I didn’t leave my heart in San Francisco…

…but something far more valuable. So for this post to make sense, you ought to read my last 2 posts, about my experience of using my credit card in the US. The first talked about the customer experience, and how varied it was. Some of the quirks were allegedly to improve security, yet offered no perceivable additional security. When asked, the retailers I spoke to saw EMV as offering no better security and a worse customer experience. The second was noting that many of the threads around card fraud led to the US – either cards being skimmed there, or card details from around the world ending up in the US, where just the mag stripe is required.

Saturday morning I got a call on my mobile. I’ll write another post later about this and how banks tell you to be careful about highly professional looking phishing scams… and then contact you in ways that look like amateur phishing scams! The point of the call was… to say my card details have been skimmed, as they assumed I hadn’t spent a lot of money in person at an art shop in India. Actually, given I had been using my PIN in a terminal 5 miles from my house, in a shop I go in most Saturdays, about 20 mins before that transaction, I was rather shocked by the fact that they’d authorised it anyway even though it was highly unlikely it was me. And guess what? “Have you had to swipe your card recently? That’s probably where they got the details.” Yes, reader – in almost all certainty, stolen whilst I was in the US. If only they had full EMV, then this almost certainly wouldn’t have happened.

What do we want? EMV! Where do we want it? Over there!

In my last post, I talked about the experience of using my credit card in the US, and just how inconsistent it feels. Some of it was undoubtedly tied to security – using photo ID or entering zip codes – though I’m far from convinced that they provided any security at all. In some conversations we’ve had, there has been a feeling that US fraud is actually manageable at an industry level – a belief that they are in line with or better than many other countries. Yet the recent figures from Nilson seem to paint a very different picture. Whilst accounting for 21.4% or $6.187 trillion of total volume last year, the US accounted for 48.2% or $7.86 billion of gross losses worldwide on plastic cards. Zil has – and will! – discuss the implementation of EMV at length with anyone, so I won’t discuss that here. What struck me was how ineffective the checks were currently. As a consumer (rather than a payments geek) it struck me:
  • Asking for zip code as authorisation seems pointless – if I’ve stolen a purse or wallet with cards in, I’m likely to have either the zip code already or have enough info to find it within seconds on the internet
  • Asking for a signature, yet not even checking it seems odd. Perhaps I have an honest face or perhaps the risk didn’t warrant the effort
  • Photo ID, at least for non-US, seems pointless. How many people can spot fake ID, or know what a, say, Latvian national ID card looks like?
Another thought that strikes me is that the figures probably hide some other issues too. Traditionally, a third of UK card fraud takes place overseas (in 2014, £150m of £479m). And given that most other countries have EMV, of that, the majority takes place in the US – it has been ranked the country with the highest losses every year for as long as I can find records for. I suspect the figure above does not include this. The volume of fraud then that could be cut by EMV in the US would seem to be even higher. Whilst I know it’s not that simple, the US “accounts” for over 5% of UK card fraud. Full EMV in the US wouldn’t reduce this to zero – but equally, even if it halved it in the top 10 countries which lose most to the US, the reduction in fraud would easily be in excess of £100m a year. Visitors to the US aren’t just wanting the experience to improve, they’re wanting to stop paying for fraud that takes place in the US as well.

