What with the Durbin Amendment taking effect and serious moves in mobile payments, many observers had the feeling that the pace of change in e-payments quickened in 2011. But along with faster change come more problems. Herewith some of the most salient.
By Jim Daly and John Stewart
If the only constant in life is change, then executives in the electronic-payments business may be forgiven if they wish to append a corollary to that well-worn maxim: as change accelerates, problems proliferate.
Many of the issues outlined in this, our fifth annual recital of the industry’s most acute headaches, stem in one way or another from two of the most momentous changes payments execs have had to grapple with in years: a regulatory regime that now includes a federally mandated ceiling on debit card interchange and the intrusion of major corporate entities in the business of mobile payments.
Take mobile. Banks and merchants have just begun to sort out how best to make point-of-sale payments work on handsets—with near-field communication (NFC) chips or with barcodes, for example. Meanwhile, banks and payment networks have never resolved key disputes over revenue sharing, control of consumer credentials, and other issues. But none of that has stopped the likes of Google Inc., Sprint Nextel, AT&T Inc., Verizon Wireless, and T-Mobile USA from putting together their own NFC-based mobile wallet consortia.
Google is working with Sprint, Citigroup Inc., First Data Corp. and a long list of merchants to launch an ambitious NFC initiative. AT&T, Verizon, and T-Mobile formed an NFC joint venture late last year called Isis, and after a strategic adjustment in its plans this spring it’s aiming for a launch in Salt Lake City, Utah, and Austin, Texas next year.
Both of these initiatives bear implications for at least half of the issues raised in this year’s inventory, including questions regarding EMV and the role of the automated clearing house network in tracking mobile payments and in speeding up settlement.
The implications of the Durbin Amendment, whose letter and spirit took effect Oct. 1 courtesy of rules from the Federal Reserve, are almost too numerous to mention. We count at least three issues in this year’s list stemming from that law, which for the first time in history imposed a cap on card interchange.
But change also ushers in opportunity. The wobbly recovery from the deep recession of 2007-09, together with increases in prepaid, debit, and consumer-based image-exchange activity, have helped boost transaction volume. Our annual estimate of total U.S. electronic consumer transactions climbed to 100.7 billion in 2010. That’s after plunging to 87.4 billion in the depths of the recession in 2009 from the previous high point, 94 billion, the previous year.
That’s the good news. The bad news is that among Durbin’s many implications could be a severe dampening effect on the growth of debit, and perhaps of prepaid. But that’s yet to be determined. Managers and strategists have enough to do grappling with the items on the following pages.
1. Does the PIN Have a Future?
When it comes to card security, who wouldn’t choose a personal identification number over a signature? Seems like a no-brainer. The Federal Reserve, in developing its Durbin Amendment regulations, noted that fraud losses on PIN-debit transactions are about one-fifth of those on signature debit cards.
But the PIN, as a static authentication tool, has its weaknesses. Hackers sometimes access the encryption codes that protect PINs. And unless bolstered by newer technology, the PIN is virtually useless for e-commerce. Perhaps most important, issuers generate much more than enough interchange from signature transactions to offset signature’s higher fraud.
The U.S. issuers that have experimented with EMV chip cards—Wells Fargo & Co., JPMorgan Chase & Co., and North Carolina’s State Employees Credit Union—have come out with versions that rely on signature rather than PIN authentication.
Ominously, in the eyes of PIN partisans, the sweeping program Visa Inc. announced in August to jump-start EMV and mobile payments in the U.S. seemingly shunts the PIN off to the sidelines. Visa is playing up so-called dynamic-authentication technology that provides one-time transaction identifiers.
Few would argue that dynamic authentication has its advantages, but the PIN still has plenty of support among merchants, acquirers, and electronic funds transfer networks.
David Keenan, general manager of the Accel/Exchange EFT network, predicts it will be hard to discount the PIN because of its popularity with consumers and proven security advantages. “My sense is that PIN debit is going to do just fine,” he says.
2. Who Pays for EMV?
About the only thing everyone agrees on about bringing EMV chip card payments to the U.S. is that they won’t be cheap. In a late 2009 report, Aite Group LLC pegged the cost at $12.7 billion, to be borne mostly by merchants, which would have to pay for chip card-accepting terminals. Issuers would have to distribute new cards containing chips at a per-card cost of at least double and perhaps four times the expense of a magnetic-stripe card.
Aite noted that some other technologies would cost less and be as or nearly as effective as EMV in reducing fraud. Since then, however, EMV’s prospects have improved, though by how much is still very much a matter of debate.
