Early on in the pandemic my colleagues at Consult Hyperion and I did a lot of research to explore how it might impact our customers and our customers’ customers, just as I am sure every other organisation in the payments sector did. We looked at a lot of speculative forecasts, we looked at research and analysis from quite a wide range of organisations in the financial sector and beyond, we spoke to a number of people in the industry and we took part in a fair few discussions and debates on the topic. As a result of this, we identified a number of strategic areas where stakeholders in the payment space should be developing or at least preparing their strategies and where they should be planning for some changes to take them through and beyond the COVID-19 crisis.
The ongoing COVID-19 crisis has been ruthlessly exposing fragile business models and weak balance sheets across a whole range of industries but perhaps never more so than in the travel business. In fairness, no one could have anticipated a global, government dictated total shutdown and no business models could ever be flexible enough to support such an improbable scenario. Still, it’s become clear that many travel industry companies are effectively broke and that the payments model they rely on is broken. Going forward we need a better and more sustainable approach to payments in the industry.
Most travel industry payments rely on payments cards so it’s worth starting by recapping on how most card payment models work. When a cardholder makes a payment to a merchant – either in store or, increasingly, on-line, this is routed to the merchant’s card acquirer. The acquirer has a direct relationship with the merchant in the same way that a card issuer has a direct relationship with cardholders and the acquirer will route the payment request to the relevant issuer – usually by sending the request to a payment scheme who uses the card number to identify the correct issuer. If the issuer approves the transaction then the response is routed back through the same path and the purchase completed. This is no different from any other card payment, although there are hidden complexities where the merchant is an online travel agent sourcing flights, hotels, etc from multiple underlying vendors. However, that’s a detail.
Using mobile devices for securing payments has been, and continues to be, a key area of interest for Consult Hyperion and our customers. We have helped many of our clients in this space from: providing advice on the market landscape, advising on security, testing security, developing security architectures, and building solutions. Apple’s purchase of Mobeewave a couple of weeks ago has caught our, and everyone else’s, attention. This gives us some time to reflect on this and consider what it means for the SoftPOS industry and ecosystems.
The pandemic has revised interest in a topic that has surfaced repeatedly in Tomorrow’s Transactions events over the years, and that is the issue of local and complementary currencies. The Bristol Pound, the Brixton Pound, the Lewes Pound and many other experiments have sprung up around the country (indeed, around the world) to try to stimulate and regenerate local and regional trade and prosperity in response the changing economic circumstances. We tend to think of currencies as being instruments of the nation state but that’s actually a recent invention in the great scheme of things. There’s no reason to see optimal currency areas as inviolable laws of nature rather than transitional borders under prevailing monetary and financial arrangements.
Who’d have thought that the humble barcode – reimagined in 3D – would have posed a genuine threat to the global behemoths that are the international card payments schemes? And, of all the times, why now? Well, as always, there’s no single answer. We’re seeing multiple trends coalescing to drive uptake of QR code initiated payments, but the announcement by PayPal that they’re rolling their solution out to all CVS stores is perhaps a critical moment:
PayPal and InComm on Thursday (July 30) unveiled a QR code payment system that will enable touchless checkouts by PayPal and Venmo users with their mobile phones at brick-and-mortar stores.
It’s not so much that it makes QR codes mainstream, it’s more that it validates the point that they’re a perfectly viable way of making in-store payments, and then tying it to a e-comm type payment method: now that’s replicable. Four things are coming together to drive the adoption of QR codes:
- Smartphones: The widespread availability of smartphones makes them a perfect solution for retail payments. If everyone has one then creating a pervasive alternative to card payments is possible.
- Connectivity: In fact it’s not absolutely necessary to always have mobile data connectivity to allow QR code based payments, but I helps managing the risk. And even where mobile data isn’t available a lot of mainstream retail chains are providing in store WiFi or Bluetooth capability.
- COVID-19: Suddenly contact-free payments are the way to go – and QR Code initiated payments are a guaranteed way of ensuring that payments can be made without touching merchant equipment.
