Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
February 27, 2017
Wouldn't It Be Nice to Tap and Pay?
In the mid-2000s, after setting up a new checking account following a move, I received a debit card that, in addition to the magnetic stripe, had contactless functionality. I remember thinking how "cool" this feature would be, not having to swipe the magnetic stripe but simply tapping the card on the point-of-sale (POS) terminal. However, I quickly became disappointed, as I couldn't use the tap functionality in most places that I shopped. In the few places that did allow for taps, I don't recall the tap ever working properly. After a few months, I never attempted to tap it again and reverted to the traditional swipe.
Fast forward to 2017, and contactless card usage is surging in the United Kingdom, Australia, and Canada while remaining all but nonexistent in the United States. In November 2016, contactless cards accounted for nearly 25 percent of all card payments in the United Kingdom, up from 11 percent since November 2015. In Australia, Visa reported that 75 percent of face-to-face transactions over their network happen via their contactless solution. And in Canada, 99 percent of Mastercard's consumer credit cards are contactless-enabled. A 2016 report found that Canadian consumers were frustrated by merchants that didn't accept contactless payments. All of these countries have also gone through a migration of their payments cards to EMV chip cards. Did the United States miss a great opportunity when chip cards replaced the magnetic-stripe-only payment cards?
Interestingly, in these markets where contactless card adoption rates are surging, contactless cards are leading the contactless payment push ahead of mobile payments. In the United States, we are heading in the opposite direction, with mobile contactless attempting, and struggling, to get traction. No doubt, mobile is the more challenging environment, with a variety of form factors (iPhone, GalaxyS7, Pixel, and more), different ways that the form factor can interact with the POS terminal (such as near-field communication, magnetic source transmission, and barcode), and a variety of different wallets compatible with the different form factors. With a contactless card, you get one form factor—a card—and one method of contactless interaction. (Multiple-interface cards can still be swiped or dipped at the POS.)
I am convinced that the investments made in mobile contactless to this point are one of several factors holding up this country's transition to a contactless card environment. Consumers are confused by the experience and merchants and issuers are struggling with the wide range of options to consider, such as which wallets to enable and which technologies to support. Contactless cards have the ability to create a ubiquitous experience for both consumers and merchants. And this writer believes that a payment experience can't get any easier than a tap of the card.
It's hard for me to believe that it has been 20 years since I received my keychain Speedpass fob. I have positive memories of the simple and seamless transactions that I experienced when purchasing gas by touching the contactless fob to the gas pump reader. Unfortunately, I moved to a location with very few stations that accepted my fob. I always wished that I could have a similar experience for other purchases. Contactless cards allow for that and in a much easier and simpler fashion than my mobile phone allows. So can we get on with contactless cards? I am ready to tap and pay everywhere. Are you?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 19, 2016
Mobile Wallets: Is This the Year?
In our 2015 year-end retrospective post, we commented on the slow pace of adoption of mobile payments despite the introduction of several major mobile wallets. While some consumer research continues to point to widespread consumer usage of mobile wallets in the coming years, we have seen similar projections from past research fail to materialize.
So what have been the major barriers to adopting mobile wallets? And for those who have adopted them, what functions are the most important? As I have noted before, I am a firm believer in former Intel CEO Andrew Grove's 10X rule: a new technology experience must be at least 10 times better than the previous method to achieve widespread consumer adoption and usage. A number of different elements—speed, cost, convenience, personalized experience, ease of use, and so on—can all contribute to achieve that 10X factor. Another critical element is the consumer's trust in the security of the wallet to ensure that payment credentials and transaction information will not be compromised in some way. The market research and strategy firm Chadwick Martin Bailey (CMB) conducted mobile wallet research in March–April 2015 on a nationally representative sample of smartphone owners and specifically asked mobile wallet nonusers what were their particular security concerns. As the chart shows, identity theft and the interception of personal information during the transaction were the top two reasons given.
The tokenization of payment credentials goes a long way to providing a higher level of security, but a major educational effort is required to relay this knowledge to consumers to increase their level of confidence. The CMB study found that 58 percent of nonusers would be somewhat or extremely likely to use a wallet if tokenization of their payment account information were performed.
But is it enough to convince consumers that mobile payments are more secure to significantly speed up adoption and usage? Mobile wallet proponents have been saying for years that the mobile wallet must deliver more than just a payment function, that it should include incorporate loyalty, couponing, identification, or other functions.
So if the desired end state is known, why is it taking so long for the mobile wallet providers to achieve that winning solution? The retailer consortium MCX is going into its fourth year of development and has just recently begun a pilot program of its CurrentC wallet in the Columbus, Ohio, market. Two of MCX's owners and major U.S. retailers, Walmart and Target, have announced in the last couple of months their plans to develop and operate their own mobile wallet. While these companies still profess their support of the MCX program, have they concluded that a common mobile wallet solution among competing retailers doesn't meet all their specific needs? Or is it a desire to offer their customers a wider choice of shopping experience options and differentiate their experience? Or is it another reason altogether? Only time will tell.
So do you believe that 2016 will be the year of the mobile wallet? Let us know what you think.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 9, 2012
Can clouds and contactless chips coexist?
