As the saying goes, you can’t know where you’re going until you know where you’ve been. With that in mind, we’ve prepared an overview of key trends and happenings in the merchant acquiring space during 2016.
Visa Inc.’s notice in early December that it was buying ecommerce payment authentication firm CardinalCommerce was the latest in a string of mergers and acquisitions that are reshaping the competitive playing field. Visa officials said CardinalCommerce, as a subsidiary of Visa, will accelerate the industry’s move to greater reliance on digital commerce. The combination of technologies and expertise will expand the scope and quality of real-time predictive risk scoring for merchants and issuers, while providing more secure, seamless consumer experiences, Visa said.
Mastercard, meanwhile, purchased a majority position in VocaLink Holdings Ltd., an international payment provider created by a group of large U.K. banks. The $920 million Mastercard shelled out gives the card company a 92.4 percent ownership stake in VocaLink, which helped build and operates several real-time payment networks, including the U.K.’s Faster Payments Scheme. Before the purchase, VocaLink had been selected by The Clearing House, a consortium of large U.S. banks, to provide switch technology to support a new real-time payment network TCH is building.
There were several notable acquisitions by leading acquirers this year as well. The first was the acquisition of TransFirst Holdings LLC by Total System Services Inc. (TSYS), for $2.35 billion, disclosed in January. That came on the heels of news that leading acquirer Global Payments Inc. was paying $4.3 billion to acquire rival Heartland Payment Systems Inc. More recently, Vantiv Inc. revealed a planned acquisition of Moneris USA, at a cost of $425 million.
One consistent theme in the evolution of payments is that speed and convenience count for a lot. So it should come as little surprise that mobile commerce and mobile payments have been hot-button issues for several years.
In 2016, mobile commerce made significant advances, as increasing numbers of shoppers took to their smartphones and tablets to comparison shop and, in some cases, to actually make purchases. BI Intelligence expects U.S. mobile commerce to total $79 billion this year, or about 20.6 percent of all ecommerce. By 2020, mobile will account for 45 percent of all U.S. ecommerce, totaling $284 billion in sales, the firm predicted.
The Federal Reserve reported in March that 24 percent of adult Americans used mobile devices to make payments in 2015. Bill payments were most popular, with 65 percent using their mobiles to pay bills. Digital content and brick-and-mortar purchases came in second and third, with 42 percent and 33 percent, respectively.
Meanwhile, a recent report from eMarketing Inc. revealed that just 19.4 percent of smartphone owners in the United States had used their devices in the previous six months to make payments. “Despite double-digit growth this year and next, Americans’ use of mobile wallets like Apple Pay, Android Pay and Samsung Pay, as well as branded apps that include mobile wallets like the Starbucks app, Walmart Pay and CVS Pay, will not reach mass adoption in the foreseeable future,” eMarketing wrote.
One reason for slow adoption is a shortage of POS devices programmed to support near field communication (NFC). Support for NFC, the underlying technology for tap-and-go payments, has been built into the latest generation of POS devices: EMV-compliant terminals.
Meanwhile, CurrentC, a mobile payment initiative that leveraged quick response codes instead of NFC and was launched by a group of large retailers (known as MCX, for Merchant Customer Exchange), was scuttled in June.
Progress with EMV, PCI
Security always has been an important consideration for card payments. So when the card brands turned their collective attention to implementing EMV (Europay, Mastercard and Visa), an industrial-strength security protocol, it seemed as though the Payment Card Industry (PCI) Data Security Standard (DSS) might assume diminished importance. It has become abundantly clear, however, that this is not the case.
For starters, EMV implementation is far from universal at merchant checkouts. The Strawhecker Group reported 44 percent of U.S. card-accepting merchants have EMV-compliant terminals, but only 29 percent were being used to run EMV transactions as of September. However, EMV is intended to protect against counterfeit card fraud, and according to a July report from Auriemma Consulting Group, counterfeit card fraud was down 18 percent in the first quarter of 2016, the lowest level since 2013.
Under a plan put forth by the card brands, most merchants were supposed to be up and running with EMV terminals by October 2015 or risk liability for fraud perpetrated with counterfeit cards. Petroleum dealers were given until October 2017 to implement EMV security on automated outdoor pumps. On December 1, though, Visa and Mastercard extended the compliance deadline for automated fuel dispensers (AFDs) to October 2020, noting the upgrade for AFDs is more complicated than had originally been expected.
Whereas EMV is about protecting against fraudulent transactions, the PCI DSS addresses basic security requirements for storing, processing and transmitting cardholder data. As recent reports suggest, purloined card data remains a hot commodity with fraudsters. The website Krebs on Security reported in August that hundreds of computers at software giant Oracle Corp. had been breached, including computer systems used by businesses with Oracle’s Micros POS systems. Several individual retailers also reported card breaches this year, including Eddie Bauer, Wendy’s and Cicis.
But data breaches are not just a large retailer problem. Vantiv LLC stated its research suggests 80 percent of card breaches involve small retailers. The result: 60 percent of those shops shutter their doors within six months of being breached, according to Vantiv.
