I write a lot about payment security. Mostly brief snippets embedded in our weekly Incite, but it’s a topic I follow very closely and remain deeply interested in. Early in my career, I developed electronic wallet and payment gateway software for Internet commerce sites, and application embedded payment options. In have been closely following the technical evolution of this market for over 15 years – back in the days of CyberCash, Paymatech, and JECF. But unlike many of the articles I write, payment security affects more than just IT users – it impacts pretty much everyone. And now is a very good time to start paying attention to the payment space because we are witnessing more changes, coming faster than ever.
Most of the changes are directly attributable to disruptive nature of mobile devices: they not only offer a convenient new medium for payment, but they also threaten to reduce revenue and brand awareness of the major payment players. So issuing banks, payment processors, card brands, and merchants are all reacting in their own ways. The following are some highlights of trends I have been tracking:
1) Mobile Wallets: A mobile wallet is basically a payment app that authorizes payments from your phone. The app interacts with the point-of-sale terminal in one of several ways, including WiFi, images readers, and text message exchanges. While the technical approaches vary, payment is cleared without providing the merchant with a physical credit card, or even revealing a credit card or bank account number. Many credit card companies look on wallet apps as a way to ‘accelerate’ commerce and reduce consumer reticence to spend money – as credit cards did in the 70s.
The flip side is that many card brands are scared by all this. Some are worried about losing their brand visibility – you pay with your phone rather than their branded credit card, and your bill might be from your telephone company without a Visa or Mastercard logo or identification. Customers can choose a payment application and provider, so churn can increase and customer ‘loyalty’ is reduced. Furthermore, the app need not use a credit card al all – like a debit card it could draw funds directly from a bank account. When you think about it, as a consumer, do you really care if it is Visa or Mastercard or iTunes or PayPal, so long as payment is accepted and you get whatever you’re paying for? Sure, you may look for the Visa/Mastercard sticker on the register or door today, but when you and the merchant are both connected to the Internet, do you really care how the merchant processes your payment, so long as they accept your ‘card’ and your risk is no greater than today? When you buy something using PayPal you draw funds from your bank account, from your credit card, or from your PayPal balance – but you are dealing with PayPal, and your bank or credit card provider is barely visible in the transaction.
The threat of diminished revenue and diminished brand stickiness – on top of a global reduction in credit card use – is pushing card brands and payment processors into this market as fast as they can go. From what I see, security is taking a back seat to market share. Most of the wallets I review are designed to work now, minimizing software and hardware PoS changes to ensure near-term availability. Basic passwords and phone-presence validations will be in place, but these systems are designed with a security-second mentality. And just like the Chip & Pin systems I will discuss in a moment, mobile wallets could to be more secure than physical cards or reading numbers over the phone, but the payment schemes I have reviewed has are all vulnerable to specific threats – which might compromise the transaction, phone, or wallet app.
2) Smart Cards: These are the Chip & Pin – or Integrated Circuit – systems used widely in Europe. The technical standards are specified by the Europay-Mastercard-Visa (EMV) consortium. Merchants are being encouraged to switch to Chip & Pin with promises of reduced auditing requirements, contrasted against the threat of growing credit card fraud – but merchants know card cloning has been a problem for decades and it has not been enough to get them to endorse smart cards. I recently discussed the issues surrounding in Say Hello to Chip and Pin, but I will recap here briefly. Smart cards are really about three things: 1) new revenue opportunities provided by multi-app cards for affinity group sales, 2) moving liability away from the processor and merchant and onto the consumer, and 3) compatibility with Chip & Pin hardware and software systems used elsewhere in the world.
More revenue, less risk, and standardized hardware for multiple markets reduce costs through competition. And a merchant that invests in smart card PoS and register software, is less likely to invest in payment systems that support mobile phones – creating PoS vendor and merchant lock-in. Once again, smart cards are marketed as advanced security – after all it is harder to clone a smart card – despite ample proof that Chip & Pin is hackable. This is about revenue and brand: making more and keeping more. Incremental security benefits are just gravy for the parties behind Chip & Pin.
