Tag: payment cards

Some observations on Japan

4th May 2011by Consult Hyperion2 Comments

Someone interrupted one of my rants against cash the other day by pointing out that in the last resort, cash is the only payment mechanism that society can depend on. Their trump card was reference to the aftermath of the recent Japanese cataclysm, where following a magnitude 9 earthquake and a tsunami, the nuclear reactors didn’t melt down but the payment system did.

I think this is wrong lesson to draw from it. Yes, there were some temporary problems with the card networks because of the disruption, but it’s important to note that this did not impact all cards: Japan has quite a rich retail payment landscape, as shown in this diagram (which I drew a couple of years ago, so it’s a bit dated, but you get the point).

I saw Nobuhiko Sugiura, Associate Dean of Chuo University Business School, give a good overview of the current situation at last year’s E-Money, Cards and Payments conference in Moscow. He said that e-money usage in Japan is growing rapidly but still a small fraction of total consumer spending (¥1 trillion out of a total of ¥300 trillion, a 300% increase in the last three years). A third of the population use e-money and half of them (ie, one sixth of the population) use it in their phones. It’s a competitive market, centred on non-banks because the Japanese banks have no real interest in handling small payments because or their cost base. The non-banks, as I’ve often noted on this blog, have different business models, not based on transaction fees. The railways, for example, don’t expect to earn anything from their e-money system, it’s about reducing their costs. In comparison, convenience stores want to issue e-money to reduce their cash float. The bottom line is that the of cash at POS in Japan is “already falling” because of e-money.

After the earthquake and tsunami, the offline electronic money systems (such as Edy and nanoco) carried on working so long as there was power and the backup battery systems or generators were working, so you could still pop round to 7-Eleven and buy your staples. In fact, it was people who kept their money in cash who suffered greatly.

In Japan, lots of people — especially older people — keep their life savings in cash in their homes. (The country’s banks pay very low interest rates, so the incentive to deposit that money into bank accounts is lower than in other countries.) This is all well and good, until a tsunami destroys your home and washes your money out to sea.
[From Schneier on Security: Unanticipated Security Risk of Keeping Your Money in a Home Safe]

That’s not to say that people didn’t want cash after the event.

The tragedy playing out in Japan this past week highlighted that in times of crisis, there’s nothing like cash in hand as the universal method of payment. By all accounts the banking system in Japan survived and is functioning well after the earthquake and tsunami – such is the level of disaster preparedness. But Mizuho, Japan’s second largest bank, reported outages in its payments and ATM networks – coincidentally as demand for cash surged.
[From The end of cash for payments? Not so fast! – Microsoft Perspectives on Payments and Core Banking in Financial Services – Site Home – MSDN Blogs]

So they wanted cash, but did they need it? In this kind of catastrophe, where the online POS network goes down but the ATM network stays up and the ATMs remain stocked with notes, you could see people going and withdrawing cash. But suppose there are no ATMs?

Imagine that there was a magnitude 9 earthquake and a tsunami in Woking (unlikely – our last natural disaster was an ice age in 18,000 BCE) and when I go round to Waitrose to buy some bottled water and rice my John Lewis MasterCard proves useless because the acquiring network is down and the ATM proves useless because the ATM has no power. The store manager at Waitrose can leave the food to rot on the shelves or he can accept a signed IOU. He could accept no sale because of flaws in the electronic payments or he could develop a rational fall-back strategy. We discussed this a couple of years ago, with reference to the famous case study of the Irish bank strike.

The owners of shops and pubs knew their customers very well and so were perfectly capable of deciding whether to accept cheques (or just IOUs) from those customers. And since the customers also knew each other very well, they too could make sensible decisions about which paper to accept.
[From Digital Money: Payments without banks]

If I was the manager of Waitrose after the Woking earthquake, then I would simply accept payment by writing down card numbers, or photocopying driving licences, or taking pictures of customers, or whatever. The core of the issue is identification and trust, not the payment instrument. As many media commentators noted, society in Japan did not collapse. My conclusion: natural disasters are not a convincing argument for cash.

By the way, I case anyone was wondering about the origami cranes that I was giving out in Chicago this morning… My wife is a teaching assistant in a primary school in Surrey. The seven year old brother of one of the boys who was in her class (they boys have a Japanese mother) has been spending two hours every day for the last month making these (they are a symbol of peace in Japan) to raise money for the British Red Cross appeal for Japanese tsunami victims. Consult Hyperion have purchased a hundred of these beautiful and special cranes, so if you come to our office anytime over the next couple of weeks, please feel free to pick one up with our compliments.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Innovation is technology-enabled

26th April 2011by Consult HyperionLeave a comment

Around the world, when faced with new products in the payments space, banks naturally crank up their innovation departments and produce super new products and services to wow customers back. I’m joking, of course. What they actually do in many countries is to going whining to the regulator and force competitors to use the banks’ legacy infrastructure. This is what just happened in India, which really ought to be a huge and dynamic market for e-, m- and new payments of many kinds.

Consequently, from 1 March, the eBay unit says merchants in India cannot receive payments from abroad of over $500 per transaction. In addition, merchants will no longer be able to use any balance in their PayPal accounts to buy goods or services. Instead all payments must be transferred into Indian bank accounts first.
[From Finextra: RBI forces PayPal to restrict payments to Indian merchants]

Now, I’m not saying that banks are the only people who react to innovation in this way: that is, by trying to stop it. This goes on all the time.

For the last fifty years, hard disks have been increasingly super-charged gramophone records: at their heart, there is still a real disk rotating very fast on a real spindle. That’s not the only way to store data, as the memory stick revolution shows, but until now, solid state drives (which have no moving parts) have been too small and expensive to replace traditional hard disks as the main storage device for a computer. Now that’s changing, with real advantages for users as a result… Seagate’s response is to threaten to sue all the new entrants for patent infringement, while insisting that their existing market is not threatened.
[From Public Strategy: Innovator’s irony]

At the dawn of the industrial revolution, the steam engine delivered the fundamental business school case study in this topic, something that I wrote about when I was invited to speak at the European Patent Forum back in 2009.

