Rail usage up, so what?

The Office of Rail and Road (ORR) has just made a quarterly statistical release for Passenger Rail Usage. So what?

There are relevant economic and social trends to which public-sector bodies must respond with transport policies:

  • Circa 60% of the UK population lives in cities. Congestion is a real problem which in turn leads to increased pollution and reduced air quality.
  • As a population, we travel substantially less today than we did one or two decades ago.
  • We are travelling less by car and more by train and bike. Fewer of us are getting driving licences, and we are getting them much later in our lives.

A key response to these trends is to try to drive modal shift from privately owned cars to mobility as a service (MaaS). Rail is a key mode in MaaS solutions, and Rail, in the UK, is undergoing a root and branch review which was announced by Chris Grayling and the Department for Transport in September 2018. Keith Williams is leading the review, supported by an expert panel. Amongst other things, it will look at the structure of the whole rail industry, regional partnerships and improving value for money for passengers and taxpayers. Any emerging reform plans will be implemented from 2020.

One can imagine that there are many problems to be addressed as part of this review and that fares and ticketing might not get much of a look in. However, the ‘value for money for passengers and taxpayers’ part seems significant.

In a February meeting with DfT about the future of fare collection and transport payments, Consult Hyperion was asked to respond to the recent Rail PAYG Consultation covering:

  • what a Pay-As-You-Go (PAYG) travel area is, and how it would work in general
  • where a PAYG travel area could cover
  • the changes to fares that could be made within the area

The consultation ran from February to the end of April 2019 and now the Department for Transport is considering the responses.

In the context of this activity, the ORR statistical release makes perhaps more interesting reading than it otherwise would have done.

 “Passenger journeys using ordinary tickets increased by 5.0% in 2018-19 compared to the previous year. This was driven by a 6.9% growth in anytime tickets. In contrast, the number of passenger journeys made using season tickets fell for the third consecutive year, down 0.4%. Market share of season ticket journeys was 36% in 2018-19, down from 48% a decade ago.”

These would seem like exactly the right market conditions for introducing PAYG on rail beyond London. Today’s passengers cannot easily predict their journeys in advance, but would like to be rewarded for frequency of travel; which, by choosing Rail, will help meet social and environmental goals. Granted, PAYG is not well suited to long-distance Rail if ticket prices are high, but there are many train journeys that are in the right price bracket.

In time, it would seem desirable to phase out season tickets. Ticketing should be tailored to the increasingly flexible patterns of work: perhaps for a specified number of days per month or the use of digital carnet tickets (to be enabled prior to departure). It would seem that smartphone apps are ideal for handling this.

Flexibility is also required within each day. Passengers travelling out in off peak times frequently don’t know until they start their return journey whether it will be peak or off-peak. In addition, designations of peak and off-peak are complex, localised and require further study.

A PAYG solution which focuses primarily on the gate line may limit subsequent progress. Mobile ticketing has an important role to play. It provides the means to offer a variety of ticket types on a single device and is comparatively easily updated. It also offers much greater flexibility for passengers travelling from unmanned stations, where gate lines don’t generally feature, and ticket machines are frequently vandalized. Another benefit of mobile ticketing is the quality of travel data that can be collected (while respecting passenger privacy).

We have recently been advising three UK Sub-national Transport Bodies (STBs) and recently facilitated a transport operator workshop to discuss options for fare collection and transport payments. The thing that the operators seemed most excited about was PAYG.  The kind where customers just turn up and travel without having to worry about the tariffs in advance and trusting that they will be charged a fair price. Inevitably, the discussions dipped into which technologies are good at this and which are bad, but the fact remains, they are clear what their customers want and truly believe that by giving them what they want, they will receive increased ridership in return.

Clearly, this is what Transport for London already provides and their offering is slowly extending out from London into the SE region, for example to Gatwick Airport. However, the open-payment-based PAYG models (using contactless bank cards) are limited in the amounts up to which fares can be aggregated before payment is taken. This is for reasons of risk of payment for the journey never being received, but it also makes sense from the point of view of the customer who does not want to travel on trains all day not knowing how many hundreds of pounds they will be charged at the end and they also want to benefit from any available capping of fares.

What is needed is flexibility. Open-loop transit payments are better than conventional card-based transport cards for travelling within cities. As we have said before, open-loop transit payment suffers from the passenger identifier (their bank card) being tightly coupled to just one of their payment mechanisms (one of their bank accounts). We have been exploring other mobile-based solutions with the Rail Delivery Group (RDG) recently and are hopeful that such customer-centric alternatives will emerge soon.

