Digital Transactions Authoritative, insightful and timely information for payments professionals
Linda Punch
New authentication tools and other technologies are dimming the once-bright line between card-present and card-not-present transactions. Will the card networks take note of that trend any time soon?
In an era of mobile wallets, tap-and-go, and other alternative payments using devices other than traditional cards and card readers, the use of the longstanding card-present and card-not-present concepts to set interchange appears to be anachronistic.
And while changing or altering the definitions to fit today’s reality may seem to be an easy task, the results could mean a major loss of revenue for issuers and a sharp drop in interchange rates for e-commerce and catalog merchants. A change also could remove a barrier—higher interchange costs—that prevents widespread merchant acceptance of competing alternative payment methods.
The concept of using card present (CP), or face-to-face, and card-not-present (CNP) transactions as a criterion for determining interchange rates emerged in the early days of the card industry. Interchange is the percentage of a transaction sent back to the issuer to cover fraud, processing, and other costs. Acquirers pay interchange and then pass it along to merchants.
The card networks, including Visa and MasterCard, consider card-not-present transactions to be riskier than card-present transactions because the card cannot be verified as present at the time of checkout. Hence, CP rates are lower than CNP rates, typically by about 50 basis points. For transactions to qualify for CP rates, the card, cardholder, and merchant must all be present at the time of the transaction.
The networks also require that magnetic-stripe data be sent in the authorization message to the processor. Network rules prohibit the storage of mag-stripe data, so the card must be swiped at the point of sale for each transaction to send the mag-stripe data and achieve the lower CP rate.
“The [card networks] really care about those four things: swipe or imprint the card, check the signature on the back of the card, check the expiration date on the front of the card, and get an authorization,” says Tom Pouliot, payments evangelist at Litle & Co., Lowell, Mass., and former vice president of e-commerce at MasterCard. “What we had was mail order/telephone-type transactions—they couldn’t do three of those four things.” E-commerce transactions were later added to the CNP category.
A ‘Safer Purchase’
But over the decades, new technologies have blurred the distinction between CP and CNP transactions. For example, in the mid-1990s, the card networks allowed capped transactions at cardholder-activated terminals at gas pumps and vending machines to be processed as CP transactions, Pouliot says.
“They could read the card, but they couldn’t check the signature and they couldn’t check the front of the card for expiration date,” he says. “So we’ve always had these sort of face-to-face/non-face-to-face card-absent card transactions really since the mid-90s.”
That blurring of the CP/CNP line has only accelerated with the emergence of new technologies such as near-field communication (NFC), mobile wallets, and other alternative payments.
For example, with NFC, a stream of data is sent from a mobile device to a point-of-sale reader that authenticates the device, says Rene Pelegero, president and managing director, Retail Payments Global Consulting Group. NFC transactions using standards developed by Visa and MasterCard qualify for CP rates when used at brick-and-mortar stores.
If the same data captured by NFC can be transferred using a mobile phone or other devices, “why would that also not be considered card present?” Pelegero says.
Further, new technology promises to make the distinction even fuzzier. “You look at where some of these things want to go,” says Tim Sherwin, executive vice president, Cardinal Commerce Corp, Mentor, Ohio. “They want you to walk into a store and take out your phone, scan the products as you pick them up off the shelf and throw them into your bucket, and check out with your mobile wallet and walk out of the store. Was that card-present or card-not-present?”
In many cases, the new technologies are equal to or superior to using a card to authenticate the cardholder, says Bill Pittman, a payments consultant who formerly worked at Amazon.com. “You can authenticate yourself with your phone better than you could just by having a card in your hand,” he says. “There’s a lot of different two-factor authentication methods and everything else that allows you to authenticate yourself much better than you can with a signature.”
Many e-commerce merchants also have sophisticated fraud systems that change their risk profiles, eliminating much of the difference between selling online and in the real world, Pittman says.
“They have really sophisticated e-commerce fraud systems and they know their customer,” he says, noting that Amazon “sometimes had lower chargeback rates than brick-and-mortar retailers did because we had so much customer history and data and information about them when we were able to do the transactions.”
E-commerce merchants often have more repeat customers than retailers in the physical world, Pittman adds. “A repeat customer is a much safer purchase than someone walking in off the street because you’ve got all that history on them, you know what they buy, you know everything about them. And you’ve already done transactions with them and they paid their bills and received the merchandise, so it’s a much lower-risk transaction.”
Payment-processing gateways used by e-commerce and catalog merchants also have technology that mitigates risk and makes the CP/CNP distinction almost meaningless. And they can provide data that would allow networks to assess risk using such factors as where a transaction is initiated, whether the device uses a fraud screen, and other criteria, rather than just whether or not a card is present, Sherwin says.
“From a gateway-processor interchange perspective, all of the infrastructure is in place to be able to pass data in a transaction that impacts interchange and liability,” Sherwin says. For example, a transaction “was conducted with a [digital] wallet so we know the user had to log in and authenticate when their bank issues a wallet,” he says. “That data can go back to the merchant along with the payment information that would ultimately go through the authorization and impact it on some scale.”
