Tuesday, March 19, 2013

Friday, February 15, 2013

Mobile Payments are Growing - But Keep It in Perspective, Folks

Yesterday, Business Insider sent a Valentine to the mobile payments industry with the announcement of a new report.  The new report (I haven't seen it) covers the exciting stuff that's happening in payments from the mobile vector and, as we all know, that's a lot.  The press release put out some relevant numbers I thought were intriguing to examine.

Now, I'm a mobile transaction fan.  I just made my first Isis payment at my local pharmacy here in Massachusetts.  (No, Isis hasn't opened up here, I just had a SIM/UICC swapped out at the last Smart Card Alliance show in Salt Lake City.  And, yes, it worked.  More on that later as I gain more experience with it.)  

My wife's jaw dropped today when I deposited a check from one of her tutoring students using my smartphone.  

I've got Starbucks, Square Wallet, LevelUp, and more.

I like this stuff.  

But I'm something of an outlier.  It's my business.  And it's my business to be both encouraging and skeptical.

So, upon seeing the numbers reported in the BI report press release, it got me wondering about how big mobile really is when looked at  against the backdrop of all card payment volume.  So, using the press release's numbers and rounding them up to $25B and putting them against recent enough US credit and debit card volume of $2,158 trillion, we have, well, a start.

PayPal mobile volume  14.0
Square volume  10.0
All other in-store mobile .6
Total  24.6
rounded up to  25.0
All credit and debit card volume, 2011* 2,158
All mobile as percentage of all credit + debit cards 1.16%

* Nilson Report

Baby Steps

It's clear, we're still in mobile's infancy at 1.6%.  That's where we are today.  That number's diminutive stature would be almost laughable except for, at least, a few reasons:

1. These are the baby's first steps.  But, like the infant, all of the equipment's in place and it just needs practice and time to grow.  
2. Merchants are excited by what tablets can do with the right software.  And it's not just Square.  NCR's Silver iPad-based POS software is gaining attention.  There are dozens of others. Expect a LOT of Level 4 merchants (that's the small ones) to look seriously at this approach.
3. Consumers are, at least, intrigued by paying or handling coupons via their smartphones.  According to the report, there's 7.9 million of us who have used either NFC or QR code based mobile payments. That leaves 80 million and more to go.

Even if the mobile numbers are over or understated by 50%, the number is of sufficient size for everyone to acknowledge that mobile isn't just a fad and it isn't going away.  And it's still an infant.

Happy Valentine's Day, Kiddo!

(BTW, it might be pretty embarrassing for PayPal should Square's volume surpass it.  That's a race to watch!)

Monday, February 11, 2013

EMV and the ISO / ISV Bottleneck

In the payments industry everyone is holding their breath about something.  Customer experience management, cost of payment acceptance and processing, mobile wallets, NFC and mobile transaction origination techniques are all top of mind issues, any one of which has the capacity to shift the payments business.  But underlying all of them is the growing problem of fraud and the challenge of payment security.  

PCI - Driving in the Rearview Mirror

Few dispute the security inadequacies of the U.S. payment infrastructure.  The magstripe card and static data, potent devices that they were when the payment network ran on its own, cannot stand up to Internet-born technologies in the hands of Internet-powered hackers never mind the simple trick of card skimming. 

PCI has brought no little order and discipline to payment and networks security. But today's fast pace of innovation, particularly at the mobile edge of the network, makes standards development, and even development guidelines, challenging.  The PCI DSS has to be a reactive set of standards.  

The PCI data security standards cannot do more than require the construction of high coffer dams around a payments system that was, like the Internet itself, designed with limited security in mind.  As long as magstripe-encoded static data exists there will be breaches in that dam.  While PCI encourages stronger techniques, like EMV, it must deal with current operations and near-term options.

The payment industry's answer is, of course, EMV, the smart card-based security framework that, among other attributes, makes payment cards nearly impossible to counterfeit.  It is coming.  But, as the last magstripe holdout, the US is a fat target for counterfeit fraud at the POS and ATM.  EMV will go after the counterfeit card problem.  

It's Harder to Improve What You Don't Measure

One of the great shames of the payments industry is the lack of transparency regarding fraud losses.  Issuers don't want to report losses.  Neither do card networks or processors.  The origins of such reticence may have started in the now absurdly vain attempt to maintain consumer confidence in payment security.  Good job. No doubt, lawyer-driven CYA is today's main driver.     

So, that leaves us with today's unfortunately frequent reports of card data breaches, punctuated by an occasional spectacularly successful theft of millions.  (It's unfortunate that the card pictured in this news story is an EMV contact chip card because it's very unlikely that chip card data fueled these losses). 

However, in a brief private conversation, one processor reported to me that the losses it was seeing across all payment brands now exceed a $200 million annual rate.  Based on that and other sources, we are on a trajectory toward multiple billions per year in card-related losses. 