In his keynote address, the Czech Prime Minister Mirek Topolanek said that we had to find a balance in the intellectual property system, that it was right to let Stevenson patent his steam engine but not the screwdriver he used to build it (he didn’t explain why..).
[From Patent error | 15Mb: yet another blog from Dave Birch]

In fact, as I discussed in this post, history teaches the opposite lesson because the patent system held back the evolution of the steam engine for a generation! But back to our business. What kind of innovation is relevant to the payments industry? This is not clear to me. On the one hand, it seems reasonable to say that…

What would be refreshing is if the focus of innovation could be pegged to the value that it delivers to the entire ecosystem, not just the engineers who get a kick out of building cool new toys.
[From Payment Gadgets at The Catalyst Code]

But is this true? When Apple put together the iPod, it didn’t benefit the “entire ecosystem”. The disruptive innovations in fact devastate parts of the ecosystem, like forest fires that allow new shoots to grow. I hate to harp on about the M-PESA example, but I think it illustrates this point well. The banks complained about M-PESA and tried to stop it but fortunately failed. Now that M-PESA has 13m customers and 20,000 agents, the banks are able to deliver new services to new customers using the platform. Were they devastated by the forest fire? No: it gave them space for new shoots as well.

Where do we look for the next new shoots then? Not in banks, generally speaking, but elsewhere in the ecosystem. The payment innovations to come will be technology-enabled, which is why it’s important for businesses throughout that ecosystem to understand the new technologies relevant to payments and, just as importantly, understand the business model ramifications of seemingly dreary technology architecture decisions being made by nerds right now. While they will be technology-enabled, though, it’s the sustainable new business model that is the key. A good example of this is Square.

..if Square can provide just enough added-value with their app to get traction in the small business sector (they are already processing a million dollars a day), then when new payment technologies come along (eg, NFC phones that can accept payments from contactless cards) the merchants will just expect Square to handle them for them. We have long been advising clients that the key disruptive role of mobile phones in the payments world is the ability to take payments, not to make them.
[From Digital Money: Hip to be Square]

And we still do, in fact. I think Square is an interesting innovation case study. It does not compete with existing acquirers, but opens up the market so that more people can accept card payments.

So where is Square seeing the most traction? Without a doubt, small businesses, independent workers and merchants comprise most of Square’s rapidly growing user base. The technology only requires its tiny credit card scanner that fits into your audio jack and Square’s app. The device and the software are free, but Square takes a small percentage of each transaction (2.75% plus 15 cents for swiped transactions).
[From Square Now Processing Millions Of Dollars In Mobile Transactions Every Week | TechGoo]

In a way, this is a real-world PSP and an fascinating niche play in a large volume-driven acquiring market, one that can be seen to adumbrate mobile disruption and our projection that the mobile-phone-as-POS meme will be more revolutionary than the mobile-phone-as-card meme. But there’s something else to it as well. Conventional acquirers use conventional methods to assess applications.

Square’s qualification rules are more relaxed than those of standard credit card processors, There are no initiation fees, monthly minimums, and when merchants apply for a reader, Square doesn’t just focus on a credit check, but also takes into account the influence a company holds on Yelp, Twitter or Facebook.
[From Square Now Processing Millions Of Dollars In Mobile Transactions Every Week | TechGoo]

That, it seems to me, is more of a window into the coming economy based on the reputation interweb (or web 3.1, as I propose to call it, to avoid clashing with web 3.0). Can you imagine Barclays Business or Streamline giving you a merchant acquiring account according to the number of twitter followers you have rather than your trading history or bank references?

By the way, I can’t remember if I’ve blogged this before but one of my favourite stories about accepting merchants for acquiring accounts goes back more than a decade to the hazy days before the LastMinute flotation. I was doing some work over at what was then NatWest Capital Markets, who had invested millions in Lastminute, when they went beserk because NatWest Streamline wouldn’t give LastMinute a credit card acquiring account because it didn’t have two years’ trading history!

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Licensed operators

13th April 2011by Consult Hyperion1 Comment

France has been in the forefront of the NFC revolution, with an early commitment to cross-industry co-operation, considerable work on standards and models and an aggressive timetable for getting phones into the market. Remember this?

A dozen French cities plan to launch wide-scale contactless payment and information service on mobile phones with the backing of the ministry of industry, reports Les Echos. The city projects approved under the initiative will receive state assistance for consultancy and engineering, but no other subsidies are planned at this stage.
[From Aid from French Ministry of Industry for mobile contactless cities. « Contactless & NFC City League]

You will undoubtedly recall that a few months later, the French mobile operators decided to get together with a processor and form a mobile payments proposition to launch a serious assault on the banks’ retail payment franchise.

Orange, SFR, Bouygues Telecom et Atos Origin créent une société commune pour proposer une plate-forme unique de paiement en ligne, sécurisée par le mobile.
[From Union sacrée des opérateurs mobiles dans le paiement sur Internet – OPERATEUR DE TELECOMMUNICATIONS SERVICES INFORMATIQUES ATOS ORIGIN FRANCE TELECOM SFR BOUYGUES TELECOM]

Well they’ve made their first assault on the enemy positions and have been granted a PI licence. Why would they bother, you might wonder, when polls show that the majority of consumers don’t want to use mobile payments?

The 59% of consumers who were against the idea, meanwhile, gave their reasons as: Security (79%)
[From Most French consumers not in favour of mobile payments • NFC World]

The answer is, of course, that consumers don’t know what they are talking about and it’s a waste of time asking them about anything new. Whatever they might say a priori, in all of the pilots and trials that we have been involved in, they really, really, liked mobile proximity.

But there are some real issues, and we need to address them.

Dead phone batteries. Wrong merchant terminals. Terminals turned off. Terminals unrepaired. No terminals at all.

