At last! Now we can start building the legacy system

Is recent EMV announcement the catalyst the U.S. needs to catch up?

[From Portals and Rails]

Richard Oliver, Executive Vice President at the Atlanta Fed opened up the Smart Card Alliance Chicago conference with a great talk about the dilemma facing the US payments industry because of the evolution of payments technology. I was really looking forward to hearing Rich talk, for a couple of reasons. First of all, Rich played a big part in Check21, so he understands what it takes to co-ordinate major change across the US payments industry. Secondly, he just co-authored the white paper on mobile payments in the USA that I’ve been reading. He didn’t disappoint.

As an aside, I should say that I thought that the event keynotes worked quite well, and flowed nicely I thought because Rich was looking at the big picture around the US payments industry and then he was followed by Toni Merschen who was looking at the big picture around EMV and then I followed on to talk more specifically about the EMV roadmap through contactless and on to mobile, where I made the point (not exactly new) that the strategy for EMV in the US will depend on mobile, contactless and internet as much as the retail point-of-sale (POS).

Anyway, Rich was looking at the big picture around payments. As he pointed out, payments used to be a rather sleepy segment of financial services, but life is changing. He pointed out that Check21 took six years, Canadian EMV migration took five years, the Single European Payments Area (SEPA) is four years in (and nothing much has happened) but these timescales look absurd to people in the technology sector. This must, it seems to me, mean that the cultural differences between technology businesses and payments businesses will continue to make co-operation difficult.

While organisations in the payment sector are facing a variety of difficult choices in difficult economic circumstances, the sector as a whole is facing a really serious issue about competitiveness. Rich illustrated the dynamics with the case at hand: contact chip and PIN technology. Will the US be late to market and have to change again soon, be addressing a selected subset of the customer base, be betting on near-obsolete (his words, not mine!) technology? Rich called for a new business paradigms. He was illustrating the classic “disruptive innovation” dilemma, whereby companies listening to their existing customers can innovate their way into oblivion, because meeting the requirements of existing stakeholders (e.g., banks, regulators and networks) does not result in new ways to do business. I was thinking about what Rich said in Chicago after seeing the Atlanta Fed’s comment on that announcement about EMV in the USA by Visa (more on this later).

Rich was very funny talking about the great visions from people who have never implemented anything, but was using a few examples to make a general point about the fragmented, pilot-oriented, evolution of new payments before he went on to talk about the Industry Mobile Payments Forum that has been organised by the Boston and Atlanta Feds. The white paper that has come from this Forum (which I intended to blog about, but have still only half-finished the post) introduced the idea of a US mobile framework—that is centred on an open mobile wallet that supports multiple payment credentials in a secure container—and is well worth reading, but perhaps its most useful short term recommendation is that there ought to be a collaborative, neutral forum to address common issues such as standards and business rules. In the UK, this was under the auspices of what was then called APACS (now the UK Payment Administration and related bodies—see my who’s who), but the US doesn’t currently have a similar body and this would seem to be an obvious and sensible step to take.

I noted that Rich also pointed out that the merchants who were members of the IMPF were not against investing in new POS hardware, software and systems (this mirrors my own experiences with clients: merchants like the idea of mobile wallets and are not against spending money on them) but they are not investing at the moment because they don’t see a plausible roadmap from the payments industry and they don’t want to waste money on technology dead ends. He finished up noting that some members of the Forum think that the US should skip the contact chip and PIN step and go straight contactless, that some members want to skip contactless and go straight to mobile and some want to miss it out altogether. Although that might be a plausible strategy in niches, I don’t think it will happen.

One of the key reasons for this is that Visa have just announced that they will require acquirers to support chip and PIN by 1st April 2013 and that they will implement the “liability shift” on 1st October 2015. This means, essentially, that the merchants who don’t take chip and PIN transactions will be liable for fraud on magnetic stripe signature transactions. I’m glad to see that Visa also announced that they would bring the Technology Innovation Programme (TIP) to the USA from 1st October this year, but with an interesting twist.

Visa insists on the rollout of terminals able to support both contact and contactless chip acceptance, including NFC-based mobile payments. In fact, unlike in Europe, only such terminals will qualify for the TIP incentive.

[From Celent Banking Blog » Applauding Visa’s Plans to Accelerate EMV Adoption in the US]

This makes the roadmap I presented in Chicago back in March look even more prescient since, as I said, contactless delivers the rails for mobile to run on. I also made the point about internet authentication and I stand by it: in the medium term, the EMV application in the mobile handset will be used for dynamic authentication on the internet and much as it will be used at the retail POS, making for a convenient common platform for consumers. If issuing banks can co-operate on this, there’s an opportunity to create a standard identity management with two-factor authentication (2FA) scheme—within the NSTIC framework—that would greatly improve the lot of all stakeholders (who wouldn’t want to log on to Facebook securely using their mobile phone?) and raise the bar on internet security substantially.

In summary, what all of this means, I think, is that now that US is on board, EMV is now officially the legacy infrastructure for retail payments and that we can start work on designing its successor.

In England, the phrase “since time immemorial” actually means “since the death of Henry II”, who reformed and unified the English legal system… In our world, “since time immemorial” means “since before the Netscape IPO” (9th August 1995). EMV comes from time immemorial.

[From Digital Money: He’s losing touch, surely?]

Rich was right. These things take time. But the coming era of innovation in payments no longer depends on the payments industry, so the timescales of SEPA and EMV, Check 21 and 3D-Secure will never be seen again. When work started on EMV, the new technology solution was the smart card and business problem was that networks were unreliable and expensive. Now, the new technology solution is the mobile phone and the problem is that no-one (still) knows you’re a dog (or, at least the dog you claim to be). I hope that some of the lessons learned from EMV (for example: never put a PIN into something that isn’t yours)

I don’t have a crystal ball, but if I were to be looking around for the germ of a successor, I might be tempted to look in the direction of NSTIC, because I think that a standardised identification and authentication infrastructure is the natural platform for future payments. Or, to put it another way, identity is the new money.