Dual Interface Construction

When we think about the migration to contactless or Dual Interface cards it is important to have a general understanding of what goes into creating the card and the constraints one has to think about, as they work with their marketing teams to design these cards.

The design of a payment card involves assembling multiple of PVC into a sandwich that will be bonded and then punched out to form the card body.

  • On the face of the card: a clear laminate to protect the surface
  • On the back a clear laminate with the magnetic stripe affixed to it

In the middle two printed sheets

  • The front
  • The back

In the middle of the card body, your manufacturer will need to insert an antenna.   The antenna is typically provided to the card manufacturer as an inlay, as seen on the left.  The inlay is a sheet of plastic with the copper antenna, sometimes aluminum embedded within.  The card manufacture will add this inlay into the middle of sandwich.

On the right is an example of a six layer card construction including one element as an example, a metal foil.  This has been included given it has an impact on the effectiveness of the radio signal.  More about this a little later.  Using pressure and heat, the layers of the sandwich are bonded together in a process called lamination.  The bonded sandwich is then run through a series of additional processes designed to create an ID-1 card as specified in the ISO 7810 specifications supplemented by the additional payment network requires, such as the signature panel and the hologram.

After quality inspection the next step is to mill and embedded chip into the card body and simultaneously assure a connection between the contacts on the back of the chip and the antenna.  There are various means of connecting the chip to the antenna.  These different methodologies for connecting the chip to the antenna is a specific skill and is the responsibility of your card manufacturer.  Look to your manufacturers to propose, construct and certify your card to your requirements and employing their unique processes, techniques and technologies.

One thing you will need to be aware of is how the use of the antenna affects the certification process.  It is important to understand that the combination of ink, materials and methods of construct means; each construction will need to go through a unique certification.  This need for certification is a result of the use of radio frequency to communicate between the card and the terminal.  Think of your cell phone when your inside a big building or within an elevator and how the conversation maybe disrupted.  It is this possibility of the radio signal to be disruption based on the materials employed and the method of construction.

When metal elements like metallic foils and layers are used in card construction, the challenge increases.  Eddy currents are emitted by the metal and will interfere with the level of power and quality of communications emanated by the antenna and radio in the POS  received by the antenna and the computer in the card.

So far we have spoken only of the hardware.  The chip in the card is a computer and needs an operating environment, application and data in-order to function.  The introduction of the contactless interface alters the operating environment, the payment applications and the data which is loaded into the card.  All of this impacts the card manufacturing and card personalization process.

 

Will the US truly embrace dual interface cards or is our phone the future

When the US decided to migrate to EMV, it took the safe course

When it was time to migrate to EMV here in the USA, both issuers and acquirers focused on addressing the market and the required technology, one step at a time.  They recognized the confusion created by the Durbin Amendment, the reality of the competitive US debit market, the complexity of the merchant environment and the legacy infrastructure underneath the American card payment system.  Unfortunately unlike in other parts of the world the American merchants tended to migration to  EMV in the following order credit & debit, Common AID, contactless (MSD mode), Mobile Pays and finally contactless (EMV mode).  This journey is still a long way from complete with less than 25% of the terminal base contactless enabled, let alone in EMV contactless mode.

The larger and most invested merchants also worried about the impact of sharing data with the likes of Amazon, Google and Apple.  The “honor all card” rule is also the “honor all wallet” requirement.  Wal-Mart, Target and Home Depot were clear, they did not intend to expose the NFC antenna to the various NFC Mobile Wallets.  Instead they are implementing solutions, post MCX, based on their mobile apps using QR codes and often times enabled to support frictionless payment.

We are now looking at the second wave of card issuance and Issuers are wondering what merchants will finally do about enabling contactless.    As the Issuers prepare to issue their cardholders with their second EMV enabled card they must also think about the future of the card in the context of the future of mobile payments.

Are the payment credentials carried in the mobile wallet the companion of the card
o
r
Is the card the companion (fallback) for the payment credential carried in mobile wallet / device

Or
Are we on a journey to a new paradigm

Where facial recognition, loyalty, geolocation
Enabled by the always connected devices

We surround ourselves with
Help merchants to focus on
the shopping experience

And
Turn the Payment into

A frictionless “thank you”

 

The case for Identification and Authentication

As we continue to explore the case for Identification and Authentication I share the below article.

What is becoming clear is standards are being embraced.

In the Payment space

Will it be W3C WebAuthN, 3DC and Webpayments or EMVCo SRC & Tokenization?

My guess depends on if standards bodies can play well together.  EMV (contact or contactless) will remain the many stay for physical world commerce, until the App takes over the Omni Channel shopping experience.  then the merchant will properly authenticate their loyal customer and use card on file scenarios for payments.  The question of interchange rates for CNP will see a new rate for “Cardholder Present&Authenticated/ Card Not Present.”.  In time when a reader is present I can see an out of band “tap to pay” scenario emerging using WebPayments and WebAuthN.

In the identity space

I contend the government and enterprise market will go for a pure identification solution with the biometric matched, in the cloud, in a large central database.  Does it include a what you know username, email address or phone number; maybe!  If it is simply the captured image or behavior, then it is a 1 to many match.  If it is with an identifier, it is classic authentication with a one to one match.

In the pure authentication space where the relying party simply want to know it is the person they registered.  Then, the classic FIDO solutions work perfectly and will be embedded into most of our devices.  Or, as we’ve seen with some enterprises, the relying party will embrace U2F with be a FIDO Key, like what Yubico and Google recommend.

The classic process needs to be thought about in respect to what can be monetized.

  • Enrollment = I would like to become a client or member
  • Proofing = Ok you are who and what you claim, we have checked with many to confirm your Identity – This is where federation comes in.
  • Registration – Verification = Ok, now we confirm it is you registering your device(s)
  • Authorization & Authentication = Transaction with multiple FIDO enabled relying parties using your duly registered authentication.

How Microsoft 365 Security integrates with the broader security ecosystem—part 1

by toddvanderark on July 17, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protectionthreat protectionidentity and access management, and security managementproviding in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsofts strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, well address these topics, beginning with Microsofts strategy for integrating into the broader security ecosystem. Our integration strategy begins with partnerships spanning globally with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate and our customers must respond more quickly and aggressively to help ensure safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective through seamless information sharing and working jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sourcesand enhanced from shared threat intelligencehelping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Securitystrengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines, best practices, and creating a standardization of security requirements. For example, the Fast Identity Online (FIDO) Alliance, helps ensure organizations can provide protection on-premises and in web properties for secure authentication and mobile user credentials. Microsoft is a FIDO board member. Securing identities is a critical part of todays security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDOs board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online Chile exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, well showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

 

Something to wonder about

What You Have

The Two Sided Market

When we think of investing in various macro business needs e.g. revenue. We see that establishing relationships with customers to stimulate sales is why we create the goods and services, hopefully, others want.

