? Who certifies a device for payment?

The New Wiki is now (with the last 2 para’s just added)

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into proximity, usually no more than a few inches.

Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.^[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.^[2]

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443and FeliCa.^[3] The standards include ISO/IEC 18092^[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips Semiconductors (became NXP Semiconductors since 2006) and Sony, and now has more than 160 members.The Forum also promotes NFC and certifies device compliance^[5] and if it fits the criteria for being considered a personal area network.^{[citation needed]}

In addition to the NFC Forum, the GSMA has also worked to define a platform for the deployment of “GSMA NFC Standards”. within mobile handsets. GSMA’s efforts include“Trusted Services Manager”., Single Wire Protocol, testing and certification, “secure element”..

The GSMA’s standards surrounding the deployment of NFC protocols (governed by the NFC Forum above) on mobile handsets are not exclusive nor universally accepted. For example, Google’s deployment of Host Card Emulation on “Android KitKat 4.4”. in January 2014 provides for software control of a universal radio. In this “HCE Deployment”., the NFC protocol is leveraged without the GSMAs standards.

From a mobile payment perspective, NFC is

Protocol. NFC Forum owns the Protocols making up the ISO specifications. These protocols are the “universal” aspect of NFC that is NOT changing.
Platform for How NFC works in a Phone
- GSMA NFC Specifications, reference architectures, platform constructs (TSM, ..) outlining a SCHEME for how NFC manifests itself within a Handset Architecture
- HCE
- Apple Secure Enclave
- ??
Payment Network Standards and Certification. Exxon Mobile and Mastercard were the first contactless payment mechanisms, and Mastercard PayPass was the first Network Standard with reference implementation and certification for presentment and acceptance.

With HCE, the entire GSMA “NFC platform” is dead, but NOT the protocol (No UICC/SWP role, No TSM, Access to “controller” and Secure Element, no Handset Certification).

Comments on Wiki and blog welcom

Token Acceleration

20 Feb 2014

Let me state up front this blog is far too short, and I’m leaving far too much out. Token strategies are moving at light speed… never in the history of man has a new card present scheme developed so quickly (4-6 MONTHS, see announcement yesterday). As I tweeted yesterday, the payment industry is seldomly driven by logic, and much more by politics. Given many of my friends (you) make investments in this industry, and EVERY BUSINESS conducts commerce and payments, movements here have very broad implications. The objective of this blog is to give insight into these moves so we can all make best use of our time (and money). I was flattered at Money 2020 when a number of you came up and told me that this blog was the best “inside baseball” view on payments. Perhaps the only thing that makes our Starpoint Team unique is that we have a view on payments from multiple perspectives: Bank, Network, Merchant, Online, Wallet, MSB, Processor, … etc.

It’s hard to believe I’ve already written 12 blogs on tokens… more than one per month in last year. As I outlined in December there are (at least) 10 different token initiatives (see blog). Why all the energy around tokens? Perhaps my first blog on Tokens answered this best… a battle for the Consumer Directory. It is the battle to place a number in the phone/cloud that ties a customer to content and services (and Cards). The DIRECTORY is the Key service of ANY network strategy (see Network Strategy and Openness). For example, with TCH Tokens Banks were hoping to circumvent V/MA… (see blog). The problem with this Bank led scheme (see blog): NO VALUE to consumer, wallet provider or merchant. It was all about bank control. The optimal TCH test dummy was almost certainly Google, and the “benefit pitched” was that Regulators were going to MANDATE tokens, so come on board now and you can be the first.

Obviously this did NOT happen (perhaps because of my token blog – LOL), but the prospect of a regulatory push was the reason for my energy in responding to the Feds call for comments on payments. In addition to the failure of a regulatory push, the networks all got together to say no Tokens on my Rails (see blog). Obviously without network rail allowance, a new token scheme would have to tackle acquiring, at least for every bank but JPM/CPT (see blog). Paul Gallant spent 3 yrs pushing this scheme uphill and had no choice but to look for greener pastures as the CEO of Verifone (Congrats Paul).

