With non-stop data breaches and the coming of EMV chip cards, virtual currency, and mobile wallets, payments seemed to be all over the news in 2014. Here’s our annual review of the top issues in electronic payments. They all defy a soundbite solution.
Heading toward its close, 2014 seemed to be the year of the dinosaur— as in the outmoded creature whose days were ended in the flash of a mighty asteroid strike.
Over and over again, the entities that clung to plastic cards with mag stripes, to slow-mo settlement processes, to old-fashioned price-based acquiring, seemed to be the ones caught flat-footed by explosive trends like EMV and mobile wallets, faster settlement, and cryptocurrencies. Indeed, it was a year of asteroids as much as it was a year of dinosaurs.
The vulnerability of plastic cards was never more dramatically displayed than in 2014. With Target Corp.’s massive payment card data breach making headlines as the year opened and an even bigger one at Home Depot revealed as autumn took hold—and with a steady stream of smaller breaches in between—Americans were constantly reminded of the insecurity of their magnetic-stripe credit and debit cards.
The breaches introduced millions to the acronym “EMV,” for Europay-MasterCard-Visa chip cards, and alerted consumers to the fact that their familiar routines of paying with plastic would be changing soon.
Virtual currencies were constantly in the news, too. Mobile wallets, meanwhile, seemed to be languishing until Apple Inc. unveiled Apple Pay. Withered hopes for the mobile wallet suddenly revived, even though it’s way too soon to judge Apple Pay’s performance.
The U.S. Department of Justice with its controversial Operation Choke Point also grabbed headlines in the mainstream media. Should government, in its quest to thwart fraud on consumers, deputize processors to deny access to electronic payment services to merchants the authorities deem suspect? Critics claimed the feds want to deny payments access to entire categories of ostensibly legal but disfavored merchants.
Payments executives are busying themselves with many other issues too. Discussion of tokenization of sensitive card data ramped up during the conversations about EMV and mobile wallets, but beyond technology is an old issue: control. Who gets to call the shots on specs and standards, and to what degree should the various tribes in the payments nation cooperate on tokenization?
How to make automated clearing house payments faster generated earnest debate at numerous industry conferences. Old-fashioned independent sales organizations found their tried-and-true business model under threat from a new breed of tech-oriented ISOs. Some merchant processors also perceived that Amazon.com Inc., which continues its expansion beyond the fringes of online retailing, might undermine their traditional practices.
Electronic payments continue to grow, although last year’s transaction growth was ho-hum following a revved-up 2012. Digital Transactions estimates card, ACH, and related payment transactions totaled 121.4 billion in 2013, up 2% from 119 billion in 2012. The seven-year average average annual rate of growth since 2006 is 5.71%.
What follows is the essence of the aforementioned issues, and how payments executives are hunting for substantive versus soundbite solutions.
1. The Tokenization Tussle
What do tokens, or digital replacements for sensitive payment account information, particularly the primary payment card number (PAN), have in common with interchange and other fees linked to credit and debit cards? Easy: Tokens, like transaction pricing, have become a battleground between competing interests in the payments industry.
For example, models under development include those from EMVCo, which is controlled by the major payment card networks, and The Clearing House, which is controlled by banks. Other proposals have come from the PCI Security Standards Council and the Accredited Standards Committee X9.
While there are plenty of technical matters to be settled, one of the hottest issues under debate is the use of static and dynamic tokens. Static tokens are easier to implement, but dynamic, or one-time-use tokens, offer even more security because they change with each transaction.
Meanwhile, some payments executives fear Visa and MasterCard are using closed token standards to extend the domination they enjoy in the magnetic-stripe card world into the emerging realms of Europay-MasterCard-Visa (EMV) chip cards and mobile payments. Others worry that separate groups are developing standards without enough back-and-forth among prospective token users and token originators.
