National Retail Federation (NRF), Why They SHOULD Hate PCI

In a recent CSO Online article, “The National Retail Federation is dead wrong about PCI“, the author made, in my opinion, one of the most reprehensible defences of PCI I’ve ever seen. Even the SSC have not been so bold as to make these kinds of off-the-mark and clearly self-serving assertions.

After an innocuous two-paragraph preamble, the author(s) state:

Despite NRF assertions to the contrary, the payment card industry has asserted that their card security standards are voluntary. Merchants have a definite choice if they want to accept credit and debit cards or not. It’s quite safe to say if retail establishments couldn’t accept payment cards, most would see massive sales reductions, and a large number would simply go out of business.

How can he possibly say that merchants have a choice, when he himself says that most would see “massive sales reductions”!? Call that a choice!? That’s right up there with ‘face or gut?’!

The fact remains that the card brands STILL have merchants by the short-and-curlies when it comes to non-cash payments. You only have to look at the anti-competition or unfair business practice suits that the card brands have had to fight over the years to see how distasteful their business practices are perceived to be.

And quite frankly, this all shows a complete lack of understanding of the NRF’s main issue: they don’t CARE how they receive payment; payments are NOT core to their business. Being paid for their products / services is.

The author goes on to say:

Given the significance of payment cards, we would have expected the NRF to be at the forefront of PCI advocacy and compliance. Yet the reality is that they have an extremely disdainful view towards PCI.

Seriously? Ask me to pick up the cost of fixing your crappy service and I’ll be equally ‘disdainful’. Sod that, I’d be thoroughly pissed-off, but I still wouldn’t have a choice, not if I wanted to stay in business.

The NRF have every right to expect the card brands to do something more appropriate: THEY are the ones providing the service, and THEY (and their associated middle-men) are the ones who’ve made billions through merchant transactions over the course of 50+ years.

But it’s the merchants who are paying the interchange rates. And it’s the merchants who have to spend billions on infrastructure that does absolutely NOTHING to help them improve their customers’ shopping experience.

Guess who pays for this in the end? Yep, us, the consumers.

As I have written (or at least alluded to) many times in the past, the very technology behind payment cards is past its usefulness. Anyone trying to prolong this ancient, inherently insecure, and zero-value-add technology clearly has a vested interest in doing so. Card Brands, Issuers, Acquirers, Payment Service Providers (PSPs), and Terminal Manufacturers are obvious stakeholders. However, QSA companies also exist to a large degree on the budgets that PCI compliance extorts. Call them PCI War Profiteers if you wish; I’ve heard worse, and I have also benefited.

In the card brands’ defence, they have done a truly astonishing job over the course of 5 decades in bringing trust into non-cash payments. That’s what their logos are: a symbol of trust. The next generation of payment providers owe them an enormous debt of gratitude. That said, we didn’t keep horses around because we felt sorry for the farriers; we jumped head first into the automobile.

Mobile phones are now more ubiquitous, and can be infinitely more secure and ‘value-add’ than branded plastic (even when tokenised in ‘[X] Pay’ services). All we need now is for the banks to get their acts together and provide the trust, and there will be little need for the innumerable middle-men.

Which brings me to my final point on the article: yes, the NRF and all other retail associations have the right to be angry, but they have done next to nothing to help themselves. They played a game whose rules were set by the card brands, and used none of their extraordinary power and influence to tip the balance in their favour.

For example, I have estimated that the Top 10 retailers in the US alone account for almost 1 TRILLION USD in branded transactions. If we assume an average of 1.75% interchange, that’s 1.75 BILLION in fees the retailers have paid to ‘middle-men’. How much influence would you exert over those middle-men if it was your business?

So in summary:

QSA Companies: Keep your opinions of retail to yourselves, your self-serving diatribes are inappropriate. Serve your clients, don’t brown-nose the brands.

Card Schemes/Issuers/Acquirers: Use your incredible knowledge and combined talent-pool to lead the way in the removal of plastic, and therefore the need for PCI. It’s time to move on.

Retailers: Put aside your differences, stop bitching to the wrong people in the wrong way, and do something useful with your power. Focus on what you WANT, not what you DON’T want.

All of this boils down to one thing: what do consumers want? Most have no idea, but I do, as do thousands of others like me. Ask us.

…and it had better not involve yet another piece of plastic.

What Will 2016 Be “The Year Of” In Payments?

I guess it’s quite prophetic that 2016 is the Chinese Year of the Monkey, though I suspect that the Year of the Headless Chicken will be a little more accurate.

