How You'll Pay
Which of the competing electronic-payment devices will we choose?
To catch the future of payment schemes, go underground. Beneath the streets of the nation’s capital, more than 60 percent of peak-time riders on the Metro (Washington, DC’s subway network) have switched from magnetic-stripe tickets to “smart cards” embedded with memory chips and radio transponders. Riders can load as much as $200 into their SmarTrip cards at a kiosk or over the Internet. Antennae built into subway turnstiles pick up radio signals from the cards and convert them into streams of bits that denote the embarkation point and subtract money from the card’s memory. Similar systems are being planned for other U.S. cities, and next year London will adopt these newfangled fare cards for its famous double-decker buses and massive Underground subway network.
But the ultimate destiny of such electronic-payment devices goes way beyond multibillion-dollar public-transit projects. Smart cards and rival gadgets are rapidly evolving into technology platforms that could trigger changes in everything from urban commerce and suburban shopping sprees to national security. Commuters could eventually use such devices not only to buy coffee and newspapers, but also to store bus transfers, hold medical records and drug prescriptions, download coupons, and redeem tickets to museums and sporting events. “The current thrust is to reduce or eliminate the cash handled by these fare collection systems,” says David de Kozan, vice president of market planning and support at San Diego-based Cubic Transportation Systems, which supplies cards and readers to the Washington and London transit networks. “But the technology can also provide other tools. You could rent out spaces on the card for different applications.”
And so the competition to produce and popularize the most secure, the most convenient, and the most versatile high-tech payment system is heating up. One contestant in this race is indeed the smart card, which incorporates not only a memory chip but also a microprocessor. Touted for more than a decade and already popular in Europe, the cards have yet to make it big in the United States, Washington’s Metro notwithstanding. Meanwhile, radio wave transponder tags that supply identification data, as well as coin-size microprocessors that store security codes and encrypted money are gaining ground.
The merchants, banks, and device manufacturers that figure out and deliver what people want from these technologies stand to reap a rich bounty of profits and transaction fees on the $5.7 trillion in annual credit- and debit-card purchasing worldwide-not to mention tens of billions of dollars more in the market for secure identification, subway payment, and other applications.
It won’t be easy. Credit card companies and banks have long pined for a large-scale rollout of microchip-based payment devices mainly because storing customers’ identity data on chips has proved a more secure and reliable way to prevent fraud than encoding data on a traditional magnetic stripe. And because consumers are not liable for transactions conducted using their stolen identities, merchants and banks eat the estimated $4 billion in annual losses. In high-profile tests-most notably Visa’s trial at the 1996 Olympic Games in Atlanta and a 1998 Citibank and Chase Manhattan experiment on Manhattan’s Upper West Side-stored-value smart cards have been resounding flops. Not only that, the costs of implementing a new system are formidable. Diana Knox, senior vice president of emerging channels at Visa U.S.A., estimates that it would cost $11 billion to replace magnetic-stripe cards and upgrade U.S. authorization terminals and networks. “The infrastructure hurdles are enormous, and there isn’t much money in processing small transactions,” Knox says.
That is why smart cards have for years been a technology in search of compelling applications. Yet it is a quest that is quickly gaining new urgency-and not just beneath the streets of Washington and London. Retailers such as Target Stores are introducing smart cards that can receive and redeem digital coupons and other incentives. And over the next few years, the credit card industry will mandate that many European, Asian, and Latin American countries replace magnetic-stripe credit cards with smart cards. Toni Merschen, senior vice president for chip and mobile commerce at MasterCard International’s laboratory in Waterloo, Belgium, says, “We have a big global migration ahead of us.”
The potential of the smart card to handle many different applications has revived hopes for making the technology as commonplace in the United States as it is becoming overseas. Advances in the technology itself are driving the possibilities in the marketplace. Three years ago smart cards boasted the processing power of a 1980 Apple II computer; today’s versions are approaching the level of a 386-class PC, circa 1990. Most smart cards can hold 32 kilobytes of data, and their embedded microprocessors can execute simple application programs stored in 64 kilobytes of flash memory.
That’s enough computing power to run multiple payment, customer loyalty, health-care, and security applications on a single card. “It is essentially a PC without the keyboard or display,” says Neville Pattinson, director of business development for New York Citybased SchlumbergerSema, a top maker of microprocessor cards. The cost has dropped below $5 apiece for quantities of thousands, and smart cards with the power of a Pentium-class PC are within reach this decade, he says.
Perhaps the biggest push for smart cards is coming from large organizations that want them for their employees. In one of the largest smart-card rollouts under way, the U.S. Department of Defense is issuing a Common Access Card to every member of the armed services. Each card includes a photograph and a microchip that authenticates identity whenever the card holder enters an agency facility or logs onto its computer network. The card will also encrypt and decode employees’ e-mail. More than a million of these cards have been deployed, and the department plans to issue the cards to all its 3.5 million officers, service members, and civilian employees within the next year.
