Chip and Signature!?

4 Decemberblue_credit_card

I finally received my very first EMV compliant piece of plastic from Citi this week. As I travel frequently to Asia and LATAM I’m very happy. This should help me avoid situations like being stuck at Vancouver Airport without anyway to buy a tram ticket from their ATM like ticket machine. Just one thing missing in the package.. a PIN. !!

I went online to see why there was no PIN

chip and signature

Can you believe it… we now have something unique to the US.. CHIP and SIGNATURE!?

Wikipedia tells me that the US, Australia and NZ are the primary countries for this model… I described some of the dynamics in my 2012 blog “EMV Battle Impacts Mobile Payments

From Chip and PIN to Chip and Choose? Visa wants  encourage signature as these transactions must be routed through them.. my position (and that of most non network people) is that AUTHORIZATION and AUTHENTICATION are completely different problem sets. The availability of real time approval means nothing if you don’t know WHO you are approving for WHICH CARD.  PIN answers the “who” question and the chip is the account number or “how” you are going to pay. I just can’t believe that Visa has come up with this story.. but they must in order to support “contactless”. Most consumers don’t know that today contactless transactions have limits. These limits are set by the issuer, in Europe they are typically around $25. However the issuer can choose to increase the limit (no PIN required), or require a PIN with a contactless payment.  All of this is a little absurd for Visa as PIN is always viewed as key to authentication, AND Visa just waved the signature requirement for mobile payments. So no signature required for Square.. but Visa wants it optional at the merchant POS so it can retain the volume?….  Expect some Regulatory involvement here.


Large Merchants are very, very aware of this strategy to improve the credit transaction mix and make mobile/contactless payments a “premium” service. The top 20 retailers have put their foot down and said “no way” will we be putting contactless readers in our store (MCX members particularly). The terminals that they are ordering DO NOT have contactless capabilities.. only EMV chip and PIN. Most retailers agree that signature is a worthless authentication mechanism. Visa clings to signature in order to ensure transactions are routed through them. Expect MCX to look toward a PIN model..


So this EMV “battle” has many sides to it.. it impacts mobile payment adoption, EMV rollout, plastic re-issuer, consumer behavior, consolidation of national PIN debit networks, EMV compliant ATMs

So WHY chip and SIGNATURE? The 30 second summary is that “Perfect Authentication” is a Nightmare to Banks (see blog). If there is no risk.. then anyone can be a card issuer. (Credit risk as opposed to the billion dollar fraud/authorization systems).

Business Drivers


  • PIN is not a desirable consumer behavior, PIN is despised by both Banks and Visa
  • Grease the skids for contactless EMV. Who wants to waive their phone and THEN enter a PIN!? Visa/MA understand that it makes no sense to force a PIN on plastic and provide a “pass” for a waive.
  • PIN provides fantastic fraud prevention and therefore decreases the NEED for other risk management services (by Network and Bank)
  • Ensure that transactions are routed through them (signature debit is primary transaction type at risk).
  • The January 2013 Visa Mandate was a complete surprise to Issuers. I asked a top 3 card issuing CEO why did you commit to EMV. “Tom I found out about it the way you did, in a press release.. Visa has yet to come by my office to discuss EMV”. This gives you an idea on issuer relations. Why did Visa push EMV? to encourage reterminalization and enable mobile (credit card) payments.  Visa knew the big issuers would hate it.. but the Chip and Signature was a “meet in the middle” strategy. Visa created opportunity to enable contactless, and big issuers kept their PIN less advantages.


  • Shifts Fraud to Merchants who do not have compliant POS payment terminals
  • Allows large banks to continue to leverage their multi billion dollar investment in fraud infrastructure (Signature + $$ Fraud Infrastructure == security of Chip and PIN)
  • Keeps consumer behavior away from PIN
  • Big banks win, enabling them to leverage multi-billion dollar fraud system investments at the expense of smaller banks. Banks that can not make the investments will be challenge to support contactless, or EMV, without PIN. This again demonstrates how large banks continue to exert substantial leverage over the card networks in rule making and incentives.
  • The only EMV products coming out in the US are Credit based. Payment strategy is centered around increasing consumer use of credit card products.
  • See my blog on PIN Debit (Signature Debit is Dead).,PIN Debit enjoys a slightly higher growth rate (15.6% vs 14.3%), consumer preference (48% vs 34%), lower fraud rate (2009 fraud numbers: Signature $1.12B, $181M PIN debit card),  and obvious merchant preferences (interchange and fraud; 96% of PIN fraud losses assumed by issuers, vs 56% in Signature). Source FRB report

