Merchants and terminals were a key focus at two major payments conferences this week: NACHA and CARTES. The issue of EMV in the U.S. and the high cost for merchants to replace their terminals was raised repeatedly.
Estimates for the cost of replacement in the U.S. market vary widely: we’ve heard numbers from $2 billion to as high as $11 billion. We’ve run the numbers at Glenbrook, and have our own opinions, but my key take-away from the conference is the fact that this isn’t just – or even mostly – about the numbers. The EMV terminalization question is hitting the merchant marketplace at the same time as a wide range of related, and arguably more strategic, questions.
As my colleague Jacqueline Chilton reported from CARTES, much of the merchant side is not happy about EMV. At the show, Mark Horwedel from the Merchant Advisory Group (MAG), David Mathews from the National Restaurant Association and Gray Taylor from the National Association of Convenience Stores (NACS) expressed their complete disdain for contact chip cards and their desire to skip over that approach to one based on smartphone and mobile technology. They are looking for more innovative approaches capable of providing stronger ROI for the merchants and convenience for the customer instead of the hardly cutting edge EMV scheme. Her favorite quote is: “If we tackle the bigger issue of identifying the individual (when using the mobile to access government resources and for all retail commerce), we would end up with a payments model that is free, open and ubiquitous.”
While “free” is an impossible hyperbole, merchant groups have glimpsed the potentially superior customer experience and lower costs smartphone-based transaction could provide for most retail commerce transactions. What could be better than having one’s customers pay for part of your infrastructure?
These merchants understand how important solid identity and attribute exchange mechanisms are to enable their desired future state.
Rather than unravel the conceptual hairball that is “identity” (there are almost as many interpretations as there are people), let’s consider the more tractable and still complex problem of the mobile device’s potential role in authentication.
Everyone agrees the smartphone is a rich potential source of explicit and implicit data “signals” for user authentication. Here’s a partial list of signals the smartphone can provide:
So, there are multiple signals to employ for authentication. An OS or app-level PIN (or both) or a biometric to unlock the device, or an app, can provide explicit signals for “what you know ” attributes. While the PIN is hardly fancy and is definitely static, it’s ability to deter lost/stolen and friendly fraud is well documented.
The majority of signals are implicit, feeding data into server-side, cloud based authentication processes to address the “what you have” question.
What’s the authentication value of all of this compared to presentment of a card at a POS terminal? I don’t have any numbers, but given the abundance of smartphone-derived signals, it’s reasonable to say that the two are, at least, equivalent.
That’s not to say that cards can’t play with mobile. For example, there are analytical approaches that combine card number behavior data with mobile sources that can improve card-based risk decisioning. Early Warning Systems, for example, has experimented with linking the debit card number presented at the POS with the location of the tower currently serving the mobile subscriber and card accountholder. The card is one token, the mobile device is another, each presented on a separate channel. It’s often possible to determine the POS terminal’s location to the zip code or state level. If the mobile phone and the card are being used in the same state, even that coarse correlation provides, according to Early Warning Systems, a strong positive indicator. But it’s hardly consistent. For those businesses that operate enterprise payment switches, the source POS terminal isn’t available for such a correlation test because all transactions are routed to the payment network through a central link.
Compared to the range of signals from the smartphone, there’s a paucity of data to use.
All of this is simply about presentment of user-provided (explicit) and device-generated (implicit) signals to the authentication process, the step that grants access to one or more online resources. During that step, signals are evaluated against the history of the particular device, how it’s been used to interact with the site, whether via a browser or an app, on a laptop, a table, or smartphone for measurement against past behavior.
Once authenticated, of course, there’s the world of server-side behavioral analytics to provide real-time assessment of transactional risk, the area Guardian Analytics addresses. Further context-specific authentication may be required when the user initiates a payment transaction. While analytics on the behavior of card numbers across channels improves fraud detection (CyberSource’s use of POS transaction data from Visa is another example of improvements to e-commerce risk scoring), the granularity of the user and device specific attributes generated via the mobile device should provide a strong alternative approach.