These and other, less obvious glitches suggest contactless technology may not be the mobile payments panacea for tattered magnetic stripes and other problems with plastic cards.
[From Mobile Payments Inheriting the Problems of Contactless – American Banker Article]

Well, yes and no. (I am a consultant, after all). Let’s have a look at these

Dead phone batteries. NFC is interoperable with the existing contactless payments and ticketing systems. As you may have noticed, your Oyster card doesn’t have a battery in it: that’s because it is powered through the electromagnetic field of the terminal you touch it to, and the same is true for the NFC interfaces in phones: if the phone has no battery you may not be able to access your m-wallet to check your transactions, redeem coupons and so on, but you will be able to to use it pay in a shop and ride the subway.

Wrong merchant terminals. I don’t think this will an issue. Right now there are some problems with some cards not being accepted in some terminals, but this is the result of standards problems three or four years ago. The contactless EMV standard should interoperate seamlessly. Some of the terminals are certainly “wrong” from the point of view of consumer experience, but that’s a different thing.

Terminals turned off. Fair enough, I do see this from time-to-time. But it’s a teething problem. There is a problem with terminals being turned off after the merchant has rung up the purchase and then having press some more buttons to turn it on, but that’s an implementation issue.

Terminals unrepaired. I don’t think this is a long term problem. Contactless terminals (since they have no slot or contacts) are considerable more reliable in practice than contact or stripe terminals. Experience from other sectors suggests to me tha tthe cost of maintaining an estate of contactless terminals is less than half the cost of maintaining an estate of conventional terminals.

No terminals at all. This, I think, is the real problem. When I was last in the US, I saw contactless terminals in places where they didn’t really have much impact, like in CVS. But in the places where contactless would have really helped and speeded things up — BART machines, airport carts, Coke machines and so on — nothing.

The point is, that those are real issues that do need dealing with, whereas what the public says are their concerns, such as about the security are, in my opinion, not real issues and it should be handled through marketing communications. Oh, wait…

85% of users said they considered the protocols for operating with the NFC system to be sufficiently secure.
[From Sitges trial results: Consumers pay more often and spend more with NFC phones than with cards • NFC World]

This must be a translation from Spanish, because I’m not sure that “protocols for operating with the NFC system” translates properly in English, but it’s good news all the same. I’m not saying that everything is perfect in the NFC world. Even in France, where progress has been slow despite the commitment of major banks and operators. It’s still a new technology.

The problems are one of the main reasons bank Crédit Mutuel-CIC has held back on launching its m-payment service, according to Patrice Hertzog, payment systems manager for Crédit Mutuel-CIC. He said it has been difficult for the bank’s trusted service manager, Gemalto, to set up and manage the bank’s PayPass application on SIM cards produced by other vendors, such as Oberthur Technologies.

The problems have occurred despite much standards work by the French Association Française du Sans Contact Mobile, or AFSCM, and prior trials involving multiple French banks, mobile operators and vendors.
[From ‘Open’ Battles Break Out Among NFC Vendors Over Android | NFC Times – Near Field Communication and all contactless technology.]

To be honest, this suggests that vendors are not building TSMs from scratch based on the new standards but are putting wrappers around their existing card personalisation systems. That sort of thing is, to me, more of a real issue than incorrectly worrying about what the public think, but whatever. Things are moving. Even in the US, the new technology is getting a foothold and there will soon be TSMs there too.

The joint venture formed by U.S. mobile carriers to launch NFC-based mobile payment… has selected France-based Gemalto to download and manage payment and other secure applications on NFC phones to be used in pilots expected to be held in three to four cities during the second half of 2011
[From U.S. Carrier Joint Venture Chooses a Trusted Service Manager | NFC Times – Near Field Communication and all contactless technology.]

There’s plenty of activity in the US as elsewhere, and since I’ve been looking at the US for clients recently I was interested to read about the work done by the Federal Reserve Banks of Atlanta and Boston. This work suggests that the success factors for the US will rest on the evolution of an open eco system for NFC.

The mobile infrastructure would likely be based on Near Field Communications (NFC) contactless technology resident in a smart phone and merchant terminals.

Ubiquitous platforms for mobile should leverage existing rails, including the ACH network for non-card payments, and support new payment types that meet emerging needs.
Some form of dynamic data authentication would be at the heart of a layered mobile payments security and fraud mitigation program.

Standards would be designed, adopted, and complied with through an industry certification program to ensure both domestic and global interoperability, including a standard to ensure that devices used to facilitate mobile payments do not create any electronic interference problems.

A better understanding of a regulatory oversight model should be developed in concert with bank and non-bank regulators early in the effort to clarify compliance responsibilities.

Trusted Service Managers should oversee the provision of interoperable and shared security elements used in the mobile phone.
[From Mobile Payments in the United States Mapping Out the Road Ahead – Boston Fed]

On that final point, things are already moving.

The joint venture formed by U.S. mobile carriers to launch NFC-based mobile payment… has selected France-based Gemalto to download and manage payment and other secure applications on NFC phones to be used in pilots expected to be held in three to four cities during the second half of 2011
[From U.S. Carrier Joint Venture Chooses a Trusted Service Manager | NFC Times – Near Field Communication and all contactless technology.]

So there’s plenty of activity in the US as elsewhere and plenty of organisations are looking at how the move to mobile proximity may impact their businesses.

A white paper that outlines the survey findings, including how the most forward-thinking financial institutions are building a business case for mobile payments, is available at http://www.fiserv.com/mobilestrategy.
[From Forward-Looking Financial Institutions Focused on Mobile Payments Business Case, Says Fiserv Survey – pymnts.com]

I couldn’t help but think, as I read this, that the very act of building a business case for something like this is fundamentally backward-looking, trying to shoehorn something that is the basis of a new value network into the existing business models. The report says that the factors that the FIs evaluated across these business lines included customer retention and profitability, cost reduction, revenue generation and retention, increased customer engagement and competitive parity. When I looked at the revenue generation part of it, though, it only referred to revenue generation in terms of debit card transactions and keeping the connection to the DDA. This isn’t how forward-looking organisations are thinking about revenue generation from mobile payments, they are thinking about delivering entirely new products and services that are simply not possible in conventional (ie, card) environments, generating revenue from things that banks don’t do.