In the background of this token effort is EMV. I’m fortunate to work at the CEO level in many of the top banks and can tell you with certainty that US Banks were not in support of Visa’s EMV announcement last year. One CEO told me “Tom I found out about EMV the way you did, in a PRESS RELEASE, and I’m their [Top 5] largest issuer in the world”. Banks were, and still are, FUMING. US Banks had planned to “skip” EMV (see blog EMV impacts Mobile Payments). The networks are public companies now, and large issuers are not in control of rules (at least in ways they were before). Another point… in the US EMV IS NOT A REQUIREMENT A MANDATE OR A REGULATORY INITIATIVE. It is a change in terms between: Networks and Issuers, and Networks and Acquirers, and Acquirers and Merchants (with carrots and sticks).

In addition to all of this, there were also tracks on NFC/ISIS (which all banks have walked away from in the US), Google Wallet (See Don’t wrap me), MCX, Durbin, and the implosion of US Retail Banking.

You can see why payment strategy is so dynamic and this area is sooooo hard to keep track of. Seemingly Obvious ideas like the COIN card, are brilliant in their simplicity and ability to deliver value in a network/regulatory muck. This MUCK is precisely why retailers are working

Payment Value

to form their own payment network (MCX), retailers and MNOs are taking roles in Retail banking, and why Amex has so much more flexibility (and potential growth).

Key Message for Today.

With respect to Tokens, HCE moves are not the end. While Networks have jumped on this wagon because of HCE’s amazing potential to increase their network CONTROL, Banks now have the opportunity to work DIRECTLY with holders of CARDS on File to tokenize INDEPENDENT of the Networks.

Example, if JPM told PayPal or Apple we will give you:

an x% interchange reduction
Treat as Card Present, and own fraud (can not certify unless acquirer)
Access to DATA as permissioned by consumer
Share fraudulent account/closed account activity with you to sync

If you:

Tokenize (dynamically) every one of our JPM cards on file
Pass authentication information
Collaborate on Fraud

This is MUCH stronger business case for participation than V/MA can create (Visa can not discount interchange, or give access to data).

This means that smaller banks will go into the V/MA HCE schemes and larger banks, private label cards, … will DIY Tokens, or work with SimplyTapp in direct relationship with key COF holders.

Sorry for the short blog. Hope it was useful

HCE – Now the PREFERRED contactless approach

Feb 19

HCE Gains Official Support from V/MA today

So much for 2 NFC/TSM CEOs telling me that HCE was “not viable”. I told you Feb was going to be a great month.. and this is not even the tip of the iceberg. As I look at the number of reference links below.. I realize that I’ve been talking about this stuff for far too long. For detail on what HCE is see my November Post HCE Breaks the MNO Lock.

Today’s announcement primarily impacts BANKs. Message to Banks, if you want to test HCE TODAY there are 3 options: Mastercard, SimplyTapp, or Android 4.4 DIY. Before everyone gets too excited.. the same mobile payment hurdle remains: merchant adoption. Technically HCE looks exactly the same to a payment terminal as NFC and unfortunately it also has same (terrible) business model (everything is a Credit Card .. by Bank design). Credit cards cost 200-500bps (% of sales) vs a flat fee of $0.07-$0.21 for most debit cards.

What does this announcement mean?

HCE Token Presentment = Card Present Paypass/Paywave
No more TSM, Payment is in the OS, No more dedicated NFC chipsets, and the MNO lock is gone. (Sell Gemalto … loosing MCX and NFC in the same week?)
Visa/MA prefer HCE to NFC hands down. It allows them to own the tokenization of cards in mobile. HCE actually ALIGNS to bank and network (V/MA) objectives: keep intelligence in network and control with issuers. The Networks ARE the TSMs. Mastercard is 3-5 years ahead of Visa here (with actual pilots). Visa’s is attempting to make up lost time by creating a more flexible program to support HCE within Visa Ready (Issuer Support). Note “Visa is Developing”.. vs.. call up MA and start the pilot. Visa’s token focus had been on the eCommerce side (V.me), and will have to run hard to play catch up.

