Least cost routing, the siren song of network tokenization, and the future of debit card payments
Imagine, for a moment, that it’s October 3rd, 2022 and you’re Patrick Collison:
It’s a Monday, so naturally you’re knee-deep in Chapter VII of Book III of Montaigne’s Complete Essays, ‘Of the Inconvenience of Greatness’. Your alarm goes off. It’s 4:50 PM ET and you have a Board meeting in 10 minutes. En route to the conference room, one of your top lieutenants hands you a summary of the updated Federal Reserve Board guidance to Regulation II. You’re half-heartedly skimming through and then suddenly, something in the memo catches your eye. You do a double take just as you step through the glass doors into the conference room. Everyone’s already gathered and looking up at you, but you realize there’s no time for pleasantries or roll call today. You open instead with a startling call to action: “Let’s call our friends at 200 West St. We need to acquire SHAZAM.”
None of this actually transpired of course. But perhaps it should have?
Skipping Ahead to the Good Stuff
There’s a unique moment of opportunity right now with trillions of dollars worth of debit card payments volume up for grabs, and for the first time in a long time, it’s not obvious that the establishment is going to successfully keep the invaders at bay. Where regulators, merchants, and regional debit networks were banking on ‘least-cost routing’ to increase competition, Visa and Mastercard were seemingly already two steps ahead with ‘network tokenization’. But as crafty as the global network giants are, this round seems to have gone to the challengers and this creates some powerful knock-on effects for players across the card payments ecosystem.
It’s banal to reintroduce and summarize the Durbin Amendment at this point, so we won’t do that. Similarly, most fintech and payments geeks are already familiar with the aforementioned Regulation II ruling, which will come into effect this July (2023), so let’s not spend time restating the facts here either. In a sentence: this will force issuers to provide routing choice of at least two unaffiliated networks for card-not-present (CNP) debit transactions where previously, they were only expected to do so for card-present (CP) debit transactions. Instead:
- Let’s set the stage by quickly covering Signature vs. PIN debit networks, including some context on market structure and potential savings for merchants from online debit routing.
- With that out of the way, we can unpack ‘Network tokenization’ — the ultimate siren song of Visa and Mastercard — and discuss why it was an unsuccessful strategy to stave off competition.
- Lastly, we can unpack why large merchants and the old school merchant acquiring giants are the big winners here.
Let’s dive in.
Visa’s Alt. Rock Cousins
We’re all familiar with Visa and Mastercard. These are the main ‘signature debit’ networks. Transactions over the signature debit networks are generally processed without the need for a PIN to be keyed in, and historically required a physical signature to accompany the card swipe.
These are also often called ‘dual-message’ networks, because transactions are processed over their rails in distinct authorization events, and subsequent clearing/settlement events. The authorization is effectively an approval and guarantee from the issuing bank that they will honor the transaction, typically by placing a hold on the funds in the cardholder’s account for the appropriate amount.
There are also a whole host of regional debit networks, or “alternative networks”’, which aren’t as recognizable to the general public: STAR, Accel, Pulse, SHAZAM, NYCE, Culiance, Interlink, Maestro, etc. “Regional”’ because they don’t have global ubiquity like Visa and Mastercard. You may have noticed some of their logos at the ATM but it’s not likely that you paid them much mind.
They’re also often referred to as “single message”’ or “PIN Debit”’ networks because the authorization and clearing/settlement data are contained in one, single message when payments are processed over these networks. Also, because historically (in a traditional commerce world), a cardholder would enter a PIN at the point-of-sale (POS) to verify/authenticate the transaction.
More recently, many of these regional debit networks have developed PINless capabilities to adapt for an increasingly online world, but the old nomenclature has proven sticky. As far as I can tell, STAR, Accel, NYCE, Maestro, Interlink, SHAZAM, and Pulse can all support PINless debit. So if a merchant wanted to route a CNP transaction from a Visa/Mastercard branded debit card on a regional debit network instead to save money on payment processing fees, they could do so on any transaction where the card was co-branded with at least one of these networks as the “unaffiliated secondary network” that the issuer was required to include on the back of the card.