Google is to run tests of mobile payments at stores in New York and San Francisco in the summer, according to anonymous sources cited by Bloomberg. The search engine giant will pay for installation of thousands of NFC cash-register systems from VeriFone Systems at merchant locations, one source told the wire.
[From Finextra: Google to run commercial trials of NFC at the POS – Bloomberg]

Well, well. So while financial institutions are agonising over the business case, Google is giving out the terminals for free. It’s not hard to see why: they don’t care about the miniscule margins on the payment transaction and arguing about how to slide and dice the merchant fee, they care about building new business around knowing who is buying what and where. So leadership in the NFC space is may well shift away from the payment incumbents. Perhaps the answer to the age-old question about whether banks or operators would control the mobile payments space is… neither.

Free parking

28th February 2011by Consult Hyperion1 Comment

I’ve often mentioned that car parking represents, to me, the prosaic benchmark for e-money. Car parks are a straightforward and daily example of an environment where cash is a pain and e-money would be a better alternative. This is why I made a big deal of the fact that contactless payments never made it to my local car park, where cards have now been supplanted entirely by mobile payments. This is not true everywhere. I think I’ve mentioned before that on-street car parking is an obvious place to start contactless acquiring: no keyboard, no slot, low-maintenance, simple. Westminster started doing this last year.

From January and over a three-month period, 20 pay and display machines in the West End will be retrofitted with wave-and-pay card readers, so motorists will be able to pay car parking charges by waving a credit or debit card at a meter. According to the local authority, the project is intended to eliminate the need to carry cash around or enter chip and pin details to pay to park.
[From Westminster Council introduces contactless parking payments – 28 Oct 2009 – Computing]

I’m going to try find out what customers think about this approach. Franky, I’m sure they would rather use their Oyster cards, and here’s one reason why…

The machines also incorporate a security function that requires cardholders to confirm their identification with a chip and pin transaction on a regular basis.
[From Westminster Council introduces contactless parking payments – 28 Oct 2009 – Computing]

Hhmmm. This means having to having both a slot and a keypad, which raises costs significantly, and annoys customers when the contactless transaction fails and they are asked to insert the card and enter the PIN. I’ll put in a call to see how this went when I’m back in the office sometime. Meanwhile, the alternative apporach, of using mobiles, continues to gain ground, and it’s not only in Woking that the mobile has trumped the card.

North Devon Council has replaced its Smart card facility with a more modern, pay over the phone system called ‘RingGo’.
[From North Devon Gazette – Council winds up pre-pay parking Smart cards scheme]

It’s not favouritism, although I have mentioned RingGo here before, but I can’t help but notice that when I first went to see them (to interview them for a podcast) I thought that they were a company to watch. I’m actually one of their customers, because they operate the mobile parking at Woking station.

Councils, rail operators and other car park providers across the UK are ditching smartcard and scratchcard parking schemes in favour of streamlined, paperless RingGo.
[From RingGo Proves the Power of Paperless Parking]

I think I’ll try and get some of these guys along to the Digital Money Forum 2012, as it will be useful to learn some of the experiences from the front line. Meanwhile, I can’t help noticing that not everyone wants to remove cash from the car park. Take, for example, Wokingham council. It car park machines (according to The Daily Telegraph of 26th February 2011, p.4) took in £982,057 last year but only issued £945,417 of tickets. The discrepancy, as you might expect, comes from the machines that don’t give change, a form of institutionalised extortion. Simply arithmetic reveals that hapless motorists are thus facing a 4% service charge for using cash. It’s time to take action: councils should start making car parks cash-free as soon as possible and learn to cut their cloth. But if the car parks are cash free, and not everyone is using mobile payments, and the banks haven’t issued contactless cards to everyone yet, then how to close the gap? Well, why not have local prepaid cards that function as “town cards” as well.

PXT Payments (PXT, formerly Parcxmart) an electronic payment solutions provider, today announced the launch of its new chip-based, secure smart debit cards, designed to create a safe, local currency that boosts consumer spending in municipalities nationwide. The town of Brookline, MA, will be the first town to adopt both Parcxmart and the smart debit card program.
[From PXT Launches Chip-Based Smart Debit Card for Cities, Towns, BIDs | Earth Times News]

I’m really interested in this kind of thing. It illustrates two points that I have been making for some time: first of all, it emphasises the role of transport in the evolution of new payment systems and secondly, it touches on the role of local parallel and alternative payment systems as a potential growth area. Fortunately both transport payments and alternative payments have their own expert panel discussions set aside at the 2011 Digital Money Forum so we’ll be able to explore both topics in detail. (Coincidence? You be the judge!)

Holding court

26th February 2011by Consult Hyperion1 Comment

When I was in Beijing I decided to try and eat some “real” Chinese food as opposed to the stuff in the hotels and tourist joints. In one of the guide books I spotted a suggestion for a cheap food court downtown where you can try and bunch of different dishes from different cooking traditions. So off I went. It was great, despite the fact that the menus and adverts were all in Chinese with no English translation. So I walked around and pointed at things that looked good (eg, not the skinned bullfrogs). I had some great food, learned to eat fried egg with chopsticks and had some wonderful fresh juice too. So why am I posting this here?

Well, the court had an interesting payment system. At the entrance is a booth where you buy a prepaid contactless card, much like an Oyster card. Inside the food court – which was big, with lots of stalls – there is no cash. When you buy something, they tap your card and off you go. Fast and convenient. When you leave, you either keep the card for next time or you can return it to the booth for a refund.