Global acceptance doesn’t mean global experience

Zil wrote almost a year ago about his experience using a foreign card in the US. I’m just back from an extended stay in the US, and was really struck by how inconsistent the experience is for a consumer. Consider these variations I experienced, in just one day!
  • Check in at a hotel – swipe the card, pre-authorising a charge of $150 a day, no signature, no receipt
  • Pay at gas pump – different price for credit and cash, pre-authorised, required to enter zip code registered for card
  • Paying at till – card swiped, photo id, no signature, no receipt
  • Paying at till – card swiped, photo id, no signature, receipt only available by email
  • Paying at till – card swiped, no photo id, signature, standard receipt
  • Paying at table – card taken away out of sight, signature required, but no check on whether payment has been made before leaving the restaurant
And in no instance was the signature looked at, raising the question of what is the point of signing?! In one place I accidentally caught the enter button on the electronic pad before signing, and off it went, technically signed but with no signature – even that wasn’t challenged. Over the course of three weeks, there were several variations even on these options. Nor did they (arguably) relate to the cost or risk of the transaction – the lowest transaction (<$10) had the most thorough checks, but the restaurants (the most expensive, and where, ahem, you’re already in receipt of goods!) the least. To add to the confusion, it was almost funny to see the consternation that we split the bill with friends – x on this card, y on that please – something that is standard at least in the UK, but at least one restaurant claimed was both technically impossible and illegal. Compare this to the UK, and most other countries I travel to – you either tap (though rarely) or enter your pin, and in either case the card never leaves your sight. So – just two experiences arguably vs the US multitude. Being a geek (and with no shame, embarrassing my friends and family!), I asked, in just about the most unscientific survey ever, how they felt about EMV. Some hadn’t heard about it. Those who had felt it was going to put people off using cards because it was more difficult. To those of us in the rest of the world, this seems bizarre, particularly those of us who have gone through the experiences in the US. Then again, it’s understandable – human nature is often worried about any change and about the unknown. In addition to the messages about security benefits, we shouldn’t forget about the change management piece of the puzzle, and certainly not about taking the opportunity to see how the change could lead to improvements, particularly in customer experience.      

Another Look at the European Card Regulation Proposals

We already talked on this blog site about the latest proposals by the European Commission to regulate the cards business – see Gareth’s and my posts on this topic. However, I wanted to come back to a couple of points, namely:
  1. the decision to cap debit and credit interchange to 0.2% and 0.3% of the transaction amount respectively;
  2. the requirement to separate schemes from processing companies.

The Commission expects that the caps will cut total EU debit card fees from ~EUR4.8bn to EUR2.5bn and credit card fees from EUR5.7bn to EUR3.5bn. How big of a deal is it though? The answer is that the impact will vary hugely market-by-market. For example, in Germany average credit card rates stand at 1.8%, and given the country’s aversion to debt, most cardholders are “transactors”, i.e. usually pay their balances in full, so interchange is the main source of income for the issuers. Compare that to the UK where Visa’s credit card interchange rate for EMV cards is 0.77%, and while the number of “revolvers” (i.e. people who borrow on credit cards) and their outstanding balances have been declining, the revolvers still represent over 60% of all cardholders, making the issuers less reliant on interchange income.

For debit it gets even more interesting. While average debit card charges are 1.6% in Poland, many other countries already have low and flat (i.e. fixed irrespective of the amount) fees for their domestic debit transactions. For example, Visa dominates the debit market in the UK and its interchange fee for a debit transaction currently stands at £0.08. Given that the average UK debit card transaction is just over £45, it already works out as an effective rate of 0.18%, i.e. cheaper than the proposed cap. From the Durbin experience in the US, the proposed fee ceiling quickly became effectively the floor as well, i.e. most transactions were priced at the cap. If this were to happen in Europe, the fees on debit cards in many markets might actually increase! Of course, the EC hasn’t ruled out the possibility that it might decide to ban interchange fees on debit cards altogether, but we expect this to remain a prospect in the distant future.

The EC proposals also include a recommendation that ‘card schemes and the entities that process transactions’ be organizationally separated. It will be interesting to see the actual interpretation of this recommendation. A similar requirement is one of the fundamental tenets of the SEPA cards framework: “a scheme should implement a separation of SEPA card schemes’ brand governance and management from the operations that have to be performed by service providers and infrastructures without any possibility for cross-subsidisation.” Visa’s and MasterCard’s position has always been that they meet these requirements by not mandating their processing services and having separate pricing for scheme and processing services.

However, some commentators believe that this time the Commission might want to go further and impose legal separation of the schemes, processing assets and potentially even issuing and acquiring side of the business, which would have far reaching consequences to most players, from Visa/ MasterCard to American Express to local debit schemes to even banks. Given the lack of clarity in how this might be implemented so far, we expect a lot of lobbying on all sides in the coming months and years until the outcome is settled.

The Latest Assaults on Card Fees

I said last year that I can’t really take a summer vacation – too many things seem to happen in payments while I am away. This year was no different with many interesting stories to catch up with from new chiefs at MCX and Visa Europe to PayPal trying out check-in payments in the UK to the latest announcements from Isis (I will try to review those in a separate blog.) However, two big news items really caught my eye, both to do with further assaults by regulators on card interchange fees.