If the buyer has something the seller wants, in exchange for the good or service they desire, then a transaction occurs. The challenge is simple, each party defines the value of what they are providing or exchanging and presto the trade occurs.

When society grows and the complexity of what each of us produces and when our needs are not aligned to this process called barter, a means of monetization is established. Society creates a trusted form of exchange – pebbles, coins, money, a promissory note or now even cyptocurrencies.

In other words, society creates an answer to enable the exchange of goods and services between parties who do not have goods and services the other party seeks in exchange.

With cash, coins or other trangible representations of value, commerce is easy. When we complicate things and worry about carrying cash and seek to buy things with debt. A need for a Network emerges.

These payment networks, by necessity, add complexity. They create the need to establish two sides to the market, one focused on the relationship with the buyer and the other with the seller.

Issuance and Acceptance. Two words to descibe the two sides of a network. It’s only when the two sides of the market have sufficient participants. Only at the tipping point, enough critical mass exists, to create a self sustaining network. This is the network. At this moment the network blossoms. If either side of the market does not achieve critical mass, the network collapses.

Any two entities familiar and trusting in the Brand, or each other, can easily establish a temporary relationship. Adding anonymity to the requirements, increases the leave of trust and recognition the Brand must establish.

In a digital environment we have to define mechanisms to share and establish trust across trillions of electrons. The two sides will not pursue understanding of nor focus on security. Until the risk exceeds a threshold unique to each party on either side of the market.

To often in the past, the idea of the individuality of the individual or the need to design security in from the beginning. Has left us with a legacy of system all needing design of custom approaches to how to integrate security with requisites necessary to capture, calculate and manage risk.

The Artifact of Trust

When a mutually trusted set of parties gives the citizen, consumer, employee or courtier a card, a device or an object and provides every acceptor with a reader capable of recognizing the trusted thing; then the two parties are in a position to establish “trust”. The consumer has a thing which is recognized and trusted by the acceptor. This is often referred to as “What You Have”.

Once the thing is recognized by the acceptor, then, the process of identification and authorizations (the transaction) can take place. The object – the artifact – carries an identifier. It possesses characteristics that establish its unique character. The object also posesses a means of assuring the acceptor the presentation of that identifier repreents a unique entity.

The simplest artifact of establishing “trust” is a hand held thing, be it a key, fob, card, watch, pendant, phone, ear piece. It does not matter what it is, all that counts is that the merchant recognizes it and that the consumer is willing to carry and present it.

Trust, for the merchant, means they can, according to the rules, recognize and authenticate the thing. They are then in a possition to pursue a temporary and trusted relationship. What can be achieved during the time the relationship of trusted is bounded, is the constrained by an additional layer. In this layer the consumer, the acceptor and any third parties address which the rights and privileges are to be granted or pursued. This is when the exchange, sale, conversation, tranaction, event or access is granted.

Two sides meet several common mediums of exchange are available.

[contact-form][contact-field label=”Name” type=”name” required=”true” /][contact-field label=”Email” type=”email” required=”true” /][contact-field label=”Website” type=”url” /][contact-field label=”Message” type=”textarea” /][/contact-form]

Mobile Payment – Thoughts after listening

Thoughts resulting from The webinar Doug King of the Atlanta Federal Reserve gave on “Future Proofing Payments”

The long standing question of the future of Mobile Payments, again discussed and again similar conclusions.

  • Will the American market embrace the idea of mobile payments?
  • Is it a question of when or a question of why?
  • Why do emerging markets embrace new ways and mature markets resist?
  • Is it all about acceptance and the merchants investment in contactless reader capability?
  • Is it an all or nothing concern?
  • Could it be simply reality, as ling need our wallet with other cards e.g. our drivers license, why eliminate payment cards from the physical wallet?

Doug touched on all of these questions. He shared relevant statistics demonstrating the slow and possibly indistinguishable grow in usage of mobile wallets. He shared the success of several of the merchant proprietary mobile payment approaches.

Which leads me down the path of another question. What is the value proposition that will ignite the use of our phone and devices as carriers of our means of payment? The possibility to create value simply with a electronic wallet carrying only means of payment, does not create an exciting proposition.

Our mobile phones and connected devices provide us with such value

We have embraced dozens of apps. They help us to navigate, shop, explore, play and learn. Our phones are beginning to become security devices, taking advantage of sensors to integrate biometrics into how we access and authenticate ourselves as we browse and explore the ever increasing digital place we now call cyber space.

There is another phenomena emerging as a result of how we are transforming how we engage. Some called it the “Uberization” of payments, the ability to make payments frictionless. A change so profound we must stop and reflect and ponder what next.

I recognize there is a repetitive theme to my musing.

When physical world merchants fully embrace the concept of omni channel and build their virtual and physical experiences to complement and augment one another, then, with the ability to integrate payment seamlessly into the shopping experience a value proposition emerges.

What is EMVCo goal with the release of their SRC framework

October 2017 EMVCo published version 1.o of their Secure Remote Commerce Technical Framework.  Today I decided to read and appreciate what they are trying to accomplish and then consider how it ties into what I remember and think we need to do moving forward.

Clearly the challenge links back to the now infamous New Yorker Cartoon.  We have not successfully established a means of assuring the identity of an individual when presenting payment credentials (the PAN, Expiry date, name, billing address and CVV.  The first attempt, still not 100% implemented, was the introduction of CVV2, CVC2 or CID a 3 or 4 digit number printed on the back or the front of the payment card.

We then developed something called SET or Secure Electronic Transactions and unfortunately the payment networks were not willing to allow Bill Gates and Microsoft to earn 0.25% of every sale for every transaction secured by SET he proposed to build into Microsoft’s browser.  Without easy integration into the consumer browser, the challenges of integrating SET into the merchant web pages and the Issuer authorization systems caused this effort to fail the death of some many other noble but complicated attempts to create a means of digital authentication.