Prompted in part by the security concerns that crystallized after September 11, other government agencies are following suit. The Aviation and Transportation Security Act and other recent legislation mandate that the Department of Transportation, the Border Patrol, and other agencies investigate a universal worker-identification device that would hold biometric data such as fingerprints and digital “faceprints.” The devices would be automatically monitored at checkpoints or spot-checked by roving security officials. Workers may need the cards to log onto agency and airport computer networks, as well as to gain physical entry into facilities. “Post-September 11, there are secure-identification projects going on all around the world,” says Ed MacBeth, senior vice president of marketing at ActivCard, a Fremont, CA, company that is supplying software for the Defense Department’s card. “The card has to be smart enough to identify the user,” MacBeth says. “It’s no longer good enough just to flash a photo ID.”
Although government agencies are rolling out the largest number of cards, the technology is turning up at major corporations, as well as college campuses and other large institutions. Hewlett-Packard, Microsoft, and Sun Microsystems are all issuing cards to tens of thousands of employees for building access and for logging into their corporate computer networks. Some employers are enhancing cards with such applications as electronic-cash accounts that can be used at their company cafeterias. Managing the cards is getting so complicated that companies are contracting the work out to banks.
Paying by Waving
But are smart cards too smart for their own good? Developers of technologies that compete with smart cards argue that it’s precisely the complexity of those cards that will spell their doom in the marketplace. For such everyday applications as buying gasoline, smart cards may be impractical: they require new equipment and authorization procedures. “We’ve been hearing the pitch about smart cards for 10 years,” says Joe Giordano, a business development vice president at ExxonMobil. “But there isn’t a need for the technology unless it has a real benefit for the consumer.”
That’s what prompted Giordano to develop an alternative technology for streamlining the purchase of gasoline. Brainstorming on an airplane trip nearly 10 years ago, he sketched a simple payment idea on some cocktail napkins on his tray table. He envisioned a toe-size device that would hang on a key chain. “It needed to be durable, reliable, simple, and lightweight,” Giordano recalls thinking at the time. Wave it in front of a gas pump, and a customer’s identification code would be picked up from the device’s built-in radio transponder. A customer would no longer have to find her wallet, pull out her credit card, and swipe it through a reader. Before Giordano got off the plane, he had even come up with a name for this device: Speedpass.
Giordano successfully sold the idea in a series of corporate strategy meetings. Nearly six million people now use the Speedpass, and the payment system has been installed at more than 7,500 Exxon and Mobil service stations. Unlike the smart card, Speedpass has no onboard computer chip or memory. It consists of a radio transponder programmed to transmit a digital code that identifies its user. A radio receiver inside the gas pump constantly scouts the immediate airwaves for the presence of a Speedpass, and when it finds one, it simply picks up the code numbers that authorize payment from the customer’s credit card. (Similar radio tags are embedded in the FastLane, FasTrak, and E-Zpass units millions of U.S. motorists use to pay highway tolls.)
ExxonMobil is now taking this simple message to other retailers. Giordano, currently vice president of the company’s Speedpass Network unit, is signing deals with fast-food restaurants and grocery stores. The Speedpass is being tested in Chicago-area McDonald’s restaurants and at Stop and Shop supermarkets around Boston. At a McDonald’s restaurant, the reader is incorporated into the drive-through order box. At Stop and Shop, Speedpass readers are built into automatic teller machines in special checkout lanes. In addition, Giordano has signed a deal with Timex to build the devices into watches that will be available in 2003. The goal, he says, is to make Speedpass a “ubiquitous form of customer ID and payment.”
The wild card in the electronic-payment competition against smart cards comes in a smaller package. The iButton-a 16-millimeter diameter steel canister containing a microchip-has advantages over both technologies. The iButtons, made by Dallas Semiconductor, are activated when they are placed in contact with a receptor pad on, say, a vending machine. As soon as it touches the pad, the iButton transmits data directly to the chip inside the receptor. The device can be made into a ring, worn on a necklace, or built into a wide array of garments, says Dallas Semiconductor vice president Michael Bolan, iButton’s coinventor.
Unlike a Speedpass, which stores nothing but the user’s identification code, an iButton can hold electronic cash, coupons, and other data. In that sense, it does resemble a smart card, but Dallas Semiconductor claims that the steel button is more rugged than the plastic card. And cheaper, too: Bolan says that his company supplies the devices for less than $1 each in large quantities. By contrast, SchlumbergerSema’s Pattinson confirms that smart cards typically cost at least $4 each.
