The Federal Trade Commission issued a stinging order against Mastercard on Friday, accusing the payments network of anti-competitive tactics in handling debit-card payments that violate the 2010 Durbin Amendment to the Dodd-Frank Act. That amendment is the model for a bipartisan bill, also initiated by U.S. Senate Majority Whip Dick Durbin (D-IL), that aims to impose similar restrictions on Mastercard and Visa’s credit card practices, too.
The FTC order is part of an ongoing battle to bring more competition to the U.S. payment cards space, which Visa and Mastercard dominate with about three-quarters market share. This one is especially fascinating because it focuses on heated debates in the realm of e-commerce, tokenization and cybersecurity. Here’s some context for why this matters:
What is the Durbin Amendment?
The Durbin Amendment was passed as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. It capped the fees that large banks (more than $10 billion in assets) can charge to merchants for processing debit card transactions. It also forced Visa and Mastercard to give merchants an option to route those payments over at least two unaffiliated networks — their own plus an independent processing network such as Star, NYCE or Shazam, which typically offer lower swipe fees and comparable — or arguably better — security.
The Merchants Payments Coalition (MPC), an industry lobby group, claims the amendment has saved merchants billions of dollars a year in swipe fees, with 70 percent of the savings passed on to consumers. (It also says swipe fees cost merchants and their customers $32.6 billion last year, Visa and Mastercard’s networks accounting for $28.1 billion of the total.) Others dispute those figures, arguing that the amendment has hurt consumers.
Why is the FTC only focused on debit card transactions?
The Dodd-Frank amendment applies only to debit cards, which means similar tactics in restricting the handling of credit-card payments is not against the law. Senator Durbin has co-sponsored a bill with Senator Roger Marshall. (R-KS)— the proposed Credit Card Competition Act of 2022 — that would apply similar rules on credit-card transactions.
Although introduced in 2022, it’s likely to be heard when the new Congress convenes in 2023. If passed, it would direct the Federal Reserve to ensure that credit card-issuing banks offer a choice of at least two networks over which an electronic credit transaction may be processed, with certain exceptions.
Why is this FTC order being issued now?
The issue that the FTC explored here is not the fee cap but competition—specifically whether Visa and Mastercard were enabling merchants to process transactions on other networks for all types of payments. A major catalyst was an October update from the Federal Reserve Board, requiring competition across all debit payments — including “card not present” transactions, such as online payments.
According to statistics compiled by the Fed, about 40% of in-store debit transactions are routed over competing networks other than Visa or Mastercard, versus only 6% of online transactions.
Why is there so much less competition in routing e-commerce transactions?
The reason is tokenization — the ability to convert payment card data to a string of randomly generated numbers that’s then stored as a digital token. While tokenization has enabled thousands of merchants to assure customers that their information is safe if a site is hacked, it has also put power in the hands of payment providers.
Both Visa and Mastercard have come under scrutiny for allegedly making it difficult to use other systems and even refusing to de-tokenize data for competitors, thus preventing e-commerce transactions from being routed over their networks. But Doug Kantor, General Counsel for the National Association of Convenience Stores and MPC Executive Committee member, says “Mastercard has been particularly egregious at preventing merchants from using other networks.”
Mastercard spokesman Seth Eisen frames the issue as one of security. While merchants have chip technology to ensure the security of physical transactions, they typically need pin numbers or other forms of validation online. In an emailed statement, Eisen confirmed that Mastercard had entered into an agreement with the Commission but argued “we believe that our existing routing practices are lawful and have always provided choice to merchants.” Added Eisen: “While we are taking these steps to bring this matter to a close, there should be no question that tokenized transactions provide an increased level of protection to both consumers and merchants.”
Does competition have to come at a cost to security?
Critics counter that there are numerous ways to guarantee security, tokenize data and encrypt sensitive information. Some draw a comparison to the Justice Department decision that found Microsoft essentially created a market monopoly by bundling free web-browsing software as part of its Windows operating system package — making it hard for consumers to install rival browsers like Netscape instead. (Others suggest the Visa and Mastercard models are more akin to industry cartels such as OPEC.)
There is no doubt that security is a paramount concern, given the number of cybersecurity attacks on financial institutions. Networks that handle ATM transactions, such as Star, NYCE or Shazam, have systems that are likely comparable to comparable to Visa and Mastercard. The consequences for breaches of any sort are serious for everyone.