Living abroad, with tokens


I have just completed a three-month stint building our business in Australia, and expect to return for a similar period in the near future. How were payments, for me? The first thing to note (to coin a phrase) is that I used no cash whatsoever and don’t recall seeing anyone else either. All retail payments, including transport payments (don’t knock commuting if you’ve never travelled to work on the Manly ferry), were via my Apple Watch, so no PINs, either. (Australia is online PIN, so if you do use an old-fashioned card, you’re unlikely to ever have to insert it into a reader.)

Of course, virtual cards, as wielded by (for example) Apple Pay and Google Pay, present tokens (Device PANs) as an alias for the Primary Account Number (PAN). This ensures that the issuer is able to block fraudulent transactions that could present the Device PAN from somewhere other than the relevant wallet (for example, during a standard e-commerce checkout).

Living and working abroad for three months requires payments for things beyond the usual touristic or business travel items—for example, rent and utility bills. Credit cards are not particularly well suited to many of these payments, with the requirement for recurring (and, sometimes, variable) payments, returnable deposits and so forth. Further, in Australia, it is standard practice for credit card payments for these kinds of transactions to attract hefty surcharges. And, of course, forex charges and spreads apply.

It would have been better to have an Australian bank account and use all the domestic money transfer facilities. The trouble was, I didn’t have much idea of eligibility criteria (such as long-term residency) or how long KYC checks would take (especially without an Australian Tax File Number or driving licence, etc). Fortunately, there is a partial solution.

A number of fintechs (I used Wise) enable you to set up an account in your home country and then create (or have created, automatically) linked accounts in many other countries. Thus, I acquired an Australian BSB (Bank-State-Branch, equivalent to UK Sort Code or US/CAN Routing Number) and Account Number, exactly as any long-term resident.

In essence, the BSB/Account Number combination is a token representing my (UK-based) relationship with Wise. Just like a Device PAN, it enables a class of transactions, using a convenient digital representation; and also limits the scope of transactions; e.g. preventing anyone misusing the token from raiding my Sterling or US dollar funds.

One current limitation is that I cannot use the Australian bank details to set up a further level of indirection, that is, to use an Australian PayID, which would enable me to use a convenient handle, such as my mobile number, in place of hard-to-remember bank details (and, in fact, enable account portability). As well as providing more convenience, like other forms of token, this improves security, by making it less likely that someone impersonating me, and requesting payment, can pass off bank details which they control.

It would be nice to go one further step, which would be to use PayTo, the service set up by Australian Payments Plus, using the New Payments Platform (NPP), to manage payment relationships via mobile apps provided by banks and fintechs. I hope Wise (and others) are working on that. Then, a digital nomad could truly fit in!

Finally, a related grouch: I was frustrated, on a number of occasions, by useful apps not being available to people, demonstrably present in the relevant country, with an Apple ID associated with a different country. One example was my mobile provider; the obvious way to top up an account would be via their app, on a phone carrying their SIM, one would have thought. It was not to be, unfortunately. The same issue occurred with a government app and a newspaper app. Conceivably, I could have created an additional Apple ID or temporarily changed my residence details on the existing Apple ID. You’ve got to be braver than me to do that!

When is an acceptance mark not a mark of acceptance?

As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange.  It is a safe bet that (with the odd exception) cash will be one of your available options.  Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?

Well, you could talk to someone, of course.  But this isn’t always possible, for instance due to language barriers.  Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.


The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display.  The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.

I say ‘should be possible’ because, unfortunately, this is not always the case.  For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments.  Still – whilst not as convenient, the payment can still be completed via Chip & PIN.

But now adding to the mix we have a brand new acceptance mark for Apple Pay.  On the face of it, this seems a sensible decision.  After all, if you want to use Apple Pay then it’s good to know where you can use it.  But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol.  Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.


What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark.  It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction.  For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)

rorycj_at_pret

But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all.  Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay.  Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?

Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees.  As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme.  This Article provides that:

Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.

In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept.  Merchants may, for instance, choose to accept only debit cards and not credit.  Or they may choose to accept everything except higher-fee rewards cards.  “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.

To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU.  In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information.  It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.

So, when is an acceptance mark not a mark of acceptance?  Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.

High value in Apple Pay

At a recent industry event, I overheard a discussion about paying contactlessly with Apple Pay that made it obvious to me that the (bank) participants were not at all clear about how the authentication options will work with the contactless no-CVM (“tap and go”) limits set by UK Cards. Naturally, instead of taking the time to explain it to them, I rather selfishly thought “what a great idea for a blog post”. So here we go.

Most contactless terminals today have a £20 transaction limit, which makes sense when you accept contactless cards, which offer no cardholder verification mechanism (CVM). It doesn’t make sense for an Apple Pay transaction which uses biometric cardholder authentication via Touch ID.

[From Celent Banking Blog » Apple Pay: welcome to the UK!]

That’s right, it doesn’t. Which is why the CVM can be replaced by the CDCVM if the terminals are running the correct software. Wait, what? CDCVM?

Consumer Device Cardholder Verification Method (CDCVM) is a type of consumer verification method (CVM) supported by the card networks when assessing transactions originating from mobile devices. Verification is used to evaluate whether the person presenting the payment instrument is the legitimate owner of the instrument, and affects where the liability lies for fraudulent transactions.

[From Consumer Device Cardholder Verification Method – Apple Support]

CVM, as you will recall, is part of the EMV standard.

The EMV specification allows for a number of different Cardholder Verification Methods (CVMs) and any particular card will have the acceptable CVMs stored on it, in order, by its issuer.

[From Signature solution | Consult Hyperion]
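
To make the "in order, by its issuer" point concrete, here is an added example (not from the original post or any of the sources quoted): a small Python parser for the CVM List data object (EMV tag 8E) that walks the rules in the issuer's order. The sample list, its amounts and the terminal capabilities are constructed, a plain purchase in the card's own currency is assumed, and PIN or signature entry is assumed to succeed whenever the terminal supports the method.

```python
import struct

# CVM method codes: the low 6 bits of the first byte of each rule.
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verified by ICC + signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN verified by ICC + signature",
    0x1E: "Signature",
    0x1F: "No CVM required",
}

def parse_cvm_list(data):
    """Split a CVM List value into (X, Y, rules).

    Layout: 4-byte amount X, 4-byte amount Y (minor units, big-endian),
    then 2-byte rules. Each rule is (method, continue_on_fail, condition).
    """
    if len(data) < 10 or len(data) % 2:
        raise ValueError("CVM List must be 8 amount bytes plus 2-byte rules")
    x, y = struct.unpack(">II", data[:8])
    rules = []
    for i in range(8, len(data), 2):
        code, cond = data[i], data[i + 1]
        # Bit 0x40 set: move on to the next rule if this CVM is unsuccessful.
        rules.append((code & 0x3F, bool(code & 0x40), cond))
    return x, y, rules

def condition_met(cond, method, amount, x, y, terminal_methods):
    """Evaluate a condition code for a plain purchase in the card's currency."""
    if cond in (0x00, 0x02):        # always / not cash and not cashback
        return True
    if cond == 0x03:                # if the terminal supports this CVM
        return method in terminal_methods
    if cond == 0x06:
        return amount < x
    if cond == 0x07:
        return amount > x
    if cond == 0x08:
        return amount < y
    if cond == 0x09:
        return amount > y
    return False                    # cash and cashback conditions do not apply

def select_cvm(data, amount, terminal_methods):
    """Return the name of the first applicable CVM, or None if CVM fails."""
    x, y, rules = parse_cvm_list(data)
    for method, cont, cond in rules:
        if not condition_met(cond, method, amount, x, y, terminal_methods):
            continue                # condition not satisfied: try next rule
        if method != 0x00 and method in terminal_methods:
            return CVM_METHODS.get(method, "Unrecognised CVM")
        if not cont:
            return None             # rule applied, failed, and must not continue
    return None                     # end of list reached without a success

# Constructed sample: X = 1500 (15.00), Y = 0, then four rules in issuer order:
#   1F06 no CVM if under X; 4203 online PIN if supported (else continue);
#   5E03 signature if supported (else continue); 0000 fail CVM, always.
SAMPLE = bytes.fromhex("000005DC00000000" "1F06" "4203" "5E03" "0000")

if __name__ == "__main__":
    for amount, caps in [(1000, {0x1F, 0x02}), (4500, {0x1F, 0x02}),
                         (4500, {0x1F, 0x1E}), (4500, {0x1F})]:
        print(amount, sorted(caps), "->", select_cvm(SAMPLE, amount, caps))
```

The same card gives a different outcome at different terminals because the rule order is fixed by the issuer while the capabilities belong to the terminal.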

Right, so, when you have CDCVM, this is used as the CVM. Are we clear on this? Provided that the terminal is running the correct software, your phone will take care of verification and the issuer can then decide whether or not to authorise the transaction based on the enhanced authentication. I don’t know what the situation in the US is, but in the UK the rollout of this “high value contactless” infrastructure began some time before the Apple Pay launch.

A new service that lets NFC phone users enter their PIN on their mobile device to confirm a high value transaction is making it possible for UK consumers to make contactless payments valued at more than the current £20 (US$32) transaction limit for the first time.

[From High value contactless payments arrive in the UK • NFC World+]

In essence, this means that the £20 (soon to be £30) limit does not apply to mobile phones with strong authentication, provided the terminal is running the correct software, of course. Consumers, as far as I can tell, will have no way of knowing this. I know, for example, that Pret a Manger has updated their software, so when we went off to Pret to film a live item for the BBC Six O’Clock news, Rory Cellan-Jones (the BBC technology correspondent) could have bought more than twenty quid’s worth of coffee and pastries with a single tap there and then.

Behind the curtain

He didn’t. But back to the story. Apple Pay uses this infrastructure, so…

For Apple Pay transactions, CDCVM acts in place of other methods of verification when it’s supported by the payment terminal.

[From Consumer Device Cardholder Verification Method – Apple Support]

Good. Now, this has a specific implication in the case of Apple Pay, which is that Touch ID (fingerprint authentication) can take the place of entering a PIN or signature at the terminal or entering a passcode on the device for transactions above the contactless limit…

With Apple Pay, Touch ID or the device passcode can be used as the consumer device verification method, instead of the more traditional methods of PIN, signature for transactions in stores, or 3D Secure for transactions within apps… For Apple Pay contactless EMV transactions, CDCVM is performed and verified entirely on the iOS device (e.g. iPhone 6 and Apple Watch).

[From Consumer Device Cardholder Verification Method – Apple Support]

OK, so (just as you would expect) if you have authenticated yourself to your phone, then you can just tap and go even if the transaction is above the contactless no-CVM limits. You don’t have to enter a PIN on the terminal or sign a paper receipt. It seems to me that there are plenty of retail POS situations where this will work very well: you “pre-arm” your Apple Wallet by authenticating with Touch ID and then tap and go. I was thinking about this in a cab yesterday because that’s an obvious case (as I’ve mentioned before: in the back of a cab I tend to be sitting on my wallet but have my phone in my hand).

Black cabs could be legally obliged to accept contactless credit cards, as a new set of proposals are opened up to consultation… The proposal was backed at a meeting last month between TfL, the deputy mayor for transport Isabel Dedring, senior taxi trade representatives and card providers.

[From London’s black cabs could be made to offer contactless payments | City A.M.]

So if cabs are made to accept contactless payments and if they use the “high value” terminal software then, at last, things will work properly: open your Apple Wallet, pre-arm the transaction using Touch ID and then when the cab pulls up at your destination, at last, tap and go. None of this will matter to most people, of course, because they will pay using Apple Pay, Google Pay, Samsung Pay and everything else Pay inside Gettaxi, Uber, Hailo or another taxi app.

The dawn of the cardholder-present transaction (Salford edition)

Well, today was the big day. Yes, a cusp in the annals of payment history. The day that mobile payments became real etc etc. Apple Pay in dear old Blighty! And a surprising amount of media attention.

It is the first time the “tap-and-pay” system — which allows users to pay for goods and services by touching their smartphones on contactless payment points — will be available outside the US.

[From Apple Pay taps UK to shake up consumer spending – FT.com]

Hurrah! Now, I’ve been tapping and paying with my iPhone for ages using my splendid Barclaycard sticker. But now the rest of you can join in the fun. Well, at least those of you with some of the latest Apple gear, that is.

Owners of an Apple Watch synced to an iPhone 5, iPhone 5c, and iPhone 5s will also be able to use Apple Pay, albeit without the extra security of Touch ID available only on the latest iPhone 6/6S model. Those with the latest iPad Air 2 or iPad mini 3 will also be able to use Apple Pay within apps to make purchases online.

[From Apple Pay readied for UK live debut – E & T Magazine]

The launch of Apple Pay meant that I had a pleasantly busy media day, starting off in Salford with BBC TV’s national “Breakfast” show.  This was really fun but it’s quite difficult because you have to boil down what you want to say to the bare essentials and talk in a language that a normal person (i.e., not someone obsessed with the future of electronic transactions) can connect to. The main point that I wanted to get over was that this really does mean a payments revolution, but because it brings security and convenience in-app and online, not because you can tap to buy cups of coffee, no matter how cool.

Good Morning Britain

One question that I was asked more than once during the day was “is it secure?”. I sometimes find this a little odd, because it suggests that Apple, the international card schemes, Britain’s leading retail banks and top consultants were thick as planks and hadn’t thought about it. My consistent response was that not only is it secure (or, at least secure within the bounds of the economic parameters appropriate to the business model, which is what I always mean by “secure”) but it is very secure indeed. The truth is though that none of this actually matters when it comes to adoption.

according to our Technographics data from Q1 2015, 27% of UK online consumers owning an iPhone would trust Apple to provide a mobile digital wallet but they are still more likely to trust PayPal (43%), a bank (41%), a credit card network (40%), and Amazon (32%).

[From Expect Faster Adoption Of Apple Pay In The UK | Forrester Blogs]

Now, it’s very important not to listen to consumers at all about this sort of thing. How secure a transaction mechanism is or is not has almost no bearing on whether people think it is or is not secure and no bearing at all on whether they actually use it or not. If you look at what people say and do, it’s clear that they are unconnected and surveys are a bit of a waste of time.

So, broadly speaking, people think that mobile payments are not secure, but since they don’t care about security and value convenience more highly, they will use mobile anyway.

[From I don’t trust public opinion on trust (or anything else) | Consult Hyperion]

The fact is that whatever people think, mobile payments are more secure than card payments. They might even, as it happens, lead to their demise. Anthony Jenkins, when head of Barclaycard, rather famously (to me) said that mobile phones would get rid of cards before they got rid of cash. I hate to say it, but it looks like he was right. Look at the trajectory. A decade ago, Bank Technology said that:

In the US, bank-issued contact smart cards are already in decline. In March of this year, Target said that it would discontinue its smart card programme because so few of the cards were ever used to download coupons as intended. Financial Insights reckon that the numbers in circulation will continue to fall from the peak of 21 million in 2002. Unless there is a dramatic increase in card fraud in the US, the business case for investing in anything other conventional magnetic stripe cards remains non-existent.

Well, there was a dramatic increase in fraud, yet the business case remains uncertain. US issuers are hardly racing to implement EMV. The costs of card-not-present (CNP) fraud and PCI-DSS all fall on the merchants, not the issuers, so their incentive to change is limited. But — and this is a perspective we need to explore — EMV has not been a magic bullet against fraud elsewhere in the world. The UK has had EMV for years, yet card fraud is still a major, major problem.

Damning research shows up to 3.8million bank and credit card frauds are left out of the Crime Survey for England and Wales, distorting the true scale of offending. If they were included, the number of annual offences would rise by 50 per cent, from the record low of 7.3million to 11million a year. It means seven people are defrauded every minute.

[From Why crime is really UP 50%: Upbeat official figures ignore slew of offences, from card fraud to murder | Mail Online]

The reason is two-fold. First, over time, criminals have become more inventive and have found many scams to obtain cards and PINs. Second, and most importantly, EMV did nothing about CNP. This is what Apple Pay is about to change, followed by bank schemes, Google Pay, retailers’ own schemes, Samsung Pay and whatever else.

UK Card Fraud 2003-2014E

According to a variety of figures I’ve looked at, retail e-commerce is growing at around 10% per annum whereas card fraud in retail e-commerce is growing at double that rate. It’s time for a step change in the fight against card fraud. But what? Well, back in January 2014, I said in passing that “until we get a more secure mobile phone-based card infrastructure in place with working tokenisation” we would be stuck with these high levels of card fraud. Of course, I’m not quite the guru you might imagine for saying this, because I knew that my colleagues at Consult Hyperion were already working on tokenisation, but you can see what I was getting at.

I made this point again when I got caught up in an interesting discussion about card fraud a couple of days ago. The circumstances aren’t germane and I wouldn’t want to mention any of the organisations involved, and I hope none of them will mind if I mention that one of the main points of discussion was the relative security of mobile transactions over conventional card transactions. I think it is fair to say that, broadly speaking, the discussion subgroup who came from banks agreed with me that mobile would in time be more secure than cards while the subgroup who came from merchants wanted to know if this meant changes to rules and rights. (I think it will.)

So why did the bank group think that mobile holds so much promise in security terms? As you’d expect, device fingerprinting and location-based services were seen as transforming the security around the payment transaction, and I couldn’t agree more. They also thought that this would mean that, in time, card-present (CP) rules and rights could be extended to mobile transactions. Personally, I am more bullish than that and would push further. I think that in time “cardholder present” transactions will actually be cheaper for the merchants than CP transactions and will be more desirable for the merchants because they allow for the sophisticated handling of payments related data within a transaction.

This must mean that in the longer term merchants will incentivise the use of mobile payments (e.g., Apple Pay) over the use of plastic cards and this will further support the evolution of in-app payments. As I said to a journalist this morning, Apple Pay is huge, but not because you can tap your phone to buy a coffee. Apple Pay is huge because it is the mass-market dawn of the change from card-present and card-not-present to cardholder-is-present and cardholder-was-present transactions.

But back to breakfast television. In the “green room” I ran into Mark Thompson, the astronomy chap, who was in to talk about the Pluto mission. As an experiment we decided to try out Apple Pay on his iPhone, which all went swimmingly. He opened up “add a card”, scanned his credit card and then… “sorry, your card is not supported”. He was using a Barclaycard.

Good Morning Britain

I showed him my sticker.

In-app and on-message in Barcelona


Wandering around #MWC15 in Barcelona this year I got involved in a bunch of conversations about Apple Pay, Loop, NFC and so on. But I thought that focus on the physical, in-store interface, could be diverting people away from the central strategic shift to in-app payments.

