How’s this for a breaking development in the world of mobile payments?
The Clearing House will announce today that it will launch and operate an open platform that will make mobile payments more secure by changing how cardholder data is transmitted and stored. Called “Secure Cloud,” this platform will tokenize cardholder data behind a bank’s firewall once a bank customer has registered her mobile wallet with that issuer.
The theory of the case here is two-fold. First, issuers are the ones left holding the bag (and paying for it) when there is a data breach so they have a huge incentive to reduce that risk. Second, banks have already invested zillions of dollars into making their firewalls safe and secure, so why not leverage those investments and the capabilities offered by new technologies?
Secure Cloud will launch in pilot mode later this year with an acquirer, a couple of issuers and a third party wallet. It’s expected that the reduction in fraud and card lifecycle management costs will cover what it will take to operate the platform.
I bet you have a couple of questions, starting with, “who’s The Clearing House?”
Well, it’s not a startup! In fact, it’s the complete opposite.
Established in 1853, The Clearing House (TCH) is the oldest banking association and payments company in the United States. Association is a payments vocabulary word that has gone by the wayside in the wake of the Visa and MasterCard’s IPOs, but in this context, it means that TCH is owned by commercial banks. And, not just any commercial banks, but the big ones – like the ones that collectively hold half of the deposits in the U.S. Member banks include: Banco Santander, Bank of America, The Bank of New York Mellon, BB&T, Capital One, Citibank, Comerica, Deutsche Bank, HSBC, JPMorgan Chase, KeyBank, PNC, RBS Citizens, TD Bank, UBS, U.S. Bank, Union Bank and Wells Fargo. (City National, Fifth Third Bank, First Citizens and M&T are not owners but have a shared board seat.) TCH provides payment, clearing, and settlement services on behalf of those banks that power about half of the ACH, funds-transfer, and check-image payments made in the U.S.
In order to continue to deliver on its claim of being the oldest payments company in the U.S., THC needed to make itself relevant in a payments world that, moving forward, will be dominated by cloud-based, non-plastic and non-check payment methods.
The idea for Secure Cloud was born about a year and a half ago at a meeting of TCH member banks. The topic of conversation was the explosive proliferation of “live” payment credentials that everyone felt compromised the “safety and soundness” of consumer payments transactions, and was a universal problem. The evolution of the payments industry from physical to online to now mobile and who knows what in the future means that there is now and will be much more customer data across many more channels vulnerable to a breach. And breaches are costly, not only in the real dollars that banks shell out in the event of one, but in the reputational hit that everyone takes when something like that happens. Breaches – or the fear of one – also stymie innovation. When consumers aren’t sure that new ways of transacting will keep their information secure, they’ll play it safe by just saying “no.” In fact, “security” is cited as the number one reason that most consumers say they won’t or haven’t tried mobile payments.
The Secure Cloud infrastructure works like this: a consumer has a mobile wallet of some kind, perhaps from her issuer (not likely now) or from a third party such as PayPal or LevelUp (probably more likely now). She registers that wallet and the cards attached to that wallet with her issuer, provided that those cards are supported by the Secure Cloud platform. As part of the registration process, the wallet receives a dynamic token from the issuer. When she uses her wallet to transact at a merchant, the Secure Cloud platform acts as a “thin switch” which routes that transaction to the issuer’s secure vault – which sits behind the bank’s firewall – to access her account information. That issuer receives the dynamic token and maps it to the true card/account information, which is routed through the switch back to the acquirer for routing and clearing/settlement through the card networks. If the merchant already accepts an existing cloud-based mobile wallet solution, it has nothing to do at the POS in order to leverage Secure Cloud’s capabilities. And, everybody in the ecosystem gets the same data that they have access to now, but card numbers aren’t part of data set passed around in cyberspace. So, there are two big “so what’s” here. One is that cardholder data stays behind the bank firewall, under the control of the issuer instead of the acquirer, where gazillions of other cardholder data is stored. Two, the secret sauce here is that this is one platform and an open standard available for all to leverage. Since issuers are the ones in the payments ecosystem that have always invested in fraud and security, they are now invested in and part of one open platform that enables a more secure solution for everyone, certainly one that is more cost efficient and effective.
As I was being briefed on Secure Cloud, a couple of thoughts ran through my head.
First, what took this so long?! I’m only half joking. A very interesting and recent American Banker reputational survey suggested that consumers don’t really want their banks to be innovators, but they do trust them to keep their account information and money safe. Secure Cloud seems like just the kind of thing that banks should be doing to keep customers feeling that way, and to ignite innovation for their customers and perhaps even accelerate it for the sector overall. If third party wallets can leverage this sort of “payments account credentialing,” then wallet providers or acquirers won’t have to build these sorts of things into their solutions – saving everyone a lot of time and money. It could also potentially make banks a more valuable distribution channel for innovation, versus having to develop their own stuff from scratch. We have all seen the power of enabling platforms in igniting innovation and this could be one to do that at the same time it helps stimulate consumer confidence in cloud-based mobile payments solutions.
Second, this sort of suggests that NFC is dying on the vine. Although the people I spoke with at the TCH didn’t say this, I concluded that the decision to invest in such a platform means that finally, finally, the banks have come around to the notion that the cloud rules, baby. Secure Cloud also sort of does rain a bit on the First Data TSM parade that promised a similar thing using NFC. But, I for one, say three cheers for the cloud and let’s move on.
Third, cloud-based mobile solutions accrue a lot of interesting possibilities to the issuer that, in such a scenario, could use tokens to do a lot of things besides protect customer data, like “switch” the rails on the back-end once transaction data is passed, for example. Having such an option available to issuers could open up a lot of interesting possibilities if used appropriately. TCH vehemently denies that Secure Cloud is designed in any way to do this, but hey, the game it is a’changin’ in payments-land, and I say never say never.
And, finally, if 22 member banks – the big guys – all standardize on this way of mobile payments, transacting with TCH as the “light switch” and ACH as its underlying payments rail, well, hmm. Could we be looking at yet another new network in the making down the road that runs on ACH? TCH vehemently denies this too, and for sure a whole heck of a lot would have to change within the ACH system to make it a viable alternative. But as I said before, never say never. It really is possible that one day, yes, even the good old USA might have as good an interbank money transfer system as oh, say, Portugal or almost any other country in Europe.
Do I think that Secure Cloud will make it easier for banks to ignite their own digital wallets? I really don’t. Merchants would still have to agree to accept those wallets and I still don’t see the use case for consumers to have as many digital wallets as they have cards in their leather ones. So, what will make or break Secure Cloud as a breakthrough platform is the ease with which they enable third party wallets, like the PayPal’s and LevelUp’s and (gasp) Apple, if it ever gets into the game, etc. to leverage their platform. And if the consumer experience, and merchant and wallet provider data access offered by those third party wallets, remain unchanged. When banks come together to solve a common problem, the impact can be powerful, e.g. bank ATM networks, and stimulate lots of great things. If concerns over whose wallets are getting registered trump the universal problem set of restoring the “safety and soundness” of mobile/digital payments transacting, then, I’m afraid, this will all be for naught.