In late July, several major merchant trade groups called for an open approach to tokenization, as did the Secure Remote Payments Council (SRPc), which represents debit networks. The Mobile Payments Industry Workgroup (MPIW), a group formed under the auspices of the Federal Reserve banks of Boston and Atlanta and which includes payments executives, also urged the industry to find common ground on tokenization.
2. Can Apple Revive Mobile Wallets’ Sagging Prospects?
The mobile wallet, a deceptively simple concept in which a smart-phone or tablet-computer application holds access to whatever credit and debit cards and loyalty programs a consumer loads into it, has proven exceedingly difficult to implement for some of the nation’s most techno-savvy firms. Few consumers have seen a need for mobile wallets, and the buy-in wallet providers need from telecommunications companies, merchants or other supporting players sometimes hasn’t come.
Google Inc. was forced to do a major retrofit of its Google Wallet, which is based on near-field communication (NFC) technology. Square Inc. canned its Square Wallet for a more modest app called Square Order. The telco-backed, NFC-based Isis mobile wallet recently was forced into an unplanned rebranding—new name “Softcard”—in order to avoid association with a beheading-prone Middle Eastern militant group using “Isis” as one of its English acronyms. Two rare large-scale successes in mobile wallets belong to PayPal Inc. and Starbucks Corp. with its closed-loop wallet.
But the mobile wallet’s flagging fortunes seemed to reverse on Sept. 9, when Apple Inc. confirmed persistent rumors that it would enter the payments space. Apple unveiled its Apple Pay service for the new iPhone 6, a wallet that draws on the phone’s first-ever NFC antenna and Touch ID app for a double layer of security as well as high-speed transactions at contactless terminals.
Now, there’s no guarantee Apple Pay will succeed. Apple Pay doesn’t have any upfront incentives for either consumers or merchants, and card issuers will be paying fees to Apple. Currently only 220,000 out of about 8 million U.S. merchant locations can accept contactless payments.
On the other hand, while Apple has its critics, few would argue its marketing competence. The company, which has hundreds of millions of iTunes accounts that can be marshaled for use with Apple Pay, sold 10 million iPhone 6s the first weekend the device was available. Plus, the winds will be at Apple Pay’s back as the U.S. begins converting to the Europay-MasterCard-Visa (EMV) chip card standard, which will simultaneously bring the capability for NFC transactions to millions of newly installed point-of-sale terminals. If an NFC-based mobile wallet from Apple can’t succeed, it’s hard to think anyone else’s will.
3. Choking on Operation Choke Point
Federal financial-services industry overseers continue to champion Operation Choke Point, an effort to ferret out merchants that wrongfully collect electronic payments by targeting processors that enable their access to payment networks.
Payments companies are paying keen attention to the program. Acquirers cut off 10,000 fraudulent merchant accounts in 2013, the Electronic Transactions Association said. Erring on the side of caution to avoid regulatory scrutiny, sponsor banks are asking their independent sales organizations to take a closer look at some merchants and cancel their merchant accounts if there are any potential problems, according to Greg Cohen, until last month chief revenue and strategy officer at Merchant Warehouse, a Boston-based ISO and payment and customer-loyalty technology provider for merchants.
“What we have noticed is that our sponsors … have added to the merchant types that they have asked us to de-market,” said Cohen, who is a member of the ETA’s board of directors. “It probably has increased over what we’ve de-marketed over the past year.”
The Department of Justice, however, says its goal is specific, and not a blanket attack on payment providers. “Our policy is to investigate specific conduct, based on evidence that consumers are being defrauded—not to target whole industries or businesses acting lawfully, and to follow the facts wherever they lead us, in accordance with the law, regardless of the type of business involved,” Stuart F. Delery, assistant attorney general in the DoJ’s Civil Division, said in written testimony to a House subcommittee.
U.S. Attorney General Eric Holder even posted a video on the DoJ Web site supporting Operation Choke Point. He outlined the rationale for targeting banks and third-party payment processors. “But the fraudsters can’t act alone,” Holder said. “In many cases they need access to the banking system to pilfer money from their victims. They frequently use third-party payment processors as intermediaries to route payments through financial institutions.”
