NFC isn’t the real reason for Apple Pay

As I am sure many of you will remember, the thing I was most wrong about – ever – on the Tomorrow’s Transactions blog was that I was convinced that Apple would not bother with an NFC interface for the iPhone. Luckily, my blog is not a blockchain, so I could go back and delete this post if I wanted to. But I am gentleman and man of integrity and I cannot do sufficient violence to my conscience to rewrite history in this fundamentally misleading way. Hence my error stands as testimony to my integrity. My reasoning at the time of this broadcast error was that since “app and pay” would eventually come to dominate “tap and pay”, I thought that Apple would focus on the big picture and ignore the age-old card/POS interface. I assumed that they would use Bluetooth, wifi and mobile to link the customer and merchant and eventually dispense with the card in the middle, whether using stripes, chips or NFC. At that time, we had already built an HCE-over-BLE app for a project that we were involved in, so I knew that we could easily obtain better-than-chip-and-PIN security without having to tap anything, and I thought Apple would just ignore it: what did they care, I reasoned, if you can’t use your iPhone to ride the bus* in London?

Well, I was wrong. Apple implemented their own sort-of-NFC (they did not implement the full NFC standard) and they locked down the interface so that third-parties could not gain access. They implemented just enough to get the banks to spend gazillions on the tokenisation infrastructure that was needed to bring that better-than-chip-and-PIN security to online and mobile commerce. Well, it worked. They have created a secure and convenient payment platform. As I wrote before…

Select Apple Pay, thumbprint, done. Why isn’t all in-app purchasing like this. Come to that, why isn’t all purchasing like this. Actually, it soon will be…

From Don’t judge mobile payments by the way they work now | Consult Hyperion

This indeed where Apple is heading, and I’m not the only one who thinks that perhaps people who were focused on the NFC interface at retail POS (and complaining that not enough retailers take it and therefore Apple Pay is a bit of a flop) were missing the bigger picture.

He says Apple Pay is appealing, but he wouldn’t switch banks just to access that one feature. “Not over that. There’s too much work involved just for tap-and-go,”

From Early days, but Apple Pay struggles outside U.S. | Reuters

You can see the point. If you already have a contactless card that works everywhere, it’s not that exciting to be able to tap your phone instead of the card. So people don’t. They already had a perfectly good solution to the card payments problem: a contactless card (or, in my case, a contactless sticker). But the fact that it’s not exciting to tap the phone just does not matter. It’s not the play. There are reasons why I love Apple Pay (especially because I have on more than one occasion forgotten my wallet when going to the office) but when I dropped my iPhone in the toilet and was on an old phone for a couple of days, it didn’t really matter that much because of my contactless Curve card in my back pocket.

The thing is: paying with a plastic credit card isn’t really that difficult. With Apple Pay, the bigger point is that it’s also a way of paying for stuff online.

From Who Cares About the New iPhone Camera? The Real Change Is Apple Pay | WIRED

Brian Rommele, who I always take very seriously about this kind of thing, says that it is already clear that Apple Pay in the browser will be a very big deal indeed. I already find it frustrating when I go to pay in-app and I have to enter a CVV against a card-on-file just as if it were 1996 all over again (I’m talking about you RingGo) instead of just thumbing it so I can see that the in-app and online experience will be transformed.

In my early testing I can confirm that the checkout abandonment rate for websites that use Apple Pay Safari will be reduced significantly.

From The Apple Pay Safari Vs. PayPal Battle For Web Transactions Is An Invalid Argument. — Medium

Who won’t use this? For Apple Pay, Android Pay, Samsung Pay and every other pay, #appandpay is way more important than #tapandpay and way, way more disruptive. Note also that it is a very short step from Apple Pay to Apple ID, where revocable identification tokens are loaded into the tamper-resistant hardware alongside the revocable EMV payment tokens…

* I use my iPhone to ride on London underground, buses and Dockland Light Railway all time. All the time. 

