■ by Dave Fortney, Senior Vice President, National Unrecovered Financial Services

After many initial mobile payments “experiments,” the planets are starting to align with the recent launch of Apple Pay. Though significant changes in the payments ecosystem always take time, mobile payments have momentum and are poised for a major leap forward. I make this prediction with due hesitation, as much ink has been spilled over the past seven-plus years predicting the imminent rise of mobile payments. Yet, there’s a strong case that consumers and merchants are indeed ready to shift from plastic to mobile.

Challenges to financial institutions and their place in the system are coming on multiple fronts, and banks are meeting them by making significant investments in mobile payments. Many are developing their own mobile wallets while working to support the efforts of large technology companies like Apple and Google. Financial institutions are also playing an active and much-needed role in ensuring safety and soundness at the core of the mobile payment infrastructure.

Well-publicized data breaches have brought the need for greater security to the fore and have buttressed arguments in favor of replacing legacy magnetic stripe cards and swapping card numbers for tokens. For U.S. card issuers, a continued focus on long-term safety and security will be critical to the long-term viability of mobile payments.

The Allure of Mobile

In a very short period of time—the first iPhone was released in 2007—the popular culture of the United States has fundamentally changed in response to mobile access to email, texting, social networks, maps, music, video, information, and commerce. Mary Meeker noted, in the 2014 edition of her highly respected Internet Trends report, that the growth of smartphones over the past several years has outstripped that of any other technology (see Figure 1).1

Smartphones have changed what the average person expects to accomplish in a day by offering ways for us to relax, communicate, work, write, and even think. The devices never leave our side. Likewise, when we add payments to this intensely personal, constantly available, and powerful device, the nature of commerce will change profoundly. In the age of big data, the mobile device allows personalized marketing, tailored consumer experiences, and brand affinity in ways that were simply impossible a short time ago.

It’s no wonder that consumer technology companies, handset makers, payments networks, carriers, chipset makers, banks, app developers, and merchants all want a slice of the mobile payment pie. Some of the biggest names in corporate America have significant mobile payments aspirations, including Apple, Google, AT&T, Verizon, Walmart, Starbucks, and Amazon. Each of these players recognizes the potential of mobile wallets to change buying habits and forge new brand loyalties. More important, deploying a popular wallet provides the ability to act as a new “network” for both payment and related commerce initiatives.

Initial Successes and Failures

Interestingly enough, the payments themselves have not been the driving factor in initial mobile payments success stories. Uber, the much-lauded car service app, is a case in point. Consumers use Uber to virtually hail nearby cars, and after the ride, they thank the driver and get out of the car without an explicit payments interaction (see Figure 2). Uber uses a card on file to pay the driver. This payments disappearing act demonstrates the power of the mobile device to truly disrupt an industry. Uber is building a network of consumers and drivers so strong that it can charge 20 percent of the ride price for its share.2

With over 12 million users, and over 15 percent of U.S. revenues coming via mobile payments, many herald Starbucks as the biggest success story to date. Its simple barcode-based payment app combines closed-loop payments with Starbucks rewards to attract consumers who like the convenience as well as the ability to earn free coffee (see Figure 2). The stored-value payments capability could be extended to other merchants who want to share in the rewards or in the lower cost acceptance model, leveraging the valuable network of Starbucks consumers.

Like all industrial revolutions, mobile payments have had plenty of false starts and outright failures. For example, Google, PayPal, and Square have all deployed open-payment wallets, but none has gained traction with consumers, merchants, or banks. Google Wallet has seen multiple iterations, most recently utilizing a virtual Google prepaid MasterCard that fronts the transaction so that Google can gain access to the transaction data for deals and offers, while masking the consumer’s true payments card. PayPal’s mobile wallet, along with a branded PayPal card, attempts to expand PayPal’s online presence to point-of-sale by offering lower merchant acceptance costs. Square, which has found tremendous success mobile-enabling merchants, has been unable to parlay that success into a compelling consumer proposition and completely abandoned its initial Square Wallet product. Nevertheless, all three companies have demonstrated a commitment to dogged iterative innovation, and they will certainly be re-tooling their products in light of Apple Pay.