Here’s a breakdown of the different debit card networks in the US. And to make the story spicier, let’s call out who actually owns the PIN debit networks (more on why this matters in the last section):
Redbridge Debt & Treasury Advisory (2021) provides this incredibly helpful market share data on the PIN debit networks:
Card-present dollar volume:
- 47% — Interlink
- 25% — STAR
- 13% — Maestro
- 12% — PIN Authorized Visa Debit
- 3% — All other networks
Card-not-present dollar volume:
- 60% — STAR
- 20% — Pulse
- 15% — NYCE
- 5% — Accel
While these are mostly just extraneous details for consumers (who tend not to care which network their payments are being processed through behind the scenes), they can make a world of difference to merchants and merchant acquirers.
To put it plainly: A ‘Signature Debit’ transaction can practically only go over Visa and Mastercard’s branded networks — so they face no real competition. A ‘PIN/PINless’ debit transaction however, could be handled by STAR, Accel, NYCE, Maestro, Interlink, SHAZAM, Pulse, etc. As a result, there is significant competition for PIN/PINless debit — leading to lower rates and fees for merchants. And merchants absolutely hate paying fees to accept payments.
The Fed reports on the Average Debit Card Interchange Fee by Payment Card Network and you’ll notice the stark difference between the Visa/Mastercard fees and the PIN debit (single-message) networks’ fees.
- Overall (including card-present and not-present, including Durbin-exempt and covered), the average interchange fee for dual-message is $0.39 vs $0.25 for single-message.
- For Durbin-exempt transactions, the delta is even more material, with the average interchange fee for dual-message at $0.64 vs. $0.27 for single-message.
Alas, this doesn’t tell us the full story because depending on any given merchant’s volume mix (card-present vs. card-not-present; average transaction size; geography, etc.), the effective take rate with any of these networks could vary materially from the national averages. Also, all of these networks play intricate and well-thought-out incentive games such that the effective price can vary quite a bit from the publicly listed price. But for all these caveats, the Fed’s data is still pretty darn reliable and is built off an extremely large data set.
CMSPI further estimates that merchants currently pay an average of $0.92 per transaction in interchange and network fees for CNP transactions to accept Durbin-exempt Debit. They estimate that merchants could save ~25% on their interchange and assessment fees through CNP PINless debit transaction routing, for a total of at least $3B in estimated savings for ecommerce merchants collectively.
So no matter which way you try to dice it, the takeaway is still pretty clear: retailers have a massive opportunity to save money if they figure out how to intelligently route their payment transactions on these PIN debit rails.
Anti-regulatory Tactics Masquerading as Data Security
So merchants will start routing all their online debit payments to the regional networks, right?
Well, Visa and Mastercard are no dummies. They’ve both been playing strategy games nearly flawlessly for over 5 decades. They saw this unfolding years ago so they sang a siren song by the name of ‘tokenization’ and pushed it straight through to the Top 40.
A brief primer on network tokenization
Network tokenization refers to solutions offered by Visa (Visa Token Service (VTS)) and separately also by Mastercard (Mastercard Digital Enablement Service (MDES)). Tokenization is simply a process that replaces a card’s primary account number (PAN) — the 16-digit number on the plastic card — and other sensitive card details with a unique identifier, or “token” provisioned and managed by the card network.
Sidenote: Network tokens are different from payment gateway/acquirer tokens, which merchants also often use.
- Acquirer level tokenization, which is typically provided by an ecommerce merchant’s payments processor — your standard Adyen, Stripe, Braintree, Cybersource, etc. — also protects the card data from being compromised at the merchant level.
- But network tokens go one level beyond: network tokens provide increased security through the use of cryptograms, such that each token is unique to the specific transactional context (unique to a specific combination of PAN, device/channel, and merchant). So where gateway/acquirer tokens are theoretically decipherable and can be used by sophisticated bad actors to exploit cardholders/merchants, network tokens are specific to domains, making the lives of fraudsters harder.