 

 

A funny thing happened on the way to the Forum

The Tomorrow’s Transactions Forum, that is. I arrived in good time (it’s always best to add on a few minutes to give yourself time to buy a ticket) for the 7.39 Flying Glacier to Waterloo via Misery and Degradation. 

 

Of course, Woking station has changed a lot since this picture was taken. There’s a Flying Coffee Bean on Platform 2 now.

Hurrah! When I got into the ticket hall I discovered that they have installed machines to allow you to pick up a ticket that you have purchased online. Great. I have the excellent The Trainline app on my iPhone and it is integrated beautifully with Apple Pay. So you look up the tickets you want, hit “Pay with Apple Pay”, thumb it and away you go. When you get to the station you just thumb it again and tap your iPhone on the machine, it shows you the list of tickets you have purchased, you choose the ones you want and hey presto your tickets pop out.

Brilliant.

Except it isn’t. The machines don’t work this way. You have to take a payment card with you and insert it into a slot and then type in a confirmation number that you were sent by e-mail. It’s actually quicker just to go to one of the other machines and buy your ticket in the usual way.

Joined Up Thinking (Not)

The new machine on the block.

I don’t get it. Surely the Apple Pay token used to buy the ticket can be matched to the Apple Pay token presented at the machine? You should only need to put the card in if you’re forgotten your phone or it is out of battery (and even then they should do it by implementing PARs properly).

Surely South West Trains, when they were planning these machines a few years ago, had at least heard about mobile phones even if they hadn’t actually seen any. And surely they had noticed that something was going with contactless technology? Perhaps one of the South West Train’s Executive Board had overhead their servants talking about “tapping” cards to ride the bus in London and never asked what they meant? Or did they just take it be a some new lingo below stairs, a slang term for writing out a cheque?

They must just have thought that contactless was something happening to other people.

This left me wondering if other train-like options are adopting contactless. I thought I’d give it a try at Heathrow, so I downloaded the Heathrow Express and tried a couple of times to buy a ticket to see if I could use Apple Pay, but the app asked me to scan in my credit card (presumably for some hello-1996 card-not-present transaction) then crashed, so I never to got to see it in action.

So much for joined-up thinking. The whole world is moving to contactless and mobile and the most up-to-date technology on the newest machines installed (I see they got rid of the machine for connecting by video link to customer service) is the decade-old chip and PIN reader. Come on.

Queue at Woking

OK, so sometimes there’s a bit of queue.

Why can’t we buy our tickets on our phones while riding the bus on the way and then just tap and collect when we get to the station?

The only improvement in the ticket purchasing experience at Woking station since it opened on 21st May 1838 — you still stand in line, they still take cash, they still give paper tickets — is that you no longer have to fill out a “reason to travel” form, and I wouldn’t put it past Theresa May to have these re-introduced in time for the next election.

How can we reshape retail without reshaping payments?

Well, the circus came to town again. Barcelona. It’s 100,000 people and non-stop meetings and basically no fun whatsoever. But it’s in Barcelona. The calendar is jammed from first thing in the morning until the evening, and then it’s out for dinner and drinks with customers and suppliers. Man, that Catalan pasta was delicious. It’s absolutely exhausting. My feet are killing me by coffee time and I’m not in heels. Loved that lemon beer though, never had that before. The communist traitors down the metro are on strike so we have to queue for buses. It’s lovely and sunny here. Eight halls!  Still, let’s take a deep breath and get on with it.

I’ve been interested in mobile payments for 20 years. A decade ago, Consult Hyperion was lucky enough to be chosen by Vodafone to carry out the feasibility study on M-PESA. I can remember seeing the first Nokia with a contactless chip (Mastercard) embedded in it and being blown away by the convenience. I am the archetype for the stereotype in mobile futurists presentations, the person who often leaves the house with a phone but no wallet. Last year at MWC I gave a presentation about the impending shift to in-app payments. So, you can imagine how downhearted I was to see this vista before me on arriving in the host city.