Telcos’ and Retailers’ Entry into Payments

The disruptive potential of mobile payments is not lost on major telecommunications companies and retailers; each of these industries has formed joint ventures to pursue mobile payments ecosystems that place their respective industries at the center. Softcard, recently rebranded from its unfortunate ISIS branding, is a joint venture of AT&T, Verizon, and T-Mobile announced in 2010 (see Figure 3). Softcard recently launched its model with a carrier-branded wallet app preloaded on smartphones, with the card provisioning process involving a fee to issuers. Due in part to the complexity and friction in its model, Softcard has witnessed tepid adoption by banks, and undisclosed consumer usage figures are presumed to be low.

Merchant Customer Exchange is a joint venture of 60-plus major retailers announced in 2012, and its product is expected to launch with a set of retailers later this year (see Figure 3). MCX’s ambitions extend beyond the mobile wallet to the payments network; MCX will be introducing a new network, branded CurrentC, bypassing traditional card networks and restricting consumers to store-branded cards, ACH/DDA payments, and perhaps one or two open-loop cards. The goal is to steer consumers into the merchant-preferred payment option, as well as to provide a platform for merchant offers that monetize valuable SKU-level data.

Achieving Scale

With false starts from the likes of Google and PayPal, unrealized ambitions of telcos and merchants, and lack of significant traction for dozens of startups, it is tempting to conclude that mobile payments will never take hold.

I am much more optimistic and submit that the actual lesson is that, with the needs to carefully balance customer and merchant value propositions and to win support from incumbents, payments is an enormously difficult market in which to achieve scale. Network effects require new entrants to address the classic two-sided market conundrum by simultaneously solving for consumer and merchant adoption. Ignition strategies are especially important, including how to attract an initial set of merchants in order to be relevant to consumers, while simultaneously attracting the initial consumers to incent merchants to invest resources in a new checkout option. Not to despair, however, as there are encouraging signs that both merchants and consumers are ready, and that standards such as Near Field Communications and tokenization will facilitate moving mobile payments to the mainstream.

The Resurgence of NFC

Near Field Communications (NFC) is a set of standards for mobile devices to establish radio communications to other devices in close proximity. NFC includes a contactless payments protocol and was first included in a commercially available mobile phone in 2006 by Nokia. It did not meet with much success and, combined with several other stalls, NFC had picked up the nickname “Not For Commerce.” The more recent inclusion of NFC capabilities in major smartphones such as Android and now iPhone 6 greatly increases the likelihood of consumer adoption. On the merchant enablement side, recent card data breaches have reinvigorated the U.S. adoption of EMV chip cards and terminals. EMV standards work in harmony with NFC, with NFC payments capabilities included in EMV-enabled point-of-sale terminals. This combination of consumer and merchant enablement represents a dramatic resurgence for NFC.

Despite this promising turn of events, there are still obstacles in the path to broad NFC adoption. Some retailers are turning off NFC capabilities in EMV point-of-sale systems, perhaps to steer customers to the MCX wallet, which reportedly will use QR codes for payment initiation. In smartphones, NFC capabilities are either under the control of the carrier (citing security concerns) or the device maker, in the case of Apple. In the most recent Android operating system, KitKat, a new capability called Host Card Emulation was introduced to open up NFC payments. This development is widely predicted to be a significant enabler for mobile payments, including bank-branded wallets, for Android devices. To address the security concerns, HCE payments will leverage tokenization rather than relying on live customer payment credentials.

It remains to be seen whether consumers care whether point-of-sale systems use NFC vs. QR or barcodes. Arguably NFC is much more convenient, with just a fingerprint touch and tap, than QR or barcodes that require an app. On the other hand, an app could provide a richer experience for the shopper by providing deals, offers, and other extras. Note that some are pursuing a multi-pronged approach. For instance, Apple included NFC in the iPhone 6 while continuing to pursue Bluetooth low energy and Wi-Fi approaches that could enrich the customer experience without requiring close proximity.

Safety & Soundness

Since news of the Target card heist in December 2013, the vulnerability of the magnetic stripe system to organized cybercrime has shaken consumer confidence. The banking and retail industry is responding with an acceleration of EMV rollouts, with Aite predicting that 70 percent of credit cards and 41 percent of debit cards will contain a chip by December 2015.3 EMV will vastly increase the security of plastic cards at point-of-sale, but it does not directly address the risks of using live customer payment credentials in e-commerce or mobile payments. In fact, experience around the globe suggests that EMV rollouts lead to increases in fraud in the less secure online channel.