Android Rules! Cards, Tokens and Door Keys in Apps. Your Citibank mobile app can pay at a contactless terminal, your Starwood App can open hotel room doors. Apps have access to ISO 14443/18092 compliant exchange.. with the support of Android. This is where it will get VERY interesting. Google created HCE based upon the contribution of SimplyTapp’s Software (via GPL). I believe it is a tremendous competitive edge for Android, and I would bet they work to “manage” the deployment of KitKat and approve applications that can leverage it, as they MUST be part of Google’s Authentication/Biometric plans. Why is this better than Apple’s Beacon/BLE approach? Google is a Platform that will allow hundreds of apps to access the radio where they will own security and authentication (open innovation). Apple is a hyper controlled structure where beacons will talk to your phone in defined ways through approved apps (managed innovation). OK this is a bit of simplification, but until Apple actually releases a product don’t complain about it.
Tokens, Tokens, Tokens. I could write a book on the interplay here. Much of the V/MA stance evolved from the previous TCH Token Project (see Money 2020 Blog and Business Implications of Tokens). The banks were working to end run Visa and MA on mobile tokenization. Theme is “if there is a number in the phone, why would we [Bank] want it to be a Visa or MA number.. lets make it OUR OWN number (ie a Token). After 3+ years the effort floundered and now TCH is left to be the standards body. Visa and MA reacted, most likely because of all my excellent token blogging (not), and together with Amex announced a new shared token approach.

Important. In the mobile context think of tokens are constantly changing card numbers. In the early stage HCE tokens will be 16 digits to support current payment infrastructure, but will evolve in next 2 years to be complex token identifiers much longer than 16 digits. Visa and MA have both developed controls for how this will work, for example having a “token” that refreshes at a given rate based upon where the phone moves and how the phone transacts. A Token could refresh at different rates (10 seconds to 10 weeks) based upon how the user transacts or what part of the world they are in. In this model Token generation is a NETWORK responsibility, which is why V/MA love this model. In the new token schemes, there is opportunity for the “mobile handset” to provide biometric and security information. As I stated before, NFC zealots will HOWL that there is no TSM, or security that a number will be stored in software. But SECURITY has DEGREES.. there is no such thing as 100% non-repudiation. I will leave it a subject to a future blog how ID providers are paid for this service.

History

There maybe a few new readers on this blog, so let me recap a brief history of how this came to pass.

NFC is a great technology, with a terrible business model. Developed by carriers in a walled garden strategy, they planned to charge $0.05 every time someone wanted to access a credential (like a credit card) in the “secure vault” within the mobile phone. The secure vault was the Secure Element (SE), with companies like NXP making dedicated chipsets for the function. See Carriers as Dumb Pipes.

Also see

ISIS Platform: Ecosystem or Desert

Apple and Physical Commerce

Network War – Battle of the Cloud Part 4

Controlling Wallets – Battle of the Cloud Part 3

Apple and NFC

Gemalto

Apple and Physical Commerce (not Payments) – Part 4

28 Jan 2014

The mainstream media is hooked on “mobile payments” like Doritos to the Super Bowl… we all like to talk about it… Difference is Doritos have real consumers.. while “mobile payments” at the POS are a laughable over-buzzed ethereal dream. I continue to be amazed at how badly this is covered, from over blown projections by Javelin ($20 B by 2012), to reports of NFC’s wonderful future from the GSMA. For readers of my blog, this hype is nothing new..

What is Apple doing?