This seemed very beneficial to the retailers: no cash handling, no wasted counter space, no “shrinkage”, no counting, no security, no bank runs. Why don’t they do this at Glastonbury? Or Westfield? Or in the food court in The Friary in Guildford? Put it in the lease that the retailers have to have contactless terminals and offer a prepaid mall-branded card (like they do at the Trafford Centre, but rechargeable) with special offers. Just a suggestion.

China as a whole is cash-centric, but in Beijing many of the shops and restaurants take cards. I’ve been using my Travelex prepaid Visa card US dollar card while here and I have to say it has worked perfectly so far. Some shops ask for the PIN, some ask for PIN and signature, some ask for signature, but it’s always worked. And it worked in the ATM when I quickly needed to cash for a taxi. I left my credit cards locked up in the room safe and only took cash and prepaid when out and about.

Talking about cards, I had an annoying experience yesterday. It was a lovely spring day and the wind had blown away the pollution, so we looked in the guide book and ended up deciding to go for a bike ride (Beijing is very flat). We choose Bike Beijing and booked a tour. When we got there, however, it turned out that they don’t take cards. And I didn’t have enough cash. I was thinking about borrowing one of their bikes to cycle to an ATM when they mentioned that although they don’t take cards, they do take PayPal on their web site. Hurrah! So using my iPhone I logged into their web site and paid with PayPal. Off we went.

When I got back to the hotel that night, however, there was an e-mail from PayPal saying that my account had been restricted and that I should log in and change my password, which I duly did. The next day I got an embarrassing e-mail from the nice guys at Bike Beijing saying that PayPal had cancelled the transaction. So I figured, OK, this is some annoying fraud detection system, so I’ll connect via VPN so I don’t look like I’m in China and then sort it out. I logged in and tried to send the guys their money but got “Your account is limited. Please check your Account Overview page for messages about resolving this problem.” In order to remove the limitation, I had to verify my location through my home telephone number (which, of course, I couldn’t do because I was in China and no-one was in at home), so I tried to add my mobile number to the account, but however I typed it in I was told “Mobile Telephone: The phone number is not properly formatted.”, presumably because it’s not in a US format. I gave up.

I ended up having to promise the guys at Bike Beijing that I will sort this out when I get back to the UK and then send them their money. I promise I won’t send them a cheque.

The fraud trajectory

25th February 2011by Consult Hyperion2 Comments

There’s no doubt that chip and PIN is one of the key planks in the industry strategy to reduce card fraud to manageable levels (which is not the same as eliminating card fraud, note). One of the reasons why it is so secure is that is uses offline PIN verification, where the chip on the card checks that the PIN input at POS is the correct one. And since the PIN is known only to the cardholder, and they never divulge it, this provides validation that… no, wait…

Despite the strict recommendations from card providers about keeping your PIN confidential, research by shopping website VoucherCodes.co.uk has revealed that over half (59pc) of Brits are flouting the rules by sharing their bank card PIN codes and are putting their personal finances in jeopardy.
[From More than half of card users share their PIN – Telegraph]

Uh oh. But come on – anyone out there in the real world will know that it’s impossible to get through life without giving your spouse your PIN. What happens when (to pick a hypothetical example) she can’t remember what the hell she’s done with her handbag and needs to get to Homebase to buy some paint? Or (to pick a hypothetical example) a husband may have stupidly left his wallet in his desk at work but needs to get cash out at an ATM on the way to a football game. Come on – we’ve all done it (except me, I should point out to the terms and conditions chaps at Barclaycard).

The poll of 3,000 people revealed that Brits are most likely to entrust their partners with this security information, but a surprising one in twenty (5pc) adults feel that it is safe to divulge this information to their children.
[From More than half of card users share their PIN – Telegraph]

What? Not in my house they don’t. We have a Visa prepaid card for “house” use, so if the kids need to get some shopping, stuff for school or other supplies, they use that one, and I top it up online when necessary. It’s a simple way to manage money, so I’m surprised more people don’t do this: and it has the added benefit that it doesn’t have a name on it, so if it gets lost or stolen it can’t be used to start identity fraud.

Incidentally: 3 per cent of the people surveyed said that they wrote their PIN on a piece of paper and kept it in their wallet, which may account for at least some of the incidence of the ATM and POS chip and PIN fraud more plausibly than complex attacks on the unencrypted messages between the card and terminal.

There are plenty of other initiatives aimed at improving the overall level of card security. 3D-Secure has taken a long time to get traction but is now widely used in e-commerce. PCI-DSS is costing a fortune, but may reduce the industrial-scale counterfeiting of the magnetic stripe cards still widely used for retail payments in less-developed parts of the world.

In raids conducted Feb. 1, agents seized $300,000 in cash, three firearms and ammunition as well as equipment to make fake credit cards from the gang… The credit card details and stolen identity information was purchased from “online data traffickers via Web-based portals, and the purchasers would store the stolen credit card information in shared e-mail accounts, allowing several defendants to begin creating counterfeit credit cards,” prosecutors said.
[From US indicts 27 in Apple product credit-card fraud ring | MP3 Players | Macworld]

Anything that stops card details like these from falling into criminal hands so easily must be worth the money, right? Actually, on the costs of PCI-DSS, there may be some relief in sight for European retailers.

Visa last week announced a new programme which means European merchants will no longer need to prove they adhere to PCI DSS regulations on an annual basis, as long as 75 percent or more of their transactions originate from EMV-enabled chip and pin terminals. The programme will be introduced on 31 March, 2011
[From Visa PCI DSS exemptions send out mixed messages to merchants | Business Computing World]

So come on, it’s not all bad. In fact the bottom line is that the fraud figures have been improving, and I expect them to improve further still over the next couple of years as we begin the integration of cards and mobiles. This is because even simple integration (eg, texting unusual transactions) delivers good returns and the impending integration of payments with handsets means that issuers will be able to go even further with 24/7 access to the “card”. I won’t rehearse the basic arguments, but I think there are many reasons for thinking that the mobile is a means to manage card fraud down, and line of thinking that we have presented frequently over the years.

