US Payments: A Primer on Merchant Acquiring
Howard Mason
203.901.1635
April 7, 2014
- Merchant acquiring – the business of providing merchants with authorization for card payments and settling and clearing transactions, often but not always through the branded (including EFT) networks, so that funds are moved from the merchant account to the cardholder account – will be transformed by the use of mobile phones by shoppers and cloud-serviced, often mobile, point-of-sale (POS) devices by merchants (rather than traditional POS computer systems with associated on-site maintenance and upgrade costs).
- Winners will have: a processing scale advantage from serving large merchants; access to distribution channels, such as value-added resellers (VARs) including merchant banks and independent software vendors (ISVs), where the sale is based more on system reliability and service than price alone; and issuer-relationships generating the potential to (a) save network fees through direct bank-identification-number or “BIN” routing which by-passes the branded networks particularly for PIN-authenticated transactions (where lower fraud content reduces the need for network-level fraud risk management); and (b) add value through access to cardholder PII (personally-identifying information) which can support merchant-clients in the design of digital marketing campaigns.
- Beyond Chase Merchant Services (which, with the cost-advantage of ChaseNet, will likely gain meaningful share of the acquiring volume on Chase-issued cards), our favorite name is VNTV which will gain share through leveraging its relationships with issuers (particularly in PIN debit where it is the leading acquirer) and by increasing diversification: geographically (from its Midwest roots as a wholly-owned subsidiary of FITB until June 2009); into e-commerce (with the acquisition in October 2012 of Litle); and into the SMB category through the merchant bank channel, with the 2010 acquisition of NPC, and with the acquisition of Element in July 2013 (improving access to ISVs).
- In 2013, VNTV grew US purchase volumes at 9% which was exceeded among large acquirers only by bank-owned Chase at 15% and Elavon at 11%; WFC grew at 18% but off a small base with less than 5% share versus over 12% at VNTV (see Exhibit below).
- Chase’s volume growth is driven in part by its dominance of the e-commerce channel (with an estimated 25% share) where retail sales have grown at an annual rate of 16-18% since 2010 versus just under 5% for total retail sales (excluding auto).
- We are cautious on business models limited to the SMB segment, as at HPY and MPS, although these firms are acquisition candidates as the industry consolidates for processing scale and vertical integration with issuers; there is a particular concern around allegations that MPS is using confusing sales practices and misrepresenting costs to clients.
- We do not see Square (with annualized volumes of ~$15bn versus over $500bn at VNTV) as a threat to large acquirers, and do not believe it (or anyone else) is generating adequate acquirer returns on the basic payments function in the micro-merchant segment given high churn and fraud rates. Square announced in November 2013 that it would seek to move up to SMB merchants but these typically operate on an interchange-plus pricing model where Square’s scale disadvantage will count more against it than with micro-merchants operating on a merchant discount rate (MDR) pricing model.
- The edge from Square’s mobile POS is eroding as players with processing scale and distribution advantages offer me-too/better product. For example, the “Clover” mobile POS system (developed by First Data and distributed by it and Bank of America) has an open-API that will leverage third-party developers to compete with the proprietary reporting, analytics, and other applications available on the Square product.
- PayPal faces increasing competition online as pay-with-iTunes/Amazon/Google expand from in-app and native-market purchases to e-commerce more generally, and from pay-with-Chase (announced this February). More generally, bank and network implementation of tokenization eliminates the original case for PayPal (avoiding the need to enter card credentials into a merchant web-site) so that volumes will increasingly depend on consumer inertia and a value proposition to consumers that is independent of perceived security advantage. A spin-out from eBay would accelerate PayPal share declines by depriving it of its own native market.
- Notwithstanding the acceptance partnership with DFS, PayPal will not gain meaningful share of mobile volumes because it does not have the economics to compete with issuer- and merchant-funded rewards; the experiment at HD indicates that convenience offerings (e.g. skip-the-line and order-ahead) are not enough.
Exhibit: 2013 Share of US Purchase Volume on General-Purpose Cards by Acquirer
Overview: The Acquiring Value Chain
Merchant acquiring is the business of enabling merchants to accept credit and debit cards for payment through obtaining transaction authorizations from card-issuing banks and through intermediating the transfer of funds from the cardholder account at the issuing bank to the merchant account at the acquiring bank. It gets its name because, from the perspective of the payments system, the transaction is “acquired” by the company representing the merchant in the system. Technically, only a bank can represent a merchant in the Visa/MasterCard systems and this bank is referred to as the “acquiring bank”; it acts as the ultimate financial underwriter of the merchant so that if, for example, a chargeback (i.e. disputed transaction) is resolved in favor of the cardholder and the merchant is not in a position to refund the amount, the acquiring bank is ultimately on the hook.
Perhaps confusingly, there are non-bank merchant “acquirers” that are more completely referred to as “acquiring processors” as distinct from acquiring banks. The acquiring processor is the entity which has contracted with the merchant to provide card-processing services; this may be, and often is, the acquiring bank but it does not have to be. Non-bank acquirers such as VNTV, GPN, and HPY have processing platforms and contract to provide acquiring services to merchants. These merchants are represented in the Visa/MasterCard systems by an acquiring bank but this acquiring bank simply franks the transaction; it has no contractual relationship with the merchant around card-processing.
Thus far, we have addressed two configurations. In the first, a bank both contracts with the merchant around card-processing (and so is the acquiring processor) and financially underwrites the merchant in the Visa/MasterCard systems (and so is also the acquiring bank); the largest bank-acquirers are Chase, BAC, USB (through its Elavon-branded acquiring business), and WFC which, between them, have a 40% share of the acquiring market. In the second, a non-bank has the contractual card-processing relationship with the merchant; the largest non-bank acquirers are First Data and VNTV (which was wholly-owned by FITB until 2009) with a combined share of 30%; other notable non-bank acquirers are GPN and HPY. In this report, we also talk about Mercury Payment Systems which has just filed an S-1 for an IPO (under the ticker MPS) and processed $34bn of card transactions in 2012 making it less than one-third the size of GPN; as another benchmark, the annualized volume of transactions processed by Square is $15bn and that processed by VNTV over $500bn (see Exhibit 1).
Exhibit 1: US Purchase Volume on General-Purpose Cards
There is a third configuration referred to as third-party processing which is distinct from the two direct acquiring configurations described above. The defining characteristic of direct acquiring is that the processor (which actually handles the card transactions) also owns the processing contract with the merchant (and so is the acquirer). There are cases where the acquiring processor chooses to outsource all or some of the processing to a third-party, creating a third-party processing relationship. Direct acquiring has a larger revenue pool estimated by TSS at over $12bn versus ~$500mm for third-party processing. Third-party processors are vulnerable if the acquirer chooses to switch processors as TSS (half of whose processing business is third-party rather than direct acquiring) discovered when BAC chose in 2009 to form its Bank of America Merchant Services (BAMS) joint venture with First Data and has over the last 4 years gradually transferred its processing business from TSS to BAMS.
Distribution and Smart POS (iPOS)
As in all businesses with processing-scale economies, distribution is important in merchant acquiring.
Typically, acquirers have a direct salesforce to work with larger merchants and then expand their reach through working with distribution partners such as value-added resellers or VARs and, providing additional feet on the ground, independent sales organizations or ISOs. The distinction between a VAR and an ISO is that, for a VAR, card-processing is not the main economic focus of the merchant relationship; rather, the VAR is looking to the acquirer to handle card-processing reliably so broader aspects of the relationship are not compromised. For example, a bank like FITB without an acquiring business will hand it off to VNTV in order not to allow a competitor such as Chase to get a foothold with the merchant client (and then expand the relationship to treasury and lending which is the economic focus of a banking relationship). For an ISO, however, card-processing is the economic focus of the relationship. As their name suggests, most ISOs have initially evolved as sales organizations but at some point can reach a scale where it is economically viable to integrate backwards into processing as, for example, MPS (which is currently an ISO for GPN) indicates it will do in its S-1 filing.
A critical transformation in the payments industry is that large, and increasingly SMB, merchants are looking for their point-of-sale (POS) systems to evolve from managing payments as a stand-alone utility to integrating payments into a broad suite of business applications including customer relationship and inventory management; a particular focus is the implementation, and integration into payments, of mobile apps and loyalty programs including digital marketing. This transformation is changing the way acquiring services are distributed as they are increasingly bundled with these other business applications in an integrated point-of-sale or iPOS system. The assembly of these broad application suites is done by independent software vendors or ISVs who provide merchants with (typically cloud-enabled) software; aside from integrating payments into other applications and offering reporting and analytics based on payments data, this software also provides an interface between the iPOS terminal and the “back-end” processing platform of the acquirer.
These ISVs, and the dealers who sell iPOS hardware, are becoming an important distribution channel for acquirers, who can embed their payments technology in third-party software applications. As a result, VARs (which include ISVs) generated 15% of new merchant accounts in 2011 (up from 11% in 2009) versus 32% from direct sales forces and 21% from ISOs. Largely driven by ISVs, VARs are gaining distribution share and projected to have accounted for 24% of new merchant accounts in 2013 and we expect this to continue as iPOS hardware increases merchant penetration, particularly among SMBs, with the upgrade cycle likely to be accelerated by EMV adoption; aside from broader functionality, the value-proposition to merchants of cloud-enabled iPOS terminals, over traditional stand-alone POS systems, is that they do not require as much onsite maintenance. In its S-1 filing, MPS cites research that for large merchants (with chains of over 1000 stores), iPOS represents 94% of installed POS devices while the equivalent figure for single-location SMBs was 45% in 2012 up from 39% in 2011.
While the business model at MPS is presented as riding the iPOS wave and distributing through the ISVs who supply software to merchants and the vendors who supply hardware (with MPS distribution outlets split 1:4 between ISVs and dealers and growing at a 12% CAGR over the last 8 years), other acquirers are also participating in the channel. In 2013, for example, VNTV acquired Element Payment Services which deploys payments technology “through partnerships with point-of-interaction (POI) hardware vendors and business management software vendors”; and, in January, VNTV went on to announce a partnership with MSFT around mobile POS and cloud-enabled payments services. HPY and First Data have also forward integrated into the ISV channel. HPY, for example, was a reseller for the Leaf mobile-POS system and open-app platform and, in October 2013, made a $20mm strategic investment. That same month, First Data purchased Clover which provides iPOS hardware and software for a POS system that includes card payments, payroll integration, inventory tracking, and employee time-stamping.
The integration of payments into broader business management applications is driving acquirers to make a strategic decision about distribution, with VNTV and HPY making different choices which, over time, will cause them to evolve distinct business models. VNTV is focused on processing-scale, and so looking for advantaged access in all distribution channels. Aside from the purchase of Element for the ISV channel, VNTV also acquired online payments company Litle in October 2012 so as to compete for e-commerce volumes against incumbents such as Chase-owned Paymentech. HPY, on the other hand, is focused on merchant service and distributes only through a direct salesforce which allows it to tightly control pricing and service.
This is important given HPY’s positioning for transparent pricing in an industry where ISOs, whose economics depend on the spread between the charge to the merchant customer and the cost of the acquiring processor, have made a “high art of pricing and fee obfuscation”. However, it means that HPY does not have the distribution scale of competitors accessing other channels and grew volumes in 2013 at below 4% (versus industry growth of near 6%). Furthermore, as the payments sale to merchants is becoming integrated into a broader discussion about business management applications, HPY is being pushed to expand its offerings to include payroll (with the acquisition of Ovation Payroll in January 2013, for example) and hardware (where, as discussed, it is a reseller for Leaf). Indeed, there is a striking contrast in iPOS strategy between HPY which is a reseller for the Leaf offering of software solutions and VNTV where third-party software vendors (i.e. the ISVs) are the reseller of VNTV processing.
Pricing and the Heartland/Mercury Complaint
There are two pricing models in the acquiring business: the merchant discount rate or “MDR” model where the merchant pays an all-in rate (quoted as a percentage of the transaction value) and the acquiring processor takes responsibility for the various fees imposed by participants in the payments system including, in addition to its own fee, the “interchange” fee assessed by the issuer bank and the network fees assessed by the Visa or MasterCard (or, for some PIN transactions, EFT) networks; and the “interchange-plus” model where the acquiring-processor contracts for an acquiring fee (typically a few cents/transaction) and, at least as presented to merchants, transparently passes-through other fees such as interchange and network assessments. Large retailers have long used the interchange-plus pricing model and WMT has the clout to treat acquiring processors like other vendors: First Data and VNTV compete head-to-head for “jump ball” volumes (although both are also guaranteed some minimum volumes).
Until the mid-2000s, most SMBs used the MDR pricing model allowing ISOs to capture the spread between the discount rate negotiated with the merchant and the aggregate fees charged by the various participants in the payments system. Indeed, there was an ISO windfall when the Durbin cap on debit interchange went into effect in October 2011 because many did not pass through their savings to merchant clients (and were not contractually obliged to do so). Some sales organizations, most notably that at HPY and particularly after Durbin, have sought to win business by educating SMB merchants around card-processing fees and selling the benefits of transparent “interchange-plus” pricing; indeed, honoring this commitment is a key reason HPY distributes exclusively through a tightly-managed salesforce and not through ISOs.
As more SMBs are pitched interchange-plus pricing by ISOs seeking to displace the owner of an MDR contract, merchants have become more aware of the potential for savings and are demanding transparent rather than MDR pricing. As a result, the ISO channel has been in a race-to-the-bottom around profitability which is why VAR channels can generate better margins (because the sale is based more on reliability and service, with acquiring being incidental to the VAR’s broader business relationship). Mercury Payment Systems (MPS) appears to defy this trend with gross and net margins in 2013 of 68% and 26% respectively compared with corresponding figures at HPY, which serves the same SMB segment as an acquiring processor while MPS is an ISO of GPN, of 17% and 5%.
Notwithstanding its materially higher margins, MPS is gaining share (growing volumes over 17% in 2013 versus less than 4% at HPY) and, according to HPY, winning on price in head-to-head competition for clients. HPY provides the 2008 example of a California-based restaurant chain where it bid cost plus 7 cents/transaction (plus 0.02% of the transaction value and a monthly service fee of $7.50) but lost the business to MPS which, according to the merchant client, “by far provided the best rates”. HPY adds that it believes MPS won the business with a price-quote of cost plus 6.5 cents/transaction (plus similar add-ons to HPY). As an ISO which outsources processing to GPN, it is not clear how MPS has the cost advantage to be more profitable than HPY with its own processing at a lower price-point.
Of course, this transaction could be an anomaly. However, HPY alleges that it followed up with the merchant to view the statements provided by MPS and found that while MPS was indeed charging its “plus” of 6.5 cents, it did so on pass-through costs that were inflated by 4 cents. If so, given that these interchange and network costs are independent of the acquiring processor, the net effect is that MPS was actually charging the client cost plus 10.5 cents, so significantly more than HPY’s original, and supposedly price-uncompetitive, bid of cost plus 7 cents. Such supra-competitive pricing, if HPY’s claims are accurate, would lift operating margins at MPS and provide it with the ability to show higher payouts to its channel partners than they are actually receiving (because, in this example, any distributor mark-up would be based on 6.5 cents/transaction and not the “plus” of 10.5 cents alleged by HPY).
In filing a federal complaint against MPS in January this year, HPY commented: “the deceptive pricing practice of falsely inflating pass-through interchange fees not only constitutes unfair and illegal competition, it also costs even the smallest of merchants hundreds or sometimes even thousands of dollars each year without their awareness”. Mercury Payment Systems adamantly denies HPY’s allegations and commented: “we believe they [HPS] filed this lawsuit as part of a marketing campaign against us in order to win business .. Heartland simultaneously launched an aggressive sales and marketing push directly targeting Mercury’s merchants and channel partners”.
PayPal, Square, and the Aggregator Wave
PayPal and Square have received a lot of attention for successfully marketing their payment services to merchants and as disruptors for the acquiring industry, if not the entire payments value-chain; however, they are not acquirers and, in fact, for most of their payments business are clients of acquiring processors and acquiring banks. From the perspective of Visa and MasterCard, they are merchant “aggregators” allowing merchants to accept credit and debit cards without having to go through the cost and compliance/credit checks necessary to set up a merchant account at an acquiring bank; in effect, the end-merchants piggy-back off the merchant account of the aggregator which becomes merchant-of-record. This aggregation model, where transactions from a number of different merchants are funneled through a single merchant account, did not exist before the mid-1990s and has catalyzed a wave of innovation.
PayPal, founded in 1998, built its business on merchant aggregation by offering a simple on-boarding process (enable a pay-with-PayPal button on a web-site) and simple rate structure (now, for transactions over $10, 2.9% of value plus 30 cents). Since then other aggregators have evolved with different business models and merchant value propositions. The best-known of these is Square (founded in 2009) which gained traction when, responding to the potential for mobile payments in July 2011, Visa extended the aggregation model from e-commerce only to face-to-face transactions. Like PayPal in e-commerce, Square offered micro-merchants the opportunity to accept payment cards easily (just buy a dongle for your phone or tablet) and with a simple rate structure (typically 2.9% of the transaction value plus 30 cents).
Beyond the ease of on-boarding for payment card acceptance, the increasing appeal of aggregators to merchants is the bundling of marketing and payments services; this has led to a number of aggregator start-ups in industry verticals including Uber (connecting taxis and limousine-drivers to passengers), Airbnb (connecting landlords with tenants), WyzAnt.com (connecting tutors and students). Other aggregators have explored different business models including LevelUp (which allows merchants to send offers and coupons to wallet-holding customers over Facebook) and Stripe which is an aggregator-of-aggregators in that it offers API’s to aggregators, including Lyft, so that they can easily incorporate payments functionality into web-sites and mobile applications. These aggregators are not acquiring processors but rather contract with acquiring processors so that Uber, for example, uses VNTV.
Beyond signing up merchants at attractive rates, the first key to the economics of aggregators is to manage fraud and chargebacks. For example, if a chargeback (i.e. disputed transaction) is found in favor of the cardholder, the merchant must return funds and, if this does not occur, the aggregator is liable (and then the acquiring processor and then finally, as underwriter of last resort, the acquiring bank). Chargeback costs are very high in the micro-merchant segment because of high churn and fraud, and were a challenge for PayPal in its early years. PayPal has developed its fraud risk management technology, and does not serve micro-merchants exclusively, so that the loss rate now stands at a manageable 0.3% of value (see Exhibit 2). This opens up a healthy spread between the “take rate” (what PayPal charges the merchant) and costs including “transaction expense” (what PayPal pays its acquiring processor, to the networks, and as interchange to issuing banks) and the “loss rate”.
The second key for aggregator economics is to manage the funding mix so as to lower interchange (which accounts for over 80% of the transaction expense). If consumers exclusively used credit cards in their PayPal wallets, for example, the transaction expense would be closer to the 2% average interchange rate on these cards. In practice, while credit cards can be used to fund purchases, they cannot be used to establish a prepaid balance which must be done from a bank account (electronically over the ACH network) at near-zero cost to PayPal. Shifting the funding mix from credit cards to ACH-accessed bank accounts lowers PayPal’s transaction expense.
Exhibit 2: Payment Volumes and Economics for PayPal
We do not believe more recent aggregators, including Square, are making an adequate spread from the base payments utility in the micro-merchant segment. Fraud costs will likely be meaningfully higher than at PayPal and more recent aggregators do not have the scale to negotiate as aggressively with Visa and MasterCard as PayPal has done to drive down fees. Instead, aggregators are relying on premium pricing which is linked to their marketing value-add. For example, Uber charges drivers 20% of the fare and, in addition to a typical base 2% fee, LevelUp charges merchants 25% of the payment when a customer redeems an offer from the merchant that LevelUp has distributed through Facebook or otherwise.
Indeed, LevelUp is losing money on the base payments utility since it pays 2.5-5% for credit card transactions according to marketing manager Matt Kiernan; in other words, the payments utility is a loss-leader for the digital marketing programs. To begin to address this, LevelUp is looking to encourage customers to fund their purchases not with a credit card but with a debit card where the cost to LevelUp is lower at 1.5-2% (even with the Durbin cap on debit interchange). LevelUp acknowledges that this will mean overcoming the rewards-driven preference among many customers for funding with a credit card, and handles this by alerting consumers to the amount of credit card rewards they have earned and offering bigger merchant-sourced rewards if they switch to a debit card.
The economics works because merchants are willing to pay meaningfully more for payment products that are integrated with marketing campaigns driving incremental business and where the reward is associated with the merchant brand than for payment products that are table-stakes for doing business and where the reward is associated with a bank brand. Indeed, the difference is potentially very large: for 2009, for example, AXP estimated that US marketing and advertising spend available for new digital solutions was $364bn compared to US consumer credit/charge card revenue pools of $144bn (see Exhibit 3). Last year (at October’s Money2020 conference), Ed Labry of First Data offered a similar analysis in spoken remarks estimating the digital marketing opportunity at $500bn compared to his $30bn estimate for the revenue pool to merchant acquirers.
Exhibit 3: The Digital Marketing Opportunity as Reported by AXP
Source: AXP Financial Community Meeting August 2011
Breaking the Cartels: From Visa Aggregation to Authentication
Visa and MasterCard enacted rules allowing aggregators (so allowing transactions from multiple merchants to be funneled through the single merchant account of the aggregator) to extend the acceptance footprint to smaller merchants who, faced with the compliance and credit checks involved in establishing their own merchant account at an acquiring bank, might have chosen not to accept credit cards. Given the wave of innovation in payment aggregators, particularly directed at merchants who have not traditionally accepted credit cards (such as tutors at Wyzant, drivers at Uber, landlords at Airbnb etc), the strategy has been successful. However, it is not without risks for the networks and bank partners particularly as the online aggregators such as PayPal look to take advantage of consumer use of mobile phones to extend their models to physical point-of-sale (POS):
- First, it is clear that payments and marketing are converging linked by the valuable data on consumer shopping habits generated in the payments system. One of the effects of an aggregator (whether it is a transaction aggregator as in the case of the SBUX card and mobile app or a merchant aggregator as in the case of PayPal, for example) is that Visa and MasterCard do not see the end-payments transaction, but only the aggregate funding transactions. This limits their ability to understand customer shopping habits and hence support partners in digital marketing initiatives. Indeed, in April, MA announced a staged digital wallet operator fee (SDWO) that is assessed on large “merchant-of-record” aggregators unless they pass through the underlying by-merchant transaction data; in other words, MA is willing to pay for the data (albeit off an increased price point). The fee does not apply to e-commerce transactions, but only POS initiatives and it is not clear whether it will apply to cross-network wallets (where, for example, an MA card is used as a funding source in a wallet such as Serve or V.me with a different acceptance brand).
- Second, as illustrated by efforts to encourage consumers to fund with ACH-accessed bank accounts (for prepaid balances in the case of PayPal) or debit (for extra rewards in the case of LevelUp), aggregators have different economic incentives than the branded networks and particularly from their bank issuer-partners (who prefer the interchange on Visa and MasterCard transactions over the zero-interchange ACH network). This is bad enough in the e-commerce environment but bank concern has increased at the prospect of the online aggregators taking advantage of the shift to mobile payments to extend the aggregator model to the physical point-of-sale. In March last year, for example, MasterCard’s president of US markets, Chris McWilton, commented as follows: “PayPal rides for free on the back of other business models. So they ride on the back of the networks for a card-funded transaction. They ride on the back of ACH, which is owned by the banks, and I think they’ve got to be cautious that they don’t get too big and start making people wake up and say wait-a-minute, I’m actually losing business here because of your moving into the physical space. And, by the way, you’ve been able to ride for free on the back of the networks and the back of the ACH system – time out here”.
We have discussed the first issue around the convergence of payments and marketing, and now turn to the second issue of transaction routing. The traditional card model relies on bank issuers using card rewards to encourage consumers to prefer payment methods that are high-cost to merchants. However, the economics of merchants themselves, and particularly of merchant aggregators, depend on low-cost transaction routing. A critical question in the payments industry, therefore, is around control of the routing decision with advantage to the entity authenticating the customer. Ross Anderson of the Kansas City Fed (whom payments consultant Tom Noyes reports as saying memorably “if you solve authentication everything else is paperwork”) cites in a recent paper the example of how Sofort has lowered merchant costs in Germany by taking control of authentication. An online shopper enters bank information (account details and a PIN) on the Sofort web-site and, after confirming these with the bank, Sofort checks the available balance and uses funds-transfer functionality to pay for the purchase. Mr. Anderson notes: “Sofort is doing a middleman attack on her [the customer’s] bank account in order to deprive the bank of transaction fees. The merchant pays 75 basis points plus 10 cents/transaction rather than 250 or more for online credit card payments. Analysts estimate that Sofort had 1.2bn euros of the 20bn euro market for online payments in 2009.”
Of course, the use of “token” information (in the above case the bank log-in information) as a stand-in for card account information is common in the US as well, with all non-bank digital wallets (including PayPal, Google Wallet, V.me, pay-with-Amazon, pay-with-iTunes, SBUX) requiring the consumer to open an account and then using the associated log-in credentials to provide authentication and as a substitute or token for the card account information. Acting in this role of “token vault” (as entities matching tokens to underlying card account information are called) gives these payment providers the opportunity to shape consumer preferences around how transactions are funded. Some have taken a more aggressive approach to this than others. For example, SBUX does not even provide the option of ACH funding, LevelUp creates incentives for consumers to use debit cards, and PayPal does not allow credit-card funding of prepaid balances.
Understandably, banks are concerned at having their payment cards wrapped in a third-party authentication environment (even if that third party underwrites the fraud risk) given that the incentives of the third party, around transaction routing and data-sharing for example, may not align with their own. There is therefore a behind-the-scenes struggle occurring between banks, networks, merchants, and intermediaries (including merchant aggregators) over who authenticates the customer. For example:
- Banks: In February, JPM announced (at its investor day) a pay-with-Chase product for online shopping where consumers will authenticate by entering their Chase account log-in credentials; in Canada this is the standard consumer authentication approach for online transactions on the Interac network.
- Merchants: A key motivation for the merchant payment consortium MCX, beyond controlling and protecting payments data, is to manage customer authentication through merchant-provided cards so as to direct transaction routing away from high-interchange networks towards ACH and a custom-version of PayNet operated by FIS.
- Intermediaries: Apple has indicated its interest in extending pay-with-iTunes from in-app and in-Apple-store purchases to the broader payments landscape, particularly mobile. Management has reported on its 600mm credit cards on file (giving it a strong hand as a token vault) and presumably would authenticate customers with their iTunes log-in bolstered by a fingerprint. CEO Tim Cook comments that “mobile payments are an area we have been intrigued with and it was one of the thoughts behind Touch ID”. More generally, biometric tokens (as opposed to knowledge-based tokens such as a PIN) provide an opportunity for intermediaries to disrupt the authentication market by offering a convenience appeal to consumers; pay-with-Square, for example, uses a cashier’s ability to match your passport-like photo in the Square app to your face in person, and voice-authentication is on the horizon with Nuance promoting “my voice is my password”.
Security and Commercial Crosswinds in Dynamic Tokenization
The irony of pay-with-Chase is that the token being used (the bank account log-in) is potentially more valuable to a thief than the card account information it is replacing. The risk will no doubt be managed with encryption, but it illustrates that the promulgation and adoption of new technologies, however presented, has as much to do with the commercial incentives of individual participants as system-wide integrity. An example of this is provided by Visa’s insistence on promoting chip-and-signature in the transition to EMV cards, as opposed to the international standard of chip-and-PIN which is in place because, for obvious reasons, PIN authentication is more secure than signature authentication: specifically, global card fraud rates associated with signature authentication are 6 cents per $1000 of transaction volume versus 1.1 cents for PIN authentication.
Visa argues that many small merchants do not have PIN pads but this minimizes the network’s influence; after all, through liability-shift, Visa is encouraging merchants to install EMV-compliant POS terminals at a total cost to merchants of an estimated $8-10 billion; given this upgrade cycle, it is hard to believe the marginal cost of installing PIN pads would not produce a strong return on investment for the system as a whole. However, Visa has its shareholders to consider as well as system-wide integrity and, in particular, the revenues generated from network-level fraud management services; these become less valuable as the potential for system fraud declines. Indeed, in an environment more tilted to PIN authentication, it is likely that, with less need to rely on network-level fraud protection, more banks would follow the example of Chase (whose size allows investment in fraud management capabilities that are at least equal to those at Visa) in demanding that transactions be routed direct from processors (based on the bank identification number) and not “switched” over the Visa/MasterCard networks. As Ross Anderson notes, “it is quite normal for firms competing in two-sided markets to offer insecure products in the race for market share and then lock things down later”.
The interplay of commercial and security drivers is also playing out in industry adoption of dynamic tokenization, particularly given the Target breach of data on mag-stripe cards announced in December. There are broader issues at play than security alone as payments industry consultant, Steve Mott, comments: “the stakes [around tokenization] couldn’t be higher; the solution that’s finally adopted will define the next generation of card payments and the terms of engagement for both legacy providers and new digital giants alike – notably rules and rates.” The security backdrop is as follows.
Chip-cards conforming to the EMV protocol, along with encryption, are being promoted as a solution to the vulnerability to data-theft of mag-stripe cards, but they are a partial fix at best. For one thing, even under the EMV standard, unencrypted account information gets into the POS and other merchant systems and so would likely not alone have prevented the data-breach at Target: “EMV would not alone have prevented the theft of card information in recent data breaches because it relies on merchants receiving and processing the same static account numbers in use today” testified David Fortney of TCH to Congress in March. However, if chip cards are combined with tokenization, which prevents payment-account credentials from getting into merchant systems, then the data-breach risks are mitigated if not eliminated altogether.
As discussed, the essence of tokenization is to replace the primary account number (PAN) against which a payment-card transaction is settled with proxy data or a “token” whether a web-account log-in (as with PayPal or pay-with-Amazon), a bank account log-in (as with pay-with-Chase), a face (as in pay-with-Square) or a fingerprint (if there is pay-with-iTunes on your TouchID-equipped mobile phone). In fact, the number on your credit card is already a token (since it is not the PAN), but it does not contribute materially to fraud mitigation since it is statically matched to your PAN. It simply means that, if a card is lost or stolen, it can be cancelled and a replacement re-issued with a different embossed number; this new card number is matched to the PAN which itself does not need to be changed (although it sometimes is as an additional measure of protection).
The common element of the above tokenization examples is that the token is used in all transactions and is statically matched to your PAN (through a card-on-file in the case of the merchant aggregators). The security weakness of this is evident: if the token (such as your PayPal log-in) is lost or stolen, a thief can potentially access your PAN. Greater fraud mitigation can be achieved with dynamic (as opposed to static) tokenization where, for example, following an approved transaction-authorization request, an issuer provides a number that is used, just like current card numbers, to settle the transaction and is then, unlike current card numbers, destroyed (so that the next transaction uses a different token). Obviously, this is not possible where the token can only be stored on a mag-stripe, but dynamic tokens are possible if storage is provided by a chip (whether in a card, phone, or computer) which is IP-connected. Then, in response to an approved authorization request, the bank (or possibly network) sends a token from the cloud to the chip, and this is passed via the payment device to the POS, used by the merchant to settle the transaction, and finally invalidated. In practice, banks may choose not to use one-time only tokens (in case, for example, the payment device loses IP-connection) but rather tokens that are valid for a week or valid only online or however the fraud system chooses to optimize; the point is that, unlike a static card number on a mag-stripe, the life and scope of dynamic tokens can be controlled.
The security advantage of dynamic tokenization is that static card credentials never enter the POS or merchant system, and so cannot be accessed from these (which, as an important benefit to merchants, renders largely obsolete the costly standard payment card industry “PCI” compliance infrastructure intended to ensure merchants handle sensitive account data in a secure fashion). If payments data are fraudulently removed from the merchant system, they are worthless since the tokens are expired. The commercial advantage to banks and networks of dynamic tokenization is that it undercuts the security case of PayPal and other intermediaries who are looking to gain control of transaction routing by appealing to consumers on the basis of secure authentication alone.
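The token life cycle described above, as an added example that is not part of the original report: an issuer-side vault hands out tokens with a controlled life and scope, and a token copied from a merchant system cannot be settled again. The `TokenVault` class, its method names, the channel labels and the sample PAN are assumptions made for illustration, not any bank's or network's interface.

```python
import secrets
from dataclasses import dataclass
@dataclass
class _Grant:
    pan: str           # real account number, held only by the issuer
    expires_at: float  # end of token life (epoch seconds)
    channel: str       # scope, e.g. "pos" or "online"
    uses_left: int     # 1 = one-time token
class TokenVault:
    """Hypothetical issuer-side vault mapping short-lived tokens to PANs."""
    def __init__(self, clock):
        self._clock = clock   # injectable so the example is deterministic
        self._grants = {}     # token -> _Grant

    def issue(self, pan, channel, ttl_seconds, max_uses=1):
        """Called after an approved authorization; returns the token sent to the chip."""
        token = secrets.token_hex(8)  # random, so it reveals nothing about the PAN
        self._grants[token] = _Grant(pan, self._clock() + ttl_seconds, channel, max_uses)
        return token

    def settle(self, token, channel):
        """Merchant presents the token; the PAN never leaves the vault."""
        grant = self._grants.get(token)
        if grant is None:
            return False, "unknown-or-spent"
        if self._clock() >= grant.expires_at:
            del self._grants[token]
            return False, "expired"
        if channel != grant.channel:
            return False, "out-of-scope"
        grant.uses_left -= 1
        if grant.uses_left == 0:
            del self._grants[token]   # invalidate: next transaction needs a new token
        return True, "settled"

def demo():
    now = [1_000.0]                                   # constructed clock
    vault = TokenVault(clock=lambda: now[0])
    pan = "4000000000000002"                          # constructed sample PAN
    t1 = vault.issue(pan, "pos", ttl_seconds=60)      # one-time token
    merchant_db = [t1]                                # all a merchant breach could expose
    results = [vault.settle(t1, "pos")]               # legitimate settlement
    results.append(vault.settle(merchant_db[0], "pos"))   # replay of the copied token
    t2 = vault.issue(pan, "online", ttl_seconds=7 * 86400, max_uses=5)
    results.append(vault.settle(t2, "pos"))           # week-long token used off-scope
    now[0] += 8 * 86400
    results.append(vault.settle(t2, "online"))        # same token after its life ends
    return results, pan in merchant_db
```
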
Going forward, for example, computers could come equipped (or accessorize-able) with chip-card readers and NFC radios so that consumers purchase goods online (by slotting a card in a chip-reader or using tap ‘n’ pay with an NFC-enabled ‘phone) in just the same way as they do at physical point-of-sale. The challenge, then, for PayPal is not so much to stimulate adoption of its mobile wallet at point-of-sale (through convenience advantages such as skip-the-line or pay-ahead, for example) as to protect its core online franchise; after all, a key consumer case for PayPal, that it is not necessary to enter card credentials on merchant web-sites, is true for all credit cards on appropriately-equipped computers. In fact, EMV implementation in the US will be compatible with Bluetooth and Android’s host card emulation or “HCE” protocol (effectively creating a secure element in the cloud) so recent computers may not even need chip-card readers or NFC radio accessories; Bluetooth will do.
- ISVs bundle payments services in an SaaS format with other business management applications, including customer-relationship and inventory management.
- In 2011, VARs and ISVs generated 15% of new merchant accounts up from 11% in 2009 and versus 32% from direct sales forces and 21% from independent sales organizations (ISOs); they were projected to account for 24% in 2013.
- MPS is the prospective ticker for Mercury Payment Systems which, last month, filed an S-1 registration; technically, MPS is an ISO for GPN which has responsibility for clearance with financial underwriting from WFC. MPS has announced that it will begin to take some processing in-house and so will become a processor in its own right.
- In a tokenized payment system, the card account information is replaced by substitute information (i.e. a “token”) with limited life and application (and so less value if stolen than the account information itself).
- A VAR relationship is characterized by a referral process where, in the example cited, FITB refers the acquiring business of a merchant client to VNTV who enters into a processing contract and pays referral commissions to FITB. In a third-party processing relationship, such as between BAC and TSS, BAC does not refer the merchant to GPN but rather enters into a processing contract with the merchant and outsources some or all of the contracted activities to GPN.
- EMV stands for “Europay, MasterCard, and Visa” and is the global standard for chip-enabled payment cards.
- This “BIN routing” requires a connection between the acquiring processor and the issuing bank which already exists at Chase for those merchants whose acquiring processor is the Chase-owned Paymentech. The large banks already have the technological capability, through the clearXchange network founded by JPM, BAC, and WFC (and currently used to support P2P payments), to extend BIN routing to any POS transaction where there is a clearXchange member acting as the acquiring processor and a (possibly different) clearXchange member acting as the issuer.