If you’re interested in finding out more, please contact: sales@chyp.com

Merchants, payments and the open banking ecosystem

A major focus for the entire merchant payments ecosystem in the coming year, will be the new threats, opportunities and players in the emerging open banking world. Starting with the U.K.’s move to open banking in January (the implementation of the Competition and Market Authority’s “remedies”, or the “CM9”) and moving ahead with PSD2 across Europe, the ability for trusted organisations to access consumer bank accounts to not only obtain transaction information but also to instruct payments, will inevitably change the landscape.
 
There are new opportunities for acquirers to become broad-spectrum merchant service providers (MSPs) to facilitate interaction between the open banking infrastructure and the merchant community. This very appealing vision of the future (for merchants) will draw them towards a once in a generation change at point of sale. Merchants can easily afford to incentivise customers to switch to account-to-account “instant payments” and at the same time offer considerable customisation based on customer account data.
 
Merchants definitely need some help, and it’s not all about payments. A recent Consult Hyperion survey found that more than 90% of merchants want to use PSD2 to reduce card fees, three-quarters of them also want to use it to reduce the impact of fraud and data breaches. An Accenture survey last year also found that half of the retailers they surveyed want to use customers’ bank account data to provide special offers and customised services at POS.
 
Apart from anything else, we expect to see a resurgence of interest in the “decoupled debit” proposition whereby platform-provided strong authentication to retailer apps will allow them to bypass the existing card infrastructure (with some projections indicating that a third of European card volume could disappear in the coming years) and perhaps even the physical POS itself. It’s easy to imagine self-scanning around the supermarket and hanging up the scanner at the end, to see the store app popping up on the customer phone with the total, prompting touch ID to confirm, and the merchant instructing an instant payment from customer account to merchant account.
 
As a customer, the instant payment proposition seems just as familiar as a debit proposition: customer walks out of the merchant and the money walks out of the customers account. The fact that it never goes near the existing rails isn’t something a customer knows nor cares about. This, as is often pointed out (by me), is a great opportunity for new players (eg, Google, Apple, Facebook and so on) to join the ecosystem. These are players with a business model built on data, not merchant service charges, and thus the business models in the ecosystem will reorient. This was one of the key themes picked up at last year’s Merchant Payment Ecosystem conference in Berlin, and I wrote at the time that my impression was that some of the big plays coming would be big data, analytics and machine learning.
 
Having said that the existing rails may be bypassed, open banking also provides an opportunity for the schemes to reinvent themselves and their propositions. (As we think that the UK is about to become an interesting, exciting and unpredictable laboratory experiment in open banking, it seems to us that Mastercard’s work with VocaLink should be a focus of industry attention in this regard.) After all, a payment scheme isn’t just a data switch that connects consumers, banks, merchants and retailers. If it was, there wouldn’t be any. Rates, rules and rights are fields in which Visa, Mastercard, Amex, Discover et al have decades of experience to leverage through both their existing relationships and the new ones that will arise.
 
The retailers themselves, especially the millions of small retailers, will also benefit from this transition because a variety of new products and services will spring up to help them to manage their bank accounts, funding requirements and general financial services needs. I’m no expert on small business financing but the ability to see the details of a retailer’s bank account will surely lead to new opportunities for specialist financial services providers.
 
All things considered, 2018 is going to be a pretty interesting year and we are very much looking forward to learning about the new possibilities at Merchant Payment Ecosystem 2018 in Berlin. If you want to meet me or our Principal Consultant in the POS field, Gary Munro, at the the event then just drop us a note and we’ll see you there.

Using Big Data to Identify Fraudulent Transactions

With Thanksgiving upon us and the drive for mass consumption to continue through the Black Friday and Cyber Monday purchasing frenzy in the US, we regularly hear the comment from US merchants that the migration to EMV (contact) payment cards has driven the increase in Card Not Present (CNP) fraud. I guess to a small extent they’re correct; smartcards are more difficult to clone so the fraudsters have been forced to look for alternative sources of income. However, I would suggest that the main driver has been the increase in the efficiency with which fraudsters collect and use PII (personal identifiable information) and account information.

The days of shoulder-surfing people at the ATM for their PIN and/or stealing a phone for the PII and account information stored within it are confined to the minor or opportunistic criminals. Today the specifications for PANs, test PAN numbers and real PII and account information from data breaches within the many high street names, can be purchased on the internet. These are used by organized criminals as the basis for attacks in which a range of PAN and CVV numbers are sent to multiple merchants to identify valid combinations. Valid account information is the then used to procure goods from a range of merchants.

