IoT 2017 Payments Tuesday Afternoon

Continuing the learning and commentary

Security has always been an after thought as devices were deployed and solutions were developed. Security needs to be built in as a fundamental layer in these emerging IoT objects.
Growth in fraud in online payments is typically a result of the deployment of EMV.
As we think about Dash buttons and the myriad of other interfaces that can access a card on file style shopping and payment experience we must think anew about security.
What is context? Our digital footprint as we go through our daily lives.
The growing number of IoT devices can help to establish context, which can then be used as a fourth factor in an authentication scheme.
It is all about acquiring data and building a profile, your context.
What is the unique identifier that links all the objects to the individual.

Brightsight a lab focused on security looking at both physical a logical security at both the operating system and application layer.
The IoT landscape is a world of objects where to goal is sell fast. No security has been built in and the attack surface is broad and wise.
The fear of who is able to access the vast array of data available through these connected devices.
Security is about managing risk. Risk evolves over time. Therefore security must evolve to stay ahead of the current level of risk – continuous improvement.
In the world of IoT who will define the security requirements and who shall pay becomes the key question.
We should consider using Common Criteria as a baseline for the security of IoT devices.
Bottom line – the implementation of security is all about the developer and the use of already certifies components e.g. Integrated Circuit and the Operating System.

Changing our top of wallet card is not something we are driven to do.
So many sites drive to Card on File
The objects will end up with an embedded payment within
There is a hierarchy of needs
BASIC WANTS & NEEDS
MASS & PERMITTED RECOMMENDATION
SOCIAL & RELEVANT 1REFERRALS
ON-BEHALF

As he speaks of On-behalf a document produced back in 1996 must be found
Will the IoT evolution increase consumption, Maybe?

What is the connectivity
Where are the credentials stored
Is it a configurable device relative to which credentials
Types
Contactless cards and devices
The mobile ecosystem introduces the token requestor

A solid overview of the world of tokenization
The tap experience with a wearable is an interesting design experience.
A wearable is smaller and much more personal.
As seen from the payment networks

Like a card

Mobile device (secure element)

HCE

Wearable are in market today

Beth took a walk through the history of payment acceptance
The Internet of Things creates the tsunami effect on our world of risk. Both scary and empowering.
Risk is or was always about the balance between security and convenience.
Tokenization moves the authentication responsibility from the Issuer to the payment brand. In this case who has the responsibility in the event of. Has the threat of penetration moved to the payment brand.
The move to mobile devices as a result of the inherent transaction security to the registration and ID&V process.
Interoperability and security standards who controls? IoT is not a market. It is a collections of vertical and closed environments.
We need to agree on a common set of security values not necessarily on a common standard.
When we think about the wider question of the how and what of security. We need to think about the security of the device and the cloud. We need to remember it is also about the ability to spoof and acquirer the credentials of a user.
Security must be designed in from the beginning.

Leave a Reply Cancel reply