What’s keeping you up at night? If you said nothing, you’re lucky. Here’s a list of the biggest issues troubling most payments executives today.
We live in a world full of tribulation and turbulence, and the payments business is no exception. Herewith, we offer our annual catalog of the 10 biggest issues the industry faces today. We wish we could offer easy solutions, but hard problems are hard precisely because they admit no easy answers.
Still, we contend it’s useful to face these issues squarely, to round them up in a list like this and dig into them a bit. If you agree, you may find this list a useful start toward confronting and solving issues in your shop. We hope that’s the case. If you disagree … well, it’s a free country.
At any rate, if you think we’ve omitted something just as pressing as the items on this list, please let us know and we’ll consider it for next time. Just shoot me an email at john@digitaltransactions.net. Meanwhile, may all your problems prove solvable—and if they do, please let us know how you did it!
- No Solution for Data Breaches?
There are now three, not just two, certainties in life: death, taxes, and data breaches. Despite 13 years of PCI security standards and ever-increasing attention and money spent toward preventing and mitigating data breaches, they just keep on coming.
Risk Based Security Inc. says data breaches are on a record-setting pace this year. The data-protection analytics and consulting firm tallied 3,813 breaches in 2019’s first half, up 54% from a year earlier. Those breaches exposed more than 4.1 billion consumer records, up 52% from 2018. Of course, many compromised records are not payment card or bank-account numbers and related data, but millions still are.
There is some good news. Visa Inc. recently reported that for merchants who had completed their EMV point-of-sale terminal upgrades, dollars lost to counterfeit fraud—the bane of magnetic-stripe payment cards—had dropped by 87% as of March compared with September 2015. Over the same period, Visa says counterfeit fraud dollars lost by all U.S. merchants fell 62%, and Visa’s overall card-present fraud rate declined by 40%.
The payment card networks’ October 2015 EMV liability shifts transferred responsibility for counterfeit fraud to the merchant if a POS terminal couldn’t read an EMV card’s chip.
Fraudsters intent on counterfeiting credit and debit cards need supplies of card data typically stolen in data breaches. So while counterfeiting is in a steep decline as mag-stripe cards go away, data breaches continue because the demand for card data has not gone away. The data simply is being used for more online fraud and variations of identity fraud. So, sadly, breaches will continue for the foreseeable future.
- E-Commerce Fraud
There’s nothing new about the scourge of fraud in e-commerce markets. The difficulty in vetting users has always meant losses here are higher than in physical stores.
And the cost doesn’t stop with the purloined merchandise. Total costs—including mitigation efforts—are highest among mid-to-large e-commerce merchants, according to Alpharetta, Ga.-based Lexis Nexis Risk Solutions. The firm’s latest “True Cost of Fraud” report, released in September, found each dollar of fraud costs these sellers $3.50, higher than in any other category of merchant studied.
There are multiple reasons for this, but in general online merchants have been easier pickings for fraudsters because it’s harder to verify identities online. Indeed, LexisNexis blames synthetic IDs, automated bot attacks, and ID-verification challenges for an overall increase in fraud attempts against all merchants.
In response, the global card networks are ushering in two major technologies. One of them, called 3-D Secure 2.0, is the second generation of an older technology aimed at simplifying the process of making sure users are who they say they are. The other, called Secure Remote Commerce, has a twofold aim: securing transaction data with tokens and streamlining checkout flows with a single buy button.
SRC is expected to go live with most networks by the end of the year, and processors are already lining up to introduce 3-D Secure 2.0. Amsterdam-based payments gateway Adyen N.V., for example, is rolling it out across Europe (“Europe’s All-Embracing Regulations,” this issue) and expects to launch it in the United States next year.
The big drawback with the first version of 3-D Secure was that it complicated transactions, leading many merchants to abandon it. Will the new version be less forbidding? With SRC, some merchant groups are concerned about how the tokenization process will affect their transaction-routing rights under the Durbin Amendment. Networks like Visa and Mastercard say those rights will be respected. It remains to be seen whether merchants will buy that.
