A world between yesterday and tomorrow

The week of March 25, 2019 I had the opportunity to visit with a room full of community banks with assets in the 100 million to billion range. Organizations with 25 to maybe 300 staff.

The presentations taught me more about the difference between what large International Organizations worry about and what these small community banks need to learn. Faster Payments, Zelle and same day ACH are all new services these organizations must integrate, both technically and procedurally.

Things I have been exposed to are new challenges for these small town banks.

Words like liquidity risk are clearly top of mind. Yet, as we move from overnight settlement to real time settlement.

Phone fraud and risk mitigation are all greater challenges, not necessarily appreciated, let alone understood.

In the end, what is clear is that these community banks exist because of the small towns they understand and work within. Do those of us exposed to a larger world understand what drives these community banks? At least not I.

Account Takeover should be the Banker's concern

FASTER PAYMENTS, FASTER FRAUDSTERS

Another article published by PYMNTS.COM causes me to reflect on a discussion I had last week at the Payment Summit organized by the Secure Technology Alliance. When the US Faster Payments work groups were stood up, one of the working groups focused on security, yet no particular drive exists to protect the consumer or the corporate treasurer from their account being hacked into by some phishing, vishing or other criminal act. Account takeover will become a much more interesting attack vector. Moneys will irrevocably flow out of the hacked account and to whatever account the criminal so directs them.

The key: real time gross settlement and faster payments depend on the irrefutability of the funds. Once executed, they instantaneously transfer to the receiving party. What is required is a concerted effort to implement strong multi-factor authentication, at least at the time the transaction is authorized by the sending party. Some will say the risk is no greater than what exists today when a consumer or treasurer executes a Wire Transfer or any form of transfer between two financial institutions. This may be true. The availability and assumed convenience will, as the article described, lead to heightened risk.

As I have written in other blogs, we need to embrace strong Multi-Factor Authentication. The standards exist, and the security of the device in many cases is present. Relying parties need to decide security is worth the investment. They need to recognize the value of satisfying the consumers’ need to have access to their funds properly protected.

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Distributed Ledger and Things

As I sat to write, I was drawn to the Wikipedia Bitcoin article. As I read the story of how it all happened, memories and concerns once again flowed through the neurons of my mind. Silk Road and their involvement, and the evolution of the value of a Bitcoin, struck me as a magical mystery tour through a world of mathematicians, anarchists, profiteers and speculators.

I then remember reading an element of a report from the Bank of International Settlement on crypto currency. The picture above is intriguing for those of us who appreciate the complexity of payments. The article gets ever so intriguing when one continues to read and finds this interesting illustration of the difference between what we all are familiar with and what those who understand DLT and Bitcoin appreciate. The central focus of this new technology is to address one and only one concern: trust in the intermediary.

I must admit this particular article is not the one I originally intended to speak to. I do though recommend reading it.

The article I had intended to reflect on is Central Bank Cryptocurrencies. In this document they speak to the possibility of the banks issuing a stablecoin. The recent announcement of JPMorgan Chase is one example of such.

This then causes me to reflect on the various use cases and conversations with people about the potential of DLT. I wonder why, at least here in the USA with our judicial and regulatory framework and the rule of law, we would seek to replace the existing intermediaries with a permissionless distributed ledger and the associated consensus mechanisms of a public ledger. There is enormous and growing cost in consensus built on “Proof of Work” and in massive duplication of the ledger or, as most call it, the chain, be it the electrical cost, the cost of a data center or the specialized computers necessary. The people and companies, the nodes and miners, will expect a reward for their effort.

Which is cheaper, if a reasonable level of trust exists?

Where are we going from here

This is the question. There are those that believe Blockchain and all of the other distributed ledger technologies are the answer to everything. I would suggest one must consider:

    • The level of trust the various parties have in each other.
    • The cost of multiple copies of the distributed ledger.
    • The cost of the consensus mechanism versus a trusted intermediary.
    • The governance required to maintain security, software and specifications.
    • The value and ethical issues of anonymity.

This then begs the question of a permissioned or a permissionless ledger. Which then begs the question of governance and who is responsible to establish the rules.

It is clear there is value in the idea of a distributed ledger. I would suggest caution in deciding if it makes sense for your use case.

      • What are the goals and objectives of the solution?
      • What are the economics of the various approaches?
      • Who are the stakeholders?
      • Who determines the rules and manages change?
      • Can the participants trust an intermediary?
      • Does everyone fear what another could do?

Helping you to understand the answers to these questions is what we do.

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Karen Webster
CEO, Market Platform Dynamics
President, PYMNTS.com

Karen,

Last week in your publication I read the article Deep Dive: Security In The Time Of Faster Payments and I had to offer the following thoughts:

The concept of Multi-Factor Authentication is based on the idea of layering multiple authentication techniques on top of each other.

We typically speak of three factors “What You Have”, “What You Know” and “What You Are”.

When we think of “What You Have” we think of a “Thing”.  An object that cannot be replicated or cannot be counterfeited.

An object “a secure computer” that can be upgraded and made more secure as threats like Quantum emerge.
A unique object with a False Reject Rate FRR and a False Accept Rate FAR approaching zero.

In the physical world “the thing” is a card or passport. You will remember our first discussion, where we came to agree the “secure computer” embedded inside provides a future proof mechanism. In the digital world, we depend on Cryptography. This Thing, inside our computers, mobile phones and other technologies, many refer to as an ROE “Restricted Operating Environment”. Technology people may call it a Secure Element, a SIM, an eSIM, a TPM, a TEE, an eUICC or even Security in Chip. Companies like ARM specialize in creating the design of these things, and silicon manufacturers embrace and license their designs.

Today these connected devices (be they personal computers, identity & payment cards, FOBs, mobile phones, bracelets, watches and hopefully every IoT device) need to be secured. This array of cheap ~$1 security circuitry provides a place to create and/or store private keys & secret keys, perform cryptographic functions and assure the integrity of the BIOS and software being loaded or currently running in these computers.

Think Bitcoin for a second.  The key to its architecture is the Private Key associated with your store of coins.  Lose it and they are lost.  Many people store these in hardware, based on the use of a ROE.

The second factor is all about proving that you are present.  Behavior, location, PIN, fingerprint or passwords are second or even third factors, be they something you know or something you are.

This is what FIDO and WebAuthn are all about, especially since they are introducing the security certification regime. This is what the Apple Secure Enclave is and what Samsung and others embed into their devices. This is what we put into payment cards, government identity cards and the Yubico keys we see various enterprises embracing. This is what Bill Gates started talking about in 2002: BILL GATES: TRUSTWORTHY COMPUTING

As we move to Faster Payments we must move to Secure payments. Immutability and irrefutability become key requirements. To achieve this goal I suggest we need to understand one fundamental security principle.

The First Factor
is Something(s) You Have
My Thing(s)

The Second and Third factors
Prove You Are Present

Storing Biometrics in the Cloud
Creates a Honey Pot
And, begs questions of Privacy

Let me identify myself to My Thing.

Then let My Thing
Authenticate my presence to
The Relying Party (Bank or Credit Union)
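
The principle above, sketched in Go as an added example that is not part of the original letter: the holder identifies to the device with a PIN, and the device then signs the bank's one-time challenge together with the payment details. The names Thing, Bank and Demo, the PIN, the payee strings and the use of Ed25519 are assumptions made for illustration; this is not the FIDO or WebAuthn wire protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Payment is what the sending party is asked to authorize (constructed type).
type Payment struct {
	Payee       string
	AmountCents int64
}

// signedBytes binds the bank's one-time challenge to the payment details.
func signedBytes(challenge []byte, p Payment) []byte {
	h := sha256.New()
	h.Write(challenge)
	fmt.Fprintf(h, "%d:%s:%d", len(p.Payee), p.Payee, p.AmountCents)
	return h.Sum(nil)
}

// Thing models "My Thing"; real hardware guards the key and limits PIN retries.
type Thing struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// NewThing creates the key pair on the device; only the public key is enrolled.
func NewThing(pin string) (*Thing, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Thing{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// Authorize signs only after the holder identifies to the device.
func (t *Thing) Authorize(pin string, challenge []byte, shown Payment) ([]byte, error) {
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], t.pinHash[:]) != 1 {
		return nil, errors.New("holder not verified by the device")
	}
	return ed25519.Sign(t.priv, signedBytes(challenge, shown)), nil
}

// Bank is the relying party: it holds a public key, never a PIN or biometric.
type Bank struct {
	pub     ed25519.PublicKey
	pending map[string]Payment
}

// Begin records the requested payment and issues a fresh single-use challenge.
func (b *Bank) Begin(p Payment) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no randomness, no challenge: fail closed
	}
	b.pending[string(c)] = p
	return c
}

// Finish releases funds only for a valid signature over challenge + payment.
func (b *Bank) Finish(challenge, sig []byte) bool {
	p, ok := b.pending[string(challenge)]
	if !ok {
		return false // unknown or already used challenge (replay)
	}
	delete(b.pending, string(challenge))
	return ed25519.Verify(b.pub, signedBytes(challenge, p), sig)
}

// Demo reports, for four constructed cases, whether the bank released funds.
func Demo() (wrongPIN, genuine, replay, altered bool, err error) {
	thing, pub, err := NewThing("4821") // constructed PIN
	if err != nil {
		return
	}
	bank := &Bank{pub: pub, pending: map[string]Payment{}}
	grocer := Payment{Payee: "grocer-001", AmountCents: 2500}
	c1 := bank.Begin(grocer)
	bad, _ := thing.Authorize("0000", c1, grocer) // nil: the device refuses to sign
	wrongPIN = bank.Finish(c1, bad)
	c2 := bank.Begin(grocer)
	sig, _ := thing.Authorize("4821", c2, grocer)
	genuine = bank.Finish(c2, sig)
	replay = bank.Finish(c2, sig) // same challenge and signature presented again
	// A hijacked session names another payee; the device signs what it showed.
	c3 := bank.Begin(Payment{Payee: "unknown-999", AmountCents: 2500})
	sig, _ = thing.Authorize("4821", c3, grocer)
	altered = bank.Finish(c3, sig)
	return
}

func main() { fmt.Println(Demo()) }
```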

Disruption or the Reality of Legacy

Often times people speak of disruption as this traumatic thing being imposed upon them, their industry or society. Yet, if we look under the covers disruption more than likely is all about a competitor, not locked into a legacy approach, approaching the market with different tools.

The world of payments, as so many others, has implemented technology then gone on to enhance or update it multiple times. Each time, someone or some group of people had to adapt, and therefore invest, to keep up. More often than not, a community would decide to hold on to what they built some time ago, hoping no one tried to disrupt the status quo.

With payment, the need to embrace more effective approaches parallels the robustness and frequency of transactions. It also parallels the desire of sellers to do business with anonymous buyers. A lack of trust and a need to reduce the amount of cash we carry drove markets to promissory notes. These promissory notes further evolved, as trusted intermediaries entered the market and created more efficient methods of providing that guarantee of payment. If you are still a little in the dark about what these are, you can Google questions such as “what is a promissory note?” “What are the elements of a promissory note?”, etc. so you are fully up-to-date with the information that you need.

Not wanting to duplicate what is already written about the history of money and payments we can jump forward through the paper phase to where we are in North America: Cash, cards, some checks and electronic debits & credits.

If we look inside the evolution of legacy, we find that what we have is a stumbling block, holding innovation back. We need to decide to adapt what exists or remove and replace.

Dual Interface Construction

When we think about the migration to contactless or Dual Interface cards it is important to have a general understanding of what goes into creating the card and the constraints one has to think about, as they work with their marketing teams to design these cards.

The design of a payment card involves assembling multiple layers of PVC into a sandwich that will be bonded and then punched out to form the card body.

  • On the face of the card: a clear laminate to protect the surface
  • On the back a clear laminate with the magnetic stripe affixed to it

In the middle two printed sheets

  • The front
  • The back

In the middle of the card body, your manufacturer will need to insert an antenna. The antenna is typically provided to the card manufacturer as an inlay, as seen on the left. The inlay is a sheet of plastic with the copper antenna, sometimes aluminum, embedded within. The card manufacturer will add this inlay into the middle of the sandwich.

On the right is an example of a six layer card construction including one element as an example, a metal foil. This has been included given it has an impact on the effectiveness of the radio signal. More about this a little later. Using pressure and heat, the layers of the sandwich are bonded together in a process called lamination. The bonded sandwich is then run through a series of additional processes designed to create an ID-1 card as specified in the ISO 7810 specifications, supplemented by the additional payment network requirements, such as the signature panel and the hologram.

After quality inspection the next step is to mill and embed the chip into the card body and simultaneously assure a connection between the contacts on the back of the chip and the antenna. There are various means of connecting the chip to the antenna. These different methodologies for connecting the chip to the antenna are a specific skill and are the responsibility of your card manufacturer. Look to your manufacturers to propose, construct and certify your card to your requirements, employing their unique processes, techniques and technologies.

One thing you will need to be aware of is how the use of the antenna affects the certification process. It is important to understand that the combination of ink, materials and methods of construction means each construction will need to go through a unique certification. This need for certification is a result of the use of radio frequency to communicate between the card and the terminal. Think of your cell phone when you're inside a big building or within an elevator and how the conversation may be disrupted. It is this possibility of the radio signal being disrupted, based on the materials employed and the method of construction.

When metal elements like metallic foils and layers are used in card construction, the challenge increases. Eddy currents are emitted by the metal and will interfere with the level of power and quality of communications emanated by the antenna and radio in the POS and received by the antenna and the computer in the card.

So far we have spoken only of the hardware. The chip in the card is a computer and needs an operating environment, application and data in order to function. The introduction of the contactless interface alters the operating environment, the payment applications and the data which is loaded into the card. All of this impacts the card manufacturing and card personalization process.

 

Will the US truly embrace dual interface cards or is our phone the future

When the US decided to migrate to EMV, it took the safe course

When it was time to migrate to EMV here in the USA, both issuers and acquirers focused on addressing the market and the required technology, one step at a time. They recognized the confusion created by the Durbin Amendment, the reality of the competitive US debit market, the complexity of the merchant environment and the legacy infrastructure underneath the American card payment system. Unfortunately, unlike in other parts of the world, American merchants tended to migrate to EMV in the following order: credit & debit, Common AID, contactless (MSD mode), Mobile Pays and finally contactless (EMV mode). This journey is still a long way from complete, with less than 25% of the terminal base contactless enabled, let alone in EMV contactless mode.

The larger and most invested merchants also worried about the impact of sharing data with the likes of Amazon, Google and Apple.  The “honor all card” rule is also the “honor all wallet” requirement.  Wal-Mart, Target and Home Depot were clear, they did not intend to expose the NFC antenna to the various NFC Mobile Wallets.  Instead they are implementing solutions, post MCX, based on their mobile apps using QR codes and often times enabled to support frictionless payment.

We are now looking at the second wave of card issuance and Issuers are wondering what merchants will finally do about enabling contactless.    As the Issuers prepare to issue their cardholders with their second EMV enabled card they must also think about the future of the card in the context of the future of mobile payments.

Are the payment credentials carried in the mobile wallet the companion of the card
Or
Is the card the companion (fallback) for the payment credential carried in the mobile wallet / device

Or
Are we on a journey to a new paradigm

Where facial recognition, loyalty, geolocation
Enabled by the always connected devices

We surround ourselves with
Help merchants to focus on
the shopping experience

And
Turn the Payment into

A frictionless “thank you”

 

What Happens When the Lights Go Out

Since 1984, when I was told I needed to carry this mobile phone with me, there has been that nagging issue of needing to make sure it had enough life to get me to the next charge point. My first phone was lucky if it could last half a day, so they gave me two; one was always being charged while the other hung on my shoulder. In 1993, while working on the development of the EMV Specifications, we focused on the ability to authorize a transaction when the Point of Sale POS device was unwilling or unable to reach the issuer. In 2013 I listened to Visa representatives explain how 100% of all payment transactions could be executed online. Then I ponder getting a Tesla Model 3 and learn it is only capable of traveling a maximum of 310 miles, and it makes me wonder: how do I finish the last 19 miles to my father's home?

Today, I was reading an article emanating from the Money 2020 event, where IDEMIA spoke of the idea of the mobile driver's license, and that nagging feeling emerged. What happens when the power goes off after the hurricane hits and someone asks me for my driver's license? It's locked securely inside my dead mobile phone. I then saw that their competitor Gemalto and even NIST are working on this concept of the mDL.

We live in a world where electricity is becoming as essential as water and food.  Yet, we hear of power outages that last weeks and even months.

It is the same with Mobile Payments: if the phone is dead and it must be powered in order to pay, then what? The card remains the essential element of a successful payment transaction.

I dream of the day when I can merge my leather wallet and my mobile device into one. Yet, I appreciate there are technical challenges like the need for electricity. Until we lead with these technical challenges and not simply the dream, exciting concepts and ideas will go where so many have gone before.

A Letter to Karen Webster of PYMNTS.COM

Karen, you come to mind off and on, especially when I’m trying to keep up with what is happening in the wild world of payments, block chain, cryptocurrency, identity, authentication, trust, identification and who knows what else.

One thing is clear. Lots of companies are investing significant sums of money in these various “opportunities”. Yet are we, as a society, on the right path?

We could look to Washington DC, and the other capitals around the world, and this same question would apply.  But, not to get distracted.

Let’s start with identity and authentication in the digital space

As you may remember, EMV was something I got deeply involved with, both here in the USA and back when we originally conceived of the specification. We, the three founding payment associations, had one goal – solve for counterfeit and, when the issuer or country so desired, address lost and stolen fraud. We focused on the physical world of commerce, the Point of Sale. Our original goal was simple: assure global interoperability by defining a global migration path away from the magnetic stripe. We mutually agreed we had to select a technology capable of protecting the physical token, the card, well into the 21st century.

Simultaneously, as was so beautifully captured by Pete Steiner’s famous 1993 New Yorker cartoon, we knew there would be an issue in the digital space, that thing we then called the World Wide Web. MasterCard and Visa set out to define the Secure Electronic Transactions SET, then Visa patented a concept called 3D Secure and more recently worked together with the other owners of EMVCo to create EMV 3D Secure. Each of these attempts to find a meaningful way of authenticating the cardholder when they paid with a credit or debit card.

Today billions of identities have been compromised. The techniques used during an enrollment process online, to verify who you are, are no longer viable. Identifiers like our social security number and Person Account Number (PAN), unfortunately, became authenticators, a role they were never designed to support. As EMV was deployed, criminals shifted their focus to the Internet, and PCI had to be introduced to address the challenges of criminals acquiring payment card and PII data.

As the World Wide Web morphed and grew in value and importance, the potential of monetizing the vast amount of data companies were collecting began to scare people, as this recently found comic so aptly demonstrates. People, governments and corporations started to struggle with their desire for privacy offset against the value of data corporations are collecting.

Way back then, an opportunity to address the issue was offered by Bill Gates. As is always the case, Microsoft, the then technical giant, wanted something to support what society would ultimately need. The idea of the social good was lost to the value of corporate profit and control.

As the Internet grew to become this marketplace, library, museum, cinema, place to play and place to meet and connect, we imposed well understood enterprise security techniques (username and password) on the consumer space. The password thus became our challenge. How do we convince customers (let alone employees) of the importance of complex, hard to remember passwords – unique to every security conscious relationship we establish on the World Wide Web?

Are biometrics the answer, has the FIDO Alliance and W3C created a set of authentication standards we can all embrace?  Hopefully.  Unfortunately, most opportunists are seeking to monetize their often proprietary solution, creating what they think is a best of breed consumer experience.

My fear is that we are moving from the familiar experience of typing our user name and password to multiple unique experiences at the front door of each and every web site we seek to log in to.

As an example, my Samsung Android phone has a fingerprint sensor and is FIDO certified. There is a Samsung Pass Authenticator, Microsoft Authenticator, Google Authenticator and several demo versions of various other authenticators. I also receive SMS messages with one time tokens I am asked to enter onto the screen. My PC is also enabled with a FIDO U2F set of dongles.

Unfortunately my tablet has none of these and assumes I will simply remember, thank you Norton Identity Safe, my various passwords. What a mess we have created, all with monetization and the desire to offer a unique consumer experience as the justification.

With all those already installed, I await the introduction of WebAuthn within the various browsers installed on my PC, tablet and phone.

Moving to Block Chain and Cryptocurrencies

The wild west. The makings of a speculator's dream. The realm of the incomprehensible, built on complex mathematical concepts and the desire to remove the man in the middle and replace them with the miners and nodes distributed around the center. Or, is the idea of the distributed ledger the solution to the challenges of trust in an ever expanding universe of connected people and things? One can only wonder.

People speak of removing central governments. Yet, they remind us that there is a governing body, book of rules and set of code that is designed to assure immutability. If I understand their logic, we should not trust Governments; instead we should trust these new open societies and digital enterprises? They speak of removing intermediaries and replacing them with nodes and miners: new players responsible for creating and signing the new blocks and distributing them to all those who maintain a current copy of the chain.

Is there potential? Absolutely. The challenge is to understand why one would wish to move data from a trusted central repository to a distributed trustless environment. Cost and latency should be part of the discussion and, most importantly, the level of trust the parties have with each other, identified intermediaries and governing bodies involved in the ecosystem.

Finally Payments

Barter, gold sovereign, IOU, government or bank-backed notes and coins, checks, cards, account based solutions, digital coins and what next? Payments have been this ever evolving space. Some seek to monetize the methods businesses, consumers and governments use to pay for the goods and services they seek to acquire, use or explore. Others argue that the cost of payment should not be a source of profit. The interesting twist here is more about the stage an economy is at in its migration from one form of payment to another. Questions of legacy and history limit a market's ability to embrace the new and retire the old.

We could shift the conversation and focus on the store of funds: be it the safe in the wall, the checking or savings account at an institution or digital coins stored in digital memory. We could talk about the entities that focus on the experience and employ the already existing mechanisms. We could think about block chain, crypto currency, identity and authentication.

Does the consumer care? Or would we be pleased to simply hear the merchant say thank you for your payment? Think of the frictionless experience of getting out of an Uber car, or of clicking the buy button on Amazon: we know the payment will be made and that we will see a receipt in our email. Remove the friction and make sure that only what I owe is paid; that is the experience we seek. We the consumers are not interested in the detail. We just want to know we successfully paid, using the source of funds we set up as our default.

In Conclusion

Yesterday, with this blog incomplete, I listened to  The Economist article titled Rousseau, Marx and Nietzsche – The prophets of illiberal progress – Terrible things have been done in their name.  What grabbed my attention is that it spoke to the depth of my wider concerns.  The article concludes with the following:

The path from illiberal progress to terror is easy to plot. Debate about how to improve the world loses its purpose—because of Marx’s certitude about progress, Rousseau’s pessimism or Nietzsche’s subjectivity. Power accretes—explicitly to economic classes in the thought of Marx and the übermenschen in Nietzsche, and through the subversive manipulation of the general will in Rousseau. And accreted power tramples over the dignity of the individual—because that is what power does.

As I think of our capitalist environment, I am concerned and wonder if the publication of the Economist article is timed to educate and alarm. The reality is we are experiencing a concentration of power leading to an increase in the distance between those in the upper 1% and those we call the middle class. Therefore, there is a need to think about what is good for the whole, yes a tiny bit of socialism, to restore balance and make sure the wealth and benefits accrue to all and not just the few.

As the identification, authentication and payment systems discussed above evolve, we need to think about the structure of how these solutions will be offered to the market. Are we seeking to address a social issue like crime or terrorism? Are we seeking to improve confidence? Are we attempting to focus on the consumer, citizen and employee needs? Or, is it all about shareholder value and the search for profit?

As the article discusses, my fear is that profit will create confusion and complexity, not more convenient and frictionless experiences.

NYTimes: Transaction Costs and Tethers: Why I’m a Crypto Skeptic

Transaction Costs and Tethers: Why I’m a Crypto Skeptic https://nyti.ms/2NYYSdw

As a technologist with an understanding of cryptography, and very aware that in order to remain secure and tamper proof we continually increase the complexity of the work to assure the integrity of what we are using cryptography to protect, I wonder why so many people got so excited about Bitcoin and Blockchain. As I have written before, there is a cost to assure the integrity of the ledger. Be it the original work to calculate the nonce or the subsequent work to confirm that the nonce the miner calculated was the right one, there is a need to spend money buying work specific computers, renting or building a facility to house these work units, and paying for the power to cool and run these computers.

Mr. Krugman properly outlines the challenges. He effectively focuses on two issues. The cost and the idea of tethering.

It is this need to identify the value of the coin. Governments help to stabilize their defined currency. The intrinsic value or use of Gold, establishes its value.

Understanding and being able to clearly articulate how cryptocurrencies are valued and how they can achieve the stability necessary to support commerce is essential. This is what tethering is about. How do we establish and, more importantly, share the nature of the valuation?

Could a US Cryptocurrency Prevent Systemic Harm to the Underbanked and Underserved?

I recently absorbed the following article  and offer the following reflections.

Frankly, it disturbed my social consciousness.

http://paymentsjournal.com/there-are-an-estimated-how-many-million-smartphones-in-the-hands-of-us-consumers/

An article answering the question can now be found at this link.
http://paymentsjournal.com/could-a-us-cryptocurrency-prevent-systemic-harm-to-the-underbanked-and-underserved/

After reading the article, I thought about this graph derived from the US Census. What income level equates to that of the un-banked? I think of my expenses and about the expenses most people are dealing with. Health insurance for two people in Georgia is $1,100 a month. That’s a lot of people struggling to make sure they at least have health insurance! If $53,700 is the median income and $13 thousand is spent on health insurance, and then we consider all the other daily expenses we need to live: food, medicine, co-pay, gas, utilities …

Then I remember an economics report which claimed that the hourly wage required to afford a place to live in the least expensive part of the US was something just over $15/hour.  All of this causes me to ask the question – At what income do people find it of value to have a banking relationship, e.g. a card?

Those who argue that we should migrate from Cash to Card should remember the primary motivation for credit cards is directly related to the profits and revenue the banks, processors and other players who touch the flow of money earn from processing the payment transaction, and the revenues earned by lending money (i.e., a credit card) or by holding your money (a debit card).

Sure, we could propose giving the poor pre-paid cards, as some of the Government’s entitlement programs already do.  But then who will be responsible for the fees to manage the program and who will earn the interchange from each transaction?

The service fees, OK, maybe we the taxpayer will cover, given the perceived social value of supporting the poor.  On the other hand, entitlement is perceived by many to be a scheme to support the lazy, therefore many would say that the fees are part of what the entitlement should cover.

Let’s get back to the real subject at hand:  What is the most economic form of payment and are crypto-currencies the future?

In the world of cards, interchange is a cost to the merchant and revenue to the Banks. Therefore, since merchants end up loading their processing costs into their price, the consumer pays. Those who advocate migration away from cash recognize and argue cash has costs, for instance:

  • Cost of Employee pilferage
  • Cost to store and carry to the bank
  • Cost to handle and count

Many would agree that a card is cheaper.  Others would argue they are not.  This becomes a question of faith in your employees, the cost of a safe and a visit to the bank and the fun of sitting up at night counting your earnings.

Are crypto-currencies an answer?  At whose cost?  The nodes or miners who maintain the Blockchain need to be paid to ensure the immutability and consensus inherent in the Bitcoin model.  Someone must pay.

This begs the question: Which is more expensive to society?

  • Cards
  • Crypto-currencies
  • Checks
  • Cash
  • Coins
  • Certificates – in other words, tokens

 

 

Could a US Cryptocurrency Prevent Systemic Harm to the Underbanked and Underserved?


A toll on the Massachusetts turnpike is $4.00, unless you can’t afford an EZPass then it will cost you $7.35*.  This article published in Convenience, the web site of National Association of Convenience Stores (NACS), points out that restaurants are also increasingly eliminating cash and that the impact this has on the poor has finally started to create some pushback in D.C.:

“As more restaurants go cashless, a backlash is building, especially in the nation’s capital, where an increasing number of fast-casual eateries are only accepting credit or debit cards and mobile payments, the Washington Post reports. Sweetgreen, a national chain, doesn’t accept cash at most locations, including its Washington, D.C., unit, while Menchie’s, Barcelona Wine Bar, The Bruery, Jetties and Surfside in the District also refuse cash payments.

‘By denying the ability to use cash as a payment, businesses are effectively telling lower income and younger patrons that they are not welcome,’ said D.C. Council member David Grosso, who has introduced a bill that would require retailers to let customers pay in cash. Chicago didn’t pass a similar bill last year, and Massachusetts has a 1978 law on the books that’s for cash payments but it hasn’t been enforced regularly, according to the state retailers association.” (Emphasis by Payments Journal)

I was unaware of the 1978 Massachusetts law described here, but clearly MassDOT and the Massachusetts legislature are more interested in how it will spend the money saved and the new revenue generated than it is in old laws. The fact that the policy to go all electronic will also increase late payment fines from the poor, perhaps even putting some in jail for non-payment, is just icing on the cake.

In our rush to save money we have ignored the systemic biases this action creates against the poor (if you doubt this statement reread the Justice Department’s report on Ferguson Missouri and how the town’s cost cutting measures created that very same bias). My dollar bill states that “THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE” and yet nobody is considering how this is becoming less true every day and the impact that reality will have and it isn’t just the poor.

It is ludicrous to think that paper currency can survive even as everything around us shifts to electronic bits that are controlled by software. But we mustn’t ignore the ramifications of this shift. Consider what the future would be like if all payments are electronic utilizing our existing payments infrastructure. It is likely the cost burden would move from the Federal government (that prints money) to all the entities that need to send or accept money (because they pay the network and processing fees). In this scenario a) the government will see significant savings, b) the entities making a payment will see increased costs, and c) payment networks will receive increased revenue and profits.

If we would prefer to keep the status quo then the Federal government should support an electronic form of tender, establishing a cryptocurrency that replaces paper but is also recognized as “LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE”.

If not done relatively soon, say in the next 5-8 years, then every state and private payment network will be so entrenched that it would likely prove too difficult and costly to switch.

* The difference described above is for anyone driving 113 miles between Natick and West Stockbridge according to MassDOT’s toll calculator

The case for Identification and Authentication

As we continue to explore the case for Identification and Authentication I share the below article.

What is becoming clear is standards are being embraced.

In the Payment space

Will it be W3C WebAuthN, 3DC and Webpayments or EMVCo SRC & Tokenization?

My guess depends on if standards bodies can play well together. EMV (contact or contactless) will remain the mainstay for physical world commerce, until the App takes over the Omni Channel shopping experience. Then the merchant will properly authenticate their loyal customer and use card on file scenarios for payments. The question of interchange rates for CNP will see a new rate for “Cardholder Present & Authenticated / Card Not Present.” In time, when a reader is present, I can see an out of band “tap to pay” scenario emerging using WebPayments and WebAuthN.

In the identity space

I contend the government and enterprise market will go for a pure identification solution with the biometric matched, in the cloud, in a large central database. In order to maintain a unique and secure cloud identity, they might probably make use of various opportunities that come their way.

However, does that mean it includes what you know: username, email address or phone number? Maybe! If it is simply the captured image or behavior, then it is a 1 to many match. If it is with an identifier, it is classic authentication with a one-to-one match.

In the pure authentication space, where the relying party simply wants to know it is the person they registered, the classic FIDO solutions work perfectly and will be embedded into most of our devices. Additionally, the use of a visitor sign in sheet synced with the security database could expedite the sign-ins of visitors. It could also see its applications with employee log authentication and verification. Or, as we’ve seen with some enterprises, the relying party will embrace U2F with a FIDO Key, like what Yubico and Google recommend.

The classic process needs to be thought about in respect to what can be monetized.

  • Enrollment = I would like to become a client or member
  • Proofing = Ok you are who and what you claim, we have checked with many to confirm your Identity – This is where federation comes in.
  • Registration – Verification = Ok, now we confirm it is you registering your device(s)
  • Authorization & Authentication = Transaction with multiple FIDO enabled relying parties using your duly registered authentication.

How Microsoft 365 Security integrates with the broader security ecosystem-part 1

by toddvanderark on July 17, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protection, threat protection, identity and access management, and security management, providing in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsoft’s strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, we’ll address these topics, beginning with Microsoft’s strategy for integrating into the broader security ecosystem. Our integration strategy begins with partnerships spanning globally with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate and our customers must respond more quickly and aggressively to help ensure safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective through seamless information sharing and working jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sources, and enhanced from shared threat intelligence, helping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Security, strengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines, best practices, and creating a standardization of security requirements. For example, the Fast Identity Online (FIDO) Alliance helps ensure organizations can provide protection on-premises and in web properties for secure authentication and mobile user credentials. Microsoft is a FIDO board member. Securing identities is a critical part of today’s security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDO’s board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online child exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, we’ll showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

Something to wonder about

What You Have

The Two Sided Market

When we think of investing in various macro business needs, e.g. revenue, we see that establishing relationships with customers to stimulate sales is why we create the goods and services that, hopefully, others want.

If the buyer has something the seller wants, in exchange for the good or service they desire, then a transaction occurs. The challenge is simple, each party defines the value of what they are providing or exchanging and presto the trade occurs.

When society grows, along with the complexity of what each of us produces, and when our needs are not aligned to this process called barter, a means of monetization is established. Society creates a trusted form of exchange – pebbles, coins, money, a promissory note or now even cryptocurrencies.

In other words, society creates an answer to enable the exchange of goods and services between parties who do not have goods and services the other party seeks in exchange.

With cash, coins or other tangible representations of value, commerce is easy. When we complicate things, worry about carrying cash and seek to buy things with debt, a need for a Network emerges.

These payment networks, by necessity, add complexity. They create the need to establish two sides to the market, one focused on the relationship with the buyer and the other with the seller.

Issuance and Acceptance. Two words to describe the two sides of a network. It’s only when the two sides of the market have sufficient participants, only at the tipping point, that enough critical mass exists to create a self-sustaining network. This is the network. At this moment the network blossoms. If either side of the market does not achieve critical mass, the network collapses.

Any two entities familiar and trusting in the Brand, or each other, can easily establish a temporary relationship. Adding anonymity to the requirements increases the level of trust and recognition the Brand must establish.

In a digital environment we have to define mechanisms to share and establish trust across trillions of electrons. The two sides will not pursue understanding of, nor focus on, security until the risk exceeds a threshold unique to each party on either side of the market.

Too often in the past, the idea of the individuality of the individual, or the need to design security in from the beginning, has left us with a legacy of systems, all needing the design of custom approaches to integrating security with the requisites necessary to capture, calculate and manage risk.

The Artifact of Trust

When a mutually trusted set of parties gives the citizen, consumer, employee or courtier a card, a device or an object and provides every acceptor with a reader capable of recognizing the trusted thing; then the two parties are in a position to establish “trust”. The consumer has a thing which is recognized and trusted by the acceptor. This is often referred to as “What You Have”.

Once the thing is recognized by the acceptor, then the process of identification and authorizations (the transaction) can take place. The object – the artifact – carries an identifier. It possesses characteristics that establish its unique character. The object also possesses a means of assuring the acceptor that the presentation of that identifier represents a unique entity.

The simplest artifact of establishing “trust” is a hand held thing, be it a key, fob, card, watch, pendant, phone, ear piece. It does not matter what it is, all that counts is that the merchant recognizes it and that the consumer is willing to carry and present it.

Trust, for the merchant, means they can, according to the rules, recognize and authenticate the thing. They are then in a position to pursue a temporary and trusted relationship. What can be achieved during the time the relationship of trust is bounded is then constrained by an additional layer. In this layer the consumer, the acceptor and any third parties address which rights and privileges are to be granted or pursued. This is when the exchange, sale, conversation, transaction, event or access is granted.

When the two sides meet, several common mediums of exchange are available.


Digital Identity



Question for all those who advocate migration from card to electronic

We all are aware and many of us dream of a time when all of our physical identity artifacts are digital. We dream of consolidating these credentials in our electronic wallet, otherwise known as our mobile phone.

Today while visiting an outpatient imaging center, I was asked for my driver’s license. She would only accept the physical document; I offered to send an image by email. Her goal was to scan my identity document into the electronic patient file she was creating. The idea of an image of the driver’s license in an email, well.

Sure the system could easily be changed to record digital credentials delivered by NFC or BLE. The first question, given the expensive medical system we have here in America; at whose cost?

Time could not be argued as a saving, she would only have saved a second or three of time to pass the card back to me.

People discuss contactless cards and contrast them to the convenience of a Mobile Wallet. What we often forget is the reality. As long as we need to carry other physical identity artifacts, the convergence of our leather wallet into our electronic device is not happening.

In my humble opinion, it is an all or nothing situation. Yes, I will add digital credentials into the mobile wallet. But, unfortunately, the leather wallet is still part of my attire.

Better still, it does not need to be recharged. My leather wallet still works after the phone’s battery has died.

Mobile Payment – Thoughts after listening

Thoughts resulting from the webinar Doug King of the Atlanta Federal Reserve gave on “Future Proofing Payments”

The long standing question of the future of Mobile Payments, again discussed and again similar conclusions.

  • Will the American market embrace the idea of mobile payments?
  • Is it a question of when or a question of why?
  • Why do emerging markets embrace new ways and mature markets resist?
  • Is it all about acceptance and the merchants investment in contactless reader capability?
  • Is it an all or nothing concern?
  • Could it be simply reality: as long as we need our wallet with other cards, e.g. our driver’s license, why eliminate payment cards from the physical wallet?

Doug touched on all of these questions. He shared relevant statistics demonstrating the slow and possibly indistinguishable growth in usage of mobile wallets. He shared the success of several of the merchant proprietary mobile payment approaches.

Which leads me down the path of another question. What is the value proposition that will ignite the use of our phone and devices as carriers of our means of payment? The possibility to create value simply with an electronic wallet carrying only means of payment does not create an exciting proposition.

Our mobile phones and connected devices provide us with such value

We have embraced dozens of apps. They help us to navigate, shop, explore, play and learn. Our phones are beginning to become security devices, taking advantage of sensors to integrate biometrics into how we access and authenticate ourselves as we browse and explore the ever increasing digital place we now call cyber space.

There is another phenomenon emerging as a result of how we are transforming how we engage. Some called it the “Uberization” of payments, the ability to make payments frictionless. A change so profound we must stop and reflect and ponder what next.

I recognize there is a repetitive theme to my musing.

When physical world merchants fully embrace the concept of omni channel and build their virtual and physical experiences to complement and augment one another, then, with the ability to integrate payment seamlessly into the shopping experience a value proposition emerges.

What is EMVCo’s goal with the release of their SRC framework

In October 2017 EMVCo published version 1.0 of their Secure Remote Commerce Technical Framework.  Today I decided to read and appreciate what they are trying to accomplish and then consider how it ties into what I remember and think we need to do moving forward.

Clearly the challenge links back to the now infamous New Yorker Cartoon.  We have not successfully established a means of assuring the identity of an individual when presenting payment credentials (the PAN, Expiry date, name, billing address and CVV).  The first attempt, still not 100% implemented, was the introduction of CVV2, CVC2 or CID, a 3 or 4 digit number printed on the back or the front of the payment card.

We then developed something called SET or Secure Electronic Transactions and unfortunately the payment networks were not willing to allow Bill Gates and Microsoft to earn 0.25% of every sale for every transaction secured by SET he proposed to build into Microsoft’s browser.  Without easy integration into the consumer browser, the challenges of integrating SET into the merchant web pages and the Issuer authorization systems caused this effort to fail, the death of so many other noble but complicated attempts to create a means of digital authentication.

Next came 3D-Secure, a patented solution Visa developed.  It offered what was considered a reasonable solution to Cardholder authentication.  Unfortunately, given the state of HTML and the voracious use of pop-ups, the incremental friction led to abandoned shopping carts and consumer confusion.  Another aborted attempt at Internet fraud mitigation.

Yet 3D-Secure was not a total failure.  Many tried to enhance it, exploit it and avail themselves of the shift of liability back to the Issuer.  Encouraging consumer engagement and adoption was futile in some markets, mandated and cumbersome in others.

Now let’s consider what EMVCo is attempting to do with their Secure Remote Commerce Technical Framework.  As I started to read, I ran into this:

“As remote commerce becomes increasingly targeted and susceptible to compromise, it is important to establish common specifications that protect and serve Consumers and merchants.”

Clearly the authors do not have institutional memory and cannot remember the various attempts alumni of these same organizations spent time on and encouraged many to invest in their implementing.  Clearly this lack of historic context will leave some pondering the purpose of this paper.

I then read this sentence and reflect back on a recent hearing on “Social Security Numbers Loss and Theft Prevention” in front of The House Ways and Means Subcommittee on Social Security:

“Over time the Consumer has been trained to enter Payment Data and related checkout data anywhere, making it easy for bad actors to compromise data and then attempt fraud.”

Once again, I stand troubled by how the Payment Data clearly printed on the face of the card and especially the PAN, 11-19 digits, designed to simply be an identifier, was converted into an authenticator.  Like the social security number, the driver’s license number, the passport number and your library card number, the PAN and other “Payment Data” was never designed to be an authenticator.  It was meant to be data a merchant could freely record.

The secure features of the card, now the EMV cryptographic techniques otherwise referred to as the Application Request Cryptogram “ARQC”, were meant to offer the “What You Have” factor in a multi-factor authentication scheme.

As I began to appreciate the scope of this document, the term “Consumer Device” becomes critical.  I began to wonder if a PC is a consumer device or if a consumer device is only something like a mobile phone, watch or other like appliance.  Fortunately, later in the document, the definition clears up any confusion created by the earlier use of this term.  This said, I then wonder about the difference between what they define as Cardholder Authentication and Consumer Verification?

After reading through all the definitions, I ponder why the authors had to change terminology?  Why could they not embrace known and recognized nomenclature?  Do we need a new vocabulary?

I wondered:

If this is another attempt to create a revenue stream for the payment networks?

Or, is this the effort of a “closed standards” body to reduce the potential value of the W3C WebPayments activity?

In search of an answer to this last question, I found this discrete comment inside the SRC FAQ.

9. Are any other industry bodies working in this area?

EMV SRC is focused on providing consistency and security for card-based payments within remote payment environments.

EMVCo aims to work closely with industry participants such as W3C to capitalise on opportunities for alignment where appropriate.

Having read bits and pieces of this and the WebPayments efforts one does wonder what is EMVCo trying to do.  We shall see?

Why do we need Tokens and Tokenization

Recently I was directed to a link http://paymentsjournal.com/tokens-work-because/ and wanted to write the author Sarah Grotta.  As I wrote the message crystallized in my head and maybe as this prior post already discussed, this idea of tokenization made me cringe.

I contend that Tokens exist because we turned the PAN (Personal / Primary Account Number), like we turned the SSN (Social Security Number), into an authenticator.  One must ask the question:  How can a random value (an identifier) become an authenticator and remain secure?

EMV works because it renders the Card unique, hence addressing the question of counterfeit, by employing the first factor of the classic MFA Multi-Factor Authentication concept “What You Have”.  EMV defined a common set of secrets and digital credentials; securely stored in a Secure Element or Chip Card.

We here in the United States decided not to implement the second factor, the Personal Identification Number or PIN, for a variety of reasons. Hence, why Lost and Stolen remains an issue or weakness in the American Card Payment environment.

Biometrics are emerging and could solve for the assurance of cardholder presence.  The challenge is how to effectively (cost and convenience) locate the biometric sensor and facilitate the matching of the sensor’s output to the person’s registered biometric.  Let alone, how does one make sure the right person’s biometric was registered and associated with the device.

In the mail order / telephone order, now cyberspace, we did not replicate merchant authentication, the first factor – “What You Have”. The card once was secured with things like the magnetic stripe, using CVV1, the Hologram and the other physical features.  We simply shifted the liability to the merchant and called it a “card not present” transaction.

People can claim all sorts of goodness because of tokenization.  They can talk about how the EMVCo’s tokenization framework describes the use of tokens in device and domain specific scenarios.  All of this an issuer could have done if they, like some did, simply issued another number, a PAN, to the wife, bracelet, watch, ring or whatever other permutation they deemed appropriate.  They can talk about dynamic data.  Yet what they often forget to include, when they use the words “Dynamic Data”, is that they are really talking about a cryptographic value as described in EMVCo Book 2.

Yes, this does mean the question of how the PAN and its digital credentials get deployed has to be addressed.  This said, GSMA with EPC did offer some thoughts, last decade, when they described the Trusted Service Manager.

Instead handset oligopolies replaced the MNO with their Mobile Pay wallets.  They worked with the Payment Networks and focused on control and the creation of income.  They, as monopolists will, have created barriers, restricting others from offering comparable services.  The TSP now becomes this restrictive service that guarantees the power of companies like Apple and Google, supported by their friends, the payment network operators.

The original article also spoke of the PAR; another data element merchants, processors and the industry, will have to invest in supporting.

I ask the question.

If we had assured the authentication and verification of every payment transaction
Using Multi-Factor Authentication
Why did we need to turn the PAN into a dynamic value? 

My contention, simply use the appropriate level of cryptography.

If the Issuer or their processor is in control and understands basic EMV and Cryptography, then securing the PAN is not an issue.

Consider household financial management.  If each member of a household has a unique PAN; budget, tax preparation and understanding who spent what where is a lot easier.  The husband, wife and children should have their own unique PAN, stored in the clear in their devices and on their card.

The real requirement: my personal devices, including my payment card, simply need to be linked to one PAN, their Personal Account Number, associated with the individual.  The PAN Sequence number could easily allow each device to be uniquely identified, if necessary.  The card and devices become the carrier of your identifier.  A thing that can be authenticated as something you have.

Here is where the second factor comes in.  Is the person presenting the PAN the rightful and authorized individual? All that is required is assurance to the shareholders that the presentment of the PAN is a unique and authorized event.  This is best achieved by using either something you know or something you are to bind the individual to the instrument carrying the Identifier.
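
The “What You Have” half of the argument above, as an added example that is not from the original post or from EMVCo: the PAN and PAN Sequence Number travel in the clear as identifiers, while a per-device key and a transaction counter produce a cryptogram the issuer checks. HMAC-SHA256, the key diversification step and every name and value here are assumptions standing in for the algorithms in EMVCo Book 2.

```python
import hashlib
import hmac
import json

# Constructed demo values; not real card data or real issuer keys.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PAN = "4000001234567899"


def derive_device_key(pan: str, psn: int) -> bytes:
    """Diversify a per-device key from the issuer key, the PAN and the PSN (simplified)."""
    label = json.dumps([pan, psn]).encode()
    return hmac.new(ISSUER_MASTER_KEY, label, hashlib.sha256).digest()


def cryptogram(key: bytes, req: dict) -> bytes:
    """MAC over identifier, counter and transaction data, truncated to 8 bytes."""
    fields = [req[k] for k in ("pan", "psn", "atc", "amount", "currency", "merchant", "un")]
    return hmac.new(key, json.dumps(fields).encode(), hashlib.sha256).digest()[:8]


class Device:
    """Card, phone or watch: it holds the key; the PAN itself is not secret."""

    def __init__(self, pan: str, psn: int):
        self.pan, self.psn, self.atc = pan, psn, 0
        self._key = derive_device_key(pan, psn)  # provisioned by the issuer

    def pay(self, amount: int, currency: str, merchant: str, un: str) -> dict:
        self.atc += 1  # transaction counter, never reused by this device
        req = {"pan": self.pan, "psn": self.psn, "atc": self.atc, "amount": amount,
               "currency": currency, "merchant": merchant, "un": un}
        req["cryptogram"] = cryptogram(self._key, req)
        return req


class Issuer:
    def __init__(self):
        self.last_atc = {}  # (pan, psn) -> highest counter accepted so far

    def authorize(self, req: dict) -> str:
        key = derive_device_key(req["pan"], req["psn"])
        if not hmac.compare_digest(cryptogram(key, req), req["cryptogram"]):
            return "DECLINE: bad cryptogram"
        ident = (req["pan"], req["psn"])
        if req["atc"] <= self.last_atc.get(ident, 0):
            return "DECLINE: replayed counter"
        self.last_atc[ident] = req["atc"]
        return "APPROVE"


def run_demo() -> dict:
    issuer = Issuer()
    card = Device(DEMO_PAN, psn=1)
    watch = Device(DEMO_PAN, psn=2)  # same PAN, different device

    genuine = card.pay(2599, "USD", "MERCHANT-001", un="a1b2c3d4")
    results = {"genuine": issuer.authorize(genuine)}
    # The same captured message presented a second time.
    results["replay"] = issuer.authorize(dict(genuine))
    # A fresh message whose amount is altered after the device computed the MAC.
    altered = dict(card.pay(2599, "USD", "MERCHANT-001", un="0f0e0d0c"), amount=999900)
    results["altered_amount"] = issuer.authorize(altered)
    # A request built from the printed identifiers alone, with no device key.
    pan_only = {"pan": DEMO_PAN, "psn": 1, "atc": 3, "amount": 2599, "currency": "USD",
                "merchant": "MERCHANT-001", "un": "deadbeef", "cryptogram": bytes(8)}
    results["identifier_only"] = issuer.authorize(pan_only)
    results["second_device"] = issuer.authorize(
        watch.pay(450, "USD", "MERCHANT-002", un="11223344"))
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:16} {outcome}")
```

The second factor discussed above (a PIN or biometric binding the person to the device) is outside this sketch; it covers only possession of the device key.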

Yes, a bit of friction to assure the consumer they are securely paying for what they want to buy

Since the World Wide Web came of age and merchants saw its potential, the question of how to secure the Card Not Present space, this question of cardholder presence, has not been properly addressed.  Visa and MasterCard (when they were not for profit associations) created the utility of the Card Verification Result CVV2, CID or CVC2, which would be printed on the card and not part of the magnetic stripe.  The problem: the bad guys could still steal the card or get the card number and capture CVV2.  MasterCard and Visa then created SET, 3D-Secure and now, as for profit owners of EMVCo, are proposing, maybe even will mandate, the industry implement EMV 3D-Secure.

Each, an attempt to provide some means of Authentication and Verification.

Each introducing a level of friction as a means of security.

This is the problem.  The market did not start by emphasizing the need for security by educating the consumer.  The industry needed to help the consumer understand they should care and want to securely pay for what they intend to buy.

Instead:

  • The Zero Liability Policy was adopted.
  • The merchant was more than happy to sustain a degree of loss (fraud) in exchange for sales and profits.

The result, as all anticipated would happen, was blissfully ignored and eventually they cried out about it.

Fraud migrated to the weakest point
Just like water finds its way to the lowest point. 

EMV, introduced in the face-to-face card-present environment, pushed the bad guys, be they criminals, state actors or terrorists, to find alternate channels for their financial gain.

EMV and now the recently published WebAuthN and FIDO specifications create effective mechanisms for Consumer Authentication.

Let us please remember – the PAN, a user name, your social security number or your email address are excellent Identifiers.  They should not be authenticators and they are not a means of “Identification”.

Let us also remember, the term Identification means that one is assured of the irrefutability of identity.

The big question:

  • Why did we have to get rid of or replace the PAN?
  • Why did we, and why do we continue to, need to invent and invest in all this additional overhead?
  • Why did we not simply address authentication?

Some will argue the challenge of using the PIN or a Password, as a means of Verification, is that it is too hard to remember, especially if each password people use to access websites, services and buildings has to be unique.  Some will argue imposing friction to add security is not convenient.  Others will remind us that security is and has been a necessity since the beginning of time.

Why didn’t we when we created this great new digital shopping mall?

Bottom line: each of the devices used to present or acquire the PAN must be capable of authenticating the identity of the authorized presenter, in both the physical and virtual world.

At least these are the views of someone who believes history provides a baseline for tomorrow and tomorrow must be designed as a function of where you want to be, knowing where things came from.

 

Of NFC, Mobile and History

Today I read Karen Augustine’s “Mobile Payments Use in the U.S. Lags”.

As I read and reflected on what Karen wrote, I reflected on my experiences as a sagged payment consultant and executive, with international experience.

What I see is an issue of legacy and muscle memory – setting a pattern for the future.  Said another way – our history defines the boundaries of our future.

Asia did not have electronic payments.  I am sure they did not want to embrace the globally dominant American solution.  Therefore, they had the opportunity to start fresh.  It is very much like what Spain went through when they moved from cash to electronic card-based payments.  They bypassed the check.

Her article brings back memories of life in Belgium in the 90’s.  Writing a check was a rare occurrence.  Direct debit mandates, a MisterCash card and a Eurocard were all we needed to buy and enjoy life.  Electronic payments were the norm, paper checks were a rare oddity and cash, well yes, there was a very present grey economy.

Here in the USA we developed our payment systems off the back of regional or state banks with acceptance networks limited to a local domain.  Moving to a national system required early adoption of a common national currency.  We then went on to replace IOUs with paper checks and store cards with credit cards.  In time we enhanced the ACH system and developed support for remote deposit and check capture.

Why do we need to move the card into the wallet?  Why change habits that are comfortable and work?  Most of us drive to shop and therefore must have our driver’s license.  We must carry a physical document with us.  We simply carry two or more ID-1 sized cards.

You make the following statement, and I was once again reminded of times past.

“… universal mobile wallets and more often driven from merchant based applications that often incorporate loyalty and rewards, which to date still remain nascent in universal mobile wallets.”

When I produced this rendering, back in 1996, I was on stage talking about a world where leather and technology converged.  I imagined Bluetooth, NFC, secure elements, GPS and our various credentials converging into this personal device.  Those credentials grouped into: travel, identity, membership, loyalty and payments; easy to find and present.

When contactless payments were introduced, in 2004, with Visa’s PayWave and MasterCard’s PayPass, I argued: why contactless cards?  How can the issuer afford the extra dollar per card (cost of the antenna and inlay) and the merchant the extra 60 dollars to enable the NFC reader?  The way Issuer income works, “Interchange”, the consumer would need to spend more on that issuer’s card.  For the merchant to justify the necessary POS investment, the retailer had to believe that consumers would spend more, because it was “easier”.  Was Tap To Pay going to make me spend more?  Maybe for small ticket purchases I may use cash less; but at the merchant’s expense!  We argued the cost of cash was more than the Merchant Discount.  Some agreed.  Many wondered what the blank are they trying to sell us!

Around the same time America was exploring this contactless experience, the European Payment Council and GSMA debated and ultimately offered an approach for mobile card based contactless payments: https://www.europeanpaymentscouncil.eu/sites/default/files/KB/files/EPC220-08-EPC-GSMA-TSM-WP-V1.pdf .  Handset manufacturers like Nokia had already added NFC antennas to their mobile phones, and mobile network operators, the MNOs, saw the SIM as the secure element capable of holding payment credentials.

Some tried; the Trusted Service Manager as a service was developed and deployed.  The challenge: the economics of the model.  In this case the MNO saw revenue and wanted to charge fees to load the payment credential into the phone and, better yet, charge rent to store these payment cards in our phones.  Again I ask the question: by changing the way we pay, do I cause us to want to spend more? I think not!

Maybe some would argue that with a credit card people are able to buy things today that they cannot afford.  Let them end up in debt.  This is true.  But then is debt at 18% a good thing?  Europeans simply decided to establish a line of credit, as a feature of a Current Account, at reasonable interest rates.

We could go on and talk about how Apple saw the possibility of a 0.15% income stream from Apple Pay based mobile payments and how the EMVCo tokenization framework evolved to support their desire to protect the Apple Brand.

What is clear: we could solve George’s problem and replace his Full Grain Vegetable Tanned Cow Leather wallet with a Mobile Wallet managed by Apple, Google, Samsung or …

Or, we could think about the consumer and what they really want?

As your article made clear, and so many others have shared, Asia leaped forward.  Be it AliPay or WeChat, the device, the mobile phone, became the consumer’s wallet, their method of engaging, shopping, learning and exploring.

We need to accept that simply replacing what we are comfortable with by something new, which does not enhance our experience, is simply not worth it!

Many of us, like Karen, would argue the experience of shopping is what the mobile phone can enhance and let the act of payment become the afterthought.  A simple click to say – yes, I agree to pay.

Amazon got it right with One Click.  Others, as the patent expires, are embracing the same technique to simplify payment to a frictionless act of satisfaction.  When my favorite stores offer me a mobile app designed to enhance my shopping experience, to thrill me with offers and entice me with things I want; then yes I will become more loyal, I will shop at their store more frequently and maybe even buy a few things I did not intend to buy.

Many years ago, while attending a conference of grocers in Abu Dhabi, one of the speakers shared an experience.  When that supermarket executive instructed each store to put the beer across from the diapers, the intended result occurred.  The husband, sent to get the diapers, ended up buying a six pack too.

Maybe, as this experience reveals, if we focus on the consumer experience and on delighting them, they will embrace change.

If there is no value why should we?

Years ago I prepared and published an idea.  I called it Cando.  I was still committed to the idea of the mobile wallet.  I was an early adopter of the smart phone and saw its potential.

 

Cando