The Green Sheet Online Edition
December 27, 2010 • Issue 10:12:02
Payments 2010: Fast forward to the future
Don't look now, but 2010 is just about over. And it's been a year like no other. Twenty-ten may well go down in history as the year the industry got serious about mobile contactless payments. Seemingly not a week went by at The Green Sheet that yet another mobile payment development didn't cross our desks. From partnerships to pilots, enabling the mobile wallet was all the rage.
In one week alone, two announcements seemed to crystallize the outlines of a complicated narrative that has only begun. In the middle of November, the partnership for an entirely new mobile payments network was unveiled. Called ISIS, the new network brings together three mobile telecommunication carriers, an issuing bank and Discover Financial Services.
The other announcement involved a pilot among Visa, two mobile payment technology companies, an issuer and a prepaid card processor that revolves around a portable, near field communication (NFC) technology-enabled microSD card that slips into the memory slot of smart phones and renders them contactless payment devices, regardless of carrier or (most) smart phone models.
Industry insiders say the ISIS initiative is designed to concentrate mobile payments (and its revenue potential) under the control of the telecoms. On the other hand, the NFC pilot - with the portability and device agnostic capabilities of the microSD chip a chief hallmark - attempts to skirt the telecoms and device manufacturers in favor of the global Visa brand and its entrenched, robust, all pervasive network.
Which business model will prevail in the end? No one can say. Device manufacturers like Apple Inc. and operating system designers like Google Inc. will reportedly make their plays for dominance in the mobile payment sweepstakes. Perhaps the model that wins out will be an as yet unforeseen combination of various elements and players.
But it is a story that ISOs and merchant level salespeople (MLSs) should pay close attention to. Mobile marketing and upgrading merchants to NFC-enabled terminals may be opportunities to explore if the long-touted mobile wallet revolution actually hits.
Congress takes action
While payment businesses of all stripes have demonstrated the foresight and grit to survive and even thrive in the ongoing lackluster economy, the industry overall has faced unprecedented federal regulation, the consequences of which may not be known for years.
Passage of what came to be called The Dodd-Frank Wall Street Reform and Consumer Protection Act was one of the biggest stories of 2010. It gained momentum in Congress because of the financial upheaval of the past three years on Wall Street and a host of other factors that led to economic turmoil.
The payments industry was hit with the inclusion in the bill of debit card interchange regulation introduced through an amendment sponsored by Sen. Richard J. Durbin, D-Ill. Merchants had been complaining for years about the high cost of interchange. Bills designed to regulate it had failed previously, but now, despite the lobbying efforts of the Electronic Transactions Association, among others, the Durbin Amendment made the final cut, which passed into law on July 21.
The amendment gives the Federal Reserve the power to cap interchange rates on debit card purchases at a level the Fed deems proportionate to the costs of processing those transactions. But many wonder how the Fed can make that calculation when, as the ETA pointed out, it doesn't understand how the industry works. Regardless, the regulations are scheduled to take effect July 2011.
The prepaid card sector also got dinged by the Durbin Amendment, with the ever popular closed-loop, retailer-specific gift card the main target. The new regulations constrain gift card providers on what fees they can charge and what expiration dates they can impose.
But the open-loop, reloadable prepaid card product was spared from the amendment, as it was successfully argued by the Network Branded Prepaid Card Association, and others, that regulation of this rapidly growing and evolving segment would harm the very consumers the bill was attempting to protect - the so-called unbanked and underbanked.
Another aspect of the new law that does not enthuse payment professionals is the formation of the Consumer Financial Protection Agency. The CFPA, which also has a July 2011 launch date, will apparently regulate financial products offered to consumers. The ETA noted that the Federal Trade Commission already does that. What is more, the case can be made that the industry has yet another powerful regulating body in the combined rules and regulations of Visa Inc. and MasterCard Worldwide.
With the Federal Reserve, the CFPA, the FTC and the card brands themselves all having authority over the industry, one may wonder, How many regulators will it now take to install a card reader?
Fine-tuning data security
Of course, it's news whenever the PCI Security Standards Council (PCI SSC) makes changes to the standards that govern how electronic transactions are secured. Experts agree the Payment Card Industry (PCI) Data Security Standard (DSS) is now a well established, maturing set of protocols and best practices. Therefore, the changes made to it in 2010 were viewed as significant.
In June, the council issued version 3.0 of the PIN Transaction Security requirements, covering POS terminal and card reader hardware. Then in October it released versions 2.0 of the overarching PCI DSS and of the standard that deals specifically with terminal software requirements - the Payment Application DSS.
The PCI SSC also endeavored to streamline the entire compliance process so that the various deadlines built into the evaluation and implementation of the three standards fall on the same timeline. Furthermore, that timeline was extended from a two-year to a three-year lifecycle to give merchants more time to digest this compliance smorgasbord.
ISOs and MLSs might find the process akin to getting children to eat Brussels sprouts, but a card brand levied fine is a dish no one wants to be served. Besides, PCI and other data security measures appear to be making a difference: in 2010 no major processors or merchants experienced headline-grabbing breaches (as of this writing).