First, the U.S. appears to be increasingly isolated as the only major nation that has yet to implement or commit to EMV. Like EMV or not, can the U.S. continue to ignore it?
Second, some large merchants report they are gradually configuring their payment and back-office systems for EMV. And new point-of-sale terminals capable of supporting EMV are making their way to merchant countertops. These developments will reduce, though hardly eliminate, merchants’ upfront conversion costs when EMV’s day comes.
Third, Visa in August announced a three-part program to spur EMV and mobile payments, and it has a big carrot. Under Visa’s Technology Innovation Program (TIP), heretofore available only to international merchants, the network next October will eliminate the requirement that merchants annually validate their compliance with the Payment Card Industry data-security standard (PCI) provided that 75% of their Visa transactions originate at chip-enabled terminals. To qualify, POS terminals must be enabled to accept contact and contactless chip cards as well as near-field communication (NFC) contactless payments from mobile devices.
Visa still expects merchants to meet the PCI standards, but not having to validate compliance annually will be a big cost saver. The two other components of Visa’s program include a liability shift from issuer to merchant for counterfeit POS transactions that happen on terminals that don’t read contact chip cards, and a requirement that acquirers be able to support chip transactions and dynamic authentication.
Henry Helgeson, co-chief executive of Merchant Warehouse, a Boston-based independent sales organization, says that merchants “will bear the brunt” of EMV conversion costs even with Visa’s program, “but it’s not going to be without benefit.”
3. Small Tickets, Big Pain
The Durbin Amendment’s detractors predicted all along that the measure would produce unintended consequences. The early going seems to have proved them right, with banks adding consumer fees galore. For merchants, especially notable was the conversion by MasterCard and Visa of the Federal Reserve’s interchange cap into a floor, or, more accurately, a single price for accepting debit cards from regulated issuers for retail purchases under $15.
A cap means you can impose any price up to the cap. But both networks now apply the Fed’s cap of 21 cents plus 0.05% of the sale (plus another 1 cent under consideration for fraud control) for debit card transactions from issuers with more than $10 billion in assets as the replacement for their former small-ticket consumer debit interchange rate of 1.55% plus four cents.
Visa had planned a modest increase for big issuers, to 1.60% plus a nickel, but revised its schedule to match MasterCard’s after MasterCard revealed that its price would be a straight 21 cents plus 0.05%. (For unregulated issuers, Visa’s small-ticket rate is now 1.60% plus 5 cents while MasterCard’s rate remains 1.55% plus 4 cents).
Now, every transaction below $15 on a non-exempt card generates more interchange by applying the Fed rate than it would by using the old rates. (The lines don’t meet until $17.) The upshot: interchange costs more than triple on purchases under $2.50. Big issuers’ cards account for more than 60% of debit purchases.
Howls of pain have emanated from vending-machine owners and fast-food restaurants. “Those kinds of things will hurt the payment networks more than they will help them,” says Merchant Warehouse’s Helgeson. “We just closed the doors in attacking cash.”
A stock analyst who covers Coinstar Inc., parent company of the popular Redbox DVD-rental kiosk company whose base price is $1 per rental, predicted the new schedules would “kill the economics for small-ticket debit purchases and influence a shift back to [unregulated] credit cards. It will almost certainly lead to a merchant revolt against the card networks.”
Specialty vending-machine processors USA Technologies Inc. and Apriva Inc. said they were working to mitigate the effects of higher interchange, but as of mid-October the networks had not announced any pricing changes.
4. The Fraud Goblins Get Scarier
Halloween is over, but hackers and related demons haunt the payments business more than ever. Individual issuers and businesses may say their losses are under control, but the fact remains the industry is under determined attack by clever hackers using devilish bits of code called malware (“Malware Becomes More Malicious”).
Meanwhile, reports emerge every week about skimming and compromised point-of-sale terminals, with the Michaels Stores Inc. breach earlier this year being one of the most prominent cases.
Headlines like these deter consumers from using electronic payments, some experts warn. “It’s a huge red flag the industry has to deal with,” says Philip J. Blank, an analyst who follows fraud and security issues for Javelin Strategy & Research, a payments-research firm in Pleasanton, Calif.
The most common way to spread malware is through phishing e-mails, which either plant keyloggers or other code on recipients’ PCs or provoke visits to spoofed sites that download the malware. And these fake e-mails have gotten so sophisticated they’re just about indistinguishable from the real thing, Blank says. That means human gullibility remains the industry’s biggest point of vulnerability. “The best antivirus software in the world can’t keep someone from doing something dumb,” he says.
