What have we learned about NFC recently?

[Dave Birch] I've been looking at some NFC-related business cases for customers in different countries and noticing -- without giving away anything confidential -- how different they are: some are focussed on retail, some on transit, some on operators etc. Yet they are all founded on what I think is a reasonable consensus on the narrative to date: that is, customers like NFC (a lot), operators aren't sure how to cash in and banks aren't sure whether the operators are on their side or not. One thing they all agree on though is that handset availability shapes the critical path. This is because it seems highly unlikely that consumers will hammer down the doors of mobile phone shops to get NFC handsets to use for boring things like payments. Once they have the handsets I'm sure they will use them for payments, but payments isn't interesting enough to drive them down to the mall. What consumers will want NFC for is the simple stuff -- smart posters, exchanging numbers, that sort of thing -- and (in certain urban markets) for transit.

Yet while some commentators (eg, me) bemoan the lack of handsets -- largely a reflection of the convoluted standardisation process around the location of the "secure element" in the mobile handset (ie, on the SIM or not) -- there are big banks out there who are making big bets...

 

Citigroup Inc. has an NFC mobile phone under development that it plans to brand with the Citi logo according to a lab report filed with the U.S. Federal Communications Commission. The report clearly shows the Citi logo on the front of the tiny handset. Citi has been rumored to be considering issuing or distributing a branded phone to customers.

[From CardForum | CITIGROUP DEVELOPING A CITI-BRANDED NFC MOBILE PHONE]

Frankly, I'm not sure if I believe this to be the winning strategy, but I'm not an expert on Citi's markets and I'm sure they are. Personally, I don't want a Barclays phone: I want my Barclaycard OnePulse to be loaded to whichever phone takes my fancy (I'm currently very happy with my N82, thanks). It seems to me further confirmation that the move to NFC is gathering momentum despite the natural reaction to early hype. Yes, there won't be as many handsets out there as quickly as people hoped, but still as James van Dyke of Javelin Strategy put it

 

[I] find myself wondering how long it will be before we all start to turn in our personal carrion-enclosed container o’ credit, debit and identification cards for a chip-enabled mobile payment device.

[From Javelin Strategy and Research » When too tired to be coherent, use props]

Eat up

[Dave Birch] I have the results of another interoperability test for you. Yesterday I used my UK Barclaycard OnePulse in a contactless terminal at a coffee shop in Singapore and not only did it work perfectly, it was very fast and very convenient. More, please! My expectations have been raised to the point where I was really disappointed that Ben & Jerry's didn't take contactless and I was forced to resort boring old-fashioned cash. The coffee shop was the textbook case for the cash-replacement low-value contactless transaction: why can't more of the coffee shops in London have it? Oh, wait...

Yet another dumb headline about contactless card security

[Dave Birch] I had a few e-mails from people about the story in Engadget that was titled "RFID cards hacked easily with $8 reader"...

the crew at BoingBoing TV has posted up a little demo of how easy cracking the RFID encryption on an American Express card can be. All it takes is an $8 dollar reader easily available on eBay

[From RFID credit cards easily hacked with $8 reader - Engadget]

The actual title should have been "Well-designed American Express contactless cards work exactly according to specification and non-hacking non-exploit does not actually result in losses to either cardholder, retailers or American Express themselves". Anyway, the reason I got a few e-mails was because people wanted to know where to get these $8 readers. I just checked on eBay (US) and the cheapest pre-owned contactless terminal I could find was over $60. The video actually shows him using a Vivotech Vivopay 5000 (which is a couple of hundred quid in the UK), so if this guy really can get them for $8 he'll make far more money from reselling the terminals than he will from "hacking" ExpressPay cards.

Mirek Kula, MPay

[Dave Birch] Mirek Kula is the Director of International Business Development for MPay, based in Poland. One of the co-founders of the company, Mirek comes from a transaction processing background. In this podcast, he explains the MPay proposition and explains how it has learned from past attempts to create m-payment systems for developing economies.

Price point

[Dave Birch] At the New Payment Channels conference in London, Julian Niblett gave a presentation about contactless from the major retailer perspective. He is head of cash for Boots, one of the U.K.'s largest retailers. They are a good case study, I think, because there are parts of their operation where contactless would work, but other parts where it would not. Therefore, they have to develop a sophisticated strategy and understand carefully where to make investment.

