Oftentimes people speak of disruption as this traumatic thing being imposed upon them, their industry or society. Yet if we look under the covers, disruption more than likely is all about a competitor, not locked into a legacy approach, approaching the opportunity with different tools.
The world of payments, like so many others, has been implemented, enhanced or updated multiple times over history. Each time, someone or some group of people had to adapt, and therefore invest, to keep up. More often a community would decide to hold on to what they built some time ago and hope no one tried to disrupt the status quo.
With payments, the need to embrace more effective approaches parallels the robustness and frequency of transactions. It also parallels the desire of sellers to be able to do business with anonymous buyers. A lack of trust and a need to reduce the amount of cash we carried around drove markets to create promissory notes. These promissory notes further evolved as trusted intermediaries entered the market and created more efficient methods of providing that promise of payment.
Not wanting to duplicate what is already written about the history of money and payments, we can jump forward through the paper phase to where we are here in North America: cash, cards, some checks and electronic debits & credits.
If we look inside the evolution.
Wednesday November 27th, 2018
At Kennesaw State University
As part of Coles College of Business
Information Security Lecture
I offered the following: FIDO-The_Consumer_Solution
Pymnts.com in conjunction with Visa published a study of the connectedness of the American population. While reading I wondered how they could identify 36% of our population as Super Connected Consumers. Thinking this profile might be people like myself, I began to wonder how such a large percent of the population could be so connected.
Reaching out to the publisher, it became clear this report was well developed and the sample matched the citizens of this country. This led me to wonder about our connected world and how over 42 years I have gone from carrying a beeper to having thermostats, phones, watches, computers, Alexa, TVs, security systems and who knows what else connected somehow to that great network we once dreamed about.
Reading about the history of the NRA I was surprised and pleased to learn of the original purpose of the NRA, Marksmanship. It was all about assuring the effective use of firearms. As I continued to read I was further impressed when I read the following from: https://en.wikipedia.org/wiki/National_Rifle_Association
Karl Frederick, NRA President in 1934, during congressional NFA hearings testified “I have never believed in the general practice of carrying weapons. I seldom carry one. … I do not believe in the general promiscuous toting of guns. I think it should be sharply restricted and only under licenses.” Four years later, the NRA backed the Federal Firearms Act of 1938.
As I read the second amendment, the NRA President seems to embrace the first clause.
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
The NRA focus seems to have been on making sure those who bear arms are properly trained. Clearly a principal role of a regulated militia is the training of its members.
A key word in the initial phrase of the Second amendment is “regulated”. This word means:
control or supervise (something, especially a company or business activity) by means of rules and regulations.
Reading more about the history of this organization, there was an unfortunate strategic shift.
Until the middle 1970s, the NRA mainly focused on sportsmen, hunters and target shooters, and downplayed gun control issues. However, passage of the GCA galvanized a growing number of NRA gun rights activists, including Harlon Carter. In 1975, it began to focus more on politics and established its lobbying arm, the Institute for Legislative Action (NRA-ILA), with Carter as director. The next year, its political action committee (PAC), the Political Victory Fund, was created in time for the 1976 elections. The 1977 annual convention was a defining moment for the organization and came to be known as “The Cincinnati Revolution”. Leadership planned to relocate NRA headquarters to Colorado and to build a $30 million recreational facility in New Mexico, but activists within the organization whose central concern was Second Amendment rights defeated the incumbents and elected Carter as executive director and Neal Knox as head of the NRA-ILA. Insurgents including Harlon and Knox had demanded new leadership in part because they blamed incumbent leaders for existing gun control legislation like the GCA and believed that no compromise should be made
The question – why this shift away from Marksmanship, hunting and sportsmen?
How do gun manufacturers play into this shift? How does the desire for profit stimulate a shift to advocating gun ownership?
I then read a bit of Harlon Carter’s history. Convicted of murder and one can sense a racist attitude. Maybe the manufacturers came later and the white supremacist came first.
We, America, need to take politics out of the discussion and commission a panel of professional English language grammar scholars. We should ask them to carefully read the language of the second amendment and provide clarity as to what people, at the time it was written, meant if there is a strict interpretation of the grammar. This thought led to a search for some previously prepared analysis of the construction of the second amendment.
“A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.”
https://www.law.cornell.edu/wex/second_amendment
Guns and grammar
Clearly there are multiple interpretations, ranging from the objective of “Maintain a well regulated militia” to the objective of “the right of the people to keep and bear Arms”.
I personally am of the view that what one of these articles described as the “Collective Rights Approach”
Given these multiple interpretations, we the people as the majority of the people should vote and decide which we seek to be the appropriate interpretation.
The three of you represent my interests as members of the legislative branch of our country. I have written to each of you at various moments in time expressing my concerns on specific issues. On this Thanksgiving Day I write not of one issue but of many.
I worry about:
• The cost and state of our Healthcare system
• Safety of our citizens be they at school, temple, church, out for the evening or at work.
• The inability to properly manage immigration be it legal or illegal
• The new trade wars that are emanating from these tariffs we are imposing on our trading partners.