About 10.4 million malware samples were discovered in the second half of 2010, or about 17% of all samples found since 1990, according to the most recent report from the Anti-Phishing Working Group, an 8-year-old industry group that tracks phishing. It says phishers increasingly target corporate officers to gull them into revealing credentials that can be used to siphon funds from the business’s accounts. Indeed, some 55% of malware consists of Trojans, which can take control of corporate accounts.
The industry is taking steps to combat the problem. More financial institutions, for example, are offering free protection against so-called man-in-the-browser attacks, Blank says. Still, he warns, the plague “is going to get worse before it gets better.”
5. Merchants’ New Routing Freedom
There’s more in the Durbin Amendment than just pricing caps. It also bans so-called exclusive network affiliations on all issuers’ debit cards. That means any card that featured, for example, just the Visa brand for signature debit and the Visa-owned Interlink network for POS PIN debit must add at least one unaffiliated network.
Durbin also outlaws issuer or network policies that restrict merchants’ ability to get transactions onto any network available through a particular card.
Now, instead of competing for issuer business by constantly raising interchange, networks have a greater incentive to compete for merchant business by lowering rates. But will the theory prove true in practice, and will merchants take advantage of their freedoms?
It’s too soon to say if Durbin has indeed created network competition that benefits merchants. Debit leader Visa in July announced a new, fixed “network participation fee” to prevent a predicted drop in Interlink’s business, but revealed few details publicly. PIN-debit networks are reporting, however, that they’re getting lots of inquiries from banks and credit unions looking to add an unaffiliated network to their cards.
Regarding transaction routing, the seers expect big merchants that already prompt for PINs to use their new freedoms to hunt for even lower costs. The real question may be whether Durbin motivates smaller merchants to educate themselves about the minutiae of network pricing and transaction routing, and then make the needed changes in their systems to get the lowest debit-acceptance costs possible.
That’s a tall order. Payments consultant Janet R. Langenderfer, former senior director of credit cards at Amtrak, says issues such as transaction routing go over the heads of most merchants. Plus, she says, many third-party processors have their own deals with networks that limit merchant choices.
“The processors have been very quiet in terms of how they’re going to respond,” she says.
6. Who Controls NFC?
The industry made big strides this year toward finally creating mobile-payments networks based on near-field communication (NFC) technology, which is a two-way, short-range communication standard that, among other things, lets consumers make contactless payments with their handsets.
But who’s driving things? From all appearances, not financial institutions, even though you—and they—might expect them to be in charge when it comes to a payments system. Instead, players like Google, AT&T, Verizon, and T-Mobile have put together the projects that are grabbing headlines, Google with Sprint and the other three big carriers with an initiative called Isis. Sure, both Google and Isis have included banks, but banks aren’t in their usual commanding position.
“Banks won’t get cut out but they don’t control things,” notes Mark Beccue, a senior analyst at ABI Research who follows mobile payments. That’s because the non-banks in these emerging systems control the so-called secure element, the chip (or “wallet,” as it’s coming to be known) that houses the consumer’s payment credentials and media.
Access to that mobile wallet is the golden ticket in NFC-based mobile-transaction services. That’s why banks and carriers wrangled over it for years, delaying the long-anticipated launch of NFC. Now it appears banks may have to get used to ceding control to third parties—and possibly paying for access. “They just lose the primary control they’re used to having” in payments, says Beccue.
But the situation may not be all bad for banks, even if Google and Isis take off. The non-bank giants will have made all the big capital investments, notes Beccue, rather than banks. “That’s not cheap,” he says. And, notes Menekse Gencer, founder of mobile-payments consultancy mPay Connect, NFC “still makes the banks better off than if they were still issuing plastic.”
7. Post-Durbin ISO Economics
Lost in most press accounts about the Durbin Amendment was a key fact of bank card payments: Merchant acquirers, not merchants, technically pay interchange to card issuers.
Acquirers typically pass on the expense to their merchants. Any reduction in interchange rates by card networks presents to acquirers and independent sales organizations an opportunity to pad profit margins. For them, Durbin’s 45% cut on regulated issuers’ debit card interchange is actually an unprecedented profit opportunity.
So, will they or won’t they pass on the savings to merchants?
Heartland Payment Systems, which serves more than 100,000 small and mid-size merchants, declared long before Durbin took effect Oct. 1 that it would immediately pass on the reduced expenses, saying its average merchant would save more than $1,000 a year.
