This is part 2 of a two-part series.
The payments landscape is being redrawn, thanks to innovations in contactless payments such as Apple Pay and effortless replenishment services such as Amazon Dash. Soon, “things” may be the focal point of consumer purchases of goods and services.
For merchant acquirers, this presents both a threat and an immense opportunity. As previously noted, we believe the Internet of Things and “contextual commerce” will play a large role in payments going forward. IoT payments can range from traditional payment apps to near-field communications, sensors and tracking devices. In the future, acquirer systems should be able to accept payments from all of these sources and process them efficiently and securely under current regulatory standards (see Figure 1 for an illustration of the ideal payment value chain from the acquirer’s perspective).
Optimal Approach to IoT Adoption
Although we expect the technology to take shape quickly, the battlefield hasn’t been fully defined. Based on mounting research and emerging digital consumer trends, here’s our take on what acquirers will need to consider when enabling IoT-based payments:
Open APIs are required in order to read, send and access information among the connected devices and the server. By developing APIs for the IoT, acquirers will be able to process more transactions. And by integrating the entire range of IoT products and platforms via APIs, they will be able to generate additional revenue through subscription models.
When designing open APIs at all levels of the IoT ecosystem, acquirers will need to develop standardized formats for describing data generated by IoT devices, and enable integration of data originating from various domains and providers.
Forms of Payment
Payments will likely come in two forms:
From the consumer’s own IoT-enabled devices, whether browser- or app-based. These transactions will be treated as card not present (CNP) transactions, subject to compliance with relevant security regulations. IoT device manufacturers will need to make software- or hardware-level changes to enable payment and may be required to go through a compliance certification such as Visa Ready. Acquirers will develop payment APIs that merchants or app developers can embed in their platform, which will enable users to make payments from all of their IoT-based devices.
Payments from an acquirer-operated smart kiosk or vending machine. To support these transactions, acquirers will create a gateway to an API-based connector for payment hardware installed on the IoT device. This will require partnering with a hardware provider that can design an API to accept payments. Acquirers will also need to identify these transactions as separate IoT transactions for processing, billing, reporting, etc.
Account Setup and Maintenance
Merchants that choose to accept transactions from IoT-enabled devices will want to have this feature enabled for them. The service provider should indicate the subscription model and onboarding system, which requires capturing and passing on this information for subsequent processing (e.g., authorization, clearing, settlement).
Authentication, Authorization, Data Capture
Authorization data from gateway APIs for all IoT devices will need to be reformatted to industry-standard formats. This could involve additional data elements, depending on the compliance guidelines (e.g., EMV tokenization) and acquirer-specific reporting capability.
Interchange Fees and Compliance
Transactions originating from IoT devices will require acquirers to make changes to their back-office processing systems to comply with regulatory mandates covering IoT payments.
Dispute processing will be impacted by regulatory standards, which can change periodically. Acquirers need to continually update their systems to remain compliant.
Business Intelligence, Reporting, Analytics
Acquirers will need to employ analytics to generate actionable insights for merchants as a value-added service. IoT data can also be used for targeted marketing and promotions.
Merchants will likely have apprehensions and uncertainties during early IoT adoption. Acquirers should be prepared to teach merchants how to properly capture IoT-enabled transactions and comply with rules and regulations.
Back-end System Tweaks
Acquirers’ processes and back-end systems may not require major changes, since transactions generated from IoT devices should be treated like others. But acquirers will need to add data elements in order for IoT payments to comply with regulatory standards and support new revenue streams stemming from business intelligence and analytics insights.
The payments world already has a robust set of controls that can be plugged into any transactional scenario; the key issue revolves around connecting those devices to payment gateways.
The IoT poses some real risks to consumer privacy, including greater security exposures due to data-sharing across all connected devices, and the potential for adverse consequences resulting from the unexpected use of consumer data. Merchant acquirers and other payments players must take necessary measures to ensure consumer confidentiality and security.
With rising data storage and data management requirements, as well as security and privacy vulnerabilities, the role of IT administrators will greatly evolve in the coming years. Rather than using centralized storage, organizations may need to store IoT data on distributed servers, and then extract relevant data to a central site for downstream processing.
The IoT will provide a much-needed boost to traditional payment players and acquirers — allowing them to win and retain customers as well as counter threats posed by non-traditional, nimble-footed fintech competitors. Merchant acquirers will need to set their sights on developing APIs and tools that support new and innovative modes of payments, and provide customers with a rich, consistent omnichannel experience.
To learn more, please read Part 1 of this series, see our white paper The Internet of Things: A Prime Opportunity for Merchant Acquirers or visit our IoT Practice website.