- Authentication: Confusion at the POS
Merchants have long wanted to ensure the consumer conducting a payment transaction at the point of sale is who she says she is. With streamlined options—think mobile wallets and biometrics—merchants have access to digital verification techniques. But one stalwart, the signature, continues to persist despite card-brand changes that made signature authentication optional for EMV-accepting merchants.
A year ago, a National Retail Federation survey found that 40% of retail executives planned to drop signature requirements for payment card transactions. Without data, it’s unknown how many merchants continue to ask for a signature when it’s not necessary.
Efforts to move even farther from signature authentication at the point of sale progressed with the release this summer of the Apple Card. This digital-centric credit card sequesters all of the card information—full card number, expiration date, and card verification code—in the companion iPhone wallet. The Apple Card also eschews a signature panel.
The Apple Card is among the first credit cards to make such a drastic push for digital authentication, especially for e-commerce transactions. “Apple Card is a step in the right direction from a data-security standpoint,” Jordan McKee, research director at New York City-based 451 Research, says in an email. “The go-forward goal of the industry should be to eliminate the usage and visibility of sensitive data wherever possible.”
The reliance on Apple Wallet to house confidential payment information for the card won’t change how payment data will be processed and stored for transactions, says Krista Tedder, director of payments at Pleasanton, Calif.-based Javelin Strategy & Research.
“What will change is the authentication approach used to authenticate the payment, store the credentials for subsequent usage, and how the consumer can access the information,” Tedder says. “Leveraging Apple Pay or other stored-credential applications, which require additional authentication, such as device fingerprinting, biometrics, or other tools, meets multifactor authentication guidance that the industry is moving towards.”
- FedNow’s Impact on Real-Time Payments
Until August, everything seemed to be cooking along for real-time payments in the United States. That’s when the Federal Reserve, which had been hinting for months that it might get involved, jumped into the game with both feet. Now observers are fretting that the newly christened FedNow real-time payments effort, which isn’t supposed to begin operating until 2023 at the soonest, could slow the momentum that had been building for blink-of-an-eye payments processing.
Much of that momentum has been the result of a real-time service rolled out in 2017 by The Clearing House Payments Co. LLC, the New York City-based automated clearing house and wire operator owned by 24 of the nation’s biggest banks. By this fall, TCH’s RTP service had connected to just over half of the nation’s accounts for real-time receipt.
Mid-size and small institutions are said to welcome the public option offered by FedNow as a counterweight to the private-sector service from TCH. Some bankers worry that, with only TCH to turn to, pricing will skyrocket. But others are concerned that waiting for FedNow to go online four or five years from now will only slow progress in the United States toward the long-held goal of real-time payments.
Meanwhile, the RTP service, built on technology from Mastercard Inc.’s Vocalink unit, is still signing up customers. In September, New Jersey’s Cross River Bank was the latest.
- The EMV Fuel-Pump Conversion Looms
Even with three additional years beyond the original liability shift for EMV transactions, the petroleum-industry outlook for full EMV compliance is not good.
With its original compliance date of October 2017 postponed to October 1, 2020, the fuel-retailing industry’s EMV conversion for in-store transactions has progressed well. A recent survey from Conexxus, an Alexandria, Va.-based information technology association, found that 86% of those surveyed reported full EMV compliance inside their stores. It’s at the pump where the challenge looms. Here, only 13% said they have contact EMV deployed.
The good news, especially with a year to go, is that 80% of those without EMV at the pump planned to implement it. The big impediment is software. Fifty-two percent said the lack of available software stood in the way. Only 42% said that they are or will be 100% compliant by the 2020 date. One-fourth did not know when they might be ready.
The extra time for EMV at the pump appears to have been very necessary, especially as vendors prepare EMV-compliant products. One, Gas Pos, launched a service that puts EMV-compliant card readers in fuel dispensers and in convenience stores, all of which are connected to a fuel controller.