- Integrated retail experiences – “omnichannel”: Merchants with a good omnichannel experience are having a better crisis because the ability to order and pay on one channel and fulfil on another is critical. Increasingly merchant POS estates have API based access to backend systems which can be used to access QR code authorisation or approval channels.
The pay-by-app model, we’ve been touting for years is actually, finally, coming to fruition. Lots of individual merchants – and probably every major supermarket chain in the world – has its own app that allows QR code based payments. Those apps allow a range of other functions to be integrated, including scanning, checkout, automated loyalty redemption and real-time customer data analytics. The ability to make the customer relationship sticky is attractive and with the average supermarket basket value increasing as customers shop bigger and less often ensuring that you’re the retail destination of choice is critical.
Behind this, however, is another change – and one that the PayPal deal with CVS lays bare. There is nothing that forces one of these QR code initiated payment apps to use payment cards as the means of transaction. Sure, they’ll be there as a backup but any API-based payment solution – and there are hundreds, if not thousands – can be integrated. As direct to account payment APIs, such as the PSD2 payment initiation API that’s mandated in Europe, become more widespread, it will be possible to go direct to the payment account in order to authorise payments.
This trend has other, major implications for other aspects of payments such as settlement and refunds but, as we can see from our own clients, a lot of thought and effort is going into resolving those issues. For retailers who can see lower cost of payments, reduced fraud, significant reductions in the cost of handling chargebacks and faster settlement this is a win-win-win-win situation.
As you might surmise, here at Consult Hyperion, we are heavily involved in all aspects of this change. From helping to develop and secure the apps, to advising on the business and governance models, through to designing and developing the solutions, and providing regulatory advice. We’re leaders in the field. If you’re interested come back to the future with us, QR codes are coming…
We’ve just had an important anniversary. I’m sure you are all thinking of July 4th and, of course, who can forget it! It’s a date that is very important to many people because it is the anniversary of the birth of The Clash, who played their first live gig on 4th July 1976. But for me, there is a much more important and personal anniversary. Here is the front page of the Swindon Evening Advertiser from 4th July 1995. The day I finally made the front page of my home town newspaper. Got to see my picture on the cover, got to buy five copies for my mother…
Yes, I was there on 3rd July 1995 in Swindon town centre when the Swindon Evening Advertiser vendor Mr. Don Stanley (then 72) made the first ever live Mondex sale. And here is the photographic evidence of same — in case you don’t happen to have copy of that Swindon Evening Advertiser — as I emerge Zelig-style from the crowd to watch Don take the e-cash. It was a very exciting day because by the time this launch came, my colleagues at Consult Hyperion, who were instrumental in creating Mondex devices and software, had been working on the project for some years (and for the first three or four years it was entirely in secret).
So for those of you who don’t remember what all of the fuss was about: Mondex was an electronic purse, a pre-paid payment instrument based on a tamper-resistant chip. This chip could be integrated into all sorts of things, one of them being a smart card for consumers. Somewhat ahead of its time, Mondex was a peer-to-peer proposition. The value was transferred directly from one chip to another with no intermediary and therefore no cost. In other words, people could pay each other without going through a third party and without paying a charge. It was true cash replacement, invented at National Westminster Bank (NatWest) in 1990 by Tim Jones and Graham Higgins. Swindon had been chosen for the launch because, essentially, it was the most average place in Britain. Since I’d grown up there, I was rather excited about this, and while my colleagues carried out important work for Mondex (software specification, development and testing for all of the core components), I watched as the fever grew out in the West Country.
Many of the retailers were quite enthusiastic because there was no transaction charge and for some of them the costs of cash handling and management were high. I can remember talking to a hairdresser who was keen to get rid of cash because it was dirty and she had to keep washing her hands, a baker who was worried about staff “shrinkage” and so on.
The retailers were OK about it.
“From a retailer’s point of view it’s very good,” said news-stand manager Richard Jackson. “But less than one per cent of my actual customers use it. Lots of people get confused about what it actually is, they think it’s a Switch card or a credit card.”
That’s if they thought about it all.
It just never worked for consumers. It was a pain to get hold of, for one thing. I can remember the first time I walked into a bank to get a Mondex card. I wandered in with 50 quid and had expected to wander out with a card with 50 quid loaded onto it but it didn’t work like that. I had to set up an account and fill out some forms and then wait for the card to be posted to me. Most people couldn’t be bothered to do any of this so ultimately only around 14,000 cards were issued.
