Mobile Wallets: The Battle for Control of Point-of-Sale and Opportunity for FIS
Howard Mason, 203.901.1635
June 19, 2014
Amazon’s announcement of the Fire ‘phone yesterday, along with the launch last October of pay-with-Amazon (allowing customers to use their Amazon credentials to pay on other e-commerce sites), raises the possibility of an Amazon wallet leveraging the firm’s 250mm cards-on-file (vs. 800mm for Apple and pay-with-iTunes and 140mm for PayPal). The prospect of a wallet, particularly if integrated with Firefly-enabled “showrooming”, increases pressure on retailers to shape the evolution of mobile payments and control the point-of-sale.
- Mobile wallets will either be: bank-sponsored (and enabled by host card emulation so that the phone acts as a proxy for plastic with the card credentials stored in a virtual secure element in the cloud); retailer-sponsored (using Paydiant or similar white-label, cloud-enabled QR-code solutions); or based on extending card-on-file franchises from e-commerce to point-of-sale with Apple being the likely winner in the genre.
- In each case, payments functionality is not stand-alone: it is integrated into mobile banking for bank-sponsored wallets, into loyalty and offer programs for retailer-sponsored wallets, and into a beacon-enabled digital shopping experience for Apple and, possibly, PayPal.
- Banks are concerned that other digital wallets may put their brands “in the back seat”, and are fighting to control interaction at point-of-sale. With EMV compliance and tokenization, we expect bank-sponsored wallets to offer the same “card present” terms for merchants as card-swipes: that is relatively low fees and issuer responsibility for fraud risk. While bank-sponsored wallets will be treated as substitutes for plastic, card-on-file wallets will be treated as extensions of the desktop and so generate the same “card-not-present” terms for merchants as e-commerce transactions: that is relatively high fees and merchant responsibility for fraud risk.
- Among card-on-file wallets, Apple has a uniquely good case for card-present treatment because the fingerprint risk-scores from TouchID may reduce fraud risk below even physical plastic. However, tokenization will be necessary and raises difficult issues: large banks will want to maintain control of tokens, but this reduces the value to Apple of its cards-on-file data.
- Retailers are concerned that banks will reserve mobile wallets for credit cards as part of their ongoing response to the Durbin cap on debit interchange which has involved shifting consumer spending from debit cards to credit cards (see Exhibit below). In addition, retailers get the importance of understanding customer buying patterns in a world of data-enabled targeted marketing, and so want to control and protect transaction data. This has led to the formation of the merchant payments consortium, MCX, to promote an alternative acceptance infrastructure to V/MA within which participating retailers can operate their own wallets integrating payments, loyalty, and offers; MCX does not contemplate the sharing of transaction data between participating merchants.
- While the primary motivation of retailers may be to control and protect transaction data, it is likely they will promote low cost, and particularly ACH-enabled debit, solutions in their wallets. This is an opportunity for FIS which can act initially as an acquirer for ACH transactions and transition them over time to its PayNet infrastructure (providing real-time authorization and settlement through leveraging the connectivity to bank checking accounts provided by FIS’ core processing business and ownership of the NYCE debit network). And it is a concern of Visa/MasterCard that has led to a battle between the networks and large retailers over point-of-sale technology as follows:
- The Europay, MasterCard, Visa (EMV) standards establish a global protocol through which chip-enabled payment devices (whether card or phone) communicate with point-of-sale (POS) systems. To encourage merchant-adoption of EMV-compliant POS systems Visa/MasterCard will make non-compliant merchants liable for fraud losses on EMV-compliant devices beginning October 2015. From a security standpoint, it would be sufficient for merchants to install only chip-card readers, but they will not be relieved of fraud risk unless they also install NFC-enabled contactless terminals; in other words, Visa and MasterCard are using the EMV roll-out to establish an acceptance infrastructure for bank-sponsored wallets.
- Recognizing the threat, WMT is urging merchants to install EMV compliant contact terminals (i.e. chip readers) so as to reduce the system-wide risk of fraud but not the contactless terminals which open the door to bank-sponsored wallets. Indeed, MCX members commit not to enable acceptance of any digital wallet other than the MCX product.
- While MCX has been delayed by the decision, last February after the Target data-breach, to employ cloud-based tokenization and hence contract with Paydiant rather than exclusively with Gemalto, we believe it needs to launch in the first half of 2015. Any later and the risk is that merchants install EMV-compliant contactless technology to obtain relief from fraud losses (although these will be meaningfully lower with EMV compliance than at present) increasing the chance that bank-sponsored wallets become a de facto standard.