Next came 3D-Secure, a patented solution Visa developed.  It offered what was considered a reasonable solution to Cardholder authentication.  Unfortunately, given the state of HTML and the voracious use of pop-ups, the incremental friction, led to abandon shopping carts and consumer confusion.  Another aborted attempt at Internet fraud mitigation.

Yet 3D-Secure was not a total failure.  Many tried to enhance it, exploit it and avail themselves of the shift of liability back to the Issuer.  Encouraging consumer engagement and adoption was futile in some markets mandated and cumbersome in others.

Now let’s consider what EMVCo is attempting to do with their Secure Remote Commerce Technical Framework.  As I started to read, I ran into this:

“As remote commerce becomes increasingly targeted and susceptible to compromise, it is important to establish common specifications that protect and serve Consumers and merchants.”

Clearly the authors do not have institutional memory and cannot remember the various attempts alumni of these same organizations spent time on and encouraged many to invest in their implementing.  Clearly this lack of historic context will leave some pondering the purpose of this paper.

I then read this sentence and reflect back on a recent hearing on “Social Security Numbers Loss and Theft Prevention” in front of The House Ways and Means Subcommittee on Social Security

“Over time the Consumer has been trained to enter Payment Data and related checkout data anywhere, making it easy for bad actors to compromise data and then attempt fraud.”

Once again, I stand  troubled by how the Payment Data clearly printed on the face of the card and especially the PAN, 11-19 digits, designed to simply be an identifier, was converted into an authenticator.  Like the social security number, the drivers license number, the passport number and your library card number, the PAN and other “Payment Data” was never designed to be an authenticator.  It was meant to be data a merchant could freely record.

The secure features of the card now the EMV cryptographic techniques otherwise referred to as the Application Request Cryptogram “ARQC” were meant to offer the “What You Have”  factor in a multi-factor authentication scheme.

As I began to appreciate the scope of this document, the term “Consumer Device” becomes critical.  I began to wonder if a PC is a consumer device or if a consumer device is only something like a mobile phone, watch or other like appliance.  Fortunately, later in the document, the definition clears up any confusion created by the earlier use of this term..  This said, I then wonder about the difference between what they define as Cardholder Authentication and Consumer Verification?

After reading through all the definitions, I ponder why the authors had to change terminology?  Why could they not embrace known and recognized nomenclature.  Do we need a new vocabulary?

I wondered:

If this is another attempt to create a revenue stream for the payment networks?

Or, is this the effort of a “closed standards” body to reduce the potential value of the W3C WebPayments activity?

 In search of an answer to this last question, I found this discrete comment inside the SRC FAQ.

9. Are any other industry bodies working in this area?

EMV SRC is focused on providing consistency and security for card-based payments within remote payment environments.

EMVCo aims to work closely with industry participants such as W3C to capitalise on opportunities for alignment where appropriate.

Having read bits and pieces of this and the WebPayments efforts one does wonder what is EMVCo trying to do.  We shall see?

Why do we need Tokens and Tokenization

Recently I was directed to a link http://paymentsjournal.com/tokens-work-because/ and wanted to write the author Sarah Grotta.  As I wrote the message crystallized in my head and maybe as this prior post already discussed, this idea of tokenization made me cringe.

I contend that Tokens exist because we turned the PAN Personal  / Primary Account Number, like we turned the SSN Social Security Number, into an authenticator.  One can must ask the question.  How can a random value (an identifier) become an authenticator and remain secure?

EMV works because it renders the Card unique, hence addressing the question of counterfeit, by employing the first factor of the classic MFA Multi-Factor Authentication concept “What You Have”.  EMV defined a common set of secrets and digital credentials; securely stored in a Secure Element or Chip Card.

We here in the United States decided not to implement the second factor, the Personal Identification Number or PIN, for a variety of reasons. Hence, why Lost and Stolen remains an issue or weakness in the American Card Payment environment.

Biometrics are emerging and could solve for the assurance of cardholder presence.  The challenge is how to effectively (cost and convenience) locate the biometric sensor and facilitate the matching of the sensors output to the persons registered biometric.  Let alone, how does one make sure the right persons biometric was registered and associated with the device.

In the mail order / telephone order, now cyberspace, we did not replicate merchant authentication, the first factor – “What You Have. The card, once was secured with things like the magnetic stripe, using CVV1, the Hologram and the other physical features.  We simply shifted the liability to the merchant and called it a “card not present” transaction.

People can claim all sorts of goodness because of tokenization.  They can talk about how the EMVCo’s tokenization framework describes the use of tokens in device and domain specific scenarios.  All of this, an issuer, could have done; if they, like some did, simply issued another number, a PAN, to the wife, bracelet, watch, ring or whatever other permutation they deemed appropriate.  They can talk about dynamic data.  yet what they often forget to include when they use the words “Dynamic Data” they are really talking about a cryptographic value as described in EMVCo Book 2.

Yes, this does mean the question of how the PAN and its digital credentials get deployed; has to be addressed.  This said, GSMA with EPC did offer some thoughts, last decade, when they described the Trusted Service Manager

Instead handset oligopolies replaced the MNO with the their Mobile Pay wallets.  They working with the Payment Networks and focused on control and the creation of income.  They, as monopolist will, have created barriers, restricting others from offering comparable services.  The TSP now becomes this restrictive service that guarantees the power of companies like Apple and Google, supported by their friends, the payment network operators.

The original article also spoke of the PAR; another data element merchants, processors and the industry, will have to invest in supporting.

I ask the question.

If we had assured the authentication and verification of every payment transaction
Using Multi-Factor Authentication
Why did we need to turn the PAN into a dynamic value? 

My contention, simply use the appropriate level of  cryptography.

If the Issuer or their processor is in control and understands basic EMV and Cryptography, then securing the PAN is not an issue.

Consider household financial management.  If each member of a household has a unique PAN; budget, tax preparation and understanding who spent what where is a lot easier.  The husband,wife and children should have their own unique PAN, stored in the clear in their devices and on their card.

The real requirement, my personal devices, including my payment card, simply need to be linked to one PAN their Personal Account Number, associated with the individual.  The PAN Sequence number could easily allows each device to be uniquely identified, if necessary.  The card and devices becomes the carrier of your identifier.  A thing that can be authentication as something you have.

Here is where the second factor comes in.  Is the person presenting the PAN the rightful and authorized individual? All this required, is assurance to the shareholders that the presentment of the PAN is a unique and authorized event.  This is best achieve by using either something you know or something you are to bind the individual to the instrument carrying the Identifier.