Every year, someone either predicts a ‘Year of x’, or claims that the previous year was ‘The Year of y’, and usually it’s the very organisations with a direct vested interest in the technology in question. 2015 was the Year of Biometrics, 2014 was the Year of Encryption, and so on.

Thankfully the financial industry at large took a step back and put these, and many other technologies, into an appropriate perspective. Mostly. Especially biometrics, where numerous vendors were dribbling all over themselves when Apple Pay finally hit the mainstream. We heard cries of “The password is dead!” and “Biometrics is the future of authentication!”, all of which was utter nonsense in light of the Payment Services Directive 2 (PSD2).

Yes, many banks have invested significant sums in biometrics (usually to enhance their mobile banking app security), and no, these investments will not be wasted, but from what I’ve seen most of them have missed the point: that authentication is just a temporary means to an end.

The result is that those Hell-bent on disruption will fail without collaboration, those with a single authentication technology will fail without partnerships in a multi-factor solution, and those interested only in keeping things the same will be left behind. The only hope of achieving a balance between all of these things is to ask the only stakeholders who have no idea what they want:

The consumer.

Even after a few years of dramatic changes and innovation in payments, what everyone seems to have missed, or at least underestimated, is that payments (or finance in general) is far too complex for the average consumer to understand. In my opinion it’s been made too complex to even be sustainable, especially when you consider that the concept of a payment is actually very simple: I have a value stored here, and I want to transfer it over there in exchange for a product or service. HOW that happens should not be the consumer’s concern; only the security and efficiency of that transaction should.

I have no problem paying my bank to protect my stored value (i.e. money), as long as it’s reasonable. I have no problem paying someone to protect (and accept liability for) the transfer of that money somewhere else, as long as it’s reasonable. What I DO object to is the numerous intermediaries in the current system who not only make the process expensive, but ridiculously slow and inefficient.

But what I really want is for payments to go away entirely, at least from my perspective as a consumer. I want the HOW of the payment to be handled in the background, and the decision made by a trusted third party who has found the best all-round deal for the product/service of my choosing. Whether that’s finding a plumber or shopping for groceries, the only innovations I care about are ones that take care of the things I hate doing, like filling out online payment forms, or lining up in Sainsbury’s to pay for a pint of milk.

So, in truth, 2016 will likely be the Year of Nothing Much Happened. Truly beneficial change will take a long time, and while the pieces necessary for innovation are already available, getting all of the stakeholders to agree on the way forward will extend way beyond this year, and likely next.

I’m hoping that 2016 will actually be the Year of Getting the Future-State Plan Right, but I somehow doubt it.


Froud on Fraud: Top 5 Predictions for 2016

If I was any good at predicting the future, I would be writing this from my yacht in the Caribbean, and not from my kitchen in Southwest London. That said, I do get to work mostly from home, so maybe I’m doing something right.

While my predictions for 2016 will necessarily be as narrow as my field of expertise, there is a lot going on that will eventually change the way everyone performs many of their daily functions. Probably not this year, and maybe not within the next 5, but once they DO begin to change, there will be no looking back. This is a good thing, and well past its time.

Prediction 1: Identity Management will begin to replace single-factor authentication

ANY single form of authentication is inadequate, and even multi-factor and multi-mode authentication is of limited use. For the Internet of Things, payments, or any other transaction to take place securely and accurately in the future, identities must be seamlessly and mutually introduced. Authentication only provides the what-of-you (and usually only in one direction), not the who-of-you; the full function of ‘distributed transactions’ (i.e. mobile based) requires both.

Prediction 2: Identity Management will be decentralised onto consumer mobile devices

As a corollary of prediction 1, the control of identities and authentication will decentralise from individual credential stores (user databases) to APIs and/or block chain-esque distributed ledgers that create authentication and identity mechanisms on-the-fly. The level of information provided will be agreed and controlled by the consumer prior to any transaction taking place, and must be mutually assured, i.e. the receiver of the authentication must themselves authenticate, unlike in almost all e-commerce today.

Prediction 3: HOW you pay will become increasingly irrelevant

You have a value in the bank you want to spend; you should not have to care HOW you get to that value as long as you are getting the best deal to do so. Third Party ‘Money Management’ Services, APIs, and even regulations like the Payment Services Directive 2 (PSD2) here in the EU are forcing traditional financial institutions to open their books. You’ll open ONE application, regardless of which retail store you’re in, comparison shop against price and ratings, and your app will choose not only the best price and rewards, but the best WAY to pay, all behind the scenes. Credit / debit / direct debit will mean little to you, nor should it; the only thing that matters is that we will eventually stop paying the price of plastic.