We have an environment where Large Banks and Networks are purposely rolling out a less secure payment product. From the FRP report

PIN verification provides superior protection against fraud losses… Signature based losses were 13 bps compared to 3.5 bps for PINfraud dollar losses 2

Obviously PIN is more secure, and DEBIT is where EMV should be focused.. But banks DON’T WANT TO MAKE DEBIT SECURE (no margin here). To a non-payments geek this must look completely insane. Is there any wonder that large merchants are working together on a new payment network (MCX)? To understand the payments industry you must throw out all logic.. and look at the incentives. Moves here are NOT logical..  Networks are measured on volume, the entities which are in control of volume are Issuers (switch portfolios). Merchants are motivated by cost of acceptance.

Another Bank Consortium? Paydiant

Banks have not put all of their eggs in the TCH basket. There is another Bank Consortium around payments which I have not discussed: Paydiant has been working with 27 odd banks around a “Push Payments” pilot for last 2 yrs.

PUSH Payments – 27 Bank ‘Consortium’


  • Banks have another “consortium” on payments I have not discussed: Paydiant Push Payments
  • Trials have been underway for over 2 years
  • Competes with TCH tokens
  • Led by BAC, FIS, and other top banks
  • Objective: minimize changes to POS, through a new payment terminal which displays QR code.
  • Flow: Customer takes picture of Payment Terminal QR Code (which contains MID and TID), Code sent from Consumer Phone to FIS service, translated in to card (currently), Processed in normal Auth flow, then Auth PUSHED to POS terminal.
  • Elavon in primary processor for TCH tokens, FIS is focused on Paydiantpaydient


On a flight to SFO today and I’m looking at 50 odd emails from last week questioning my blog on Host Card Emulation (HCE). It has certainly caused a stir with the NFC community. As most know, companies like SimplyTap have been able to make this work on the Blackberry platform for some time…. I don’t mention vendors by mistake… but can’t tell you much more here other than it would be worth your time to work with them if you want to evaluate HCE.

How does HCE play in a world of Tokens, QR codes, merchant run networks, NFC, and Push payments? Well quite frankly nothing is happening now, and until a critical mass of Banks, retailers and platforms start to deliver value (beyond payment) nothing will.  I’ve stated many times that existing networks are ill equipped to drive fundamental change. For example banks look at mobile as a chance to cement use of credit card and maintain control over payments (and consumers).

Those that have read my numerous Token articles know that Banks have been working to disintermediate Visa/Mastercard. The theme is “if there is a number stored on the mobile phone, we want that number to be one we own and control.. not a V/MA number.. but ours”. This number is the Token I referred to in Tokens – Volunteer Needed, Directory Battle, and Tokens and Networks,  …etc. Last month Visa, MA and Amex launched their own competing token scheme to ensure Issuers did not end run them. This has put significant dampers on the TCH project, together with the loss of its early bank champions (Paul Gallant now CEO of Verifone).  The TCH project is likely to morph into ACH and perhaps debit tokens, as well as coordinator of standards, with the Card Network consortium winning the battle over Card tokenization. The only significant piece of new information on this is that the TCH bank champions were emphatic that Regulators would FORCE TOKENs in pending rules. Lets see if that happens.


Banks have not put all of their eggs in the TCH basket. There is another Bank Consortium around payments which I have not discussed: PAYDIANT ( Paydiant has been working with 27 odd banks around a “Push Payments” pilot (see blog for Push discussion).