So, why I am wallowing in this nostalgia again? Why do I think more people should be celebrating the Mondex Silver Jubilee? Well, look East, where the first reports have appeared concerning the Digital Currency/Electronic Payment (DC/EP) system being tested in four cities: Shenzen, Chengdu, Suzhou and Xiong’an. DC/EP is the Chinese Central Bank Digital Currency (CBDC).
with the kind permission of Matthew Graham @mattysino
The implementation follows the trajectory that I talk about in my book The Currency Cold War, with the digital currency being delivered to customers via commercial banks. The Deputy Governor of the People’s Bank of China, Fan Yifei, recently gave an interview to Central Banking magazine in which he expanded on the “two tier” approach to central bank digital currency (CBDC). His main points were that this approach, in which the central bank controls the digital currency but it is the commercial banks that distribute it, is that is allow “more effective exploitation of existing business resources, human resources and technologies” and that “a two-tier model could also boost the public’s acceptance of a CBDC”.
He went on to say that the circulation of the digital Yuan should be “based on ‘loosely coupled account links’ so that transactional reliance on accounts could be significantly reduced”. What he means by this is that the currency can be transferred wallet-to-wallet without going through bank accounts. Why? Well, so that the electronic cash “could attain a similar function of currency to cash… The public could use it directly for various purchases, and it would prove conducive to the yuan’s circulation”. How will this work? Well, you could have the central bank provide commercial banks with some sort of cryptographic doodah that would allow them to swap electronic money for digital currency under the control of the central bank. Wait a moment, that reminds me of something because… yep, that’s how Mondex worked.
That was the big difference between Mondex and other electronic money schemes of the time, which was that Mondex would allow offline transfers, chip to chip, without bank (or central bank) intermediation. Offline person to person transfers. Just like cash. That’s huge. Libra can’t do it, and never will be able to because, like Bitcoin, it needs to be online to check for “double spending”.
Mondex was a window into the future of money.
That’s why this week’s special webinar is a Mondex reunion! Tim Jones, one of the co-inventors and Mondex CEO, will be joining with Debbie Gamble who was head of Mondex North America. On our side, our CEO, Neil McEvoy (who led the Mondex specification and implementation team) and Tim Richards (who designed the underlying portable, secure operating system), will join Tim and Debbie to reminisce and have a bit of fun, but much more importantly, to talk about the lessons learned from that incredible experiment, and to share ideas for the coming generation of digital currency innovators. And there may be one or two special guests…
As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.
I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?
Since the FCA announced a further 6 month delay in the UK’s deadline for Strong Customer Authentication there’s been a general expectation that the EBA would follow suit and relax the date for the EEA. However, it now appears that won’t happen – the 31st December 2020 remains the key date and there won’t be any further relaxation in the rules.
This hasn’t been officially announced but appears to have been the gist of a letter by the European Commission’s Executive Vice President Valdis Dombrovskis which makes clear that there’s no consideration in place for a delay and that, in the Commission’s view, the Coronavirus pandemic and the subsequent rise in e-commerce makes it more urgent to implement rather than less. It looks like the Commission is not for turning and with only a little over six months left to be prepared any merchant or payment service provider than hasn’t been planning for this is likely to be in full panic mode.
At one level it’s hard to disagree with the Commission’s position – the deadline has been shifted already from last September in order to accommodate the industry’s inability to implement in time. Although, in fairness, it ought to be noted that original requirements require a degree in semiotics to fully understand and clarifications have been fitful and, on occasion, too late. However, there’s a degree of real-world pragmatism missing from the decision – the last thing the European economy needs right now is an e-commerce cliff edge right in the middle of the busiest shopping period of the year.
The divergence between the UK and Europe also starts to raise some interesting questions. PSD2 applies to countries within the EEA and not to transactions starting or finishing outside – and as of January 1st 2021 the UK will be fully outside. PSD2 will apply within the EEA ex-UK and within the UK ex-Europe but, barring some kind of passporting agreement, not between them. One option for desperate European e-tailers may be to shift operations to the UK where the SCA deadline is a further 9 months away. Of course, the same applies in reverse: logically there ought to be a compromise, but those seem thin on the ground.