In April, the PCI Security Standards Council released PCI DSS 3.2. A key change: mandating multifactor authentication for any organization with access to credit and debit card data, a requirement that previously applied only to those remotely accessing data. In July, the council provided a new set of compliance resources designed specifically for small businesses. The new Guide to Safe Payments, available on the PCI SSC website, aims to make the requirements (which are laden with legalese and technical jargon) easier to comprehend. Acquirers and their partners were encouraged to download, brand and distribute the guide to their small business customers.
“PCI compliance is important to everyone in the payment processing industry,” said Cleveland Brown, co-founder and CEO of Payscout Inc., echoing the sentiments of acquirers and ISOs alike. Not everyone in the merchant community accepts this premise, however. The National Retail Federation in June asked the Federal Trade Commission to investigate the PCI SSC. The NRF argued that because the council is controlled by Visa, Mastercard, American Express Co., Discover Financial Services and JCB International Co. Ltd., it doesn’t qualify as a legitimate standards-setting body. (Standards-setting groups are typically independent panels with members representing end users, as well as technology companies and other service providers.)
The FTC had previously stated it was undertaking a study of the PCI DSS, and that it had issued orders to nine providers of PCI security assessments, requesting information on everything from hiring practices to details about audit policies and procedures. The council said in a statement to The Green Sheet at the time that the NRF’s assertions were “unfounded” and that the PCI SSC has been having a “productive dialogue” with the FTC.
Continuing legal woes
Leading retailers – including Wal-Mart Stores Inc. and Home Depot Inc. – filed lawsuits against Mastercard and Visa this year asserting their right to mandate PIN authorization for EMV cards. Visa and Mastercard do not require PIN authorization for EMV cards, although PIN is generally accepted as being superior to signature authorization. The retailers maintain that Visa and Mastercard are promoting chip-and-signature transactions to generate higher interchange.
The National ATM Council Inc. and a group of independent ATM operators, meanwhile, got the green light to press ahead on a lawsuit originally filed in 2011, asserting the way Mastercard, Visa and card-issuing banks set ATM network access fees is anti-competitive. The U.S. Supreme Court in November sent it back to the Federal District Court for the District of Columbia for reconsideration. That court had ruled in 2012 that the suit lacked legal merit.
That wasn’t the only payment card case to make its way to the Supreme Court this year. In September, the High Court agreed to consider the validity of a New York state law barring retailers there from surcharging consumers for using credit cards instead of cash. New York is one of 10 states that ban surcharging credit card payments, although discounts for cash payments are permissible. Retailers found in violation can be assessed hefty fines. Retailers argue these laws violate their rights to free speech and due process.
Perhaps the biggest news from the courts this year, however, was the U.S. Appeals Court decision overturning the $7.25 billion out-of-court settlement that Visa and Mastercard reached with millions of merchants in a case that challenged the card companies’ interchange-setting and anti-steering rules. The decision reignites the battle over credit card interchange and could lead to new legislative efforts to curb interchange as happened under Dodd-Frank.
Law enforcement and regulators have been turning up the heat on acquirers and their partners. In February, Vantiv reported it would no longer service firms in the daily fantasy sports business, in response to several state attorneys general issuing cease-and-desist orders to companies behind the games. The states assert such games amount to illegal gambling.
Most major regulatory news came from the Consumer Financial Protection Bureau, which wields significant authority over bank and nonbank financial services providers. In March, the CFPB slapped a $100,000 fine on the payment network Dwolla Inc. for misleading consumers about its data security practices. It was the first action taken by the agency regarding data security.
In June, the CFPB filed a lawsuit against Intercept Corp., alleging the payment processing company ignored the activities of clients initiating fraudulent activity. “Companies cannot turn a blind eye to wrongdoing when they process payments from consumer banking accounts on behalf of clients who are breaking the law,” CFPB Director Richard Cordray said at the time.
The biggest news out of the CFPB this year, though, was its creation of new regulations for prepaid debit cards. The new rules amend several existing federal regulations (for example, those covering truth-in-lending and electronic payments), applying the consumer protections in those regulations to prepaid debit cards. The new rules, for example, address disclosure statements, error resolution, standardized agreements, limited liability for unauthorized transactions, and overdrafts. The overdraft rules set out requirements for underwriting, statement issuing, fee setting and cooling off periods.
The CFPB itself has come under fire from lawmakers. A bipartisan bill introduced in Congress would change the structure of the CFPB so it is ruled by a five-member panel (as the FTC is) instead of by a lone director. Rumored planned efforts to roll back the Dodd-Frank Act could also impact the federal consumer watchdog agency, which is a product of that legislation.
Merchant acquiring is a business facing continuous change with the emergence of new players, technologies, rules and business models. To survive and prosper in this environment, ISOs and merchant level salespeople are finding they must change as well.
“The way acquirers sell, the way merchants buy, the technology at the POS, the needs merchants have and the offerings acquirers put forward – it is unmistakable there is a fundamental change underway,” Marc Abbey, Managing Partner at First Annapolis Consulting, wrote in a recent article for the firm’s Navigator newsletter.
This is not necessarily bad news. “That’s how you get creative, how you keep everyone on their toes,” said Donna Embry, Senior Vice President at Payment Alliance International.