In addition, because the iButton isn’t a major-brand credit card, there are no transaction fees, which range from two to six percent of every MasterCard, Visa, or American Express payment. The iButton’s chief drawback is that, unlike other payment technologies, it adheres to no recognized standard: it stores and communicates data in a proprietary format.
In iButton’s most extensive installation so far, it serves as a subway pass in Istanbul, Turkey. Riders entering the station simply touch their buttons to a reader, which deducts the payment from electronic cash stored on the button. Five million people now use the so-called Istanbul Purse, which is also gaining acceptance as a form of payment among the city’s merchants.
All told, according to Dallas Semiconductor, there are more than 65 million iButtons in use worldwide. That includes large installations in parking meters in Brazil and Argentina, gas stations in Moscow and Mexico City, bus terminals in China, hospitals in Switzerland, apartment buildings in Korea, and vending machines in Canada.
One application should drive that number even higher. Dean Kamen, inventor of the self-balancing Segway electric scooter, which is expected to hit the market in 2003, has selected the iButton as the Segway’s all-purpose starter key and security device. To activate the vehicle, the user touches the steel canister, mounted on a key-size piece of plastic, against small metal contacts on the handlebar. The Segway owner can program the chip with a variety of access features, including top speed and steering sensitivity. Companies with Segway fleets can use that ability to control their users’ driving behavior.
Although most Americans have yet to encounter any of these portable payment and identification devices, the technologies are proliferating throughout the rest of the world. Smart cards were introduced more than a decade ago, and in the past few years they have gained real momentum; more than 685 million smart cards were shipped last year alone, 60 percent of them going to Europe and 30 percent to Asia, according to Gartner Group, a market research firm in Stamford, CT. “My colleagues from the States think it’s hilarious,” says Clare Hirst, a London-based analyst with Gartner. “They come over here and say, you’ve got chip cards for everything.’”
Most of the smart cards in Europe are postage stamp-size SIMs, or subscriber identity modules, that give a mobile- phone owner the option of requiring a password for placing calls. These cards, which large numbers of Europeans have been using for a decade, not only store identity data but also hold phone numbers, address lists, and other personal information. Users can pop their cards into new phones, retain all their collected data, and begin charging calls to their own accounts. Due to the far lower incidence of telephone fraud in the United States, U.S. phone companies have been policing scams only after they have happened. Thus, Americans are just starting to gain experience with chip card technology already familiar to Europeans.
Europeans have deep-seated reasons for their devotion to stopping fraud and their rapid adoption of smart cards. Because government-owned telecommunications companies have precluded a competitive business environment in Europe, even local calls are expensive. “There is no such thing as a free local call in Europe,” says Pattinson, of SchlumbergerSema. To reduce telecommunications costs, European merchants process credit card transactions in batches rather than individually in real time, the standard practice in the United States. By the time European merchants check authorization, the thieves have made their getaway. It’s simple for store clerks and waiters to “clone” credit cards: they quickly skim the data from magnetic-stripe credit cards and transfer the information to new cards for use somewhere else. This procedure makes it easier for thieves using stolen or cloned cards.
Smart cards go a long way toward thwarting such popular crimes, and they save European retailers a bundle: because the money is in memory, there is no need for costly phone-based verification. Before the introduction of smart cards in Europe, card cloning and theft resulted in fraud rates as much as 10 times higher than those in the United States, says MasterCard’s Merschen. Key features of today’s smart cards were invented in France in the mid-1970s to combat this very problem. “It’s easy to hack into a card with a mag stripe,” says Peter Buhler, manager of IBM’s Secure Systems Research Group in Zrich, Switzerland. “Smart card chips are resistant to tampering.”
Europe is now going one step further. The Europay-MasterCard-Visa global consortium, or EMV, has set a series of deadlines by which all banks in Europe and many parts of Asia and Latin America must issue smart cards to their customers. By 2005 the switch to smart cards should be complete in many countries. Though its edict lacks the force of law, the consortium can use strong financial incentives and punishments to impose nearly universal acceptance. “EMV has said it will no longer absorb the cost of fraud in those regions,” says Gartner’s Hirst. “So if they don’t comply, the banks and merchants will have to take on the cost of the fraud themselves.”
This liability transfer is “the ultimate enforcement measure,” says Visa’s Knox, who notes that there will be “real financial consequences for those who fail to adopt smart cards.” The cost of moving so many banks and merchants to smart cards is expected to total billions of dollars, but in much of the world, the antifraud benefit is expected to justify the expense, she says. In the United States, however, where fraud rates are so much lower, the savings reaped from reducing fraud would not justify a comparable action, Knox adds.
Yet the United States could very well be forced to join the global conversion, Gartner’s Hirst predicts. “If fraud isn’t as easy in other regions, the crime will shift to the U.S.,” she says, “or it will look high in comparison.” ActivCard’s MacBeth agrees. “If the rest of the world deploys smart cards, and that eliminates much of the fraud elsewhere,” he says, “the criminals will focus on the United States, and we could become the last bastion of magnetic-stripe fraud.” This, he says, would force the United States to replace its infrastructure. “We wouldn’t have much of a choice.”