Fortunately, EMV is coming to remove counterfeit cards and let dynamic data kill off transaction replay attacks.  End-to-end encryption and point-to-point encryption promise to remove card data and PII from the transaction stream.  Tokenization, encryption's handmaiden, simplifies securing transaction history and other data-at-rest concerns.  Mobile approaches based on NFC or more data-driven schemes promise to tighten the mobile perimeter. 

All of that effort will make $200 million breaches, and even the $2,000 variety, far harder to accomplish.  From a security point of view, we're headed in the right direction.

Largest Retailers Get It

The largest retailers are already well along the path.  Knowing the cost of brand damage due to data breach never mind actual data loss, PCI compliance among the largest retailers exceeds 90%.  They already have EMV-capable terminals or have them in their acquisition plans.  They already have scope-mitigating encryption and tokenization approaches in play.  They get it.

The Coming Level 4 Disaster

While the Level 1 and 2 merchants, those largest of retail brands, have payment security on their corporate radar, the Level 4 merchants who represent the millions of small business operators in the US can hardly spell it.  

Last fall's survey by PCI compliance solutions vendor ControlScan and Boston-based ISO Merchant Warehouse shows how far small merchant awareness has to rise before they get the scope of the PCI problem. 

  • After 7 years, just 54% of small merchants said they were aware of PCI.  
  • And compared to last year's report, among the aware, action has declined.  Just 50% report themselves as validated PCI, a drop of 7%.  Fewer can even find their SAQs.
  • Down three points, only 48% are spending any money on compliance.  

In other words, talking to Level 4 merchants about the risks of payment security is like, as Crash Davis said in the film Bull Durham, like a Martian talking to a fungo.  


An industry mandate to push merchants, all of them, to adopt new security technology is the only viable approach.  That's what the October 1, 2015 liability shift date is about.  Pushing a portion of that growing fraud burden onto the merchant should get their attention.    

The key question for the industry is "how do we get EMV and other security protections down to the Level 4 merchant?"  There are no few barriers to achieving that goal:

  • If they're even aware of it, many merchants are looking at the impending liability shift - still 900+ days away - and saying "I'll take the counterfeit risk.  It's cheaper than replacing all of my POS gear."
  • Level 4 merchants believe terminals should last forever.  They simply want to take payments so there's no need to upgrade to a more secure device.  The millions of technologically ancient dial-up terminals still in use are proof.  Oh and, by the way, how is it that security expenditures improve my sales?
  • As the ControlScan / Merchant Warehouse survey showed, many already believe they're secure.

Yes, It's Complicated

Besides the sheer scope of the US card market, we have many more moving, and often independent, parts.  In Europe, where they are still in the acquiring business, banks enforce compliance, limiting choices and excuses.  But here in the US, the merchant services business is a supply chain of acquiring processors, merchant acquirers, gateway operators, independent sales organizations, merchant-level sales reps, independent software vendors, and value-added resellers.  It's a cat-herding problem. 

Yes, some acquiring processors take a different approach.  Heartland Payment Systems is vertically integrated with its own tightly managed sales force who are taught to sell, and have available, a widening set of services that go well beyond credit and debit card processing.  But they're the exception.

A Weak Link in the Deployment Plan

A major complicating factor is the mismatch of incentives between the organization who sell merchant services and the merchants they serve.  The ISO "feet on the street" whether in-house or contracted merchant level sales reps have, for a decade, been principally focused on portfolio development and management, not about offering innovative, non-payment related services that help their merchant customer be more successful.  

Many ISOs are on a dive to the bottom trajectory, selling card services on price.  As a result, this cadre views good account maintenance by how long they can stay away from the customer because when they do contact the customer, it only invites a discussion on price.  

Fox in the Henhouse?

The merchant services industry has made a high art of pricing and fee obfuscation.  Very few merchants can decipher their own statements. Some ISOs and their channel allies look at PCI compliance, and non-compliance fees, as an additional revenue source.  Profiting from security concerns, they can charge high-margin fees for network scanning and other "security" services.  

This is the channel that, through complicated statementing and fear-based fees, has pushed card acceptance costs for some merchants past 5% of sales.  

And this is the channel that the industry will be relying on to roll-out EMV terminals and new security services.  ISVs, with their vertical software for merchants of all kinds, will also be responsible for pushing security to the edge of the payment network.

No wonder Square's 2.75%, with its rich software offerings, is making inroads at the POS and generating high decibel buzz and merchant mindshare.

Get With It or Go Away

The merchant services industry has few options.

1. Clean up the Act.  Price transparency matters.  Today's obfuscation makes the price predictability of Square and its like all the more compelling.
2. Sell on Value.  Besides card acceptance, what can be sold to merchants that make the merchant more successful selling?  If the answer's nothing more than card acceptance, maybe it's time to leave the business to those who can.
3. Get Real about Security.  That doesn't mean ripping out every creaky dial-up terminal today.  It does mean getting it into the merchant's mind that enforcement is on the way.  Even if the liability shift date slips (and my guess is that it will) we're at the end of a technology's life.  

