
Mobile Payments: A Primer

Acxiom, April 27, 2015

Mobile payments have become a hot topic among US retailers because of the high-profile launch of Apple Pay and the number of financial institutions that have signed up to support it. Apple has a history of upsetting existing supply chains. It disintermediated record companies almost overnight when it launched iTunes, as one example. In another case, it was the first company to convince mobile telephone providers to insert a third-party app store between them and their customers. It was also the first to convince the carriers to share revenue for mobile apps with anyone other than a publisher. The result in mobile was a power shift, turning Apple into a dominant player in the mobile business that has inserted itself between the cellular networks and their customers. “He who enrolls, controls” is the saying. In the case of mobile, people register with the carrier once, but they enroll and interact daily with Apple’s app store and iTunes. Because of this, carriers worry that they are at risk of being relegated to becoming a “smart pipe”. To offset this, a few carriers have opened their own app stores in an attempt to wrest back control of the customer relationship. However, the results have been disappointing at best.

Apple is now trying to use its dominant franchise in mobile to expand into, and create similar discontinuous change in, mobile payments.  Retailers have taken note and are concerned that they not follow their cellular brethren in losing control of their customers.  Apple Pay and the tokenized technology on which it is based, as well as the new tokenized EMV standard and other similar systems like MCX/CurrentC, Samsung Pay, Google Wallet or Paydient, are causing retailers to worry that they could be next.  They are equally concerned that, even if these third-party payment schemes do not disintermediate them, they will prevent them from connecting data about what their customers are buying to who they are, thus depriving the merchant of a rich source of data for creating custom offers, targeted marketing campaigns, and effective loyalty programs.

Taken By Tokens

Historically, US merchants have received a customer name, credit card number, billing address, CVV and expiration date from reading the mag stripe card at the point of sale (or via form submission online).  This worked well, but exposing the card information, both at the point of sale and in the merchant’s systems of record (called a “Card on File” status) left consumers and merchants vulnerable to costly security breaches, fraud, and loss of PII.

Apple Pay is one of several new forms of payment that attempt to improve the customer buying experience and reduce fraud by combining a relatively new technology called near field communications (NFC), biometrics, and what is known as a “tokenized” approach to payments. With Apple Pay, the consumer places their finger on the iPhone Touch ID to authenticate themselves with a fingerprint, without unlocking the phone or the app. The buyer then places their phone over an NFC-enabled terminal to initiate the transaction. This simple two-step system is more intuitive and more convenient for consumers, and has the perception of being more secure.

However, rather than receiving traditional magnetic stripe-based information from the customer, the merchant’s terminal and transaction systems receive a static token and a dynamic, one-time-use security code. The token is translated into a credit card number only when it reaches the payment network (e.g. Visa, Mastercard, Amex, etc.), meaning that only the bank which issued the card and the payment network have information about both the person and the transaction.  The result is that an in-store Apple Pay transaction “looks like” a cash transaction to a merchant.  They know that something was bought, but not by whom.  (This is not as true for online transactions, since many buyers are logged in, but we’ll save the intricacies of that for another post).  The merchant is left without the critical link they need between transactions and customer to serve them in the most fundamental way.

Not all the other tokenized payment options are this restrictive. For example, Google Wallet, Paydient and MCX/CurrentC specifically do maintain the link between the customer account and the customer’s transactions. EMV also allows for it. But Apple Pay is getting a lot of press, support from financial institutions, and consumer consideration. And given its large potential footprint (iPhone 6 and beyond), Apple Pay has a better likelihood of becoming a leading player in the space. So it is the payment method causing the most questions from our customers.

Take Ceterus Tergum (Take Back the Customer)

However, things are nowhere near as bleak as they seem.  In the cellular analogy, Apple is the merchant.  It has access to all transaction information from the customer and does not share that with content providers.  Each developer, producer, musician or author knows who bought their products, but they do not know – and the cellular provider does not know – what an individual buys across the entire iTunes store.  Only Apple has access to that data, along with every click, tap, slide, and notification that occurs on the individual’s devices at a specific location at a given time.  It is appallingly easy to see why Apple has wrested control of the customer in that scenario.  They have the data to do so.

But it is different with Apple Pay.  Apple purposely does not collect transaction data that can be tied back to the customer, so by design it cannot have any better view to the customer than the merchant.  However, and just so we catch a subtlety, this does not mean that Apple can’t collect transaction data.  It only means that it does not use an account number or user id to convert that information to customer-specific transactions.  Apple contractually requires banks to share anonymized transactions with them for audit and reconciliation purposes.  How extensive that sharing requirement is, and under what circumstances it kicks in, is not clear.  Apple’s contracts with banks are incredibly strict.  Individuals who work on Apple Pay at financial institutions operate under extreme confidentiality agreements and one financial institution implementing Apple Pay is contractually bound not to discuss Apple Pay with any other financial institution.

That said, merchants do not lose control of their data to Apple and, in fact, can use a simple mechanic to connect Apple Pay transactions to their customer account at the point of sale. This mechanic, by the way, was suggested to me by a sizable US merchant who is considering Apple Pay but has not yet implemented it. The first time a device/card combination is swiped at a particular merchant’s NFC terminal, the terminal can provide a message something like the following:

“As this is your first time using Apple Pay and CardName with us, we would like to link your existing rewards id to this device or automatically enroll you so that you can get special offers and other benefits from us as part of your Apple Pay experience. If you would like to do so, please enter your phone number now and click OK.”

Since the Apple Pay token is static, once the phone number is tied to the token, the token and all its transactions are tied to the customer account id. The merchant only needs to ask the question again if and when the customer uses a different card on this device or the same card on a different Apple Pay device.
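The first-use linking mechanic described above, sketched as an added example (not code from this article or from any merchant or Apple system). The class, loyalty ids and token values are hypothetical; storing a keyed hash of the token instead of the token itself, and remembering a declined prompt, are assumptions.

```python
import hashlib
import hmac


class TokenLinker:
    """Ties static payment tokens to loyalty accounts (hypothetical names)."""

    def __init__(self, key, loyalty_by_phone):
        self._key = key                   # secret used to fingerprint tokens
        self._loyalty = loyalty_by_phone  # phone number -> loyalty id
        self._links = {}                  # token fingerprint -> loyalty id or None
        self.history = {}                 # loyalty id -> purchase amounts (cents)

    def _fingerprint(self, token):
        # Assumption: keep a keyed hash of the token at rest, not the token.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def needs_prompt(self, token):
        # True only the first time this device/card token is seen.
        return self._fingerprint(token) not in self._links

    def record_answer(self, token, phone=None):
        # phone=None means the customer declined; assumption: remember that too.
        loyalty_id = None
        if phone is not None:
            new_id = f"L-{len(self._loyalty) + 1:04d}"  # auto-enroll id
            loyalty_id = self._loyalty.setdefault(phone, new_id)
        self._links[self._fingerprint(token)] = loyalty_id
        return loyalty_id

    def record_sale(self, token, cents):
        # Attribute the sale if the token is linked; otherwise it stays anonymous.
        loyalty_id = self._links.get(self._fingerprint(token))
        if loyalty_id is not None:
            self.history.setdefault(loyalty_id, []).append(cents)
        return loyalty_id


def demo():
    # Constructed sample data: one existing member, three token values.
    linker = TokenLinker(b"constructed-demo-key", {"5550100": "L-0001"})
    results = []
    for token, phone, cents in [
        ("tok-phone1-cardA", "5550100", 1265),  # first use, links to member
        ("tok-phone1-cardA", None, 840),        # repeat use, no prompt needed
        ("tok-phone1-cardB", "5550100", 2000),  # new card, new token, asks again
        ("tok-phone2-cardC", None, 500),        # declines, stays anonymous
    ]:
        prompted = linker.needs_prompt(token)
        if prompted:
            linker.record_answer(token, phone)
        results.append((prompted, linker.record_sale(token, cents)))
    return results, linker.history
```

The one-time security code never enters the lookup: only the static token identifies the device/card pair, which is why the link survives across visits.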

Some will argue that such an approach violates the whole concept of deidentifying the transaction and that consumers won’t participate.  I’ll argue, lacking other data but knowing how many customers are willing to trade off anonymity in return for a financial reward, that a large percentage of Apple Pay users will see this benefit as a fair trade for identifying themselves to the merchant.  Frankly, I actually doubt they’ll even perceive it as an issue in most cases.  Merchants they trust already know them.  At Safeway, I like it when the checkout clerk says, “Thank you Mr. Coleman.  You saved $12.65 today,” even though I know that Safeway just recorded every item I bought in excruciating detail.    So, in fact, if consumers don’t make the connection, they stand to lose benefits they are already receiving.

So merchants, take a deep breath and relax. The new mobile payments vehicles may cause you more effort to link transactions to your customer file, but the level of effort and expense will be relatively low, and the overall impact on your checkout experience from using Apple Pay will still be positive. So go ahead: Take Ceterus Tergum. Take your customer back. You never really let them go.