debit card - Consult Hyperion

I’m sure by now you’ve all read about MasterCard’s acquisition of VocaLink. If not, you can listen to me talking to David Yates, the CEO of VocaLink, about it on the latest podcast in our Tomorrow’s Transactions series, either via iTunes or directly via our web site. It’s very interesting, in my opinion, to hear David’s rationale for the deal and his very positive view of the future that has VocaLink experience in instant payments married to MasterCard’s global presence. And for more on this deal, Karen Webster over at Pymnts spoke to MasterCard’s Chief Product Officer to look into the “why VocaLink and why now” behind the acquisition and wrote a nice piece about it.

With VocaLink’s Zapp proposition, Miebach explained, a consumer can go to a merchant’s checkout, use their mobile device to access their trusted bank’s mobile app, and see a variety of payment options including Zapp’s pay-by-bank offering.

From Mastercard Talks VocaLink Acquisition | PYMNTS.com

Personally, I think this initial analysis didn’t touch on a couple of issues that are relevant to understanding the deal. First of all, the reason why VocaLink was worth so much to MasterCard rather than anyone else (and thanks to the collapsing Pound was a bargain for them) is that Visa dominates the UK debit market and the push future for “instant payments” at retail presents a debit-like proposition to consumers. Zil Bareisis made this point over at the Celent blog.

Visa controls 97% of the debit card market in the UK. I would imagine that a Zapp-like solution would have more of an immediate impact on debit card transactions rather than credit card spend.

From The Future of Zapp and Other Musings on MasterCard and VocaLink

Secondly, if a push payment debit-like in-app and in-browser alternative to the traditional debit card which did not run through the card network but through the Faster Payment Service (FPS) is attractive enough for consumers to want to use then merchants will have to accept it and potentially pay more than they do for existing debit cards (which they will do, because the push product will have more attractive rules and rights) and that will give scope for MasterCard to offer rewards of one kind and another.

Somehow this takeover didn’t make the news headlines, but mark my words it was one of the most significant events in the evolution of the UK payments industry since Reg Varney got a tenner out of that first ATM in Enfield half a century ago. It’s a significant milestone on the road to #cardmaggedon, and it’s not only me who thinks this. Using mobile phones to make instant payments is going to impact the use of traditional plastic cards and plastic card products. Not just because the card will vanish into the phones but because the products themselves will be reinvented for the new age.

As ANZ rolls out Android Pay to its customers, the Australian bank’s chief executive Shayne Elliott has predicted that mobile payments could displace plastic cards in well under a decade.

From ANZ chief predicts mobile will kill off cards in less than a decade – BayPay Members Blogs

This is exactly what Anthony Jenkins said (when he was head of Barclaycard, before he was the CEO of Barclays) when he said, as memory serves, that mobile phones would get rid of cards long before they get rid of cash. But I think the change is more profound than he was thinking about back in the day.

The mobile phone isn’t just going to get rid of the 1940s embossing and 1950s card and the 1960s network and the 1970s magnetic stripe and the 1980s chip and the 1990s online card-not-present use and the 2000s 3D secure and keep only the 2010s network tokenisation in devices but it is going get rid of the whole bundling of PAN-based payment with credit and fraud management and merchant guarantee. The push for push, as they say (or, at least, I say) is inexorable.

The nice people at Breaking Banks invited me on to their radio show this week to comment on the impressive rise in card counterfeiting in the US, as reported in the Wall Street Journal.

Criminals are stealing card data from U.S. automated teller machines at the highest rate in two decades, preying on ATMs while merchants crack down on fraud at the checkout counter.
[From Theft of Debit-Card Data From ATMs Soars – WSJ]

The figures are astonishing: compromises at bank ATMs up a couple of hundred percent in the first quarter, comprises at non-bank ATMs up more than three hundred percent! What is being stolen is the data from the trivially-counterfeitable magnetic stripe on the back of the card (“skimming”). This data can only be used to make counterfeit magnetic stripes: you can’t use it make clones of the chips on the cards. Hence the data is only useful if you can find somewhere that will let you pay for something using a magnetic stripe copy of the trivially-counterfeitable magnetic stripe. Oh wait, I know somewhere..

Yep. The USA. Skimmed card data from around the world makes it way to America, which is why payment card fraud losses there are so a greater of world losses (double, in fact) than payment card volume is of world payment card volume.

