Month: July 2024

Barry Levett

CEO

According to Barclaycard contactless payments trends report 2024, over 93 per cent of sub-£100 transactions being completed across the UK last year were contactless. Some markets saw significant double digit growth in contactless payments in the last year. For example, the hotels, resorts and accommodation market saw 14.6 per cent growth in contactless transactions; while public transport contactless transactions volumes rose by 11.4 per cent. Take-aways and fast food transactions saw 14.9 per cent growth in the same 12 month period. The list goes on, and the volume of contactless transactions is only going one way.

Many of these transactions are enabled by the buyer’s smart phone – I’ll call this ‘m-commerce’.  Meanwhile, e-commerce penetration of total sales continues to grow rapidly as well. In the UK, 26.9 per cent of total retail sales were completed online in August 2023.

The rise of online spending is changing consumer habits. We are walking into less shops on the high street to do our purchasing. We are also not using physical banks or their ATMs nearly as much. Furthermore, particularly in younger age groups, people are not stepping out for the day with card-filled wallets at all! They want to load card details into an e-wallet such as Apple Pay and then use their smart phone or smart watch to pay. However, there are several card-related activities which still demand a trip to a shop or ATM. We think, these activities too can be carried out on the smart phone. Indeed, we are creating the technology solution for one issuer to enable this, today.

Let’s examine a couple of key examples of where card issuers are exploring ways to reduce friction still further right now:

Card activation

In the UK, we are all familiar with the card activation process right now. When you order a new debit or credit card, whether that be a replacement of an expired, damaged or compromised card; or after signing up with a new card issuer, you will increasingly receive that new card via the normal postal service.

However, that card then needs to be ‘activated’ by the person assigned to it, before they can use it to buy anything. Normally, that starts with calling or texting the number on the removable sticker placed across the front of the new card. At this point you will be able to use that new card to make an e-commerce payment within minutes.

Most card issuers also demand that to fully activate the card you have to take it to a merchant and buy something by sliding the new card into a payment terminal and putting your assigned PIN number in – thereby verifying you are the owner of that card. The alternative is to put that same card into an ATM, and again put the PIN number in to activate it.

Why is this process required? It’s a security measure: to activate the new card, the issuer must be sure that it has reached the intended recipient. The use of the correct PIN number proves that. Once the  issuer is able to verify that the card is in the right hands, they run a software ‘EMV script update’, normally via a payment terminal or ATM today, to fully activate that card for all digital transactions going forward.

Contactless transaction volume limits

Another problem is that some UK card issuers demand that as an additional security precaution, after a certain number of contactless card transactions, the physical card needs to be inserted into an ATM or POS terminal, at which time the card contactless counter is reset using EMV scripts. Normally, the card holder gets a prompt to insert their card into the terminal to complete a transaction – resetting that card’s transaction counter in the process.

This presents a real problem for someone using their card to tap in and out of the London Underground, for example. Most barriers don’t allow you to put the card into them to reset them. The customer is therefore forced to go to the ticket machine to buy a ticket. That’s inconvenient when you are in a hurry. With Mypinpad’s mobile solution, that card could be reset using the issuer’s mobile app rather than buying a physical travel ticket or going to a POS terminal.

EMV scripts in more detail

EMV scripts are stored, usually somewhere accessible to the system where a transaction is to be authorised. The script(s) will have a priority and must be applied in the order of the priority. The script(s) is added to the authorisation response and returned to the ATM or payments terminal device with the response. The terminal applies these scripts, in order if there are several, and completes the transaction. The scripts can be applied before completion of the transaction or after.

For example, Block Card or Block Application must be applied before completion; most others would be after completion. The result of the script processing and its success or not is then returned in the next transaction sent to the host. This response should be used to update the script management system and allow re-sending of scripts if this is needed.

The main EMV scripts used today are:

• Application Block and Unblock
• Card Block
• PIN Change or Unblock
• Update data, mainly increasing the LCOL (Lower Consecutive Offline Limit) and/or the UCOL (Upper Consecutive Offline Limit).