So, are mobile payments safe or not? It’s not a “yes” or “no” question, as we hope this discussion has shown. Let’s ask another question instead: Can we make the risks of mobile transactions manageable? The answer to that is “yes”. In fact, in the particular case of mobile proximity payments, we happen to believe that there is more security overall in using a mobile than in using a card payment
[From TM Forum – Article: Mobile Payments – Safer than Cards?]

For one thing, as noted, we can use the mobile to provide information and as communication channel to report on and detect suspicious activity. Potentially more interesting, though, there are techniques that take advantage of the characteristics of the mobile channel, primarily location There are some practical problems to be overcome though.

ValidSoft [has] direct access to mobile networks, tables, and services around the globe and can provide mobile based location services without requiring that users opt in. Many financial institutions are interested in using these services for fraud detection but are concerned about the privacy implications and don’t want their customers thinking they are following them around.
[From Visa Europe sets trend with mobile location-based fraud detection]

Actually, I might well want my issuer to follow me around, but I might also want it to stop other people from following me around. Anyway, I’ll be talking about this kind of thing — including lessons from our practical experience advising leading payments organisations around the world and some of the things we are learning from the Ph.D in mobile handset security that Consult Hyperion is funding at the University of Surrey — at the excellent UK Card Fraud Conference on 29th/30th March 2011 in London.

The magnificent people at DT Conferences have given me a delegate pass for the event — worth an amazing ONE THOUSAND TWO HUNDRED POUNDS plus VAT — to give away on this blog as a competition prize! So if you are going to be in London on those dates and you’d like to come along to meet some of the leading thinkers in the UK’s fight against card fraud (and me) then all you have to do is be the first person to comment on this post with the name of the doomed precursor to 3D-Secure, the PKI-based online card payment security system developed in the 1990s: full name, please, not just the TLA!

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been gritted for your safety. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.

Will they or won’t they pay?

21st February 2011by Consult Hyperion1 Comment

The outsourcing company Accenture conducted a survey to find out if consumers want to use their mobile phones for payments. Unsurprisingly, there is a strong correlation between countries where people have already used their mobile phones for payments (eg, China) and where people wanted to use their mobile phone for payments (eg, China).

Overall, 69 percent of survey respondents in Asia indicated they favored using mobile phones for most payments, led by Chinese consumers (76 percent) and India (75 percent), followed by Korea (56 percent) and Japan (47 percent). Outside of Asia, the next highest positive response was in Brazil, where 70 percent of consumers favored using mobile phones for most payments… asked if they had used a mobile phone to make purchases in the past six months, nearly half (47 percent) of tech forward consumers in China indicated they had, followed by Korea (42 percent) and Japan (33 percent).
[From Interest in Mobile Phone Payments Strong Among Most Active Mobile Users Despite Security and Privacy Concerns | Business Wire]

Now, the figures cannot represent a desire for mobile out of a lack of alternatives. I’m in China right now, where China UnionPay already has gazillions of cards out there and I’ve been using my splendid Travelex prepaid Visa card all day without a problem (some shops just wanted signature, some wanted online PIN and signature, I don’t know why). Meanwhile, back home, the situation looks rather different.

In the U.S. and Europe, combined, however, only 26 percent of respondents favored using mobile phones for most payments.
[From Interest in Mobile Phone Payments Strong Among Most Active Mobile Users Despite Security and Privacy Concerns | Business Wire]

Oh well, I guess there’s no need to spend much money on m-payment solutions in Europe or the US then, when only a 100 million or so people will want to use them, especially so in the US where another survey shows that few consumers are prepared to pay for m-payments.

However, the [Yankee Group] consumer survey results also indicate that less than 10% of respondents would be willing to pay extra for mobile transaction services such as mobile banking, mobile coupons and mobile payments
[From Less than 10% of US consumers willing to pay for mobile payments • NFC World]

But hold on, I thought. If you asked consumers in the US if they were prepared to pay for debit cards then only 10% would have said yes. Yet everyone has (and uses) a debit card. Hhmmm…

So who does pay for debit cards then? In the US, where the merchant fees are much higher than in Europe, transaction fees are the major source of income. But the economics of debit are different in Europe where the already lower debit interchange and fees mean that in some countries (eg, the Netherlands) the banks lose money on every debit transaction, whereas in some countries (eg, the UK) they make a small but vanishing margin. Yet debit is profitable for banks. Why? It’s because the major component of income from debit schemes is not the transaction fee but

The interest foregone on current accounts. Consumers who use their debit cards keep money in their current accounts to fund and the bank earns interest on that money.
The fees earned from unauthorised overdrafts and such like. If you are out spending on your debit card and you see something that you want, you might go into the red to get it. Or you might make a mistake.

This led to an interesting twitter conversation with Forum friend Scott Loftesness. As Scott pointed out, people do, of course, pay for debit cards, but they just don’t see explicit pricing. But they might, if the “Durbin debate” ends with issuers being forced to reduce interchange. The National Retail Federation (NRF) in the US has told Congress that delay to debit card swipe fee reform will save banks and their customers more than a billion dollars for every month of delay. Actually, that’s not quite what they said…

A postponement of the debit card swipe fee reform could cost US retailers and their customers more than $1bn per month, the National Retail Federation (NRF) warned Congress.
[From Debit fees regs delay could cost $1bn]

I wrote before that if retailers think that they are being so grotesquely overcharged for debit schemes then they should start their own, and I do have to say that I am puzzled that more of them haven’t already gone down the decoupled debit route, especially those with strong loyalty databases (eg, Tesco).

My wife’s visit to Target this week prompted a revisit to the decoupled debit space. Target’s value proposition: hand me your check and sign a release form, you will then receive a RedCard linked to your checking account and good for 5% off all future purchases
[From Decoupled Debit « FinVentures]

Retailers in the US, it seems, prefer a different kind of competition. A little while ago I read a piece in the Financial Times, which I couldn’t find given five minutes googling, that said that the regulatory capture of $1 billion a month, most of it going to America’s biggest retailers, wouldn’t make any difference to the prices that consumers pay. I’m sure that’s true, and I don’t suppose banks pass on all of that billion to customers any more than retailers would, but let’s face it: someone has to pay.