Luckily for the merchants and banks that Consult Hyperion work with, there is a wealth of information available to determine whether or not a transaction is valid. The mobile network operators, either directly or through brokers such as Payfone (USA) and Enstream (Canada), can provide the location of the account holder’s mobile phone, which should be close to the location from which the payment transaction is initiated. The account holder’s behavioral patterns can be monitored to determine whether or not the transaction is out of character. Device fingerprinting companies such as InAuth and mSignia can tell them if the transaction has been initiated from a new device, or one with odd characteristics, such as a foreign keyboard.

However, not many companies understand the scope of the information that they have in their possession or how it can be used to mitigate the risks associated with fraudulent transactions. Recognizing the opportunity, a number of third parties are offering AI based services to help such organizations to use the patterns in their data to identify fraudulent transactions. Consult Hyperion’s customers have benefited from a more rigorous analysis of the data in their possession and how it is generated, before they started working with these third parties.

My colleagues at New York and Guildford, UK, have a detailed understanding of the messages passed between the Merchant and Issuer and all parties in between in a retail payment transaction. Over the last 15 years, we have used this knowledge to de-bug or optimize the flow of information between all parties. More recently we have been asked to evaluate how patterns in the data can be used to identify fraudulent transactions. You would be surprised how often the PAN number is included in the transaction message. Comparing each instance of the PAN will allow you to check that the criminals have not tampered with those messages.

The results of our analysis helped our clients to focus their engagement with prospective vendors. They now have a better understanding of how the different parts of their authorization systems interact with each other, what data can be monitored and why. Their initial discussions with third parties have moved from “Is this possible?”, to “This is what we want to do”.

I hope that you have a Great Thanksgiving if you are in the US or London this weekend and that between them, Uber, Equifax et al have left you with sufficient credible payment credentials to allow you to enjoy the consumer fest that follows. Me, personally, I am heading somewhere I can be off-grid for the weekend, if only to stay away from all those tempting offers.

The Challenge of Delivering mPOS Services through Off-The-Shelf Mobile Devices

 

The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.

Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.

Magnetic stripe dongles are effectively given away; their cost refunded through reductions in the fees levied against the initial transactions; their power derived from the phone, when inserted in the audio port. Chip & PIN dongles are more complex and so more expensive requiring their own power supply or battery. The business case to subsidize the additional cost of these devices through reductions in transaction fees is more challenging.

The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.

Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.

So, the challenge is; can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?

There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.

So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.

People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!

Why can’t digital identity be easy, like payments?

 

I have often seen payments (especially the card networks) used as an analogy for digital identity. In fact, I brought up the analogy myself at the fun OIX meeting in Amsterdam last Thursday. Certainly when you look at something like GOV.UK Verify there are some striking comparisons:

  • A central scheme with a brand, rule book, governance body and switching infrastructure (i.e. Verify itself),
  • Issuers (i.e. the private sector identity providers), and
  • Merchant acquirers (well merchants anyway, in the form of government relying parties).

We have to keep reminding ourselves that these card networks did not appear overnight. What we have today is a result of 60 or more years of evolution. Admittedly the pace of change has increased significantly but we need to recognise it often takes time to build scale and gain adoption. There are special cases of course. PayPal, for example, grew out of a significant pain point within eBay – which gave it immediate scale.

There is however one key difference between payments and identity. You cannot sell stuff online without a means to receive payment and normally that means integrating with a payments scheme that works for your customers. You can however sell stuff without leveraging an external identity scheme – you just give the user an ID and password specific to the service. This is however bad news for users – resulting in the fragmented personal data and password mess we find ourselves in today. There needs to be an incentive for merchants to do something different to this. Perhaps merchants need a big stick? Like GDPR for example. Merchants are going to have to be a lot more careful with personally identifiable information in the future. One thing they could do is use an identity provider to hold that data and in the process reduce their risk.

Individuals also need to realise that their personal data is valuable, just like their money. That is going to require some education because so far they’ve been taught to share data without considering the consequences.

In the UK, arguably the most significant digital identity initiative over the past 5 years has been the GOV.UK Verify programme. They are at the stage where they need to grow. The scheme is up and running and so they are now busily signing up citizens and services. It is a critical point in its development. We are very pleased that David Rennie who leads industry engagement on the programme will be taking time out of his busy schedule to join us at Tomorrow’s Transactions. Come along and find out how it is going.