Creating a Commerce Platform that will enable 1000s of Retailers to rewire commerce. Apple is the ONLY COMPANY in the world where Retailers will CHANGE THEIR BUSINESS to create a unique APPLE EXPERIENCE . Why? Apple’s biggest asset is their ability to change consumer behavior.. It is the only company in the world that can move: Retailers AND Consumers AND Manufacturers. There is enormous TRUST in the Apple brand; they have earned this trust (with THE MOST AFFLUENT consumer base) by consistently delivering the best product experience (A very very big PERIOD). They have proven to be THE leader in digital goods, physical retail AND eCommerce. Payments may be a starting point.. but Apple’s patents, technology, products and applications are completely missed if you only look at them from a payment perspective

Sorry to sound pompous here guys, but I’m pretty decent in predicting Apple in Payments, and the role of the Handset in Physical retail. Take a look at the consistency of my previous blogs…

Apple and NFC (No NFC in iPhone 4 or 5)
Apple and NFC Part 2 (NFC in next version of iPhone.. and the likely combo chip)
Apple Passbook
Handset – Commerce Orchestration (Drivers behind Apple and Google’s Platform Strategies)
Rewiring Retail Commerce

Product First

Apple is a tremendous company, with the best product design teams in the world. They care deeply about their brand and the consumer experience, particularly as it relates to the iPhone. Apple also knows physical retail VERY VERY well, with the most profitable stores per square foot in the world (over $5,600 per square foot). Let me restate this again, Apple is #1 or #2:

Ability to Change Consumer Behavior (see blog)
Handset Profitability
Customer Demographic/Profitability
Product Design
Consumer Experience
Sales of Digitial Goods (App store)
Sales of Physical Goods online (Mac Store)
Physical Retail Sales (Apple Retail Stores)
other (Authentication, developer community, cloud, fraud, security, …)

NOT About Payments

Do you think Apple would risk any of this on something that they could not control or has proven to be a failure? OF COURSE NOT!!

Physical Retail is a complex business that is undergoing a complete restructuring (see Blog), we are talking about $2.4T in sales (does not included Auto, Gas, Fin Services) vs. eCommerce sales of $180B. Apple has been very well served in acting as a late follower, the key for Apple to add value in retail is their role in changing consumer behavior (See Blog).

Apple’s Strategy

It is to make the iPhone a platform for Physical Retail, to enable retailers and manufacturers to create 1000s of fantastic consumer experiences. Apple will do NOTHING it cannot control, it knows that Banks and MNOs will look to leverage its brand and gain a controlling foothold. Apple and Google are very consistent in the battle to control the consumer (authentication)… the ability to authenticate is critical to bringing together the virtual (cloud, social, pictures, music, payment, ID) and physical worlds ( Blog Who do you Trust, and Authentication Battle ).

I have to run and catch a plane, but as a quick example. What if you were in a shopping aisle and the products could talk to you? They could tell you their reputation, what your friends thought of them, what they tasted like, or how they could best be used? What if you allowed certain retailers to know you were in the store (a form of checkin) and the retailer could give you a special deal on a package of 2 or more things you were looking at, or offer to meet Amazon’s price if they could package a warrantee and same day installation. When you walk up to the POS, they know your name and ask if you would like to put the purchase on the same card you used last time?

The business case for Apple is not making 10-30bps in payments, it is about making 500bps in advertising and retailer services. It is about cementing iPhone’s role as a platform for both Consumer and Retailer… adding services, adding transactions, adding loyalty and creating a behavior chain with APPLE AT THE CORE.

—————- update

Most of you know I deal with the institutional investor community. Today I had a funny quote.. “Tom we heard that Paypal is working to be part of the Apple product”. My answer “I’m sure they are… but they have absolutely NOTHING to give them”. Apple would be nuts to include Paypal here, Paypal has NO Physical presence, no merchant relationships, no consumer traction in off line, … Should Paypal let consumers choose to a Paypal “product”? Why? Perhaps linking their debit accounts.. but Paypal is not merchant friendly… it would be a VERY bad way to start a platform business.

As I said before as Payments move to the OS, Paypal does NOT have one.

T-Mobile – Great Move into Banking

23 Jan 2014

First off, congrats to the T-Mobile, Bancorp and Blackhawk teams. I love this product and the unique capabilities of the team that put this together. https://t-mobilemoneyservices.com/

What is the value proposition?

