Hey! must be the money! A payments primer

The Great Payments Shift

The terms and technology for buying and selling stuff in this Brave New World.

There’s a lot going on in the world of payments: new credit cards, Apple Pay, Google Wallet, chips, PINs, and on and on and on. You’ve heard about it, but there are enough jargon and acronyms involved to drive the savviest of technophiles crazy, though. No worries. We’re here to help.

Background

We’ve been using credit and debit cards with magnetic stripes on the back of them for about 40 years. It’s an old technology and it’s broken. The United States is pretty much the last major market to still use magnetic stripe cards. The rest of the world has moved on to chip cards. More on that later.

Why has (almost) everybody moved away from magnetic stripe cards? Fraud. Magnetic stripe cards are easy to clone/hack/steal. Canada lost CA$245 million to credit card fraud in 2008. Then, they switched to chip cards and by 2013 the fraud had dropped to CA$111 million—more than half. By comparison, The United States had $5.3 billion in credit card fraud in 2013 and it’s rising every year. Half of the world’s credit card fraud happens in the US but we only process a quarter of the credit card transactions. That’s a big problem, but there’s a solution: chips.

On Thursday, October 1, 2015, the United States will take it first major step in moving from the old magnetic stripe cards to the new chip cards (and other new technologies: mobile payments). That’s when the “Great Liability Shift of 2015” happens. More on that later, but let’s just say that the liability shift is what you call kind of a big deal, especially to merchants.

Let’s start this off with a little bit of vocab:

Glossary

Magnetic stripe cards are what you and I have in our wallets. The stripe on the back of our cards is pretty much just like the magnetic tape in an audio cassette of Michael Jackson’s Bad (which, incidentally, is his best album, but that’s a different blog post).

If you really like to nerd out, you’ll appreciate knowing that, just like a cassette, there’s a bunch of tiny flecks of iron oxide (rust) in that stripe. Your credit card number is encoded in those flecks of rust by making some flecks point up and some flecks point down. Whatever. If you don’t like to nerd out, you’ll want to know this: the data in the stripe is static.

The credit card number and other details don’t change and aren’t secure. I can steal that information with a $20 gadget I bought on eBay. Of course, I can also steal your information by taking a picture of your card with my phone or even (elementary-school-style) doing a rubbing of the numbers on the card with a piece of receipt paper and a pencil. But that’s old school; we’re talking about TECHNOLOGY here.

EMV – EMV stands for Europay-Mastercard-Visa. That’s the companies that formed a consortium to develop chip cards. But that doesn’t matter. “EMV” technology is a hard way of saying “chip” technology, so we’ll just call them chips.

Chip cards – This is a “chip.” You’ve seen them and you might have them:

That little chip stores your credit card info in it, but it’s different from the stripe. The information in the card changes over time, so your “credit card number” changes every time you use your card, and when you use your card the payment terminal checks the chip’s information with your bank’s computer to make sure it’s legit.

Dork time: Not only does the information change all the time, but it’s encrypted. If the information in the chip reads “123ABC,” the information read from the chip (and transmitted to your bank) might read something like “AB765F7a6dC66D81AEB” and only your bank has the “encryption key” to read that junk. Once it translates the code it checks to see if it’s right. If it is, the bank sends a thumbs up back to the credit card terminal and your transaction goes through and now you own a new pair of pants. Disclaimer and Debbie Downer: no encryption is perfect; everything can eventually be hacked. But in the case of these chips, it’s really hard and really time-consuming to hack it. Thus, it’s much safer.

These chips require that the card be “plunged” into the credit card terminal. It’s not wireless like NFC (See below). The use of the chip is accompanied by the customer scrawling a signature or entering a PIN (Personal Identification Number). More on that later.  This is how you plunge a chip card:

Chip transactions can be authorized with either a signature or a PIN. The US will be using chip-and-signature for a while before moving to chip-and-PIN because we’re more used to signatures. Making a chip-and-PIN credit card transaction is just like making a debit transaction, so it won’t big deal.

Fun fact: Chip-and-pin is also better. If I got my hands on your credit card I could use it and sign your name. Or Michael Jackson’s name. Or even “XOXO.” I do this all the time with my mom’s card when she asks me to do some shopping. It doesn’t matter what I sign because odds are that literally no one will ever look at that signature. Big companies don’t check signatures because it’s cheaper to just eat fraudulent charges than it is to pay people to manually check the validity of signatures.