BCN ATM MWC

Yep. Twenty years of mobile payments, twenty years of presentations about mobile payments at MWC, twenty years of pilots and trials and tests and MoUs, twenty years of arguing about SIM vs. embedded vs. SE, twenty years of closed-loop and open-loop and three-party and four-party, and there’s a queue a mile long for the ATM because you can’t use your phone to by a metro ticket or ride the bus into town. Where did it all go wrong?

Why aren’t there mobile payments everywhere? In a sane world, as we landed in Barcelona our phones would automatically fire up a Barcelona app that we could use to pay for the trains and taxis, restaurants and hotels. How long would it take for your bank to issue a four day, Barcelona merchant-only token to the handset? Five seconds? Why can’t I pay in-app for my hotel? Karen Webster wrote about this too.

…when it comes to commerce and payments, well, we’re still very much making our way to first base. And that’s more than two decades after the launch of the commercial Internet and nearly a decade after the introduction of the iPhone…

From Mobile Is Everything, But Where’s The Progress? | PYMNTS.com

Karen points to the role of the carriers as a fundamental problem, and she is certainly right to note that their attempts to be toll collectors for the superhighway have been a boat anchor on progress in mobile commerce just as it will be for IoT commerce, but I wonder if there’s something more fundamental going on. What if the attempts to shoehorn the existing infrastructure (of PANs and acquirers and networks and schemes and issuers and authorisation and all the rest of it) are themselves responsible for the drag? What if we should have started again? What if we should have just said that the mobile phone gives us a mechanism to establish (and verify) the identity of everyone and once you know who the counterparts are, payments are easy. What if we should have started with mobile ID instead of taking 60+ year old way of doing a payment?

 MWC16 Digital ID Connect Societies

I was lucky enough to be asked to chair the MWC conference session on “Digital Identity for Connected Societies”. During this discussion, it became very clear to me (and, I hope, the rest of the audience) that we already have all of the building blocks that we need to create a strong identity infrastructure based on the mobile phone. If we take that architecture as a given, then what “payments layer” should be put on top of it? You know where my sympathies lie: in the “push to push”. Karen correctly, in my opinion, talks about the reshaping of retailing.

Mobile and online – together — is creatively destroying the retail model that’s been in place for millennia – a model that used to rely only on consumers and merchants coming together face-to-face to do business.

From Mobile Is Everything, But Where’s The Progress? | PYMNTS.com

Why do we think that we can reshape retail without reshaping payments? Here’s just one example: why do you give card details to the merchant? It makes no sense: it’s because you used to hand your card to merchants in shops. Surely it would make more sense to send the _invoice_ to the bank, have the bank pay it and send back the _paid invoice_ to the merchant. Why should the merchant ever seen your card, tokenised or otherwise? Since merchants are installing BLE anyway, why not just transmit the invoice over BLE to your phone and have your phone send it to the bank for payment? I’m just giving a random example, but you see my point.

Here’s what’s gone wrong: we took amazing new technologies (smart cards, mobile phones, biometrics) and used them to emulate some cardboard hack from 1949. Time to scrub off the whiteboard and start again. I make this vow here and how: if you cannot use your phone to pay the airport bus in Barcelona at Mobile World Congress 2017, then I will never go again.

Barclaycard contactless mobile is up and running

I can’t remember if I told you about this cool project that Consult Hyperion has been helping out with over the last year or so. One of our very favourite clients, Barclaycard, decided to exploit the Host Card Emulation (HCE) technology in Android mobile phones and make a payment app so that customers could pay with their phones at any of the 300,000+ contactless terminals in the UK.

Barclaycard is set to become the first financial services provider in the UK to introduce contactless payments from any NFC enabled Android phone via its app

[From Mobile App Transforms Android Phones | News | Home.Barclaycard]

Well, they started rolling it out to customers, and it’s great. It’s the Barclaycard Contactless Mobile app, and it has some interesting features that you should know about.

