Mobile payments, and why you should care about CurrentC
If you’re at all interested in mobile technology, there’s a good chance you’ve seen an article recently about CurrentC. These posts typically carry a theme along the lines of “Apple Pay blocked by CVS” and there’s very little information outside of these brief details. It’s not hard to guess why this happens — mobile payments in context are complex and boring. It’s not information that can be distilled into 300 words, and to compensate for this the narrative changes to reflect some kind of war happening in mobile payments, and this huge corporate overmind is sweeping aside these other mobile payment options in exchange for this option that they control. The truth is, there’s a whole lot more to this story. In order to help make sense of everything that is happening with mobile payments, Chris Sewell and I will attempt to thoroughly break down each of the current offerings and explain both why there is never going to be a single major mobile payment service and why you cannot simply will the offerings you don’t like away.
The folks at Apple have put their usual polish on an existing technology, making it possible for anyone with an iPhone 6 or iPhone 6 Plus to take the Passbook app and use it to pay for things through the power of NFC. Users can just tap their phone to an NFC terminal, tap card they want to pay with, press their finger to the TouchID fingerprint sensor (or enter a passcode), and the transaction is complete. It’s simple, fast, and like all things Apple it is visually appealing.
Apple Pay works through a secure element between the NFC chip and the rest of the phone. That secure element stores a dynamic security code that is generated specifically for this transaction. At the end of the transaction the only thing the retailer has is enough payment data to process this one time transaction and, of course, the list of things you just purchased. The information shown to the retailer is provided through Apple Pay, and is not the same as the information that would be provided if you had swiped your card. Apple Pay never gives your credit card information to the vendor accepting your payment, and the transaction data that leaves from the secure element is different every time thanks to the dynamic security codes Apple uses. This means that, even if a credit card breach happened through a retailer you regularly shop at, your payment information would be perfectly safe. Meanwhile the only data Apple gets out of the transaction is that you’ve sent money to a specific retailer, and even then Apple is not aware of the transaction details.
On the transaction side of things, Apple takes a .15% cut of the entire transaction as a sort of processing fee. This Apple Pay fee is on top of the processing fee charged by the credit card processors themselves, and the retailers who support Apple Pay are footing the bill. To help mitigate these fees, Apple has partnered with several banks to offer lower transaction fees to these same retailers when processing Apple Pay payments. It’s not clear whether or not the lowered fee and Apple’s fee cancels each other out in every case, so there could be cases where some Apple Pay transactions are more expensive to retailer than others. Additionally, Apple splits some of the liability with the banks when an Apple Pay transaction happens, should there ever be concerns with fraud or double transactions.
Folks eager to try their hands at tapping an iPhone to a payment terminal were happy to hear that Apple Pay launched with support at 220,000 locations, thanks to Apple’s decision to make sure the service played nice with existing infrastructure. On top of the relationships Apple secured, like Disney, the tech works with Visa PayWave, Mastercard PayPass, and American Express ExpressPay. As a result, Apple Pay saw more than one million card activations within 72 hours of launch and is now hands down the most popular mobile payment solution in the US.
Yeah, I know. Google has offered the ability to pay for things through NFC ever since 2011. Android fans love to remind everyone that Google had this feature first, but the truth is despite that three year head start Google Wallet has yet to take off. There’s a few reasons for this, not the least of which is straight up hubris on Google’s part, but the most important thing to focus on is that Wallet is available and works very well now on phones running Android version 4.4 or higher, which is about 25% of all Android phones.
In its current form, Google Wallet allows you to add just about anything to the app and use it at a form of payment. Where Apple Pay is currently limited to a handful of credit cards and debit cards, Google Wallet currently allows almost every debit card, as well as gift cards and even a couple of loyalty cards. Google doesn’t have any Wallet-only terminals anywhere, either. Instead, you have access to any Mastercard PayPass and Visa PayWave. Unlike Apple Pay, Google Wallet does not currently work at American Express ExpressPay terminals.
The NFC payment system being used on Google Wallet is fundamentally different from Apple Pay in one key way. Google uses Host-based Card Emulation instead of a secure hardware element. Google’s method ensures that Wallet can be used even when the hardware manufacturer chooses not to include a secure physical element by creating a virtual credit card to process the transaction. The payment information is never stored anywhere else on the phone, and when you want to access your payment information in order to make a payment you have to enter in the four-digit pin that the user creates during setup. When the transaction is complete at the register, it is actually Google who has paid for whatever you just bought. Google acts as an intermediary, who then turns around and bills whatever payment method you just used.
It’s worth pointing out that users who have gained root access to Android can bypass the need for a pin, which creates a particularly nasty vulnerability for those users. It’s relatively difficult for this to happen without the user being aware of it, but not 100% impossible. In most cases, understanding that this is already a small subset of Wallet users to begin with, the user is aware that this vulnerability has been created.
