Change in the payments industry is almost literally afoot, as new technologies make it easier and safer for customers to purchase goods and services with their smartphones or tablet computers. The total value of global payments via mobile devices in 2014 was $507 billion, up nearly 40% from the prior year, according to Juniper Research. Average transaction sizes over tablets are already exceeding those over desktop PCs in many markets, Juniper notes.
In the United States, total mobile payments — comprising in-person payments, remote purchases, and peer-to-peer transfers — will nearly triple in five years, from $52 billion in 2014 to $142 billion in 2019, forecasts Forrester Research. The in-person portion will rise from $3.7 billion to $34 billion, Forrester estimates. (To put these numbers in perspective, total retail sales in the U.S. were $4.5 trillion in 2013, according to the Commerce Department.)
“Although the landscape of mobile payment providers is in an ongoing state of flux, the ecosystem and mobile capabilities are maturing and consumer and merchant adoption is accelerating,” writes Forrester analyst Denee Carrington. Over the next five years, consumers will undergo a “mobile mind shift,” Carrington predicts: the more they rely on their phones in their everyday lives, the more they will expect that they can use them to obtain whatever they need, wherever they are.
Retailers are beginning to meet those expectations, installing point-of-sale technology that enables customers to pay with a touch or wave of their phone. Meanwhile, smaller companies are investigating the use of mobile payments for business-to-business transactions.
This is not to imply that adopting mobile payments is worry-free. While mobile technology offers opportunities to deliver better payment experiences for consumers and businesses, it also presents challenges in terms of making sure data is secure, says Troy Leach, chief technology officer of the PCI Security Standards Council, an open forum responsible for developing payment card security standards.
Waving or Tapping
One of the most visible trends in the market is the adoption of near-field communication as the wireless standard for mobile proximity payments (those made by waving or tapping a mobile device at a register). Both Google and Samsung have announced NFC-driven payment capabilities, says Thad Peterson, senior analyst at consulting firm Aite Group. “The challenge with NFC is now on the merchant side, as the number of active NFC terminals is still low,” Peterson says. According to Pricewaterhouse-Coopers, fewer than 3% of merchants currently support NFC payments on their point-of sale systems.
A key driver of NFC will be the emergence of EMV (short for Europay, MasterCard, and Visa), a global authentication standard for the interoperation of chip-embedded payment cards and point-of-sale terminals. EMV technology has already been in use for years, particularly in Europe.
“The rollout of EMV within the U.S. has paved the way for widespread mobile payments capabilities with the deployment and current or future enablement of ‘contactless’ transactions,” says Andrew Luca, co-leader of the U.S. payments practice at PwC. The October 1, 2015, deadline for EMV chip card compliance will likely expand the number of compatible terminals, as merchants upgrade to newer systems, he says.
Another driver of NFC is the rapid expansion of in-app payment capabilities, which enable mobile consumers to make a purchase without exiting a given app. “That might actually be a bigger deal in the short term,” Peterson says. “Apple is moving to expand the Apple Pay capability to iTunes and the app store, and it’s likely that consumer adoption will be rapid, since it’s a much simpler way to buy stuff. Google launched Android Pay to help to do the same with Google Play.”
Mobile on the Move
One company that’s moving aggressively into mobile payments is Firehouse Subs, which recently rolled out Apple Pay in all 871 of its restaurants nationwide. Each restaurant “is ready to accept all types of customer contactless payments using NFC technology,” says Firehouse CFO Vince Burchianti.
The mobile payment transactions are conducted through Verifone terminals that are fully integrated into the company’s POS hardware.
“Firehouse Subs has been watching this new payment technology ever since Google Wallet was released four years ago,” Burchianti says. In 2013, when three mobile phone carriers — AT&T Mobility, T-Mobile USA, and Verizon Wireless — formed a company called Softcard for mobile payments, Firehouse Subs began offering the new payment form to customers in its locations.
With its payment hardware in place, Firehouse Subs is able to accept Apple Pay, Google Wallet, and possibly Samsung’s new mobile payment platform, Samsung Pay. Also, by adding the new payment hardware, the company will be ready to accept EMV technology by the October deadline.
“The best benefit is convenience to our customers,” Burchianti says. “To ensure our guests have the best customer experience, I want our customers to have as many payment-type choices as possible. If paying by phone makes them happy, we are ready to accept their payment.”
Although much of the adoption of mobile payment technology is in consumer-facing industries, experts say it has a place in the business-to-business market as well.
“I strongly believe mobile payments are not just restricted to the B2C space,” says Thomas Husson, vice president and analyst at Forrester Research. “Plenty of opportunities will emerge in the B2B space too,” he says, particularly among smaller companies.
“In the case of large corporates, it’s unlikely that we will see mobile payments playing a significant role in the near future,” Husson says. Existing tender types and controls fill the bill for what this segment of commercial transactions is seeking. But in the case of small and midsize businesses, “the behavior is often more similar to that of a B2C transaction,” Luca says. “As such, we would expect that B2C solutions will be expanded to support this segment.”
The McKinley Cos., whose subsidiaries provide material handling equipment, retail store maintenance services, and home elevators and accessibility equipment, has accepted mobile payments for both B2B and B2C customers for more than two years, according to CFO Kevin Rusin. All of McKinley’s field technicians, installers, and sales team are equipped with iPads or iPhones, and all the devices have a mobile payments app from Wells Fargo, called Commercial Electronic Office Portal.