Exhibit: Banks Have Shifted Consumer Spending to Credit Cards from Debit Cards
We see retailer-sponsored wallets as an imperative for chief marketing officers given the importance of protecting and controlling transaction data in a world, catalyzed by mobile ‘phone adoption, where understanding customer buying patterns provides an edge in data-enabled targeted marketing.
Having launched a wallet, it makes sense for retailers to promote low cost, and particularly ACH-enabled debit, solutions over Visa/MasterCard products. This creates opportunity for FIS initially as an acquirer of ACH-settled transactions but, over time, as the provider of an alternative, real-time authorization and settlement using the connectivity to bank checking accounts from its core processing and NYCE businesses.
In particular, FIS has been retained as the network partner of the merchant payments consortium, MCX, whose launch has been delayed by the Target data-breach (and related decision to hire Paydiant to implement cloud-based tokenization) but will need to take place before October 2015 given the way Visa/MasterCard have shaped merchant incentives around installing contactless NFC-enabled terminals which will support competing bank-sponsored wallets. Our December 8th note, titled “FIS: The MCX Opportunity for PayNet”, quantifies the upside to FIS.
Three Wallets in the Cloud
Amazon’s announcement of the Fire ‘phone yesterday, along with the launch of pay-with-Amazon last October (allowing customers to use their Amazon credentials to pay on other e-commerce sites), raises the possibility of an Amazon wallet leveraging the firm’s 250mm cards-on-file (vs. 800mm for Apple and pay-with-iTunes and 140mm for PayPal). Mobile wallets will fall into one of three categories:
I. Bank-sponsored: These “wallets” will be existing bank apps that have been extended to include mobile payments functionality using “host card emulation” which, in effect, fools merchant point-of-sale systems into thinking they are dealing with an EMV-compliant plastic card. Card credentials will be provisioned into a “virtual” secure element in the cloud (so that banks do not need to negotiate for access to a secure element on the SIM card or the device itself), and the entire system will be tokenized (so that raw card credentials are never on the device or in the merchant systems).
Since tokenization eliminates counterfeit fraud (where a card is cloned using stolen credentials), it renders moot the network distinction between card-not-present and card-present, and we assume the networks will develop a new taxonomy around “device-present” transactions. The result will be that merchants will not pay high “card-not-present” rates on transactions tendered through bank-sponsored apps (even if card credentials are in the cloud) but rather rates that are at least as low as existing card-present rates for card swipes. If banks have access to additional identification and verification (ID&V) information, such as the fingerprint risk-scores generated by Apple’s TouchID, some device-present rates may even be lower than existing card-present rates.
Bank-sponsored wallets will be EMV compliant, and in particular communicate with merchant point-of-sale systems using NFC, and banks will look to reserve these apps for credit cards rather than debit cards as part of an on-going strategy to shift payments to high-interchange products and, in particular, away from signature debit which, post-Durbin, generates a loss of about a nickel-per-swipe. The strategy has already been successful with the spend-to-loan ratio on credit cards increasing to 3.3x from 2.3x in 2009 (see Exhibit above).
II. Retailer-Sponsored: Retailers are understandably concerned at the prospect of banks reserving the mobile channel for credit cards and hence shifting the transaction-mix to higher-cost payments products as mobile moves along the adoption curve. In addition, they see mobile ‘phones as an important delivery channel for loyalty programs and e-coupon offers particularly if these can be integrated with the payment function so as to reduce the barrier between sales and cart abandonment. Given the importance to data-enabled targeted marketing of customer buying patterns, retailers also want to ensure they control and protect transaction data rather than having it “leak” into the Visa/MasterCard systems or, worse still, the hands of the online ad platforms.
Early retailer-sponsored wallets, such as those from Starbucks (more than 10% of US transactions) and Subway, have focused more on controlling and protecting transaction and loyalty data but the merchant payments consortium, MCX (whose members account for ~one-third of US payments volume), is explicitly focused on reducing acceptance costs; for example, it has announced that the debit option in the MCX wallet will be ACH-enabled following the precedent established by Target’s debit card (now 8% of US tender). The two leading technology-providers to retailer-sponsored wallets are Paydiant (which supported Subway) and Gemalto (which supported Starbucks).