On the transaction side of things, Google does not charge retailers anything extra for using Wallet as a payment mechanism. As is almost always the case with Google, what you get instead is location specific advertising. Google stores your loyalty card data and uses that to point out applicable retail locations you frequent. Location settings can be disabled, but are on and actively reporting back to Google by default when you make a purchase.
Softcard Wallet (formerly Isis Wallet)
During the infancy of Google Wallet, there was a lot of back and forth about carriers blocking the Wallet app on Android phones that were currently being used on AT&T, T-Mobile, and Verizon Wireless. One of the major criticisms of Wallet at the time was the lack of a secure element to securely store data, and that was one of the big reasons used to defend the blocking of Google Wallet. While this conversation was happening, these same three carriers announced a mobile payment collaboration called Isis Wallet. That app has been rebranded to Softcard, and is now an NFC payment solution just like Apple Pay and Google Wallet.
While Apple Pay and Google Wallet utilize an NFC chip that is embedded in the phone itself, Softcard originally relied on an NFC chip and secure element that was embedded in a SIM card. These special SIM cards can only be provided by the carrier, the logic being that they could be used on anything running the Softcard app. Currently Softcard works with a handful of Android devices as long as you request the special SIM card for your phone.
Softcard users can load credit cards from American Express, Chase, Wells Fargo or an American Express Serve pre-paid account. If you have none of those and would still like to use Softcard, you can load money directly into Softcard with an unsupported credit card, bank account, or debit card. Users enter in a pin before tapping the phone to a payment pad, and the app generated a unique transaction ID to feed the retailer. Like Apple Pay, when the transaction is complete the retailer only has the information from that unique ID. Softcard uses Discover for their end of the transaction process, and they are the only mobile payment solution with an agreement through Discover.
The Softcard app has its own form of loyalty card storage, and uses this information to provide special offers and coupons. These offers are provided through the app, and in most cases allow you to simply approach the register and have a barcode scanned before completing your purchase with a tap to the transaction pad. Softcard does not track purchases, but through the loyalty card storage a offer system are able to create special promotions with select retailers.
Given the apparent scale of apps like Apple Pay and Google Wallet, it may seem odd to include Starbucks in a list of major mobile payment solutions. The truth is, through the Starbucks app more than five million transactions happen every week. The Starbucks app is responsible for 15% of the transactions seen inside of this coffee chain, and that has everything to do with the app being functional in 18,000 locations across 50 countries. This app may not be replacing your entire wallet anytime soon, but it would be foolish to dismiss Starbucks in this list.
Instead of relying on NFC, Starbucks has been using a barcode system for their transactions. Users add their payment cards to their Starbucks account, and the barcode is scanned instead of the card being swiped. Your cards are never stored on the phone you are using for the transaction, which can be an iPhone, Android Phone, and Windows Phone. Additionally, you can use just about anything as a form of payment when loading data into your account.
More than just paying for your coffee at the register, the Starbucks app has expended to being used for tipping the staff as well as pre-ordering and pre-paying for your beverage before you even arrive at the shop. The benefit to Starbucks is obvious, as it allows the company to provide users with targeted coupons and ensure each customer is a satisfied repeat customer.
There currently exists a retail collective called the Merchant Customer Exchange, or MCX for short. This collective consists of over 70 major retail companies, including names like Wal-Mart, Target, Best Buy, Shell Oil, Sears, Publix, and so many more. MCX has created a payment solution that eliminates credit card transaction fees from the equation, and that payment solution is called CurrentC.
In its current form, CurrentC is an app that generates a QR Code on your phone in order to complete a transaction. After loading payment information into the app, CurrentC requires users to scan a QR Code at the register. After scanning that code, the app generates its own QR Code for the register to scan. None of the user’s payment data is transferred, it’s just a series of randomly generated number that act like a handshake. The payment then happens elsewhere through a service called Paydient. In theory, this handshake prevents sensitive information from being intercepted and makes the transaction secure.
Rather than loading existing credit cards or debit cards into CurrentC, users are required to attach their bank accounts directly to the app. This process is essentially an ACH Payment, which means every transaction is an authorization to debit directly from the customer’s checking or saving account. There are future plans to support certain kinds of gift cards in CurrentC, as well as vendor bank accounts. For the uninitiated, vendor bank accounts are what happens when you have enough rewards through a vendor to merit a loyalty credit card but either do not want or lack sufficient credit to maintain a loyalty credit card.
One of the fascinating parts of CurrentC is how the payment process will actually happen in most cases. With every other mobile payment app, you have to open that specific payment app and go through the process of completing a transaction. Because almost all of the MCX partners have their own loyalty/rewards app in the Apple App Store and Google Play Store, CurrentC has been designed to simply integrate into many of these apps. This means many users will not need to leave the app that is already selling them a product through coupons or rewards, and instead will be able to just initiate the primary QR Code scan from within the loyalty/rewards app.
