How technical standards promote innovation

2023-01-27

There is little doubt that the most ubiquitous payment method used online is the credit card (and increasingly variations of this in the form of debit cards, prepaid cards and others).

Sure, there are jurisdictions where local alternatives are strong competitors (or even dominate the local market) but its fair to say that the global card schemes are the kings of international consumer payments (and in recent times have begun to eat into the business payments market too).

But what made card payments so successful as a method of making payments online?

Cards, around for decades and certainly pre-dating the Internet, were clearly not designed for online payments. As I‘ve said before, the user experience of paying online with a card is still, after decades of use and refinement, pretty terrible. (I actually said, ”it sucks”, but I have friends in the industry that suggested I was being unnecessarily mean.)

My theory on the success of card payments is simple:

Despite the fact that the user experience of online card payments sucks, it is, and always has been, consistent.

Users love consistency. As a cardholder, it doesn’t matter what badge you have on your card, or what bank it was issued by, whenever you pay with a card, the experience is the same: enter a card number that matches a standard format, an expiry date, and a card-verification value (CVV).

Behavioural economists will tell you that one of the most powerful forces impacting behaviour are habits, formed through repetition and positive association. We've got a new puppy at home and I've been exercising this theory a lot lately trying to get Archie to sit (and stop eating the kids toys). It's pretty incredible how fast that association forms between the command, the response, and the treat he gets for doing the right thing. For consumers, that dopamine hit when the website says the payment was successful, is more than enough to entrench the card payments habit.

The consistency of the card payment user experience is thanks to technical standards that were universally adopted by all of the schemes, creating a solid foundation for interoperability in the user experience. Crucially, these didn’t encroach on the competitive space between the schemes. In other words, the power of commercial incentives drove competition and innovation and funded the massive marketing budgets of the schemes and banks to get more card users while simultaneously interoperability lowered the barriers to customer acquisition and conversion for everyone.

The fact that banks could be participants in multiple schemes with minimal technical or operational changes also helped to dispel fears of lock-in to a single scheme, which further stimulated competition and innovation between the schemes.

What started with the standardisation of the card number through ISO/IEC 7812 (first published in the mid-1980s) evolved to include the standardisation of the entire data set captured at the point of interaction, driven by the data elements of another technical standard, ISO 8583, the standard for data transmission within the networks.

Nowhere else has the phrase “a rising tide lifts all ships” been more applicable. I’m not intimately familiar with the specifics of how this played out but clearly, there were some very smart people working within the schemes that recognised the value of interoperability and a consistent user experience.

So much so, that by the late 1990s, as the dotcom boom surged, the major networks got together and formed their own technical standards body called EMVCo. Self-described as “a global technical body [that] collaborates with industry stakeholders to develop technical specifications and programmes that any party can use to design payment products that will work seamlessly and securely worldwide”, EMVCo has been responsible for most of the innovation in the card payments industry since. This includes a swathe of technologies covering everything from chip-and-PIN, contactless payments, QR-code payments and risk-based authorization (3D Secure).

EMVCo is not a payment scheme. It is just an industry body that publishes technical standards.

Each of the major global brands such as VISA and Mastercard, as well as the smaller regional schemes such as Bancomat or Verve, run their own networks and define their own scheme rules but all of these are implementations of the technical standards that ensure interoperability at the point of interaction, where it matters most for a consistent user experience.

Contrast this with the, mostly failed outside of the EU, IBAN (International Bank Account Number) standard. Imagine if every bank in the world, irrespective of the networks or correspondents it was connected to, issued their customers a standard IBAN that was understood by every other bank in the world. We’d likely have a consistent global bank-to-bank payments experience that would rival card payments.

The power of technical standards to create fertile ground for competition and innovation are evident in the explosion of cloud technologies too. While there are multiple, highly-competitive cloud providers, shared standards like Kubernetes and OCI create a rich ecosystem of businesses that build for the “cloud” rather than just for a single-provider.

But evolution of the shared technical standards needs to keep pace with the pace of the industry or the standards become a dead weight rather than an enabler. Challengers leverage their existing distribution channels (large user bases) to try and compete with the network effects of the interoperable ecosystem. If the incumbents haven’t been able to innovate in the interoperability domain (due to outdated standards) they generally risk being disrupted. Apple and Google, leveraging their mobile platform penetration to disrupt consumer payments with their platform wallets, is a perfect example of this phenomenon playing out.