Yes, a bit of friction to assure the  consumer they are securely paying for what they want to buy

Since the World Wide Web came of age and merchants saw its potential.  The question of how to secure the Card Not Present space, this question of cardholder presence, has not been properly addressed.  Visa and MasterCard (when they were not for profit associations) created the utility of the Card Verification Result CVV2, CID or CVC2 which would be printed on  on the card and not part of the magnetic stripe, the problem the bad guys could still steal the card or get hte card number and capture CVV2..  MasterCard and Visa then created SET, 3D-Secure and now, as for profit owners of EMVCo, are proposing, maybe even will mandate, the industry implement EMV 3D-Secure.

Each, an attempt to provide some means of Authentication and Verification.

Each introducing a level of friction as a means of security.

This is the problem.  The market did not start by emphasizing the need for security by educating the consumer.  The industry needed to help the consumer understand they should care and want to securely pay for what they intend to buy.

Instead:

  • The Zero Liability Policy was adopted.
  • The merchant was more than happy to sustain a degree of lose (fraud) in exchange for sales and profits.

The result, as all anticipated would happen, was blissfully ignored and eventually they cried out about.

Fraud migrated to the weakest point
Just like water finds its way to the lowest point. 

EMV, introduced in the Face to Face card present environment, pushing the bad guys: be they criminals, state actors and terrorists to find alternate another channels for their financial gain.

EMV and now the recently published WebAuthN and FIDO specifications create effective mechanisms for Consumer Authentication.

Let us please remember – the PAN, a user name, your social security number or your email address are excellent Identifiers.  They should not be authenticators and they are not a means of “Identification”.

Let us also remember, the term Identification means that one is assured of the irrefutability of identity.

The big question:

  • Why did we have to get rid of or replace the PAN?
  • Why did we and continue to need to invent and invest in all this addition overhead?
  • Why did we not simply address authentication?

Some will argue the challenge of using the PIN or a Password, as a means of Verification, is because it is to hard to remember. Especially, if each password people use to access website, services, building, has to be unique.  Some will argue imposing friction to add security is not convenient.  Others will remind us that security is and has been a necessity since the beginning of time.

Why didn’t we when we created this great new digital shopping mall?

Bottom line each of the devices used to present or acquire the PAN, must be capable of authenticating the identity of the authorized presenter, in both the physical and virtual world.

At least these are the views of someone who believe history provides a baseline for tomorrow and tomorrow must be designed as a function of where you want to be, knowing where things came from.

 

Of NFC, Mobile and History

Today I read Karen Augustine’s  Mobile Payments Use in the U.S. Lags

As I read and reflected on what Karen wrote, I reflected on my experiences as a sagged payment consultant and executive, with international experience.

What I see is an issue of legacy and muscle memory – setting a pattern for the future.  Said another way – our history defines the boundaries of our future.

Asia did not have electronic payments.  I am sure did not want to embrace the globally dominate American solution.  Therefore, they had the opportunity to start fresh.  It is very much like what Spain went through, went they moved from cash to electronic card-based payments.  They bypassed the check.

Her article brings back memories of life in Belgium in the 90’s.  Writing a check was a rare occurrence.  Direct debit mandates, a MisterCash card and a Eurocard was all we needed to buy and enjoy life.  Electronic payments was the norm, paper checks were a rare oddity and cash, well yes there was a very present grey economy.

Here in the USA we developed our payment systems off the back of regional or state banks with acceptance networks limited to a local domain.  Moving to a national system required early adoption of a common national currency.  We then went on to replace IOUs with paper checks and store cards with credit cards.  In time we enhances the ACH system and developed support for remote deposit and check capture.

Why do we need to move the card into the wallet?  Why change habits that are comfortable and work?  Most of us drive to shop and therefore must have our drivers license.  We must carry a physical document with us.  We simply carry two or more ID-1 sized cards.

You make the statement and was once again reminded of times past.

“… universal mobile wallets and more often driven from merchant based applications that often incorporate loyalty and rewards, which to date still remain nascent in universal mobile wallets.

When I produced this rendering, back in 1996, I was on stage talking about a world where leather and technology converged.  I imaged Bluetooth, NFC, secure elements, GPS and our various credentials converging into this personal device.  Those credentials grouped into: travel, identity, membership, loyalty and payments; easy to find and present.

When contactless payments were  introduced, in 2004, by Visa’s with PayWave and MasterCard’s PayPass; I argued why contactless cards – how can the issuer afford the extra dollar per card (cost of the antenna and inlay) and the merchant the extra 60 dollars to enable the NFC reader?  The way Issuer income works, “Interchange”, the consumer would need to spend more on that issuer’s card.  For the merchant to justify the necessary POS investment, meant the retailer believed the consumers would spend more, because it was “easier”.  Was Tap To Pay going to make me spend more.  Maybe for small ticket purchases, I may use cash less; but at the merchants expense!  We argued the cost of cash was more than the Merchant Discount.  Some agreed.  Many wondered what the blank are they trying to sell us!

Around the same time America was exploring this contactless experience, the European Payment Council and GSMA debated and ultimately offered an approach for mobile card based contactless payments https://www.europeanpaymentscouncil.eu/sites/default/files/KB/files/EPC220-08-EPC-GSMA-TSM-WP-V1.pdf .  Handset manufactures like Nokia had already added NFC Antenna’s to their mobile phones and mobile network operators, the MNO, saw the SIM as the secure element capable of holding payment credentials.

Some tried, the Trusted Service Manager as a service was developed and deployed.  The challenge, the economics of the model.  In this case the MNO saw revenue and wanted to charge fees to load the payment credential into the phone and better yet charge rent to store these payment cards in our phones.  Again I ask the question, by changing the way we pay, do I cause us to want to spend more? I think not!

Maybe some would argue, with  a credit card people am able to buy things today that they cannot afford.  Let them end up in debt.  This is true.  But then is debt  at 18% a good thing?  Europeans simply decided to establish a line of credit, as a feature of a Current Account, at reasonable interest rates.

We could go on and talk about how Apple saw the possibility of a 0.15% income stream from ApplePay based mobile payments and how the EMVCo tokenization framework evolved to support their desire to protect the Apple Brand.

What is clear, we could solve George’s problem and replace his Full Grain Vegetable Tanned Cow Leather leather wallet with a Mobile Wallet managed by Apple, Google, Samsung or …

Or, we could think about the consumer and what they really want?

