Waving in Waitrose

Normal people don’t pay much attention to this sort of thing, but I was very interested to see a new sign outside my local Waitrose a few days ago…

Wave Wonga at Waitrose

I don’t ever remember seeing one of these signs before, but I was happy to see it all the same because thanks to COVID-19, people are discovering that using their mobile phone to pay for their weekly shop is pretty convenient (because the £45 limit does not apply, so you can pay for all of your shopping by mobile) and I doubt they’ll go back to cash. Barclaycard has just reported that more than 90 per cent of face-to-face transactions are now made using contactless (which increased by a quarter in 2019 compared with the year before).

So why is there no limit (well, £10,000 in Waitrose) on mobile payments? Well, it’s actually not a new development! As I wrote here back in 2016, when my colleagues at Consult Hyperion were advising a number of issuers and acquirers about high-value contactless payments and their implications at retail point-of-sale, “Waitrose takes contactless, and they’ve implemented in properly (with CDCVM)”.

If you are not familiar with CDCVM, here’s a quick primer on high-value contactless payments that I wrote a few years ago to explain how authentication options work with the contactless no-CVM (consumer verification method) limits. The no-CVM payment limit is for “tap and go” transactions where there is no PIN, signature or anything else required from the customers who are waving their cards over the contactless readers. This limit has just been raised from £30 to £45, which is why (I assume) that Waitrose had decided to put these signs outside the store.

The “Consumer Device Cardholder Verification Method” (CDCVM) is a type of CVM. CVM is, as I am sure you know, part of the EMV specifications, which allows for a number of different CVMs and any particular card will have the acceptable CVMs stored on it, in an order set by the bank that issued it.

CDCVM is the type of CVM that applies to transactions originating from a contactless device rather than a contactless card. Verification is used to evaluate whether the person waving the phone around to make a contactless transaction is in fact the legitimate user and affects where the liability lies for fraudulent transactions. It’s called device verification because the customer authenticates to their own device, not the reader in Waitrose. It’s not the point of this post, but frankly this is how everything should work in the future, since customers should never be required to authenticate themselves using any device that is not their own. Putting a PIN in your phone is better than putting a PIN into Waitrose’s terminal and not simply because you might catch a deadly disease from it.

When you have a device capable of implementing CDCVM, such as a phone with Apple Pay or Google Pay, then this is used as the CVM. Provided that the terminal is running the correct software, your phone will take care of verification and the issuer can then decided whether or not to authorise the transaction or not based on the enhanced authentication. In the UK the rollout of this “high value contactless” infrastructure began some time before the Apple Pay launch.

66B9D7E7 9A57 40D8 BD88 1919B9EA2D1E

What all this means is that the £45 limit does not apply to mobile phones with strong authentication, provided the terminal is running the correct software, of course. Writing about this a few years ago, I noted more than once that consumers, as far as I could tell, needed the payments industry could do with some better communications around this sort of thing. Consumers are not aware of the high-value transaction capability of their devices, and if they were aware of these capabilities, they would have no way of knowing whether the retailer had implemented the necessary software change or not. So if I go to Tesco, for example, I would have no idea whether the limit is £45, £250 (which it is if I use the TescoPay app, plus extra Clubcard points) or whatever is for Apple Pay / Google Pay.

COVID is pushing us from contact to contact-free (via contactless), so now is a good time to follow Waitrose’s lead with clear messaging at POS to help consumers along on this journey.

Today we celebrate Saint Valentine, the patron saint of customer verification methods

It’s one of my favourite days of the year today! I am a payments romantic, so you will undoubtedly know why! Today across the civilised world, we celebrate Saint Valentine, the patron saint of customer verification methods (CVMs). We buy flowers and eat chocolates on this day every year cto commemorate the introduction of chip and PIN. Yes, chip and PIN was launched in the UK on 14th February 2006. 

Yes, it’s lovely St. Valentine’s Day. Was it really thirteen years ago? The beautiful day, the day unromantically dubbed “chip and PIN day”, when we stopped pretending that anyone was looking at cardholders’ signatures on the backs of cards and instead mechanised the “computer says no” alternative. It really was! Thirteen years!

We English, we love out heritage. We still write our laws on vellum, we still say “what an interesting idea” when somebody says something that is transparently insane and, for now at least, we still use cards to buy things in shops. We cling to tradition. And chip and PIN is a tradition. Or at least it was.

I’m sorry to say that in Merrie England, chip and PIN is on the wane. The majority of card transactions are contactless and, according to Worldpay (who should know), they have been for a few months now. Fraud is manageable because most transactions are authorised online now and would be whether we had chip and PIN or not. The offline PIN and “floor limit” world has gone. The world’s first optimised-for-offline payment system was launched after the world had already got online. This is why you see  Brian Rommele writing that “by the time the UK implemented chip & PIN, the base concept and much of the technology was already almost 40 years old”.

Early chip and PIN focus group.

It is time to remind people what Saint Valentine stood for and reiterate why we are using chip and PIN at all. In ancient times, when European retailers could not go online to verify PINs due to the anticompetitive pricing of the monopoly public telephone providers, it made sense to verify the PIN locally (ie, offline). But this is 2019. We have smart phones and laser beams and holiday snaps of Ultima Thule. We can probably think about verifying PINs online again, or even replacing PINs with fingerprints or DNA or whatever.