Shopping’s Next Wave
Or the current infrastructure could be bypassed altogether. In the future, portable computing devices and smart cards will become one and the same, perhaps lessening the importance of stationary card readers. Diana Knox of Visa says the credit card networks are already experimenting with smart card capabilities in cell phones and handheld computers. Long-advertised scenarios in which a cell phone user zaps money through the air to a vending machine or to a friend’s cell phone will become commonplace, she predicts. “At the end of the day,” she says, “it’s not about the devices as much as it is the payment network. Visa can be inside the phone or inside a personal digital assistant.”
That might be wishful thinking. As PayPal, the online payments pioneer, has shown in the fast-growing market for person-to-person payments over the Internet, cost and complexity must be much lower before consumers will accept the technology (see “Digital Cash Payoff,” TR December 2001). In eBay auctions, PayPal introduced the ability to transfer cash to anyone with an e-mail address. Thus online sellers could accept money from far-flung strangers without opening expensive Visa and MasterCard merchant accounts. Once PayPal struck the right formula, millions of users flocked to the system, providing the critical mass of success that led to eBay’s $1.5 billion acquisition of PayPal in October.
Such rapid market acceptance helps explain why so much energy is now being channeled into finding plausible applications for new payment technologies and why the SmarTrip system in Washington’s Metro is considered such an important market test. Another key trial is under way at Target Stores, the third largest U.S. retailer. Target is issuing microprocessor-equipped Visa smart cards to its customers. Checkout lanes with smart-card readers will be programmed to monitor purchasing patterns and load coupons, promotional offers, and loyalty incentives into each card’s 16 kilobytes of memory. To better integrate Internet commerce with what happens in its stores, Target is giving free smart-card readers to shoppers, who plug the devices into their home PCs to access a special Web site. Eventually, customers will be able to download electronic coupons and receive new offers. “This is the first test of its kind in the world,” says Visa’s Knox. “Many merchants are cautiously watching what is happening at Target.”
The next wave of applications is bound to bring more creative ideas, says Ted Selker, who heads the MIT Media Lab’s context-aware computing group. His experiments have included putting chips in clothing, furniture, and other everyday items. Selker foresees a day when airport shops will target smart-card holders in the vicinity with wireless transmissions that promote discounts on everything from T-shirts to books and backpacks. Another possibility: as a customer approaches a rack of clothing in a store, wireless readers in the clothes hangers glean his size information from the smart card in his wallet, causing lights on the hangers of outfits that are his size to flash. Selker says the goal isn’t so much to wow as to figure out “how do you add functions that can simplify people’s lives?”
In the meantime, payment devices will assuredly proliferate-to the point that the average person might carry four or five variations of smart cards. No single technology will likely dominate; rather, radio tags, chip buttons, and smart cards will catch on wherever their qualities are best suited. A person might have an iButton for secure access to her apartment building, a Speedpass to buy gasoline and convenience store items, a smart card for riding the subway and storing tickets to events around town, a multiapplication card for corporate access and health-care data, and even a cell phone with a smart chip that can transfer money to the phone of a friend.
Just don’t be too surprised to find that your digital fingerprints are floating through the air along with your money. As the payment technologies take off, you’ll be able to do just about anything with your smart card or Speedpass or iButton. And then you’ll be asking whether you can do anything without them.
Digital Payment’s Big Three MAKERS APPLICATIONS STORED INFORMATION DEVICE TALKS TO READER READER TALKS TO NETWORK SchlumbergerSema
(New York, NY)
program at Target Stores
Personal-identification data; programs that formulate special offers, discounts, and loyalty certificates Device talks to reader
Swiped through a checkout counter reader, a card’s embedded microprocessor communicates via its gold-plated contact pad.
Transactions are authorized via data lines, and purchasing information used to formulate loyalty offers is uploaded to the store’s database.
(Gemenos, France) ExxonMobil Speedpass Network
(Fairfax, VA) McDonald’s drive-through service Customer’s identification code A radio transmitter inside the McDonald’s order box signals
a nearby Speedpass transponder to emit its unique identification code. The unique code and purchase amount are sent over the standard credit-card authorization network. Dallas
(Dallas, TX) Canadian vending machines Digital-cash accounts When an iButton is touched to a vending machine’s receptor, the sale is debited from the chip’s memory. The self-contained system does not communicate with any network.
Segway starter key
Vehicle identification data and codes for controlling top speed and steering sensitivity Touching the Segway key to the receptor on the handlebar identifies the driver and adjusts the vehicle’s settings. The self-contained system does not communicate with any network.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today