Choosing the right acceptance technology is central to any merchant payments strategy. It has major implications for the cost of scaling up the acceptance network, usability and adoption by customers, and the features and capabilities the technology can support.
First, it is worth considering if there is an acceptance technology that already dominates the market; you may be able to piggyback on it. Piggybacking on an acceptance technology that is already widely used could save significant initial set-up and learning costs. On the other hand, introducing a new acceptance technology can sometimes yield significant advantages, such as when Square revolutionized the card-acquiring space with its cheap mobile magstripe readers. If there isn’t a dominant acceptance technology already in place, the provider has an opportunity to effectively define the standard and thus gain a first-mover advantage.
There are several issues that providers should consider when evaluating different acceptance technologies, each of which has advantages and disadvantages. The main considerations include:
- Minimum requirements in terms of devices and backend infrastructure needed.
- Costs for establishing the acceptance points, which are typically borne by the provider or the merchant (rather than the consumer).
- User experience in terms of complexity, the amount of information that needs to be entered and by whom, and speed at the till.
- Security with regard to fraud.
- Interoperability, meaning how easy it is to harmonize across providers.
When considering these issues, providers should remember to take a long-term view of infrastructure and systems, while they also prioritize initial uptake. With regard to user experience, familiarity with processes and interfaces will organically facilitate better experiences over time. Moreover, clunky low-end devices will soon be replaced by sleeker, newer machines, and connectivity and speed will likely improve. A certain level of failed or erroneous transactions is expected in the beginning but will soon diminish as users gain experience.
However, to drive uptake at the outset, solutions that require the merchant (rather than customers) to enter transaction details tend to be easier because merchants tend to do more transactions (and hence get more practice) while also being keener to make the transaction work. The acceptance technologies explored here allow for this dynamic, with the exception of merchant-side static QR (quick response) and merchant-side passive NFC (near-field communications).
When considering security, providers should remember that various mechanisms can be layered onto these basic technologies. The acceptance technologies described here can be (and typically are) combined with (i) transaction authentication, typically via PIN code, and (ii) confirmation messages, typically via SMS or in-app prompt. Whether and how to implement these are up to the provider, subject to relevant regulation; they do not depend on the choice of acceptance technology. As such, PIN authentication can happen on the merchant device or on the customer device irrespective of the acceptance technology, even where transactions are initiated on a merchant device (e.g., a USSD session can be automatically initiated on the customer’s phone for safe and private entry of the PIN).
QR Codes
QR codes are matrix barcodes that contain information that consumers or merchants scan using the camera on their phone, thereby bridging physical retail and e-commerce.
QR codes often are presented on the merchant side, with customers scanning the code in a smartphone or feature phone app. But customer-side QR codes are also common: popular American apps like Starbucks and LevelUp let customers pay by presenting a QR code from the company app or prepaid cards, which the merchant scans. Chinese payments giants Alipay and WeChat Pay enable transactions in either direction, such that either merchant or customer can read the other’s QR code.
QR codes can be either static (i.e., the code always contains the same information, typically a merchant or customer account number) or dynamic (i.e., a different code is generated on the fly for each transaction).
Static QR Codes
Static QR codes can be very simple from a distribution standpoint: all a merchant needs is a printed image of the code that consumers scan using a payment app, or vice versa. Often, the customer scans the merchant’s QR code, enters the amount owed, and then enters her PIN to authorize the transaction. This is popular in India and China, for example, where a street vendor or market stall will prominently display a laminated card with the merchant’s QR code.
Requirements. While static QR codes are often associated with smartphones, they actually require only a feature phone (held by either merchant or customer) that is online and a QR code imprint, which can be printed onto virtually anything (stickers, posters, business cards, or websites).
Cost. Static QR codes can be one of the cheapest acceptance technologies to use because, if either merchant or customer already has a feature phone or better, no additional devices are required by the other party. This makes deployment cheaper and easier for acquirers. While the QR code cards or stickers do need to be distributed, this is far cheaper than any of the acceptance devices required by other technologies.
User experience. QR codes are simple to use because one side of the transaction (customer or merchant) only has to show their code while the other takes a picture of it with their phone, which they typically already know how to do. Time at till is usually moderate: customers or merchants must typically unlock their phone, open the appropriate app, hold the phone still to scan the QR code, input the amount, and authenticate the transaction. QR readers on phones can occasionally be slow and difficult to use, especially on feature phones (which may also not support the payment app) or where connectivity is slow, and they may be affected by lighting conditions. Also, while static QR codes automatically present the right account number, the payment amount still has to be input manually, which may be prone to error.
Security. Static QR codes are vulnerable to fraud, even when combined with transaction authentication via PIN code and confirmation via SMS, because anyone can generate and display a QR code. On the merchant side, fraudsters in China recently pasted their own codes over the merchants’ codes to direct payment to the wrong accounts. On the customer side, fraudsters can transact against someone else’s account by taking a photo or screenshot of the person’s QR code. Chinese regulators have responded to such risks by introducing caps on transactions made using static QR codes. Although no such caps apply to dynamic QR transactions, security for these transactions can be enhanced by using electronic signatures that are cryptographically verified by trusted parties.
Interoperability. QR codes are not inherently interoperable, and several standards for them exist. For example, India has aligned around a single QR code standard; the Chinese government is working on standardization; and EMV, the card payments standards body, has defined its own QR code standards. Providers should conform with a well-known standard in generating QR codes so that customers and merchants with different devices and apps can use the system seamlessly.
Other considerations—omnichannel. Static QR codes are a particularly versatile form of acceptance technology in that they can be displayed in several different ways, ranging from stickers and cards, to posters and billboards, to newspapers and TV screens, to websites and social media channels, and so forth. This enables all kinds of payment use cases, such as making a donation to a charitable cause by scanning the QR code in a TV ad, that may not be possible with other acceptance technologies. It also enables a more seamless blending of marketing and sales efforts by letting people use their wallet app both to access information about a product (e.g., by scanning a QR code on a billboard which opens the product website) and buying it (e.g., by using the QR code to pay for the product in a store). Providers can use these data to help them create entirely new tools to analyze their marketing effectiveness and to integrate loyalty rewards and other incentives (e.g., giving people who have scanned an ad a small discount on their purchase).
Other considerations—replication. Static QR codes can easily be copied and shared, which can have both positive and negative applications. For instance, merchants can share their QR codes over a messaging service to allow customers to pay remotely, perhaps to prepay part of an order or to repay a store credit. On the other hand, fraudsters could similarly circulate their own QR codes and masquerade as legitimate businesses.
Dynamic QR Codes
Dynamic QR codes are different for every transaction. They are generated in real time by one device and read by the other device at the moment of payment. Most often, the customer uses the merchant’s interface or app to place an order, which generates a transaction-specific QR code. The customer then presents this code to pick up her order in store. This type of QR code requires more expensive hardware—a smartphone, tablet, or computer to generate the code—than a static code, but has some benefits over a static code. It enables transaction-specific information to be exchanged and loyalty programs to be automated, which allows for easier and richer transactions. For example, a merchant can integrate the amount to pay or other relevant information directly in the QR code itself or integrate the customer’s payment information into the app’s functionality, saving the customer the trouble (and potential error) of entering the data and providing useful contextual information like an itemized bill. These data can be useful to customers who want to review the accuracy of a transaction, for example, and they also can be used to analyze spending or to provide other services that add value for customers.
As opposed to static QR codes, which can be equally effective on both sides of the transaction, dynamic QR codes are most commonly used on the merchant side, especially when they are linked to a till system (whether integrated into the payments app or a standalone physical till) from which the transaction amount is automatically calculated.
Requirements. Since dynamic QR codes must be generated and then read, both the customer and the merchant must have a QR-capable device and be online. At least one of the devices must be a smartphone or other device capable of computing and displaying the code.
Cost. Because of hardware requirements, providers opting for dynamic QR codes will need to ensure that their merchants’ devices are able to generate and display the QR codes. While increasing numbers of merchants, even those in low-income countries, do have smartphones, providers going this route may still need to offer smartphone loans and/or subsidies to ensure ubiquity.
User experience. As in the case of static QR codes, dynamic QR codes are simple to use because one side of the transaction (customer or merchant) only has to show their code while the other takes a picture of it with their phone, which they typically already know how to do. Time at till is usually low because dynamic QR codes embed information on both account and amount, meaning there are fewer pieces of information to be entered manually. In a typical implementation, the customer only needs to open the app, hold the phone steady to scan the QR code, and authenticate the transaction. QR code readers on phones can occasionally be slow and difficult to use, especially on feature phones (which may also not support the payment app) or where internet connectivity is slow. However, dynamic QR codes typically are not affected by lighting conditions because they are presented on a backlit screen.
Security. Dynamic QR codes can be more secure than static QR codes because they can use encryption and timestamps, which prevent them from being copied. Card or account numbers may also be tokenized (i.e., replaced with a different temporary number) to protect sensitive information. Moreover, the fact that dynamic QR codes are always presented on a device screen makes them more difficult to meddle with than static QR codes, which may just be displayed on a piece of paper.
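The signature and timestamp protections described above (and the signed-code idea raised under static QR security), shown as an added example that is not from the original article. The payload field names, the 120-second validity window and the shared key are assumptions, and HMAC-SHA256 stands in for an electronic signature, which a real scheme would normally make asymmetric.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumed for this sketch: field names, validity window and key handling are
# hypothetical. HMAC-SHA256 is a stand-in for the electronic signature.
VALIDITY_SECONDS = 120


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_dynamic_qr(key: bytes, merchant_token: str, amount_minor: int,
                     currency: str, now: Optional[float] = None) -> str:
    """Return the text a merchant device would render as a dynamic QR code."""
    body = {
        "m": merchant_token,        # tokenized account reference, not the real number
        "a": amount_minor,          # amount in minor units, fixed by the till
        "c": currency,
        "t": int(time.time() if now is None else now),  # issue timestamp
        "n": secrets.token_hex(8),  # per-transaction nonce
    }
    raw = _canonical(body)
    return _b64(raw) + "." + _b64(hmac.new(key, raw, hashlib.sha256).digest())


class QrVerifier:
    """Payment-side check: code is authentic, fresh, and not already used."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # nonce -> issue time of codes already accepted

    def verify(self, qr_text: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            raw_part, tag_part = qr_text.split(".")
            raw, tag = _unb64(raw_part), _unb64(tag_part)
        except (ValueError, TypeError):
            return False, "malformed"
        expected = hmac.new(self._key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"    # edited amount/account or unknown issuer
        body = json.loads(raw)
        age = now - body["t"]
        if age < 0 or age > VALIDITY_SECONDS:
            return False, "expired"          # an old photo of the screen is useless
        # Nonces of codes that can no longer pass the freshness check are dropped.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= VALIDITY_SECONDS}
        if body["n"] in self._seen:
            return False, "replayed"         # same code presented a second time
        self._seen[body["n"]] = body["t"]
        return True, "ok"


def demo() -> list:
    key = b"constructed-demo-key"   # constructed sample key
    t0 = 1_700_000_000              # constructed fixed clock for repeatable results
    verifier = QrVerifier(key)
    code = issue_dynamic_qr(key, "tok_merchant_0001", 12500, "INR", now=t0)
    results = [verifier.verify(code, now=t0 + 10)[1]]        # first scan at the till
    results.append(verifier.verify(code, now=t0 + 20)[1])    # screenshot reused
    stale = issue_dynamic_qr(key, "tok_merchant_0001", 12500, "INR", now=t0)
    results.append(verifier.verify(stale, now=t0 + 600)[1])  # scanned too late
    raw_part, tag_part = code.split(".")
    body = json.loads(_unb64(raw_part))
    body["a"] = 1                                            # amount edited in transit
    forged = _b64(_canonical(body)) + "." + tag_part
    results.append(verifier.verify(forged, now=t0 + 10)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

A printed static code carries none of these fields, which is why the paste-over and screenshot frauds described earlier work against it.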
Interoperability. Like static QR codes, dynamic QR codes are not inherently interoperable, and numerous standards for them exist (see above discussion on static QR code standards). The one advantage of dynamic QR codes is that the standard can be changed easily through software updates, whereas altering the standard for static QR codes involves recalling and replacing all the old QR stickers, cards, posters, and so forth, already in circulation.
Other considerations—rich data. Dynamic QR codes can be used to communicate information beyond the payment amount itself for marketing and customer relationship management, such as itemized bills and loyalty programs. Such data can also be used by account providers or aggregators to enhance their categorization, analysis, and presentation of transaction data to the end customer.
Other considerations—omnichannel. Dynamic QR codes are not quite as versatile as their static counterpart because they require a digital device with a screen to compute and present the code. However, they can be a powerful bridge between the online and offline retail spaces—e-commerce websites can use dynamic QR codes to let customers pay with the same digital wallet they use for physical merchant payments. Even without a merchant payments push, dynamic QR codes may be the simplest way for digital wallet providers to integrate with third-party online vendors and create a seamless experience for customers who buy things online with their digital wallet.
Other considerations—replication. Unlike static QR codes, dynamic QR codes cannot be permanently copied and shared because the code for each transaction is different. Once generated, however, a dynamic QR code can still be shared and used, for example, as a voucher or prepaid amount that a family member or household staff can draw down to buy things within a limited monetary amount and perhaps a limited time.
NFC
NFC is a radio communication standard that allows two devices to communicate with each other when they are in close proximity. It is akin to Bluetooth or WiFi but has far shorter range, which requires devices to be held close together. NFC devices can be either active or passive. Active devices can compute, send, and read information over the NFC channel. Passive devices contain static information, such as account numbers, that an active device can read, but cannot themselves read information from others. To update the information on a passive device, an active device with the requisite permissions is needed to edit or overwrite the data.
A transaction requires at least one party to have an active NFC device, while the other party has either a passive or an active device. Much like dynamic QR codes, the connection between two active NFC devices allows for richer, more secure, and more sophisticated transactions to take place because each device can both send and receive information in the course of the transaction. But conversely, much like static QR codes, passive NFC devices are far cheaper to buy and distribute, and as a result will make more sense to consider for most digital financial services (DFS) providers despite the limitations of such “passive connections.”
Typically, NFC for merchant payments in many markets is through passive connections, where the merchant has an NFC reader (point-of-sale [POS] device or smartphone) and the consumer has an NFC device such as a sticker, a card, or even a wearable like an armband with an embedded NFC chip. In developed markets, although NFC cards and wearables are used, active connections are increasingly the norm as the prevalence of high-end smartphones and watches with embedded NFC grows. Apple Pay, Google Pay, and Samsung Pay use this technology.
Requirements. It seems unlikely that DFS providers in developing economies will have a significant number of customers who have NFC hardware in the near future, given the high cost of such devices. Hence, this discussion focuses primarily on deploying NFC with passive connections. In this model, the merchant requires an active, connected NFC device, while the customer needs only a passive device like a sticker, card, or wearable.
Cost. For active NFC connections, merchants must have a reader, either a high-end smartphone with an NFC chip or a specialized POS device. Given that the cost of an NFC-enabled POS device typically starts at around $50, it can be very costly to establish an acquiring network. Often this cost would be borne by a provider looking to quickly establish as broad a network of acceptance points as possible. It is also possible to imagine schemes where merchants pay off the cost of the device over time, though that may lessen its appeal to merchants. On the customer side, providers must purchase and store the passive NFC devices and distribute them to each merchant payments customer, which, in most countries, number in the millions. Hence even though the individual cost of NFC-enabled tags can be as little as $0.01 when bought in large quantities, the total expenditure is significant and is not likely to be something that providers can pass on to customers.
User experience. NFC’s primary advantage is how easy and fast it is to use. The merchant inputs the transaction information, and the consumer only has to wave their tag, card, or wearable in front of the merchant’s reader to register the payment. This makes things very simple for customers, compared to other phone-based solutions where customers often need to operate an app or navigate a menu themselves. Time at till is usually excellent: once the merchant has entered the amount (which sometimes is automatically generated from till software), the customer taps her NFC tag on the reader, and then authenticates the transaction.
Security. The short range of NFC technology makes it inherently more difficult for fraudsters to intercept transactions. NFC devices can also use encryption to create secure channels impervious to eavesdropping and other vulnerabilities. In some markets where regulations allow it, providers waive the requirement for PIN or other authentication for transactions below a certain amount to make payments for coffee, subway, or similar payments quick and frictionless. Technically, this is also possible with other acceptance technologies, but in practice, examples are few. This may be because the low friction in NFC transactions makes it particularly relevant for use cases where speed at till matters greatly, and hence it makes sense to try to reduce it even further by waiving authentication.
Interoperability. There is no universal standard for NFC communication, and various countries and entities have established their own. India, for example, has developed a single NFC standard. The card payment standards body EMV also has provided NFC standards.
Magstripe and EMV Cards
Payment cards, like the mainstream credit and debit cards issued by banks, typically use magnetic stripes and/or smart chips embedded on a plastic card to hold key customer account information. The card is inserted into a POS device operated by the merchant. The customer must authenticate either through the POS device or by signing a manual receipt.
Requirements. Merchants must have a POS device that is connected via internet or a landline telephone. Consumers need carry only the plastic card and don’t require a phone, unless a phone-based authentication of the transaction is required. Although this type of authentication is not typical among bank cards, it could very well be used by mobile payments providers to standardize authentication processes across form factors.
Cost. Historically, card POS devices have been very expensive, in the order of $500 per unit. However, prices have come down significantly in recent years thanks to the entry of Chinese manufacturers. You can now get EMV-compliant POS devices for under $70. Typically, this cost ends up falling on the merchant, although banks will often finance the device over time or rent them to the merchant. On the customer side, cards must also be purchased (prices start at $0.01 each) and distributed at considerable cost, though again part or all of the cost is sometimes passed on to customers. In developed markets, smartphone dongles like those used by Square, iZettle, and PayPal have reduced the need for expensive POS devices and have substantially expanded the ability of payments providers to acquire smaller merchants with less turnover. These options are not yet available in most developing markets.
User experience. Cards tend to be one of the simpler acceptance technologies for customers, including inexperienced ones, to use. The process can be as simple as the customer handing her card to the merchant, who actually uses the card with the reader, and then authenticating the transaction. This approach makes things very easy for customers compared to other phone-based solutions where customers often need to operate an app or navigate a menu themselves. Time at till is typically moderate. Merchants must input the amount, swipe the card, wait for a connection, and obtain a signature or PIN from the customer. Delays are usually caused by slow communication of the device with the network.
Security. Security levels are high, especially when combined with a PIN or phone-based authentication. However, the long experience of worldwide card use has created various well-known types of fraud, especially where the customers hand their cards to the merchant, who may even enter their PIN for them.
Interoperability. In principle, magstripe and EMV cards are interoperable because they operate on the same basic technical standards. That said, most bank cards today use one of the major card networks (Visa, Mastercard, Amex, Discover, Union Pay, Ru-Pay), which by design do not interoperate. This lack of interoperability is the result of a business-level choice, not the underlying technology itself.
Other considerations. Because cards are not necessarily tied to an individual via a mobile number or smartphone app, they are often used for low-value prepaid accounts such as gift cards, which can, for example, be used by other family members, given to friends, or mailed to relatives. However, this is equally possible with NFC tags or wearables as well as with QR codes.
USSD/STK
USSD (unstructured supplementary service data) is a common technology for communication between GSM handsets and mobile network operator back-end computer systems. It can be used on any phone, including the most basic or feature phone. While SMS messages are separate from one another, USSD establishes an ongoing session between the mobile and the base station, allowing for continuous exchange between the two sides in a “conversation.”
STK (SIM toolkit) is a set of commands programmed into a SIM card that enables simple applications to be run directly from the SIM regardless of the type, make, or model of phone used. STK is often used in conjunction with SMS as the network communications channel, but it can also be used in conjunction with USSD.
Requirements. Customers and merchants must have a cellphone with a working GSM connection. The phone can be a basic phone; a feature phone or smartphone is not required.
Costs. USSD is among the easiest and most affordable technologies to deploy, particularly for mobile network operators, because there are no additional merchant or customer hardware requirements apart from mobile phones. No additional devices, placards, displays, or tags are needed. DFS providers who are not themselves mobile network operators will need to negotiate pricing for the USSD access. Because this is typically charged on a per-session basis, it becomes a variable cost that starts off low and scales up only in proportion to transaction volumes.
User experience. The main challenge with USSD as a technology for merchant payments acceptance is that it is slow and cumbersome. Speed at till is slow because either the customer or merchant must unlock the phone, dial a USSD short code, and then navigate multiple levels of a terse text-based menu that is often not user friendly. Timeouts and broken sessions that require restarting the transaction are fairly common. The implementation of STK, which provides a friendlier menu structure, even on basic phones, can make the process somewhat smoother.
The burden of entering the transaction information often falls on the customer, which due to the above issues can create significant friction, particularly for new users who are unfamiliar with the menu. This presents a major potential obstacle to uptake. Providers considering the use of customer-side USSD should decide on it only after extensive user testing and careful deliberation about the pros and cons.
- One way to mitigate these challenges is to have the merchant initiate the transaction and enter the relevant data as a request for payment that is then approved by the customer. Since merchants have a stronger stake in the transaction—wanting to get paid and serving the next customer—and will typically conduct far more transactions than the average user, they will learn to navigate the menu more quickly, reducing the friction. If combined with PIN authentication pushed to the customer’s phone—sometimes called a merchant-initiated request to pay—such a solution is arguably the best way to strip friction and frustration out of the process while minimizing fraud risk.
- USSD is more cumbersome for merchants who receive little information—possibly receiving a text with only the transaction number and amount—and need to reconcile that with their billing systems. App-based merchant solutions using other acceptance technologies can provide richer data and value-added services like aggregation and analytics for merchants.
Security. USSD operates within the secure network of the cellphone operator, and messages are not stored on the customer’s phone or at the service center, making it less vulnerable than, say, SMS. A single session is established between the mobile and the server, and the message is encrypted at the USSD gateway. However, the data carried within the communication channel are not necessarily encrypted, which means that when merchant payments providers are also mobile network operators, they may be vulnerable to attacks from within.
Other considerations. In countries where USSD-based services are already common, particularly those where mobile money is already prevalent and leveraging USSD, this technology can be seen as the easiest way forward because much of the information and communication infrastructure are already in place and people know how to use the technology. However, the user experience shortcomings are very real and have hampered the uptake of mobile merchant payments even in mature mobile money markets. Providers should therefore carefully consider the pros and cons of all the acceptance technologies outlined above to identify the one best suited for their particular market, business model, and investment appetite.
1 In the payments world, a dynamic QR code indicates a unique code that is generated for individual transactions. However, in the tech world, a dynamic QR code generally means a code that is editable and allows for the landing site to change. In this case, the QR image stays the same, but where it goes can be changed behind the scenes.
This article is part of the Merchant Payments Collection.