Paydiant Flow

  • Merchant has specialized Payment Terminal that can generate a Paydiant QR Code. No POS change necessary
  • Consumer has Paydiant application or Bank white labeled version
  1. Merchant pushes normal card button on ECR
  2. ECR sends Payment amount to FIS Card Reader
  3. FIS Reader Generates Unique QR code based upon Amount, Merchant ID (MID), Terminal ID (TID)
  4. Consumer launches application and takes a picture of the QR Code
  5. Application sends QR code to FIS/Processor for transalation and asks consumer to confirm amount/payment instrument selection
  6. Consumer confirms transaction
  7. FIS sends transaction through normal payment Auth flow.
  8. FIS receives Auth
  9. FIS Sends Auth to pending MID/TID
  10. Merhant Payment Terminal receives Authorization and communicates to ECR
  11. Transaction is completed

I think of this as a reverse Starbucks. Consumer reads a QR code instead of the other way around. In a perfect world this is a great example of push payments. Only supporting issuers can participate, and they can set rules for interchange, fraud or anything else they want to with Merchant. Banks can also completely circumvent Visa and Mastercard as actual card number did not have to be used.

This solution, while very attractive, does have a few problems. In my own personal experience

#1 Connectivity. Over half of participating merchants had to install wi-fi hot spots as consumers did not have data connectivity in stores. This makes for a very bad (and slow) consumer experience.

#2 Glare. I couldn’t take picture of the terminal without holding another hand up to block glare. Of course we could solve this with Bluetooth LE, or some other factor.. but today it is a problem.

#3 Learning curve. Taking a picture of a QR code is not something most of us do..  Cashiers are not in a place to help

#4 Why? This entire solution is cool.. but why? It is MUCH EASIER to just pay with my card. Just as in Card Linked Offers, there are very few advertisers or other offer content to make this attractive.  FIS seeks to offer LevelUp like loyalty services, but currently in its infancy.

Bank Chaos

The reason I’m telling this story is  to show you the chaos going around mobile payments. Just because the technology works doesn’t make this a great idea. However, I do like this particular initiative very much, as it is the BEGINNING of a new network and a NEW APPROACH to payments that could reinforce Bank roles in authentication.  The flow makes sense to me.. we just have a few problems with the phone to Payment Terminal interface.  Imagine if I could couple this with a SQUARE voice experience and Apple’s new fingerprint technology.

Paydiant was quite sure they were going to win the MCX business. The solution’s complete dependence on processors and issuers made this quite unattractive, and hence Gemalo’s win (see blog).

I have a number of friends in the payment s industry, and each bank seems to be involved in multiple intitiatives:

  1. Tokens
  2. CLOs
  3. NFC
  4. Paydiant
  5. Apple/Google Wallets
  6. MCX
  7. EMV/Reissuance
  8. Visa/MA/Amex Scheme
  9. …etc

It is a crazy time. Small companies and mobile investors need to be aware of this Chaos, and understand the diffusion of focus.

Obopay in VentureBeat (update)

Yet another strategy shift by the ever elusive Obopay, a group with around 2,000 customers globally.

What a complete waste of $126M in invested capital. My response to VentureBeat article is a picture from CGAP

Thats right.. 1000 customers in a Yes bank pilot.. that will make for a global total of .. 2000 !? I’ve also spoken to 3 of the major banks which hosted the Obopay team as they described their new services…. lets just say there will be few returned calls. In the US (retail banking side) The Clearing House and Cashedge already own this space, internationally it is Monitise (1M+ consumers). On the card side there are few attractive P2P models and card teams’ focus is therefore on POS. The problems that Obopay continues to face at banks:

  1. Branding payments Obopay
  2. Weak business case for P2P
  3. Technology is easy.. risk management and fraud ops is hard
  4. Card groups are focused on mobile at POS (NFC).
  5. Banks are not very fond of Visa or MA right now.. they feel that payments is their business (imagine that).

The American Banker Article is spot on in Obopay’s continuing evolution. The “salmon swimming upstream” from the Citi pilot is complete rubbish (bankers ask them to give you names, references and volumes). It would seem that there is an organizational tendency to tell a story and how that story led to product design. Whether it was Carol’s trip to Africa, or the only US Bank pilot. The real story seems to be that they can’t find any traction with anything they do.  Now they plan to create ” a mobile platform” for banks. Looks like that space is “a little” crowded already (back to the future?).