‘Too Entrenched’
But while many in the industry believe the definitions of CP/CNP need to be updated, thus far MasterCard and Visa have not publicly announced any plans to revise the definitions. And many observers don’t foresee any action in the near future. MasterCard and Visa did not return calls asking for comment.
“The challenge is that the [networks] make up the rules and is it in their best interests to change them?” Pittman says. “But if you think about having a card present and a signature, it really is a pretty antiquated, non-verifiable way of authenticating yourself. There are much better ways to do that with new technology where that would be applicable to e-commerce merchants, card-not-present and mobile merchants, and everything else.”
But the networks traditionally have been reluctant to broaden the CP definition to account for new technologies because they want to preserve the differential in interchange for issuers, Pelegero says.
He cites his experience as head of payments at mega e-retailer Amazon.com when he considered adopting new payments technology that would have captured the data from the magnetic stripe needed for authorization as a CP transaction.
The card networks “immediately pushed back,” saying that in addition to the mag-stripe data, they needed “a clerk to look at the card and make sure it’s not a blank piece of plastic and we needed to have a signature” to qualify as a face-to-face transaction, Pelegero says.
“I thought that was a little hypocritical to the extent that when you go to an unattended gas pump, none of that happens,” he says. “When you go to many department stores, they have the card reader facing the consumer, just put the card in and the clerk never sees the card, yet that is considered card-present. So the business of being able to do card-present versus card-not-present I think is an artificial one.”
The card networks also hold a virtual monopoly on payments in the e-commerce and mail-order/telephone-order worlds, says Avivah Litan, technology and security analyst at Gartner Inc., Stamford, Conn.
“They’re too entrenched right now,” she says. “When you talk about changing interchange-fee policies, they’re not going to do it unless they absolutely have to. And right now, they don’t have to.”
Adds Pouliot: “Right now, [credit cards] dominate that space. There’s no real economic reason for them to say ‘Wow, you’re an electronic-commerce merchant, we really like you, we want to promote electronic commerce, therefore we’re going to give you a break.’ They’re going to say, ‘Hey, you’re an electronic-commerce guy, you need my product for you to be successful. So why should I give you a break?’ That’s the mentality that has to switch.”
‘Not in Their Interests’
But Sherwin believes the networks are moving toward revising the CP/CNP concept within the next 18 to 24 months. “Being networks and public companies—no longer associations of banks—I’ve seen them be a lot more aggressive or independent in defining interchange rules and liability rules,” he says, adding that the networks “don’t have to go through such rigorous processes and committees and get sign-offs from all these banks.”
In addition, the networks want to differentiate new products, such as mobile wallets, “and I would suspect they’re going to be a little more aggressive in terms of creating stronger value propositions in terms of merchant acceptance,” Sherwin says.
Pouliot notes that the card networks already demonstrated a willingness to lower interchange rates on CNP transactions when they adopted the Secure Electronic Transactions authentication protocol for e-commerce transactions in the late 1990s. Visa and MasterCard offered the authentication tool as Verified by Visa and MasterCard SecureCode. It allowed online shoppers to use their credit card online without actually giving their account number to the merchant.
Using the SET protocol, cardholders provided their information to their card issuer to confirm their identity, and created a password. Shoppers used the password at checkout to confirm their identity, rather than enter their account data. On transactions processed under the SET protocol, liability transferred from the merchant to the issuer.
Although the protocol “failed miserably,” it indicated that the networks are willing to develop alternatives to CP/CNP, Pouliot says. “It shows the associations are at least open to going ahead in a non-swipe/non-face-to-face transaction and have regulations that shift the liability from the merchant to the issuing bank.”
Sherwin sees the card networks treating e-commerce and MOTO transactions “as a payment-authenticated qualified e-commerce transaction,” which will have lower interchange than non-authenticated transactions. “You could easily argue now that if I have downloaded an app on my phone, gone through an authentication process, loaded my wallet with my Citibank app, and make a transaction, that’s a pretty secure transaction,” he says.
The growing popularity of NFC also could play a role in the card networks changing the CP/CNP definitions, Pittman says.
“With NFC, you’re going to be able to store the cardholder data in your phone or your mobile device,” he says. “Theoretically, if you’re going to purchase something in e-commerce, and you’ve got your card-present data on your phone, you could then do a card-present transaction. You’ve got your device, you can authenticate yourself with your device, and you’ve got your cardholder information in that device.”
But Pouliot, like others, is pessimistic the card networks will make changes any time soon despite the increasingly fuzzy line between CP and CNP transactions. “If this thing is blurring, do you think electronic-commerce, mobile merchants are going to go ahead and actually pay less? Wow. No,” he says. “Why? I’m not sure quite yet you can make a business case that the issuer can give up that revenue. It’s really a business thing.”
Adds Pittman: “Unless something changes—there’s a competing alternative payment or something the associations see as a threat—then they’re likely to move very slow or not likely to make changes. Just from a business perspective, it’s not in their interests.”