Banks have never lost out because of their gracious generosity in allowing customers to use cheque books, debit cards or cash machines for free.
[From The end of free banking would be another slap in the face | Chris Leslie | Comment is free | guardian.co.uk]

This is what people in the UK genuinely believe. As Scott says, they see debit cards as free. There’s no way you can now charge them for them. So why wouldn’t mobile payment cost be bundled into the bank account fee just as the debit card cost is? Actually, I suspect that it won’t be, for the simple reason that I don’t believe that consumers won’t pay. Mobility has value. If you had asked me whether I would be happy to pay an 8% transaction fee for using mobile payments a few months ago then I would have told you no way. But that’s exactly what I did last week when I went and parked at Woking station, cheerfully paying a 40p extra charge for using RingGo (a mobile payment for parking scheme) rather than use cash for a £5 parking charge.

Scott asks how mobile payments can deliver additional value to the merchants. I would say that in my recent dealings with issuer/acquirer/merchants, three general themes have emerged (I stress that these are general: they don’t relate to any specific project we are involved in).

The first is that retailers like mobile wallets. anticipate lower online abandonment rates with mobile wallets and I suspect they may also anticipate a higher average sale than with cash in physical environments.
The second is that retailers expect to be able to use these mobile wallets to interact directly with consumers through loyalty products, coupons, special offers and so on.
The third is that mobile should mean fewer disputes and chargebacks, which cost retailers time and money.

All of which means that the retailers will incentivise customers to use mobile, so customers will use it even if it costs them an explicit fee versus the implicit fee associated with debit. Ultimately, I’m pretty sure, that the fact that only 10% of consumers say they will pay doesn’t mean anything.

Why us?

11th February 2011by Consult Hyperion3 Comments

Our good friends at ACI Worldwide have just released their annual Global Card Fraud Survey, which contains some rather bad news: the UK has more card fraud than many other countries. We’re up there with the US, with three times as many people affected than in Germany and the Netherlands. So a third of us have been victims of card fraud compared to only a tenth in Netherlands. Why? Are the Dutch more honest than Brits? Are their cards more sophisticated? No. I think there are two main reasons for this discrepancy.

First of all, while chip and PIN has cut fraud on the high street, card-not-present fraud is still a big problem. In the UK, cards still account for a big portion of online payments. In the Netherlands, and some other countries, they don’t. More than two-thirds of Dutch e-commerce purchases are made with iDeal, a bank-based scheme that has no equivalent in the UK (or the US, or pretty much anywhere else for that matter).

Second, UK credit cards have high limits. In the last couple of weeks, both of my main card issuers have written to me raising credit limits (I didn’t ask for this in either case). If you’re going to steal some card details, you’d go for cards that are likely to be some way from their limit.

The survey wasn’t all bad news, by any means. I found it interesting that the proportion of people who had been victims of card fraud but were satisfied with the response of their issuer had actually increased slightly, to almost four-fifths, which isn’t bad. Personally, like the majority of people surveyed, the last time there was a strange charge on my card, the bank took off the charge then cancelled and reissued the card.

The agent informed me that new cards for me and my wife would be Fed-Ex’d, to arrive today or tomorrow. What followed were a series of texts from merchants that have my credit card on file for automatic billing, delighting me with the knowledge that I won’t be able to use such services as the Bay’s FasTrak toll lanes or uninterrupted cable service until I update my records.
[From I’m a five-time ID Fraud victim; How crazy is that? – Javelin Strategy & Research Blog]

Think how expensive this all this though: cancelling and re-issuing cards, call centre seats, letters and whatever else. So we still need to do better. Only around a third of people (fewer than before) said that they would switch financial institutions because of card fraud, which is bad news for people trying to sell anti-card fraud solutions to high street banks.

The poll of 970 UK adults, part of the bi-annual global Unisys Security Index, reveals that cyber-security is the public’s chief concern, with 85% of respondents worried, and over 50% “seriously concerned”, about bank card fraud and identity theft.
[From Finextra: Brits switching banks over security and privacy concerns – Unisys]

This is odd, I think. I couldn’t care less about bank card fraud, since it’s the banks’ problem and not mine. I never use a debit card for anything, offline or online, so I’m totally protected by the legislation around credit cards. I’m more worried about identity theft, because it’s more time consuming to put right, but that’s a different issue (being discussed at the CSFI yesterday, as it happens).

The press release also noted that 81% of people have confidence in their issuer protecting them from fraud. I think that this may be a little simplistic, for that very reason: had I been asked for the survey, I would have said that I don’t really care about Barclays’ ability to prevent fraud on my splendid OnePulse credit card because it’s their problem.

If you don’t like cards, don’t take them

25th January 2011by Consult Hyperion7 Comments

The cases of debit interchange in the US and cross-border interchange in Europe will, in the longer-term, serve to illustrate a general point: price controls don’t work, a fact well-known since the days of Diocletian:

Despite the fact that the death penalty applied to violations of the price controls, they were a total failure. Lactantius, a contemporary of Diocletian’s, tells us that much blood was shed over “small and cheap items” and that goods disappeared from sale. Yet, “the rise in price got much worse.” Finally, “after many had met their deaths, sheer necessity led to the repeal of the law.”
[From How Excessive Government Killed Ancient Rome]

OK, so the Durbin amendment probably wont lead to rioting in the streets, but it’s still price control, and it will have unfortunate consequences (not for me, since I never use a debit in the US anyway). There’s a good article in the January issue of Digital Transactions by Lauri Giesen examining the US card market. She’s specifically looking at the strategy of retailers with respect to cards. Having won lower debit card fees, retailers are going to go after the credit card business. Trixi Wexler, a spokeperson for the Washington DC-based Electronic Payments Coalition, says that retailers didn’t spend $10 million in lobbying “just to walk away with lower debit card fees”. I’m sure that’s true, but even if it isn’t, that $10 million represents pretty good value for money, since it will result in considerable savings for retailers.