Prediction 4: Value-Add Services and Customer Service will be the only differentiators

With the enormous competition available to the global economy, price and quality will have little impact on the purchase decisions you make; they will be much the same. Brand loyalty (even if this exists in the future) will instead be driven by the services provided around the products you want: from instant coupons, to ratings and reviews, to reward and loyalty choices, to availability and payment terms, these will be made available instantly in a multi-function app (much like, or even the same as, prediction 3) for consumers to make an educated choice of vendor. But the Customer Service provided throughout the entire consumer journey will be the ultimate differentiator, and any vendor not treating their customers like royalty will be out of the game, regardless of everything else they may do well.

Incidentally, this is also why mobile payments have yet to reach anything like their true potential: they are no better than the plastic they will replace.

Prediction 5: Loyalty Programs will begin to centralise

I think we can all agree that there are simply too many loyalty and reward programs out there. Every coffee shop, retailer, airline and hotel has its own points scheme, few of which are interchangeable. How many points would you say you have floating around out there that you will likely never use? It just makes sense that the single app provider (per predictions 3 and 4) will begin centralising and normalising any points scheme available. This will be very difficult, but will be the differentiator that determines which app provider consumers choose.

While these may seem very narrow in focus, perhaps even of little relevance to the ‘masses’, the payments industry alone is a multi-TRILLION £/$/€ industry, and the opportunities for innovation and/or investment are almost limitless. We already have the device upon which all of these future trends will rely; all we need now are the APIs and Third Party Providers to bring it all together.

Unfortunately we still equate our value with money, and have done for millennia. Money itself is irrelevant: you work in order to obtain the things you need to survive / be happy, so HOW that transaction is effected should be irrelevant. The above predictions should get us back on track.

Technology and even regulation are pushing simplification down to the consumer; this can only be a good thing.

Done correctly…

PSD2: The Race to the Consumer

The following things have been clear for a while:

  1. The three and four party models represented by the card schemes are in real danger of being disintermediated as mobile technology advances;
  2. The use of plastic will only begin to fade when consumers have a compelling reason to move, mobile payments alone is insufficient;
  3. Retailers are desperate to engage consumers much earlier in the buying process, as well as for a long time after it;
  4. Identity Management and Authentication will take their rightful place in payments and beyond; and
  5. The average consumer has no idea what they want.

What has NOT been clear [to me anyway] is what the impetus for things to actually change will be, and I never thought it would be a regulation.

But that is exactly what is happening here in the EU. Even a cursory examination of the Payment Services Directive 2 (PSD2) makes it clear that the established order is changing. It has already been adopted by the European Parliament, and adoption by the EU Council of Ministers is only a pending formality. Once published, each of the EU countries has just 2 years to write the Directive into its laws.

If you had to distill the PSD2 into its major players, they would be:

  1. Account Servicing Payment Service Providers (ASPSPs) – Usually the banks; these guys will need to open up account data once they have received permission to do so from the consumer.
  2. Account Information Service Providers (AISPs) – Aggregators of data received from ASPSPs.
  3. Payment Initiation Service Providers (PISPs) – Can initiate a payment, but can only receive a ‘Yes’ or ‘No’ in terms of funds availability.

It’s the AISPs that are truly the new guys on the block. Imagine it: a non-bank Third Party Provider (TPP) can, once properly vetted / ‘licensed’, request all the information from all of your banks / financial institutions and display it to you in a single location! The possibilities for money management alone are enormous, but it’s retail that will be the big winner. Well, some retailers.

The reason that retail and TPPs alike should be dribbling at the thought of this is that these centralised ‘Money Managers’ (MMs) are the perfect location to begin the buying process.

You want to buy a TV, so you open your MM app which has already gone through the effort to combine feeds from all of the following:

  1. Retailers – If retailers do not provide feeds of stock, deals, locations, terms and so on, they will not be presented to the consumer as an option.
  2. Ratings & Reviews – Few people realise what goes into those 5 stars you see on Amazon and the like, but you’d be surprised how much influence they have.
  3. Your Finances – No point looking if you can’t afford it.

Then, once you have gone through a nice friendly wizard to narrow down what you are looking for, your MM goes out and looks for the best deal, AND offers you the best payment terms from all of your lenders. And the WAY you pay? What do you care? The MM has already determined the best way and taken care of the details!

Those steps may not sound all that radical, but there are two incredibly important facts here:

1) The holder of your money has become far less relevant, so even the banks themselves are losing the Race to the Consumer; and

2) Consumers will stop caring HOW they pay in terms of channel, making every other intermediary in the current payment ecosystem irrelevant.

This is what your money is, a stored value, so why SHOULD you care if it’s direct debit, standing order, or branded card, as long as it’s the best deal for you? It all comes back to you anyway.


