The Green Sheet Online Edition
December 22, 2014 • Issue 14:12:02
Mobile leads 2014 payments parade
The story of payments 2014 is an exciting one. Big retailer data breaches continued to dominate the news. A new tech-driven business model is shaking up traditional payments. And China's e-commerce retail giant Alibaba Group Holding Ltd. enjoyed a record-breaking debut in the United States. But arguably the biggest news in payments involved Apple Inc.'s leap into the mobile wallet space with the launch of its near field communication-based Apple Pay.
Apple's September release of Apple Pay came with the tech giant's bold prediction that its mobile payment scheme would revolutionize the way consumers pay for purchases – not just in-store, but anywhere. The reason for Apple's confidence stems from the ease of use of Apple Pay from a consumer standpoint and the security of the scheme that drew praise from issuing banks in the one area that matters from a business standpoint – discounted transaction pricing.
It is Apple Pay's robust security that suggests to banks that Apple Pay transactions are more secure than those of any other mobile wallet in the marketplace. Apple Pay utilizes biometric thumbprint authentication and dynamic tokenization of payment data, along with the security of customer data stored on the hard-to-hack secure element embedded in iPhones.
No other mobile wallet scheme offers this level of security. It is the reason why issuers cut a sweetheart deal with Apple for discounted per-transaction costs. If Apple Pay transactions are more fraud proof, that means banks will incur fewer fraud losses on the back end. The result is that Apple Pay transactions qualify more or less for the card brands' card-present interchange rate, which is cheaper than the more fraud-challenged card-not-present transactions.
This is all shop talk for the simple fact that Apple seems to have cracked the long-sought business model for mobile wallet payments, when its rivals, like Google Wallet and Softcard, have been struggling to gain traction in the marketplace, despite the widely held belief that the future of in-store payments is, in fact, mobile.
MCX underscores Apple
More evidence that Apple has hit on the right combination of cool consumer gadgetry and back-end security to ignite mobile in-store payments comes from a move by the Merchant Customer Exchange, the mobile wallet enterprise backed by mega retailers like Wal-Mart Stores Inc. and Target Corp. MCX, which operates the CurrentC mobile wallet, reminded two of its partners, drugstore chains CVS pharmacy and Rite Aid, that they were contractually barred from accepting mobile wallet transactions that are not CurrentC.
The firm reminder was clearly aimed at inhibiting Apple Pay from gaining traction at retailers in the MCX network. When Apple Pay is seen as such a significant threat to a competitor as large and potentially influential as MCX that it would stifle competition (even if it was legally within its rights to do so), the rest of the industry takes notice that Apple Pay might have "legs."
Commenting on this issue and other noteworthy happenings in the mobile wallet space, Aite Group LLC Analyst Nathalie Reinelt said in a late October blog, "Who knew we worked in such an exciting industry?"
Choke hold on the street
Indeed. It does seem that excitement in the industry has grown in recent years as payments has become a more mainstream topic of conversation. However, along with a greater awareness of payments comes a greater level of scrutiny and outside interference. That reality is no more evident than in the federal government's controversial Operation Choke Point program.
Certainly, the industry needs, and at least grudgingly welcomes, regulation. But when the federal government allegedly starts picking winners and losers based on political bias, as apparently is the case with Operation Choke Point, the very foundation of private enterprise is suddenly in jeopardy.
Operation Choke Point was launched in the spring of 2013 by the U.S. Department of Justice but gained national attention only in 2014. The program is designed to effectively snuff out certain types of businesses deemed high risk, or otherwise objectionable to federal regulators, by denying those businesses the ability to process transactions electronically.
The DOJ "chokes off" this access by forcing payment processors to terminate relationships with those businesses – such as gun shops, coin dealers, check cashing establishments and payday lenders – or face serious repercussions.
According to a report released in May 2014 by the House Committee on Oversight and Government Reform, the program subpoenaed 50 banks and payment processors in the first nine months of its operation to coerce them into severing their relationships with businesses that may be politically incorrect within the halls of power, but are legal nonetheless.
Predictably, the banking community was not pleased. In an April 2014 letter to the DOJ and members of Congress, the Independent Community Bankers of America said Operation Choke Point is bad policy. "While preventing fraud is a top concern for community banks, it needs to be balanced with ensuring that businesses and consumers that operate in accordance with applicable laws can still access payment systems," wrote ICBA President and Chief Executive Officer Camden R. Fine.
In May 2014, the House Committee on Oversight and Government Reform headed by Rep. Darrell Issa, R-Calif., released a report, The Department of Justice's "Operation Choke Point": Illegally Choking Off Legitimate Businesses?, which characterized the program as a strong-arm tactic against financial service providers: comply or else.