Overall, then, the message to all organisations involved in electronic payments is to assume that SCA will be enforced from January 1st next year and any firm that can’t support it should expect to see transactions declined. Merchants and PSPs may choose or may not be able to handle SCA but issuers will be ready and won’t want to be upsetting the regulators. For any companies out there that don’t know what to do come and talk to us, we can help guide you through the process – first by helping ensure you’re compliant and then by addressing the additional friction that SCA will introduce.
It isn’t too late to do something about SCA but it does very much look like we are at the eleventh hour.
It feels strange to be writing about paying for food, one of the basic skills we learn in early childhood. However, these are exceptional times, when the basic notion of how we pay is being challenged. It seems we are now considering the different options for paying safely when physical contact must be kept to a minimum.
Consult Hyperion has been alerted to many requests for advice from community groups who normally rely on cash payments, so in response we have drawn up some guiding principles:
1. Maintain good practice: be aware of the vulnerability, both real and perceived, of people unable to leave their homes. Asking them to do things differently risks increasing anxiety and leaving them open to fraud.
2. Keep it simple: work with payments options people already use, and those they are familiar with. The large spike in phishing attacks over the past month highlights scammers’ eagerness to abuse this situation.
3. Maintain records: clear and consistent transaction logging is essential to protect both organisers and the people they are helping. Keep invoices for tracking and reconciliation purposes.
4. Work with existing networks: local authorities, housing associations, care providers, charities, community groups, faith groups, even village shops. The mix will vary according to the community.
5. Only allow demonstrably trustworthy individuals to handle payments: the list of people permitted to countersign passport applications could be a good starting point, but each community is different. Trust is vital in payments.
6. Keep payments and shopping separate: older readers will remember having an account with their local shop and having items added to their tally, paying the bill weekly or monthly.
7. School meals provide a good example: cards (or biometrics) are used to ensure all students have equal access to food, without the stigma attached with free school meals. Food is still served, even if the system has technical issues.
8. Take the time to discuss people’s preferences over the phone: The person receiving the shopping doesn’t have to be the person who pays. Be creative in encouraging people to contribute a little extra, or allow friends and family to pay on their behalf.
When organising payments, only use options people already have. This is not the time for a stressful sign-up process. In order of preference:
Online – PayPal, Bank Transfer, Pingit
With any new online payment, if there is a level of trust through an existing relationship, ask the account holder to send a small sum of 1p or 10p to the intended account, to check that it does arrive in the right place.
PayPal: convenient if you already have an account. Allows you to choose different sources of funds to transfer. Can be used for paying individuals as well as organisations. Includes a degree of protection.
Bank transfer (frequently referred to as Faster Payments): Despite communication from many of our banks, the full roll out of Confirmation of Payee is delayed. There is uncertainty over whether the money will arrive in the right place, so test initially with small amounts. It is irreversible. It can be performed easily via internet banking if you have the capability. Telephone banking is currently overloaded.
Some apps enable an invoice with bank details to be presented through a link to web page. This is better than simply sending requests for payments within an email, as fraudsters can’t just intercept the email and change the recipient details. It requires more effort to set up a fraud and is more likely to get spotted.
Pingit: Less widespread but convenient person-to-person payments which can be sent to a mobile number.
Contactless at the door
Using a portable reader from companies like iZettle, SumUp and Square. Apple Pay and Google Pay are good options as they allow higher value payments without the need to touch the device, if people already have the capability. Appropriate distancing must be observed.
The householder only has to part with a single piece of paper and does not have to receive change. Cheques will have to be paid in and take a while to clear but there is very little risk of the householder absconding.
People are encouraged to avoid handling cash and avoid touching ATMs. Keeping cash in the home makes people more vulnerable. However, some people rely on cash. Where change is to be given, this should be arranged in advance and put in an envelope.