Heartland uses the “interchange-plus” pricing model that adds processor charges on top of clearly delineated interchange expenses. Hundreds of thousands of small merchants, probably millions, however, are on so-called tiered or bundled pricing plans in which interchange is harder to discern.
Many ISOs say their merchants like bundled or tiered pricing plans because of their simplicity. With most merchants much more concerned about running their businesses than about payment cards, Durbin will not spur many to shop for lower rates, they say.
Countering that is the intensely competitive nature of the ISO business. ISO salespeople will make sure every mom-and-pop merchant knows that costs have come down, and they’ll make it easy for them to get those savings (“The New Pricing Puzzle”).
The bottom line on the bottom line: Profits will grow for many ISOs in the near term, but three to five years from now, it may be hard to discern any Durbin difference.
8. Is Faster ACH Coming Too Slowly?
Last year, the Federal Reserve started a service that allows debits on the automated clearing house network to clear and settle the same day they’re initiated, rather than the next day. It was an important step toward keeping up with competing payment systems that offer faster transaction speeds.
But the Fed only switches 57% of ACH volume, and its service is voluntary for receiving banks. These and other factors have slowed adoption, and led to pressure on NACHA, the Herndon, Va.-based organization that regulates the ACH, to create a network-wide system for faster settlement, with mandatory participation by endpoints.
In September, NACHA obliged with a 22-page request for comment on a proposal for same-day settlement. That’s progress, but don’t expect any major action any time soon. Comments are due on the proposal, which technically amounts to a change in NACHA’s rules, by Nov. 18. NACHA will then prepare a ballot for a vote on the measure by its membership in the first quarter of next year. NACHA proposes that, if approved, the Expedited Processing and Settlement system will go into effect March 15, 2013. Approval will require a supermajority, or around two-thirds, of members’ votes.
Is 2013 soon enough? Competing payment channels are already faster. Check image exchange, for example, is capable of clearing funds the same day. And increasingly mobile consumers and merchants are looking for faster payments.
At the same time, some financial institutions have formed direct links among themselves outside the network in part to enable faster funds movement, especially on returned items, a development that concerns NACHA because it diverts volume from the network and hampers risk control.
Will EPS be worth waiting for? Maybe. It has some key advantages over the Fed system. It would apply to both debits, or transactions in which merchants pull funds from consumers’ accounts, and credits, payments initiated by consumers to pay merchants. The proposal also requires that all so-called receiving financial institutions, the banks that take in ACH transactions and then debit or credit accounts, support EPS.
Now, a lot is riding on how businesses—with feelings still raw after a titanic battle with banks over debit card interchange—will react to the eventual fees originating banks will charge for the faster service.
9. A PCI Netherworld for Mobile Acceptance
Companies that offer applications that let merchants accept payments on handsets entered a sort of limbo a year ago when the PCI Security Standards Council, which manages the Payment Card Industry data-security standard (PCI), announced it would stop reviewing such apps.
The Wakefield, Mass.-based Council said the existing Payment Application data-security standard (PA-DSS), a set of PCI-related security rules that apply to payment software, needed to be reworked to account for mobile acceptance. Fair enough. After all, the PA-DSS was written for software that works with conventional, fixed point-of-sale terminals.
In June, the Council released its first policy for mobile acceptance. It was a hopeful sign, but for some not hopeful enough. While the Council said certain apps can now be considered for validation under PA-DSS, it continued to bar programs written for consumer handsets, such as smart phones. It said it will not review such apps until it has developed further guidance, which it said will be done by the end of the year.
Products that can now be considered include: those that work only on mobile devices that are approved under the Council’s PIN Transaction Security requirements, which govern devices with PIN-entry capability; and those included as part of a dedicated system that can be used only for payments.
Still, mobile apps for merchants and even individuals to accept card transactions continue to flourish, leaving critics complaining that the Council’s moves so far are too narrow and too tentative.
10. The ACH And Mobile Transactions
Should the ACH have a dedicated transaction code for mobile payments? Some experts think so, and were disappointed last year when NACHA decided for the time being to track mobile activity under an existing code, WEB, which applies to online bill payments.
Programming for a new ACH transaction code can be time-consuming and expensive, but by including mobile under an existing code, banks may be assuming too much risk as mobile traffic gains volume, some observers fear. To properly monitor mobile risk, “It’s going to be very important to separate this out,” says Gencer of mPay Connect. “It’s even more important now,” she says, than when NACHA first decided to use an existing, rather than a dedicated, code.