  • While the contactless limit in the UK is £30, with the Barclaycard app you can perform transactions up to £100 by entering you card PIN on the phone.

  • The app works with Transport for London (TfL) so you can use it to ride the bus and get on the tube.

  • Customers can choose to have “PIN to Pay” on, in which case you have to enter your PIN before all retail payments, even below £30 (except at TfL gates – even with “PIN to Pay” you can just tap and ride).

It’s been designed to be very simple to use, just a single card enabled at any time (no card clash!) and just requires the screen backlight to be on to work for payment. Here’s what it looks like.

Barclaycard HCE

You can choose between your cards and select the one that you want to be active.

Barclaycard HCE

And here’s our very own Matt Barker using the app to buy an actual coffee. When you try the app, you’ll be surprised by how fast and convenient it is.

Barclaycard HCE

And just to prove it – here’s the receipt.

Barclaycard HCE

One of the features I rather like is that they have a real-time replacement service.

Barclaycard customers will be able to use the host card emulation (HCE) function being added to the bank’s app to have lost or stolen plastic cards instantly re-issued to their mobile devices

[From Barclaycard to use HCE to instantly replace lost and stolen cards • NFC World+]

So well done to all the team up at Barclaycard. It’s a great app, and it works really well, and I’m genuinely not just saying that because we helped out. I said from the beginning that HCE would make for some interesting developments. Remember this, from a couple of years ago?

Visa’s support for cloud-based payments follows the introduction of a new feature in the Android mobile operating system called Host Card Emulation (HCE); HCE allows any NFC application on an Android device to emulate a smart card, letting users wave-to-pay with their smartphones, while permitting financial institutions to host payment accounts in a secure, virtual cloud.

[From Visa to Enable Secure, Cloud-Based Mobile Payments | Business Wire]

Now, as we said about it at the time, HCE was an earthquake. It shifted the tectonic plates (the banks, the schemes, the mobile operators, the retailers in my clumsy metaphor) and created new fault lines between them. It’s not as if we were the only people that noticed. Again, from a couple of years ago.

According to Visa head of Digital Solutions for Developed Markets Sam Shrauger, the new cloud-based implementation of its payWave service will free up the NFC payments from a few specialty digital wallets, allowing any developer to embed point-of-sale payment options into their apps.

[From Visa, Mastercard just made it much easier to buy stuff with an Android phone — Tech News and Analysis]

Sam was spot on. Anyone can use HCE to add payments to apps for retailers. But as we’ve seen since that “KitKat” announcement, organisations can also use HCE to add loyalty, ticketing, travel, coupons, access control and all sorts of other fun stuff to their apps! So if you want to take your Android app and figure out how to add secure, reliable tap-and-go magic, give us a call!

Doing something about US card fraud

OK, OK, so we all know that the world’s card fraud has been steadily migrating to the US because the rest of the world was busy adopting EMV (“chip and PIN”) cards while the US insisted on sticking with magnetic stripe technology for as long as possible. You remember magnetic stripes? Signatures? 

Untitled

Chip cards reduce certain kinds of fraud over magnetic stripes cards because, basically, you can’t use stolen chip card data to make a bogus chip card but you can use stolen magnetic stripe data to make a bogus magnetic stripe card. You have to go somewhere that takes magnetic stripe cards to use it, of course: the US.

As the US experiences an unprecedented spike in fraudulent ATM cash-outs, it is reported that the US accounted for 47% of the fraudulent cross border transactions seen on UK debit cards in 2014

[From 25% jump in cross border fraud on UK debit cards – Payments Cards & Mobile]

The gap between US card fraud and card fraud everywhere else in the entire world is substantial. In fact US card fraud runs around triple the rate outside of the US. That’s a lot of money, whichever way you look at it. And remember, the reported figures for fraud are for the direct losses to the issuers – they do not take into account the money that merchants have to spend on PCI-DSS or the sales they lose because of complex authentication processes or the money that goes into data breach notifications and repair.

