Here at Consult Hyperion, we are often involved in the design, implementation and testing of secure systems on devices such as smart cards and mobile phones for payments, banking and other applications where security is critical.
Well, the circus came to town again. Barcelona. It’s 100,000 people and non-stop meetings and basically no fun whatsoever. But it’s in Barcelona. The calendar is jammed from first thing in the morning until the evening, and then it’s out for dinner and drinks with customers and suppliers. Man, that Catalan pasta was delicious. It’s absolutely exhausting. My feet are killing me by coffee time and I’m not in heels. Loved that lemon beer though, never had that before. The communist traitors down the metro are on strike so we have to queue for buses. It’s lovely and sunny here. Eight halls! Still, let’s take a deep breath and get on with it.
I’ve been interested in mobile payments for 20 years. A decade ago, Consult Hyperion was lucky enough to be chosen by Vodafone to carry out the feasibility study on M-PESA. I can remember seeing the first Nokia with a contactless chip (Mastercard) embedded in it and being blown away by the convenience. I am the archetype for the stereotype in mobile futurists’ presentations, the person who often leaves the house with a phone but no wallet. Last year at MWC I gave a presentation about the impending shift to in-app payments. So, you can imagine how downhearted I was to see this vista before me on arriving in the host city.
Yep. Twenty years of mobile payments, twenty years of presentations about mobile payments at MWC, twenty years of pilots and trials and tests and MoUs, twenty years of arguing about SIM vs. embedded vs. SE, twenty years of closed-loop and open-loop and three-party and four-party, and there’s a queue a mile long for the ATM because you can’t use your phone to buy a metro ticket or ride the bus into town. Where did it all go wrong?
Why aren’t there mobile payments everywhere? In a sane world, as we landed in Barcelona our phones would automatically fire up a Barcelona app that we could use to pay for the trains and taxis, restaurants and hotels. How long would it take for your bank to issue a four-day, Barcelona merchant-only token to the handset? Five seconds? Why can’t I pay in-app for my hotel? Karen Webster wrote about this too.
…when it comes to commerce and payments, well, we’re still very much making our way to first base. And that’s more than two decades after the launch of the commercial Internet and nearly a decade after the introduction of the iPhone…
Karen points to the role of the carriers as a fundamental problem, and she is certainly right to note that their attempts to be toll collectors for the superhighway have been a boat anchor on progress in mobile commerce just as it will be for IoT commerce, but I wonder if there’s something more fundamental going on. What if the attempts to shoehorn the existing infrastructure (of PANs and acquirers and networks and schemes and issuers and authorisation and all the rest of it) are themselves responsible for the drag? What if we should have started again? What if we should have just said that the mobile phone gives us a mechanism to establish (and verify) the identity of everyone and once you know who the counterparts are, payments are easy? What if we should have started with mobile ID instead of taking a 60+ year old way of doing a payment?
I was lucky enough to be asked to chair the MWC conference session on “Digital Identity for Connected Societies”. During this discussion, it became very clear to me (and, I hope, the rest of the audience) that we already have all of the building blocks that we need to create a strong identity infrastructure based on the mobile phone. If we take that architecture as a given, then what “payments layer” should be put on top of it? You know where my sympathies lie: in the “push to push”. Karen correctly, in my opinion, talks about the reshaping of retailing.
Mobile and online – together — is creatively destroying the retail model that’s been in place for millennia – a model that used to rely only on consumers and merchants coming together face-to-face to do business.
Why do we think that we can reshape retail without reshaping payments? Here’s just one example: why do you give card details to the merchant? It makes no sense: it’s because you used to hand your card to merchants in shops. Surely it would make more sense to send the _invoice_ to the bank, have the bank pay it and send back the _paid invoice_ to the merchant. Why should the merchant ever see your card, tokenised or otherwise? Since merchants are installing BLE anyway, why not just transmit the invoice over BLE to your phone and have your phone send it to the bank for payment? I’m just giving a random example, but you see my point.
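The invoice flow described above, as an added sketch that is not from the original post or any Consult Hyperion design. It assumes the merchant and bank share an HMAC key standing in for real signatures; `Merchant`, `Bank`, `phone_pays` and the payee name are hypothetical. The merchant settles on a bank-authenticated paid invoice and never receives payer or card data.

```python
import hashlib
import hmac
import json

# Assumption: merchant and bank share one key (constructed value). A real
# design would use asymmetric signatures; HMAC keeps the sketch stdlib-only.
SHARED_KEY = b"constructed-merchant-bank-key"

def mac(label, obj):
    # The label separates invoice MACs from paid-invoice MACs.
    body = label + json.dumps(obj, sort_keys=True)
    return hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()

class Merchant:
    def __init__(self):
        self.open_invoices = {}  # invoice_id -> invoice awaiting payment

    def issue_invoice(self, invoice_id, amount):
        invoice = {"payee": "demo-cafe", "id": invoice_id, "amount": amount}
        self.open_invoices[invoice_id] = invoice
        return {"invoice": invoice, "mac": mac("invoice", invoice)}

    def accept_paid_invoice(self, paid):
        invoice = paid["invoice"]
        if not hmac.compare_digest(paid["bank_mac"], mac("paid", invoice)):
            return "rejected: not authenticated by bank"
        # pop() makes each invoice settle once, so a replayed receipt fails.
        if self.open_invoices.pop(invoice["id"], None) != invoice:
            return "rejected: unknown, altered or already settled"
        return "settled"

class Bank:
    def __init__(self, balances):
        self.balances = balances  # payer account -> funds in euro cents

    def pay(self, payer, signed_invoice):
        invoice = signed_invoice["invoice"]
        if not hmac.compare_digest(signed_invoice["mac"], mac("invoice", invoice)):
            raise ValueError("invoice not authenticated by merchant")
        if self.balances[payer] < invoice["amount"]:
            raise ValueError("insufficient funds")
        self.balances[payer] -= invoice["amount"]
        # The paid invoice carries no payer or card data at all.
        return {"invoice": invoice, "bank_mac": mac("paid", invoice)}

def phone_pays(merchant, bank, payer, invoice_id, amount):
    signed = merchant.issue_invoice(invoice_id, amount)  # e.g. sent over BLE
    paid = bank.pay(payer, signed)                       # phone to bank
    return paid, merchant.accept_paid_invoice(paid)      # back to merchant
```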
Here’s what’s gone wrong: we took amazing new technologies (smart cards, mobile phones, biometrics) and used them to emulate some cardboard hack from 1949. Time to scrub off the whiteboard and start again. I make this vow here and now: if you cannot use your phone to pay the airport bus in Barcelona at Mobile World Congress 2017, then I will never go again.
As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange. It is a safe bet that (with the odd exception) cash will be one of your available options. Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?
Well, you could talk to someone, of course. But this isn’t always possible, for instance due to language barriers. Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.
The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display. The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.
I say ‘should be possible’ because, unfortunately, this is not always the case. For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments. Still – whilst not as convenient, the payment can still be completed via Chip & PIN.
But now adding to the mix we have a brand new acceptance mark for Apple Pay. On the face of it, this seems a sensible decision. After all, if you want to use Apple Pay then it’s good to know where you can use it. But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol. Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.
What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark. It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction. For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)
But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all. Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay. Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?
Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees. As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme. This Article provides that:
Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.
In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept. Merchants may, for instance, choose to accept only debit cards and not credit. Or they may choose to accept everything except higher-fee rewards cards. “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.
To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU. In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information. It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.
So, when is an acceptance mark not a mark of acceptance? Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.
Gift certificates and gift cards are going virtual, in which mode they are becoming money. Where might they go in the future?
Taxis are such an interesting case study when it comes to exploring the future of mass-market retail payments that I can’t help but be fascinated by them and their use of new technology.
We’d all, I’m sure, prefer a world in which children did not have access to corrosive and nauseating material that undermines our civilised society. But how can we stop children from seeing MTV and the Daily Mail? The government has given up on this, I’m afraid, and has instead decided to try to stop them from seeing porn.
There has been a lot of discussion about using Host Card Emulation (HCE) to support EMV payments over Near-Field Communication (NFC) interfaces. But HCE can be used to support EMV payments over, essentially, any interface. As part of Consult Hyperion’s prototyping programme, we developed a working (i.e., using EMV data) proof-of-concept demonstrator (running on Android and iPhone) for paying with HCE over Bluetooth Low Energy (BLE) and showed it at the UK Cards Association last week. The demonstrator is so cool it superconducts.