Bankrate (2019) found that 6 in 10 US cardholders have saved their card numbers online or in mobile apps. Merchants in turn like to have cards saved on file to reduce friction during checkout, and to charge customers for repeat transactions and subscriptions. So on the surface, network tokenization is a highly compelling solution since it helps to accomplish these things while simultaneously limiting merchant exposure to sensitive card information, thereby protecting both the cardholder and the merchant from potential data breaches. But security is just the hook. Visa and Mastercard sought to make network tokenization so tempting that they also offered a host of other neat benefits for merchants who used it:
- Card on File (COF) updater: Network tokens are set up in such a way that even if the underlying card is lost/expired/replaced/reissued due to fraud, the merchant will still be able to run transactions against that cardholder’s account using the network token saved on file. This results in a dramatic reduction in card declines for merchants who may otherwise be holding expired card details. Stripe (Feb. 2023) reports that a staggering 40% of cardholders had to replace their card in 2022 because of the card expiring, getting lost, or being compromised by fraud. Most cardholders forget to update their card on file details with merchants when this happens.
- Reduced fraud: Since stolen network tokens are effectively useless outside of the highly-specific payment context they were set for, the incidence/likelihood of fraudsters initiating transactions under false pretenses drops dramatically. This increased trust means that issuers approve more transactions, and that merchants can more confidently fulfill orders, increasing their sales. Visa proudly notes that North American merchants who implement network tokens can expect a 26% reduction in fraud rates and a 2.1% average lift in authorization rates. Particularly for smaller ecommerce retailers, the savings from reduced fraud here can be game-changing. In fact, in the case of certain digital wallet transactions (Apple Pay, Google Pay), network tokenization also makes you eligible for liability shift to the issuer, allowing merchants to feel even more secure about chargeback risks.
- Incentives: As a merchant you might notice that Visa and Mastercard charge slightly lower assessment fees on network tokenized vs non-tokenized transactions that run on their rails. This can be material — potentially avoiding up to 10 bps in interchange fees on Visa for online transactions, according to Merchant Advisory Group (August 2022).
For more on the benefits of network tokenization, check out Stripe’s February 2023 announcement about expanding its network tokenization capabilities and why merchants should care.
So far this sounds like a win-win-win. So what’s the problem? Simply put: network tokenization was designed to preclude least-cost routing. Network tokenization implies the need for network de-tokenization, which is another way of getting to the same outcome that Visa and Mastercard have always wanted: network exclusivity rather than network competition. If a merchant uses Visa’s network tokenization to save cards on file and wants to run a transaction, they necessarily need to send a request to Visa to authenticate the transaction and run the payment on the underlying PAN. Guess who can’t detokenize a Visa-specific network token without Visa’s buy-in? That’s right — STAR, Accel, NYCE, Pulse, and the other, cheaper, regional debit networks who the merchants may have sought to leverage to reduce their payment processing fees.
Here’s the National Retail Federation (represents ~4M retailers across the US) in August 2021 providing comments to the Fed about how Mastercard and Visa have weaponized tokenization:
Mastercard:
“When a merchant chooses to route a transaction over a competitive network, Mastercard is arbitrarily selective about whether it is willing to detokenize the PAN. If the transaction is a CNP transaction, Mastercard refuses to detokenize the transaction, taking away the merchant’s routing choice. By virtue of Mastercard’s refusal, these transactions are only routable to Mastercard.”
Visa:
“Visa goes about using tokens to inhibit merchant routing choice in a different way. When a token is detokenized, there are two security checks run — confirmation of the cryptogram and domain channel — to ensure that the token is valid. Issuers require that the network processing the transaction confirm that these security checks have been successfully performed before the issuer will authorize a transaction. Knowing this, when a competitive network requests that Visa detokenize a CNP transaction in particular, Visa will provide the PAN, but it will not confirm whether the token was validated. The result is the same as with Mastercard’s policy: the transaction may only be routed to one network — this time, Visa.”
So if you’re wondering why it was in Visa/Mastercard collective interests to push adoption of network tokenization so much, we now have the toolkit to solve the puzzle: it’s because Visa/Mastercard were trying to fortify their positions. In a world where merchants may freely adopt least-cost routing strategies for CNP debit, there would be a direct volume transfer from Visa/Mastercard to players like Accel, STAR, NYCE, etc. Related, this also has huge consequences for the acquiring side of the ecosystem. If you’re Stripe, you’re similarly hoping that network tokenization is successful and that Visa/Mastercard are able to control debit volume flows. Because in a world with frictionless least cost routing, the biggest competitors in your space — FIS and Fiserv — who literally own the regional debit networks, are going to be able to price you out of deals with large merchants (more on this in the last section).