Their average transaction size is under £10, but that disguises a wide range range (from, say, cosmetics to snacks). So it's not a simple case of converting big stores or small stores, high street or out of town. Within a store, some departments might benefit but in other departments it would be a waste of money. But how confusing would it be for customers to try and figure out where they could use contactless or not? And how much would it cost to train staff to handle customers properly in these circumstances.

The key figure that Julian gave that will be of interest to people here was that Boots banks £2.5 billion in cash every year and it costs them £1.5 million whereas they bank £2 billion in card transactions and it costs them £14 million. Hence he asks, quite reasonably from his point of view, why cards (that should be electronic and efficient) cost ten times as much as cash. He also gave an excellent insight into the way that retailers think when he said, and I quote, "we've had our fingers burned with chip and PIN". I'm going to do what I can to persuade Julian to make a Digital Money podcast to explore his perspective further.

The bond that fell to Earth

[Dave Birch] This isn't really about payments, but about the monetisation of intellectual property, which is a topic that will appear in the future of payments for sure. Anyway,

When the back catalogue of David Bowie was offered on Wall Street, the $55 million deal for future royalties on classics like The Man Who Sold The World was hailed as a new form of intellectual property securitisation and the idea of artists raising funds secured by future royalties of their work became known as Pullman Bonds, named after the banker David Pullman who drove the Bowie deal. Now, however, citing weak sales of recorded music and a downgrade to an unnamed company guarantor, Moody's Investors Service downgraded the Bowie bonds. They have gone from an A3 rating to Baa3 – one notch above junk status.

[From Bowie bonds nearing junk status | OUT-LAW.COM]

Well, his bonds may be junk but his music isn't: Aladdin Sane was the first album I ever purchased with my own money! Whenever I've seen David Bowie interviewed on TV, he's always come across as smart. I can remember him talking about music becoming a utility, like water, and he'd obviously formulated a strategy for the future of music well ahead of record companies or, for that matter, investment bankers. Having seen the writing on the wall for the artificially high price of recorded music, Bowie decided against the "farmers path" (of demanding government support to keep prices high) and instead went down the "market path" (of selling an asset with a declining future to bankers). Good for him.

Dutch lessons

[Dave Birch] I saw a presentation in Amsterdam about an NFC pilot going on in the C1000 supermarket chain (check out this video) with real consumers.

 

One hundred consumers who shop at the C1000 grocery store in Molenaarsgraaf, the Netherlands, have begun paying for transactions with mobile phones equipped with Near Field Communications (NFC) RFID chips. The group is participating in a six-month pilot conducted by Schuitema, the nation's second largest retail chain,

[From RFID Journal - - RFID (Radio Frequency Identification) Technology News & Features]

Well, the pilot is now complete and the results are in. The guy from the retailer who was presenting said that he was extremely surprised because he had "never, never" seen such a positive results from consumers and that they never had a single technical problem in six months. Wow.

The market research contained, I think, an interesting nugget of information that will be grit in the oyster of someone's business plan. It turned out that the service was a fantastic success with the customers, and 49% of them said that if the service were offered then they would buy a new handset to get it! More than half, and I suspect this is the important figure at the current state of evolution, said that they would switch operators to get an NFC service. Overall, there was a something like 90% approval rating for the service.

Yet, when pressed on costs, 78% of those consumers said they would not use their NFC payment "card" if they had to pay more than they do for using their existing payment card. Just to reiterate: they would be happy to spend money on buying a new phone, but not on a paying a bank a little more.

UK Card Fraud - gosh, shock, horror

We’re told that fraud migrates - push it down here and it goes up over there.  The introduction of Chip & PIN in the UK has squeezed out counterfeit, lost & stolen, and mail interception fraud.  This is countered by a rise in card-not-present fraud and overseas use of skimmed cards is on the up.  This trend has been clear over the last few years.  The net result is that overall UK card payment fraud has been flat at £400-450 million for 2001 to 2006.

The release of the latest UK card fraud statistics for 2007, by APACS, the UK payment clearing association, has created headlines.  It’s up 25% to £535m, they scream.  A quick glance reveals the usual trends, but chip & PIN in the UK has reduced fraud as much as it can whilst the CNP and overseas fraud continue to grow apace.  Hence the overall rise.