For the Consumer: Cost, Convenience through a “Banking Lite” product (see Product Pricing Here)
For T-Mobile: Consumer Loyalty, Increased Switching Cost, NRFF + Debit Interchange, Leverage existing consumer footprint and physical distribution

As I’ve stated previously, the bottom 40% of mass market retail banking accounts are no longer profitable for the large banks. New banking regulations (and regulators) have eliminated fees like NSF as well as Debit interchange for the largest banks. I covered most of this in my blog Future of Retail Banking. The top tier of banks are actively running away from the lower mass segment, and working to drastically reduce the cost of servicing. For example one Top 3 bank CEO I met with was looking to take $1B out of branch costs in next 3 yrs, by actively working to push consumers into mobile/online.

In one of my oldest blogs, MNOs Rule in Emerging Markets, I laid out the basic business case for Telecos to enter banking. Where Banks are burdened by a physical distribution network of branches that only sell banking products, MNOs (and Retailers) have physical distribution which can be leveraged to sell many products. In fact MNOs and Retailers can offer banking services at cost and still create a sustainable business case as banking/payments enhance foot traffic and loyalty. MNOs have a better short term prospect of delivering these services in the US as post paid customers go through a credit check process, thus consumer sighting and credentialing are very similar to what is necessary in opening a bank account (see my MNO KYC and Who do you Trust blogs). Add to this MNOs unique capability to enhance fraud controls in payments, and you have a set of VERY unique business platform that exceeds what a bank can deliver.

Prepaid?

My blog 2 years ago Future of Retail: Prepaid? spelled this move out.

…the business case for pre-paid is rather strong, and Banks themselves are assessing if they can make this the new “starter” account (ex Chase Liquid). However Three Party Networks (Discover and Amex) have a significant advantage. From Digital Transactions, March 2012

While the Federal Reserve’s rule implementing the Durbin Amendment has its greatest effect on traditional debit cards, it affects prepaid cards too, especially its provision that banks’ prepaid cards can avoid Durbin price controls only if cardholders can access the funds exclusively through the card itself. That provision thwarted banks’ efforts to make prepaid cards more like demand-deposit accounts and led them to scale back or end bill payments through prepaid card accounts.

But American Express and Discover are not subject to Durbin’s controversial provisions, Daniel and Brown noted. Both companies are so-called “three-party” payment systems that function both as merchant acquirer and card issuer. In contrast, Visa and MasterCard debit and prepaid cards are part of “four-party” systems in which the issuer and acquirer are usually different companies and rely on the Visa and MasterCard networks to route transactions among them. The Durbin Amendment exempts, or “carves out” in industry parlance, three-party networks from its provisions, including interchange regulation.

“There’s no restriction on what AmEx can pay itself” for prepaid card transactions, said Brown. Thus, AmEx and Discover have a new opportunity to grow their prepaid businesses, the attorneys said.

Clearly Discover (DFS) and American Express (Amex) have an opportunity to “Kill” prepaid cards, what are they missing? Physical distribution, service and reach in the mass market. These are the very things that retailers like WalMart can provide, and in fact economically benefit by providing them.

T-Mobile may have started this project as a result of Deutsche Telekom’s WireCard Success. Proving that it is not just emerging markets where Teleco’s can lead. In my view there are now 4 solid models for US MNO/Retailer as Bank (see and MSB or Bank)

1) WalMart/Bluebird through Amex/Serve

2) TMobile/Bancorp (DT/Wirecard) in Visa Product

3) Target .. Obtain the Banking License Directly (see Blog)

4) Prepaid non reloadable

Amex/Serve is the Leader, Bancorp #2

Why? Best example is the Chase Liquid Reloadable. Because of the Durbin constraints on funds access Chase had to pull Bill Pay capabilities from the product. Because Bancorp has under $10B in assets, it is exempt from this provision (?apparently) and can provide bill pay. However if I was an MNO, or Retailer, I would lean in strongly toward Amex (and to a lesser extent to Discover). Bancorp is the best pre-paid issuer to work with and is winning through hustle…

Prediction Big Future for Discover

TMobile may represent a tipping point for retail banking in the US. Now it is not just Walmart/Bluebird… this is a real business model that enhances a core telecom value proposition AND provides a tremendous launch platform for REAL PAYMENT INNOVATION. This together with the launch of MCX will provide the mass market with new products, not all of which are understood by the customer (ex Direct deposit my paycheck to my mobile phone company?).