As your article made clear, and so many others have shared, Asia leaped forward.  Be it AliPay or WeChat, the device, the mobile phone, became the consumers wallet, their method of engaging, shopping, learning and exploring.

We need to accept to simply replace what we are comfortable with, with something new; which does not enhance our experience, is simply not worth it!

Many of us, like Karen, would argue the experience of shopping is what the mobile phone can enhance and let the act of payment become the afterthought.  A simple click to say – yes, I agree to pay.

Amazon got it right with One Click.  Others, as the patent expires, are embracing the same technique to simplify payment to a friction-less act of satisfaction.  When my favorite stores offer me an mobile app designed to enhance my shopping experience, to thrill me with offers and entice me with things I want; then yes I will become more loyal, I will shop at their store more frequently and maybe even buy a few things I did not intend to buy.

Many years ago while attending conference of groceries  in Abu Dhabi – one of the speakers share an experience.  when that supermarket executive instructed each store to put the beer across from the diapers, the intended result occurred.  The husband, sent to get the diapers, ended up buying  a six pack too.

Maybe, like this experience reveals, if we focus on the consumer experience and on delighting them.  They will embrace change.

If there is no value why should we?

Years ago I prepared and published an idea.  I called it Cando.  I was still committed to the idea of the mobile wallet.  I was an early adopter of the smart phone and saw its potential.

 

Cando

Payment Card Construct and Dual Interface Deployment

Payment Card Construction

The discussion focused on the construction of the sandwich. Four layers. Clear front laminate to protect the ink, front with the banks design and brand logo, back with the banks back design and a clear laminate with the magnetic stripe integrated into it.

To enhance design additional layers may be added, such a metal foil.

These four sheets are then bonded together, at 120 degrees, in sheets of 21, 36 or 48 or other various sheet sizes. Next step punch out cards, add hologram and signature panel.

For a standard EMV card the next phase is to mill and embed the module with the chip inside. Last, the manufacturer typically loads the O/S & EMV application into the integrated circuit card.

When we move to dual interface caed, this process is modified to add an inlay, with the antenna embedded within. This inlay is inserted in the middle of the sandwich and during the embedded process the contacts exposed on the base of the module are connected to the antenna in the inlay.

Next step, personalization, when the appropriate data is loaded into the chip, along with the encoding of the magnetic strip and printing and/or embossing of the cardholders, name, expiry date, cvv2 and other information onto the card.

Contactless or Not That is a Question

Contactless NFC acceptance and dual interface issuance is all about the chicken and the egg. Who will go first? The merchant or the issuer? Each need each other. Both are wondering about the incremental value.

  • Faster transactions – Yes
  • Less cash – maybe
  • More revenue – good question!
In other parts of the world, transit and their choice of contactless, as the right answer to a more efficient fare collection solution is driving conversion. In other, markets a group decision to adopt or a desire to find the next great thing drives the market. Here in the USA, we have a less than successful history of contactless. Let’s not forget PayPass and PayWave, it was tried the middle of the last decade, to little or no success.
We have Google and the FinTech world looking to mobile payments as the next great adventure. Merchants, like Wal-Mart, are resisting NFC acceptance given their own plans for QR based wallets and desire to limit the sharing of data with competitors.

Given these questions and observations, one can only wonder.

Financial Trade Groups Write to House Leaders in Support of Data Breach Notification Bill

https://bankingjournal.aba.com/2018/02/financial-trade-groups-write-to-house-leaders-in-support-of-data-breach-notification-bill/

 The American Bankers Association and six other financial trade organizations wrote to House leaders today underscoring the need for businesses across all industries to be held to the same data protection and breach notification standards currently adhered to by regulated financial institutions.

The associations expressed support for draft legislation released by Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.) that would create a level playing field of nationally consistent data protection standards and post-breach notification requirements. This bill would not create duplicative standards for financial institutions which are already subject to robust standards, but rather extend similar expectations to other sectors that handle consumer data.

“The goal of the bill is simple — raise the bar so that all companies protect data similar to how banks and credit unions protect their data, and create a common-sense standard to ensure consumers receive timely notice when a breach does occur,” the groups wrote.

The draft bill contains a provision that recognizes the existing, effective regulatory framework for covered financial sector entities.  While the provision was intended to prevent banks and credit unions from being subject to duplicative notification requirements, it has been the target of recent negative campaigns circulated by the National Retail Federation and the Retail Industry Leaders Association, which incorrectly suggested that banks do not notify customers of breaches on their computer systems and   The ads from the retailer groups also mischaracterize and exaggerate the share of data breaches occurring at banks and credit unions while omitting their members’ (higher) share of data breaches.

The financial trades refuted the notification assertion, noting that “banks and credit unions have long been subject to rigorous data protection and breach notification practices for financial institutions to follow,” and that in the event of a data breach, banks and credit unions work continuously to communicate with customers, reissue cards and enact measures to mitigate the effects of fraud. They added, however, that “no solution will work unless everyone has an obligation to take these steps.” For more information, contact ABA’s Jess Sharp.

Words all bound to who we claim to be – How do we identify ourselves on the Internet or in Cyberspace?

Identifier – Something you create or are provided to digitally identify yourselves. Identifiers are things like an alias, user name, email address are examples.

Identity – This is who we are or wish to represent ourselves to be. These are attributes and information about: where we live, who we work for, which banks we have relationships with, who our friends are, which clubs we belong to, our certified skills, what schools we graduated from, which country(s) we are citizens of, our LinkedIn profile, Our Twitter handle, our Facebook identifier, our phone number … .  It is the sum of the attributes we can and will share with others, be they individuals, governments, entities or organizations; as we establish relationships and prove to them who and often what we are.

Authentication – The method we employ to assure that you, based on the identifier presented, are who we (the relying parties) thinks you are.  You are the person the relying party accepted when you registered that Identifier as how you would digitally identify yourself.  By itself the method of authentication should not allow another party to be able to determine anything about your identity.  Privacy is the goal.  FIDO Alliance and W3C have defined standards to support authentication.

Verification – The process of confirming that the secret or biometric match the secret or biometric that where originally registered to that Identifier.

Identification – A means of authentication that is bound to your identity.  A EMV payment instrument “Chip and PIN”a PIV card, an electronic passport, a membership card, a drivers license, a national ID are all forms of identification  issued by a party that should be trusted to have performed a proof of the individuals Identity, based on a defined and often published criteria.