However, as any security expert will tell you, no organization can afford complacency. And it is important to note where fraudsters focused their efforts in 2010.
It was the year that "fraud-as-a-service" entered the payment lexicon, as the online black market for stolen account numbers adopted cloud-based, software-as-a-service tools to expand their illicit world into a virtual bazaar of fraud techniques and services.
The Green Sheet also reported that the rocky economy may have forced a rise in "inside jobs," involving employees and contractors impelled by financial distress to use their insider access to exploit vulnerabilities in payment systems and commit fraud.
All the standard skimming, phishing, SMSishing, whaling and SQL injecting strategies were alive and well. And it seemed that card-not-present, web-based fraud was on the rise globally as the presence of chip and PIN technology foiled brick-and-mortar fraud efforts. Alas, chip and PIN is not widely used in the United States, where an increase in card-present fraud has been predicted.
It became evident in 2010 that the largest retailers are succeeding in securing their systems. Security experts believe the weakest link in the payment chain is now the small and midsize merchant group - where the fraud fight must now be stepped up.
The effect of outside forces on the industry was another thread running through 2010. Added to the overall economic conditions, the long arm of the Fed and the threat of fraud, singular events such as the April explosion at BP's Deepwater Horizon oil rig that caused countless barrels of black crude to gusher forth from the broken well on the sea floor of the Gulf of Mexico made it clear that this year would be a roller coaster ride.
The Gulf incident had a profound impact on the economy of the area. Tourists who typically flocked to coast beaches shied away until the oil was contained, causing significant losses for merchants involved in the region's hospitality industry. Some ISOs that service the area suffered as well, but they did their utmost to accommodate their clients' changing needs, including temporarily lowering fees for struggling merchants or waiving penalties for businesses forced to close processing accounts abruptly due to the crisis.
An entirely different kind of event occurred in early December. Supporters of the whistleblower website WikiLeaks launched distributed denial of service attacks against payment companies that had cut off service to WikiLeaks. The cyber attacks caused the websites of Visa, MasterCard and PayPal Inc. to go down. But the outages were brief.
The waning year also had its share of strategic acquisitions. Topping the list was Visa's $2 billion purchase of e-commerce processor and fraud management firm CyberSource Corp. in May. Reportedly, CyberSource processes about 25 percent of all e-commerce dollars in the United States and is the owner of payment gateway Authorize.Net.
Industry pundits viewed the move as a signal by Visa of the growing importance of the online channel as a revenue driver. In CyberSource's merchant portfolio are two giants of the online realm: Google Inc. and Facebook Inc.
Then, in September, news broke that POS terminal manufacturer VeriFone Inc. sought to purchase one of its two rivals, Hypercom Corp. The offer was initially spurned by Hypercom's shareholders; $283 million was reportedly too low. But an agreement was struck in November for the purchase to go forward, at a price of approximately $485 million. The move will likely strengthen VeriFone's position, as its primary international competitor in payment terminal manufacturing and distribution will now be Ingenico.
VeriFone also expanded its mobile payment footprint by acquiring mobile POS terminal maker Way Systems Inc. for $6 million upfront and up to $3 million more in earnouts. As The Green Sheet reported, the purchase added 25,000 mobile merchants to VeriFone's portfolio and opened up opportunities for ISOs to board on-the-go merchants historically resistant to dedicated (and stationary) POS terminals.
December, meanwhile, saw MasterCard wade deeper into the prepaid sphere with its purchase of Travelex's prepaid card program management operations for $458 million, with an additional $55 million in potential earnouts. Travelex's award-winning flagship program is the Cash Passport card, which allows travelers to lock-in exchange rates when the cards are loaded. The acquisition is yet another sign that prepaid cards are becoming as important to the card brands as credit and debit cards.
Also in December, the Federal Reserve released its latest study on U.S. consumer payment habits, which indicated electronic payments accounted for more than three-quarters of all noncash payments in 2009.
According to the Fed, U.S. consumers made 84.5 billion electronic payments in 2009 and wrote about 24.4 billion checks; the electronic share of noncash payments grew 9.3 percent between 2006 and 2009, while the number of checks paid by banks fell 7.2 percent. So, we can close 2010 knowing that the electronic share of the payment pie is likely to continue its growth.
Another positive takeaway from 2010 is the fact that so many in the industry worked together to defend the payment turf. There has been a deepening realization that competition must be tempered with cooperation up and down the value chain to ensure the industry remains stable and strong moving forward.
From card brands and banks, to acquirers, processors, and software and equipment manufacturers, to ISOs and MLSs, everyone has a stake in shaping the industry, and thereby defining it. The alternative is to allow circumstances, man-made or otherwise, to gain control. And any self-respecting payment pro knows there's no value proposition in that.
No matter how you look at it, 2010 was a year to be remembered, and a reminder that we are fortunate to be working in a most exciting industry.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.