Organized cybercrime has become so sophisticated that continuing to proliferate consumer card numbers in both mobile wallets and for online transactions is simply not viable. With the advent of mobile payments, it is time to rethink the way we secure transactions. The most obvious place to start is with the smartphone itself. An iPhone 5 has 240,000 times the computing power of the Voyager 1 spacecraft, which represented the height of sophistication when launched in 1977.4 The iPhone 5 is also faster than Apple’s best PowerBooks released in 2005. This much horsepower allows for advanced cryptography, device authentication, and special-purpose antennas, sensors and hardware for determining location, storing payment credentials, and using biometrics to authenticate authorized cardholders. There are multiple ways to tackle multi-factor authentication since the phone itself contains multiple unique IDs. Consumers can use their fingerprints and, if needed, a PIN or password. The phone provides options for security that simply didn’t exist previously.

To address the proliferation of live customer credentials, a technology called “tokenization” shows great promise. Tokens involve a simple mechanism replacing sensitive card data with a string of digits that can be used to initiate a particular payment transaction, but cannot be reused if intercepted by a cybercriminal in transit or stolen from the device using malware.

By rendering the payment information useless, tokens deter fraud before it happens. The process is seamless to the consumer as the process happens automatically and behind-the-scenes. Even the lifecycle management is handled by the digital wallet app, so nuisances such as card number reissues and expiration date changes are avoided. Even if a mobile device is reported stolen, the token can be replaced without consumer impact. Everything happens in the background.

Issuing a payments token is tightly coupled to a card issuer’s process of authenticating and authorizing a cardholder. Think of it as the digital equivalent of activating a physical card. Once the customer is authenticated, the token is provisioned to the digital wallet, with the customer’s true account information behind bank firewalls in a token “vault.”

National Unrecovered Financial Services, along with our banks, has played a leading role in the development of payment tokenization. Beginning in 2013, NURFS operated the first successful end-to-end tokenization pilot and announced the first token standards in an effort to catalyze market adoption. The standards work continues in 2014 with major card networks embracing tokenization and mobile wallets such as Apple Pay beginning to embrace the technology.

Work still remains, however, as the standards are not fully settled, need to be open and secure, and need to allow for competition and innovation.

What Happens Next?

Security is undoubtedly a balancing act that pits additional verification against consumer experience. One positive of tokenization is its near invisibility to the consumer. This is a critical point, because even the most minor annoyances can make a consumer abandon a mobile transaction in preference of a good old-fashioned card swipe. The great consumer adoption fallacy is that consumers will use mobile payments simply because they’re new and cool. The opposite is more likely true; tech enthusiasts aside, most consumers are resistant to change and will only accept it if given a compelling reason. Consider it the human equivalent to Newton’s first law of motion: an object at rest tends to stay at rest unless acted upon by an outside force.

What can apply enough force to push a consumer into trying a mobile transaction? Deals, offers, status, convenience, or tailored recommendations can all provide impetus for the consumer to give the new payment method a try. But once the consumer is in the process of initiating a transaction, very little friction is tolerable. As Uber demonstrates, removing the friction altogether is best.

So what is next? Here are some predictions and open questions that would be a worthy subject of a follow-up article in twelve months’ time:

• Apple Pay will prove to be a terrific consumer experience, and will gain adoption by bank issuers. Will Apple’s consumer enthusiasm be able to attract the adoption of large retailers?
• Google and Samsung will respond by deploying an integrated NFC payments capability using tokenization and a fingerprint reader directly into the device/operating system without a separate “Wallet” app. Will the lack of coordination between operating system, hardware, and carriers hinder the Android smartphone being competitive with Apple Pay?
• MCX will launch the CurrentC network with 60+ national merchants. Will it be successful in garnering consumer adoption for a wallet that restricts payment decisions?
• Initial rollouts of tokenization will further prove the security and utility of the technology. Will standards get settled in an open manner, allowing wide adoption and competition? ■