So, where is this fraud coming from?  It may be a blip - it hit £500m in 2004, for example.  Or perhaps fraud is migrating from elsewhere.  What happens to VAT carousel fraud when it is squeezed, for example?  [VAT carousel fraud is a peculiar wealth support mechanism dreamed up by the EU that costs UK taxpayer £8.4bn a year.]

What can be done to stem this rise?  CNP fraud is being tackled by 3-D Secure (branded Verified by Visa and SecureCode).  To stem skimmed card fraud overseas and skim & PIN fraud (whereby fake magnetic stripe cards are used with a captured PIN to withdraw cash at ATM), UK banks have gone so far – by introducing ICVV and declining technical fallback at ATM.

But they could go further.  Why not an opt-in for all but the most frequent travellers whereby my card is automatically declined for all overseas (non-chip & PIN) payments and cash withdrawals?  Before I go on holiday, I tell the bank where I’m going and for how long.  It’s easy to implement and easy for the cardholder.  Mandate 3-D Secure?

Sadly, inconveniencing the cardholder gets in the way and we can't possibly have that.  And fraud is still only ~0.1% of total card spending.  So, perhaps it’s not such a big issue for the banks, anyway.  Afterall, card fraud was projected to be £1bn by 2010 were it not for Chip & PIN.

Realistic dynamics of contactless

[Dave Birch] In a recent post, Aneace observes that if improved speed is the key merchant benefit of contactless (which I'm not sure about: as discussed before, it's one of a portfolio of benefits) then the use of magnetic stripe cards under $25 (ie, with no signature required) undermines the business case:

Contactless has always been positioned on one single merchant benefit: speed. So waiving the signature for transactions under $25 just kills contactless.

[From Waiving signatures for small purchases torpedoes contactless]

This is true to some extent. But it's really only true in the U.S., where all transactions are online, and in comparison to similar card transactions. In chip environments, an offline chip-based transaction is going to take a couple of hundred milliseconds. Contactless is very fast, remember, partly because of the technology's heritage in the transit world, where it is turning full circle: transit companies don't really want to run ticketing operations at all, so they would be more than happy to have "pay at gate" where bank and other payment cards are used to enter/exit the transit system. This is why pilots and trials in this direction are useful indicators of the way the payment environment might develop. For example,

MasterCard is teaming with The Port Authority of New York and New Jersey and NJ Transit for the eight month trial, which is set to kick off in early 2009. Customers will be able to pay fares on buses and trains between New York City and New Jersey by tapping their contactless device at turnstiles and on fare boxes.

[From Finextra: NY commuters to trial contactless payments on buses and trains]

In the non-transit environment, or I should say non-"closed" environment, the only way to get 200ms transactions is to go offline. But even then, while you're standing around waiting 10 minutes for your latte, 200ms may be neither here nor there! So in most markets (ie, markets where not all the transactions are online), contactless products will run adequately fast and are a better option than no-signature stripe cards because of the improved security.

M-Pound?

[Dave Birch] I was in a discussion the other day -- the circumstances aren't relevant -- when one of the participants (from a regulatory background) suggested that "third world" payment schemes (such as our very favourite mobile payment scheme, Vodafone's M-PESA) might actually be suitable for places in U.K. where people lack access to conventional financial services. So might Vodafone be prepared to try M-PESA out in a lawless wasteland, where life expectancy is 54 and falling (in Iraq, it's 67), where 170 gangs roam the mean streets and where a quarter of a million children are living in poverty? No, they're not ready for Glasgow yet, so they're going to Kabul...

Afghanistan GSM network operator, Roshan is to launch a mobile payments service, based on Vodafone's M-PESA service. The service, branded M-Paisa, is a mobile technology platform that provides financial services for those without access to banking and aims to facilitate economic activity in the region.

[From Vodafone Launches Mobile Payments in Afghanistan]

I'm sure this will be the first of many launches. The M-PESA model works, the technology works and the business works, so I'm sure it's going to go from strength to strength, especially given the size of the potential opportunity.

Mobile transactions carried out by 612 million mobile phone users will generate $587 billion by 2011, according to 'Mobile Financial Services: Banking & payment markets 2007-2011', a report released by Juniper Research on 30 January.