I would like to see Obopay take on a little more candor, they know their situation and will have a hard time finding customers while they blow smoke over their status, plans and platform. See Nokia’s India market evaluation here. Perhaps Obopay is launching the US services based upon the realization of the Nokia analysis…. there is no revenue in emerging markets.

Why am I so hard on Obopay? Because this team is focused on the unbanked, a group that needs protecting. Obopay has received far too much attention (and capital) that could be allocated to successful ideas and teams.  As they shift their focus off of the unbanked world, I will be less inclined to criticize as the large banks have the resources to clear the obfuscatory fog that is generated by this amazing marketing machine called Obopay. My hope is that Nokia and Mastercard restructure Obopay’s few assets and create a new organization without the accumulated baggage, perhaps  into 2 entities : one focused on the unbanked in honest partnership with NGOs, and the other focused on Nokia’s handset/wallet.

See CGAP Article

P2P on Mobile – CashEdge POP Money

Just announced at Finovate today

I know the folks at CE very well. Fantastic organization.. they excel at both the Sexy front end as well as the messy back end (risk/fraud) of payments. Their new POP Money service is rock solid and could give FSIs a strong contender in competing w/ PayPal in Sending money to any phone number or e-mail address.

CashEdge is a “Bank Friendly” service provider in that all of their services are white labled for banks. Few people know that if you use Wachovia, Citi, or Bank of America today, to transfer money outside of the bank, you are using a CashEdge Service. In 2004 I selected CE (Wachovia) because they provided a higher quality service at a lower price point then what I could build  internally (fully loaded). Many eCommerce teams only focus on the User Interface and top level design when assessing the cost of delivering P2P payments.  However it is risk and fraud management where you will find the true costs of “payments” to the organization. 

This new POP service will allow banks to create a revenue generating service, and take back consumer mindshare from PayPal.  Existing CE customer have a tremendous advantage in enabling this service, particularly given the current resource constraints within bank IT.

Many large banks are just beginning to offer A2A transfers (accounts that I own across FSIs). Wells just made this service available on a pilot in June.. Chase has it, but it is buried deep within the online functionality. There will be a big first mover advantage here, and my informed opinion is that Bank of America will be the the leader… or should I say stay the leader in payments.

Move over PayPal.

BlingNation Review – Updated 11/2

Was on the phone w/ the CEO of Bling Nation recently. The company’s advisory board includes John Reed, a former chairman of Citibank and of the New York Stock Exchange and Jeff Stiefler, a former chairman of Digital Insight and a former president of American Express. I was very impressed with the focused value proposition and team they have put together.
Stick RFID tags on phones, establish NEW RAILS, NEW SWITCH and provide merchants POS terminals. Focus is “on us” payments within community banks.
Key items that should give Visa/MC and the big banks pause:
NEW RAILS. They have direct integration w/ core deposit systems (think JackHenry)
NEW SWITCH. They are the switch between DDA and POS, completely new Auth system
Consumer Adoption. They have 10 community bank pilots going on now. 25% of all DDA volume is going through them within 4 months. John Reed said “if this consumer behavior is true.. it would be the fastest consumer adoption [of a new Payment method] in banking”
Value Prop is FOCUSED.
    Merchant:             Small merchants.. 50% reduction in interchange
    Community Bank: Replace Cash, Interchange revenue, customer retention (loyalty program), minimal
                               IT work for bank. Core deposit system “plug in”, hosted services
    Consumer.           Use your phone as a payment device, get rewards and account status. Keep your money with local banks
USABILITY. Instant activation.. get the tag in the mail, call up your bank and give them the number
Board of Advisors. John Reed is a visionary.. how often have you seen his name on anything? These guys will be successful
– Private networks have typically faced regulatory and compliance scrutiny. How advanced are the operating rules and agreements? Think ACH return… 🙂
– Long term consumer adoption.. is it just a flash in the pan.. or could this be an enabler for repacing cash for “community POS” payments (thing barber and soda shop) and move upstream from community to micro payments.. Something like this help small banks take back customers from the big guys?
– Fraud. Fraud doesn’t attack a system until there is sufficient volume to warrant investment.  If Cash replacement focus, then system should be air tight as it will be tough to commit investigative services to $0.50 transactions.