3) Debit Cards: Mobile wallets may change the debit card landscape. If small cash transactions are facilitated through mobile wallet payments, the need for pocket cash diminishes, as does the need to carry a branded debit card! This is important because, since the Fed cut debit card fees in half, many banks have been looking to make up lost revenue by charging debit card ‘privilege’ fees above and beyond ATM fees. Wells Fargo, for example, makes around 45% of their revenue on fees; this number will shrink under the new law – potentially by billions, across the entire industry. Charging $3 a month for debit card usage will push consumers to look for cheaper options.
ATM and debit card security is suspect, and there have been monthly headlines of system compromises and organized attacks. While it’s not clear that ‘ewallets’ will be more secure than the simple magnetic-stripe-and-PIN security model of current debit cards, mobile payments have the potential to be much more secure. If backed by a credit card on the back end, there is also a new opportunity for customers to limit liability to theft or hacking, which has already been lost with today’s debit cards – and many consumers want this choice.
4) On line Banking: Despite the risks, most banking customers prefer to bank online. What’s more – despite the risks of browser compromises and account hijacking – customers trust ebanking. This is a growing phenomenon, and mobile banking apps are poised to extend this trend.
Consider what we have been calling ‘online’ banking for the last 10 years, but instead of on your Windows PC it could run on a mobile phone app provided by your bank. Many banks do this already – what’s to keep them from offering payment apps directly to their customers? The distinctions between Internet banking, mobile banking, and mobile payments, all seem likely to blur. And the question of where Visa, AmEx, and MasterCard fit into the picture comes to mind. Standardizing payment interfaces should be straightforward – with or without EMV. If I were on a bank executive team, looking at taking a bigger share of fees generated from transactions to offset lost revenue, I would be loudly questioning the value provided by Visa and Mastercard. After all, most banks have created Windows and mobile phone apps to help secure their customers’ banking information. There are very few additional hurdles to keep them from offering debit card replacement apps, or even a revolving line of credit to replace credit cards, for small transactions.
Ultimately I wonder if mobile payment apps undermine smart card adoption. And whether banks and payment processors will go directly to consumers, dropping card branding. Regardless of what happens, there are strong competitive forces at work here, so I expect big changes in how we pay for stuff and who provides payment services.
Reader interactions
4 Replies to “Payment Trends and Security Ramifications”
A few minutes ago PayPal released this video on the subject: http://www.finextra.com/news/fullstory.aspx?newsitemid=22954
This is how a lot of the payment processors view shopping in the future. And how merchants will deliver coupons in context to shopping. And how merchants will wage SEO wars to skew search results to make it incredibly difficult to find competitive prices. But the point that the mobile device is part of the shopping process is what is being leverages. You decide if this is good or bad.
For the record: I have never, in my life, had to ‘Wait to Pay’.
-Adrian
A couple general comments:
If you have not seen projects like this: http://www.gemalto.com/mobile_banking_for_unbanked/index.html these are mobile banking applications that also provide some pre-pay options for services (like paying your phone bill). This can be extended for Internet payment and -possibly- point of sale as well. A really interesting trend is Oberthur’s ‘Convergence’ model where they are blending identity (think smart cards) and EMV (also smart card) support based on mobile SIM cards. The concept is not that the phone is _easier_ that the Chip & Pin based card, it’s that the cost to the bank/issuer is lower when delivered as software on a device you already own. Does that make sense?
PayPal is not a bank – at least not in the U.S. But the point is to both show that the affinity will be with PayPal, and that there are few impediments for banks to go direct.
-Adrian
Interesting article and I agree with most of your points.
But I will note that I do everything possible to avoid doing business with PayPay. (No, they haven’t done anything to offend me directly.) PayPal likes to *act* as if they are a bank and they would like customers to *think* of them as being a bank, but in fact they are NOT a bank at all. PayPal is not subject to any of the state and federal banking regulations, compliance auditing and regulatory oversight that exist to keep “real” banks honest.
For me, that puts PayPal into the “Too Risky” category.
I once worked for a company that had a mobile payment solution, was owned by a credit card processor and had customers like T-Mobile and Vodafone. Why don’t we have mobile payment yet?
Simple – why would banks hand over their merchant fees to a TelCo? Plus the branding, you say?
My prediction: not gonna happen anytime soon.
And personally, I still don’t grok why pulling out my phone and using some weird app is easier than pulling out a card and putting it into a reader… (and I’m not at all convinced this is any less secure than a “mobile wallet”).