Mobile wallets have started to make their way into the market this year. Inevitably, industry stakeholders are joining opposing camps on the technology that these wallets use to keep payment information and other personal data safe and secure: contactless chips or cloud-based technology. The chips are embedded in a mobile handset that communicates with a terminal via near field communication (NFC), while the cloud-based technology involves an application downloaded to the mobile handset.
If the critical mass necessary for the successful adoption of a payment system relies on acceptance interoperability and technical standardization, can these two solutions coexist in a future mobile payments system? Or will technology debates threaten near-term interoperability and consumer adoption?
The first generation of mobile wallet trials such as Isis and Google are using contactless NFC technology. This is not surprising as early discussions found consensus on the need to move as an industry to NFC for mobile payments. In fact, as my coauthors and I noted in our 2011 paper, "Mobile Payments in the United States: Mapping out the Road Ahead," one of the key tenets agreed upon at the time by industry stakeholders for a safe and secure mobile payments system was the use of contactless NFC technology.
However, since that time, new mobile providers have been rolling out wallets that do not use NFC. Instead, they rely on store payment credentials in remotely based servers, more commonly referred to as the "cloud." The PayPal wallet, for example, leverages consumers' existing PayPal accounts where payment credentials are stored.
Benefits and challenges
Numerous complex variables are at play in the debate on NFC versus the cloud. A recently published TSYS whitepaper authored by Scot Yarbrough and Simon Taylor, "The Future of Payments: Is it in the Cloud or NFC?," provides a comprehensive explanation of the benefits and the challenges that opposing business models face.
The authors summarize the case for NFC by noting that it is backed by the major card networks and offers the capability to store and send information other than payment, such as contacts and videos. The case for payments in the cloud has a supply-side incentive in that the infrastructure costs are much lower for the merchants at the point of sale.
Both systems face challenges, of course, as evidenced by the current low adoption levels for any particular wallet. The TSYS authors note that cloud technology payments may offer so many different choices, "how many ways to pay will the consumer want to learn and adopt, especially when he or she can simply reach into their pocket, pull out their credit or debit card and pay?"
They also note that NFC is also not without flaws. Building consumer experience will require compelling value propositions to encourage new payment behaviors. Further, the complexity of the ecosystem to manage the payment credentials in the chip inside the mobile device among various players in the business model creates economic challenges as well.
In the near term, cloud-based solutions will likely disrupt the payments landscape as merchants look to manage their share of the infrastructure investment for new payments. As wallet providers identify efficiencies and optimal security propositions for data residence and transit, it is possible that hybrid business models will emerge. Finally, the TSYS authors aptly note that future game changers will likely alter the current argument completely. Will merchant investment costs matter in a future where the mobile handset is also the merchant's acceptance terminal?
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
February 27, 2012
QR codes versus NFC: Cheaper, but worth the risk?
In recent years, we've seen discussions on the value and viability of near-field communications (NFC) apps morph from the hypothetical to some actual real-life deployments. Google has rolled out an NFC mobile wallet, and others are on their way for trial rollouts, as we discussed in last week's post. As this burgeoning industry takes shape and the costs and barriers become more apparent, some interim and quite disruptive technological alternatives are gaining attention—namely QR (short for "quick response") codes. In fact, many merchants today are touting QR codes as the near-term alternative to a more costly deployment of contact and contactless chip-based payments using NFC and EMV interoperability and security technology standards. They are touting these QR codes despite the superior security that chip technology affords. These discussions beg the question: are short-term economic gains realized from less costly QR code technology adoption at the expense of payment security?
How do QR codes work?
QR codes are a two-dimensional form of barcode whose contents can be decoded electronically at high speed. QR code use exploded in 2011, and telephonic technology has expanded to support their application for storing all kinds of data, including URLs. As a result, consumers are increasingly using QR codes to access magazines and newspapers on the Internet and to find online product reviews by scanning price tags. The camera in a smartphone captures the picture of the QR code, and then decoding software helps the phone connect to a website or a file download.
QR codes and malware
Unfortunately, there is no way to visually discern whether the data contained in the QR code will direct the user to a malicious website or application. Infected QR code problems are just beginning to emerge because most people simply don't know the best way to protect their mobile device. According to Marian Merritt, a Norton online safety advocate, "fewer than 5 percent of people have got some form of security on their mobile devices." 2011 in particular witnessed an upsurge in hackers using QR codes as a means of transmitting mobile viruses in Russia. According to a recent report by AVG Technologies, scanning a QR code and executing its hidden applications on a mobile device is akin to "running an unknown executable on your computer." Mobile-related hacking events are expected to rise in 2012 with the advent of more advanced QR code-enabled mobile applications.
Should economy trump security?
QR codes fulfill a wide range of functionalities, but should they be used for payments? Starbucks has realized considerable success with its QR code-based mobile payment app with millions of transactions since it launched one year ago, and merchants are receptive to a more affordable point-of-sale payment acceptance system generally.
The risk of fraud in micropayments and closed-loop payment systems—such as the QR code prepaid business model that Starbucks uses for a cup of coffee—may not be as significant as for larger, open-loop transactions. Ultimately, QR codes may play a viable role in some smaller, and less risky, payment applications. Payments industry participants should carefully consider the ramifications of a strategy that expands their use more generally in lieu of NFC-enabled payments.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum