Digital Transactions Authoritative, insightful and timely information for payments professionals
By Steve Mott
Scratch most of the proposed or existing wallets, and you’ll find the same payments infrastructure everyone is trying to move beyond. What’s needed is an alternative that benefits consumers and merchants as much as it does banks, networks, and carriers.
The rising tide of mobile payments began late in the spring with a flurry of announcements for mobile wallets. Ever since, glamorous videos, breathless ads, and bold business proclamations have promised that these little software containers for payment credentials and marketing offers will transform the point-of-sale transacting experience forever.
But a closer look reveals that this first generation of mobile wallets doesn’t really change things much for the better, and might be creating more problems for both consumers and merchants than they solve.
Four mobile-wallet product offerings announced so far come from companies with deep pockets and grand ambitions:
– Google entered live-pilot mode in September in a few cities with a handful of merchant locations.
– Isis, a collaboration of the major U.S. wireless carriers, plans an initial launch in February 2012 in Salt Lake City.
– Visa announced a target fall introduction date for its digital wallet for both e-commerce and m-commerce, but is now expected to launch in 2012.
– PayPal, which originally planned to partner with Google in mid-2011, now plans to go live with its first merchant before the end of the year.
Close on their heels, a number of big banks are rumored to be entering the market, perhaps using the Visa wallet. And Apple and Facebook are poised to introduce their own self-contained mobile-transaction solutions at any time.
Yet most of these initial products don’t appear to provide much in the way of consumer privacy or safety. And while all declare that they will be “open” to various forms of payment and marketing participation, early indications suggest that these wallets could be restrictive and are far from merchant-friendly.
Path of Least Resistance
In their quest to cash in on the vast riches expected from mobile-marketing offers, each of these providers apparently expects to freely use consumer and merchant data to drive m-commerce that primarily benefits them, as wallet providers.
Ironically, none of these wallets (except PayPal’s) demonstrates any sign so far of promoting the safer and more cost-effective forms of payment that are now possible with the advent of digital technology. Instead, the first generation of mobile-payments products seems intent on preserving the status quo in payments, while triggering a horse race between new digital players and legacy payment brands for the largesse in mobile marketing.
While most of the rest of the world is content to do mobile payments through wireless carrier networks and non-banking business models, the U.S. is deeply rooted in trying to convert the contents of physical wallets and pocketbooks into the metaphor of digital containers for plastic cards and paper coupons.
Some 400 such mobile-wallet offerings are reportedly offered by someone somewhere in the world, but most prognosticators view it as likely that there will be no more than half a dozen popular wallets in the market by mid-2012.
Moreover, a number of researchers believe that most consumers will download just one wallet, or at most two, into their handsets. Then they’ll simply load the payment accounts they were most comfortable with, and collect the offers they like, into that container or two.
Hence the rush to get into the marketplace, in many respects well in advance of having an infrastructure available to accommodate much adoption.
With that in mind, the path of least resistance for the new digital players was to simply convert their existing payment card accounts from the physical world to mobile venues. This is easier and faster than taking on the legacy payment brands and financial institutions by trying to introduce new and safer ways to pay.
Pricey Wallets
This is not to say there weren’t a few attempts at real innovation. Early on, Isis, which comprises AT&T, Verizon Wireless, and T-Mobile, proposed creating a new mobile-payment type based on the decoupled-debit card model, riding the Discover Network rails. But, earlier this year, that consortium did an about-face and decided to accommodate the legacy payment brands.
Similarly, Google, which has struggled with its Checkout online payment service that is now being folded into Google Wallet, quickly decided to be payment-agnostic in mobile. Rather than challenge the status-quo payment players by innovating on the wallet “front end,” the online-advertising king decided to put its competitive focus on extending its marketing dominance to the mobile-offer “back end.”
Visa, of course, is all about extending its dominance in 20th-century mag-stripe forms of payments to all things digital (“What Visa Is up to,” July). While it professes to make non-Visa payment options available in its “open” wallet, nobody expects it to accommodate, say, a low-cost ACH payment alternative, or host merchant-based private-label credit cards.
More important, Visa clearly hopes to extend its business model by joining the gold-rush to cash in on serving and redeeming mobile-market offers.
Only PayPal offers the possibility of breaking away from the status quo. It is following a business model that extends its blended-funding payment mechanism to mobile transacting, with the opportunity to change the account-loading choice after the sale.