None of these steps will be new to the merchant services industry or the ISV community.  Many have been ignoring similar advice for years.  But given their critical role in deploying new terminal technology, where will payment security be if they fail?

Thursday, February 7, 2013

Canada retires the penny

Chicago Tribune - Canada drops penny from its currency [feedly]

Time for the US to follow?

Meanwhile, Remote Mobile Acceptance Continues to Spread

I've got a lot more to write about the Smart Card Alliance 2013 Payments Conference in Salt Lake. (And about Salt Lake, too. It's an intriguing, friendly, and on the downtown streets, very quiet city). 

But before I go there again, literally and figuratively, proof that remote mobile payments are now firmly in the culture was abundantly clear on my taxi ride to Salt Lake City's friendly airport (my best TSA experiences are always in SLC - and I generally loathe the TSA process as pure security theater). 

My driver had a tablet based scheme that he didn't care for. He also uses Square. But his favorite is PayAnywhere because of the fact they actually have real customer service. They call him every two months to see how he's doing. They have phone support. They even answer the phone when he calls. They sent him a 1099 to help him prepare his taxes. The swiper works. He likes the fact that the tip calculator is on the top of the signature screen. The customer adds the tip when she signs for the transaction instead of beforehand like Square. He pays 2.69% v. Square's 2.75% and he gets customer service. 

He wondered how Square could manage without phone support.  

PayAnywhere provides detailed receipts, too, when compared to Square.

PayAnywhere is a registered ISO/MSP for HSBC Bank USA, NA, Buffalo, NY

Wednesday, February 6, 2013

US EMV Pulling out of the Station

At this year's Smart Card Alliance 2013 Payments Summit, at least one thing is clear in this complex US payments environment.  The EMV way of payment device authentication and management is coming to the US.  For years, constituents have been filling the water tanker and the coal car and assembling the passenger and box cars on the track.  At last, there's a head of steam up and the train is in motion.

This is good news for the US payments infrastructure and as Vantiv's Patty Walters eloquently and forcefully put it, "good for our children and grandchildren."  Secure payments is a no-BS, no-kidding component of social and national infrastructure and EMV is a proven method of improving payment security.  

For a country that's been woefully short on infrastructure investment (lights out at the shared national festival of the Super Bowl? Really?!) this is progress.

Steam Train, Amtrak, or Tres Grand Vitesse?

But there are multiple forks and switches in the track ahead and it remains unclear which track the train will take.  

It's also unclear how strong the engine is going to be.  Will we have an out-of-date, steam-powered approach?  EMV's been around for awhile.  Are we going to "rush into the Nineties?" with a single purpose approach?

Will we do a little better but still underinvest to create an Amtrak-like scheme that limps along, serving only a subset of the need?  

Or will we have a high speed system like the French TGV and its feeder rail systems?

EMV is a security platform that can be applied to use cases way beyond the contact-only chip card and its anti-counterfeiting role at the POS or ATM.  That minimal investment approach is advocated by Visa as a way to get things moving.  A number of merchants and MasterCard want EMV's more costly offline capabilities to be employed, for the increasingly rare instances where offline transactions are required during international travel or the even rarer cases when POS networks go down at major retailers because of a fiber cut or a Sandy or Katrina level event.

The TGV solution requires a dual interface card and a contactless acceptance infrastructure.  But now we've doubled the cost from $1 to $2 per card and $50 to $100 per terminal on the bet that merchants will deploy new terminals with contactless capabilities (fairly safe) and that we can develop the business models to encourage use of these cards for authentication in online banking, e-commerce and more as well as payments (not so safe).

The entire industry will be spending billions on deploying EMV into what is the largest card market with the greatest number of POS terminals and transaction points.  It's an ecosystem build out.  But if we take the cheapest, lowest common denominator track, the ROI potential for that investment could be constrained and it will definitely be delayed.  

Perhaps that choice is what's needed to get the train rolling.  Going down the track a ways will teach us a lot about EMV and its potential while we start to decrease the size of what's become the fattest global payments fraud target.  But there'd better be plenty of connections to the high value system ahead or we'll have spent a lot of money and careers-worth of time to manage a counterfeit card problem that has been, for the most part, under control with today's tools.  The fact that today's tools are losing the battle may in fact be the best argument for getting underway.

Here's to building robust infrastructure and here's a shout-out to all those driving to do so.  

For those who were at the session, Walters' remarks about the urgency and importance of making the right choice around EMV deployment was an inspiring moment.  Here's to more such leadership.

A special shout out to Randy Vanderhoof and his team at the SCA, too.  What was a sleepy, preaching to the choir event five years ago has expanded and improved enormously.  Randy's holding the space for the EMV Migration Forum, too.  It's a big important job.  Thanks, Randy.

Sunday, February 3, 2013

The road trip continues. Next stop Salt Lake City

The Smart Card Alliance conference gets started tomorrow.  Looking forward to seeing old friends and getting that dang certification exam over with.