You can also get added to our mailing list here.

Quite an ecosystem

A funny thing happened on the way to Merchant Payment Ecosystem in Berlin. Three funny things, actually. I tried to use an app to buy something on the way and I got a message saying “transaction failed”. It didn’t tell me why. I’m sure the service provider didn’t know either, as they just got a decline from the issuer. Some forensic work on my behalf later determined the cause of failure was that the card I’d given the app a couple of years ago had expired. The new card was on my kitchen counter back home, but of course it was my problem to have to go around all the stupid apps on my phone that didn’t use Apple Pay and update update each of them individually.

 new BA POS sighted

Then on the plane on the way to Berlin the British Airways cabin crew said that the on-board POS had a problem because it would accept AMEX and Visa cards but not MasterCards. No one knew why. I was desperately hoping that they would put out an emergency call over the public address system “is there a merchant acquiring expert on the plane” (there were about 200 of them by my estimate) but, sadly, they didn’t and so those people prepared to cave into BA’s new policy of making passengers pay for coffee had to struggle by as best they could.

When I got to Berlin I jumped in a taxi at the airport and set off for the hotel where we were going to be discussing all the new stuff going on in the world of merchant payments. We got to the hotel, I took out my card and was actually stunned to hear the driver tell me “I don’t take cards”! Seriously! In a supposedly civilised country and a city that wants to challenge London’s position as fintech hub! So the driver had come into the hotel with me and wait until I checked in so that I could get hold of some cash in order to help him to evade tax.

I drew on these experiences in my opening address to make three main points to the delegates:

  1. Electronic payments are not ubiquitous, but that’s not because of the technology. The taxi driver could perfectly well have taken electronic payments if he wanted to, but he didn’t want to. When I went to dinner the following night, I of course used an app

  2. Evolution in our sector isn’t really about payments, it’s about identity. Since BA know who I am, and since I had to show a passport to get on board, and I have British Airways Amex card and a BA app on my phone, why are BA messing about with chip and PIN at all? Why not just use my BA app to charge to a token on file?

  3. We’re on the edge of the thingternet. Look at IBM’s recent announcement of a partnership with Visa. Everything is becoming a card, everything is becoming a POS. So what happens when I’m driving down the motorway and my card expires and a new one is issued? Does my car stop dead in the business class motorway lane while I have to send a motorcycle courier to fetch the new card from my house so I can type in the new expiry date and the CVV? We’re shoehorning systems into environments they were never designed for so maybe it’s time to rethink and construct a new kind of infrastructure (based on identity, obviously).

While I’m on the topic, by the way, this was my first visit to Merchant Payment Ecosystem despite a number of recommendations from our guys and others, and I have to say that it’s an excellent event. I was genuinely flattered to be asked to chair the first morning and the key panels. The first was with the panel about digital commerce and omnichannel payments with:

The discussion was absolutely first-class. Sometimes it can be difficult to get the conversation going on the first panel of a major event but we hit the ground running on this one. As I explained the audience at the time there were no rehearsed questions and no PR scripts to follow. We had a genuine conversation about a wide range of topics and I can see from the feedback that the delegates greatly appreciated hearing smart people speak their minds. I really hate to paraphrase such a fascinating discussion, but if forced to I would say that there is a shift underway from the POS as a device to the POS as a platform and there is a convergence under way but that convergence is towards the virtual rather than the real. In other words, the checkout and payment experience is converging to the app, not the tap (okay, that’s my bumper sticker and not exactly what the participants said but I think it conveys the sense of the discussion!) and the payment experience will be the same whether in-store, on the phone or at a web site.

With thanks to @KSthankiya

 

The second panel  was great too. The organisers did me the great honour of allowing me to cross-examine some of the industry’s most senior people on behalf of the wider audience. The panel was:

The panellists allowed me to push them on some of the tough issues facing the acquiring and processing parts of the industry. I made the point that in an environment moving towards instant, push payments the role of acquirers and processors will change substantially. Naturally, since everyone on the panel knew more about this than I did and had already thought of it, they had some great perspectives.  I was particularly interested by their views on future value-added services which, it seemed to me, had a lot to do with data. Hence I was left with the impression that some of the big plays coming in this space are no longer about devices or charging bundles or apps but about big data, analytics and machine learning. I also rather liked the suggestion that emerged from the panel that we need to begin to reframe the acquirer as a merchant service provider (MSP).

mpe-from-aci

All things considered it was a terrific event. My colleague Gary Munro (Consult Hyperion’s principal consultant on the acquiring side), who chaired a couple of excellent sessions at the event, has attended for the last couple of years and he knows a fantastic amount about this business and he always recommended it highly.