"The initiative is predicated on the claim that providing normal banking services to certain merchants creates a 'reputational risk' sufficient to trigger a federal investigation," the report said. "Acting in coordination with Operation Choke Point, bank regulators labeled a wide range of lawful merchants as 'high-risk' – including coin dealers, firearms and ammunition sales, and short-term lending. Operation Choke Point effectively transformed this guidance into an implicit threat of a federal investigation."
The report also charged that the DOJ is aware its program is negatively affecting legitimate, legally operating businesses. "Internal memoranda on Operation Choke Point acknowledge the program's impact on legitimate merchants," the report said. "Senior officials informed Attorney General Eric Holder that as a consequence of Operation Choke Point, banks are exiting entire lines of business deemed 'high risk' by the government."
In July, the Electronic Transactions Association circulated a petition to encourage the payments industry to make its collective voice heard about the issue. And in October, Marsha Jones, President of the Third Party Payment Processors Association, made the important point that concerns about Operation Choke Point go well beyond mere politics, as the precedent set by the program could be exploited by whichever political party is in power.
"Today it's payday lenders and firearms-related businesses; tomorrow, it could be environmental and civil rights groups or family planning clinics," she said. "No one can predict who's next."
Onward to the cloud
Putting aside the specter of government overreach into the private sector, another important development in payments was the rapid rise of a new business model that is squeezing out the traditional service delivery model. In place of the POS terminal-based facilitation of payment processing comes the cloud-based provision of entire suites of business-related services. This change has been gaining momentum for years, but the growth of the independent software vendor (ISV) model, or some variant thereof, seemed to accelerate in 2014.
In May, Vantiv LLC acquired ISV Mercury Payment Systems LLC for $1.65 billion, adding to its previous purchase of another ISV vendor, Element Payment Services Inc. Another large acquirer, Global Payments Inc., has kept pace with Vantiv in the last couple of years, having purchased Accelerated Payment Technologies and Payment Processing Inc. The top 10 acquirers recognize that software-as-a-service (SaaS) tools can provide businesses soup-to-nuts solutions – everything from inventory management to payroll. Merchants see this functionality as a pivotal way to lower overhead and drive growth.
First Data Corp., the largest U.S. acquirer, has taken a different tack to break into the ISV market. First Data initially invested in an innovative new POS system called Clover Station, then acquired Clover outright. Through its POS terminal, Clover Station, retailers have access to hundreds of business-related apps that are designed specifically for individual types of merchants. Clover leverages the app development community to provide plug-and-play apps for Clover App Market.
But this is only one way the technology and payments worlds are increasingly interacting. One day, the two entities will converge and merge, and each will be so embedded in the other that most distinctions will vanish. Payments has always been technology driven, but has often lacked flexibility and innovation – attributes of the tech start-up culture.
The warning to traditional ISOs and merchant level salespeople (MLSs) is clear: jump on board the SaaS high-tech super-train or be left behind on the ZON Jr. horse-drawn carriage.
Genie of the IPO
Meanwhile, 2014 witnessed the share-busting entrance of Alibaba into the U.S. e-commerce space. The web giant went public on Sept. 19, when shares were traded at well over 30 percent higher than expected. When the dust settled on that eventful Friday, Alibaba's initial public offering (IPO) had become the biggest debut in the history of Wall Street.
The IPO ended up raising $21.8 billion, surpassing Visa Inc.'s IPO of $17.8 billion in 2008 and Facebook Inc.'s $16 billion in 2012. Images of Alibaba's high-profile founder Jack Ma basking in the glow of the windfall were akin to the storybook dreams of ambitious entrepreneurs all over the world.
Alibaba is likened to a hybrid of Amazon.com Inc., eBay Inc. and eBay-owned PayPal Inc., with a little Google Inc. added to the mix. Analysts predict that Alibaba will struggle to wrest market share away from Amazon or supplant Google's search engine dominance. However, the annual transaction volume that passes through Alibaba's retail websites reportedly surpasses the annual payment volumes of Amazon and eBay combined.
More specifically, Alibaba's proprietary payment engine Alipay might have a bigger impact on the U.S. payments market. Alipay has gone from processing an average of 800,000 transactions daily back in 2007 to 40 million daily transactions in 2010, according to Mercator Advisory Group research.
Alipay's natural rival in the United States is PayPal, and comparisons of the two are intriguing. Mercator said 62 percent of online consumers have PayPal accounts, with PayPal processing 8.8 million payments on an average day. Meanwhile, Alipay represents 50 percent of the China market, but daily processed 18 million mobile payments alone as of February 2014, Mercator reported.
Alibaba's IPO and the unleashing of its highly successful payment engine on the U.S. market may have played a role in eBay's decision to spin off PayPal in 2015. On Sept. 30, about a week-and-a-half after Alibaba's market debut, eBay said that spinning off PayPal into its own independent company would better position PayPal to take advantage of growth opportunities and compete in an ever more crowded and cutthroat marketplace.