Total global payment-card fraud losses were $11.3 billion in 2012, up nearly 15% from the prior year. The United States—the only country in which counterfeit-card fraud is consistently growing—accounted for 47% of that amount, according to the Nilson Report
[From Skimming off the top | The Economist]

Now, we all know that in the long run the way get round this is to get rid of trivially-counterfeitable magnetic stripes (and the use of card numbers online, but that’s a different story) and use chip and PIN instead (actually, in terms of fraud reduction it’s the PIN that’s doing the heavy lifting, the chip not so much). And, indeed, chips are making their way on to US cards at last, just in time to be rendered obsolete by Apple Pay, Android Pay, PayPal Venmo, Samsung Pay and the like.

However, most ATMs don’t yet accept the [chip] technology, though J.P. Morgan Chase & Co. and Bank of America Corp. have recently begun to install the more advanced machines
[From Theft of Debit-Card Data From ATMs Soars – WSJ]

Actually, this won’t stop the card data from being stolen. All of the ATMs in the UK read chip but you still have to put the card into a slot that can read stripes from the legacy cards carried by American tourists. Since you have to put the card into a slot, the fraudsters can still fit their devilish devices to the machines and read the stripe as you push the card through. Then they steal the PIN by shoulder-surfing or keypad cover plates or hidden cameras or whatever. This has been going on for ever. Here’s what I wrote about it eight years ago.

Fraud on UK cards overseas has increased because the stripes are counterfeited and the PINs are then used to withdraw cash at foreign (non-chip & PIN) ATMs.
[From Card fraud in the UK]

So where do we go? Well, one obvious way would be to simply decline all stripe transactions made using chip and PIN cards, but I have chip and PIN cards that I still use in card swipes when in the US so this might generate too many customer service calls. Another way would be to let me use my mobile app to turn my debit card on and off, and for someone like me who rarely uses a debit card (basically for ATM withdrawals only) this might work. But another idea might be to stop me from having to put my card into a slot.

Spain’s CaixaBank has commissioned Fujitsu to build 8,500 ATMs with contactless capabilities.
[From Spanish bank spends €500m on contactless ATMs]

My debit card has been contactless for years, yet I’ve never seen one of my bank’s ATMs with a contactless interface as CaixaBank has. But my bank has an excellent mobile app too, and surely there must be some way of using this instead of a card when I nip out for a late-night legal high just before the government ban comes into force.

With the new CommBank app and its Cardless Cash feature, you can withdraw cash from over 3,000 ATMs without your card.
[From Cardless Cash with the new CommBank app – CommBank]

Unfortunately my bank doesn’t yet have cardless withdrawals either, but it does have an excellent text message authentication and alert system that deals with the ATM problem, so if my card gets ripped off it’s harder to use and, to be fair, although I’ve used my card in some pretty dodgy-looking ATMs, to the best of my knowledge it’s not been skimmed.

Mobile is surely the way forward though, isn’t it? Perhaps my bank could put in some mini-ATMs at branches: no keypad, no screen, just a contactless reader and cash dispenser. I tell my bank app how much I want to withdraw and than tap the phone on the reader and the cash pops out. This way, the bank app can send a token instead of the real card details and the criminals will leave my account alone and move on to easier pickings.

Doing away with card and PIN entry is possible because the mobile phone provides for an effective alternative identification and strong authentication mechanism. There are other strong identification methods that could be used though, like the finger vein readers used in some countries. My favourite suggestion is…

You stand at the ATM but, instead of producing your card and PIN, you unbutton your trousers while a dachshund, trapped in the machine, sniffs around your intimate regions, identifying you by your unique scent.
[From ATM dog: Forgotten your pin? Please join the queue for the dachshund | Technology | The Guardian]

Using the dog’s nose as a biometric system to identify people is actually rather an old idea. In fact I wrote this about it eight years ago.

if I could integrate an odour detector and analyser with the power of a dog’s nose into a chip in my laptop, then my laptop would know who else was in a room with me, because dogs can easily discriminate between different people.
[From Going to the dogs]

I rather keen on smell as a biometric, but whether this particular implementation will overcome the embarrassment of being seen drawing out cash in a public place, I can’t say.

Tag: debit card

MasterCard and VocaLink is a big deal

Breaking ATMs