Thursday, May 26, 2011

The Next BIG Thing is...

The consumer or retail payments industry is thoroughly dynamic and for industry pundits is very exciting. Yet as we all know, it is full of media noise from journalists, consumer groups, regulators, schemes and suppliers.

Yet while we trawl through this noise looking for the next big thing to happen in payments, the consumer continues on blissfully unaware, trusting that their next purchase will go through without a hitch - funds permitting!

It is when there is a failure in the system - fraudulent activity resulting from a point of compromise, or network points failing at the transaction moment - that we see another small thread unravelling from this trust model.

So while consumers continue to use the products we deploy, we question: what next? Especially if you look at developments over the last 8 years alone: Chip & PIN, mobile banking platforms, massive take up of online banking, the introduction or proliferation of open loop prepaid card programs, payment system reforms, bill payment services and so on...

Post Chip & PIN, the industry has focussed on contactless, Near Field Communications (NFC), peer to peer payments (particularly mobile) and in Australia the next wave for domestic debit (EFTPOS) and Bpay (MAMBO) to meet the innovation drum beat of the Reserve Bank.

In addition to these activities, a focus on cross sector convergence is unavoidable; as is the level of unrest at the growing number of compromises of cardholder data.

Despite this position, the industry is in danger of being myopically focussed on the transaction method at the moment - contactless, NFC, increasing the speed of interaction. Yet payments is a Customer relationship product and a product built on trust.

At MBNA, the key message to all was "Think of Yourself as a Customer". It was placed above each and every door in the organisation. So if I am blissfully unaware as a consumer what the next big thing is, what should we the industry be looking at?

Security & Authentication

An extremely innovative thought leader in the industry recently pointed out to me a 1964 newspaper advertisement for Sheaffer pens. It shows the image of the card being 'beamed' from a ring to be written down and then to sign with the pen. Is this about convenience and security, or simply a belief that the pen will never be obsolete at the point of sale?

The point being that, with new approaches to payment transaction methods, the security and authentication layers cannot be ignored.

An increasing number of new starters will continue to appear in the market (most with extremely short life spans, others developed for longevity) and some large global brands will continue to evolve into payment services providers. Yet the underlying integrity of the traditional and core payments system and funds sources remains with the banking sector, regulators and the payment schemes.

So Google, Sony, Apple, Amazon etc will all have their roles to play - but it should not be at the expense of network integrity and betrayal of the consumer trust in the payments ecosystem.

Indeed some of these players could in themselves launch a new global payment brand tomorrow, and while transaction moment security may be wanting in some cases - they walk away with the dis-intermediated transactional data which is a powerful Customer relationship management by-product of payments.

Mobile and secure

The high focus on mobility and services from app stores is potentially a train wreck waiting to happen. Not all apps are security accredited and even if they are, it is not a consistent or accredited process in many cases. The focus on NFC functionality requires the app store to consider enhanced functionality underpinning application life cycle and security token life cycle management. Clearly an area for solutions companies like Bell ID to succeed in.

Yet do the app store providers understand this requirement and philosophy? Banking and Government sectors are well aware of it from their forays into multiple application smart card programs over the years and from bodies like Global Platform. Is this now a new service call for Credential aggregation? If so, which brands and organisations are best positioned to uphold this trust model?

Losing sight

Payment system security and customer/merchant authentication are critical - no one can deny this. Yet, after 11 years, 3D-Secure for SecureCode and Verified by Visa remains an elusive solution in many online environments, particularly Australian online retail sites.

New retail and payments platforms go live each week, with some questionable propositions behind them, yet they are able to attract a base of transactors willing to participate - especially where convenience is strong. For example, the Heathrow Express application for iPhone/iPad etc.

So while contactless/NFC may provide convenience, is a fraction of a second of card handling at the point of sale what the cardholder is looking for - understanding that the transaction is still going online for authorisation and the food is still cooking and the shopping is still being placed into bags?

Keeping in front of counterfeit, lost/stolen and account take over fraud remains unresolved. A partial Chip & PIN environment with mag stripe does not close the gap. Inconsistent terminal PINpad designs, which expose Customer PINs to in-store cameras in many retail environments, are another opening. The UK push for PIN shields was well received by all.

Phishing remains significant, yet the level of consumer education and even card issuer education remains wanting. Should issuers really be sending email marketing promotions that require you to click through to a website to register for cashback on your credit card - and worse request the cardholder to enter the card number into this webpage that has a dubiously selected URL name?

If we lose focus on the basics of payment system security, how can we logically ensure that each 'next big thing' in payments will stand up to the test of time? Importantly how do they stand up to the criminally minded segment who seek to either compromise data to make a point or use that data to conduct fraud?

