Black Friday, Cyber Christmas, and a Contact-Free New Year

paper bags near wall

For most of us 2020 isn’t going to be a year to linger fondly in the memory. It’s been a monumental slog in the face of grim news and little cheer but from a payments perspective we’ve seen an unsurprising surge in interest in all things payment related.

People have moved from cash to electronic payments – contactless transaction numbers have soared. People moved from face to face purchases to online. And, there’s been a ton of stress on payment systems as people have demanded refunds for holidays and flights they couldn’t take due to various travel restrictions. It’s been a year like never before.

We can expect this to be exacerbated over what will likely be an extended Black Friday and Christmas holiday shopping period. Online payments are expected to grow even though economies are in recession. For us in Europe it’s the last hurrah before PSD2 requirements on strong customer authentication come into force on January 1st. Merchants and payment companies will be well staffed on News Year Eve as they wait and see how the systems will hold up, and what sort of abandonment figures they’ll see as puzzled customers are presented with confusing authentication screens. We can probably expect a flood of concerned calls about phishing which are actually Strong Customer Authentication requests.

NHS test and trace text messaging scams target vulnerable people

person using smartphone

Here at Consult Hyperion we tend to go on about the lack of a joined up thinking around government policy on digital identity and source authentication but mostly it doesn’t really affect us personally. I mean, we get this stuff, we can spot a scam a mile off. But sometimes it does get a bit close to home…

I discovered today that my frail but still mentally competent parents have been quarantining for the past week, and a bit, because they received an NHS Test and Trace text warning that they’d been in the proximity to someone diagnosed with COVID-19. As they’re in the very high risk category, you can imagine how worried they were. But here’s the thing – they never give their mobile number to anyone and they wouldn’t know how to download an app even if I spent a year explaining it to them. It was a scam – in fact the text deleted itself, but almost certainly it will have contained “more information” link, which would have downloaded malware onto their phone.

Travel Broke and Broken

The ongoing COVID-19 crisis has been ruthlessly exposing fragile business models and weak balance sheets across a whole range of industries but perhaps never more so than in the travel business. In fairness, no one could have anticipated a global, government dictated total shutdown and no business models could ever be flexible enough to support such an improbable scenario. Still, it’s become clear that many travel industry companies are effectively broke and that the payments model they rely on is broken. Going forward we need a better and more sustainable approach to payments in the industry.

Most travel industry payments rely on payments cards so it’s worth starting by recapping on how most card payment models work. When a cardholder makes a payment to a merchant – either in store or, increasingly, on-line, this is routed to the merchant’s card acquirer. The acquirer has a direct relationship with the merchant in the same way that a card issuer has a direct relationship with cardholders and the acquirer will route the payment request to the relevant issuer – usually by sending the request to a payment scheme who uses the card number to identify the correct issuer. If the issuer approves the transaction then the response is routed back through the same path and the purchase completed. This is no different from any other card payment, although there are hidden complexities where the merchant is an online travel agent sourcing flights, hotels, etc from multiple underlying vendors. However, that’s a detail.

Back to the future – QR codes are coming

QR codes are coming

Who’d have thought that the humble barcode – reimagined in 3D – would have posed a genuine threat to the global behemoths that are the international card payments schemes?  And, of all the times, why now? Well, as always, there’s no single answer. We’re seeing multiple trends coalescing to drive uptake of QR code initiated payments, but the announcement by PayPal that they’re rolling their solution out to all CVS stores is perhaps a critical moment:

PayPal and InComm on Thursday (July 30) unveiled a QR code payment system that will enable touchless checkouts by PayPal and Venmo users with their mobile phones at brick-and-mortar stores.

Paypal teams up with CVS to offer touch-free payments

It’s not so much that it makes QR codes mainstream, it’s more that it validates the point that they’re a perfectly viable way of making in-store payments, and then tying it to a e-comm type payment method: now that’s replicable. Four things are coming together to drive the adoption of QR codes:

  1. Smartphones: The widespread availability of smartphones makes them a perfect solution for retail payments. If everyone has one then creating a pervasive alternative to card payments is possible.
  2. Connectivity: In fact it’s not absolutely necessary to always have mobile data connectivity to allow QR code based payments, but I helps managing the risk. And even where mobile data isn’t available a lot of mainstream retail chains are providing in store WiFi or Bluetooth capability.
  3. COVID-19: Suddenly contact-free payments are the way to go – and QR Code initiated payments are a guaranteed way of ensuring that payments can be made without touching merchant equipment.
  4. Integrated retail experiences – “omnichannel”: Merchants with a good omnichannel experience are having a better crisis because the ability to order and pay on one channel and fulfil on another is critical. Increasingly merchant POS estates have API based access to backend systems which can be used to access QR code authorisation or approval channels.