The advantages of 3 Party networks are beginning to hit the market in REAL products, and I therefore predict that Discover will see a few MAJOR new partnerships, or be acquired in the next 18 months. All of this is somewhat ironic given that the ORIGINAL ISIS consortium was ATT WalMart Barclays and Discover.

Token Activity – 10 Approaches?

11 December 2013

I’m preparing for a few institutional investor chats next week in NYC and thought it was time to update my view on the payment landscape. Summary: much chaos and noise, with existing players throwing sand in everyone else’s gears… lots of energy.. but NO HEAT. This blog contains a brief inventory of initiatives I’m aware of. One of the reasons I do this is to solicit further dialog from blog readers.. so your thoughts are always appreciated. It is very difficult for small companies to identify activities which will impact them.. turns out that most non banks and even Visa and MA are ill informed on some of these as well.

In my June Blog Tokens: Merchant Options, and September blog Money 2020: Tokens and Networks I laid out 5 token initiatives.. we have now almost doubled..

The key differentiation between these Token initiatives is WHERE the translation occurs (Wallet, POS, Processor, Network, Issuer). Translation is also referred to as DIRECTORY, which I define as the mapping of consumer information to payment information (see blog Battle of Cloud Part 1). The owner of the consumer directory is the winner in all of this, as the value of payment pales in comparison to the value of data and the consumer relationship. This is the core of the token battle.

Inventory is for POS payments only.

Form A (TCH Pilot – Processor Translation)
- Consumer Directory: Bank
- Token is presented to Merchant at POS (QR code, NFC, Barcode, …)
- POS forwards token to Merchant processor (ie Elavon)
- Elavon translates token into card through TCH service
- TCH can resolve token directly (switch to network), or forward to participating bank for resolution (switch to network)
- Issuer sends Authorization to Elavon
- POS settlement
- Patent issues surrounding merchant processor translation of tokens