This particular word, for many, has an alternate meaning.  In the biometric community they see Identification as the ability to use a biometric to determine ones Identity.  This is achieved by performing a one (the person present) to many match (persons registered).  The goal is the same, bind Identity to the mean of Authentication by using the Biometric as the Identifier.

Proof – The method a relying party or an individual uses to validate your claim of a specific Identity.  In many cases this is achieved by relying on knowledge of another party.  The relying party accepts the due diligence to proof your claimed identity was done to their satisfaction by another party.  This other party is often referred to as a Trusted party.  This effort to proof the identity of an individual is linked to words and acronyms like KYC “Know Your Customer”, ID&V “Identity and Verification” and Self Sovereign Identity.  We classically assume that documents provided by a Government e.g. drivers License and Passports are a solid proof of the claims asserted on those same documents.

In a digital world this is the most important element of a how we as people, entities, governments and corporations can be assured that you are who we believe you to be.

I am once again am reminded of the 1994 New Yorker Cartoon

Europe Led the way with EMV yet Europe appears to prefer cash

Europeans still love paying cash even if they don’t know it

Interesting to reflect on how much we allow Europe to lead as we think about EMV and the technology we use to secure our payment cards.  Maybe American’s need to embrace and take over the management of these key standards that drive an economy.

Thinking about cards

In 1991 I had to learn the difference between million dollar transactions and hundred dollar transactions. As I came to explain, when telling my life story, I had to shift my thinking from 100 transactions at a million to 1,000,000 for a hundred. This transition took me from capital markets to payment cards.

Today, I wonder about the future of the ID-1 based payment card? A piece of plastic 3 3/8 x 2 1/8 with rounded corners.

In another blog I spoke of how this ID-1 object became a token responsible to act as the first factor, something you have. Printed, encoded and embossed characteristics were the security features. Today, with EMV as the global standard for payment CARD security; cryptography and the “secure element” replace those physical security with digitally mastered circuitry embedded inside something capable of protecting those secrets cryptography requires. We digitized the payment card. What we now must do is shift our vocabulary to tokens and credentials.

We need to embrace a new way of speaking we need to think about our “Payment Credentials”.

Today, we now tap our phone to pay, we use our phone to browse the internet, we shop & book tickets with apps and we listen to music & watch movies all from this device we apparently use, thousands of times a day. For those of us who remember computers that filled floors, we now are capable of buying more powerful computers, similar in size to those same cards. Think about the Raspberry Pi, a computer almost as small as a card, not quite! Yet!

The embedded secure element integrated inside our payment cards are being integrated into phones, bracelets, rings and things. The question; will they replace the card we are now comfortable with? Yes – maybe? Will we embrace these objects as the new carriers of our payment credentials? Many hope so.

In oder to think about the probability of cards disappearing, one must begin by think about the number of cards now in circulation. In round numbers we can think about 1.2 billion debit and credit cards, 300 million prepaid cards and 300 million retail branded cards. In round numbers, 1.8 billion payment cards. We next must think about our population and how many people now carry cards – 115 million households and 242 million Americans over the age of 16, according to a recent census. We now has a numerator and a set of denominators.

The question then becomes, how many payment cards does an American want to carry and how many payment credentials will an American end up having.

I would argue a debit card and a credit card is all we need to carry in our leather wallet, purse or pockets. Those other payment credentials can easily be accessed from wallets in the cloud or in our digital objects.

Merchants can integrate payment capabilities and focus on factoring their consumer receivables, behind relationships designed to service, thrill and sell. In an App and API enables economy, cards become a burden as the experience becomes the essential component of our lives.

Deciphering Digital – Your Phone is Your Wallet

Today Wednesday October 18, 2017. I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference.  Today, I was reminded of the reality that payments is not only about cards it is the engine that fuels the revenue of a financial institution.  ACH, Wires, Cards, checks, transfers and even cash are revenue earning services; our community banks call payments.

My speach was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.

IoT 2017 Payments Tuesday Afternoon

Continuing the learning and commentary

IoT Payments 2017 – Austin TX October 10th and 11th

Context-based payments

  • Security has always been an after thought as devices were deployed and solutions were developed. Security needs to be built in as a fundamental layer in these emerging IoT objects.
  • Growth in fraud in online payments is typically a result of the deployment of EMV.
  • As we think about Dash buttons and the myriad of other interfaces that can access a card on file style shopping and payment experience we must think anew about security.
  • What is context? Our digital footprint as we go through our daily lives.
  • The growing number of IoT devices can help to establish context, which can then be used as a fourth factor in an authentication scheme.
  • It is all about acquiring data and building a profile, your context.
  • What is the unique identifier that links all the objects to the individual.

Bridging the Security Gap

  • Brightsight a lab focused on security looking at both physical a logical security at both the operating system and application layer.
  • The IoT landscape is a world of objects where to goal is sell fast. No security has been built in and the attack surface is broad and wise.
  • The fear of who is able to access the vast array of data available through these connected devices.
  • Security is about managing risk. Risk evolves over time. Therefore security must evolve to stay ahead of the current level of risk – continuous improvement.
  • In the world of IoT who will define the security requirements and who shall pay becomes the key question.
  • We should consider using Common Criteria as a baseline for the security of IoT devices.
  • Bottom line – the implementation of security is all about the developer and the use of already certifies components e.g. Integrated Circuit and the Operating System.

The key to top of wallet

  • Changing our top of wallet card is not something we are driven to do.
  • So many sites drive to Card on File
  • The objects will end up with an embedded payment within
  • There is a hierarchy of needs
  • BASIC WANTS & NEEDS

  • MASS & PERMITTED RECOMMENDATION

  • SOCIAL & RELEVANT 1REFERRALS

  • ON-BEHALF

    As he speaks of On-behalf a document produced back in 1996 must be found

  • Will the IoT evolution increase consumption, Maybe?