The big retailers and other merchants — who are the real winners — claim they are going to help consumers from their end by passing their savings on in the form of lower prices… But those claims are spurious at best. In countries where these types of interchange rules have been adopted, like Australia, consumers have seen no benefit.
[From Bill Cheney: New Interchange Rules for Debit Cards: A Perceived ‘Win’ Is Really a Loss]

Retailers in the UK make the same claim.

The BRC claim that if charges for every payment method were as low as they are for cash, its members could pass on £480 million in cost savings to their customers.
[From Retailers concerned over ‘unjustified’ fees]

Yes, I’m sure they *could*, but they won’t. The evidence from Australia shows that the retailers managed to persuade the regulator to cap bank fees (for no real economic reason) and then simply kept the loot. That’s exactly what I’d do if I was them: it’s called “regulatory capture” by economists, because market participants are using regulation rather than competition to obtain a larger share of market rent. This all left me wondering, once again, what exactly the lobbyees (is that a word?) think that they are achieving by transferring this share of market rent from banks to retailers. Why, for example, are retailers more deserving of 0.1% of my supermarket purchase than banks? It’s not even as if it’s all retailers anyway.

Cooper said 80% of the projected debit card interchange revenues banks stand to lose will go to 1% of merchants.
[From Untitled]

This, to me, looks less and less like Durbin striking a blow for the little guy and more and more like regulatory capture by some of America’s biggest businesses, the culmination of a well-managed campaign.

Retailers have begged Congress for years, in vain, to limit the fees they must pay to banks when customers swipe credit or debit cards.
[From Debit Fee Cut Is Rare Loss for Largest U.S. Banks – NYTimes.com]

I imagine consumers have begged Congress for years, in vain, to limit the fees they must pay to retailers for food or to gas stations for fuel, so what’s the difference? Why has Congress intervened in order to transfer wealth from one group within society (consumers) to another group (retailers)? The answer, of course, is lobbying.

But retailers mounted an unusually effective yearlong campaign to frame the issue as a chance for Congress to help small business. A leading trade group for chain retailers worked with small-business groups to make sure that every time a senator held a town hall meeting back home, a local business owner showed up to ask about card fees.
[From Debit Fee Cut Is Rare Loss for Largest U.S. Banks – NYTimes.com]

Lobbying on behalf of banks is a bit of a lost cause at the moment, so you can’t blame the retailers for striking while the iron is hot, but if Congress wants to reduce the fees paid by retailers for payments, then it should create a regulatory environment that allows new entrants to come in and provide (non-bank, if necessary) solutions to the marketplace. Are they going to do this? (It’s not a rhetorical question – I genuinely don’t know, and look forward to hearing from some of our US readers to tell me.)

In short, then, if banks had gone up the hill asking regulators to cap the price of food, on the perfectly reasonable grounds that employee salaries are a big part of their costs and that employees spend a lot of their money on food, they would have got short shrift. But given the general hatred of banks, retailers spotted a good opportunity to transfer some of their costs away.

MasterCard said… This provision stands to benefit some of the largest retailers in the world and will harm not only consumers, but also community banks, credit unions, and government benefits administrators. Currently, merchants pay their fair share of debit acceptance; in the future, consumers will be responsible for bearing this cost.
[From Consumers to Pay More for Merchants’ Debit Card Benefits | MasterCard®]

I don’t want to be accused of being MasterCard shill [full disclosure: my employer Consult Hyperion has provided paid professional services to MasterCard within the last year] but there is a valid point here: what’s best for society is to have payment systems that have the lowest total social cost. Speaking in very general terms, this means debit cards (and in particular, PIN debit). So if that’s best for society, how should society apportion the costs? Unless we think we can do better than the market, then we should leave the market alone. Since neither I, nor retailers, nor banks, nor regulators know what the interchange fee should be, they should focus on competition to set them at the right level.

There’s another point that the Digital Transactions article makes that I found interesting. Trixi says that the money from card fees goes to pay for innovation and that without the income, issuers will stop innovating. This may be correct, although innovation is more about non-banks than banks and it is not only Durbin that is hampering payment innovation.

Rich started his address with the assertion that the “Payments system is under attack,” from a regulatory barrage – the CARD ACT, NSF/OD regulation, forthcoming rulings under the Durbin Amendment and the newly formed Consumer Financial Protection Bureau (CFPB) all are paralyzing innovation in the financial services sector. At the same time, innovations from outside the financial services industry are happening at an incredible pace.
[From Payment System Under Attack? Solutions Found in Georgia! – pymnts.com]

I think that in the US case it also means that the retail payments business will slide down the priority list. The lost income from debit interchange, which should have been reduced by competition (ie, the regulators should have told the big retailers “if you don’t like cards, don’t take them” or “if you think you can do it cheaper, go right ahead”) rather than by regulation, will be replaced by fee income from consumers and the marketing, management and retention of checking accounts will surely become more of a priority than debit card activation.

If retailers think that payment systems are too expensive, then why don’t they start one? Or why don’t they invest in payment startups? Starbucks seems to have done quite well by running its own prepaid card scheme and its own mobile payment service, and has been exploiting the benefits of integrated mobile so successfully that it has now decided to go for an immediate national roll-out with barcodes, switching to NFC when the handsets are out there.

However, Starbucks Corp., one of the few stores with a mobile payments program in place, says these transactions are little different from other card purchases, and the real benefit to the merchant comes when people use its app to reload their accounts while waiting in line instead of at the register.
[From Upside For Mobile Payments Comes Before The Payment – PaymentsSource Article]

Perhaps it will be the innovative retailers, working in partnership with technology companies, who will make the breakthroughs while the biggest retailers still find it more cost-effective to spend the money on lobbying.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]