Tokens: Any Volunteers?

19 June 2013

I’ll be leading a panel on Tokens at Money 2020 so thought I would spend a little prep time this week.

V, MA, TCH token initiatives all share one very big problem: no volunteers. Visa is the furthest along organizationally.. they tried tokens before (2010 Token best practices), technically there was nothing wrong with Visa’s previous efforts. The primary problem was that network participants (POS, Card Reader, Gateway, Processor, Acquirer, .. ) were ill suited to transmit anything but a 16 digit PAN.  Now that we have 16 digit tokens (likely based upon ISO/IEC 7812 BIN ranges owned by individual banks), the network CAN forward them for resolution..  these tokens are not Visa, MA, or ACH numbers.. they are an identifying “key” to information (other cards).. which only the holder can determine. This is the heart of what I referred to in Directory Battle Part 1.

If you were a merchant and a vendor came to you with this proposition “give me all of your customer information, I will lock it up.. and give you one of my keys for you to access it”… would you do it? There are some possible business cases around fraud/data leakage liability…. but customer information is somewhat important to most businesses. Token value propositions are not much different.. give me all your stored cards and I’ll give you a token.  At least Visa and Mastercard have rules around PAN.. but what are the business rules around tokens? Think of the Amazon world where I select from a list of stored cards… does the customer have to consent to exchange of PAN for token? In instances where I have multiple bank accounts/cards, will there be a token for each bank? For each card?  (Networks are prohibiting “non compliant” schemes today). How does the customer select an instrument (debit/credit) if multiple products are behind a token?

I believe that if the consumer has given a merchant payment information, it is an asset that they should only part with if there is a significant value exchange (data, rates, …).  The idea that a merchant would willingly part with card data is just plain silly.. and hence the lack of pilot participants.

The only way I see this working is if banks “push” tokens into every wallet/retailer, automatically enrolling them into Google, Amazon, V.me, Apple, PayPal, … In this model consumers give banks permission to assist with “fast checkout”. In the NFC world this is akin to “provisioning” a card.

We are very far away from seeing tokens at the POS “work” in any business sense, as there are no clear business drivers (beyond giving banks greater control of payments). Banks are not solving a consumer problem, nor are they solving a merchant problem. It is a strategy to maintain control (rules, rates, liability, speed, clearing, network, …). There is also friction within competing networks as MasterCard and Visa do not want to be wrapped by a TCH token, nor vice versa… As stated previously, in the eCommerce world V/MA could see substantial success if they replace VBV/MSC with this token approach, shift liability to banks and give discount CNP rates. Banks would have great trouble replicating this eCommerce approach because they are in a very poor position to influence eCommerce gateway/processors.

From my view the future of any Token must be driven by customer first. This is where the best opportunities exist for MNOs, and the Banks (physical distribution). I call this federated identity management: enabling a way for your real world ID to be associated with your virtual accounts and IDs (see my blog on Apple – http://tomnoyes.wordpress.com/2013/04/03/apple-and-nfc-part-2/).  Currently Apple, Google, Amazon and Square are leaders here… although there is a $5B opportunity for MNOs if they could put a team together with some focus.

My updated view on TCH token framework – Usage (“Wallet” transaction for JPM Visa Credit Example)

  1. Consumer presents Token (virtually or physically) held by consumer (or 3rd party)
  2. 16 digit “token” treated same as card (although not a V or MA PAN)
  3. Processor routes token to Bank Token Authority (TCH) in an ISO 8583 transaction
  4. TCH can resolve token directly (switch to network), or forward to participating bank for resolution (switch to network)
  5. JPM resolves token to Visa Credit. If the merchant is a CMS customer, then on-us (No Visa Interchange). If non CMS, route through Visa.
  6. Authorization sent to Acquiring bank/Processor
  7. Authorization sent to both merchant payment terminal and to 3rd party wallet provider (?). Pilot prospects.. negotiate this one HARD
  8. POS settlement
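
Steps 2 to 5 of the usage flow above, as an added Python sketch that is not from the original post or from TCH: a 16-digit token passes the same ISO/IEC 7812 check a terminal applies to a card, is routed by BIN to the token authority, and is resolved there without the PAN travelling downstream. The BIN `999900`, the merchant IDs, the serial numbers and the vault contents are constructed, and the on-us rule is modelled as a simple set of merchants.

```python
# Added illustration: BINs, tokens, PANs and merchant IDs below are constructed.

def luhn_ok(number: str) -> bool:
    """ISO/IEC 7812 check digit test, as applied by terminals and gateways."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def make_token(token_bin: str, serial: str) -> str:
    """Build a 16-digit token: 6-digit BIN + 9-digit serial + Luhn check digit."""
    body = token_bin + serial.zfill(9)
    return next(body + c for c in "0123456789" if luhn_ok(body + c))

TOKEN_BINS = {"999900": "TCH"}   # hypothetical BIN range owned by the token authority
CMS_MERCHANTS = {"M-1001"}       # merchants acquired by the issuer, so on-us

TOKEN = make_token("999900", "42")
VAULT = {TOKEN: {"issuer": "JPM", "network": "Visa", "pan": "4111111111111111"}}

def route(account_number: str, merchant_id: str) -> dict:
    """Steps 2-5: validate like a card, route by BIN, resolve, pick the rail."""
    if len(account_number) != 16 or not luhn_ok(account_number):
        return {"decision": "decline", "reason": "malformed account number"}
    authority = TOKEN_BINS.get(account_number[:6])
    if authority is None:
        # Not in a token range: an ordinary PAN, routed by its card BIN as today.
        return {"decision": "forward", "rail": "card network", "reason": "ordinary PAN"}
    entry = VAULT.get(account_number)
    if entry is None:
        return {"decision": "decline", "reason": "unknown token"}
    rail = "on-us" if merchant_id in CMS_MERCHANTS else entry["network"]
    # The PAN stays inside the authority; downstream parties see only the last four.
    return {"decision": "forward", "authority": authority, "issuer": entry["issuer"],
            "rail": rail, "pan_last4": entry["pan"][-4:]}

if __name__ == "__main__":
    for merchant in ("M-1001", "M-2002"):
        print(merchant, route(TOKEN, merchant))
    print(route(make_token("999900", "43"), "M-1001"))   # well-formed but never issued
```

A well-formed token that was never issued is declined at the vault lookup, which is the only place the token-to-PAN mapping exists.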

Business Implications of Payment Tokens

US mobile payments will have a new “network”, a system to use tokens which are neither V or MA card numbers. Thus Banks need not route these transactions through either V or MA, but will be able to leverage same acceptance infrastructure. Virtual card numbers will be bank numbers that banks resolve. JPM’s is first to align w/ plastic, leveraging common authorization authentication and other services

21 Feb 2013 (pardon the typos as always)

US mobile payments will have a new “network”, a system to use tokens which are neither V or MA card numbers. Banks’ position is that they need not route these transactions through either V or MA (in order to leverage same acceptance infrastructure), whereas V/MA clearly say that an account can’t be both a network account and a XPAY account (see no wrapping).

The banks’ desire in 2011 is that Tokens will be bank numbers that banks resolve.  JPM’s is first to align w/ ChaseNet and ChasePay.  Banks are putting in place “controls” around ACH debit and card rules which will “encourage” token adoption.  Watch out payment start ups.. rough seas ahead. As I stated: Banks will WIN in payments.

In the US, merchants own liability for Card Not Present (CNP) fraud which aligns online merchants to the risk of using a payment instrument for a consumer they cannot physically verify (see VBV exception). However well an individual online merchant manages their own payment risk, there remains extraneous indirect risk to banks, as card data loss could result in: counterfeit plastic, identity theft, other first party fraud, …etc. Thus the fallibility of the current card “token” which relates Bank to Consumer relationship. Through this NEW token initiative, Banks are seeking to expand the account identifier by making it unique to: consumer, bank AND merchant.

Today merchants receive an authorization for use of the card and behind the scenes Banks use very large sophisticated risk models (ex software HNC’s Falcon) to make authorization decisions. As eCommerce merchants are responsible for fraud, they perform their own risk management either directly or through payment specialists (Cybersource, PayPal, Amazon, Digital River, …etc). Banks have few problems approving online transactions.. as they bear none of the loss… and hence a game is played. Banks have little incentive to share their fraud data and merchants have little incentive to share theirs. Remember that within banking, margins are driven by the ability to manage risk and banks are therefore incented to differentiate capability (not harmonize it). Which leads to other interesting dynamics (perhaps a topic for a later time).

At the Physical POS, the situation is different. Merchants bear little fraud and with EMV (Chip and PIN) the US will further reduce fraud where plastic is presented (if EMV in the US does happen). As I described in EMV Battle Impacts Mobile Payments, Retailers love EMV and are biased toward PIN and Debit. Retailers are continually looking for a way to reduce payment costs and influence consumers AWAY from Bank reward schemes.

Mobile payments remain “green field” and may be significantly disruptive at the POS. One of my favorite quotes around payments: “if you solve authentication.. everything else is just accounting” (Ross Anderson @ KC Fed). The mobile device can provide a much richer set of information with which to authenticate (vs a piece of plastic). Banks have invested billions in their card risk and authentication infrastructure. Mobile could render most of this investment moot, thus Banks are working to control and influence mobile payments at POS, particularly given NFC’s complete failure. Additionally, new payment providers like LevelUp, Google Wallet, MCX, Passbook, …etc all present large challenges to banks’ efforts to own the consumer relationship and payment choice at the POS (See MCX Blog).  Banks have some latitude to create incentives around mobile. For example, is an MCX QR code backed by a Visa Debit card a CNP Visa transaction? Card Present? Or will MCX try to encourage consumers to back with DDA like the Target RedCard model?  Mobile payments are a key battle ground for many parties.. it is imperative to recognize that mobile payments are not just about payments.. but also about loyalty, relationship, data, influence, banking… etc.

In architecting incentives, banks have diminished ability to force V/MA to change acceptance rules. The same is true for retailers. Thus both are looking to create networks based on direct consumer accounts with account numbers (tokens) they can control. This is a very big statement.. if the banks can create a “token” which represents a credit account or a debit account.. they have “wrapped” Visa and MA (see blog Don’t Wrap Me). If successful, they could subsequently change networks anytime they wanted… or create their own. Why on earth would they want to route any debit transaction through V or MA if the token represented a debit card that represented a DDA? Or similarly doubtful: a token that represents a credit card which represents a credit account? (see  PayPal at the POS). Taking card number out of merchant (and consumer) possession, and replacing it with a token, enables banks enormous flexibility.

Yes my head is spinning too. I am implying that banks could leverage their entire acceptance and authorization infrastructure without routing anything through V or MA. No direct consumer involvement would be necessary in this token scheme since something like an MCX QR code could be mapped to multiple tokens in a single back end process. Banks are looking to make ACH changes as a defensive play to ensure that ACH rails are protected against funding a Retailer/3rd Party wallet directly (as PayPal, Target RedCard, Safeway Fastforward do today). This was my point in yesterday’s blog on ACH Debit.

Business Drivers

As I outlined this week in New ACH System in US, my view of Bank business drivers for Tokenization are:

  1. Stop the dissemination and storage of Card numbers, DDA RTN and Account Numbers
  2. Control the bank clearing network. Particularly third party senders and stopping the next paypal where consumer funds are directed to unknown destinations through aggregators.
  3. Own New Mobile POS Schemes to protect their risk investment
  4. Improve ACH clearing speed (new rules, new capabilities to manage risk). In a token model the differences between an ACH debit and a debit card will blend as banks leverage common infrastructure.
  5. Create new ACH based pricing scheme somewhere between debit ($0.21) and credit cards
  6. Regulatory, Financial Pandemic, AML controls (per  blog on HSBC)
  7. Take Visa and MA out of the debit game (yes this is a major story)
  8. Maintain risk models (see both sides of transaction)
  9. Control Retailer’s efforts to form a new payment network

What banks seem to be missing is that mobile payment is not just about payment (see Directory Battle Part 1). Payments SUPPORT commerce; Banks therefore do not operate from a position of control but rather of enablement. Most retailers recognize that Consumer access to credit has resulted in improved retail spending, however most would also say consumer addiction to bank rewards has been detrimental to their margin.

Tokens for Mobile POS?

Why would any merchant or wallet provider choose to exchange consumer payment instrument(s) for token(s)?  Reduction in CNP rates, liability shift are significant. But the mobile device has many additional “identifiers” that far exceed what is available on a piece of plastic (IMEI, location, history, password, interaction for challenge). IMHO the bank business case for tokens must be built on CNP rates and Customer Choice. If Banks directly assist consumers provision their account into a mobile wallet, every wallet provider should support it. In other words the bank has done the work to integrate and “push” the customer’s choice into a given wallet from their online banking site (ex yesterday V.me and SavetoAPI).

But this bank led provisioning does nothing for the millions of accounts that consumers have already provisioned themselves in: PayPal, Apple, Amazon, Google, Target, Safeway… All of these companies have worked to deliver consumer value and obtained a direct consumer relationship, which subsequently resulted in the consumer choosing to store payment information directly. I can’t imagine a scenario (or business case) for them to part with that asset, particularly prior to 100% acceptance of tokens by all merchants (online and offline).

Token Acceptance

The value of a bank issued token is completely dependent on: ACCEPTANCE, cost and Risk Mitigation. At the physical POS Retailers are firmly in control of acceptance, unless the tokens perfectly mimic existing card schemes. Banks will likely work to ensure that any non-tokenized payment (QR Code) will be treated as a CNP transaction with merchants bearing fraud responsibility. If tokens are in the format of a 16 digit account number then there will be very little change necessary to the payment terminal. However, the downside of using 16 digit account numbers is that it would not enable banks to firmly separate from V/MA BIN routing (and network fees). It will certainly be interesting to see the plan here.

Retailers, Banks, Networks, Consortiums… are all at odds… all trying to own the consumer relationship and control a directory which they can resolve.

In general I see the token initiative as a distraction for banks. They are far too focused on control and throwing sand in the gears of commerce. Commerce will find the path of least resistance in an open market.

Summary

My guess is that many Card CEOs are skeptical of all this network tokenization strategy. Banks’ card teams have tremendous assets in their consumer relationship, established consumer behavior, brand, network of acceptance, merchant white label relationships. Why not work to partner and extend today’s model in a way that benefits consumer and merchant? Example: Payment enabled CRM.

This tokenization project’s ability to positively impact mobile payments and retailers may be like squeezing Jello… American Express can only be laughing to themselves. As US Card issuers are 5 years behind them in innovation, Amex is extending their lead as they endeavor to “pull their weight” while helping retailers obtain new insights on their customers. This sounds like a much better idea than tokens.. probably one that investors will understand better as well.

My message to Bank CEOs: stop trying to lock in your market position and start trying to justify it through value.  Tokens will provide you more control, but it is significantly detrimental to your acceptance network (V/MA). You have brilliant payment executives.. there is true genius in the token design here, but it is completely myopic. If you had a cross functional team with experience in retail, advertising, data, processing, CRM you would realize that mobile will change the way consumers interact with their environment. Banks will NOT be the intermediary in every interaction. The barriers you are constructing will only further inhibit your ability to partner and take part in processes which add value.  Remember your customer is not yours exclusively, we also are customers of Google and WalMart and Verizon…. Banks have an OPPORTUNITY to orchestrate commerce IF they deliver VALUE.  Payment people design payment solutions to payment problems. Banks must redefine the problem and the opportunity.

The questions banks must answer (for a retailer): when was the last time you brought me a customer and helped me build my brand, and consumer relationship?

Another scenario Card CEOs should consider: if Payments become “dumb pipes” …. where retailers and non bank intermediaries can perform Least Cost Routing (LCR)… how do we compete? How strong is your customer relationship?  Why did the consumer choose you as the bank in the first place?