As Gareth already described in his blog, the European Commission confirmed its intentions to cap interchange fees across Europe to 0.2% for debit and 0.3% for credit. The enactment is expected to take one to three years for European Parliamentary approval and approval by a majority of EU member states. Caps will start applying to cross-border transactions two months after final approval and for domestic transactions after 24 months, so some of the caps could be introduced as early as late 2014. If and when this happens, it will have major repercussions to the industry – the banks will have to seriously question the viability of offering credit cards, are likely to be more open to experimenting with non card-based solutions (e.g. bank account), yet the merchants’ incentives to accept anything other than cards and card-based solutions would be seriously diminished, dampening the prospects of innovation and start-ups.

If the EC announcement was expected, the news from the US was anything but. While the industry was still getting to grips with the aftermath of the Durbin amendment, District Court Judge Richard Leon threw out the $0.21 debit interchange fee cap set by the Federal Reserve and suggested that the Fed should review and lower the cap further. If the cap went down to $0.12 or even lower, the banks would stand to lose another $4bn or more in revenue. The Judge’s decision also appears to impose more routing requirements than the Fed’s ruling did, which even in the original implementation turned out to be a big stumbling block for EMV. What will this latest turn of events do for EMV prospects in the US? If there is one thing certain, it is that it will only create more uncertainty for the industry, making the original dates for the liability shift even more difficult to achieve.

Of Eggs and Omelets – Interchange Legislation Recipe for Disaster?

On Wednesday, July 24th, the European Commission will publish 2 widely anticipated documents. The first is the PSD II, updating the existing PSD (Payment Services Directive). The second is a new piece of proposed legislation around interchange. Interchange in Europe has long been an area of focus for the Commission, with over 30 significant investigations in the last 15 years at either country or European level. Many of these have been very public and, perhaps, “personal”, with Visa and MasterCard receiving the majority of the attention. The interchange regulation therefore is anticipated with some trepidation as the Commission is seeking to draw a line under the investigations once and for all. Last week, the FT ran an article based on a leaked copy of a draft of the proposal. That draft contained a range of issues, but those that have grabbed the biggest share of attention are:
  • Domestic interchange rates for debit and credit to be capped at 0.2% and 0.3% respectively
  • Legal separation of schemes/networks and processors
A third, but now discounted, element was a belief that these rules also applied to 3-party schemes such as Amex. So what does this mean? Firstly, the devil will be in the detail. Those of us who’ve been round the block a few times will know that drafts usually get amended before publishing – the last draft of the New Legal Framework (the original name for the PSD) had over 200 amendments between draft and final version. Many of those changes were very minor, but when every word is pored over, those differences can be very important. Secondly, these are proposals for legislation. Based on the gestation time of the PSD, even with the political will to drive this through, this will take at least 5 years to come into force, and will not be exactly as published on Wednesday. If anything, this is probably the only thing that is certain in the whole process!

Some potentially significant impacts

A sweeping statement (because rates vary by country, category and negotiation), but my first back of the envelope estimate suggests that the majority of the credit card volume in Europe is currently at higher rates than the proposed cap. I also believe that there are significant numbers of debit cards subject to higher rates as well – the FT suggests that debit card interchange in Poland, for example, is 1.6%. When banks are already struggling with the economics of the card, this may result in consumers paying more for having a card, and potentially, using the card. At first glance, this may seem fair – the people who use it, pay for it. But what the proposal does not seem to allow for is the fact that it’s highly unlikely that the merchants will pass on those savings, plus there seems to be a suggestion that surcharging may be allowed. The customer could potentially lose out 3 times over. That in turn creates a “ripple” effect. Banks may not offer cards to everyone and/or customers may not use the cards. After all, these are choices both parties make.

At the same time, the economics of cards may have changed sufficiently that existing national debit card schemes decide to call it a day, and the economics of cards today had already killed off any chance of a home-grown debit card scheme. What we may find is that there is a move away from cards, to other payment types. As debit cards are seen as a form of electronic cash, cash is a likely winner, almost certainly not what the regulator wanted. And in certain countries, such as France, by focusing the legislation on cards, not interchange more broadly, we’ll see further growth in payment types where there are greater levels of interchange, such as cheques. Additionally, card issuers may focus on corporates going forward. Not only do they currently have greater levels of interchange already, they are not subject to the legislative proposals, plus they have much lower levels of fraud than consumer cards. In short, more money and for less risk.