These are extraordinary times, which force us to look differently at the way we pay. Consult Hyperion have been enabling secure payments for over 30 years and we are able to apply our own Structured Risk Analysis process to understand the threats and possible countermeasures in every situation. These threats normally relate to the security of systems but in this case also encompass the risk of infection and people being left without essential supplies.
If you are reading this from home and need help, try phoning your local shop. If they are not organising deliveries themselves, they may well be aware of groups who are. Many local stores and community groups are providing help to these who need it, providing a much needed service. Get in touch with your local group.
In these extraordinary times with the need for social distancing, the payments industry is raising the contactless limits across many countries in order to prevent the need to touch PIN Pads in order to pay for our essential supermarket and pharmacy shopping. Indeed, such is the concern over the use of cash that contactless payments are being actively encouraged over cash, with some countries, notably China and Russia now requiring that cash is sanitised before it is allowed back into circulation.
The Dutch Payment Association has moved to double their contactless CVM limit from €50 to €100, similar increases are being introduced by Poland; Norway; Canada; Turkey etc. Yesterday the British Retail Consortium announced that the UK too will raise its contactless limit from £30 to £45 on the 1st April.
So why do we need to wait a week? What does it mean? What are the alternatives?
First let us explain how contactless limits work and understand the difference between contactless payments in the UK compared to most other countries. Contactless payment terminals have 3 limits:
- Floor Limit
- CVM Limit
- Transaction Limit
The Floor Limit determines if the transaction should be sent online to the Issuing bank for authorisation. In the UK the contactless floor limit has been set at £0 for some time, ensuring all transactions are sent online, preventing spend from any cards that have been reported lost or stolen.
The CVM Limit is the one which is being changed on the 1st April. Above the CVM Limit a transaction requires a cardholder PIN or biometric authentication in order to be approved, which generally means a Chip & PIN transaction is needed. We are now seeing the introduction of some biometric contactless cards, but there are very few of them in the market today. By raising the CVM limit to £45 any contactless transactions below this will be sent to the Issuer for authorisation, which should result in the need to touch the POS less by reducing the number of Chip & PIN transactions.
The Transaction Limit is the maximum value that is allowed for any contactless transaction at that Merchant. This has been badly handled in the past, creating different customer experiences at different merchants. Ideally the contactless Transaction Limit should be the same as the Chip and PIN transaction limit. This then allows a contactless transaction carried out using a mobile phone, with Apple Pay or Google Pay, to be treated in the same way as Chip & PIN transactions. In the coming weeks, most payments will be made at Supermarkets, and whilst the raising of the limit to £45 will enable a higher number of contactless transactions, a large family shop will exceed £45. To be able to Pay without PIN, people should enable their cards in Apple Pay or Google Pay, this will allow them to Pay by contactless no matter the transaction amount.
In the UK, the Transaction Limit has not been uniformly implemented, in some merchants it is set to the same as the CVM Limit, meaning contactless can only happen below £30. The result has been confusion over when Apple Pay and Google Pay transactions will work and when you need to perform Chip & PIN. POS providers and merchants need to take the opportunity of this limit change to test their systems to ensure that both the CVM Limit and the Transaction Limit are set appropriately to provide the maximum opportunity to pay by contactless.
As my fellow Principal Consultant Tim Richards points out in our video blog, other countries are using mobile apps to prevent the need for PIN – completely “Contact Free” transactions. We don’t have that capability in the UK yet, Apple Pay and Google Pay being the best options for now. We expect this to change as Open Banking progresses and payments without the need for PIN become more common.
Consult Hyperion have extensive experience in contactless and “Contact Free” payments and testing, we will be able to help organisations ensure they optimise their payments capability to meet the needs of their customers, get in touch for more information on how we can help.
In the meantime, to avoid PIN Pads, shop below £45 or ensure Apple Pay or Google Pay is working on your mobile device, and stay safe.
 https://www.finextra.com/newsarticle/35509/russian-banks-act-to-decontaminate-cash?utm_medium=newsflash&utm_source=2020-3-24&member=56902  https://www.finextra.com/newsarticle/35493/dutch-banks-raise-contactless-limits-for-pin-entry  https://www.theguardian.com/money/2020/mar/24/limit-for-contactless-spending-to-rise-to-45-at-beginning-of-april