On the transaction side, since the vendor is also the payment authorization system, you are giving all of your information to whoever you are buying something from. As a user, you have already provided a great deal of data through the loyalty/rewards app. On top of this, CurrentC needs an immense amount of personal data just to access your bank account. This includes your physical address, social security number, and everything attached to your bank account. On top of this, the CurrentC app requests that you grant it access to a ton of information on your phone. This includes health data and location data. Again, since in this situation the vendor you are buying from is also the payment system, you are handing all of this information over to the companies you are buying things from through CurrentC.
“No one likes CurrentC, so why is this a problem?”
Most folks in the tech community heard about CurrentC recently, when it became clear that at least two vendors that previously accepted NFC payments stopped. Rite-Aid and CVS shut off NFC entirely just days after Apple Pay was launched, and it became clear that these two companies belonged to a group that was preparing a competing product for release. While the timing is certainly curious, the truth is this was already going to happen at Rite-Aid and CVS. It’s going to happen at a lot of other places as well.
Every company in MCX wants to be there, and they want CurrentC to be a big deal. Just to have someone from MCX come to your business and pitch the invitation to MCX, there’s a $30,000 fee. Each of the charter members paid $1 Million to join, and currently the fees for other retailers are anywhere from $250k to $500k. These companies sign a three year deal to be a part of MCX, with a one year grace period that lets them back out. In many cases, that one year grace period has either already expired or is coming up on the deadline quickly. These are all companies that firmly believe in the mission statement, and paid for the privilege.
What’s the mission statement? Well, for CurrentC, it’s all about trying to eliminate credit card processing fees. This is about 110,000 retail locations that take over $1 trillion in payments wanting to keep that sliver off the top Visa and Mastercard keep taking with every swipe. None of these companies like paying that credit card fee, Wal-Mart least of all, especially after turning down a $5.4 billion settlement with Visa and Mastercard back in 2012. With Wal-Mart as a figurehead for MCX, it’s not hard to see why CurrentC is such a big deal to this group.
It’s easy to be dismissive of something like CurentC if you’re a tech savvy user who is interested in things like Apple Pay and Google Wallet, but dismissing this mobile payment effort isn’t going to make this app go away. As you can see, this has almost nothing to do with MCX building a competitor to Apple Pay or Google Wallet. As far as MCX is concerned, both of these payment services are an extension of the issues the group has with the credit card companies. The scale of what CurrentC was built for is much larger than Google or Apple, as difficult as that may be to frame and understand.
A fantastic list of what not to do, followed by how you can help.
As news hit the Internet about Apple Pay being blocked, users have scrambled to respond to CurrentC in the only ways they know how. It started with rage posts on social networks, followed by this odd sort of mutual patting on the back as Android and iOS fans worked together to “teach CurrentC a lesson”. Since that happened, everything from petitions on WhiteHouse.gov to thousands of 1-Star reviews on the Google Play Store and Apple App Store for the CurrentC app coupled with scathing reviews of the app that none of these people had ever used started to filter in from everywhere. Since most users will be using CurrentC through vendor loyalty apps and not through the core CurrentC app, this effort was just about as useful as the White House petition. But hey, iOS and Android fans agreed on something, even if they weren’t totally sure what exactly they were agreeing on due to the volume of misinformation out there.
The truth is, CurrentC is actually going to be incredibly convenient for the average consumer. After attaching their account to the service, users will be able to quickly pay for things through the apps they are already using. Remember, these aren’t just normal payment apps. These are loyalty and rewards apps, and any US citizen who has ever been shopping in a grocery store anywhere will tell you that Americans absolutely love loyalty and rewards programs. We happily shovel over tons of information about ourselves every day in order to get $.20 off half a pound of bacon, and in app form these vendors are able to offer promotions and coupons in real time. CurrentC is not likely to start out with the kind of explosive popularity that Apple Pay enjoyed, but simply by existing in these apps the service will grow at a steady and constant rate. The folks inside MCX know this, because that’s what has happened with things like loyalty credit cards. This is “even better” because it just plugs right into your bank account and gives you all of those same rewards. What convenience-focused consumer wouldn’t jump all over that?
Much like everything else security and personal data focused, the only way to ensure users are less likely to sign up for CurrentC, and please carefully read where I said “less likely” and not “defeat”, is through education. Major retailers all over the world want to slurp up all of your personal information, use it to create incredibly targeted ad campaigns, and with any luck use your desire to get $.50 off your next cup of coffee to dramatically decrease the amount they pay each year to companies like Visa and Mastercard. There’s absolutely nothing stopping these companies from selling your data to the highest bidder, and because they have the ability to shut down competing services with the flip of a switch it’s not going to be easy to enjoy an alternative mobile payment solution through many of these retailers.
CurrentC is obnoxious at worst, but truly dangerous to consumers at best. There’s no amount of angrily shouting on the Internet that will make this service go away, because in those situations the people who would be listening aren’t the target market. Unlike most new technologies, CurrentC doesn’t need the adoption of techy early adopters. It just needs to demonstrate convenience to get the attention needed to take off. Educate the people around you about keeping personal data safe, and make it clear that CurrentC is the exact opposite of keeping your personal data safe.