Gary Munro at MPE

 

This will definitely be a fixture in my calendar from now on – a couple of days very well spent and the whole experience was only slightly undermined by the Berlin airport baggage handlers strike on the final day.

Fintech “banks” are coming to the USA

A few years ago, I wrote that when it came to the regulation of payments, America could do worse than adopt something along European lines. By “European lines”, I meant that a regulatory framework which separated systemically risky operations such as lending people money from systemically unrisky operations such as low-value payments would benefit all concerned.

The US has no equivalent of the EU’s Payment Institution (PI) licence, but this would be a practical way to allow new entrants access to the infrastructure needed to deliver great new products and services.

From In payments, the US is an emerging market | Consult Hyperion

Hence it was rather exciting to read the news that the US regulatory environment is about to change, and about to change significantly. This announcement is, I think, really important.

The Office of the Comptroller of the Currency will start granting limited-purpose bank charters to fintech companies,

From OCC Grants New Charter to Fintech Firms — with Strings Attached | American Banker

These special limited-purpose national bank charters (I can’t think of a snappy name for them yet  – I want to call them “near-banking” licences because they allow you to do some of things that banks do) mean that fintech companies can apply for a national licence instead of having to apply for licenses in every state. So if you want to offer some form of payment service, you will no longer have to apply for 50 (different) state money transmission licences.

Fintech firms that can apply for an OCC charter must offer at least one of three financial services: make loans, pay checks or receive deposits. The OCC is currently developing guidelines for a fintech bank charter that will be based on the comments received from the proposed paper.

From Regulator will start issuing bank charters for fintech firms

Were I to comment on the proposed paper, I would focus on the first of these financial services. It is the provision of credit that is the systemically risky service and it is this service that requires strict regulation. I make no comment on the issue of whether this should be dealt with at the federal level or state-by-state, but it does seem to me that if the proposed special fintech banking charter were to exclude this activity then it would create a regulatory category that is much more like the European Union “payment institution” or the Indian “payment bank”. I don’t know what other people think about this but I think that the European Commission’s general drive to separate regulation of payments from the regulation of banking makes a lot of sense and is founded both in sound regulatory strategy and economic theory. It’s the right way to go.

we can see a “back to the future” roadmap where banks go back to savings and loans and the “pooling” functions needed to support a modern economy, non-state actors provide money and — and most importantly in the short term — third-parties provide payment systems. In Europe, the regulatory wind is already in these sails.

From Why do banks run retail payment systems? | Consult Hyperion

To begin with an obvious example, Facebook recently obtained licences in Europe to operate as a Payment Institution (PI) and as an electronic money institution (ELMI). The regulatory burden of complying with these licenses is very limited compared to complying with a full banking licence, which is good for both Facebook and its customers who will be offered innovative new services through the platform (sending people money using Facebook as a front-end to national and international payment networks, allowing people to carry stored value accounts in Whatsapp and who knows what else).

The notion of a special-purpose charter has also drawn concerns from some consumer groups who want to ensure all of the banking and fair-lending laws apply to fintech firms and banks that fear they would lose business to fintech if they had to compete within the same banking system.

From Regulator will start issuing bank charters for fintech firms

 I am not an expert on consumer lending but I would have thought that the concerns of consumer groups in this area are perfectly reasonable and that the simplest way to satisfy those concerns is to keep the provision of credit with existing institutions that are tightly regulated in that regard. Therefore I would comment to the OCC that if they want to encourage more competition in lending it should be through a separate kind of special charter.

But back to the rest of the special-purpose charter. As to the concerns of the banks that they will lose business, well, tough. The purpose of the financial services regulatory environment is not to maintain the status quo and to defend incumbents against competition of all kinds across time. If some banks are concerned that the new special-purpose charter “banks” will be able to deliver payment services at a much lower cost (which I sincerely hope will be the case) then the rather obvious strategy is for these banks to form a subsidiary to handle payments and to have that subsidiary regulated through the same special-purpose charter as their competitors. 