Paydiant has an important (and patented) edge in cloud-based tokenization which improves security by keeping card credentials off the device and out of merchant systems, and is top-of-mind following the Target data breach. Indeed, in February, MCX announced that it would be working with Paydiant whereas it had previously been working exclusively with Gemalto; the change of tack has probably pushed back a launch date for MCX to 2015 but will allow the product to launch with best-in-class security including for merchants who have not upgraded to EMV-compliant point-of-sale systems. Since a picture is worth a thousand words, we recommend investors view the video demonstration of Paydiant technology at the following URL:
A striking, and to our mind not coincidental, feature of the demonstration is that the top card in the Paydiant wallet is an ACH card. We believe retailers, whether or not members of MCX, will increasingly launch Paydiant-enabled wallets as much for the integration of payments and loyalty as anything else. Having done so, however, it is a short step to promote to consumers an ACH-enabled debit product as an alternative to Visa/MasterCard cards much as PayPal is doing in the e-commerce environment. This creates an opportunity for FIS at least as an acquirer of ACH-based transactions and, given connectivity to checking accounts from its core processing business and the NYCE PIN-debit network, as a provider of an alternative, unbranded, real-time authorization-and-settlement infrastructure that the firm refers to as “PayNet”.
III. Card-on-File: The third category of wallets is from online payments platforms that have assembled large databases of card credentials as a result of their e-commerce businesses, and are looking to allow consumers to use these “cards-on-file” at other e-commerce web-sites and, through the extension of the desktop screen by mobile phones, to point-of-sale. The overt challenge of these card-on-file models is that they do not have an acceptance infrastructure (and so cannot provide the general-purpose utility of Visa/MasterCard cards and hence bank-sponsored wallets) and do not offer the protection and control of transaction data (and so lack a key business case for retailer-sponsored wallets). PayPal is looking to overcome these challenges through partnering with Discover (for access to merchants accepting Discover-branded cards) and through developing features, such as order-ahead and skip-the-line, to favorably shape consumer preferences. The experiment has had mixed results with order-ahead attracting some consumers at QSRs such as Jamba Juice but de minimis PayPal use at Home Depot (one of the few merchants to accept the brand).
The more covert problem of the card-on-file models is that banks, and particularly Chase whose acquiring business accounts for ~one-third of Visa/MasterCard e-commerce volumes, can attack their core e-commerce franchises. Indeed, Chase’s “Quick Checkout” product (where consumers use their Chase log-on credentials to “pay with Chase”) is an emerging direct competitor to PayPal’s “Express Checkout” with a cost advantage, at least for credit cards, because it runs off ChaseNet, and so outside the costs and protocols of the Visa network. More generally, card-on-file models emerged because consumers are reluctant, for security and convenience reasons, to enter card credentials into multiple merchant web-sites. However, bank-sponsored wallets and the ability of ‘phones to exchange information with desktops (using Bluetooth if not NFC) could eliminate this: simply tap ‘n’ pay on your computer just as you would at point-of-sale.
That said, we expect Apple to be successful in mobile payments as a feature integrated into the Passbook app (embedded in the operating system and already capable of QR-code enabled payments for gift cards). We believe Apple’s objective is to position the iPhone as a digital shopping assistant that communicates with iBeacons in suitably-equipped merchants to provide consumers with in-store, location-based messaging and, from within the same app, payments capability at checkout. Of course, card credentials could be passed to merchant systems using the same Bluetooth wireless technology that provides the channel between iPhones and iBeacons, but this would not meet EMV standards which are centered on NFC wireless.
Apple likely wants EMV compliance so that its wallet is equivalent, from a merchant-standpoint, to bank-sponsored wallets and card-swipes: transactions attract “card-present” rates, not the higher card-not-present rates of e-commerce transactions, and issuers bear fraud risk, not merchants as with e-commerce transactions. Like both bank- and retailer-sponsored wallets, Apple will likely want to tokenize so that card credentials do not get into merchant systems (reducing fraud risk and the merchant-burden of PCI compliance), and we assume there is a vigorous debate occurring between Apple, banks, and networks because all will want to maintain the token directory mapping tokens to card credentials; in practice, we expect tokens to be issued to Apple directly by large banks and by networks for smaller banks.
- The Firefly button on the Fire phone allows users to price-check an in-store item against Amazon by scanning the barcode. This gives Amazon valuable SKU-level data particularly if integrated with a wallet extending pay-with-Amazon to point-of-sale.
- The other form of fraud arises from “lost-and-stolen” cards where a legitimate card is used by a criminal who poses as the true cardholder; this accounts for ~15% of total card fraud in the US and is largely a function of the prevalence of signature authentication (vs. PIN authentication which is the standard in developed Europe).