[This post originally appeared on forbes.com here: http://www.forbes.com/sites/bruceupbin/2013/02/15/tokenization-and-the-collapse-of-the-credit-card-payment-model/]
It’s been a fascinating couple of weeks in the token world. We have Monopoly’s decision to replace the iron with a cat, based on a poll launched on their Facebook page. Feels like selection bias to me; is anyone surprised that the population of people who are fans of board games on Facebook also like cats?
More germane to my obsession with payments was the announcement that Braintree re-launched Venmo as a cardholder-side multi-merchant tokenization system. I realize that’s a mouthful, but here’s what it means:
- Braintree provides payment acceptance to many (most?) of the most popular online and mobile merchants, like Uber, Fab, HotelTonight, LevelUp, etc.
- Because all of these merchants have huge mobile traffic, they encourage users to “vault” (i.e., store) their credit card information with them, so when they return they can check out with one click (or in the case of Uber, no clicks.) In actuality, all of these payment card details are vaulted at Braintree.
- Braintree has convinced at least some of these merchants to contribute their users, on an opt-in basis, to a consortium, such that if I am an Uber customer, and I show up to HotelTonight for the first time, Braintree recognizes me and asks me if I want to use the credentials I’ve already stored with Uber to check out with HotelTonight.
- Braintree has 35MM credit cards vaulted … maybe 20% of the adult US population, and probably 100% of the early and mid adopters in this country.
- The reason this works, from a security perspective, is the data on the device you are using. Because they fingerprint your phone (or PC), and require a password, they have the classic “something you have” and “something you know” security formulation nailed. In the mobile use case, they also have fraud sensitive data like location; if anything I think this will be a more secure transaction than a typical e-commerce situation (more on that later.)
In the real world, the concept of a token generally refers to the act of substituting something simple and convenient for something more cumbersome or complicated. Think of the utility of a subway token in preference to cash, or (as in Monopoly), how much easier it is to move a game piece around a board than your physical self. In the payments world, tokens have traditionally been used to enhance information security. Tokenization* is a system where you substitute a proxy set of identifying information for the real payment card data, so that merchants don’t have to handle this sensitive and regulated data and it isn’t exposed more than necessary. This original logic for tokenization (keeping merchants free from hosting payments data) has been taken to the next level by Braintree … the same idea is now being used to make the payment experience quicker and easier, through their consortium model (“if you’ve paid anywhere else, you can pay here, too.”)
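The vaulting and opt-in reuse flow from the list above, together with this definition of tokenization, sketched as an added example that is not from the original post and is not Braintree's code. The class, its method names, the merchant labels and the test card number are constructed, and exact-match device fingerprinting is a simplifying assumption.

```python
import hashlib, hmac, os, secrets

class ConsortiumVault:
    """Toy processor-side vault: merchants hold tokens, never the card number."""

    def __init__(self):
        self._cards = {}        # user_id -> card number (only the vault sees it)
        self._auth = {}         # user_id -> (salt, password hash, device fingerprint)
        self._opted_in = set()  # users who agreed to cross-merchant reuse
        self._tokens = {}       # token -> (user_id, merchant it was issued to)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _issue(self, user_id, merchant):
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the card
        self._tokens[token] = (user_id, merchant)
        return token

    def enroll(self, user_id, pan, password, device, merchant, opt_in):
        """First merchant vaults the card and gets back a merchant-scoped token."""
        salt = os.urandom(16)
        self._cards[user_id] = pan
        self._auth[user_id] = (salt, self._hash(password, salt), device)
        if opt_in:
            self._opted_in.add(user_id)
        return self._issue(user_id, merchant)

    def reuse_at(self, user_id, password, device, new_merchant):
        """New merchant gets a token only on opt-in plus both factors matching."""
        if user_id not in self._opted_in:
            return None
        salt, stored, known_device = self._auth[user_id]
        knows = hmac.compare_digest(self._hash(password, salt), stored)  # something you know
        has = hmac.compare_digest(device, known_device)                  # something you have
        return self._issue(user_id, new_merchant) if knows and has else None

    def charge(self, token, merchant, cents):
        """Resolve a token inside the vault; a token stolen from one merchant fails at another."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] != merchant:
            return None
        pan = self._cards[entry[0]]
        return {"merchant": merchant, "cents": cents, "card_last4": pan[-4:]}
```

Because each token is bound to the merchant it was issued to, a breach at one merchant yields nothing that can be replayed elsewhere, which is the security half of the argument; the `reuse_at` path is the convenience half.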
The important irony here, which is also true of Square’s tokenization strategy (Square Wallet, where the Wallet serves as a “token” to mask the underlying payment card credentials), is that the tokens being used are actually more authentic than the underlying “real” identity. Historically and generally, tokens are nonsense strings of characters, designed to abstract away from and hide the true goodies, your credit card number. But consider the token that Braintree is using: the fingerprint of your device plus your location plus a password. And Square? They use a picture of your face. What’s more real, a 16-digit number or a picture of your face? Remember, the purpose of the payments query that a merchant initiates when you try to pay for something, whether online or in-store, is authentication, i.e., are you actually you? This gets done through the inherently flawed mechanism of merely checking that the card that has been presented (or typed in) is actually valid. What Braintree and Square have done is create self-authenticating tokens in a natively multi-merchant construct, and that is a frigging big deal.
The current retail payments industry rests on what is called the four party payment model. The four parties in question are: 1) cardholder, 2) cardholder’s bank, 3) merchant and 4) merchant’s processor/bank (known as the merchant acquirer). When the cardholder swipes their card at a merchant, the card and transaction data flow through the merchant acquirer to the cardholder’s bank, which confirms that the cardholder is authorized to make the transaction. This structure was invented and is perpetuated by Visa and Mastercard, who serve as the information switches between the four parties.
They’ve never been linked, that I’ve read, but I think it’s more than a coincidence that Visa was founded shortly after the interstate highway system. Before Visa, non-cash transactions were done using store credit … because most merchants knew most of their customers before the 1950s, you didn’t need elaborate authentication schemes. After the 1950s, Americans grew far more mobile, and store credit became less practical; hence Visa and Mastercard emerged, to enable transactions between strangers. If you’ve ever used Square Wallet, you’ll know what I’m talking about here: it feels like the 1940s. When your face pops up on the retailer’s point of sales system, and the clerk calls you by name, you are no longer a stranger. I’ve yet to have the pleasure, but I’m certain that when I show up on OpenTable and am greeted by name and asked if I want to check out with my Uber credentials, I will also feel warmly recognized.
This is horribly threatening for all of the incumbent players in the four party model: traditional acquirers, issuers and the networks. Plain vanilla merchant acquirers will struggle to compete with Braintree online and Square offline as their tokenized user bases grow (NB: Square is actually well behind Braintree on this front and we’ll see how they do; IRL is harder than online.) The issuers lose their ability to differentiate. Once tokenized and hidden, any given card product is far more vulnerable to being displaced, as the issuers have already learned from PayPal. How do you stay “top of wallet” when there is no real wallet? As for the networks, their demise is harder to articulate. Visa and Mastercard are fortresses, growing 20% per year like clockwork, despite the law of large numbers. I will leave it at this: in a world where everyone is known, there is no need for an omniscient middleman. That feels like a scary fact for the networks.
*Per usual in these blog posts, I’m sure there is a specific definition of tokenization that I’m getting wrong.