Smart phone in particular mean change and, as I have bored people on Twitter senseless by repeatedly tagging “#appandpay rather than #tapandpay”, this will take us forward to a new retail payment environment in which the retail payment experience will converge across channels to the app. As payments shift in-app so the whole dynamic of the industry will change. Introducing a new payment mechanism faces the well-known “two-sided market” problem: retailers won’t implement the new payment mechanism until lots of consumers use it, consumers won’t use it until they see lots of retailers accepting it. This gives EMV a huge lock-in, since the cost of adding new terminals is too great to justify speculative investment.

When you go in-app, however, the economics change vastly. For Tesco to accept DavePay in store is a big investment in terminals, staff training, management and so on. But for the Tesco app to accept DavePay is… nothing, really. Just a bit of software. However traditional we might be, the marginal cost of adding new payment mechanisms is falling (particularly direct-to-account mechanisms because of open banking) and our industry needs to think about what that means.

I’m not saying that cards and PINs are going to go away any time soon, but what I am saying is that it’s time to start thinking about what might come next. Right now, that looks like smartphones with biometric authentication, but who knows what technologies are lurking around to corner to link identification and continuous passive authentication to create an ambient payments environment in which cards (and for the matter, terminals) are present only in a very limited number of use cases.

We need to go cashless, not drift into cashlessness

Having just been to China for Money2020 and having experienced at first hand the operation of a cashless society, I’ve even thinking (again) about the design of cash-replacement payment systems for a range of perspectives, using China as a case study. The first point to make is that people in China are well aware of what happens to when society switches from anonymous cash to not-anonymous (I can’t think of a suitable antonym) electronic payments. As observed in the Financial Times, “that scale of data accumulation is beyond our imagination”. The Chinese woman making this comment (while observing that despite her concerns about privacy, mobile payments are too convenient to opt out of) goes on to say (somewhat poetically, in my opinion) that she cannot tell whether her compatriots are “constructing a futurist society or a cage for ourselves”

Not everyone in China is part of this revolution, of course. The World Bank Global Findex database, which measures financial inclusion, estimates that as of lat year some some 200 million Chinese rural citizens remain unbanked, or outside of the formal financial system. As in Sweden, the shift toward cashless is raising issues around exclusion and marginalisation.

There are, for example, supermarkets with different lanes for cash or cashless payments that act as physical manifestation of social stratification between, as Foreign Policy notes, the young and the old and between the urban middle class and those left behind (between, as David Goodhart would put it, the “anywhere” and the “somewheres”). I’ve written before that we will see the same in the UK as cash vanishes from middle class life to become the preserve of the rich and the poor who will use it for tax evasion and budgeting respectively. A “Which” survey found that over 75% of low-income households rely on cash, as well as over 80% of elderly households. The shift to cashless society must be planned to help these groups so that they share in the benefits of cashlessness.

Woking going cashless

Cash is vanishing even in Woking.

I think we should start to plan for this now. In China, as in Sweden (where the New York Times observes that “cash is disappearing in the country faster than anyone thought it would“), we are beginning to see what happens to societies that slide into cashlessness. I am against this. That is, I am in favour of cashlessness, but I am in favour of it as a policy decision by society that is implemented to meet society’s goals. I couldn’t disagree more with the Wall Street Journal’s view that the move to cashless society “should be left to technological advancement”. No, it should not. This is a matter of great importance and with significant implications for society. The strategy should therefore be set by society, not by technologists.

Now, clearly, technological advances deliver new possibilities to policymakers and it is good for technologists to explore these possibilities. But, as they say, just because something can be done does not mean it should be done. We need a proper debate and a regulatory envelope set out to move forward. I wonder if we might seize the opportunity and set down a technological marker for post-Brexit Britain by declaring that cash will be irrelevant in the UK in a a decade. That is, anyone who needs to pay for anything will be able to do so electronically and that anyone who does not want to pay electronically will be presented with a method for paying in cash, albeit one that they have to pay for like (like cheques).

This must mean that in parallel we must set a national goal to provide a free at the point of use electronic payments infrastructure for everyone. Otherwise we’ll end up where they are in America, where jurisdictions are trying to ban cashlessness (and thus keep the cost of the payment system high, especially for the poor) in the name of social justice. In New York, Congressman Ritchie Torres has put forward proposals to force businesses to accept cash and called them a a “new frontier” of anti-discrimination law that is needed to prevent a “gentrification of the marketplace”. Similarly, as the Washington Post reports, lawmakers in the nation’s capital have introduced a similar bill. A council member there said that by refusing cash businesses are “effectively telling lower-income and younger patrons that they are not welcome”. Maybe, but if so it’s only because those demographics don’t spend enough to provide the margin needed to cover the cost of cash.

It’s time to start thinking about what the requirements for that infrastructure are and consulting consumer organisations, businesses and government departments on their needs. We need to make a cashless Britain, not simply allow a cashless Britain.