The Green Sheet Online Edition
October 11, 2010 • Issue 10:10:01
Proximity payments, a BIG issue
We face many pressing issues these days, and one of them has to do with how to conduct payments in mobile and card-not-present environments. Currently, there is no clear winning solution for proximity payments.
Everyone seems to think the future of money is mobile, and buyers will want to pay from any connected device. In August 2010, Intuit Inc. revealed an all-in-one product that enables small businesses to easily process credit card payments via the Apple Inc. iPhone. It integrates Intuit's GoPayment credit card processing app and quick-to-activate merchant account with a credit card reader designed by California-based mophie.
Merchants can buy this solution at Apple retail stores or on Apple.com. Intuit said it can have a merchant up and running in 15 minutes, and (wouldn't you just know it), it's compatible with QuickBooks for Mac. The mophie device is a clip-on card reader, and the data is encrypted immediately by Intuit. Buyers authorize payments by signing their name on the iPhone touch screen, and merchants can send them email or text receipts.
What do you think Intuit is charging the merchant for this? How about $179? The GoPayment fee, including the merchant account, costs $13 a month, plus a discount rate ranging from 1.7 to 3.7 percent and a transaction fee of 30 to 34 cents. Interestingly, there are no long-term contracts, cancellation, gateway or setup fees.
$1 billion-plus in m-payments to secure
There has been a lot of posturing in this space. For instance, PayPal Inc. has been investing in mobile payments for five years and has seen traction only in the last year. But this year the company expects to reach 5 million active users and do over $500 million in volume.
PayPal's parent company, eBay Inc., predicts $1.5 billion in mobile payments for 2010 (check this out at www.ebay.com/mobile). eBay expects half of all Internet access will come from mobile devices in three years. PayPal recently partnered with Bling Nation, a company that uses stickers with contactless chips, to enable mobile payments. But PayPal is exploring other alternatives as well.
Today, to use online banking and make purchases over the web, buyers use passwords coupled with user IDs. This information resides in the browser of the bank's home banking portal or the merchant's processor. This is insanity.
Researchers at Georgia Tech Research Institute are now using off-the-shelf graphics-processing cards to crack passwords. They can break a seven-character password (what the Payment Card Industry [PCI] Data Security Standard [DSS] requires for retailers to protect stored payment card information) in less than a minute. Richard Boyd, one of the people on this team, calls passwords "hopelessly inadequate."
Card issuers in the United States have not yet embraced chip and PIN, or even mag stripe and PIN, technology. What kind of event will it take before it becomes obvious, not to the bean counters but to the internal and external auditors, that this is not a commercially reasonable business practice? After all, even the large breaches like those at TJX Companies Inc. and Heartland Payment Systems Inc. were not big enough to create a tipping point. What will it take?
Ironically, the cost of complying with the card brands' new PCI rules may prove to be the tipping point. This is because the card companies have added a "gotcha" to the requirements for merchants to be PCI certified. If a merchant "causes" a breach, that merchant has to indemnify the affected card issuers.
The potential liability here is almost incalculable, and it is not something merchants might insure against either. Why would a merchant agree to do this - basically guarantee issuers against a liability of the issuers' own making due to their steadfast refusal to replace an antiquated and insecure product, the mag stripe card?
A strong case for hardware solutions
Up to now, there have been two viable solutions to this problem. My preference is the triple DES encrypted plug-in hardware device, with end-to-end encryption done at the mag head, as deployed by HomeATM. This is cheap, easy to deploy and effective. To quote Kaspersky, the fourth largest global anti-virus vendor and employer of 1,700, "They need to have these hardware IDs for everyone."
Kaspersky calls for mass adoption of peripheral card readers for all Internet banking users and believes banks could be big drivers for this kind of hardware. Perhaps it will take a massive infiltration, coupled with huge losses, for banks to adopt this.
The idea behind these devices is that physical countermeasures are much more difficult to infiltrate than software solutions. If banks eliminated typing passwords, it wouldn't matter if their customers fell for phishing attacks.
A phisher might ask an account holder to type his or her username and password. However, the individual would be immune from attack because, instead of typing anything, the customer would be using a card reader for genuine, two-factor, authenticated login. This is obvious, except perhaps to the banks with the largest home banking constituencies.
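The login flow the two paragraphs above describe, as an added example that is not part of the original column and not code from HomeATM, Kaspersky or any other vendor named here: the secret stays inside the reader, the bank issues a fresh random challenge for every login, and the reader answers with a keyed MAC over that challenge. Nothing the customer could type into a phishing page is worth capturing, because a captured response is bound to a nonce the bank has already spent. The HMAC-SHA256 construction, the nonce size, the `Reader` and `Bank` classes and the demo key are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key: in a real deployment this secret is provisioned into the
# reader at issuance and never leaves it. It is a constant here only so the
# example runs offline.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class Reader:
    """The customer's card reader: holds the key, answers challenges, types nothing."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        # The response is bound to this nonce; it is useless for any other login.
        return hmac.new(self._key, b"login|" + nonce, hashlib.sha256).digest()


class Bank:
    """The bank's login server: one fresh nonce per attempt, consumed on use."""

    def __init__(self, enrolled: dict) -> None:
        self._keys = dict(enrolled)   # username -> reader key
        self._pending = {}            # username -> nonce awaiting a response

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None or self._pending.get(user) != nonce:
            return False              # unknown user, stale or already-consumed nonce
        del self._pending[user]       # the nonce is spent whether or not this verifies
        expected = hmac.new(key, b"login|" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_response_demo() -> dict:
    """Run one genuine login and three attempts a phisher could make with captured data."""
    bank = Bank({"alice": DEVICE_KEY})
    reader = Reader(DEVICE_KEY)

    # 1. Genuine login: bank issues a nonce, reader answers it.
    n1 = bank.challenge("alice")
    r1 = reader.respond(n1)
    genuine = bank.verify("alice", n1, r1)

    # 2. A phishing page that captured (n1, r1) replays them: the nonce is already spent.
    replay = bank.verify("alice", n1, r1)

    # 3. The phisher requests a fresh challenge but has no key, so can only guess.
    n2 = bank.challenge("alice")
    guess = bank.verify("alice", n2, secrets.token_bytes(32))

    # 4. The captured response is presented against a later challenge: nonce mismatch.
    bank.challenge("alice")
    stale = bank.verify("alice", n1, r1)

    return {"genuine": genuine, "replay": replay, "guess": guess, "stale": stale}


if __name__ == "__main__":
    print(challenge_response_demo())
```

The point of the design is in `Bank.verify`: the nonce is deleted before the MAC is even compared, so every value that leaves the reader is good for exactly one attempt. For payments the same MAC input can also cover the amount and payee, so that a response authorizes one specific transaction rather than a session.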
The appeal of software solutions
Issuers have been reluctant to deploy hardware, and some have focused on software solutions. The most successful vendor with a software-only solution is Acculynk. Fiserv Inc. has adopted Acculynk's software for its PIN debit platform. This is reminiscent of the Beta versus VHS situation: it isn't so much whether you have the best product; it's which of the other players adopts your solution and implements it.
In this respect, Fiserv is the 800-pound gorilla. It is the largest core processor for the banking system in the United States (with $4 billion in revenues, 16,000 clients, and 20,000 employees worldwide). Fiserv has its own ATM network, called ACCEL/Exchange, and last year, Fiserv chose Acculynk to offer PIN debit payments online for 2,500 of its bank clients.
Fiserv said the interface is easy to use and similar to PIN entry at the POS. It doesn't require registration or redirection to another website (which can lengthen the amount of time and increase the complexity of transactions). Consumers get an extra level of security for their transactions, using a PIN that they already know.
This is not as secure as a hardware device, but it is significantly cheaper to deploy. And when you want to provide a solution for client banks that serve millions of home banking customers, that's a consideration, at least in the short term.
A competing ATM network, STAR, recently launched a similar product called STAR CertiFlash. This is a PIN debit application that uses one-time card number technology. The technology is programmed onto a contactless chip that is embedded within a payment device. For each transaction, the chip encrypts and transmits a card number that is good for only a single use. What you might not notice from a cursory look at this is that all transactions must flow through First Data Corp., the manager of the unique number generator and the central intelligence in control of this end-to-end approach.
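To make the one-time card number idea concrete, here is an added example that is not part of the original column and is not STAR's or First Data's CertiFlash code. It assumes a counter-based scheme: the chip and the issuer share a key and a counter, each number is an HMAC-SHA256 of the counter rendered as sixteen digits with a valid Luhn check digit so it fits existing card-number fields, and the issuer accepts each number once, within a small lookahead window so that numbers generated for abandoned checkouts do not break synchronisation. The key, the issuer prefix, the window size and the class names are all constructed for this example.

```python
import hashlib
import hmac

# Constructed values for the demo: a chip key and an issuer prefix. The prefix is a
# placeholder, not a real BIN, and the key would live only in the chip and at the issuer.
CHIP_KEY = bytes.fromhex("1f1e1d1c1b1a19181716151413121110")
ISSUER_PREFIX = "123456"


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions get doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: double every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def one_time_number(key: bytes, counter: int) -> str:
    """Derive the counter-th single-use number: prefix + 9 HMAC-derived digits + Luhn digit."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    body = str(int.from_bytes(mac[:8], "big") % 10**9).zfill(9)
    partial = ISSUER_PREFIX + body               # 15 digits
    return partial + luhn_check_digit(partial)   # 16 digits, Luhn-valid


class Chip:
    """The contactless chip: key plus a counter that advances with every number generated."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.counter = 0

    def next_number(self) -> str:
        number = one_time_number(self._key, self.counter)
        self.counter += 1
        return number


class Issuer:
    """Server side of the number generator: accepts each number once, within a lookahead window."""

    def __init__(self, key: bytes, window: int = 5) -> None:
        self._key = key
        self.counter = 0          # next counter value expected from the chip
        self.window = window
        self._used = set()        # numbers already authorized (explicit replay check)

    def authorize(self, number: str) -> bool:
        if not luhn_valid(number) or number in self._used:
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(one_time_number(self._key, c), number):
                self.counter = c + 1      # resynchronise past any skipped counters
                self._used.add(number)
                return True
        return False


def one_time_number_demo() -> dict:
    """Genuine use, replay, resync after skipped numbers, drift past the window, tampering."""
    chip = Chip(CHIP_KEY)
    issuer = Issuer(CHIP_KEY)

    n1 = chip.next_number()
    first = issuer.authorize(n1)          # counter 0: accepted
    replay = issuer.authorize(n1)         # same number again: rejected

    chip.next_number()                    # counters 1 and 2 generated but never
    chip.next_number()                    # presented (abandoned checkouts)
    n4 = chip.next_number()               # counter 3, still inside the window of 5
    resync = issuer.authorize(n4)

    far = None
    for _ in range(6):                    # counters 4..9; issuer now expects 4
        far = chip.next_number()
    out_of_window = issuer.authorize(far) # counter 9 is outside 4..8: rejected

    tampered = issuer.authorize(n1[:-1] + str((int(n1[-1]) + 1) % 10))  # fails Luhn

    return {"first": first, "replay": replay, "resync": resync,
            "out_of_window": out_of_window, "tampered": tampered}


if __name__ == "__main__":
    print(one_time_number_demo())
```

The trade-off the column points at is visible in `Issuer.authorize`: every authorization has to reach the party holding the key and the counter, which is why all transactions in such a scheme flow through one central generator. The window parameter is the usual balance between tolerating skipped numbers and limiting how many candidate values a stolen number could be matched against.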
Now, what about the 25 percent of people who are unbanked? What about the people who just don't want to use a credit or debit card online because of security, privacy or budgeting concerns? Well, it turns out a company called Kwedit (yes, really) has a solution, called PayNearMe.
Kwedit has signed up 7-Eleven Inc., so any PayNearMe user has 5,800 locations to use for conducting transactions. Let's say you want to buy a train ticket. You call or go online and make a reservation, print out the purchase confirmation and take it to 7-Eleven. You give the 7-Eleven clerk cash for the purchase, and as soon as the cash drawer closes, you are issued your ticket. The transaction is teed up but doesn't happen until you are at 7-Eleven. When you have a nationwide distribution channel like 7-Eleven, you have gone a long way toward "proof of concept."
Enter the 'beepcard' trio
Now for the ultimate solution from a firm called Dialware Ltd. Co. The solution has three components: a "beepcard," a soft reader and an authentication server. The beepcard looks like a regular credit card and serves as an authentication device.
The reader has software running on a user device. It receives an audio authentication message, decodes and analyzes it, and transmits it back to the authentication server. The encryption code changes, and no personal information is ever sent over a public network. Authentication tampering is virtually impossible.
This opens up another opportunity, because not only does it serve as a single sign-on for secure access, but it can also provide secure online "alternative" (not based on interchange) payments. This solution can address a wide range of issues, not just secure payments.
I see this as the real solution, particularly for large issuers. The added advantage is that merchants need only purchase a $100 contact device to interface with the phone to process transactions - no expensive terminals and printers. And salespeople can be out on the floor processing transactions for shoppers rather than herding them to cash registers at the front of the store. Watch this space for more news on this product.
Fortunately, in the world of payments, new and exciting opportunities continually present themselves, and it is a good time to be in this space. Fundamental changes are coming, but right now we don't know how it will all turn out. Stay tuned for further developments.
Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A Certified Cash Manager and Accredited ACH Professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at firstname.lastname@example.org.