Trends & Tactics

 

PayPal (Sort of) Embraces NFC …

 

With rivals like Google Inc., Visa Inc., and Master­Card Inc. having jumped into near-field communication technology, there has been no little speculation in the payments business about when, or whether, PayPal Inc. would take the plunge.

 

Wonder no more. The eBay Inc. unit last month made available an upgraded Android app that includes a widget for person-to-person payments using NFC rather than Bump, the wireless technology PayPal has used since last year.

 

The launch represents PayPal’s first live product based on NFC, a short-range communication protocol that has been adopted by Google for its Google Wallet rollout as well as by the nation’s biggest wireless carriers in a joint venture called Isis. MasterCard and Visa are both participating in the Isis wallet, and Visa is developing its own wallet product, which is expected to come to market early next year. Last month, the network opened the wallet to outside developers.

 

But industry observers who are trying to read any larger NFC plans into PayPal’s launch can put the tea leaves away. While the new widget exploits cloud-based payment credentials for users rather than a secure element in the phone, a PayPal spokesman says the product does not indicate how the company might deploy NFC in the future—or even whether it is committed to NFC. “What we’re not doing is betting the farm on any one technology,” he says.

 

The “Request Money” feature, part of what is now version 3.0 of the free PayPal Android app, works on any handset that supports NFC and Google’s Android operating system. Right now, that’s a pretty limited range of devices, embracing about half a dozen models including the Google Nexus and some versions of the Samsung Galaxy S II.

 

But the range of available phones could have been even narrower. By deploying the so-called peer-to-peer mode of NFC, PayPal avoids the need for a secure element, a chip embedded in a handset to lock down payment credentials. That widens the range of NFC phones beyond the Nexus device, which is just about the only smart phone that has the chip.

 

To use the widget, one user enters a requested sum of money, then taps his phone on the other user’s device. That transmits the request to the other phone, whose owner completes the transaction by entering a password.

 

The service resembles a feature called Bump, which PayPal licenses from Mountain View, Calif.-based Bump Technologies to allow users to exchange funds by tapping phones. Unlike NFC, which relies on radio waves to make connections between devices, Bump uses sensors built into smart phones to detect touches. But PayPal says NFC is more streamlined. NFC “is a very fast, reliable connection,” says the spokesman. “NFC in our initial tests does seem to be a little faster than Bump.”

 

Besides each having an NFC-equipped phone, users of the widget must also each have a PayPal account. Payments are free if funded by the sender’s bank or PayPal account. Fees apply only if the sender funds his transfer with a credit card, the spokesman says.

 

While PayPal may not be tipping its hand about whether it is now leaning toward cloud-based NFC, some observers argue this is a direction other providers could follow now that PayPal has introduced its widget. “This is a big, big indicator of the future. There will be more [cloud] applications,” says Todd Ablowitz, president of Double Diamond Group LLC, a Centennial, Colo.-based consulting firm.

 

PayPal, meanwhile, is rapidly penetrating the nascent market for mobile transactions. It recently projected it will process $3.5 billion in mobile payments this year, which means it will have quintupled its volume both this year and last.

 

 

 

… While Square Opens Some Tabs …

 

Square Inc., which made a splash two years ago when it introduced a reader that attaches to a smart phone to let individuals take card payments, made another splash in May when it launched a wallet application called Card Case. That’s a service that lets users walk into a store and use a smart phone to link to the merchant’s Square account to buy merchandise. Square calls this linkage “opening a tab.”

 

Now the San Francisco startup says you can leave the phone in your pocket and still walk out of the store with your goods.

 

Last month, it introduced an en-hancement to Card Case that detects when a user is near a participating store and automatically opens a tab. By relying on this method, the user can walk in, give his name, say he’s buying with Square, and make his purchase.

 

The enhancement brings Card Case in line with what appears to be a nascent trend toward hands-free in-store payment technology. PayPal Inc. in October unveiled a service it calls Empty Hands, which it plans to launch early next year. It will allow PayPal account holders to access their digital wallets by entering a phone number and a PIN in a store’s point-of-sale terminal.

 

The new Card Case app works for now only with Apple Inc.s iPhone 4 and iPhone 4S, though Square plans to launch an Android version later, according to an account in the San Jose Mercury News. Square did not return a call from Digital Transactions seeking comment.

 

The app relies on a new geo-location feature in iOS 5, the recently introduced operating-system upgrade for Apple mobile devices. The feature detects when users are within 100 meters, or about 328 feet, of a Square merchant location, triggering the app to open a tab with that merchant. In case you’re wondering, the feature works only if users enable it.

 

As with the original Card Case application, a clerk inside the store can bring up a screen showing the user’s photo as authentication. The user gives his name, and the transaction is charged to the card he has linked to his Square account. The user then receives a text receipt. Square has signed up 20,000 merchants so far to accept Card Case, according to the newspaper account.

 

While Card Case transactions are considered card-not-present payments, which carry higher interchange than card-present transactions and so are more costly for merchants, most sellers aren’t likely to let that bother them, says Russ Jones, a partner at Glenbrook Partners, a payments consultancy in Menlo Park, Calif.

 

“The merchants doing this are selling modest-cost things,” says Jones. “There’s just pennies of difference between card-present and card-not-present. I think the merchant would be delighted to pay that to get more sales. The bagel guy is trying to sell you a bagel. He’s not trying to minimize his payment-acceptance costs.”

 

The Card Case enhancement is the latest in a string of changes and announcements Square has released in recent months. Last month, cofounder Jack Dorsey, celebrated as the co-founder of Twitter, said the service was processing as much as $11 million a day, up from $4 million in July.

 

Square also announced it now has more than 800,000 merchants using its original product, a dongle that attaches to a smart phone through the device’s ear jack and allows merchants and individuals to swipe cards for payment. And it introduced features that let Square merchants create custom loyalty programs and link to their receipt printers and cash drawers.

 

Earlier, the company said it was eliminating holds on funds for new merchants and was crediting their accounts the ncxt business day. Square also eliminated its signature requirement for transactions under $25 and simplified its checkout process for phones running iOS, so that transactions take as little as four seconds.

 

Jones says Square, often dismissed by some observers as the beneficiary of the Silicon Valley buzz surrounding Dorsey, has begun to make its mark in payments. “It’s buzz, but there’s something also tangible about Square,” he says. “I’m amazed at the number of places taking cards using Square. It’s not a lot different from where PayPal was a year into their ramp-up.”

 

 

 

… And Apple (As Usual) Goes Its Own Way

 

Talk about speculation. Tightlipped Apple Inc., which has not said anything publicly about its plans in payments, whatever they may be, has nonetheless sparked plenty of talk in the industry. Observers expect to see near-field communication (NFC) capability with each new iPhone release. And some Apple patent filings that came to light last year and that involve NFC applications added fuel to the speculative frenzy.

 

One reason Apple is at the center of so much talk is iTunes, its slick online-payment system that lets some 225 million registered users buy digital goods with a password and user name linked to a credit card. When it comes to digital wallets, they don’t get much bigger than this.

 

And last month, Apple brought iTunes to the brick-and-mortar world with the introduction of EasyPay. This self-service feature, technically part of the upgraded Apple Store app, allows iPhone users to walk into an Apple store, take an item off the rack, scan its bar code, enter an Apple ID and three-digit card-verification value to make payment, and walk out—all without dealing with a sales clerk. The app then stores an electronic receipt in an EasyPay folder.

 

There are some restrictions. The service works only with the iPhone 4 and 4S models. Older versions won’t fly. And, to help control losses to theft, only low-end merchandise—think iPhone cases, AC adapters, car chargers—is eligible for EasyPay. Also, again to put a lid on theft, items must be rung up one at a time. And users must either have the credit card with them that is linked to their iTunes account, or must have memorized its CVV.

 

Some observers have said EasyPay is a great feature for users in a crowded store where it’s hard to get a clerk’s attention, but if things are slow, or if a customer has picked up a lot of items, users might be better off button-holing a clerk. And, while Apple Store folks say they have security systems in place, without for obvious reasons going into details, there might not be much to stop someone from pretending to pay and then walking out with ill-gotten goods.

 

There can also be unexpected glitches. One blogger noted he was able to open the Apple Store app but couldn’t find the EasyPay feature. He enlisted several sales clerks to help him work on the problem but they couldn’t bring up EasyPay on his phone, either.

 

But one of them was able to trigger the feature on her own phone, and that led them to the solution: The blogger had disabled the location services on his phone to conserve battery power. EasyPay needs these services to detect which store the user is in so it can calculate sales tax. With these enabled, the transaction proceeded.

 

Still, EasyPay is a streamlined, easy-to-use mobile-payments system that requires no hardware upgrades at the store, something that can’t be said for near-field communication (NFC) or much other mobile-payment tech.

 

Whether Apple might take the system to other merchants, or whether indeed it is even available yet in all of the company’s 245 U.S. stores, is hard to say. The company did not return a call from Digital Transactions.

 

But some observers wouldn’t be surprised if Apple continued to implement home-grown technology. “Apple might bypass NFC, for all its warts. Bar codes you can do in-house, on us,” notes Steve Mott, principal of Stamford, Conn.-based consultancy BetterBuyDesign (for more of Steve’s take on the current mobile-wallet landscape, see page 23).

 

Apple’s accustomed reticence will no doubt fuel yet more speculation about its plans in payments. But for now, what’s above the surface and visible to the world may be sufficient for Apple, whether there’s much below the surface or not.

 

 

 

Don’t Know Much About PCI

 

It’s the elephant in the room when it comes to payments fraud: Just how secure are the card data small merchants deal with every day? One way of getting at the question is to find out how many Mom-and-Pops comply with the Payment Card Industry data-security standard (PCI).

 

Trouble is, years after that set of requirements was introduced, nearly half of small-fry merchants have never heard of PCI, let alone complied with it.

 

Specifically, a recent survey found that some 53% of small merchants are now at least aware of PCI, a small increase from the 47% a similar survey found in 2010. “Awareness of the PCI DSS is shockingly low” among these merchants, concludes the report, which was co-sponsored by Alpharetta, Ga.-based security-solutions vendor ConrolScan Inc. and Merchant Warehouse, a Boston-based independent sales organization.

 

PCI compliance among so-called Level 4 merchants (those that process, per year, 1 million or fewer brick-and-mortar Visa transactions or fewer than 20,000 Visa e-commerce transactions) has been a concern for some time. In part this is because these merchants are considered more vulnerable to compromise. And in part it’s because Visa Inc., which tracks compliance with the security standard, doesn’t measure compliance among Level 4 merchants as precisely as it does among larger merchants.

 

Even so, the scant progress among small merchants since ControlScan and MerchantWarehouse issued their last study a year ago magnifies that concern. “It’s a wakeup call,” says Heather Foster, vice president of marketing at ControlScan. “There’s still a lot of work to be done.”

 

Compounding matters is that small merchants remain nonchalant about their chances of sustaining a data breach. Some 83% of surveyed Level 4 merchants rate their risk of a breach as either low or nonexistent. This perception is “misguided,” the report’s sponsors say, citing small merchants’ greater vulnerability compared to larger businesses.

 

The reason for this false sense of security is that “many think they’re too small for anybody to care about,” says Foster. Yet breaches among small merchants are on the rise because fraudsters find them to be easier targets than larger businesses with more resources to guard data.

 

Small businesses “are worried about making that pizza dough or paying that light bill” rather than installing security technology, says Markiyan Malko, PCI security compliance officer and program manager at Merchant Warehouse.

 

Foster and Malko add that anywhere from 70% to 80% of small merchants are still using dial-up point-of-sale terminals, which are not connected to the Internet and so may give proprietors a sense of security compared to more advanced, Internet-linked devices.

 

But these merchants are still vulnerable to compromises, they point out. For example, using dial-up terminals “doesn’t mean someone you’ve hired isn’t selling credit card data,” says Malko. Indeed, the report found 18% of respondents named “insiders,” or employees, as a greater security threat than hackers (“outsiders”).

 

The larger the business, the bigger the insider threat becomes as proprietors find they must share more responsibility with persons who aren’t family members or other trusted associates.

 

There are some positive results in this year’s survey. Some 60% of merchants aware of PCI correctly say the standard is mandatory, up from half in last year’s study. E-commerce merchants (68%) and larger small merchants (82% of those with 51 or more employees) were most likely to regard PCI as mandatory.

 

Also, 57% of those small merchants aware of PCI say they have validated compliance, up from 47% last year. Among those that have not gone through validation, “don’t understand” is the most frequently cited reason (61%). “This is an unabashed cry for help to the industry,” notes the report.

 

Malko and Foster say ISOs and merchant processors can help small merchants most by playing an educational and advisory role. Most important, they say, is to address PCI upfront, in the first conversation with a merchant prospect. This not only informs merchants, it avoids unpleasant consequences later on, they say. “It adds friction to the sales cycle,” Malko concedes, but “a merchant seeing [an unexpected] PCI fee on his statement four months later creates a negative customer experience.”

 

Nor should ISOs leave this “extra step” to third parties, who might call later to discuss PCI and the fee, Malko cautions. Most merchants won’t recognize the caller and so won’t take the call or understand what the caller is talking about, he says.

 

For this year’s report, entitled, “A Perfect Storm of Complacency,” researchers canvassed Level 4 merchants in August and received responses from 621. Forty-two percent were brick-and-mortar merchants, 15% were e-commerce sellers, and the remainder were multichannel businesses.

 

 

 

Correction

 

Because of a mathematical error, the values that appear below two of the headings in the chart headlined “Small-Ticket Debit Interchange, Pre- and Post-Durbin” on page 32 of the November issue are incorrect. The correct figures, for the $2 and $10 scenarios respectively, are 22.1 cents and 22.5 cents under “Revenue, Fed Rate,” and 211% and 15% under “Change.”