The Mobile Payment Conundrums: To Chip, To Store, To Bank?

Written by Evan Schuman
October 1st, 2009

The payment strategy struggles for Mobile-Commerce continue, with retail IT execs seeing the phone as a future “Get Out Of Interchange Jail Free” card in an elaborate game of Card Brand Payment Monopoly. Some see future secure chip-integrated phones as the answer, a way that moves payments away from Visa and MasterCard and permits a secure way to tap directly into a consumer’s bank account.

But retailers pursuing such a strategy might quickly discover that, with payment, when one door closes another opens—and it’s likely a trapdoor beneath your feet. For example, a secure route to bank accounts may indeed sidestep most—if not all—card fees for those mobile transactions. But it would also remove the liability shield that the brands’ zero-liability programs offer.

That’s potentially huge. Zero-liability programs are what have made massive data breaches at TJX and Hannaford—along with their less-publicized co-victims, including 7-Eleven, BJ’s Wholesale Club, Boston Market, Sports Authority, Dave & Buster’s, Target, J.C. Penney, Office Max, Barnes & Noble, Sports Authority, Forever 21 and DSW—impressively survivable; mainly because consumers suffered virtually no losses. That made customer abandonment non-existent, which preserved revenue and kept Wall Street happy. And in the absence of losses, class-action lawsuits against those retailers go virtually nowhere.

But if a major data breach hit a retailer and it allowed direct access to its customers’ bank accounts, a radically different result would be likely. The worst-case scenario is that customer bank accounts could be wiped out, with a mildly better case scenario being that their balances are only drained enough to bounce a bunch of checks. The prospect of losing an overwhelming majority of those customers is quite real. And then everything else dominos through, starting with plunging revenue as other consumers stay away and followed by a frowning stock market and class-action lawsuits that have a much better chance of being successful.

Still, interchange fee avoidance is tempting. Typical mobile purchases are likely to fall under the highest rate of card not present. But so many factors are unknown. What if the mobile purchase is consummated in-store? Will that make a rate difference? What if consumers buy—or are given by a retail chain—their own card swipes? What if banks approve those personal card swipes? Will that make phone purchases immune from CNP charges?

Phones that ship with payment chips embedded are still several years away—one Fortune 500 retail CIO said last week that his team is projecting three to five years away—and so much in payment and security can change in that time.

But Visa, MasterCard, American Express and the others have a lot at stake here, and it’s unlikely they’d surrender interchange without a huge fight. Even if you assume a very robust M-Commerce market five years from now—a truly viable assumption—there is still likely to be a huge (and most likely still dominant) in-store and E-Commerce space. That’s a pretty big bat for the card brands to use to pressure retailers to not push too hard on mobile.

Even worse, the telecom carriers and the phone hardware manufacturers are going to be pushing for lots of ways to make their money, too. It’s not out of the question that retailers could face the wrath of banks and brands but still manage to get out of mobile interchange costs, only to discover that the card payments were simply replaced with carrier payments. Would a chain rather be at the mercy of the humanitarians at AT&T or Visa? Now there’s a choice that’s just ripe for a week of sweat-soaked nightmares.


4 Comments | Read The Mobile Payment Conundrums: To Chip, To Store, To Bank?

  1. Sid Sidner Says:

    This is a great dose of reality. There is a reason that interchange fees are what they are – they’re worth it.

    Now, before you grab me and drag me around behind a car bumper, let me explain. A merchant may argue about whether merchant interchange fees are too high, but the value is not zero.

    First and foremost, your consumer’s demand it. Some merchants are willing to not accept payment cards, but most have decided that such a position just isn’t tenetable. Like it or not, the Brands have convinced consumers that they just can’t live without their {credit, debit, prepaid, payroll, loyalty, gift} cards, through a combination of convenience and incentives, like points.

    Second, a merchant doesn’t have to run their own credit program, like in the old days. These credit programs weren’t free.

    Third, in our global economy, I can travel to another country on pleasure or business, walk into a Starbucks, and use my local banks payment card, and do business. Remember traveler checks? Remember getting mugged in a back alley with a fat wad of cash in your pocket? Other forms of payment have a cost, too.