PIN number changes

So, if you want to change your PIN number – you really only have one place to go to do that today – your nearest ATM. However, what if you could activate your new card or change your PIN via your bank’s mobile app?

Mypinpad is already working with one issuer to enable both new card activation and PIN number changes via their mobile banking app. We can do it because not only do we have the right security credentials, as certified by a security lab, but we also develop and certify our own kernels.   With this capability we can provide issuer scripting over contactless to allow, for example, a card activation or PIN number change.

Why is this likely to be useful now? Essentially, consumer behaviour studies on payments suggest that any barriers to getting live with a new card reduce its usage and therefore transaction volumes. We have all been issued with a new card which we have failed to activate immediately. We’ve just put it in our ‘valuables drawer’ and told ourselves we’ll activate it later…and then simply forgot to do so.

It is becoming increasingly clear that to drive up adoption of e-commerce and m-commerce, card issuers need to reduce the barriers to using their cards as much as possible – while at the same time continually strengthening the ‘card rails’ that I wrote about in my last article. Balancing iterative improvement of the user experience and reducing barriers to transacting, with keeping the consumer safe and their money secure remains just that – a balancing act for card issuers and paytech innovators alike.

Mypinpad has recently started working with one card issuer to implement card issuer ‘EMV script updates’ to enable new card activation and PIN changes to be completed on customers’ own devices via that issuer’s mobile apps. It seems likely that more will follow as barriers to online transacting continue to fall.

Barry Levett

CEO

This month I decided to take a look at threats to the card issuers’ dominance of the payments landscape and explore why the numbers of transactions underpinned by card rails still continues to rise.

Global rise of digital wallets

Anyone in the payments world cannot fail to spot the rise of digital wallet-based paying. In the UK alone in 2023 £72.5 billion of leisure, retail and hospitality spending went through digital wallets. E-wallets now account for 17 per cent of UK transactions in these markets and rising. According to Retail Economics by 2033 e-wallets’ share of UK transactions will more than double to 39.7 per cent, or £210 billion.

Transaction volume of M-Pesa – one of the largest mobile money e-wallet services in Africa – has also seen unrelenting growth in recent years and is now responsible for 26 billion transactions (in the year to 31 March 2023). M-Pesa, which is run by Vodafone and Kenyan telecommunications provider Safaricom, provides payment and financial services even if a customer has no access to a bank account or smart phone. Payments can be completed on a feature phone using the messaging protocol USSD (Unstructured Supplementary Service Data).

Perhaps the most successful adoption growth curve for e-wallets has been in China which seemed to skip an evolutionary payments step by moving from cash dominated transacting straight to rapid and enthusiastic e-wallet adoption. In 2023, wallet offerings Alipay and WeChat Pay dominated the Chinese digital payments market – nearly 90 per cent of China’s online payment users used one or other of these platforms in the last 12 months.

Then there is the rise of the ‘super apps’ like Grab which are a strong competitor to Uber throughout South East Asia. Grab offers GrabPay which is its own wallet offering for buying Grab rides, take away food deliveries and more. GrabPay reported revenue of $653 million in the fourth quarter of 2023 as this NASDAQ-listed business continues to grow like topsy. GrabPay is now the most popular e-wallet where I live in Singapore – it has a 35.3 per cent market share here.

Account-to-Account payments also on the rise

Account-to-Account (A2A) payments are another growing area which, on the face of it, seem to threaten the dominance of card-based paying. A2A systems offer to move money directly from a payer’s bank account to a payee’s bank account without the need for intermediaries, such as credit or debit cards.

However, for retail transactions there are currently limited options for using A2A payments. Some providers have started offering A2A payment systems for some online stores. This has been helped by the introduction of open banking, which allows people and businesses to link their accounts with a third party offering payment services – providing a secure and cost-effective open banking can facilitate account-to-account payments for retail transactions and compete with card systems. These A2A offerings are multi-bank and in some cases they identify the bank account for receipt of the money via a mobile phone number rather than the account itself (which often remains hidden from the payer). This feels like an additional layer of security there.