While EMV injects dynamic data into the payment message (as well as clear text PANs), it is an otherwise mostly static, single purpose platform. Compare that to the mobile device, which combines static data (SIM serial number, etc.) with recognizable configuration profiles for device fingerprinting, context-specific dynamic data such as location plus application-specific PIN or biometric entry. And that all happens before the payment transaction takes place.
Now that my panegyric to abundant signals is complete, it has to be placed against the reality of authentication today where context-specific authentication, based on issuer-based tokens, prevails. The proposition of a single general-purpose approach along NSTIC lines is both arguably desirable and at least a decade away. Today, relying parties like financial institutions and enterprises get to decide what customer attributes they need to conduct business. They set the attribute “Ts and Cs” that must be followed to establish transactional trust. These well-defined business relationships, supported by years of tested contract law, work very well; they just need far better support for digital transaction security.
Nok Nok Labs is a new entrant to help manage the complexity of merging mobile device signals with existing authentication methods. It is a member of the FIDO Alliance, a group that announced this week that Google has joined PayPal, Lenovo, and a range of firms to establish a more flexible authentication methodology to replace our reliance on the hopelessly insecure and unmanageable user ID and password mechanism. Google’s presence validates the approach if not the company’s firm commitment to its success.
A Bank Strategy Malaise?
At NACHA, a sense of malaise and frustration was present. Having survived the collapse of 2008 and 2009, there was some expectation that new initiatives would help focus bank tech development and strengthen product lines if not generate a flowering of innovation. But that hasn’t happened beyond the blossoming of remote deposit capture, a remarkable step in the automation of one of our oldest payment vehicles. Predictably, mobile has taken its rightful place as a new channel but it hasn’t inflamed banker imaginations as it has developers in most other sectors of the economy. P2P payments continue to struggle with expanding network reach and consumer footprint.
EMV hasn’t generated excitement either. Other than nascent EMV card issuance into the small base of international travelers (only 20% of Americans hold passports), financial institutions are hardly rushing to deploy.
Bigger Questions for Financial Institutions
The EMV business case, and the role of the financial institution, could be strengthened if FIs looked to use their cards in adjacent contexts for authentication purposes. Canadian banks are participating in this adjacent context approach because there’s a revenue opportunity. SecureKey’s Canadian pilots let consumers use their bank-issued cards as strong tokens for access to government websites. The FIs get paid. If nothing else, as we transact digitally even more, the use of a bank card for adjacent applications is, at least, a branding opportunity but it may be an economic one as well.
Do financial institutions want to become simple account custodians who leave innovation and branding to others? In the prepaid world, that’s already the case where they function as BIN sponsors and risk managers. Financial institutions bailed out of the direct merchant acquiring business years ago. And look who hasn’t joined the FIDO Alliance: financial institutions. While Nok Nok Labs was present at NACHA, their audience was a small subset of attendees, one they and their FIDO Alliance confreres will spend a long time educating.
There are plenty of “ya-buts” here, not the least of which is privacy. Smartphone security is another as mobile malware ramps up. Strong opt-in and butt-out policies address the first. Layered security addresses the second and these authentication approaches add a strong new set of layers.
But the question of FI interest in authentication—as a new revenue source, a branding opportunity, and a value-add to cardholders—needs answering. Internet disintermediation is at work. There is still plenty of opportunity for customer-facing innovation that includes information about money as well as the ability to transact. Consumers want it to come from their financial institutions.
Authentication is one path financial institutions could take to create convenience for cardholders and new revenues that leverage KYC data assets and card issuing experience.
If they don’t, via this authentication path, financial institutions could see online brands insert themselves more firmly between the customer and the institution. A Google, Facebook or PayPal sign-on profile, augmented by smartphone-based signals, could nudge the bank into the tight corner of a custodial role over customer account numbers.
It’s hard to upsell from there.