[From E-COMLAW.COM]

This is a colossal market, whichever way you look at it. And a great many of these potential users are people who are excluded from conventional banking and payment networks, so the impact of the mobile is very transformational.

Dave Parratt, MTN Mobile Money

[Dave Birch] Dave Parratt is with MTN Mobile Money in South Africa, and as such is in the forefront of the mobile revolution in developing markets. Working out how banks and operators should co-operate and compete in this kind of environment is a fascinating challenge. In this podcast, Dave talks about the South African environment and Mobile Money's experiences. You'll enjoy, as I did, hearing about the challenges to launching new mobile-based products in such a different environment. I apologise for the poor sound quality (someone decided to start drilling next door to us!).

Another perspective on chip & PIN fraud in the UK

[David Griffiths]  I think it's all good and proper that academics at world class universities have our (and I speak now as a punter) best wishes at heart, and I am grateful to the BBC for bringing it it, once again, to everyone's attention.  Taxes and licence fees well spent.  I only wish that the spin revolved around reality rather than headlines!   

Once again Ross Anderson has got the BBC all excited.  If there was real hole in Chip and PIN, the boffins at Cambridge would have spotted it, and the the BBC could then really get excited.  The reality is that Professor Ross Anderson has huge technical resources at hand, is surrounded by some very clever people, but they haven't cracked the system - not even com close.  They have, as we were told, found some vulnerabilities, but they have not found any that the banks were not aware of.

Christmas Cards

According to APACS, the UK banking association, spending on plastic cards during the last Christmas period – December 2007 – was £32.2billion, up 4% on a year earlier.

If you take inflation into account – the UK Retail Price Index over the same period is also around 4% – then the trend for overall card use, in real terms, is flat.

Delving into the figures some more and we see the familiar trend is there – spending on debit cards is up nearly 7% and spending on credit cards fell.  (Quite why anyone would use a debit card in preference to a credit card is beyond me, but more later.)

From other APACS data, we know the general trend for the credit card business – usage/spend peaked in 2004 and has been in gentle decline ever since.  Credit card issuers must be morphing the business plan into a survival plan.

For a prolific user of credit cards, such as myself, it’s great.  I’m being tempted by all sorts of fabulous 0% offers, free air miles, and the like.  So, the industry is now fighting for my business – does that means margins will get squeezed too?

Perhaps the industry will consolidate, make efficiencies and protect profits that way?  Barclaycard recently purchased Goldfish for £35million (a rather poor ROI for Discover, by the way).  Perhaps we’ll just end up with a few super-size issuers?

There may be hope in new technology, such as contactless.  It’s new business, i.e. cash displacement.  But, it takes a lot of coffees and newspapers to match the average credit card transaction of over £60.  Smaller margins on smaller transactions?

Two-thirds of retail spend over Christmas was on cards, four per cent on cheques (oh yes, cheques!) and the remaining 30% (ish) for cash, beads and bartering.

So, I’m a credit card issuer.  Should I start a war on cash, tempt the credit unworthy or try to convert the unbanked?

Well, twice as much was spent on debit cards than credit cards.  Debit card users aren’t afraid of plastic but they get little protection – and a sixth of the retail card spend at Christmas was online.  Surely it’s got to be easier to tempt debit card users with the security of credit card purchases?

In February, I added up how much I would have spent on a contactless card if acceptance were ubiquitous.  I reckon it was about £400 – double what I expected.  If it were on my NFC mobile phone I would have used it in the pub, too.  But I might also want protection since I’ve read those scare stories in the press recently – I’ll use a contactless credit card product every time.

So, it’s not all gloom in credit card land.  New technology, new channels and targeting products to exploit the protection afforded consumers will help.  In the meantime, I’m trying to work out what I’ll buy using my credit card in the TV.

Out of touch

[Dave Birch] I ought to be relatively easy to move ATM functionality to mobile phones, with the obvious exception of cash withdrawal. Why bother? Well, I read in the FT (25th February, page 12) that there are 2.4 billion visits to ATMs in Spain every and that a third of them do not involve withdrawing cash, which is why one of the banks in Spain in launching a mobile banking service to allow people to do ATM stuff (pay bills, mobile top-up, mini-statements, that sort of thing) on the handset. I was wondering if I would use such a function, and I'm not so sure.