Citgo Petroleum Corp. released its EMV-acceptance Passport software, provided by Gilbarco Veeder-Root, this summer. Gilbarco, in conjunction with Chevron Corp., developed a trade-in program for retailers to get EMV-compliant equipment. And Wayne Fueling Systems LLC launched an online EMV resource center for c-store operators.
The work will prove essential. Already aware of EMV at the point of sale, consumers have a heightened perception of payment security. Sixty-two percent of U.S. adults in an ACI Worldwide survey from earlier this year said they were concerned about the security of their financial data when making a payment at fuel pumps.
- Merchant Account Attrition & Retention
Not only is merchant retention valuable to acquirers for the immediate needs of generating revenue, but as competition incessantly intensifies, strategies to support lower attrition have a long-term value.
Reasons for this are many. ISO executives looking for an exit by selling their entire portfolio will get higher multiples on revenues if their merchants are spread across multiple industries, and the portfolio has relatively low attrition, according to Jon Engleking, chief operating officer at Super G Capital LLC. “The buyers are looking for a well-balanced portfolio,” he said. “You’re going to get a higher multiple the more diversified your portfolio is.”
A buyer may view a balanced portfolio with a lower attrition rate relative to another as the better acquisition.
Retaining merchants, though, is a daunting challenge. The industry’s concerted effort in the past few years with cloud-based point-of-sale systems directly aims at this issue. Such POS systems can be a hub for all of a merchant’s data, not just for enabling and tracking its payments. Even online payments companies are getting into the point of sale. Stripe Inc. added in-store payment software for certain countertop devices its merchants can use.
“While we mostly focus on Internet businesses, 90% of consumer spending still takes place in person,” Devesh Senapati, product manager for Stripe Terminal, said in a blog post.
One piece of advice when using cloud-based POS systems and integrated software in this way is to start by pitching it to the existing merchant portfolio, says Pierre-Emmanuel Perruchot de La Bussière, vice president of business development and partnerships at Vend Ltd., a New Zealand-based POS-system developer with offices in San Francisco.
Trying to sell a new solution to existing merchants “might be the better idea,” he says, because the sales organization already has an established relationship with the merchant and doesn’t need to forge that simultaneously with a sale.
- Discounting & Surcharging: Confusion Persists
Merchants are always interested in reducing their payment card acceptance costs, and two ways to do that are by adding a surcharge for card payments or by giving customers a discount if they pay with cash. Thus, surcharging and cash discounts have been hot topics for several years now at regional conferences for independent sales organizations.
Despite all the educational sessions, implementing surcharging and cash-discount programs properly remains a confusing and sometimes perilous task for ISOs and their merchants, who must abide by network rules governing the programs or risk losing their card-acceptance privileges.
While surcharges require proper notifications and have other requirements, cash discounts can be especially troublesome to implement and are “one of the most misunderstood programs” for merchants, one merchant-acquirer executive said at a conference this year. Critics say cash discounts frequently are just surcharges in disguise because merchants often raise prices before applying the discount.
Cash discounts generate questions partly because of a paucity of network rules governing them compared with surcharges, one acquiring executive on a conference panel noted. One key requirement is that only credit card sales can be surcharged.
Confusion about rules governing cash discounts became so widespread that Visa Inc. a year ago issued reminder guidance to the acquiring community. Acquirers are charged with enforcing Visa and Mastercard Inc. network rules.
Some ISOs remain enthusiastic about surcharging and cash-discount programs because of their high margins. Relatively few merchants have implemented either cash discounts or surcharges so far, but expect more if margins remain high—and the networks don’t crack down.
- Can Anyone Ever Get Away With Charging for P2P Payments?
The good news for payments companies is that person-to-person payments are wildly popular. But that’s also the bad news. The reason? For the most part, P2P payments are free to users. Two of the country’s biggest networks, PayPal Holdings Inc.’s Venmo and Early Warning Services LLC’s Zelle, charge users exactly zero for each payment.