However, as of today, if it turns out you have paid the wrong person – perhaps you got one digit wrong in the mobile number or you were scammed – you cannot reverse or nullify a A2A transaction. You can go to your bank and ask for them to work with the payee to recover the money. However, if he or she has already spent it then there is no simple protocol for redress.

In A2A, unwinding a transaction cannot be assured, unlike for card rails-based payments which have built in protocols for cancelling or even reversing a transaction before any money moves – either for a technical reason (e.g. the network went down midway through), or by the merchant to correct an error by the merchant, such as mistyping the transaction value.

Closed loop versus open loop payments

Closed loop e-wallets enable you to move money from one e-wallet to another. However, they offer clear limitations when it comes to transacting across country borders (in Europe, Asia and elsewhere). This is because closed loop operators tend to be nationally orientated, rather than global. The standards and communications protocols they use for transacting very often do not work as soon as you cross a border or move to a different mobile operator.

By contrast, GrabPay (like the majority of e-wallet market players today) relies on linkage to your credit or debit card for top ups prior to payments. In the jargon, it is an open loop e-wallet. According to recent market data, open-loop e-wallets account for approximately 60 per cent of the total e-wallet market in terms of both active wallets and volume of transactions. Apple Pay and Google Pay are the largest players in the open-loop e-wallet market, accounting for about 20 per cent and 30 per cent respectively in terms of active wallets and volume of transactions.

So, in fact six out of every 10 digital wallet-initiated transactions are enabled by card rails in the background and use the payments infrastructure that is regulated by the Payment Card Industry Data Security Standard (PCI-DSS) and secured using EMV, the ubiquitous payment method based on a technical standard for smart payment cards, payment terminals and ATMs which can accept them.

Card based transactions and card numbers are also continuing to grow rapidly

Herein lies a clue to the continue inexorable rise in the use of card-based payments even as e-wallet transacting sees major growth. The card issuers enable a big piece of the e-wallet market as well!

It perhaps explains why approximately 5.3 billion active credit cards and over 12 billion debit cards were in circulation worldwide by the end of last year – and these number just keep on rising! The monthly total value of transactions on UK-issued debit and credit cards increased by 13 per cent in the last year – rising from £73.9 million in January 2022 to £83.5 billion in January 2023. Globally, some 70 per cent of the $1.3 trillion of transactions in 2023 were still made using credit and debit cards, or cheques.

7 reasons why credit and debit card transacting is still growing strongly

1.Card Rails (the technology behind card transactions) is natively open loop:

In other words, if you have an AMEX, Discover, Mastercard or VISA debit or credit card you know you have the means to make payments all over the world, regardless of the consumer or merchant’s business or personal bank account and regardless of where that bank is based.

2. Customer experience is uniform

The customer experience, when paying with a debit or credit card, is uniform all over the world. So, even if the POS terminal is giving instructions in German or Chinese, most consumers can navigate pre-authorisation, tap to pay and/or PIN entry payment, often with the additional option to pay in the local currency or your home country’s currency, without even referring back to the merchant. The screens and layouts are extremely familiar, even if the language is not.

3. Card transactions are ubiquitous, versatile and extensible

It is worth remembering that pre-paid cards, as well as Mastercard, AMEX, Discover and VISA debit and credit cards, all run on the same card rails.

Even country-specific cards like Elo in Brazil, EFTPOS in Australia, and Rupay in India are built upon EMV standards developed decades ago. Mypinpad supports and enables transactions using all these cards and many more national players many of you will not have heard of. Card rails are ubiquitous and are in wide use globally.