This may not be enough to save them, by the way. Thomas Watson Jr is often quoted as saying in 1943 (*) that there was a world market for five computers. It turns out that he was right: they are Apple, Amazon, Facebook, Google & Microsoft and everything else is just a window into those. (I think Thomas was wrong – he didn’t forsee WeChat or Alipay – but you get the drift.) When these “internet giants” get their special-purpose charters, they will control both the customer interface and the financial system interface. Why will I ever come out of Facebook and run my bank app ever again? If my Mac’s “Messages” application can send money to your WeChat, what will happen to Transferwise? If I google “PayDay Loan” and the money arrives in my gmail account before you can say “where is the 21st century anti-trust legislation” what will happen to competition in the lending space? What happens why Microsoft asks you add to your bank account to LinkedIn and can then offer both “request to pay” and  instant payments on the platform? 

On final note, most of the commentary I read about this over the weekend focused on the ability of these “Internet giants” to obtain these charters and deliver payment services. There are, however, plenty of other types of organisations that might want to obtain one of these charters in order to provide financial services that either compete with lazy and fat incumbents or deliver innovation into new or underserved niches. AT&T could get a licence and launch USA-PESA. NetFlix could get a licence, join Visa and then issue its own credit cards. But if I were to grab my crystal balls and get all Nostradamus on your asses, I’d say keep an eye out for the retailers. If I was Walmart, I’d be thinking about getting me one of those special-purpose charters myself so that I could operate my own payment services without having to have a joint venture with banks (e.g., its partnership with GreenDot) or go through the expensive process of getting a subsidiary regulated as a bank.

In the late ’90s and early ’00s the company made numerous attempts to get into banking after it argued that the 1999 Financial Services Modernization Act allowed nonbank commercial operations to acquire financial services companies and operate their own banking operations. It failed to acquire a bank in Broken Arrow, Okla., in 1999, and its attempt to acquire a bank in California led to the state legislature to pass a bill specifically outlawing what is arguably permitted by the controversial banking deregulation bill signed into law by then-President Bill Clinton.

From Wal-Mart Would Love To Have A Banking License, But It Doesn’t Necessarily Need One

As I said back in 2011 when someone asked me who might become the Walmart of payments, I said Walmart. The OCC move brings this one step closer! My reasoning was obvious: the customer interface. Retailers are where the customers are and is where they make their payments. Right now if you want to use Walmart Pay you have to register a card, but there’s no reason why Walmart Pay couldn’t, as a bank, instruct the transfer of funds directly from your bank account.

Who knows what the result of the OCC consultation process will be, but on the whole I think that the notion of the special-purpose charter that makes it easier for non-banks to come into the space and compete is a good one. With Venmo up and running, the big banks launching Zelle, NACHA going to same day, The Clearing House launching instant payments and others, I’m sure, just around the corner with their blockchains and cybercurrencies and so forth, we are about to see the US landscape transform, much to the benefit of the users of the payment system.

(*) He never said this, but let’s not spoil it for all of the management consultants who like to put this on a slide about innovation.

Secure-enough transit mobile ticketing

ITSO with HCE app and Handy

This year, I’ve been mostly working on ITSO ticketing in NFC mobiles devices with HCE and without secure elements. ITSO is the e-ticketing specification supported by the Department for Transport in the UK.

So far, high level design, risk analysis and proof of concept have been carried out by our team. Suitable controls are being developed. We are heading towards a trial this year on live schemes. More details to follow in next few weeks. But for now, see page 10 of the latest ITSO News.

 

When is an acceptance mark not a mark of acceptance?

As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange.  It is a safe bet that (with the odd exception) cash will be one of your available options.  Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?

Well, you could talk to someone, of course.  But this isn’t always possible, for instance due to language barriers.  Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.

bitcoin_accepted_in_Swindon

The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display.  The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.

I say ‘should be possible’ because, unfortunately, this is not always the case.  For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments.  Still – whilst not as convenient, the payment can still be completed via Chip & PIN.

But now adding to the mix we have a brand new acceptance mark for Apple Pay.  On the face of it, this seems a sensible decision.  After all, if you want to use Apple Pay then it’s good to know where you can use it.  But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol.  Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.

apple_pay_at_tfl

What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark.  It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction.  For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)

rorycj_at_pret

But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all.  Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay.  Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?

Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees.  As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme.  This Article provides that:

Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.

In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept.  Merchants may, for instance, choose to accept only debit cards and not credit.  Or they may choose to accept everything except higher-fee rewards cards.  “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.

To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU.  In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information.  It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.

So, when is an acceptance mark not a mark of acceptance?  Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.