That’s costing the networks a lot of foregone revenue. PayPal, for instance, reported in July that Venmo’s volume soared 70% in the second quarter to $24 billion. But the free transfers helped knock the company’s take rate—the percentage it keeps on each transaction—down 13 basis points to 2.25%. Early Warning faces much the same problem with its $44 billion in quarterly Zelle volume. So does any outfit offering P2P these days.
How to solve the ironic problem of overwhelming popularity for a free product that the market expects to remain free? PayPal has promoted fee-bearing services based on Venmo, like instant withdrawal, a Venmo card, and Pay With Venmo, an e-commerce service. On these services, some 1.5 million Venmo users performed a “monetizable” transaction in the second quarter, PayPal said, letting the company draw user or merchant fees. The instant withdrawals alone account for about half the take.
Will that work for everyone? Time will tell, but for now the best things in life—including P2P payments—remain free.
- Can Private-Label Wallets Survive?
Most observers would agree that while they have yet to set the world on fire, the general-purpose mobile wallets often called “the Pays”—Apple Pay, Google Pay, and Samsung Pay—are likely to be around for a while. Apple Inc. claims Apple Pay is on track to hit 10 billion transactions this year. Samsung Pay just added an international money-transfer service and a virtual prepaid card, and Google continues to integrate Google Pay with its many other services.
Meanwhile, consumers have embraced a handful of mobile wallets offered by individual merchants, particularly Starbucks and Dunkin’. And Walmart continues to enhance the Walmart Pay service within the Walmart app.
The same can’t be said of the bank mobile wallets that began appearing at mid-decade. Only a few big banks—most notably Chase, Citigroup, Capital One, and Wells Fargo—offered them, and they functioned as private-label alternatives to the Pays. Customers could load credit and debit cards from those banks into the wallets to pay where Visa and Mastercard mobile payments were accepted.
Despite having tens of millions of customers, though, the banks’ smart-phone payment apps failed to catch on with consumers. Cap One and Wells quietly folded their wallets last year, and Citi shuttered its Citi Pay service Aug. 31.
The biggest blow came when Chase, the nation’s largest credit card issuer and provider of the Chase Pay mobile wallet, said in August that it would discontinue the app in early 2020. The Chase Pay service, however, will carry on as a payment option on merchant Web sites that display its logo and through merchant apps, as well as through PayPal. And some Chase Pay features are now in the Chase banking app.
Thus, while the Pays and the mobile wallets of a few dedicated merchants seem likely to survive, not so for standalone payments apps from banks. Observers say banks would be better off improving their mobile-banking apps rather than competing head-to-head with the Pays. “The days of bank-branded wallets are coming to an end,” says payments analyst Jordan McKee of New York City-based 451 Research.
- Real-Time Payments and the ACH
The growth of real-time payments, especially since the Federal Reserve proposed its FedNow real-time gross settlement service in August, has generated a tide of questions (“The New Reality in Real-Time Payments,” September). Among them are the possible effects of real-time payments on the nation’s automated clearing house network.
Once considered a massive but dull backwater of payments, the ACH in recent years has adapted to changing technologies and merchant and consumer demand with new transaction categories and speedier settlement.
ACH governing body Nacha rolled out same-day ACH settlement in 2016, and same-day transactions now number more than 1 million per day. In September, a requirement for faster funds availability took effect. Next up is an increase in same-day transaction dollar limits, from the current $25,000 to $100,000, set for March. Extended operating hours are planned for a year after that.
What the ACH needs to do to stay competitive in a rapidly changing market for faster payments is a matter of debate. In written comments for September hearings by U.S. House and Senate committees probing faster-payments issues, Nacha noted that the ACH, for which The Clearing House and the Fed are the two U.S. operators, already is a model of interoperability—a key issue as faster-payment systems proliferate.
But Nacha said the payments industry needs more from the Fed than just FedNow, especially expanded hours of operation from the Fed’s National Settlement Service.