4. Will Anything Stop Data Breaches?
It used to be that data breaches were seemingly rare (although many escaped public notice before passage of 40-plus state notification laws) but certainly appalling events. That’s all changed. A recent study by the Ponemon Institute and sponsored by Experian plc found that 43% of companies of all types surveyed had been breached, up 10% from 2013.
The headlines in recent months have told of not one but two payment card compromises at Supervalu and Albertson’s supermarkets, with damages under investigation. There was Home Depot’s breach, 56 million cards exposed; point-of-sale systems compromised at 216 stores of sandwich chain Jimmy John’s, card implications still being assessed; Kmart and P.F. Chang’s, effects undetermined; Michael’s, about 3 million cards; and Neiman Marcus, a mere 1.1 million cards. And who can forget Target, with 40 million cards and non-card data on 70 million customers exposed.
Even giant banks are not immune. JPMorgan Chase & Co. in October said a summer cyberattack exposed names, phone numbers and email information on 76 million consumers and 7 million small businesses, but apparently not account numbers, passwords, or user IDs.
The technology and know-how to prevent or at least greatly mitigate data breaches exists. Every breach since 2006 has happened while the card networks’ Payment Card Industry data-security standard (PCI) has been in force. But many merchants detest PCI’s long list of dos-and-don’ts, and consequently don’t give security matters enough attention.
Some, like Target, have not locked down their computer systems tightly enough to thwart hackers from finding an obscure backdoor through which they can plant malware that captures and exports card data. Too many third-party vendors that handle card data for merchants ignore some of PCI’s simplest precepts, such as not using default or easily guessed passwords.
The pending conversion of U.S. cards from the vulnerable magnetic stripe to the Europay-MasterCard-Visa (EMV) chip card standard promises to greatly reduce counterfeit fraud at brick-and-mortar stores, but EMV has no special protections for online payments. End-to-end data encryption and the coming of tokenization along with EMV, which will mask real account numbers with digital strings useless to hackers, offers hope, as does biometrics. Apple Inc.’s new Apple Pay mobile-payments service will employ not just tokens, but also Apple’s Touch ID fingerprint technology.
But Apple Pay, like much new security technology, has yet to be proven in the mass market. Forward thinkers say that if ironclad security is the goal, the payments industry should look to the new cryptocurrencies such as Bitcoin and its cohorts. Those systems, however, would require expensive changes in payments infrastructure as well as massive consumer re-education.
Bottom line: We’ll be living with data compromises for a while yet.
5. EMV’s Race Against the Clock
The U.S. payments-industry transformation from reliance on magnetic-stripe cards to using chips is well under way, with merchants, issuers, and consumers preparing to join acquirers and processors in ushering in mass acceptance. The great unanswered question: How many companies will be ready for chip cards by October 2015, when the networks will start assigning liability for counterfeit card transactions to the entity that isn’t prepared to support the Europay-MasterCard-Visa (EMV) standard?
Acquirers and processors generally are ready for transactions using the EMV technology that requires cards to be dipped into a reader rather than swiped. The technology should help prevent counterfeit card transactions at the point of sale.
More than 100 million EMV payments cards will be issued by the end of 2014, forecasts the EMV Migration Forum, an affiliate of the Smart Card Alliance. The forum also says 4.5 million EMV-capable POS terminals will be installed by then. Both figures are expected to grow in anticipation of the October 2015 liability shift for non-EMV transactions. Rumors of a delay in the liability shift were quelled following the Target Corp. POS system breach.
Much hinges on merchant uptake of EMV-capable POS terminals. It will not be a uniform adoption across all merchant categories and sizes. Factors such as what kind of merchandise the retailer sells, how well the merchant knows his customers, how much recurrent business the merchant gets, how much counterfeit fraud the merchant sustains, how many locations the retailer maintains in areas where banks are issuing the most EMV cards, and what type of point-of-sale configuration the retailer is using, will be vital.