The app allows McKinley employees to quickly scan and deposit checks from the field, says Rusin. “There is no need to drive to a branch or send the check back to our corporate office to eventually be deposited,” he says. This eliminates the potential for lost checks and decreasing accounts receivable, and allows McKinley to provide better service.
“If I have 100 employees in the field and each of them collects one check a week, driving to a branch and completing the deposit would be at least 30 minutes of their day,” Rusin says. “That is 50 man-hours a week in lost productivity.”
McKinley is awaiting new technologies for chip and PIN cards that can be used with an iPad and iPhone, Rusin says. “Once those become mainstream we will deploy those as well,” he says.
McKinley has also started to look at Apple Pay as a form of payment. “I believe it is critical for any business to accept any form of mobile payment possible,” Rusin says.
Security and Challanges
Mobile payments have some downsides and challenges, experts say. “On the B2C side, adopting a mobile payment strategy requires agreement and commitment across a range of stakeholders within a merchant’s organization, because the implementation impacts so many factors that are essential to their operating model,” Luca says.
Considerations include everything from customer experience and sales lift to hardware upgrade costs and data protection safeguards, Luca says. “Given these and many other factors, the decision to green-light a mobile payments strategy is often made at the highest levels of an organization.”
Perhaps the biggest concern is ensuring that all transaction data is safe from cyberattackers. “A key security issue is, who has access to the cardholder data, and how a merchant responsible for protecting that data knows who may also have access,” says Leach of the PCI Security Standards Council. The key is to understand how to protect cardholder data on a device throughout the life of that information, and make sure the information is transmitted to the intended entity, he says.
“Smartphones provide many new capabilities, but also new threats that do not exist with traditional payment acceptance,” Leach says. “We must always remember to protect the confidentiality of the data.”
The PCI Council has been focused on creating ways to eliminate static data from being exposed in consumer-grade devices, with such technologies as tokenization, encryption prior to entry into the mobile phone, and other techniques to simplify the process and minimize the risk at the same time.
A major challenge is the fragmentation of the overall payment solution and who is accountable for the security, Leach says. “For instance, there is the mobile application developer, mobile network operator, mobile device manufacturer, OS developer, and chip developer, who all have an effect on the security of the overall solution,” he says.
Security with mobile payments can be complex because most of the key aspects of a transaction are outside the control of the company performing the transaction, adds PwC’s Luca.
“For the parts that are ‘controllable,’ similar controls will be necessary to protect mobile transaction data as are currently used for regular transactions,” Luca says. “That’s particularly true as most variations of mobile payments are using existing underlying payment systems.”
Existing controls such as the PCI standards would come into play to support these solutions, Luca says. “It’s important to note that with at least some of the solutions, these controls are less necessary given that the account number that’s stored on the device is specific to that device and not usable on other devices,” he says. “However, with that said, crime is a business and criminals will find a way to exploit solutions for their gain.”
Another concern that merchants need to be aware of is how they are collecting and using any type of personally identifiable information, says Luca.
“Data related to the transaction is rapidly becoming more valuable than the transaction itself,” he says. “As this continues, more and more data will be collected. These developments are in advance of regulation, and merchants will need to carefully protect the data that they are collecting.”
Industry efforts are under way to try to bolster payments security. The PCI Council has a dedicated mobile task force made up of industry players that works with other standards bodies, vendors, banks and processors to promote the development of secure devices by providing guidance on what’s needed.
“For example, when it comes to using mobile devices as point of sale terminals in place of hardware terminals specifically, the council has developed best practices for businesses on accepting mobile payments with a smartphone or tablet,” Leach says.
Will security threats get worse and more sophisticated as mobile payment becomes more common? “Cybercrime adapts to the prevailing technology and, of course, to where the money is,” Leach says. “So yes, the threat level and sophistication of attacks is likely to increase. [That’s] why we should be as innovative in payments as we are with new mobile technology developments.”
The various efforts under way to bolster security and make it easier for companies and consumers to conduct transactions with devices will only help fuel the growth of a mobile payments trend that’s now well under way.
Ultimately, the value of mobile wallets like Apple Pay and Google Wallet will go well beyond payments, experts say. Husson of Forrester Research says mobile wallets will morph into rich marketing platforms over the next five years. By aggregating offerings, loyalty points, coupons, and product information from multiple brands on top of faster and more-convenient payments, mobile wallets allow marketers to extend the brand, improve conversion rates, and drive traffic and sales, Husson says.
Consumers, particularly in the U.S., are interested in accessing all these types of services in a mobile wallet, Forrester noted in a research report on the market released in February. For example, 57% of 3,553 U.S. online adult smartphone users surveyed were interested in having access to loyalty program points and rewards within a mobile wallet.
So far, however, only 14% of marketers and digital business executives surveyed by Forrester have used or are using digital mobile wallets. These are mostly retailers, such as Bloomingdale’s, McDonald’s, and Sears, but they also include airline companies. Still, many more companies are planning to add mobile wallets to their marketing strategies as well as add related marketing tactics such as push notifications and beacon marketing, according to Forrester.
Bob Violino is a freelance writer based in Massapequa Park, New York.