4. Card rails has proven massive scalability and resilience

I gave you the numbers of debit and credit cards in use around the world. It is anticipated that before the end of this decade there is likely to rise further to more than 20 billion. That’ll be 2.5 bank cards for every man, woman and child on earth today. VISA and Mastercard are processing thousands of transactions every second of every day. The processing of these transactions is naturally distributed. All the issuers are effectively bearing the load together and contributing towards the maintenance of high levels of resilience in the global system. One issuer in one country may go down for a time but it never brings the whole system down.

However, if you have all your travel money stored in your e-wallet and that wallet’s technology platform fails, you have a big problem. By contrast, if your Mastercard debit card fails while you are trying to pay for your hotel bill abroad, you can always pull out a second card, perhaps a VISA credit card, and pay the bill with that.

5. New chip-based cards have tightened security at the hardware level

Chips on bank cards have very secure and widely understood rules which govern the interactions with those chips at a hardware level. Any security system which has a hardware as well as a software element to it, is always going to be more secure than a software-only solution.

Cards’ chip technology offers an additional authentication and encryption layer. The largest security element is that it ensures that it has not been cloned. It verifies that it is the original card and that the person using it is authorised to use it, whether authenticated via a PIN or not. Much like a well specified safe, if you attempt to break into that chip (to get into the keys inside it), you will destroy the card – making it impossible to read successfully.

6. Liability is well understood

When doing a card present transaction (i.e. using the physical card), the bearer of the liability and risk of fraud is well understood and agreed between all the parties involved, be they acquiring banks or issuers in various countries or national regulators.  If you do a chip-and-PIN transaction, liability passes to the cardholder for example, while in other cases the merchant carries that fraud risk.  Knowing who is liable when and where is vital especially with cross-border transactions.

7. Multi-layered payment terminal security

Even Mypinpad, which is a SoftPOS solution, uses the hardware security standard provided by both PCI and EMV for processing payments via terminals. So called PCI-PTS rules govern these terminal security requirements and ensure that this hardware is secure. EMV meanwhile certifies that vendors of all new payment terminals are interacting with all available cards in conformance with strict security standards at the hardware level.

There are three different levels to EMV certification to consider. Level 1 covers interaction with the chip and ensuring the NFC capability is working properly for tap to pay. Level 2 covers certification of the embedded logic kernels. For example, Mypinpad builds contactless kernels which have to pass EMV Level 2 Certification before being offered to our customers. Level 3 covers how the terminals interact with the network and that is done per scheme. Each issuer has slightly different requirements at this level. We build kernels for multiple schemes including the international ones (Visa, Mastercard, Amex etc) as well as local schemes (Rupay, EFTPOS, Elo etc).

Card rails – which is the umbrella term for all this EMV and PCI-regulated security technology – is the pre-requisite. So, all terminals must be set up in a prescribed and highly secure manner. That’s why what we do is so difficult: we have to comply with multiple layers of security and compliance standards whilst also ensuring the customer experience remains familiar and easy wherever you are in the world. The trick is to do the application of card rails security systems very efficiently in order to avoid compromising customer experience.

SoftPOS built on card rails ensures seamless & ubiquitous user experience globally

In summary, we’ve analysed that the hardware and software-based security standards governed by PCI and, in some cases certified by EMV, collectively called ‘card rails’; provide an exceptionally mature, multi-layered security infrastructure designed to protect both customers and merchants alike. That infrastructure enables us all to transact in a seamless and increasingly contactless manner in the blink of an eye, while giving us the peace of mind that if something goes wrong we can get our money back and start again.

Card rails provide the security standards upon which SoftPOS providers like Mypinpad must enable that rapid, familiar and frictionless customer experience when consumers reach a merchant’s card terminal. It is our job to make sure that there is no faffing, no fiddling with your mobile device and no delay in completing every digital transaction. User experience at the terminal, increasingly enabled by a personal mobile device, is at the heart of card schemes’ continued and growing appeal.

We’ve learnt that the world has spoken and open loop payment systems are what consumers want, whether that’s via physical cards, or open-loop e-wallets which still rely on card rails.