Merchants that sell goods that can be readily converted into cash—jewelry and electronics, for example—should be lining up for EMV because of their susceptibility to fraud. Other considerations are how many chargebacks based on counterfeit codes merchants receive annually and whether they operate in markets where banks are early issuers of chip cards, which is likely to increase local customer expectations for the new plastic.
6. Meet the Value-Added Reseller
As if the merchant-acquiring business weren’t competitive enough for independent sales organizations, point-of-sale technology resellers now loom large not only as trusted advisors to merchants, but in some cases as direct competitors to ISOs.
Indeed, how ISOs can work with value-added resellers—or VARs—is a question that is likely to remain open for some time. Sensing opportunity, some merchant processors are shelling out big bucks to acquire ISOs that can work with VARs. Witness the $1.65 billion deal Vantiv Inc. made this spring for Mercury Payment Systems, a multiple of nearly 18 times Mercury’s earnings.
Increasingly, the equipment and software VARs install for merchants includes payment acceptance—terminals, tablets, PIN pads, and readers for Europay-MasterCard-Visa (EMV) and contactless transactions. VARs often specialize in business-management equipment and solutions for a particular “vertical” market, such as law offices or small restaurants. In some cases, VARs work with ISOs by referring the payment-acceptance piece of the business to them. In others, the VAR itself has become the ISO.
Both cases can present opportunities and headaches for traditional ISOs. The opportunity is obvious—a chance to ride on a sale made by another party that the merchant knows and trusts, and whose referral the merchant is likely to follow through on. The headache is equally obvious—VARs that set up as ISOs can take for themselves prospective business traditional ISOs might have had. Even in cases of collaboration, the VAR is likely to have the upper hand, giving it the right to extract concessions in return for the referral.
Smart ISOs will figure out how to work with VARs to the benefit of both parties.
7. Look Who’s Coming to the Point of Sale
Once an online merchant only, albeit a dominant one, Amazon.com Inc. moved to the physical point of sale in August with Amazon Local Register, a payment service that lets merchants use a tablet or smart phone to ring up sales and view data on sales.
Amazon thus has joined a long line of technology companies that have jumped into this market, including Square Inc., PayPal Inc., and Groupon Inc., not to mention merchant processors like First Data Corp.
That alone makes the business more competitive, potentially keeping a lid on pricing. And with Amazon’s famed indifference to profits, the new service could keep pricing down for some time.
Local Register transactions are already cut-rate. On Visa Inc., MasterCard Inc., Discover Financial Services, and American Express Co. credit and debit cards, payments are priced at 2.5% for swiped transactions (1.75% through 2015 under a recent promotion), 2.75% for those manually entered. That undercuts Square, which charges 2.75% and 3.5% plus 15 cents, respectively. Amazon is the merchant of record for Local Register clients.
Some observers add that Amazon later could funnel its own orders to Local Register merchants, picking up local distribution in the process. That’s a move most payments providers would find it hard to compete with. The service works on the iPhone 4 and newer smart phones from Apple Inc., three Samsung smart phones that use Google Inc.’s Android operating system, and Apple’s iPad and iPad Mini tablets, in addition to Amazon’s own Kindle Fire HD and HDX tablets.
Amazon’s Achilles’ Heel is the alleged distrust most online merchants entertain toward it as a competing merchant. While that sentiment may be real, it could be a mistake to rely on it too heavily in the case of the company’s tablet entry, which after all is aimed at brick-and-mortar sellers.
8. If at First You Don’t Succeed…
NACHA, the organization that regulates the automated clearing house network, is trying again to introduce same-day settlement. The latest proposal, which it floated in March, is not likely to come up for a membership vote until early next year at the earliest.
Same-day proponents, many of whom would really like to see things speeded up to near real time, hope this proposal fares better than its predecessor, which was shot down in a NACHA membership vote in August 2012. While those in favor won a majority, the margin wasn’t big enough to carry the day against opposition from big banks that feared faster settlement would ravage their wire business.