The pay-by-app model, we’ve been touting for years is actually, finally, coming to fruition. Lots of individual merchants – and probably every major supermarket chain in the world – has its own app that allows QR code based payments. Those apps allow a range of other functions to be integrated, including scanning, checkout, automated loyalty redemption and real-time customer data analytics.  The ability to make the customer relationship sticky is attractive and with the average supermarket basket value increasing as customers shop bigger and less often ensuring that you’re the retail destination of choice is critical.

Behind this, however, is another change – and one that the PayPal deal with CVS lays bare. There is nothing that forces one of these QR code initiated payment apps to use payment cards as the means of transaction. Sure, they’ll be there as a backup but any API-based payment solution – and there are hundreds, if not thousands – can be integrated. As direct to account payment APIs, such as the PSD2 payment initiation API that’s mandated in Europe, become more widespread, it will be possible to go direct to the payment account in order to authorise payments.

This trend has other, major implications for other aspects of payments such as settlement and refunds but, as we can see from our own clients, a lot of thought and effort is going into resolving those issues. For retailers who can see lower cost of payments, reduced fraud, significant reductions in the cost of handling chargebacks and faster settlement this is a win-win-win-win situation.

As you might surmise, here at Consult Hyperion, we are heavily involved in all aspects of this change. From helping to develop and secure the apps, to advising on the business and governance models, through to designing and developing the solutions, and providing regulatory advice. We’re leaders in the field. If you’re interested come back to the future with us, QR codes are coming…

No Delay to SCA

Since the FCA announced a further 6 month delay in the UK’s deadline for Strong Customer Authentication there’s been a general expectation that the EBA would follow suit and relax the date for the EEA. However, it now appears that won’t happen – the 31st December 2020 remains the key date and there won’t be any further relaxation in the rules.

This hasn’t been officially announced but appears to have been the gist of a letter by the European Commission’s Executive Vice President Valdis Dombrovskis which makes clear that there’s no consideration in place for a delay and that, in the Commission’s view, the Coronavirus pandemic and the subsequent rise in e-commerce makes it more urgent to implement rather than less. It looks like the Commission is not for turning and with only a little over six months left to be prepared any merchant or payment service provider than hasn’t been planning for this is likely to be in full panic mode.

At one level it’s hard to disagree with the Commission’s position – the deadline has been shifted already from last September in order to accommodate the industry’s inability to implement in time. Although, in fairness, it ought to be noted that original requirements require a degree in semiotics to fully understand and clarifications have been fitful and, on occasion, too late. However, there’s a degree of real-world pragmatism missing from the decision – the last thing the European economy needs right now is an e-commerce cliff edge right in the middle of the busiest shopping period of the year.

The divergence between the UK and Europe also starts to raise some interesting questions. PSD2 applies to countries within the EEA and not to transactions starting or finishing outside – and as of January 1st 2021 the UK will be fully outside. PSD2 will apply within the EEA ex-UK and within the UK ex-Europe but, barring some kind of passporting agreement, not between them. One option for desperate European e-tailers may be to shift operations to the UK where the SCA deadline is a further 9 months away. Of course, the same applies in reverse: logically there ought to be a compromise, but those seem thin on the ground.

Overall, then, the message to all organisations involved in electronic payments is to assume that SCA will be  enforced from January 1st next year and any firm that can’t support it should expect to see transactions declined. Merchants and PSPs may choose or may not be able to handle SCA but issuers will be ready and won’t want to be upsetting the regulators. For any companies out there that don’t know what to do come and talk to us, we can help guide you through the process – first by helping ensure you’re compliant and then by addressing the additional friction that SCA will introduce.

It isn’t too late to do something about SCA but it does very much look like we are at the eleventh hour.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.