Whilst I understand that the regulator wants to improve transparency for consumers, and to provide them with a better deal, I feel that this legislation is more likely to make things worse, not better. Whilst, as the saying goes, you have to break some eggs to make an omelet, the regulator would seem more interested in the egg breaking rather than a successful recipe. A great chef doesn’t use a recipe, and is willing to experiment and take risks. I think this is shaping up more for a recipe for disaster.

The Start of the Surcharging Era?

Do you feel annoyed when, having decided what to buy, you get to the checkout only to find out that the price has increased because the merchant slapped an extra fee for paying by card? I know I do. The card networks know that as well, which is why they have been insisting on a “no surcharge” rule – i.e. that the customer price should not be discriminated based on the choice of their payment method. The same product should cost the same irrespective of whether the customer chose to pay by credit card, debit card, check or cash.

The rule has not always been observed in practice, particularly in many European markets, sometimes against explicit regulations of card schemes. The European budget airlines are notorious for charging hefty fees (way above any conceivable processing costs or interchange) for the privilege of paying by card, whilst typically the only way to buy a ticket is online and the only way to pay is by card – a practice that attracted widespread criticism from consumer groups and other industry bodies. Surcharging is more prevalent online, although my local deli shop charges me £0.35 if I pay by card (debit or credit.) Many merchants in Denmark also surcharge.

However, the US merchants have so far been prohibited from surcharging. The first blow to the “same prices” principle in the US came from the Durbin amendment, which stipulated that the merchants could discount for cash or debit card purchases. Then, as a result of the credit card settlement, the US merchants got permission from the card networks to surcharge consumers using a credit card from January 27, 2013. It will be interesting to see how many merchants do take up their new right to surcharge. 10 of the US States limit surcharging by law: California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma and Texas, so a large national chain operating across multiple states may not be able to surcharge anyway.

To avoid a “free for all” situation, sensibly, the card networks introduced rules for how surcharging should be implemented in practice, such as asking the merchants to notify the networks of their plans to surcharge 30 days in advance, requiring them to clearly post signs in the stores to inform customers, and defining the surcharging limits. It remains to be seen how many merchants decide that surcharging is “worth the trouble.” Representatives from the National Retail Federation, a retail trade association, were quoted this week saying that “while there conceivably could be exceptions, merchants in general have no intention of surcharging.” That may be true. What did surprise me was another statement from NRF: “The lawsuit sought to bring down swipe fees and the prices paid by consumers, not to increase prices. The card companies’ new surcharging proposal runs 180 degrees counter to the intent of the lawsuit.” Now, I may have missed something, but I always thought that it was the merchants themselves who have long lobbied for their right to surcharge. Now that the settlement is in place, they seem to be implying that it’s the card networks who are forcing the surcharging on merchants. Are the networks “damned if they do, and damned if they don’t?”

Some Facts About Data Breach at Global Payments

Last Friday, the press began reporting about a major data breach at Global Payments, a large US card processor. As always in the early stages of such events, there were plenty of rumours and speculation with various sources reporting stolen card numbers to be as low as 50,000 or as high as 10 million. This morning, as I write this, Global Payments is holding a conference call to provide us all with more information. So, this is what we have directly from the company:
  • Up to 1.5m card records “may” have been affected;
  • The incident is contained to North America only;
  • Only Track 2 data has been taken (not Track 1 data and not customer name, address, etc.);
  • Visa removed Global Payments from a PCI compliance list;
  • The incident does not involve any merchants, ISOs or customers and occurred on some “local servers” at Global Payments;
  • Due to the ongoing federal investigation, the company can’t be specific about timelines, but did confirm that “about 3 weeks ago” it discovered that some card data “may have been taken” and immediately contacted federal law enforcement agencies and the schemes;
  • Customers are “encouraged to be vigilant”. Also, the company is setting up an information site for consumers which should be operational later today: http://www.2012infosecurityupdate.com/
The trading of Global Payments shares was suspended on Friday and the full impact on the company remains difficult to estimate at this stage. However, the executives on the call remained positive and stressed that the company:
  • Continues to process all card transactions, including Visa;
  • Is working with the schemes and other parties to address the situation; “~100 people are working on this”;
  • Intends to get its ROC (Record of Compliance) back “as soon as it is humanly possible”;
  • Will continue with its planned investments in other areas, but also will “spend even more on security” going forward;
  • Expects to come out stronger and more experienced as a result, and believes that their customers will recognise this.
Data breaches are unpleasant, dangerous and costly. They are also a fact of life. In our most recent payment trends report, we called out retail payments security as an important focus area for 2012. As the commerce environment gets more complex (online, offline, mobile, etc.) and as access points to payments proliferate, security issues are only getting more complex. What are your thoughts on how best to ensure payments security in the digital age?