For decades the consistent user experience of card payments helped to entrench the user behaviour of paying with a card, but now a superior user experience through digital wallets is available and it comes from closed loop systems. Because these new systems offer no interoperability, competition is a zero-sum game and everyone is fighting to win.

While it feels like a win for consumers too (the wallets deliver a better user experience), in the long term, closed-loop solutions are very very bad for consumers, and the ecosystem around them.

Online merchants must already contend with a plethora of payment methods in different jurisdictions, each one occupying more space in an already crowded payment page. Apple Pay and Google Pay and Samsung Pay and Amazon Pay and the many others are now each competing for space in the consumers payment journey.

In the absence of an interoperable user experience to invoke any of them, merchants must choose to either inflict a choice overload on their customers or simply limit the choices to the most popular wallets. The end result of this feedback loop is obvious, a duopoly or even a monopoly on consumer payments by closed-loop systems who then have the leverage to charge whatever they like and take more and more control over the entire user journey. Take a look at the mobile app store ecosystems and the lawsuits that are unfolding there to get a preview of how that unfolds.

To counter this, banks, fintechs and schemes need a new technical standard for the Internet-era that offers a consistent user experience, but one that competes with the platform-native wallets.

EMVCo have a solution but unfortunately it has a few key design flaws.

The solution is called Secure Remote Commerce (SRC) and it manifests to end-users as a payment method called “Click to Pay”. It’s a well designed and thoroughly thought-through system, but for two major failings (IMHO), the interoperability domain is not really open to new schemes and the standard isn’t really well suited to non-card payment methods. (I know not everyone will agree with me on those statements but let’s explore quickly).

When the card standards were first adopted decades ago, the networks would have been small scrappy organisations fighting to get user-adoption of this new payment method and convince banks to become participants in their schemes. (Dee Hock’s book about the start of VISA is essential reading for anyone in fintech).

The technical standards that underpinned card payments back then had no non-technical barriers to entry. Anyone could adopt the standards and build a scheme without needing to join an industry association or sign-up to an exclusive scheme of schemes.

In contrast, the SRC user experience assumes that a complex arrangement of participants (including the “SRC Systems”, i.e. the existing schemes) are already tightly integrated and legally bound together.

Instead of creating a purely technical standard with an interoperability domain that promotes new entrants, competition and innovation, SRC attempts to further entrench the existing schemes as the foundation of the standard. And, while I’ve been told that non-card schemes could play the role of an SRC System, the way the literature reads makes it hard to believe that’s a design goal.

The world of global payments has changed a lot since the early days of ISO 8583 with the advent of real-time push schemes like Zelle, and the proliferation of pay-by-bank solutions based on open banking. If EMVCo provided a genuinely neutral technical standard for a consistent user experience across both the card schemes and these new payment rails they would have a strong chance of competing with the distribution power of the platform wallets.

Instead of “Digital Card Facilitators” and “SRC Initiators” the standard should simply define a new, Internet-native payment instrument rooted in the worlds most ubiquitous interoperability domain, the Web. Not mobile phone numbers, not email addresses, something that an issuer has the agency to issue themselves.

It’s the Internet-era and domain names are the new BIN ranges. Payment pointers are the new neutral technical standard that incredible, and yet consistent, user experiences can be built on for any scheme.

SRC is not a white elephant though. There has been some great work done to figure out federation of identity and data exchange which could still prove invaluable, but a tweak to the “front-end” to leverage payment pointers instead of a DCFs and SRCIs (jargon alert 🚨) could make SRC the killer standard it aims to be.

It will take some strong will-power from the big schemes to admit that they can’t take on big-tech alone but unless they embrace a solution that, once again, lifts all ships they will likely find that they slowly get squeezed out, not only by the FAANGs but also by the new schemes that are cropping up all over the world.

We’re looking forward to show-casing what’s possible with payment pointers when our own wallet launches soon (you can join the waitlist here). If you’re a scheme, bank or fintech interested in issuing or accepting payment pointers too, get in touch, let’s work together on a neutral technical standard that keeps the tide rising.