Wearables 101

  • What is the connectivity
  • Where are the credentials stored
  • Is it a configurable device relative to which credentials
  • Types
  • Contactless cards and devices
    The mobile ecosystem introduces the token requestor

    A solid overview of the world of tokenization

  • The tap experience with a wearable is an interesting design experience.
  • A wearable is smaller and much more personal.
  • As seen from the payment networks
  • Like a card
  • Mobile device (secure element)
  • HCE
  • Wearable are in market today
  • Wearable are in market today

Risk Based Payment Security

  • Beth took a walk through the history of payment acceptance
  • The Internet of Things creates the tsunami effect on our world of risk. Both scary and empowering.
  • Risk is or was always about the balance between security and convenience.
  • Tokenization moves the authentication responsibility from the Issuer to the payment brand. In this case who has the responsibility in the event of. Has the threat of penetration moved to the payment brand.
  • The move to mobile devices as a result of the inherent transaction security to the registration and ID&V process.
  • Interoperability and security standards who controls? IoT is not a market. It is a collections of vertical and closed environments.
  • We need to agree on a common set of security values not necessarily on a common standard.
  • When we think about the wider question of the how and what of security. We need to think about the security of the device and the cloud. We need to remember it is also about the ability to spoof and acquirer the credentials of a user.
  • Security must be designed in from the beginning.

The day came to a close.

Tokenization and the search for Identification and Authentication

These two words began to fascinate me as I began to understand the value of cryptography while working through the goals we established when developing EMV and attempted to secure the payment credentials when used on the Internet.

With EMV we were trying to address the challenge of the fraud (an issuer cost) resulting from the ease of counterfeiting the token of the token which was a token of a token already.

This last broken token is the magnetic stripe on the payment card.

The payment card, in and of itself, is a token. An instrument imbued with physical security features e.g. the hologram and signature panel. Security features the merchant is supposed to check when attempting to allow a buyer, the consumer, to use the payment credential associated with the card to make payment for good and services.

The PAN is just a unique number, another token. This unique number is simply the index, The identifier within the payment credentials, which associates the payment with the underlining source of funds.

The source of funds, the PAN or Token pointing to, is then either a line of credit, prepaid balance or bank account.

The card, the hologram, the magnetic stripe and the printed security features and the PAN had reached the end of their useful life, as security features or tokens. The criminal knew how to compromise the card and associated static data.

As we entered the 90’s, the card as the carrier of the payment credential, with those physical security features, was longer a means of Authentication. These layers of authentication had been compromised. In other words the token was broken!

To address this concern, in 1993 the founders of EMV embraced the chip card and its Cryptographic capabilities. In particular, the use of symmetric and asymmetric algorithms to provide a new set of tokens the merchants (asymmetric) and Issuer (symmetric) could use to Authenticate the unique carrier of the payment credential – the token – the chip card.

On the Internet the challenge is different. The physical features of the card are not easily accessible, hence useless. In 1993, when WWW became the thing of conferences, everyone said lets think of the internet in the same way we allow merchants to sell stuff via mail and telephone. Everyone simply decided and agreed to exploit the acceptance rules agreed on for those other virtual environment, the phone and the mail.

Bottom line, in the world of mail order / telephone order and now a browser; merchant simply agrees to accept the cost of fraud, given the CARD is NOT PRESENT. Worse still how do they prove the right cardholder in present?. For the merchant, given the potential of the Internet, it is was a small price to pay.

Everyone simply accepted that be capturing the data embossed on the front (PAN, expiry date and cardholder name) and the CVV printed on the back of the card and, in some cases, using the power of AVS “Address Verification Service” a modicum of security could be factored in. At least for a time!

SET “Secure Electronic Transactions”, a cryptographic mechanism Visa and MasterCard cooked up, was developed circa 1995-1996 and deployment was attempted. The challenge, the limitations of the then deployed technologies and the inability to provide a reasonably convenient user interface. The problem begins with loading payment credentials into the browser and more importantly figuring out how to use them when shopping.

A set of great ideas foiled by convenience.

Next came 3D-Secure, an invention of Visa. This time the idea was to exploit the power of passwords and secret questions to authenticate the user.

Nice idea, well thought out; but, unfortunately not designed with the consumer in mind.

Another feeble failed attempt to develop a mechanism to authenticate the buyer. Or better put, solve the dilemma the New Yorker so aptly described

“On the Internet nobody knows your a dog”.

All this begs the question – how will we secure payments on the Internet?

3D-Secure 2.0, maybe? Or maybe W3C and the FIDO Alliance have the answer in what is called WebAuthN.

To address this question we must begin by defining the problem.

When we think about payments and we think about shopping on the internet it is all about someone or something {read issuer} agreeing that the consumer will make good on the promise to pay and therefore the issuer is willing to guarantee payment towards the merchant. The challenge, how do we confirm it is the legitimate person seeking to pay with their means of payment.

In other spheres of endeavour it’s about granting access to someplace or some website. In the physical world we have a key that we can insert into the lock or a security device {card} we can insert or tap on a reader programmed to recognize our credential and allow us access.

On the Internet the use of a physical card with physical security features, numbers, letters and a magnetic stripe was not feasible. Instead, we ended up employing user names and passwords. The user name – a unique identifier and the password, a secret, support the identification of the person using the browser or connected device, from somewhere out there.

If we could each create and remember complex secrets, these cumbersome things call passwords. And, more importantly, never share them with nefarious individuals seeking to take advantage of our naiveté. All would be at peace in the world of security and convenience. The problem is expecting you and I to remember the myriad of complex passwords and not get tricked into sharing our secrets.

Is there an answer, I believe so and at Money 2020 October 25 we will be discussing this very topic. Wednesday Morning at 8:30 in the Titian room at The Venetian in Las Vegas on Level 2, join us as we discuss Identity is Fundamental: What You Need to Know About Identity & The Future of Money.

Philip Andreae & Associates is Open for Business

With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.

In the News as the Vice President of Oberthur Technologies

Oberthur Technology seeks to educate and support the migration to EMV

 

 

An Interview with George Peabody of Glenbrook

 

 

From a merchant perspective Oberthur offers thoughts for consideration

 

Healthcare is in need of secure authentication an Interview with Karen Webster

 

 

An Article published by Pymnts.com as we consider the last days before the migration

 

 

Digital Identity is what we require to secure our world an interview with Karen Webster

 

 

W3C and the WebCrypto Working group considering payments and Same Origin Policy

 

 

Why EMV and Why Now with Pymtns.com

 

 

A Founders of EMV’s view of the US migration to EMV

 

 

Understanding EMV in Our Digital Future an interview with Karen Webster

 

 

Counting Down to the migration to EMV

 

 

The ABCs of EMV

 

 

An interview with the Atlanta Constitution

 

Interchange fact, fiction and myths

Interchange a word that describes a method that allows cars and truck to move from one road to another. Interchange a
word that describes the exchange of ideas or data between two or more individuals. Interchange a fee paid to an Issuer of a payment card.