The Battle For Transaction Rewards

Last week Zil Bareisis posted a great blog entry regarding American Express’ Tweet Your Way to Savings Program. It’s a mighty interesting concept and provides quick cash back rewards to cardholders. It raises a few relevant questions for me:
  1. Are social rewards a passing fad? While this Amex/Twitter hookup received a fair bit of attention is it going to stick? It reminds me of a SPG promo announced about a year ago that offered 250 Starwood points for every Foursquare checkin during a hotel stay. Being a regular traveller, I tried this a few times and received some bonus points. I’ve since totally forgotten about it, and I am a points junkie! I don’t have any hard stats but I’d wager that usage of this promo has dropped off. Will the Amex/Twitter offers follow the same fate? There are hard dollars and a larger number of merchants involved here (see list of Twitter offers here) so it’s a tad different.
  2. Do social rewards increase brand loyalty? Everyone likes a good deal these days but how much loyalty is this actually creating? Would you, for example, switch to McDonald’s from Burger King in order to cash in? Would this create additional loyalty towards Burger King?
  3. Will social rewards drive folks to regularly transact using Amex cards (over another payments vehicle)? There is a battle brewing between merchant rewards online banking solutions and American Express. As Zil noted, there are quite a number of vendors in this space. Cardlytics in particular has been successful at penetrating the large bank market and has also formed partnerships to deploy via Intuit and Fiserv. The Amex/Twitter program is a direct attack against online banking merchant rewards. It’s but a blow in what is going to be a drawn out battle to own the transaction.

There are lots of questions for the moment and not a lot of answers given the immaturity of this space. I welcome your thoughts and comments.

Holiday Cheers for Consumers from the UK Treasury

Just before the country stopped to celebrate Christmas, the UK Treasury announced that the government plans to ban the ‘excessive’ fees for card payments before the end of 2012. Essentially, this is a ban on card surcharging, i.e. fees that get added to the transaction if the person chooses to pay by card. Unfortunately, in Europe surcharging is quite widespread. When I was regularly travelling to Denmark, I used to pay a fee for pretty much all card transactions. Here in England, consumers rarely get charged by brick-and-mortar retailers, but are quite often hit by charges from online merchants, especially the airlines and various ticketing agencies. As a consumer, I find it really annoying, as these fees are not made transparent until late in the checkout process. So, you think you are getting a good price, only to find out that you’ve been slammed with an extra fee just to pay by card.

The surcharges have already come under scrutiny. Earlier this year, Which?, a consumer group, complained about the surcharges, which prompted an investigation by the Office of Fair Trading (OFT). The European Union also has approved the new rules giving the European shoppers more rights when returning goods or paying by card, but the rules are unlikely to be implemented until 2014. So, the latest announcement by the UK Treasury, expected to come into force by the end of 2012, is a welcome step towards limiting surcharging and increasing price transparency. It will be interesting to see how this will be implemented – what level will be deemed as “excessive”, how the compliance will be monitored and how any breaches will be penalised. There is a clear difference between a small mom-and-pop store charging £0.35 to recoup their additional cost of a card transaction and the likes of Ryanair, a so-called “budget” airline, charging £12 per person for booking a return flight.

The other question, of course, is that of the alternatives – at a physical store, I can perhaps pay cash to avoid card fees, whereas online, the card is often the only payment method available. The Office of Fair Trading report has been arguing that the fees should not be applied to at least debit cards, as they represent the equivalent of cash in the digital world. The Treasury’s proposal seems to go one step further and limit the fees to credit cards as well. Will it reduce the ultimate price consumers have to pay? Possibly not, as the retailers can easily just add today’s fees to tomorrow’s prices. Yet, it would be a big improvement, as consumers could more easily shop around and compare prices knowing that they wouldn’t be charged for the privilege of parting with their money. Given the background of all the gloomy reports about recession, rising unemployment and other bad news, the Treasury announcement should bring the holiday cheers to the UK consumers.