US fraud losses equaled 12.75¢ for every $100 in total volume last year. Fraud in all other regions combined was only 3.73¢ per $100.

[From Global card losses will exceed $35 billion by 2020, says The Nilson Report » PaymentEye]

And unless we do something about it, it’s going to get a lot worse. Why? After all, now the US has finally started switching to EMV, surely the situation should improve? Sadly , no. As well all know, EMV only help with “card present” (CP) fraud. That’s why people have been talking about the expected surge in “card not present” (CNP) fraud in the USA following on from the introduction of EMV as sure as night follows day. That’s exactly what has happened everywhere else.

While POS card fraud is expected to decline gradually in an EMV-enabled U.S. market, CNP fraud will nearly double by 2018

[From A Hole in the Balloon Analogy: The Complex Evolution of Card Fraud in the US – Javelin Strategy & Research Blog]

The US already has half of the world’s card fraud so this is an impressive effort. But hey, they’re on track because it looks as if that surge has already started – even before the EMV liability shift – and the number of fraud attempts is escalating.

Between January and July, one in 86 online transactions was an attempted fraud, compared to one in 114 for the same period a year earlier,.. That’s a 33% jump in fraud attempts in one year.

[From The Surge in Online Fraud Is Already Here]

Now, this figure may not be as scary as you think, because while the number of fraud attempts is climbing, the amount of fraud is climbing more slowly. We’re getting better at defending ourselves. And this is why I think there is some cause for optimism, even in the US. The reason is that the number of ways to fight card fraud is increasing and because, in time, the cards themselves will be supplanted by much smarter devices (i.e., phones) that have more security capabilities. Actually, whether they replace cards or not, phones are a critical component. Knowing where you are is a really big factor in working out whether a transaction is valid or not, and knowing where your phone is is a reasonable proxy. Hence my interest in initiatives like the Visa location-based fraud analytics.

Mobile Location Confirmation is an optional service for consumers that will be offered through participating financial institutions’ mobile banking applications. The service uses mobile geo-location data in real time as an additional input into Visa’s predictive fraud analytics… When a cardholder’s mobile device is in the same location as the payment transaction, the issuing financial institution can more confidently approve the transaction.

[From Tech Matters]

I love learning more about this sort of thing, so on Friday 15th January I’ll be taking part in IBM’s “Blab” on real-time fraud detection at 1pm EST. A “Blab” is a bit like a Google Hangout – so I’ll be on webcam with my chum Cherian Abraham from Experian chatting about the topic and mulling over some interesting questions. You’re welcome to come and join us!

When is an acceptance mark not a mark of acceptance?

As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange.  It is a safe bet that (with the odd exception) cash will be one of your available options.  Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?

Well, you could talk to someone, of course.  But this isn’t always possible, for instance due to language barriers.  Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.

bitcoin_accepted_in_Swindon

The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display.  The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.

I say ‘should be possible’ because, unfortunately, this is not always the case.  For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments.  Still – whilst not as convenient, the payment can still be completed via Chip & PIN.

But now adding to the mix we have a brand new acceptance mark for Apple Pay.  On the face of it, this seems a sensible decision.  After all, if you want to use Apple Pay then it’s good to know where you can use it.  But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol.  Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.

apple_pay_at_tfl

What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark.  It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction.  For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)

rorycj_at_pret

But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all.  Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay.  Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?

Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees.  As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme.  This Article provides that:

Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.

In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept.  Merchants may, for instance, choose to accept only debit cards and not credit.  Or they may choose to accept everything except higher-fee rewards cards.  “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.

To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU.  In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information.  It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.

So, when is an acceptance mark not a mark of acceptance?  Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.

We still haven’t finished talking about mobile wallets

Dgwb blog white border

I had assumed that the world had got bored with talking about mobile wallets by now, but that certainly wasn’t the case in London last week, where I had the great fun of chairing a couple of discussion panels on the topic and found new perspectives on the likely marketplace trajectory.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.