This post has some notes on competitors to Bitcoin in the mobile payments space, specifically Square, SumUp, iZettle and Payleven. All of these companies provide dongles that plug into a phone via their headphone jacks and act as credit card readers.
The pitch: anyone who has the dongle can then receive card payments.
Do these systems have the potential to finally replace cash and thus undermine some of the advantages Bitcoin has?
MARKET PLAYERSSquare (website: squareup.com) is a silicon valley company named after the square shape of its dongle. I believe it pioneered the "plug into the headphone jack" idea and the dongle is free to users. They can do it so cheaply because all the dongle does is act as a tape head that plugs right into the phone, which then acts like a casette tape player to read the data on the magstripe. Square has also pioneered some other neat ideas, like interaction-free payment: when the merchant is trusted, they simply see your name and face on their screen and can push it to charge. Your mobile app accepts whatever payment they request on the assumption that they won't abuse it.
Square charges 2.75%. It is at present limited to the USA.
iZettle and
SumUp are European clones of Square, that use larger readers into which you physically insert the card. Both SumUp and iZettle have launched in a handful of EU countries. SumUp also charges 2.75% and iZettles fees vary by country. You have to wait either two weeks to cash out, or until you have at least 40 pounds ($65) on your account. You can receive up to 100 pounds before needing to go through KYC. Again the readers are free.
At first glance these services appear to solve one of the key problems the credit card system has that keeps cash alive - that accepting card payments is very difficult. Whilst the 2.75% fee may seem to make it uncompetitive with cash, it's easy to forget that accepting cash has costs for any non-trivial business too (need to own a cash register, pay for all the physical handling, go to the bank to deposit the cash, etc). So it may be the case that people are willing to pay the card fees to avoid the need to handle cash, if only the excessive setup costs were eliminated.
However, closer examination reveals that these schemes all have serious problems independent of fee size. They can be summed up as security and interoperability issues.
- Square by the nature of its technology is limited to parts of the world where magstripes are still in use. The reader can be free because it's very simple: just a reader head and headphone jack, 1980s technology. That technique simply doesn't work where EMV has been widely deployed (most countries outside the USA).
Squares geographic limitations will be revisited later in this post.
- iZettle and SumUp claim to be EMV compliant and to use the chips in cards. At first this sounds right, the readers are much bigger and you insert your card into them as you would with a regular reader. But in fact they don't do EMV properly. If you dig in, you'll find that these systems expected users to authenticate transactions with signatures drawn on the screen using their finger, not by typing in their PIN numbers. Both services tell their users to check that the signature matches that on the card manually.
The EMV standard allows for fallbacks to signature authentication. It's designed for rare cases where the chip or reader has broken. Merchants that seem to systematically be doing signature authentications get flagged and told to fix their readers, users whose cards are systematically failing get given new ones.
By deliberately and systematically using signature verification, these companies were playing with fire. And as you might expect, Visa Europe revoked iZettle.
Because there's no way for their reader devices to do PIN authenticated payments, both companies have come up with a cumbersome workaround for Visa cards. When paying, you have to type your phone number into the sellers device, receive an SMS with a URL in it, and then go ahead and type your card number into the web form that loads. In effect, you're simply doing an online payment. You won't find any mention of this in their marketing materials, no surprise.
I think it goes without saying that any "solution" that converts card-present transactions into simply filling out your card details on an online form is a non-starter, not only because it's so inconvenient but also because you lose the shielding from payment fraud that PIN authenticated card-present transactions give you.
One company,
Payleven, has little coverage but has approached this problem in the right way, by developing
an EMV compatible card reader device that talks to a phone via Bluetooth. This means they can process payments in Europe without payment fraud risk and without getting revoked by the card networks. It's not clear to me whether their readers are significantly cheaper or easier to obtain than existing reader devices, which are basically special purpose mobile phones with secure hardware that cost around $500-$600.
Given the difficulty dedicated companies have had doing purely mobile payments in Europe, unless Square can come up with some unlikely or special deal, they're going to encounter the same intractable problems.
EMV IN THE USAThis leads to the question of why
the USA is so far behind Europe in payment card security. Though EMV has been deployed for years across many different countries, deployment in the US has barely begun. The answer may lie in the structure of the card industry. It's tempting to think of VISA as a single company. In fact, Visa Inc in the USA is an entirely different entity to Visa Europe. In the US Visa Inc. is a public company like any other, whilst Visa Europe is a company owned by its member organizations. They cross-license the brand and other IP but are otherwise independently managed. This different ownership structure changes the incentives for tackling card fraud. Also, in Europe Visa and MasterCard have a duopoly with Visa dominating, whereas in the USA the market is more splintered.
A different reason may be history. I've found no data to support this, but I've seen repeated references to EMV being developed in response to a huge Europe-specific spike in card skimming and cloning after the fall of the Iron Curtain in the 90s.
Nevertheless, US deployment of EMV is starting now and it appears Visa is optimistic about the deployment timeframes, with 2015 being pencilled in as the date for liability switch. I'm skeptical about that myself, but we'll see. Adoption may be simplified by
the extraordinary claim from Visa USA that EMV doesn't mean PIN authentication because "online transactions don't need them" and that offline transactions are unnecessary so support can be dropped - to compare, all online transactions in Europe are PIN verified as a measure against theft/mugging and about 7% of transactions are offline. Why are they doing that? Differing interchange fees may be the reason, or a fear that consumers will reject the user experience change of using PINs.
Probably Square launched in the nick of time and it's now obtained sufficient critical mass that the card networks won't be able to roll out a more secure system that would invalidate it. How they plan to "square this circle" will be fascinating to watch.
COMPARISON WITH BITCOINCompared to this mess, Bitcoin looks good:
- No hardware dongles. A camera is sufficient.
- Bitcoin can do offline transactions. If the buyer is offline and the seller has a connection, Bluetooth can be used to transfer the transaction (we prototyped this on Android in Berlin and it worked fine). If both are offline, the parties can still trade if the buyer is trusted, so a temporary loss of internet access doesn't result in business coming to a dead stop. And the same sorts of secure chips EMV uses can be applied to Bitcoin to allow untrusted fully offline trades, should that ever be in demand.
- Security measures are not mandated from the top but decided by individual users according to their personal preferences and risk tolerances. That bypasses the whole argument around PIN vs signature.
- EMV was developed in the early 90s, before online shopping became prevalent. Amazingly it still has no support for doing internet transactions! Banks have extended the system to do online authentication for e-banking, but that was never made available to merchants. In contrast, Bitcoin seamlessly does person to person and remote transactions with no difference.
The biggest problems are the ones we already know about - awareness, acceptance by large merchants and difficulty of obtaining Bitcoins using payments from the existing infrastructure.
