The Future of How We Pay: What You Need to Know
How often do you think about the credit cards and debit cards in your pocket, or the banking app on your phone, and consider how they could be better — faster, more secure, and more convenient? Chances are, with names like Apple Pay and Square in the headlines, constant press over the latest security breach in a giant retailer’s point-of-sale system, or an upcoming shift to EMV technology in the news, you’ve given it at least a passing thought.
But the payments industry isn’t a tech topic that people follow with the same interest they have in the best new mobile apps, the latest patent Apple’s been granted, or the useful gadgets that are new to the market. So what do consumers need to know about where the payments industry is going? What are the problems with our current payment methods? What alternatives are available now, and what else will be available in the near future?
Are there new retail models that aren’t yet on the general consumer’s radar? Which innovations have proven successful, and which have yet to prove themselves? How soon will technology be able to replace your wallet? When will the average consumer think that technology can really replace their wallet? How will new payment methods improve security, and what can you do to protect your data? Read on to find the answers to all of these questions and more, and learn about the perspectives of the experts we interviewed on the present and future state of how we pay.
What changes is the payments industry undergoing right now?
Digital wallets are an established and resounding success, and consumers are beginning to become aware of mobile wallets and all of their options to make payments and purchases from their smartphones. Apple has announced its own mobile payments tool, Apple Pay, and added near-field communications technology to its newest iPhones and its first wearable, the Apple Watch. But one of the biggest changes expected to push the payments industry forward is actually a shift that’s born out of one of its biggest problems: the disturbing regularity with which large-scale data breaches put consumers’ card data at risk at major U.S. retailers.
The data that we share when we swipe our credit cards or debit cards is so insecure because the U.S. is the last major market to hold on to the system of swiping a credit card at the retailer’s point-of-sale, or POS, system when we make a purchase. The Wall Street Journal reports that nearly half of the world’s credit card fraud occurs in the U.S., even though the country accounts for only a quarter of all credit card transactions.
So by October 2015, retailers and card issuers will need to transition to a new technology, where a store’s POS system will read a microchip on your credit card, not a magnetic stripe. That means that consumers won’t swipe their cards anymore, but will instead insert the card into a slot where the machine can read the chip.
But more importantly, it means that the type of data breaches that have become all too common among big retailers will be much harder for hackers to carry out. If retailers don’t switch to POS systems that accept EMV cards by October 2015, then they will be liable for fraudulent transactions if the customer has a chip and pin card. The idea of that liability shift is to get card issuers and retailers to invest in the move to the more-secure EMV system simultaneously.
Of all of the changes hitting the payments industry right now, the shift to chip and pin cards illustrates most clearly that one of the biggest ways that technology benefits the ways we pay is by helping them become more secure (even though this particular standard is one that’s been available in Europe and Canada for years).
What do I need to know about digital wallets, mobile wallets, and mobile payments?
Simply put, a digital wallet enables you to pay securely online by linking your debit card or credit card data to your account. (Think PayPal, Amazon, Visa Checkout, or MasterCard MasterPass.) Mobile wallets are simply a mobile version of a digital wallet, and because they’re installed on your smartphone, you can take them with you to use when you’re shopping at brick-and-mortar stores.
I spoke with Nathalie Reinelt, an analyst at the Aite Group, to get her expert opinion on digital wallets and mobile payments, and how emerging technologies are going to affect the payments industry. She explained that mobile payment apps essentially bring the convenience of the digital wallet you would use to complete transactions on your computer to the checkout lane. But she noted that all of the options for mobile payments are new, and haven’t yet reached critical mass — unlike digital wallets, which have already proven successful.
A big consideration for consumers weighing their options will be the availability of each service. As she points out, PayPal’s mobile payments app can only be used at PayPal merchants, and Apple Pay will be available only to consumers who purchase a new iPhone or an Apple Watch.
“Starbucks has been the poster child for a well executed mobile payment strategy for quite some time, for a number of reasons: they offer consumer rewards, they are platform agnostic (e.g. iOS and Android), and their barcode technology is accepted at nearly every Starbucks location. So, consumers will generally have the same user experience no matter which location they are transacting and Starbucks continues to reward consumers for their repeat business. While Starbucks is a very unique use case, because coffee shops see a lot more return foot-traffic than say an electronics store would, it still proves that consumers don’t necessarily need the technology to be complicated, it just needs to be consistent and worthwhile.”
Since each of the mobile wallets currently available is limited in its implementation, the area is still in its infancy. As Yahoo News reported recently, market research firm eMarketer projects that a mainstream shift to mobile wallets is years away. The firm expects mobile wallet transactions to reach $27.47 billion in 2016, and then quadruple the following year to hit $118.01 billion in 2017. But the mobile payments platform unveiled last month by one Silicon Valley giant is expected to jumpstart awareness, if not adoption, of mobile wallets among general consumers.
What’s up with Apple Pay?
With the usual fanfare that surrounds any Apple announcement large or small — and this was admittedly a pretty big one — the tech community reacted to the September unveiling of Apple Pay with excitement, optimism, and skepticism. Apple itself has high hopes for the mobile payments platform, with the company marketing the service as a replacement for your wallet, made possible with NFC capability that’s new to Apple’s lineup.
Reinelt wrote in a post on LinkedIn that both NFC payments and the secure enclave — which Apple dubbed the Secure Element — have been a part of mobile payments for quite some time. Softcard — founded by AT&T, T-Mobile, and Verizon — announced its NFC-based mobile payments app in 2010, and Google announced its NFC-based Google Wallet in 2010. “Neither of which garnered the same level of media frenzy that Apple did when it announced Apple Pay,” Reinelt points out. She explains that Apple’s real innovation with Apple Pay is the system’s status as the first deployment of issuer tokenization, a security framework that was introduced by EMVCo earlier this year to cover emerging payment methods.
The framework enables payment networks to provision tokens on behalf of issuers to be stored in the secure element on the iPhone 6 or iPhone 6 Plus. The system transfers a single-use digital token for the POS system to decode using a shared secret, and the credit card data never leaves the secure element in the iPhone or Apple Watch. Reinelt explains that with the EMVCo framework, tokens are provisioned “at the point of capture,” when a card is added to Apple Pay.
That contrasts with merchant or acquirer tokenization, which tokenizes the payment card data only after the transaction has taken place. With issuer tokenization, the merchant never sees the full card data, so that data won’t be exposed by breaches in the merchant’s platforms. Neither Apple nor merchants will collect data, and even if the NFC communication is exposed, the stolen data is worthless to hackers, making tokenization a pretty good way to keep consumers’ payment data safe.
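The flow described above can be modelled in a few lines. This is an added illustration, not code from Apple, EMVCo, or the article: the class and function names are hypothetical, the card number is a constructed test value, and an HMAC over a transaction counter stands in for the single-use element of a real payment cryptogram.

```python
import hashlib
import hmac
import secrets


def _cryptogram(key, token, counter, amount_cents):
    """Per-transaction proof; HMAC-SHA256 is an assumed stand-in algorithm."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Payment-network side: the only place a token maps back to a card number."""

    def __init__(self):
        self._vault = {}  # token -> {"pan", "key", "last_counter"}

    def provision(self, pan):
        """Issue a token and device key when the card is added to the wallet."""
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key

    def authorize(self, payload):
        """Approve only a fresh, correctly signed payload for a known token."""
        entry = self._vault.get(payload["token"])
        if entry is None:
            return "declined: unknown token"
        expected = _cryptogram(entry["key"], payload["token"],
                               payload["counter"], payload["amount_cents"])
        if not hmac.compare_digest(expected, payload["cryptogram"]):
            return "declined: bad cryptogram"
        if payload["counter"] <= entry["last_counter"]:
            return "declined: replayed payload"
        entry["last_counter"] = payload["counter"]
        return "approved"


class Device:
    """Wallet side: holds the token and key, never the card number."""

    def __init__(self, token, key):
        self._token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        return {
            "token": self._token,
            "counter": self._counter,
            "amount_cents": amount_cents,
            "cryptogram": _cryptogram(self._key, self._token,
                                      self._counter, amount_cents),
        }


def demo():
    pan = "4111111111111111"  # constructed test card number
    network = TokenService()
    device = Device(*network.provision(pan))

    merchant_log = []  # everything the merchant's POS ever sees
    payload = device.pay(1250)
    merchant_log.append(dict(payload))
    first = network.authorize(payload)

    replay = network.authorize(merchant_log[0])  # captured copy re-sent as is
    tampered = dict(merchant_log[0], amount_cents=99999, counter=2)
    altered = network.authorize(tampered)        # captured copy edited

    pan_in_log = any(pan in str(v) for e in merchant_log for v in e.values())
    return first, replay, altered, pan_in_log
```

The merchant's log holds only the token and a spent cryptogram, so a copy of it authorizes nothing, which is the property the article attributes to issuer tokenization.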
Will tokenization become standard across the industry?
According to the heads of four major banks interviewed by The Daily Dot, it very well may. Randy Hopper, vice president of credit cards at Navy Federal, the U.S.’s largest credit union, says that tokenization could become a standard feature in banking, and told The Daily Dot:
“In the wake of all these large scale compromises [being hacked] — Target, Home Depot, UPS, among others — we want to devalue the payment information that is used to authenticate the payment experience in the environment today. Tokenization addresses all points of weakness across the payment system. We hope that this is a technology that proliferates over time, and I think Apple Pay is a great kickoff to making the payments system more secure from that perspective.”
Even though Apple Pay and its tokenization system are expected to be extremely secure, it’s impossible to rule out the possibility of some kind of hack or data breach (from a legal perspective, at least). So who would be responsible if hackers somehow accessed consumers’ payment data via Apple Pay? Among the banks that The Daily Dot spoke to, all said that the bank would be liable for Apple Pay purchases made with its credit or debit cards.
From banks’ perspective, tokenization provides enough security that they can offer the same protections that they do with a regular credit card. But again, while Apple Pay’s use of tokenization is a step forward for the industry and a big benefit to consumers willing to pay for a new iPhone or Apple Watch, it’s not a universal solution.
What about a universal mobile payments platform? When is that coming?
While many companies have aspired to build a mobile payments platform that would be adopted by a wide cross-section of consumers, there’s one group that might get a little closer to that goal than the rest. The Merchant Customer Exchange is expected to launch its CurrentC mobile wallet in 2015, at more than 110,000 retail locations of the many large retailers that back the network, such as Best Buy, Target, and Walmart.
The app will apply qualifying offers, rewards, and memberships, and offer payment options based on the accounts that are connected. CurrentC will be available as an Android and iOS app, and will reportedly use QR codes generated by the smartphone instead of the near field communication (or NFC) technology that powers Apple Pay and Google Wallet. Reinelt explains:
“Although MCX has been holding their cards very close to the vest, our understanding is that its yet to be released mobile payment solution, CurrentC, will be using QR code/barcode technology and incentivize consumers with offers and rewards. Given Starbucks’ success, this approach could very well resonate with consumers once MCX launches their app.”
CurrentC will work with most existing point of sale systems — plus consumers’ smartphones — and will use a token to complete transactions, instead of passing actual card data between the user, the merchant, and the financial institution. The app is also passcode protected, and every transaction is guarded by a paycode that’s unique to each purchase. Additionally, consumers’ information is stored in MCX’s “highly encrypted” cloud, not on their smartphones.
Are there other retail models and payment methods we haven’t discussed?
You would think that between online transactions and in-store transactions, everyone in the payments industry would have enough to keep track of. But there’s another option to watch, and it combines the two to offer consumers and retailers options for what marketers call “omnichannel” commerce. As USA TODAY reports, more and more consumers and retailers have embraced omnichannel retail, as shoppers become comfortable researching products and making purchases using a combination of devices, online platforms, and brick-and-mortar stores.
More than two-thirds of shoppers can be considered omnichannel consumers, and online shopping is projected to play an increasingly important role not only in the way that consumers make their purchases, but also in the way that they plan what purchases they’re going to make. Retailers are poised to take advantage of that shift. Staples has rolled out a program that offers same-day in-store pickup for online orders, and stores like Target and Walmart already offer in-store pickup options for online orders.
I spoke to Gregg Aamoth, former vice president of customer marketing systems and privacy officer for Macy’s and co-founder of a new venture called POPcodes — a company that will take omnichannel retail a step further and create a better experience both for consumers and retailers. POPcodes is launching a system that separates the payment and redemption parts of a transaction to enable consumers to find and purchase products online, and then pick them up in-store. Aamoth explains the rationale:
“We really think that consumers like shopping online. They like looking at things online, and they love buying things in store. If we can help them and the retailer with a quick and easy and safe way to do something online and finish it in store, I think it’s going to be a win for those parties.”
When retailers configure their online systems to work with the POPcodes system, customers will be able to make a purchase online and pick up their merchandise in a local brick-and-mortar store. But unlike many systems that already allow consumers to reserve a purchase online, POPcodes won’t require users to swipe their debit card or credit card in store. Instead, they’ll pay online through the secure and encrypted transaction system that retailers already have in place. Aamoth explains:
“And then from that point, from when you hit ‘enter’ through the whole authorization process, your credit card data is protected by that encryption. We make it easy for consumers to buy online, and benefit from that secure authorization process, and pick up their purchases in-store using their phone number instead of the credit card.”
He notes that online transaction systems use HTTPS, so that the browser encrypts the data and the process has end-to-end encryption built in. After the secure payment is completed, consumers will see a screen that asks if they’d like to create a proof of purchase (hence the POP in POPcodes). They’ll enter their phone number on that screen, receive a passcode for security purposes, and then reply to a text message — a process that will seem familiar to those who use security features like Apple’s two-factor authentication.
When they go to the store to pick up their purchase, the same payment terminal where the credit card would have been swiped will enable them to enter their phone number and passcode. Details of what they’ve bought get sent to the retailer for proof of purchase, and they don’t need their credit card to prove what they’ve paid for, so they avoid the risks inherent in swiping a card with the retailer’s POS system. That leads us to the biggest question of all: the security of the data that consumers share when they make a purchase.
Why are security breaches so common?
As we noted in our discussion of why the U.S. is finally migrating to EMV technology, hackers target U.S. retailers’ systems because they’re easy to hack. But why, exactly, are systems that rely on swiping a card so vulnerable? It all comes down to when your credit card data is and isn’t encrypted, and how well retailers’ systems are able to protect themselves.
As Aamoth breaks it down, you can think of POS systems as specialized personal computers. Malware, like the software behind the data breaches that have affected various retailers — including the software that caused the Target or Home Depot breaches, or more recently the Backoff malware that compromised Dairy Queen’s systems — takes advantage of the inner workings of the operating system and the utilities used to maintain it. Malware uses remote admin systems to redirect data that’s going through the POS outside, to the hacker’s “playground.”
Aamoth characterizes Backoff, for example, as “another strain of the hundreds of millions of viruses out there,” one that’s specifically focused on point of sale systems and “taking advantage of the fact that on many POS systems, credit card data is collected in an unencrypted way.” He explains that when credit card data moves from the device where the card is swiped to the POS system, it’s not yet encrypted. It’s not until after it’s been transported to the POS that it gets encrypted, and then sent to the financial system for the authorization to take place.
While the window of time where the data is not encrypted is small, malicious software and the hackers behind it are still able to exploit it. “Until the U.S. retail and banking system goes chip and pin, this risk is going to remain.” While scares have catalyzed regulatory bodies, and legislation currently in place says that banking and retail systems must implement chip and pin technology, your data is at risk when you swipe a magnetic stripe card at a U.S. retailer.
How can retailers protect your data?
To retailers looking to protect themselves and their customers against malware scares and vulnerabilities, Aamoth says that his number one recommendation — “and that’s a fairly costly one,” he notes — is to use end-to-end encryption. In making that recommendation, Aamoth is advocating the same thing the regulatory bodies that oversee the payments industry have: implementing end-to-end encryption would require a transition to chip-and-pin cards and the systems that can process them. Since the technology embeds a microprocessor chip in a regular bank or credit card to store cardholder data, it keeps that data more secure than it would be on a magnetic stripe card.
Aamoth says that the next best alternative is to “very aggressively and frequently run the latest virus protection software on your system, and make that part of the day.” But even when retailers proactively update their software on each of their hundreds or thousands of point of sale devices, they still have the inherent flaw of virus detection software to contend with: the software is “always playing catchup,” where the software maker needs to find malware, and figure out how to identify and remove it. Aamoth points out that there is always a window where a virus or other malicious software could be running on a system — a window when “even the latest and greatest version of the virus software won’t be able to detect it.”
Aamoth also advocates the POPcodes approach of enabling customers to complete a secure transaction online and avoid swiping their cards with POS systems where their card data may be unencrypted, if only for a brief window. POPcodes is currently in beta, and Aamoth expects it to be available early in 2015. (He’ll be speaking more about the company at Money 2020 in November, where he hopes to “raise some eyebrows and gain some awareness.”) Merchants won’t need to change their systems to benefit from POPcodes, because POPcodes is able to connect to their existing online e-commerce systems and complete the transaction online without using customers’ credit card data.
What can you do to protect yourself?
If recent headlines haven’t made it clear enough, the point of sale systems that most retailers use are not very good at keeping consumers’ data safe. It’s important for consumers to know the risks, know how the system works, and know how much of their data is being exposed.
Aamoth notes that, “The consumer has the right to ask the retailer what they’ve done to secure their point of sale system … It’s something that retailers typically haven’t shared a lot of information on, but I think consumers should have the right to ask. The person at the checkout counter doesn’t know much, typically, about all the things happening behind the scenes.”
He notes that his credit card information was exposed during the Home Depot breach, and given the size of the exposure of the Backoff malware and other breaches, “lots of people should be concerned” and watching their credit card activity. He warns consumers: “Be aware of how your information is being used, and where it’s going.”
If you suspect that your data has been compromised, he explains that one way to spot that something’s amiss is to check your credit card for very small charges — typically a one-cent charge — that hackers place on a credit card to see if it’s live before they make a purchase with it. Small charges like these are a good indication that a card has been compromised. Consumers can also ask their credit card issuer to give them a card with a chip in it, but at many retailers in the U.S., the machine might not accept the chip, and they’ll need to swipe the card anyway — which defeats the purpose of obtaining a more secure card.
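The statement check described above can be automated. The following is an added example, not something from the article or from any card issuer: the statement lines and merchant names are constructed, and the one-dollar threshold and three-day follow-up window are assumptions chosen for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample statement (not real data): date, merchant, amount in dollars.
STATEMENT = """\
2014-10-01,CORNER GROCERY,54.12
2014-10-02,CITY TRANSIT,2.75
2014-10-03,CORNER GROCERY,0.89
2014-10-06,XQ-ONLINE SVC,0.01
2014-10-07,ELECTRONICS DEPOT,899.00
2014-10-12,CORNER GROCERY,31.40
"""


def parse_statement(text):
    """Return charges as dicts with amounts in integer cents, oldest first."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in an exported statement
        day, merchant, amount = row
        dollars, _, cents = amount.strip().partition(".")
        rows.append({
            "date": date.fromisoformat(day.strip()),
            "merchant": merchant.strip(),
            "cents": int(dollars) * 100 + int((cents + "00")[:2]),
        })
    return sorted(rows, key=lambda r: r["date"])


def find_test_charges(rows, max_cents=100, follow_days=3):
    """Flag tiny charges from merchants the card has never paid before.

    max_cents and follow_days are assumed defaults. Each finding also lists
    larger charges at other first-time merchants inside the follow-up window,
    since a test charge comes before the purchase it was checking for.
    """
    first_seen = {}
    for r in rows:
        first_seen.setdefault(r["merchant"], r["date"])

    seen = set()
    findings = []
    for i, r in enumerate(rows):
        if r["cents"] <= max_cents and r["merchant"] not in seen:
            window_end = r["date"] + timedelta(days=follow_days)
            followups = [
                n for n in rows[i + 1:]
                if n["date"] <= window_end
                and n["cents"] > max_cents
                and first_seen[n["merchant"]] >= r["date"]
            ]
            findings.append({"charge": r, "followups": followups})
        seen.add(r["merchant"])
    return findings
```

On the sample data, the 89-cent charge at a merchant already on the statement is ignored, while the one-cent charge from a first-time merchant is flagged together with the large purchase that follows it a day later.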
For consumers evaluating which digital wallets and mobile payments systems they want to use, the same warning to know how the system works and where your data is going applies. It’s also important to realize that most digital and mobile payments aren’t about replacing your credit card, they’re just giving you a different way to use it. As Reinelt explains it:
“It’s really all about convenience. Digital wallets are merely an extension of traditional forms of payments, not an alternative. Many platforms like to use the buzzword ‘disruptive,’ but the reality is that nearly all digital wallets and mobile payment apps use a credit or debit card as the funding source. All these products are doing is streamlining the checkout process for consumers and merchants alike.”
From tech-enabled innovations that are merely meant to create an easier online checkout process to those that enable you to make purchases with your smartphone to those that look to enhance the security that protects your data — or products that look to do all of the above — it’s an exciting time for companies that are redesigning the payments process.
For many consumers, these products won’t replace their wallets anytime soon. But for those who are enthusiastic about trying the latest tech, and willing to work out the gaps and imperfections themselves, an entirely new array of options is opening up. With innovation speeding up, more convenient, secure, and easier ways to pay are in our future — and that future isn’t very far away.