It is this third definition that this blog will explore.  A fee or income paid to an Issuer of a payment card.

Some would call it a tax on merchants.  Merchants who wish to sell products and services to individuals and corporations who wish to pay with moneys loaned to them by a financial institution (credit card) or held on deposit by a financial institution (debit card and pre-paid card). Wikipedia offers the following; Http://en.wikipedia.org/wiki/Interchange_fee.  To add to this sound Wikipedia definition, I offer a little story of how Interchange was described to me was a way of helping people appreciate the way interchange has changed over the years.

In 1991 I joined EPSS, a technology company then owned by Eurocard International (50%), Eurocheque International (35%) and MasterCard International (15%). EPSS or European Payment System Services ran and managed a set of technologies designed to support the authorization, clearing and settlement of payment transactions initiated by a payment card being presented to a merchant. We supported both credit and debit card transaction and would when they emerged also supported pre-paid card transactions.

As part of the settlement process we calculated and assured acquirers (merchant bank service provider) were paid, less interchange and scheme fees, for those payment card transactions they had submitted on behalf of the merchants they serviced. Therefore understanding and assuring the accuracy of these calculations were essential to assuring the successful operation of those systems we managed.

In the first few weeks of starting, general counsel sat me down and described Interchange. What I learned is that on a biannual basis we hired a consulting firm, Edgar Dunn; to conduct an anonymous survey of the member organizations, the banks that issued credit cards.  Their role was to ascertain what it cost the issuers to support the processing of payment card transactions.  Three elements were key to these calculations:

  • Cost of Carry – The interest charge or income the bank had to pay or forego in order to to fund payment card transactions conducted on the credit cards they issued to their customers.  This cost was calculated based on the reality that the issuing bank paid to payment network (MasterCard, Eurocard or Eurocheque) either immediately or within a few days of submission; and, the  fact that credit
    card charges are billed to the cardholder periodically.  This time between paying the merchant and the card holder paying their credti cards bill was assumed to be about 45 days.
  • Systems costs – The depreciation of assets and cost of operation of the systems necessary to process these payment card transactions.  These systems included those that authorize, in real time, payment card transactions and receive, each evening, the clearing transactions and reconcile the moneys the Issuer had to settle, daily, with the payment network.
  • Fraud costs – The loses the issuing bank incurred for payment card transactions where the consumer claimed they did not recognize the charge and the merchant proved that they had accepted the card and followed all the rules and procedures associated with the acceptance of that brand of payment card.

Our consultant then would amalgamate all the data they collected from the issuing members and submit a recommendation of what interchange should be for the next two years.  These recommendations recognized that interchange must vary based on two key characteristic:

  1. Location of Merchant and home country of cardholder
    1. Global
    2. Regional
    3. Domestic
  2. Nature of transaction
    1. Card present and electronically read
    2. Card present and paper voucher with card imprint
    3. Card Not Present (mail order telephone order and in time eCommerce)

We then discussed how the Issuer earned income from payment cards.  I learned; yes for those efficient issuers there were profits, whereas for inefficient issuer they might actual lose money. Bottom line the calculation was designed not to create profits.  It was designed to cover cost.

Management then took these recommendations to their board to seek approval.  At this stage the boards where a balance view with both the issuing and acquirering institutions represented.  Unlike today when it is fundamentally the Issuers that sit on these boards.

In 2002 I joined Visa and again was asked to visit with general counsel to make sure I understood what interchange was.  My first statement was that I understood and explained what I had been taught all those years ago.  I was informed that although I understood the foundation, things had changed.  Two additional components had been added to the calculation and moreover instead of being limited to a few easy to understand categories, the structure of interchange has been MADE complex.

While it still was calculated through the use of anonymous survey of issuers, interchange now included:

  • Rewards – this was meant to cover the cost of the reward programs Issuers used to entice cardholders to adopt a particular card product.
  • A Reasonable Profit

As to the characteristics used to identify what interchange fee would be earned by the issuer, the original two categories of transaction location and the presence of the card continued.  Yet now to complication matters  two new ones were added:

  1. Type of card – In order to justify the addition of the cost of rewards into the formula the payment network attempted to sell merchants
    on the idea that corporate cards and premium “Gold” cards where used by people or organizations who would be more loyal, spend more hence more valuable customers for the merchant.
  2. Merchant size and category – This distinction was driven by the reality that certain merchant categories are prone to fraud.  But more importantly, certain merchant segments where essential to the expansion of card usage and were known to sue or complain about the cost of interchange.

Interchange had morphed from a cost recovery mechanism to a complex formula that takes into consideration the complexity of the payment ecosystem and a source of revenue  to financial institutions.

With all this change there are also challenges.  With only two global “4 party” payment brands (Visa and MasterCard) regulators, merchants and politicians seek to manage and control interchange.  Words like monopolistic powers are used to describe the way interchange is calculated.   Therefore you find lobbyist speaking on behalf of merchants, arguing these fees create excessive profits for the issuer.  You here people complaining that the fees and the rules not allowing them to charge consumers for the use of these more expensive payment products, ends up that interchange simply gets embedded into the cost of sale and cash paying customers are seen to be subsidizing card paying customer.

As a prime example Wal-Mart and a consortium of merchants, banded together and successfully won an argument against both Visa and MasterCard. They argued that interchange associated with debit cards processed through the credit card networks should not be the same as credit card interchange given that the cost of carry was near euro.  When all was said and done  3 billion dollar was paid by the payment networks to the merchants and their lawyers.

The Australian Central Bank also decided to regulate interchange, although the benefit a reduction in the price did not occur thus the perceived benefit to the consumer was not achieved.  Currently the European Union continues to evaluate interchange with the argument that domestic and regional interchange must be the same and that monopolistic powers are used to manage interchange.

Here in the United States Senator Durbin succeeds in imposing significant change to debit interchange.

Interchange will continue to be scrutinizes.  My hope, let us return to original definition of interchange and focus on being a mechanism designed to simply cover the issuers’ cost of processing payment transaction and offer a reasonable profit for their efforts.

Let the issuer earn the core of their income through revolving Interest charges, annual card fees and other services paid for by their customer the Cardholder.  Why should the merchant subsidize the rewards offered to entice cardholders to take an issuers product without also garnering a demonstrable increase in sales?