Think of Yourself as a Customer

Ultimately, the consumer continues to transact blissfully. An increasing number of us are hit with ATM skimming fraud, online fraud and bear the pain of waiting for our bank to refund the lost monies and the frustration of re-establishing payments and direct debits for new accounts and cards.

The Customer seeks their payment system to work first time, and every time. If it fails them, they do not want to be impacted by the fallout of that failure.

Who has truly developed the next big thing that will answer to that call?

Contactless 'Tap & Go'...wait...Please Hold!

Chip & PIN - the baseline

After fifteen years of stabilising (EMV) Chip & PIN, we the industry like to think we are on a winner. Indeed this should be viewed as the case and the reality, despite the global media and the occasional journal from Cambridge.

That said, the number of ongoing bulletin releases on the EMVCo website and the prolonged migration to Chip & PIN do highlight that this is not always a straightforward exercise for those involved.

Now let's consider the payment Schemes themselves - international and domestic (where they still exist). Establishing an interoperable, consistent Chip & PIN environment has triggered much marketing on payment security for counterfeit, lost and stolen fraud activity.

Costs have decreased, but for many this is attributable to strategic sourcing of chip masks, operating systems and point of sale upgrades. Divergent activity to the main market solutions has and will continue to challenge stakeholders.

So now I don't need a PIN?...

In contrast to this is the parallel push for contactless payments and payments without the need for a cardholder verification method (CVM) - PIN or signature. Well, that is the media play anyway! See the recent media backlash to FastPay in Australia for transactions less than A$35.

Depending on the market, the no CVM limit for contactless transactions can be as high as three figures as it is in Australia - set at A$100 for both PayPass and PayWave. It can be low, as in the UK at the new level of £15. Yet, this is not the actual limit for contactless transactions - transactions can still occur in excess of these levels, as long as a PIN is applied as well. Consider the current focus on mobile and the use of Near Field Communication (NFC) for tap & go with the phone.

It is not expected that up to A$100 you can use your phone, only to have to pull out the old fashioned plastic for transactions in excess of A$100.

Consistent payment experiences

So what of the experience of contactless? As a carrier of multiple PayPass cards, the experience in 3 key markets has been quite telling: the UK, US and Australia.

As a regular in the UK throughout 2010, I frequented a local coffee shop on Kingsway in London that has a contactless reader. Needless to say, coffee is not overly expensive, yet not once in 12 months was I directed to that device. Contactless in the UK was confined solely to Oyster transactions.

The US was markedly different, both in buying lunch at the MasterCard HQ cafe and making transactions in retailers in Ohio. Nothing overly stood out other than proving that my Australian PayPass cards did work effectively in the US market's Mag Stripe Defined (MSD) implementation model and were fast.

Now for Australia. With Chip & PIN, consistency has always been the goal. Yet for contactless this is far from the experience.

Please hold sir...

Sydney has a monorail system which now has contactless payment acceptance. Depending on the station from which you purchase your ticket, the contactless experience could lead to missing the monorail as it passes by. A CBD based station allowed me to wave my card - and after 2 goes we had success. A station at Darling Harbour required me to hand the card over, as the reader was behind the secure glass, and the attendant took 3 attempts to get the transaction to process - only by HOLDING the card in place. After waiting for the ticket and receipts etc., perhaps cash may have been a better bet had I not been conducting a mystery shop exercise. (The bank was advised to no avail.)

A chip card being used to its full potential...incredible

The trigger for today's blog was a McDonald's transaction yesterday. Perhaps hard to believe, but the receipt (yes, not an option, we waited for all 30cm of it to be printed) actually had an Authorisation Response code of 'Y1' on it. This is fascinating - to actually experience an offline authorisation approval. Not even an electronic fallback transaction! As I still had to wait for the food, I watched the device subsequently commence connection procedures and submit an advice to its acquirer. (They know who they are - well done for using chip to its full potential).

Most clients question the transaction speed benefit! It is indeed hard to defend the speed benefit when devices are authorising online in most cases and receipts are being printed etc. It is extremely hard to defend when you know that the card more often than not needs to be held in range longer than expected. While merchant training can be resolved, a number did not know how the reader activated or worked. Delays in activation are also a problem.

Ubiquity in contactless...not so fast - but eventually

So with fifteen years to achieve the current state for Chip & PIN (and the US reaching an inevitable tipping point), the contactless and NFC advancement of mainstream payments may yet continue to struggle. Perhaps the point should be not to compare to traditional mainstream card payment methods of swipe/dock and PIN/sign.

Perhaps this is why contactless transit operations and innovative start ups like sQuid, Snapper and the like are accepted. Their attention is on cash and they are separated from access to consumer banking accounts - credit or transactional debit.

So let's not rush deployments if we are to compromise brand consistency and trust at the point of sale. This is the moment of truth for a Customer of both the card issuer and the retailer/acquirer - and it is the greatest moment of trust!