Form B – Wallet Translation (Push Payments)
- Consumer Directory: Wallet
- Token is presented by Merchant and read by Wallet. Token represents MID, TID, Processor and Amount
- Merchant POS is awaiting authorization as if a card was swiped
- Wallet sends token to Issuer (circumventing Visa/MA). Note this is WEAK LINK as data connectivity required for Consumer’s phone at POS
- Issuer translates token into authorization, sends to processor
- Processor passes authorization through to TID as if card was swiped
- SMS based payments done in this model for years. Form of tokens could be beacons, QR, biometrics. Difficult to patent as core for operation is consumer directing bank to make payment.
- Key differences (globally) are how consumer IDs the merchant and amount, and how does issuer pass the auth
Form C (C for Chase with their unique VisaNet deal)
- Consumer Directory: Bank
- Token is card number, Presentment is TBD.
- If Merchant is a CMS merchant, Card routes through JPM’s version of Visa net for offers/incentives (given merchant participation.. of which there is none).
- If Consumer card is JPM then deliver Card Linked Offers. Again.. not much here.
- Unique capabilities, but all based upon Visa’s network. Barrier to replication is the unique deal that JPM constructed to “branch” VisaNet
Form E – EMV/NFC
- Consumer Directory: TSM/MNO
- See Smart Card Alliance
- Token resolution is TSM (yet another network). Problem with NFC is that TSMs are usually controlled by MNOs, that take a walled garden approach in constructing a toll bridge for use.
- See my blog on the 12 party supply chain making this approach a nightmare
- Pressure here comes from Payments as part of the Handset OS, HCE (see blog) and unique US political dynamics (see Chip and Signature).
- Patents and Standards well established. Issue is value to all parties.
Form G (G for Google’s old Mastercard proxy model)
- Consumer Directory: Google
- Token is a card number – Issuer is google (See blog)
- A plastic version of this was planned in 2012 as reported by Android Police, but was pulled because of high stakes war involving top issuers and Mastercard.
- Merchant runs transaction as normal
- Google acts as issuer receives authorization request and routes to selected card (using facilities of TXVIA).
- After receiving authorization from funding card, google authorizes transaction
- Issuers make all of the interchange they did before, but don’t like being wrapped. They also don’t like the data leakage and the fact that this impairs their ability to offer unique services (10% off at Kinkos).
- Note: this scheme has a value proposition for everyone.. and banks still don’t like it… Google loses money on every transaction.
- Another little known fact is that early versions of GW ran in this model due to limitations within NXP’s chip (only supporting one card emulation app)
- No Patent issues, few other companies could afford to take a loss on every transaction (buying data). Network rules are the primary issue.
Form H – Host Card Emulation (Google, MA, SimplyTapp) I like – this one
- Consumer Directory: Issuer
- HCE Blog
- Blend of NFC and Form V below. Simplifies the NFC supply chain
- No dedicated hardware, NFC just another radio
- Issuer Creates One time use tokens for EMV key generation
- Merchant acceptance hurdle CURRENTLY same as NFC
- Can be leveraged for non EMV purposes (Beacons, QR, wi-fi, …)
- HCE is GPL, but ability to generate one time use tokens for EMV generation is unique.
Form M – MCX/Target Redcard
- Consumer Directory: Wallet/Retailer
- See Gemalto/MCX Blog
- Very similar to Model S (Square) below except wallet is owned by the retailer and form factor is QR code
Form P – Paypal/Discover
- Consumer Directory: PayPal
- OK… this is not mobile yet.. but since I have Square down below, I thought I would be fair
- Consumer registered for Paypal Card running on Discover network.
- Consumer enters phone number at POS + PIN
- Processor translates phone + PIN into Discover transaction
- Discover routes to Paypal for authorization
- Very similar to Model G above
- Transaction authorized
Form S – Square/Starbucks/LevelUp – POS translation
- Consumer Directory: Wallet/Square/Starbucks
- Consumer account mapped to phone, ID, voiceprint, card, picture, location
- POS translates ID to Card
- POS request authorization as a card not present transaction
- Consumer Authorization was taken during service registration
- Consumer receives digital receipt for transaction
- See Square Stand, LevelUp
Form V – Visa/Amex/MA – Network Tokens (TBD)
- Consumer Directory: Network (Issuers don’t like this)
- Press Release
- See blog on Battle of the Cloud Part 4 – Clusters Form
- Tokens will evolve to a very long number which will be translated to an issuer/account number. This is what Visa/MA do today.
- Patents will be around generation, use and validation of token. In the future, merchants will not store your card numbers on file (COF), each merchant will have a unique token based upon your actual account number and their own ID.

From Business Implications of Tokens

Business Drivers

As I outlined in New ACH System in US, my view of Bank business drivers for Tokenization are:

Stop the dissemination and storage of Card numbers, DDA RTN and Account Numbers
Control the bank clearing network. Particularly third party senders and stopping the next paypal where consumer funds are directed to unknown destinations through aggregators.
Own New Mobile POS Schemes to protect their risk investment
Improve ACH clearing speed (new rules, new capabilities to manage risk). In a token model the differences between an ACH debit and a debit card will blend as banks leverage common infrastructure.
Create new ACH based pricing scheme somewhere between debit ($0.21) and credit cards
Regulatory, Financial Pandemic, AML controls (per blog on HSBC)
Take Visa and MA out of the debit game (yes this is a major story)
Maintain risk models (see both sides of transaction)
Control Retailer’s efforts to form a new payment network

What banks seem to be missing is that mobile payment is not just about payment (seeDirectory Battle Part 1). Payments SUPPORT commerce, Banks therefore do not operate from a position of control but rather of enablement. Most retailers recognize that Consumer access to credit has resulted in improved retail spending, however most would also say consumer addition to bank rewards has been detrimental to their margin.

