Looking Back to the Future of Merchant Payment Systems


In 1849, the French writer Jean-Baptiste Alphonse Karr wrote “plus ça change, plus c’est la même chose”: the more things change, the more they stay the same …

How do Retailers get paid?

Retailers essentially exchange goods and services for cash, unless they are in the business of giving credit, but that would be the subject of a different post.

Some merchants prefer cash, some believe that it’s cheaper than the alternatives and some believe that cash can hide what’s really going on from the taxman.

For now, let’s begin with Retailers, or merchants, getting paid in cash. That’s how it used to be … and the nature of cash puts the payment “experience” under the direct control and management of the merchant.

Payment Cards are more Convenient

There is a cost to the Retailer associated with taking card payments, and there is also a cost to the retailer associated with taking cash. The actual costs vary and can depend on many factors, but cards are undoubtedly more convenient.

Not only that but removing the physical spending restriction imposed by the amount of cash in your pocket increases a merchant’s opportunities for selling you more.

Convenience is a Complex Trade-off

One thing that stays the same is that consumers will always tend towards the simple life … eventually. It took a long time for shoppers to accept the Debit Card, longer for them to accept Contactless Payments and a global pandemic to elevate mobile payments to the mainstream.

I don’t believe that we will see the end of cash, but I have only used an ATM three times in the last two years!

But convenience for the consumer does not necessarily mean the same for the Retailer.

Accepting cards needs a card acceptance infrastructure, which in the early days (after vouchers) meant a stand-alone terminal like the Fortronic F75 or the Racal Cardmate II.

Its image is etched in my mind, but look as I might, I could find no picture of a Fortronic F75.

In those early days, the Merchant would ring the purchase into the Till and then take the payment separately using the Terminal, then they would hand over the goods. The two independent actions would be manually reconciled in the background at some point in the future, following the conclusion of the settlement process.

As merchant systems evolved, so the Till and Terminal functions were combined and whilst it’s true that the complexity of merchant systems increased to reflect the growing trend for customer convenience, it’s also true that the complexity was manageable.

Managing the New Complexities

Merchants were learning the processes of non-cash payment acceptance, first with credit card vouchers and then with the new-fangled electronic POS terminals that could also authorise online, and they were also learning how to manage the offline settlement processes.

The processes involved were logical and easy to follow. POS transactions were authorised using essentially the same information as required by the voucher and were then completed and settled according to the results of an authorisation request. Where a transaction was authorised online, which wasn’t the case for every transaction, the settlement file would also contain the authorisation code.

As merchant systems developed, so the functions of the Till and the Terminal were combined, which provided opportunities for the development of Value-Added Services. Retailers began to recognise that shopping habits could be tracked using payment card numbers, and then Tesco invented the Clubcard.

I know that the Clubcard number isn’t strictly speaking a payment card number, but the principle is the same and Tesco Bank did issue Credit Cards where the PAN doubled as the Clubcard number. Tesco was able to combine the basket data with the payment data and use the information created to develop marketing strategies for the benefit of the consumer … and Tesco.

The development of the marketing and transaction-related opportunities was possible because the associated transaction and basket data fell under the control of the merchant and, as it was all in the clear, the information could be read easily.

The clever people developing the Value-Added Services could see first-hand the stuff they were working with.

What changed for the Merchants?

Fraud associated with payment cards was on the increase, essentially because of the relative ease with which magstripe cards could be copied. The introduction of Chip and PIN was holding it back, but the fact remained that e-commerce was growing significantly and was also under attack.

Applying EMV principles to e-commerce was not possible at the time … but also, applying EMV principles to US card transactions was not happening! The US pushed back against the introduction of chip cards and opted instead for the PCI-DSS as a means of frustrating the widespread funding of terrorist activities.

For the merchants, this meant introducing a level of cryptography across the card payment functions, separating payment functions from retailer core business and engaging in onerous and expensive audit processes and procedures across the breadth of the operation.

Two things then happened:

  • Merchants lost control over their processes as payment services were outsourced,
  • Information that was used to develop value-added services was hidden from view.

The sheer complexity of the newly introduced and mandated security processes pushed the ability to comply with the new card payment rules outside the capabilities of most retailers.

Retailer Retrospective

As long as merchants were able to use information that they could see, read and understand, they could manage the software, the hardware and the integrations as part of the process of doing business. Payment processing might not have been retail “core business” but it was very much closely related to “core business” … and the act of paying was (and still is!) the one activity in the whole of the end-to-end purchase process where interaction between merchant and customer could be guaranteed.

The potential for developing value-added services in this space was established because of the merchant’s ability to interact directly with the card payment process and given time, the retail point of sale could have been turned from a cost centre into a profit centre.

But all of this was taken away.

No Alternative for the Merchant

The upgrade to Chip and PIN needed merchant systems to be upgraded to accommodate the additional data requirements of the chip technology. But whilst it was true that the merchant upgrade was necessary, it was also true that it added value to the merchant’s business.

If the merchant community had only been required to implement Chip and PIN, the development trajectory they were on could and would have continued. The card transactions were secure even though the transaction data was visible, and this was because all the necessary security was in the chip and the reader. The value of EMV was in the fact that the transaction data had no value!

Everything else worked pretty much as it had always worked.

However, the newly implemented secure payment systems were to be replaced with newer, even more secure systems. The impact was that merchants that had been reasonably comfortable operating payment systems with Chip and PIN quickly found themselves out of their depth when faced with having to implement a whole layer of secure cryptography.

Very quickly, merchant payment systems became difficult for merchants to implement, expensive for them to operate and they returned very little benefit. Not surprisingly, merchants began to outsource their payment services.

Cryptography definitely wasn’t core business; merchants were not cryptography experts and so they really had no alternative.

The Impact of Outsourcing the Payment

Outsourcing the payment function meant that retailers were better able to service their customers and free to develop their core business, or so they were told by the payment service provider salespeople.

The reality was that retailers were forced to give up the control of one of the key elements of their business: the payment. The final leg of the retail journey was now completed when a customer paid using payment services provided by another company.

The consequences may not have been clear at the time, and why would they be? The relationship between payments and value-added services hadn’t been established.

So … the separation of payment systems from retail systems solved the immediate problem but at the same time, it stifled innovation.

Outsourcing the payment was necessary at the time because of the complexities that PCI-DSS had added to the processes. One thing is for sure, the situation is not going to change whilst merchants are unable to manage and control their own payment processes.

The more things change …

Control of payment processing shifted to third-party payment service providers because the non-payment overheads were just too much. The requirement for end-to-end cryptographic security, for example, wasn’t going to be going away anytime soon.

Before PCI-DSS, a merchant could pick and choose the best merchant acquirer for the job, and even switch between them according to circumstance. Whilst this wasn’t exactly simple, it was possible … and it was under the control of the merchant.

What the merchants need is for someone else to do the heavy lifting, leaving them with the job of managing the relationship with the acquirers, just like they used to.

A growing number of organisations are already addressing the root cause of the problem and developing service models where the heavy-lifting cryptographic processes, and other non-payment overheads, are hidden. The merchant sees only the “connection” to the acquirer and can pick and choose according to business needs.

This isn’t the end of the story, and I believe that we have just turned an important page.