EMV in the US, I Still Can’t Figure Out Why?

Way back in July 2013 I wrote the blog “Why the US Will Not Adopt EMV (Chip & PIN)“, which, given the current state of EMV adoption in the US, was wayyyy off the mark.

My broken crystal ball aside (hey, if I was any good at predictions I’d be blogging from my yacht anchored in the Med, not from my kitchen in Barnes), I still can’t figure out why the US would spend billions upon billions of dollars on EMV without demanding that those players with the greatest vested interest in ‘plastic’ build in a more permanent ROI.

Those players are:

  1. The Card Brands: This one is a given; any move away from plastic and towards mobile is one step closer to obsolescence (yes, I am ignoring EMV tokenisation, for many reasons).
  2. Issuers: Also a given, what ELSE are they going to do?
  3. Acquirers / PSPs: They have the best chance of segueing their current position into bringing their merchant-base future-proofed payment innovations and value-add services designed to improve the ‘consumer journey’.
  4. Terminal/PED Manufacturers: Once the US has spent billions replacing their mag stripe PEDs with Chip / Contactless, what is left for PED makers to do? When the whole world finally works out that mobile phones and wearables only need something to read them (e.g. another bloody phone), why buy crappy, massively expensive devices that do next to nothing to improve the customer’s shopping experience?

These players have been around for so long that they are seen as the de facto standard, while all along they have been intermediaries designed only to make non-cash payments safe. To make them trusted. And they did a superb job, so superb in fact that it has taken technology almost SIXTY years to find something better! We went from the first production car to landing on the bloody MOON in the same amount of time!

But it’s here now, and it’s been here since Apple created the iPhone: a device capable of so many modes of every factor of authentication that we can really start calling it Identity Assurance, which is the foundation of the only thing on which a payment is truly based: trust.

A credit card number, regardless of where it’s stored, how it’s stored, or even if it’s tokenised, will never be able to match what my phone can do.

For years now, the functionality of mobile devices has been perfectly placed to provide alternatives to plastic (e-wallets, direct debit, merchant-side tokens, even block chains), but here we are, in 2015, and we are still spending billions on the same technology our parents or even grandparents first used back in the 60’s.

Again, why?

Let me answer that with another question: How do YOU want to pay for things in a store? If whatever you wanted in payment technology could come true tomorrow, what would it look like?

The odds are that unless you’re in the payments innovation line of work, you really have no idea. You just want it to be painless, convenient, and, if you’ve had issues in the past, safe. Payment cards are so much a part of our lives that we cannot even imagine anything simpler. It’s only when you know what goes on in the background that the true cost of plastic comes to light.

From interchange fees, to PCI compliance, to fraud, to PEDs, to the plastic cards themselves, taking card payments is a massively expensive undertaking, and if you think those costs are not passed down to us, the consumers, then I have a bridge to sell you.

But you really can’t blame the consumer; we are not the ones who live and die at the whim of consumers in general… but retailers do. Would Walmart be as big if they only took cash? Of course not, they NEED non-cash payments. But what if the top TEN retailers in America had told the card brands that the first one to negate the need for EMV got ALL their business? Can you imagine what would have happened?

Top 10 Retailers’ Revenue in 2013

  Rank  Retailer          Rev. (USD Millions)
  ----  ----------------  -------------------
     1  Wal-Mart               $ 334,302.00
     2  Kroger                 $  93,598.00
     3  Costco                 $  74,740.00
     4  Target                 $  71,279.00
     5  The Home Depot         $  69,951.00
     6  Walgreen               $  68,068.00
     7  CVS Caremark           $  65,618.00
     8  Lowe’s                 $  52,210.00
     9  Amazon.com             $  43,962.00
    10  Safeway                $  37,534.00
  ----  ----------------  -------------------
        Total                  $ 911,262.00

That’s close to 1 TRILLION USD, the lion’s share of which was accepted through plastic.

And what could Target have done with the $100M they spent on new PEDs, or the millions they are paying in fines and reparations for their 2013 breach? I point not to their ridiculous back-end processes as the cause of their woes, but to their inability to focus on the true cause of their vulnerability: their inability to innovate collaboratively.

I guess, in retrospect, EMV in the US was inevitable; without consumer pressure for alternatives the retail industry just followed along like sheep, perhaps assuming payment cards were some kind of ‘official’ mandate. They are not, and the retail industry in the US missed an incredible opportunity for change. Now all they’ve done is set themselves up to not only pay for the ‘new’ infrastructure (at least up front), but to pay for the fraud as well.

While not entirely appropriate, it’s one of my favourite sayings, and it applies to every level in the payment food-chain, including the consumer.

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”

― Harlan Ellison