In its announcement, eBay said PayPal is the leading payment processor for business-to-consumer exports for Chinese merchants. As much as Alibaba is interested in the U.S. market, U.S. companies like eBay and PayPal recognize tremendous growth opportunities in China and other developing markets.
Mobile wallet developments and Alibaba added a healthy level of diversity to the "same old, same old" coming from the data breach sphere. Every recent year can be termed the "Year of the Big Breach," since breaches continue to get bigger and bigger, and more frequent. Retailers' networks seem to be under constant attack by increasingly sophisticated and dangerous gangs of cyberthieves.
2013 closed with the inauspicious Target Corp. breach, through which 40 million customer accounts were hacked over that holiday shopping season. 2014 began with the disclosure of a breach at Neiman Marcus in January that was very similar to the Target breach. In April, Michaels Stores Inc. came forward with another one. In June, restaurant chain P.F. Chang's China Bistro Inc. disclosed a breach, followed by Goodwill Industries International Inc. in July. JPMorgan Chase & Co. and The Home Depot U.S.A. Inc. announced breaches in August and September, respectively.
But those were only the biggest, headline-grabbing breaches. According to the Privacy Rights Clearinghouse database, 2014 breaches also occurred at Sony Pictures, Staples Inc., Sears Holdings Corp. (K-Mart), AT&T, Albertson's LLC, Apple, Boeing, Lockheed Martin, eBay, AOL, and the American Express Co. But that cross-section of U.S. companies is only among those that reported breaches. Data security experts believe the majority of breaches, mostly at small businesses (and encompassing relatively small amounts of data), are never reported.
Of the big 2014 breaches, the P.F. Chang's and JPMorgan compromises were particularly revealing of the strange new world being created by cybercrime. In the case of P.F. Chang's, the Chinese food purveyor resorted to old-school, 1970s-style card imprinters, also known as knucklebusters, to accept card payments while it figured out the extent of its breach. The move was instructive of how complicated electronic payment systems have become; their very complexity gives rise to vulnerabilities that fraudsters are only too happy to exploit.
As for the JPMorgan compromise, news updates on the status of the investigation into it continued to evolve. First it came out that the JPMorgan breach may have targeted a few other big banks. Then it was reported that the hack may have targeted 13 other financial institutions as well.
The source of the attack apparently remains unknown, but JPMorgan stated that customer information pertaining to 76 million households and 7 million small businesses was compromised in the breach, although the data affected was limited to names, addresses, phone numbers, and email addresses, and did not include financial account details.
Meanwhile, the Home Depot breach reportedly affected 53 million customer accounts. Like the Target breach, where an HVAC vendor was the source of the compromise, the nexus of the Home Depot intrusion centered on an undisclosed third-party vendor with access to the company's networks. Fraudsters have a number of ways at their disposal to gain access; they can pose as workers on a cleaning crew or simply steal the administrative credentials of that vendor.
Security firm Trustwave has published alarming statistics on how easy it is for fraudsters to figure out those credentials. Out of a sample size of over 625,000 passwords it collected through penetration testing it conducted on businesses' security networks in 2013, Trustwave was able to crack over half of the passwords within minutes, and almost 92 percent of them within one month.
Trustwave also found that the most common password is Password1, followed by Hello123, and maybe the worst password of all time – password. It seems no amount of security can overcome an information technology professional or network administrator too lazy or indifferent to implement strong, complex passwords.
The future is green
Finally, Paul H. Green, payments industry pioneer and founder of The Green Sheet Inc., sold the business in July to Kate Gillespie, who was the company's Chief Operating Officer and General Manager. Green is considered the architect of the ISO enterprise model in the late 1970s and, with American Marketing Corp. (AMCOR), became the first ISO in the 1980s to crack an annual $1 billion in transaction processing volume.
Green launched The Green Sheet in 1983 as a photocopied newsletter for AMCOR's business partners. Over 30 years later, The Green Sheet magazine and website comprise the leading source of news and street-level intelligence for the payments industry, with a specific focus on the ISO and MLS community.
As the owner, President and Chief Executive Officer of The Green Sheet Inc., Kate Gillespie is now part of a growing number of women who have taken leadership roles in American business, either as corporate executives or as independent entrepreneurs. As Gillespie knows, with change comes opportunity, and she is dedicated to continuing to help ISOs and MLSs navigate the profound changes taking place in the industry.
With hard work and a little luck, 20 years from now The Green Sheet will still be on the front lines, providing education and guidance for a thriving and deeply committed community of payment professionals, including the new breed of the "feet on the street," whatever shape that new breed might take.