And its innovations in using near-field communication (NFC) solutions that do not require carrier-based security components, accepting cards at the POS that encrypt mag-stripe credentials, and using phone numbers with PINs for some transactions actually do move the industry’s needle forward on digital payments.
PayPal’s dependence on funding accounts half the time with signature-based cards, however, might keep it from extending meaningful price breaks to most merchants.
PayPal aside, the wallet developments so far have been all about extending to mobile venues all of the problems of the mag-stripe, plastic card paradigm: unabated fraud, use of stolen card credentials to fund Al Qaeda operations, chargeback handling costs, PCI-compliance nightmares, and so on.
Worse, the additional costs of mobile transacting (such as loading payment accounts into wallets with additional security measures, additional authentication, offers processing fees, etc.) at legacy plastic card fees stand to make mobile transacting more expensive for merchants than what they have today.
The NFC Trap
So what’s the business case for adopting mobile?
Most of these mobile wallets (again, PayPal is a notable exception) are designed to exclusively use NFC, the tap-and-go form of passing payment credentials via radio-wave transmissions from handsets to POS terminals.
NFC is an upgrade from the marketplace’s disappointing experience with one-way contactless payments, where Visa and MasterCard provided 150,000 tap-and-go terminals to merchants largely free-of-charge, but offered only signature-based credit and debit card payment options at existing rates.
At those fee levels, with little support from issuers to get consumers to even know they could transact in this new format, there was no real business model for either consumer adoption or merchant acceptance.
With NFC, the business model ought to be much improved. To be sure, payments data flow the same one-way path, in this case from the handset to the terminal, through a standard terminal interface known as ISO 14443. But loyalty, marketing, and rewards information could pass bi-directionally through an updated interface known as ISO 18092.
This ISO 18092 upgrade, in turn, has enormous potential to improve buyer-seller interactions and communications and make ad and marketing spends much more cost-effective.
On top of that, the unique capabilities of mobile (for example, knowing the buyer’s location, having the ability to reach the consumer any time, anywhere in real time, enabling two-way information exchanges in real time, and so on) will make possible more relevant and targeted marketing offers, such as coupons and discounts. And marketers will pay a premium for such efficiencies.
Yet the Google, Isis, and Visa wallets not only stand to offer high-priced signature-based, plastic card payment options for the foreseeable future, while charging additional fees for mobile use. They also appear to intend to capture consumer and merchant data from mobile transactions to place coupons and other marketing offers with only minimal remuneration to merchants for hosting these transactions and generating that data.
NFC use, however, requires that the contactless terminal receive a payment credential only from a tamper-proof computer chip (in the card or handset) known as a secure element (SE). Once a payment type is loaded into the SE, the NFC computer chip, which houses the mobile wallet, accesses and transmits those payment credentials to the terminal.
That means that consumers could only make NFC payments if they have a handset with an available SE. As of today, SEs are in highly limited availability, access to them is rigidly controlled, and their use for payments aggressively priced by the mobile carriers.
What all this boils down to is that an NFC-only solution hits merchants and their customers with a triple whammy just as interest in mobile transacting at the POS is gathering steam: bank-based legacy payment costs and baggage; carrier-based restrictions and limitations; and digital-marketing business models that play fast and loose with their data security and privacy.
No wonder so many forecasts for U.S. mobile-payments growth remain so modest!
Mobile’s Dark Side
Moreover, until alternative approaches to security gate-keeping from either banks or carriers are developed and deployed, the mobile-wallet story gets even worse.
Mobile payments can and should be much safer than magnetic-stripe plastic cards, where account credentials are easily compromised and fraud is rampant. Mobile transacting offers several more sources of identification (unique handset number, mobile phone number, carrier-network designation, location, etc.) and important new means of verification (real-time responses, location confirmation, out-of-band authentication, etc.).
And the big payoff for mobile transacting is its digital form, which makes encryption and tokenization of account data a natural and efficient mode for securing payments.
Merchants are therefore naturally excited about bringing mobile to POS transacting so that they can finally get relief from the scourges of legacy mag-stripe payments. In particular, an estimated $20 billion in merchant expenses has been largely wasted on compliance with the Payment Card Industry data-security standard (PCI), according to a Merchant Advisory Group survey. That sum could have paid for the costs of deploying a secure, chip-based NFC and EMV infrastructure three times over!