The One Thing Amazon and the FTC Are Aligned On
Tokenization as a defensive tactic by the global networks was a stroke of genius. However, you simply can’t pull the wool over the eyes of regulators in this country — at least not when it comes to banking and financial services.
Following the Fed’s clarification about CNP debit routing, the FTC got to work straight away and began to investigate the global networks’ anti-competitive practices through the use of network tokenization. In December 2022, the FTC handed Mastercard an early Christmas present.
In the agency’s own words:
“Mastercard used its control over a process called “tokenization” to block the use of competing payment card networks… Mastercard refuses to provide conversion services to competing networks for remote ewallet debit transactions (i.e., online and in-app transactions, as opposed to in-person transactions made by the customer in a store), thereby making it impossible for merchants to route their e-wallet transactions on a network other than Mastercard.”
Under the new FTC consent order, Mastercard is required to provide the customer’s underlying PAN when a competing network asks to retrieve the same from a Mastercard token in order to process a debit card payment. For Visa’s part, here’s their 10-Q for the period ended December 31, 2022 showing on p. 24 that the Antitrust Division of the U.S. Department of Justice is ramping up their demands on Visa, seeking information about their debit competition practices (thank you to Reggie Young for the tip). So it seems that the tokenization barricade is imminently falling apart. Unambiguously, this only helps merchants as it levels the playing field for the global and regional debit networks once more.
But regulators aside, here’s another tidbit: The top online retailers in the US were already too shrewd from the outset to take the network tokenization bait from Visa and Mastercard. The likes of Amazon, Walmart, etc. said no thank you to network tokenization, preferring instead to stick with good old fashioned acquirer tokenization or even vaulting cardholder data themselves where they are fully PCI compliant. As we discussed earlier, there’s a difference between network tokenization (Visa’s VTS, Mastercard’s MDES) and good old fashioned acquirer tokenization (Adyen tokenization, Fiserv’s Transarmor): the former is technically more secure, but is also designed to limit your ability to exploit least-cost-routing.
So these large online retailers were actively forgoing all the benefits of network tokenization (greater security, reduced fraud, etc.) but they weren’t too fussed. Why? Because, as payments industry legend, Tom Noyes points out, unlike smaller merchants — who actually benefit a lot from the strong fraud/chargeback protections through tokenization — large retailers already have highly sophisticated fraud prevention systems that limit their fraud losses to 3–5 bps. So for them, the cost savings of 15–30 bps from switching signature debit volume over to PINless debit is an easy trade that can add up to tens or even hundreds of millions of dollars annually in savings.
So, Visa and Mastercard Have to Cede Debit Supremacy?
Absolutely not. CNP debit volume is a must-win battleground for the network giants. The FTC reported as of Dec. 2022 that over $4 trillion in debit card purchases are made annually. Brandi Gregory from Cornerstone notes in Gonzobanker (May 2021) that Visa’s CNP volume grew ~18% in Q1 2021 compared to just ~4% growth in card-present volume; the average ticket size for a CNP transaction was $61.36 vs. $32.65 for card-present. So there’s no way they’ll just let this one slide; they’ll keep pursuing other means.
After all, if you come at the king, you best not miss. I wouldn’t be surprised if Visa and Mastercard just use this opportunity to really double down on the tried and tested approach of weaponizing issuer and merchant incentives (before the regulators — spurred by the retail lobby — try to close down that ‘anti-competitive’ loophole as well). Card payments have always been one giant poker game built on incentives after all, and Visa and Mastercard play with a sizably more potent bankroll than any of the regional networks.
The global networks still offer massive sign-on bonuses and volume-based incentives to large merchants. In order to hit these volume targets and qualify for the higher assessment fee rebates, merchants end up consolidating volume on a single network rather than distributing it across multiple different regional networks. Another particularly effective type of incentive agreement involves tying the incentive to achievement of multiple volume targets involving the merchant’s credit as well as debit volumes. In this context, the regional debit networks are at a further disadvantage.
So yes, the regional debit networks definitely have the potential to win market share in the coming years with this golden opportunity handed to them by the regulators, but that doesn’t mean Visa and Mastercard will go quietly. They can still make things incredibly hard for the regional debit networks to slow their ascent.