Chips are better than magnetic stripes, and the USA is in the process of moving to chips. But, of course, there’s more going on:

NFC stand for Near Field Communication. That’s a technology for sharing information between one thing and another wirelessly–without contact. Also known as “contactless payments” or “tap-to-pay.” So, you can pay for with an NFC card (or smart phone) by just holding the card (or phone) near the payment terminal.

If you like to nerd out, you’ll be interested in knowing that this works by induction. NFC payment terminals emit a small electromagnetic field around the terminal. When you hold an NFC-enabled card (or mobile phone) near the terminal, the field energizes the NFC chip in the card (or phone) and allows the chip to transmit your info wirelessly to the terminal without having a battery in the card.

This only works over a distance of a few inches, though. Notably, the “credit card information” is always-changing and encrypted just like the information in the chips we just talked about. It’s sort of like magic money.

Mobile payments are various ways that a customer for pay for something using their smart phone (or watch!). There have been mostly proprietary software solutions from companies like PayPal, Square, Starbucks, Subway, Flint, Domino’s, and the kitchen sink. People tried a ton of different ways to do mobile payments. That was fun for us nerds, but it was kind of a mess for everybody else, though. Now on the 6th day, Google and Apple (and PayPal, et. al.) are all converging on NFC technology, and thus that is the way of the future, and it is good.

Mobile payments based on NFC are as or more secure than a chip or NFC card payment. This is primarily because, with a smart phone, you can add more layers of security. Biometric authentication (ie, a fingerprint scan) replaces a PIN and things like tokenization make it even harder to steal payment data. It’s also really convenient.

Nerd term 1: Biometrics are unique physical, biological characteristics of a person that can verify that they are indeed who they say they are. One of the most common types of biometric authentication is the finger print. Iris scans, facial recognition, voice recognition, and even palm scans have been used as well. Fingerprint scanners have gotten good enough now, though, that they are becoming the dominant method.

Nerd term 2: Tokenization is a security feature you might have heard of when Apple Pay was launched. The technology has been around for a while, but Apple improved it a little and brought it to the big stage. The technology behind tokenization is a little complicated but, in short, the token is a unique, encrypted code that gets transferred over the wires when a payment is processed. Only the payment processor can verify that it’s correct and the data is useless if it’s stolen along the way. What all this boils down to is simple: tokenization is an extra layer of security that all happens in the background so you really don’t need to worry about it. Just be glad it’s there.

Why are mobile payments convenient? Almost all of your customers have a smart phone. Mobile payments are quicker than traditional ones because they dispense the whole card swipe/plunge interaction and you can even eliminate paper receipts. All of this, and more, matters because taking friction out of the payment process is critical to making money. Merchants should make paying for something so easy that it’s an afterthought and capitalize on impulse buying. Plus, security and fraud protection is important to everyone.

The liability shift is what’s driving all the change. Because fraud is so high in the US, the government, banks, and other interested parties all chipped in to help drive the adoption of chip (aka EMV) cards to cut down on fraud. The “liability” in this is all about who’s responsible for fraudulent charges, and the rules for that are changing on Thursday, October 1, 2015. Right now, if you sell pants to someone who’s using a fraudulent credit card, the bank eats the cost and you as a merchant aren’t liable. In October, however, merchants will become liable for some transactions. Here’s how: If a customer uses a chip card for a transaction and you swipe the magnetic stripe on that card, and then it turns out that the charge isn’t legit, you are liable for the cost and would have to pay it out. We don’t want that to happen.

What does it all mean?

What does all that mean? It means you probably need a new credit card terminal and you’ll want to go ahead and get in the habit of plunging cards instead of swiping them. When you go looking for a new payment terminal, be certain to ask for one that supports contactless payment standards as well as chip cards. You may want to specifically ask for confirmation that the terminal works with Apple Pay and Google Wallet, as those are the two largest players, potentially with Samsung joining them, and they will be for quite some time.

You can call your current credit card terminal provider or payment processor for more information. You can also check out options from Square, Clover, Shopify, and LightSpeed. Note that some of those providers don’t have mobile-payment-friendly hardware out yet, but have announced that it’s coming later this year. There will be many more options, too. Still, those companies offer great information on payments for small businesses, and were the source of much of the information in this post. Check ’em out.

See, you thought it would be complicated but you just didn’t give yourself enough credit.