So why not tap the full power of chip-based technology and move on to a better payments paradigm?
The answer lies in the interests of legacy payment brands and members in preserving the status quo. Visa, for example, consistently looks for opportunities to merely tweak the existing mag-stripe infrastructure to help its issuing and acquiring banks avoid big investments in upgrading their systems to chip-based technology until they have a compelling business case to do so. This incremental, take-small-steps approach to security is manifested in the Visa-led solutions to NFC and EMV.
Visa’s solution to doing mobile payments with NFC (via the ISO 14443 standard), provides dynamic data encryption of the cardholder verification value (CVV) and some related transaction information, but continues to retain key account credentials (the 16-digit personal account number, or PAN, and the expiration date) in-the-clear.
This approach solves the relatively small problem of man-in-the-middle attacks, where intercepted card transactions and credentials can be replayed fraudulently, but it does little to address the problem of online fraud.
For example, these exposed card credentials—if intercepted by the bad guys—can be used to commit online fraud at up to 30% of Web sites (including Walmart.com and LLBean.com) that do not require consumer verification through capture of the CVV on Internet orders.
Visa’s digital wallet is reportedly coming to market utilizing one-time password technology, among other mechanisms, to provide additional security beyond what it is deploying for NFC and EMV. It will also have the potential to encrypt all of the card data except the first six-digit Bank Identification Number (BIN) in the PAN, which is used everywhere in the payments infrastructure for authorization routing, but is of no use to thieves.
So if the digital marketplace does need a better solution than it’s getting now—well, Visa will have it!
Further, in industry conferences over the past year, Visa officials have declared or hinted at its intention to “move payments into the cloud within five years.” In addition to supporting the gee-whiz mobile-transacting innovations that cloud-based applications such as AisleBuyer, ModivMedia, and ShopKick offer, a strategy of encrypting and tokenizing payment credentials and managing them in the cloud actually does deliver the full promise of mobile technology.
This promise, however, could come with a dark side. When Visa cultivates sufficient adoption of its initial digital-wallet solution, it will pull the trigger on moving everything to the cloud. At that point, most of the marketplace will have already been wired-in to its remote transacting infrastructure. If successful, Visa can then shut out virtually every other player (and source of innovation).
Apple’s Example
The question then becomes whether mobile-transaction parties and technology providers should craft a better alternative for the here and now. This is particularly critical for merchants, which are largely being left out of the current mobile transformation.
The alternative solution is likely to rest on how fast the marketplace can transition from mobile wallets to a freer, more open, and more efficient mode of mobile interacting. That mode is already embodied in the most value-liberating fruit of the mobile transformation. It’s called apps.
Mehul Desai, co-founder of C-Sam—arguably the leading wallet-management system provider in the industry (and the wallet provider for Isis and Discover)—is fond of saying that mobile wallets are transitional, albeit an important first step in making mobile transacting feasible at the outset.
What will drive adoption in the long term, he says, will be the specific nature of how the consumer’s transactional experience is enhanced through mobile applications. Apps also enable merchants to craft their own targeted and relevant marketing offers to mobile customers while controlling the use of transactional data in a manner that builds on the trust they’ve established with them.
Mobile will get very big very fast if unfettered by legacy payment brands and digital players obsessed with milking quick profits from a deluge of unproductive and unsafe marketing offers. Like Desai, CellPoint Mobile’s Kristian Gjerding points out that merchants, banks, and third parties can get control of payments and offers with enterprise-level mobile platforms that both embody their specific value propositions to their customers and integrate in a scalable way with their information systems.
So why not start now?
For evidence of whether this philosophy will work, one need only to look at what Apple has achieved in offering intelligent and convenient apps that make all the difference in transforming consumer behavior and adoption of new technology. Maybe that’s why—despite continuing rumors of impending NFC participation—Apple has not pulled that trigger yet.
But Apple does all this in a walled garden. The trick for the rest of the digital merchandising world is to figure out how to do the same thing in an open, competitive environment, how to quickly scale alternative solutions to critical mass, and how to convince consumers that a safer, more private path to the mobile promised land is in their best interests.
The technology is clearly ready. What remains to be seen is who has the will and vision to enable buyers and sellers to interact more naturally, freely and safely together in the mobile-transacting space—without embedding the legacy payment players or most of the current crop of mobile-wallet providers in the middle? Such an alternative seems certain to arise.