The Price of Independence
If you’re Stripe and you’ve got big ambitions to win the acquiring game, then you’re probably going to start having some tough conversations with your larger prospects and customers. You simply can’t offer the same types of incentives and rates to process CNP debit volume on the regional debit networks like Fiserv or FIS can — they own those networks.
If you’re a large online retailer, your Fiserv rep is probably already selling you on the fact that they have you maximally covered in the most number of scenarios — whether debit card issuers are increasingly going with the Mastercard on the front/STAR on the back network strategy or the Visa on the front/both Accel and Maestro on the back network strategy. Because as a sophisticated retailer you’re almost definitely going to have enabled some sort of smart routing capability through your acquirer/processor, which means that every debit card transaction presents an opportunity for you to route via whichever secondary network(s) the issuer made available. In fact, even though issuers are only required to enable two unaffiliated debit networks by law, the average number of debit networks available for you to route through for your typical debit card is three (Merchant Cost Consulting, 2022). As a merchant therefore, you want to be maximally prepared through your acquiring stack to take advantage of any least cost routing options you may have — including optimizing your rates/incentives when the transactions are routed over those regional debit networks.
And I think this is all playing out in real-time. Here’s Frank Bisignano from Feb 2023 announcing Fiserv’s Q4 2022 performance and specifically commenting that they signed,
“A large, e-commerce payments company for debit network services…This client will enable our Star and Accel networks for its millions of merchants as an alternative to the larger debit networks.”
To me, the most prescient canary in the coalmine though can be found in SHAZAM’s comments in response to the Fed’s notice of proposed rulemaking regarding Reg II:
“Reg II has a gap in its application in that it applies only to issuers and networks and does not require that acquirers enable support of routing to all existing national debit networks. In other words, if an issuer enables an unaffiliated network for a certain transaction set, an acquirer that does not support this network for this type of transaction will effectively deny the merchant routing options for this type of transaction…The Board should consider closing such gaps to ensure networks nor issuers are put into a position in which they have little to no ability to resolve.”
Regardless of whether or not it makes sense to try and force all acquirers to be able to process transactions on every single nationally-available network is besides the point here. The more important signal is that SHAZAM, which is independent — unlike STAR, NYCE, Accel, Culiance that are owned by the acquiring behemoths FIS and Fiserv — recognizes the potentially existential threat of being an independent debit network in a world where a small and powerful set of card acquiring giants can incent both issuers and merchants to direct payment flows over their own debit networks.
It makes you wonder what Stripe can possibly say to win the Etsy, H&M, or Chewy accounts when Fiserv can viciously undercut them with incentives on any CNP Debit volume flowing through Accel and STAR. The preamble to this piece — suggesting that Stripe should try and acquire SHAZAM — was meant to be somewhat cheeky and not entirely serious. There’s almost certainly not enough volume there for Stripe to be all that interested. But I’ll tell you what, it starts to make more and more sense when you consider that (i) your major competitors own their own debit networks and exploit the associated cost advantages, (ii) it’s the only ‘independent’ network remaining so it’s sort of the only one that’s even possibly up for grabs, making it a unique and scarce asset; and (iii) in the right hands i.e. coupled with Stripe’s expansive merchant portfolio and broader financial services ambitions, maybe it doesn’t need to be such a low volume mover after all.
Wrapping Up
So network tokenization was the Ruy Lopez opening move for Visa/Mastercard, and it now seems like the opposition was fairly well prepared to counter. The network giants do have other tricks up their sleeves, but for now we can expect competition between the various card networks for CNP debit is going to heat up, fast.
We haven’t really discussed where issuers sit in this whole equation all that much since that would require a whole other dedicated essay. But suffice to say, none of this paints a pretty picture. In particular, if you are a Durbin-exempt debit issuer and are indexed more heavily to online transactions (or a cardholder base that is disproportionately more online than the average), you should expect to see the biggest hit to your topline interchange revenue. But who knows, maybe this will also help weed out a lot of the new crop such that you can return to a world where customer acquisition doesn’t cost an arm and a leg.
If you’re a merchant doing any material GMV at all then you’d better close this tab right now and call up your payment processor to confirm that they offer smart debit routing capabilities across multiple networks. Don’t leave any money on the table.
Lastly, if you’re one of the old school card acquiring giants, then I hope you’re popping the champagne. Your under-appreciated debit network assets just became cool again.