POINT OF PAY PTY LTD
A.B.N 38 109 933 520
35 Connell Road, Oakleigh VIC 3166 AUSTRALIA
Ph: +61 3 9569 9711 Fax: +61 3 9569 9211

25 August 2011

Dr Chris Kent
Head of Payments Policy Department
Reserve Bank of Australia
GPO Box 3947
SYDNEY NSW 2001

By email pysubmissions@rba.gov.au

Dear Dr Kent

Re Strategic Review of Innovation in the Payments System

I refer to the above referenced review paper released for consultation on 30 June 2011.

Point of Pay Limited (Point of Pay) appreciates the opportunity to respond to the Consultation Document. We understand that our submission will be published on the Reserve Bank of Australia web site, and we look forward to meeting with you and your staff to discuss it at your convenience.

As an organisation seeking to provide significant innovation for consumers, merchants and banks in securing online payments in the Australian market, Point of Pay keenly awaits the outcomes of this consultation process.

It is our submission that there has been little innovation applied to providing a secure process for making online payments since merchants first offered goods and services on the internet. As an industry, we have failed to address the issue of technologies and regimes, regulatory and otherwise, to effectively support security online and are leaving consumers and merchants with few options in a rapidly growing, increasingly exposed, payments channel.

It is not surprising that this lack of attention to the specific needs of the online community for better security mechanisms has elicited participant behaviour such as higher merchant surcharges for online transactions.

As noted by Peter Mair in his submission to the Bank’s Review of Card Surcharging Consultation Document, dated 17 June 2011, “the consultation paper did not seem to recognise adequately retailers’ very real residual risks with card-not-present transactions – a risk that could presumably be reduced if the card scheme promoters developed more secure communication protocols.”

If security in the online channel was of little concern to payment system users this inactivity may be excused. However when the risk of fraud has been, and after 15 years remains, the number one concern consumers have in making payments online then we, as an industry, have failed them in our duty of care.

From the Results of the Reserve Bank of Australia’s 2010 Consumer Payments Use Study June 2011 we note (from page 24) that “the major deterrents to the use (or further use) of online payments are similar, regardless of whether the consumer is a frequent or infrequent user of online payments. In either case, fraud risk is the biggest concern. The need for increased privacy is also viewed as being a quite important impediment across all payment types for consumers who do not make many payments online. Therefore, overall, the results are suggestive of some need for further security innovation in the online payments market.”

Point of Pay has created a technology solution to the online fraud problem which allows consumers to make “card present” transactions using their domestic eftpos cards (both debit and credit) online with minimal change to current infrastructure, merchant systems and business models. It is in the process of deploying its network in the Australasian market. Further information is attached.

In light of this we submit our views to Issues 14, 17, 36, 48 and 50 from the Consultation Document, as follows.

Issue 14 - Could a new decision-making body with broad representation of payments system participants, service providers and end-users provide a better strategic focus for the payments system, taking adequate account of costs and the public interest?

Our view is unequivocally, yes. We believe that the convergence of online and mobile shopping with traditional in-store “retailing” is well underway and there needs to be a forum in which all those involved can participate.

While APCA, through CECS, provides structure and process for the eftpos and ATM security regimes these elements of the online channel are too wide open, lacking coordination and meaningful consultation. Put simply, in the online payments space as an industry and as a country, we are currently “takers” not “makers” of our own destiny.

Issue 17 - Could formalisation of a broader mandate for APCA, coupled with broader representation, provide better industry-wide outcomes?

We believe APCA should have a broader mandate to be involved in the online channel as they are in the other CECS channels today.

Issue 36 - To what extent will systems already under development or discussion address issues related to the timeliness of (online) payments? What gaps will remain?

If you take the point of view, as we do, that the convergence of online, mobile and in-store security and payment technologies is inevitable, indeed already upon us, then there really is little choice but to create systems that use the same issuance and acceptance infrastructures and business models and can be deployed now.

To bring this capability to market today will require secure hardware in the consumer’s hands. So be it. For years many organisations, including banks, have provided their customers and employees with hardware based tokens to provide functions such as two factor authentication capabilities. How much harder to deploy a fully certified acceptance technology?

The risk of being able to reach critical mass in terms of consumer and merchant uptake is therefore firmly in the hands of the deployer. However, as noted in the Consultation Document there appears to be a ready market for use of this type of technology with BPay and the Direct Entry system. We are confident offering “eftpos online” would be welcomed by consumers and merchants alike especially if it were accompanied with the same immediacy and irrevocability of payment.

In terms of a supportive regulatory environment we note the emergence in the US of measures by the Federal Reserve Board and the Federal Financial Institutions Examination Council (FFIEC) aimed at strengthening the online security proposition in that country.

On June 28, 2011, the FFIEC issued a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. “The purpose of the supplement is to reinforce the risk-management framework regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.”

On June 29, 2011 “the Federal Reserve Board alongside its final rule establishing standards for debit card interchange fees and prohibiting network exclusivity arrangements and routing restrictions approved an interim final rule that allows for an upward adjustment of no more than 1 cent to an issuer's debit card interchange fee if the issuer develops and implements policies and procedures reasonably designed to achieve the fraud-prevention standards set out in the interim final rule. If an issuer meets these standards and wishes to receive the adjustment, it must certify its eligibility to receive the adjustment to the payment card networks in which it participates.”

While these initiatives stress the need for performing risk assessments, implementing effective strategies for mitigating identified risks, and raising customer awareness of potential risks, they do not endorse any specific technology for doing so.

We feel there is merit in examining these measures and the drivers behind them in an effort to assess the applicability for similar initiatives in support of Australia’s online community.

Issue 48 - To what extent are other standards, such as device standards, an impediment to competition and innovation? Is this justified?

In our view the stronger the security environment we can create online the better. If we can build device, and other, standards that support users online and encourage them to transact in this way then surely they are justified.

What we appear to have done in the online market is not to adopt any standards at all, forcing participants to introduce, and in many cases mandate their own regimes that work well for them and not so well for others. And we wonder why consumers are confused about the state of online security.

In-store we force customers to use a terminal and card/PIN and this in an environment where they can actually see the merchant and touch the goods they are buying. Whereas in the online space we ask them to accept that the merchant is who they purport to be and then have them enter their card details with varying methods, using the same “secure” acceptance instrument, ie: their browser, that they use to access Twitter or Facebook. On top of that the merchant is expected to trust all this, safe in the knowledge that sometime after 180 days he will finally know whether he has sold the goods or not.

We believe that not having standards in the online payment space is an impediment to common sense.

Issue 50 - Is there a case for greater industry co-operation on the setting of security standards for retail payments? If so, how should this be achieved?

Yes. We are certain it would not be difficult to gain support from consumer and small business representative bodies, banks, corporate merchants and systems vendors for such co-operation.

Thank you again for the opportunity to contribute to this consultation process.

We would be pleased to meet with you to discuss any aspect of this Submission and request that you contact me directly should you wish to do so.

Sincerely

H Daniel Elbaum
Chairman & CEO