This weekend marks an anniversary. Although Consult Hyperion’s romance with smart cards had started many years before that, it will be fifteen years on Sunday that chip and PIN went live in the UK. I remember St. Valentine’s Day 2006 as if it was yesterday!
As I was scanning my list of security-related posts and articles recently, my eye was drawn by the first sentence of an article on (Google security engineer) Adam Langley’s blog, indicating that Her Majesty’s Government does not understand TLS 1.3. Of course, my first thought was that since HMG doesn’t seem to understand the principles of encryption itself, it’s hardly surprising that they don’t understand TLS. However, these aren’t the thoughts of an understandably non-technical politician but instead those of Ian Levy, the Technical Director of the National Cyber Security Centre at GCHQ – someone you’d hope does understand encryption and TLS. Now normally, I would read this type of article without feeling the need to comment. So what’s different?
Well, after the bulk of the article, which discusses how proxies are currently used by enterprises to examine and control the data leaving their organisation (in effect by masquerading as the intended server and intercepting the TLS connection), comes the following throwaway line:
For example, it looks like TLS 1.3 services are probably incompatible with the payment industry standard PCI-DSS…
Could this be true? Why would it be true? The author provided no rationale for this claim. So, again in the spirit of Adam Langley, “it is necessary to write something, if only to have a pointer ready for when people start citing it as evidence.”
Adam’s own response – again following a discussion about how the problem with proxies is their implementation, not with TLS – is that
…the PCI-DSS requirements are general enough to adapt to new versions of TLS and, if TLS 1.2 is sufficient, then TLS 1.3 is better. (Even those misunderstanding aspects of TLS 1.3 are saying it’s stronger than 1.2.)
which would seem to make sense. Not only that, but
[TLS 1.3] is a major improvement in TLS and lets us eliminate session-ticket encryption keys as a mass-decryption threat, which both PCI-DSS- and HIPAA-compliance experts should take great interest in.
In turn, Ian follows up to clarify that it’s not TLS itself that could present problems, but the audit process employed by organisations
The reference to regulatory standards wasn’t intended to call into question the ability of TLS 1.3 to meet the data protection standards. It was all about the potential to affect (badly) audit regimes that regulated industries have to perform. Right or wrong, many of them rely on TLS proxies as part of this, and this will get harder for them.
So that’s alright. TLS 1.3 is not incompatible with PCI DSS. So what is the problem? Well, helpfully, Simon Gibson outlined this in 2016:
…regulated industries like healthcare and financial services, which have to comply with HIPAA or PCI-DSS, may face certain challenges when moving to TLS 1.3 if they have controls that say, “None of this data will have X, Y, or Z in it” or “This data will never leave this confine and we can prove it by inspecting it.” In order to prove compliance with those controls, they have to look inside the SSL traffic. However, if their infrastructure can’t see traffic or is not set up to be inline with everything that is out of band in their PCI-DSS, they can’t show that their controls are working. And if they’re out of compliance, they might also be out of business.
So the problem is not that TLS 1.3 is incompatible with PCI DSS. It’s that some organisations may have defined controls with which they will no longer be able to show compliance. They may still be compliant with PCI DSS – especially if the only change is to upgrade to TLS 1.3 and keep all else equal – but cannot demonstrate this. So what’s to be done?
Well, you could redefine the controls if necessary. If your control requires you to potentially degrade, if not break, the very security that you’re using to achieve compliance in the first place, is it really suitable? In the case of the two example controls above, however, neither of them should actually require inspection of SSL traffic.
For the organisation to be compliant in the first place, access to the data must only be possible for authorised personnel on authorised (i.e. controlled) systems. If you control the system, you can stop that data leaving the organisation more effectively by prohibiting its access to arbitrary machines in the external world. After all, you have presumably restricted access to any USB and other physical storage connectors, and you hopefully also have controls around visual and other recording devices in the secured area. It is difficult in today’s electronic world to think of a situation where a human (other than the cardholder) absolutely must have access to a full card number without (PCI DSS-compliant) alternatives being available.
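As an added example (not code from the original post, nor from Consult Hyperion), here is how the first of the two controls quoted above, “none of this data will have a card number in it”, can be enforced on the controlled sending system itself, before the data reaches the TLS stack, rather than by decrypting TLS in transit. The PAN detector (a digit-run pattern plus a Luhn check), the masking routine and the `CheckEgress` wrapper are illustrative assumptions; the sample messages are constructed, and 4111 1111 1111 1111 is a widely published test card number.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// luhnValid reports whether a string of ASCII digits passes the Luhn check.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// candidatePAN matches 13 to 19 digits, optionally separated by single spaces or dashes.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// stripSeparators removes the spaces and dashes a PAN is often written with.
var stripSeparators = strings.NewReplacer(" ", "", "-", "")

// FindPANs returns every substring of text that looks like a card number and
// passes Luhn; the Luhn check filters out most order numbers and other digit runs.
func FindPANs(text string) []string {
	var found []string
	for _, m := range candidatePAN.FindAllString(text, -1) {
		digits := stripSeparators.Replace(m)
		if len(digits) >= 13 && len(digits) <= 19 && luhnValid(digits) {
			found = append(found, m)
		}
	}
	return found
}

// MaskPANs replaces each detected PAN with asterisks plus its last four digits,
// which is what a log line or support ticket should carry instead of the full number.
func MaskPANs(text string) string {
	return candidatePAN.ReplaceAllStringFunc(text, func(m string) string {
		digits := stripSeparators.Replace(m)
		if len(digits) < 13 || len(digits) > 19 || !luhnValid(digits) {
			return m
		}
		return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
	})
}

// CheckEgress applies the control "this data will never contain a PAN" to a
// payload on the sending system, before the payload is handed to TLS. Because
// the check runs where the data is still in the clear, no proxy needs to break
// the connection to provide evidence that the control is working.
func CheckEgress(payload string) error {
	if pans := FindPANs(payload); len(pans) > 0 {
		return fmt.Errorf("egress blocked: %d PAN-like value(s) found", len(pans))
	}
	return nil
}

func main() {
	// Constructed sample messages: the first carries a non-Luhn order number,
	// the second a well-known test PAN.
	samples := []string{
		"Order 1234567890123456 shipped to customer",
		"card 4111 1111 1111 1111 exp 12/24",
	}
	for _, s := range samples {
		fmt.Printf("%q -> %v\n", MaskPANs(s), CheckEgress(s))
	}
}
```

The audit evidence then becomes the endpoint's own log of blocked and masked messages, produced by a component the organisation controls, which is the kind of control redefinition the post argues for.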
So TLS 1.3 is a challenge to organisations who are using faulty proxies and/or inadequate controls already. It certainly doesn’t make you instantly non-compliant with PCI DSS.
Given this, we, as humble international payments security consultants, are left puzzled by the NCSC’s line about TLS 1.3 and PCI DSS compatibility. At worst, organisations need to redefine their audit processes to use the enhanced security of TLS 1.3, rather than degrade their security to meet out-of-date compliance procedures. But, of course, this is the type of problem we deal with all the time, as we’re frequently called in to help payment institutions address security risks and compliance issues. TLS 1.3 is just another tool in a complex security landscape, but it’s a valuable one that we’re adding to our toolkit in order to help our clients proactively manage their cyber defences.
As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange. It is a safe bet that (with the odd exception) cash will be one of your available options. Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?
Well, you could talk to someone, of course. But this isn’t always possible, for instance due to language barriers. Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.
The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display. The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.
I say ‘should be possible’ because, unfortunately, this is not always the case. For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments. Still – whilst not as convenient, the payment can be completed via Chip & PIN.
But now adding to the mix we have a brand new acceptance mark for Apple Pay. On the face of it, this seems a sensible decision. After all, if you want to use Apple Pay then it’s good to know where you can use it. But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol. Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.
What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark. It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction. For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)
But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all. Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay. Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?
Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees. As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme. This Article provides that:
Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.
In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept. Merchants may, for instance, choose to accept only debit cards and not credit. Or they may choose to accept everything except higher-fee rewards cards. “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.
To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU. In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information. It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.
So, when is an acceptance mark not a mark of acceptance? Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.
Technologically speaking, the credit card as we know it should have vanished long ago. It surely hasn’t got much longer.
The horrible truth is that payments are boring, so they are going to go away.
While I was sitting through a presentation (a very good presentation, I might add) on social media strategy for one of our client’s financial services businesses, it struck me that they were slightly misjudging the more interactive and transactional nature of social media, doing great stuff but treating social media as another customer communication channel. I’m naturally more interested in social media for transactions: social commerce. I’ve given a couple of talks about this recently, pointing out the opportunities that social commerce opens up.
One prediction says social commerce will top $30 billion globally by 2015 with Facebook-generated sales one of the primary drivers.
There are many different ways that financial services organisations can exploit this. A good example, to my mind, is the way in which Amex works with Foursquare.
Just after announcing that it passed 10 million users, location-based check-in service Foursquare has said it is partnering with American Express to give members even better deals when they check in at merchants’ stores across the country.
This is a terrific proposition and it’s well implemented (through statement credits, so no coupons or vouchers or anything are needed). And, to follow this example, Amex also has a Facebook page where its large number of fans can come to learn about products and services, share with the community of card holders and so on. Great stuff. And it isn’t only financial services organisations that are integrating themselves into social media to create new kinds of social commerce.
That is because the well-known mobile service provider is now allowing its customers to log on to Facebook to purchase phone credit.
Wow, that’s pretty interesting.
Pre-paid subscribers will now be able to access a secure app on the social networking website, where they will put in credit card details in order to purchase top ups.
Credit card details? Not Facebook credits? But you get the picture. Something like Facebook can be used to create a more intimate transactional environment without having to develop software, making it easy for consumers to “friend” and “like” and so forth. Personally, I don’t find this sort of thing particularly appealing because to me it’s the wrong kind of social relationship: I want something more granular.
Here’s what I mean. I don’t want to be friends with my bank — after all, I’m a typical consumer so I hate banks — but I do want to be friends with my bank account. Why can’t Barclays let me friend my current account so I can see its status updates like “Premium card fee £10.00”, “Direct Debit British Gas £37.85” and “Counter Credit £5.00” and so forth? I quite like the text messages that Barclays sends me but would prefer something more immediate and more detailed (I often call this “streaming commerce”) so that I can make decisions and respond.
Similarly, I don’t especially want to be friends with MBNA, but I do want to be friends with my MBNA American Express card. I’m using “friend” generically, of course, I don’t mean to imply that Facebook is the one and only way to implement a social media strategy.
Facebook usage in the UK fell nearly 4pc in July to its lowest level since 2009, sparking concerns that the social network has hit its peak and may be declining in popularity.
I don’t use Facebook that much — it’s really for sharing with my brother and sister, other family members and a few old friends — and I’ve not got a crystal ball to see whether we’ll still be using it in a couple of years.
Many of the smartest people I know are leaving Facebook as well. I predict we’ll see many people leaving over the coming months and adopting Twitter.
My idea would work even better with Twitter though. Suppose Twitter made a small change to their system so that a user could opt to be in “secure” mode. A secure mode user can only be followed (or searched) by users in their “secure list” or whatever. Then, my MasterCard could be secure user “mc-53XX-XXXX-XXXX-XXXX” and the only name in its secure list would be “@dgwbirch”. Now, when anyone else tries to follow or search mc-53XX-XXXX-XXXX-XXXX they see nothing.
I’d love to follow my John Lewis MasterCard on Twitter in this way instead of having to log in to find out what it’s been up to. Since I use Twitter all day and every day anyway, it would be a much better channel for payment products to develop a more intimate relationship with me. And think of the practical benefits: if I get a tweet from my debit card telling me it’s just been used to withdraw money from an ATM in Belarus, I can call Barclays right away to block it from further misbehaviour. This doesn’t seem terribly complex: all Barclays need to know is my Twitter name and then it can use the Twitter API to post tweets and only allow me to follow them.
If I could follow my transactional instruments, I could also (in time) feed their tweets, status updates, notifications and so on into other software for mash-ups. I don’t know what kind of mash-ups – I’m not smart enough for that – but I’m sure there are people out there who could do great stuff with the data. So a plea to my account, card and service providers: I don’t want to be friends with you, because you are corporations and not mates, but I do want to be friends with my stuff: my money, my cards, my phone. How hard can it be?
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.
Our good friends at Glenbrook summarised the final outcome of the Durbin process:
Debit interchange cap – $0.21 plus 5 bps (for both signature debit and PIN debit)
Fraud prevention adjustment – $0.01 (interim rule)
Routing restrictions and network exclusivity – Option A (two unaffiliated debit network)
Card Present vs Card Not Present – No distinction
Now there will be a lot of comment from people far better qualified than me on what all of this will mean for the payments industry, so I don’t want to get into those specifics here, but there’s something that bothers me about the whole thing. I went back to Steve Bartlett’s article on Durbin in the EFPLP [Bartlett, S. Announcing the death of the debit card in E-Finance & Payments Law & Policy (Mar. 2011)] and it prompted me to have another reflection on the Durbin process as it seems (to a foreigner!).
Plenty of lawmakers are anguished about their swipe fee position, but largely because they’re worried about falling out of favor with good friends in the corporate world.
I think what this means is that they knew that government price-fixing is wrong, but that big companies (particularly retailers) spend a lot of money on lobbying. This isn’t something to be cynical about, it’s just the real world. I’m happy to offer these lawmakers a solution though. Why not go down the European route and create a regulatory framework that allows competition from non-banks? There is no reason for payments to be a banking business, and competition rather than regulation is a better way to reduce costs to the rest of the economy.
There are other ways to reduce total costs too, but these mean some short-term spending (which no-one wants to do) in order to improve the situation for the longer term (which, naturally, congressmen don’t care about).
The Federal Reserve could, and should, use the Durbin Amendment as a vehicle to move the United States onto the EMV smart card standard
Why would this save money in the long term? It’s because one of the key reasons why US debit card fees are so much higher than elsewhere is that they are predominantly signature debit transactions. Moving to PIN, and offline PIN at that, and offline completely for low-value contactless transactions, ought to kill a few birds with the same stone.
the Fed has the power to change this equation. By allowing card issuers to recover some of the costs of issuing smart cards in the form of higher interchange, it could make it profitable for banks to issue smart cards. At the same time, card networks such as Visa and MasterCard could then impose a liability shift policy, similar to that deployed in other regions
In reality though, none of the lobbying seemed to be about pursuing the best long-term strategy for USA Inc. It just all came down to fighting between banks and retailers. I assumed that banks were going to lose.
Lobbying on behalf of banks is a bit of a lost cause at the moment, so you can’t blame the retailers for striking while the iron is hot, but if Congress wants to reduce the fees paid by retailers for payments, then it should create a regulatory environment that allows new entrants to come in and provide (non-bank, if necessary) solutions to the marketplace.
Well, despite their (entirely deserved) lack of popular support, it looks as if I was wrong about the banks’ capacity to lobby. They mounted a serious campaign.
Last year US banks generated $536.9 billion of interest income, according to FDIC data, and while that is down from heights of the boom years, it is still a hefty amount of revenue. Non-interest income, which includes fees, climbed to $236.8 billion last year from $207.7 billion in 2008.
It’s very difficult to obtain an accurate picture as to what proportion of the non-interest income relates to payments. The last figure that I have that I believe to be reasonably accurate was 45%, but many commentators seem to think that this is too low. So let’s say that all of the “other” category of non-interest income reported is payments, and call it 50%. There was a paper published last year called “Banks’ Non-Interest Income and Systemic Risk” by Brunnermeier, Dong and Palia that showed that the higher the proportion of non-interest income, the greater a bank’s exposure to systemic risk. In other words, the more a bank depends on income that comes from outside of the core business of savings and loans, the more exposed it is to changes in market conditions (eg, Durbin amendment, non-bank competition, that sort of thing). I read this as meaning that it’s better for the economy as a whole if banks make less money from running debit card systems.
The lesson here is that if we want serious regulation of banks, we can’t trust it to be done by bank regulators.
Therefore, it seems to me, that the ruling wasn’t that bad for banks. If you have to have a cap, from the banks’ perspective, it might as well be this one. Retailers wanted a cap, and they got it, but the cap is high enough that banks won’t suffer a catastrophic collapse in fee income, so the banks ended up with not such a bad deal provided that they shift signature debit to PIN debit. The banks will lose some fee income because of this, retailers will pay a bit less and customers won’t see much difference because the difference won’t be passed on to them. I disagree with observers who think that Visa and MasterCard will see big trouble because of the loss of signature debit transactions. I think that Visa and MasterCard won’t be too affected because they will boost their PIN debit offerings to make them more attractive to banks and they will push PIN debit into mobile, online, retail and so on. This means that the income lost from signature debit transactions can be made up by replacing cash and other kinds of transactions with PIN debit (I think – but I’m keen to hear from others who know far more about the US market dynamics).
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.
Eric Schmidt’s very bullish comments about near-field communication (NFC) technology in the US retail market have got people talking about business models again.
Eric Schmidt, Google’s executive chairman, believes that a third of check-out terminals in retail stores and restaurants will be upgraded to allow wireless “tap and pay” from mobile phones within the next year.
These follow a series of statements by Google executives that, whether they are true or not, seem to have legitimised the technology in the eyes of a broad range of businesses.
She added that there is a ton of activity around NFC in international markets, giving the example of a successful trial of the technology that Starbucks ran in London.
I’ve never heard of this Starbucks NFC trial, so if anyone can point me in the right direction I’d really like to read up on it. But that’s beside the point. The point is that lots of people are now taking NFC seriously in the retail space and the mobile operators are developing NFC strategies. But what business model will there be for them? And what options do they have?
The question will then be how operators manage to regain relevance for their role in NFC transactions (which will come later, if at all), when the first trillion NFC interactions will have bypassed them.
You can see the problem that he is alluding to, but it may not be immediately obvious why it is such a problem specifically for operators. Look at the issue from a slightly different perspective, one that stems from security. I would argue that there are two different classes of application for NFC in mobile phones. These are, broadly speaking, “open” applications and “closed” applications. They are, broadly speaking, about interaction in the case of open applications and transaction in the case of closed applications. Such applications are, broadly speaking, easy to create in the case of open applications and difficult in the case of closed applications.
Why? Well, it’s because the closed applications need security and the open applications don’t. Open applications are things like games and business cards and “friending”, where consumers touch phones to something (which may be another phone) in order to get or exchange some information. These are what Dean means by “interactions”. Closed applications are things like payments and tickets, where real money is involved (other than the service provider’s own) and the applications must be what security professionals refer to as “tamper resistant”. They must also work, all the time and every time. These are what Dean means by “transactions”.
Working out how to implement secure electronic transactions is (I’m happy to say, since it’s a big part of Consult Hyperion’s business) difficult, complicated and interesting. It’s easy to picture how life might be with your credit card inside your mobile phone, but think what has to happen to realise that picture! How will the security keys necessary for the card application be transported across potentially insecure networks into the tamper-resistant chips (the “secure elements”, SEs) in handsets? How does the bank know that your credit card is going into your phone and not a fraudster’s? When you get a new phone, how does your card make its way from your old phone to the new one? How does the wallet application in the phone communicate with the card application in the secure element?
In the architecture developed by the transaction incumbents (by which I mean banks and telcos), the management of the closed applications is undertaken by something called a “trusted services manager”, or “TSM”, an entity that sits between the providers of closed services, such as banks and transit operators, and the mobile operators who connect to the SEs that they, in effect, own and rent out space on. This model may be disrupted, because it was founded on the assumption that the SE would be under the control of the MNO and that the TSM would have to cut a deal with the MNO to rent the SE space (what you’ll often hear telco people refer to as the “apartment model”).
In the Google play, the TSM is operated by First Data and the SE is operated by Google (it’s in the Nexus handset, not on the SIM). The operator has no control over the SE and can extract no “rent” for its use. I notice that in the Nilson report (#972, page 7) it says that the Nexus S is the only smartphone in the US market with an SE not controlled by the mobile operators: it might have said that it’s the only smartphone in the US with an SE, full stop. The operators (in the form of Isis) are not yet in the marketplace. Why are Google being so active, then? Well, here’s something I read on the Catalyst Code a while back.
Google has obviously made a decision that NFC is an opening into something more interesting and lucrative than transforming a phone into a payment card – advertising and marketing opportunities at the point of sale – the physical point of sale. And, it has done a deal with VeriFone that takes the economic sting away from the merchants who need to buy into their vision to make it work – and who have by and large turned their noses up at NFC up to this point. Layer on top of that their Google Checkout asset and their newly launched One-Pass wallet application and you have the makings of an interesting new payments player.
Karen is, as usual, spot on about this. But I’m not so sure about this…
What’s amazing is that Google was the first to connect all of these dots
This doesn’t seem amazing to me, because I’ve been involved in numerous attempts to develop mobile proximity propositions involving banks and operators and from these experiences have developed (I think) a reasonably accurate map. A month before the Google announcement, I wrote on Quora that “I’m sure [loyalty and rewards] will be Google’s strategy too. Payments are not an interesting enough application to persuade people to go out and get an NFC phone.”
So how come banks and operators didn’t connect the dots, then? Banks and operators have smart people in them, and some of them have smart consultants too. But it is very difficult to make institutional strategies for non-core businesses and have them translated into practical tactics with appropriate priorities. If you were in a European mobile operator back in 2009 and you had an idea for using NFC to create a new business, where did you go with the idea? I went into an Orange retail outlet: they are the first operator in the UK to sell a commercial NFC handset with an onboard payment application: not only did the shop not accept NFC payments but they didn’t sell any NFC tchotchkes, such as blank NFC tags. If you’re a smart kid and you get one of these phones, and you have an idea for using tags as tickets for a gig you and your mates are running… well, hard luck. This is problematic, because we need lots of people to be experimenting, developing and playing with the new interface to create the new, open applications.
In April, Nokia’s vice president for industry collaborations, Mark Selby, speaking at the WIMA NFC conference in Monaco, contended that NFC applications not securely stored on SIM cards, embedded chips or other secure elements will account for two-thirds of the revenue that NFC technology will generate through 2013.
I hope Mark won’t mind me mentioning that we discussed this over dinner a couple of weeks ago and, while I agreed with him about the market, I bored him at length with my moaning about the slow development of the ecosystem. Where are the Nokia NFC tags for kids to buy? Where are the NFC USB sticks to connect laptops and phones?
But, looking forward, there’s another issue here. This classification of open/interactive vs. closed/transactional NFC uses is too simplistic, because as the technology spreads in the mainstream, interactions will need to be secure too. When I tap my phone against an advert at the bus stop, I want to find out more about “Kung-Fu Panda 2” and not get directed to a porn site, a reverse-charge premium rate phone call to Honduras or send a text message to someone who wants to sell my mobile number to commercial organisations. I want my phone to check the digital signature on the tag and make sure that it is valid, and that it is signed by an organisation recognised by UK phone operators, or banks, or the government, or whoever. But signing the tags (which is part of the NFC standards, but which no-one uses at the moment) means that someone has to distribute keys, and certificates and all that stuff. None of this exists right now, but in the future it will have to.
So… Not only is there no ecosystem for transactions, there’s no ecosystem for interactions either. Now you can see why the mobile operators are going to have to work so hard to stay in the NFC loop. A couple of years ago they could have started to roll out the handsets for open, interactive purposes and started many communities off on experimenting with the new technology while they developed the necessary infrastructure for both secure transactions and secure interactions, but they didn’t because they couldn’t see a business case. What’s the business case for selling public key certificates so that advertisers can digitally sign tags using their internally-generated private keys?
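To make the “check the digital signature on the tag” step of the two paragraphs above concrete, here is an added example in Go; it is not part of the original post and it does not implement the NFC Forum signature record format. It models a simplified signed record, a trust list standing in for the certificates a recognised organisation would distribute, and the verification a phone would run before acting on a tag: unknown signers, altered payloads and correctly signed but disallowed actions (a tel: URI, say) are all refused. The record layout, signer identifiers, key seeds and URLs are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// TagRecord is an assumed, simplified stand-in for a signed tag record: the
// payload the phone would act on, an identifier for the signing organisation,
// and a signature over both. It is not the NFC Forum signature record format.
type TagRecord struct {
	Payload  string
	SignerID string
	Sig      []byte
}

// TrustList maps a signer identifier to the public key the phone (or the
// operator that provisioned it) has decided to trust. In a real deployment it
// would be populated from certificates issued by a recognised authority; here
// it is a plain map so the example runs offline.
type TrustList map[string]ed25519.PublicKey

// signedBytes binds the signer identity to the payload so a signature cannot be
// re-used under a different signer name.
func signedBytes(signerID, payload string) []byte {
	return []byte(signerID + "\n" + payload)
}

// SignTag produces a record signed with the advertiser's own private key.
func SignTag(priv ed25519.PrivateKey, signerID, payload string) TagRecord {
	return TagRecord{
		Payload:  payload,
		SignerID: signerID,
		Sig:      ed25519.Sign(priv, signedBytes(signerID, payload)),
	}
}

// VerifyTag is what the phone runs before acting on a tag: the signer must be
// on the trust list, the signature must verify, and the payload must be an
// action the policy allows (here only https URLs, so tel: and sms: URIs are
// refused even when correctly signed).
func VerifyTag(trust TrustList, rec TagRecord) error {
	pub, ok := trust[rec.SignerID]
	if !ok {
		return fmt.Errorf("signer %q is not trusted", rec.SignerID)
	}
	if !ed25519.Verify(pub, signedBytes(rec.SignerID, rec.Payload), rec.Sig) {
		return errors.New("signature does not verify (tag altered or forged)")
	}
	if !strings.HasPrefix(strings.ToLower(rec.Payload), "https://") {
		return fmt.Errorf("payload %q is not an allowed action", rec.Payload)
	}
	return nil
}

// Scenario builds a constructed trust list with one trusted advertiser and runs
// four tags through VerifyTag: a genuine one, one whose payload was altered
// after signing, one from a signer nobody trusts, and a correctly signed tel: URI.
func Scenario() (genuine, altered, unknown, disallowed error) {
	// Fixed 32-byte seeds make the example deterministic; real keys come from a CSPRNG.
	advertiser := ed25519.NewKeyFromSeed([]byte("constructed-seed-advertiser-0001"))
	stranger := ed25519.NewKeyFromSeed([]byte("constructed-seed-stranger-000002"))

	trust := TrustList{"film-distributor": advertiser.Public().(ed25519.PublicKey)}

	good := SignTag(advertiser, "film-distributor", "https://example.com/film-trailer")
	genuine = VerifyTag(trust, good)

	tampered := good
	tampered.Payload = "https://example.net/somewhere-else"
	altered = VerifyTag(trust, tampered)

	unknown = VerifyTag(trust, SignTag(stranger, "stranger", "https://example.org/"))

	disallowed = VerifyTag(trust, SignTag(advertiser, "film-distributor", "tel:+0000000000"))
	return
}

func main() {
	g, a, u, d := Scenario()
	fmt.Println("genuine tag:", g)
	fmt.Println("altered payload:", a)
	fmt.Println("unknown signer:", u)
	fmt.Println("disallowed action:", d)
}
```

The part the post says does not yet exist is the population of `TrustList`: someone has to issue the advertiser's certificate, get the corresponding root into the handset, and revoke it when needed, and the verification code is the easy bit by comparison.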
It’s hard to work out a conventional business case around a business that simply doesn’t exist yet, and I understand that. But I think that even three or four years ago, the consumer response to the early pilots and trials was so positive that it was clear that the technology would make the mainstream. Now that Google’s activities have served, in an odd way, to legitimise both NFC technology and the business models around it, maybe the operators should adopt a more Google-like approach to business models: start building way more cool stuff, monetise what works and then be ruthless in killing off what doesn’t.
My employer, Consult Hyperion, has provided paid professional services to some of the organisations named here in connection with products and services discussed here, but the opinions in this post are my own (I think) and presented solely in my capacity as an interested member of the general public
Someone interrupted one of my rants against cash the other day by pointing out that in the last resort, cash is the only payment mechanism that society can depend on. Their trump card was reference to the aftermath of the recent Japanese cataclysm, where following a magnitude 9 earthquake and a tsunami, the nuclear reactors didn’t melt down but the payment system did.
I think this is the wrong lesson to draw from it. Yes, there were some temporary problems with the card networks because of the disruption, but it’s important to note that this did not impact all cards: Japan has quite a rich retail payment landscape, as shown in this diagram (which I drew a couple of years ago, so it’s a bit dated, but you get the point).
I saw Nobuhiko Sugiura, Associate Dean of Chuo University Business School, give a good overview of the current situation at last year’s E-Money, Cards and Payments conference in Moscow. He said that e-money usage in Japan is growing rapidly but is still a small fraction of total consumer spending (¥1 trillion out of a total of ¥300 trillion, a 300% increase in the last three years). A third of the population use e-money and half of them (i.e., one sixth of the population) use it in their phones. It’s a competitive market, centred on non-banks, because the Japanese banks have no real interest in handling small payments given their cost base. The non-banks, as I’ve often noted on this blog, have different business models, not based on transaction fees. The railways, for example, don’t expect to earn anything from their e-money system; it’s about reducing their costs. In comparison, convenience stores want to issue e-money to reduce their cash float. The bottom line is that the use of cash at POS in Japan is “already falling” because of e-money.
After the earthquake and tsunami, the offline electronic money systems (such as Edy and nanaco) carried on working so long as there was power and the backup battery systems or generators were working, so you could still pop round to 7-Eleven and buy your staples. In fact, it was people who kept their money in cash who suffered greatly.
In Japan, lots of people — especially older people — keep their life savings in cash in their homes. (The country’s banks pay very low interest rates, so the incentive to deposit that money into bank accounts is lower than in other countries.) This is all well and good, until a tsunami destroys your home and washes your money out to sea.
That’s not to say that people didn’t want cash after the event.
The tragedy playing out in Japan this past week highlighted that in times of crisis, there’s nothing like cash in hand as the universal method of payment. By all accounts the banking system in Japan survived and is functioning well after the earthquake and tsunami – such is the level of disaster preparedness. But Mizuho, Japan’s second largest bank, reported outages in its payments and ATM networks – coincidentally as demand for cash surged.
So they wanted cash, but did they need it? In this kind of catastrophe, where the online POS network goes down but the ATM network stays up and the ATMs remain stocked with notes, you could see people going and withdrawing cash. But suppose there are no ATMs?
Imagine that there was a magnitude 9 earthquake and a tsunami in Woking (unlikely – our last natural disaster was an ice age in 18,000 BCE) and when I go round to Waitrose to buy some bottled water and rice my John Lewis MasterCard proves useless because the acquiring network is down and the ATM proves useless because the ATM has no power. The store manager at Waitrose can leave the food to rot on the shelves or he can accept a signed IOU. He could refuse all sales because the electronic payment system has failed, or he could adopt a rational fall-back strategy. We discussed this a couple of years ago, with reference to the famous case study of the Irish bank strike.
The owners of shops and pubs knew their customers very well and so were perfectly capable of deciding whether to accept cheques (or just IOUs) from those customers. And since the customers also knew each other very well, they too could make sensible decisions about which paper to accept.
If I was the manager of Waitrose after the Woking earthquake, then I would simply accept payment by writing down card numbers, or photocopying driving licences, or taking pictures of customers, or whatever. The core of the issue is identification and trust, not the payment instrument. As many media commentators noted, society in Japan did not collapse. My conclusion: natural disasters are not a convincing argument for cash.
By the way, in case anyone was wondering about the origami cranes that I was giving out in Chicago this morning… My wife is a teaching assistant in a primary school in Surrey. The seven year old brother of one of the boys who was in her class (the boys have a Japanese mother) has been spending two hours every day for the last month making these (they are a symbol of peace in Japan) to raise money for the British Red Cross appeal for Japanese tsunami victims. Consult Hyperion have purchased a hundred of these beautiful and special cranes, so if you come to our office anytime over the next couple of weeks, please feel free to pick one up with our compliments.
Around the world, when faced with new products in the payments space, banks naturally crank up their innovation departments and produce super new products and services to wow customers back. I’m joking, of course. What they actually do in many countries is go whining to the regulator and force competitors to use the banks’ legacy infrastructure. This is what just happened in India, which really ought to be a huge and dynamic market for e-, m- and new payments of many kinds.
Consequently, from 1 March, the eBay unit says merchants in India cannot receive payments from abroad of over $500 per transaction. In addition, merchants will no longer be able to use any balance in their PayPal accounts to buy goods or services. Instead all payments must be transferred into Indian bank accounts first.
Now, I’m not saying that banks are the only people who react to innovation in this way: that is, by trying to stop it. This goes on all the time.
For the last fifty years, hard disks have been increasingly super-charged gramophone records: at their heart, there is still a real disk rotating very fast on a real spindle. That’s not the only way to store data, as the memory stick revolution shows, but until now, solid state drives (which have no moving parts) have been too small and expensive to replace traditional hard disks as the main storage device for a computer. Now that’s changing, with real advantages for users as a result… Seagate’s response is to threaten to sue all the new entrants for patent infringement, while insisting that their existing market is not threatened.
At the dawn of the industrial revolution, the steam engine delivered the fundamental business school case study in this topic, something that I wrote about when I was invited to speak at the European Patent Forum back in 2009.
In his keynote address, the Czech Prime Minister Mirek Topolanek said that we had to find a balance in the intellectual property system, that it was right to let Stevenson patent his steam engine but not the screwdriver he used to build it (he didn’t explain why…).
In fact, as I discussed in this post, history teaches the opposite lesson because the patent system held back the evolution of the steam engine for a generation! But back to our business. What kind of innovation is relevant to the payments industry? This is not clear to me. On the one hand, it seems reasonable to say that…
What would be refreshing is if the focus of innovation could be pegged to the value that it delivers to the entire ecosystem, not just the engineers who get a kick out of building cool new toys.
But is this true? When Apple put together the iPod, it didn’t benefit the “entire ecosystem”. The disruptive innovations in fact devastate parts of the ecosystem, like forest fires that allow new shoots to grow. I hate to harp on about the M-PESA example, but I think it illustrates this point well. The banks complained about M-PESA and tried to stop it but fortunately failed. Now that M-PESA has 13m customers and 20,000 agents, the banks are able to deliver new services to new customers using the platform. Were they devastated by the forest fire? No: it gave them space for new shoots as well.
Where do we look for the next new shoots then? Not in banks, generally speaking, but elsewhere in the ecosystem. The payment innovations to come will be technology-enabled, which is why it’s important for businesses throughout that ecosystem to understand the new technologies relevant to payments and, just as importantly, understand the business model ramifications of seemingly dreary technology architecture decisions being made by nerds right now. While they will be technology-enabled, though, it’s the sustainable new business model that is the key. A good example of this is Square.
…if Square can provide just enough added-value with their app to get traction in the small business sector (they are already processing a million dollars a day), then when new payment technologies come along (eg, NFC phones that can accept payments from contactless cards) the merchants will just expect Square to handle them for them. We have long been advising clients that the key disruptive role of mobile phones in the payments world is the ability to take payments, not to make them.
And we still do, in fact. I think Square is an interesting innovation case study. It does not compete with existing acquirers, but opens up the market so that more people can accept card payments.
So where is Square seeing the most traction? Without a doubt, small businesses, independent workers and merchants comprise most of Square’s rapidly growing user base. The technology only requires its tiny credit card scanner that fits into your audio jack and Square’s app. The device and the software are free, but Square takes a small percentage of each transaction (2.75% plus 15 cents for swiped transactions).
In a way, this is a real-world PSP and a fascinating niche play in a large volume-driven acquiring market, one that can be seen to adumbrate mobile disruption and our projection that the mobile-phone-as-POS meme will be more revolutionary than the mobile-phone-as-card meme. But there’s something else to it as well. Conventional acquirers use conventional methods to assess applications.
Square’s qualification rules are more relaxed than those of standard credit card processors. There are no initiation fees or monthly minimums, and when merchants apply for a reader, Square doesn’t just focus on a credit check, but also takes into account the influence a company holds on Yelp, Twitter or Facebook.
That, it seems to me, is more of a window into the coming economy based on the reputation interweb (or web 3.1, as I propose to call it, to avoid clashing with web 3.0). Can you imagine Barclays Business or Streamline giving you a merchant acquiring account according to the number of twitter followers you have rather than your trading history or bank references?
By the way, I can’t remember if I’ve blogged this before but one of my favourite stories about accepting merchants for acquiring accounts goes back more than a decade to the hazy days before the LastMinute flotation. I was doing some work over at what was then NatWest Capital Markets, who had invested millions in LastMinute, when they went berserk because NatWest Streamline wouldn’t give LastMinute a credit card acquiring account because it didn’t have two years’ trading history!