Tuesday, October 13, 2009

Indian Payments Card market analysis

In recent times, mention of the Indian economy evokes images of growth, opportunities and a new gold rush. However, when it comes to electronic payments systems, India is yet to break out. Payment card volume in India is a fraction of that of Singapore (KPMG Report). Let's take a look at the 2008-09 (April 08 - March 09) statistics


A few observations on the above stats:
  • Though debit cards have higher circulation (as they double as ATM cards as well), their usage is significantly lower (even by India's standards) [less than 1 transaction per card per year!]
  • Credit card transaction volumes are low ($52 per year per card). Coming out of the 2008 market downturn, credit card companies are flying to quality. They are trimming credit limits, canceling cards with minimal usage... Nothing new to the western world, but a new trend in the wild swinging Indian market.
  • Though the above numbers are small, the market is growing at a CAGR of over 30%. In 2020 the market size will be ... ;-)
Turning our sights to the online commerce world, the stats are similar. Online commerce is trending at about USD 3 billion a year (US market of $300B). Typically, ecommerce is 10-15% of the total retail payments card market. However, you will notice that in the Indian payments card market, the ecommerce market is over 20% the size of the retail market. A phenomenon that can be attributed to the cash-dominant brick-n-mortar retail economy (with a sizable parallel counterpart).

With regard to payment card fraud, I do not have data on fraud rates at brick-n-mortar stores (contribution of relevant data is appreciated). According to Al Cameron, Payments Fraud/Loss Prevention Specialist, online payment fraud rates (Card-Not-Present / CNP fraud) is around 3oo bps (US is at 140 bps, and UK at 100 bps).

Even though the Indian ecommerce market is in its infancy, security concerns during online payments are cited as among the top-5 barriers to faster growth. Regulatory authorities in India (RBI) mandated 2FA (Two factor authentication) for online payments from Aug 1, 2009. Going by UK's experience (where CNP fraud dropped for the first time during the first half of 2009) of CNP fraud reducing due to deployment of 2FA, India might also experience a similar benefit. This could help bring more users to the world of online commerce (grow the pie), as well as, increase the bottom line of online merchants and card issuers.

I have not been able to get any data on the benefits expected by the Indian regulators after the implementation of their mandate. If any of you have access to this data, please do share it. I shall post it here and acknowledge your contribution.

Thursday, October 1, 2009

If the US does not go down the EMV road...

The debate over whether US should deploy EMV infrastructure or not has been intensifying of late. Some estimate the cost of deploying EMV in the US at $30B. Ms Baxley, retail payments management consultant, observed that Javelin Strategy estimates US EMV transition at a lower $5.5B. She also noted that, in lieu of EMV, leveraging contactless cards and readers [presently being deployed in the US] would adequately meet the payment card security needs while costing significantly less (even lesser than Javelin's estimates). As you might recall, contactless infrastructure being deployed in the US is based on Mag Stripe Data (MSD) fortified with dynamic CVx (in effect making a payment card number a one-time use card number). Please note that in this post, when I refer to US contactless cards/readers, I am referring to MSD with dynamic CVx (dCVx)

Debating card security aspects between EMV and US Contactless is an enticing topic, which can be set aside for another day and another blog.

Assuming that the US heads down the Contactlesspath (a significant leap of faith) as a means to enhance security of payment cards, let us look at the implications to the card payment infrastructure by fast forwarding to 2015 when US has transitioned to the brave new world.

  • Cards: Cards would have to support both EMV applet and Contactless applets. Obviously, the cards would have to support both contact and contactless interfaces. Would we still need support for mag stripe on cards, for those still in the 20th century?
  • POS infrastructure: Contactless readers supporting both US implementation and the EMV implementation would be necessary. Would US merchants need to offer support for EMV contact feature? Would ROW (Rest of the World) merchants need to support US contactless feature?
  • Who is going to pay for retrofitting the global POS infrastructure to support both EMV and US Contactless.
  • User Education: ROW consumers will have been educated (hundreds of millions of dollars of expense) of how and where to use contact EMV contact and contactless cards. It would be a very interesting consumer education experience and an expensive customer support issue of educating consumers, when they travel, about when and where contact cards are acceptable.
When you look at this picture, don't you long for the good-old-days of magnetic stripe cards, when one size fit all.

One of the lessons emerging from EMV deployments in Europe is that legacy support features (mag stripe on EMV cards) opens a large back door for fraudsters to take advantage of. As EMV cards reduced mail non-receipt, lost/stolen card, and counterfeit card fraud, online fraud and fraud abroad ballooned up. Card Issuers migrating to EMV were hoping for for 30% annual reduction in fraud, but realized only 10% reductions (APACS data), thereby significantly reducing ROI.

There are no silver bullets. However these are things that keep us awake at night.

As we look at the emerging economies of the world, payments card security is not a bottom-line issue (reducing fraud) but a top-line issue which communicates trust and security thereby bringing in large sections of population into the non-cash payments world, thereby growing the pie for all.

Where do you think that the payment card industry needs to be in the G-20 countries by 2015?