Gemalto CEO: We will make “hundreds of millions” from MCX

4 Dec 2013

I had a large institutional investor forward me this article.. it is 60 days old.. but still I spit out my coffee laughing, so be careful.

http://nfctimes.com/news/gemalto-offers-details-mcx-deal-vendor-will-earn-fees-transactions

Gemalto CEO’s assertion that he will make “hundreds of millions” from MCX is a big pile of… um… “optimism”. Given he is a public company, I can’t imagine how he could possibly give forward looking statements that are so completely and utterly unfounded. Perhaps communication by public companies in Amsterdam is a little more relaxed (a trip to the “coffee shop” with Bob Dylan. I better watch out, or I may be treated like Bob was yesterday see CNN – Bob D Inciting hatred).

Let’s do a little math.

MCX will likely process payments in a decoubled debit model with a net payment cost of $0.05 (plus 10-20bps for fraud). If Gemalto were able to get 10% of $0.05 ($0.005/tran) it would take 20 BILLION transactions to generate $100M in revenue, at $40 per average transaction that would be 800 BILLION in sales. For perspective, total US retail sales are $2.4T (not including restaurants, auto, services, gas). Wow…. Quite Gemalto has quite an “aspirational” view on MCX adoption. I wonder if Gemalto’s CEO knows that the US operates in a competitive free market??

The only possible way to (re) interpret quote is that MCX will make 100M TRANSACTIONS. This means that Gemalto’s revenue from MCX would be $500,000 (at the VERY top end) in Year 5. I hope the institutional investors priced this “cloud” revenue…

I’ve yet to meet any vendor that has not left in tears after working with WalMart. These guys are supply chain Pros.. and no one makes hundreds of millions.. and if you were.. you sure wouldn’t go tell the press about it before your product went live. Gemalto’s innovation is a pretty QR code.. they are complete idiots if they think that they are the only option for presenting a payment “token” to a POS (see Gemalto QR codes for detail).

12 Party

I own no Gemalto stock, but if I did.. it would be a short position. Their bread an butter businesses are handset SIMs and Credit Card Chips. My view of the world is that dedicated hardware is moving toward software. For instance the SIM card.. most have seen Apples plan to virtualize the SIM (see blog). Gemalto’s hopes for NFC are also dashed by things like Host Card Emulation (HCE) and the 12 Party supply chain. See this picture on the right? The 12 parties… ? Well they ALL need to make money.. and I can tell you with great certainty that the NFC suppliers in this market don’t have 2 dimes to rub together on NFC.. everyone is taking a bath. Gemalto represents 2 boxes of the 12 (UICC and TSM).. Twice the risk.. non of the cash. Investors look at it this way.. do you really want to bet on Gemalto over both GOOGLE and APPLE? FUBAR!

What is left for Gemalto? EMV Cards.. They will see a bump in demand over next few years due to US reissuance.. but Gemalto is a commodity supplier here. I see nothing in their future that will help them evolve toward a software model.. MCX revenue projections are complete bull&*^*&^

[yop_poll id=”3″ tr_id=”101010″]

Issuers … give HCE a shot now

Imagine expanding your existing bank mobile app to do card emulation.. with NO TOLL to the TSM or carrier.. you are in complete control. A project which should be sub $1M AND NO CONTRACTS!!

The only current dependency is Android 4.4 with an NFC or HCE capable handsets.. with over 40 new OEMs handsets shipping in next few months.

I’ll fill this blog out in more detail, but here are the key actions

mobile app development
workout how your static signing keys can be deployed. SimplyTapp has solution in place (https://www.simplytapp.com/)
Test with legacy embedded handsets and new OEMs to establish your test pool
Create a new consumer registration service where virtual keys are provisioned to application (again SimplyTapp has this)

Google’s phones are ringing off the hook. Retailers, loyalty providers, Banks are all working to leverage this new approach. The Android team can help you with the APIs.. but recommend you get in touch w/ SimplyTapp today

(I have no current relationship with SimplyTapp… but think it is something that makes sense as hardware evolves to software)

– Tom