    I don’t want to sound like a shill for the Brands, but we must always remember that a payment card is both a technology and a way of doing business. It has value. The big question is, how much value?, and how is that value negotiated among issuers, consumers, merchants, acquirers and the networks?

    Ah, therein lies the rub…

  2. Dan Stiel Says:

    First, I’m not sure merchants want to get out of interchange costs. Merchants just want some sanity in the interchange pricing schemes.

    Yes, data security is paramount in M-commerce. The bad guys are out there and they want to steal your money. Anyone dealing with data has got to outsmart them. The opportunity for M-commerce is to build an entirely new encryption and authentication model that makes PCI look like the lock on your high school gym locker.

    If “zero-liability” promises for the consumer is the issue, then an examination of ACH regs and card network chargeback policies should put consumers (and retailers) worries at ease. Or, in other words, merchants and consumers are fundamentally no better – or worse – under either scenario.

    There is nothing stopping retailers using ACH to handle payments from offering their own “zero-liability” promise. Insuring against that risk is certainly cheaper than the fudge-factor built into interchange fees for zero-liability. Fraud is still just a few basis points of card volume, even for the data-compromised. With enhanced data security and authentication, it can remain low, if not go lower. Reg. E certainly applies in most ACH transactions.

    Under today’s network/PCI rules, the networks and their bank partners agressively seek damages from data-breached retailers. Merchants worried about the liability will be courted by well-capitalized insurance companies and merchant processors who would be happy to manage that risk on behalf of merchants for premiums that are a fraction of current interchange costs.

    If someone makes an “unauthorized” withdrawal from your bank account, the bank will make you whole. The law demands it, not the credit card networks. The Originating Deposit Financial Institution is the one who is on the hook for allowing an unscrupulous operator to conduct unauthorized ACH transactions.

    All ACH transactions between Originators and Receivers must be backed by valid authorizations. Authorization requirements differ for the various ACH transactions. While a verbal or other non-written form of authorization is permitted for consumer credit transactions, a written authorization form provides proper authorization for consumer debits. This authorization must be readily identifiable as a debit authorization, the terms must be clearly stated and procedures for revoking authorization must be explained. The authorization may specify that transactions will be for a fixed or variable amount.

    Of course, if you’re dumb enough to “give” permission to access your bank account to a scam-artist operating out of a third-world country or your neighbor’s kitchen, you may still be on the hook. Network rules operate the same way.

    Whether the loss is from a stolen account number because of a data breach at your neighborhood grocery store or because your next door neighbor’s kid bought “do-it-yourself” bank check stock from Office Depot, ACH regs do a reasonably good job at protecting consumers – and merchants.

  3. Evan Schuman Says:

    Editor’s Note: Dan, please allow me to clarify a point you addressed. You said “If someone makes an “unauthorized” withdrawal from your bank account, the bank will make you whole. The law demands it, not the credit card networks.” That’s very true. But they will EVENTUALLY reimburse the consumer. What happens to all of the bounced checks in the meantime? All of the insurance premiums and mortgages that can’t be paid in that meantime?
    If there is a credit card breach, the pain to the consumer can be minimized. If it hits the bank account, it’s a very different and more damaging situation. If the credit card bank needs two weeks to get a credit issued for a fraudulent charge, no problem. If the bank needs two weeks to replenish a bank account, it could be a huge problem.

  4. Howard Falcon Says:

    Interchange is not the issue it is the cost related to interchange. The banks and card associations are always looking for ways to make money and in the issueing of cards there is significant leway. Lets take MasterCard as an example. They must have 15 different World Cards and each may have up to 3 – 5 interchange levels. Now Why do they need to have so many card types and interchange levels? What is happening is that they come out with a new card and interchange set the pricing the same as another card for 6 months and change it. How many interchange levels are required. We now have over 400 of them. In regards to fraud and the cost of interchange, most fraud occurs from restaurants, yes more than internet transactions, yet restaurants get one of the lowest interchange rates. Try and prove that a corporate card / business card has more fraud per use than a generic card, don’t believe it. Anyone that loves the interchange system in its present form is definately a bank.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.