ACH transactions typically take two days to clear and settle, an interval may experts and payments startups argue is woefully slow for a consumer and business market accustomed to faster results in everything from shipping times to online search results. Also, other countries have already moved to speed up settlement times.
The latest same-day ACH concept differs in two key respects from the proposed rule that fell short of passage in 2012: it would be phased in over time and it would offer two settlement windows, rather than just one. Like that 2012 proposal, however, the new one would make same-day settlement mandatory for all receiving financial institutions—the banks and credit unions that act as counterparties to the institutions that originate transactions on behalf of persons and businesses.
Even if the proposal ultimately becomes a NACHA rule, it could present fresh complications for banks. Perhaps the trickiest part of the proposal is the idea of multiple same-day settlement times, one in the morning and one in the afternoon.
The phase-in calls for ACH credits to be subject to same-day settlement first, followed by debits at a later point. Credits are often used for payroll, person-to-person payments, and expedited bill payments; debits for utility, mortgage, and credit card payments.
NACHA argues that while the effort for financial institutions will be considerable, it will be worthwhile. Unlike real-time messaging, which doesn’t involve the actual transit of money, same-day ACH will offer actual faster payments, the organization says.
9. The Real Issues Surrounding Virtual Currencies
Digital currencies are on a streak to gain legitimacy with merchants, consumers, and the payments industry. To the extent they become established, they pose a threat to acquirers’ traditional, card-based revenue streams and invite the attention of wary regulators.
That hasn’t scared off some processors, retailers, and investors. Most recently, PayPal Inc.’s Braintree affiliate opted to accept Bitcoin, the most popular incarnation of digital currency. Merchants using Braintree’s new v.zero software development kit will be able to accept Bitcoin by opening an account with Coinbase Inc., a San Francisco-based startup that processes Bitcoin transactions for merchants and also provides Bitcoin wallets for consumers.
Square Inc. announced earlier in the year its Square Market online marketplace also would accept Bitcoin transactions. E-retailer Bitcoin Shop Inc. debuted in September and only accepts digital currencies, including Bitcoin, Litecoin, and Dogecoin. The Web site operates as an online marketplace much as eBay Inc. and Amazon.com Inc. do.
Bitcoin also has attracted the attention of investors, like venture capitalist Timothy Draper, who bought nearly 30,000 Bitcoins auctioned by the U.S. Marshals Service with the intent of using them to start a Bitcoin trading platform. Such systems are necessary for the value of Bitcoin to grow.
Bitcoin even found favor with Apple Inc. when it allowed Bitcoin wallet apps back into its App Store.
10. The Painful Sales Adjustment
Finding and recruiting top-performing salespeople for merchant acceptance always has challenges because so many companies seek them. Compounding this is the incessant pace of change in merchant services and its accompanying technology.
Independent sales organizations and acquirers now look for salespeople who can sell more than a basic point-of-sale terminal, who have the insight to explain how a tablet-based POS system can help a merchant retain customers, or how to start a sales call with something other than price.
Already on the path to retirement, the selling-on-rate-alone strategy is being quickly displaced with another one that requires greater sophistication on the part of a merchant-services company and its salespeople. It’s one that may endear the small-business owner to the MSP, and one, in the long run, that may have a positive impact on that old bugaboo—attrition. Why is this happening?
Small-business owners want more tools to grow their businesses, and the advent of tablets and smart phones is empowering that demand. Smaller businesses are thinking more and more about ways to better understand their customers. In turn, that is altering how they regard payments. With valuable data tied to the transaction, such as size and frequency of purchase, merchants want tools that let them use that information to learn more about their consumers.
It’s not enough to talk to merchants just about a product, such as a payment terminal. Now agents must focus on business solutions that encompass software and hardware that aid merchant sales.
That’s a winning strategy, but one that’s not easy to master.