• The need to preserve and protect the members of the fourth estate and to make sure they have the ability to, as appropriate and with the right level of decorum, forcefully question our appointed and elected leaders.
• The vicious and untempered attacks on the judicial and legislative branches of our government by the leader of the third branch of our government.
• The continued erosion of our position as a world leader.
• The loss of respect we are sustaining around the globe, especially with our friends and allies.
• The lack of confidence verbally expressed in the work and working of our dedicated intelligence services.
• The inability to express our disappointment when the leader of Saudi Arabia orders the killing of a US Resident.
Yes, I understand the implications and recognize this should be limited to a slap on the wrist, not all-out sanctions; they should understand our disapproval and national disappointment in their willful act.
• The continued warfare happening on this planet and the continued animosity, religious intolerance, tribal hatred, racial hatred, and economic inequities of our global economy.
• The concentration of wealth & power.
• The reduction in competition and belief in excess profit at the expense of the employees and citizens.
I could continue and I am sure all three of you are fully aware of and can add items to this list I could not even imagine.
Our two-party system was designed in such a manner that consensus would be the result and that our government would seek to address the will of the majority. Unfortunately, the way our system has evolved, the will of the minority, the company with the loudest voice, the affiliations with the most money to contribute to the reelection of you and your colleagues, and those who work as lawyers and lobbyists dominate the halls of our Capitol and the results of your deliberations.
I implore the three of you to work collectively to bring order, respect and decorum to the workings of our government and make sure that the freedoms, liberties and rights our constitution established are respected and maintained.
Merry Christmas All
Welcome to the Andreae Secret Santa Wish List
All, it seems we enjoyed the idea of the Christmas List as we used it last year.
Liz and I will arrange to use a random number generator to create the Secret Santa list.
Married couples will be treated as one unit, unless each member of the couple wants to buy a present.
To make sure everyone gets what they want and also respect each other’s situation.
Please include in your list of gifts, a number of gifts ranging from 50 to 150.
We will draw names the 26th of November.
Please post your wish list here and have it ready by December 15. This should be a fun new family tradition.
Please use the comment section below to publish your Christmas wishes.
We assume Santa will also be reading entries on this Blog and will be checking the list at least twice to find out who has been naughty or nice. Hint, Hint Santa Claus.
Philip will approve without edits or comment, all comments/wishes emanating from family members.
The need for approval is simply to avoid SPAM across the Blog
“Beware that no one leads you astray.” This biblical statement belies the reality that the perspective of one is only a perspective. The truth is the sum of all and the simplicity in the teaching of many, not a few.
There is more faith in honest doubt than all the truths people will profess.
God sent – inspired – Jesus, to share with us the need to love each other and to recognize that God is in each and every one of us.
We must remember God is everything. God is not a body, God is the body and we are simply part of the body.
God touches all, in a manner consistent with where they were and are, at and in their time of life.
The following is an actual question given on a University of Liverpool chemistry final exam.
The answer by one student was so “profound” that the professor shared it with colleagues via the Internet, which is why we now have the pleasure of enjoying it as well.
Question: Is Hell exothermic (gives off heat) or endothermic (absorbs heat)?
Most of the students wrote proofs of their beliefs using Boyle’s law that gas cools when it expands and heats when it is compressed or some variant.
One student, however, wrote the following:
First, we need to know how the mass of Hell is changing in time. So we need to know the rate at which souls are moving into Hell and the rate at which they are leaving. I think that we can safely assume that once a soul gets to Hell, it will not leave. Therefore, no souls are leaving.
As for how many souls are entering Hell, let’s look at the different religions that exist in the world today. Most of these religions state that, if you are not a member of their religion, you will go to Hell. Since there is more than one of these religions and since people do not belong to more than one religion, we can project that all souls go to Hell. With birth and death rates as they are, we can expect the number of souls in Hell to increase exponentially. Now, we look at the rate of change of the volume in Hell. Because Boyle’s Law states that in order for the temperature and pressure in Hell to stay constant, the volume of Hell must expand proportionately as souls are added. This gives two possibilities:
- If Hell is expanding at a slower rate than the rate at which souls enter Hell, then the temperature and pressure in Hell will increase until all Hell breaks loose.
- If Hell is expanding at a rate faster than the increase of souls in Hell, then the temperature and pressure will drop until Hell freezes over.
So which is it? If we accept the postulate given to me by Sandra during my freshman year, that “it will be a cold day in Hell before I sleep with you,” and take into account the fact that I slept with her last night, then number 2 must be true, and thus I am sure that Hell is endothermic and has already frozen over. The corollary of this theory is that since Hell has frozen over, it follows that it is not accepting any more souls and is extinct … leaving only Heaven, thereby proving the existence of a divine being – which explains why, last night, Sandra kept shouting “Oh my God.”
THIS STUDENT RECEIVED THE ONLY “A”.
Last night November 8, 2018, Bryan Cave Leighton Paisner hosted the Atlanta Chapter of BayPay’s
Digital Identity and Multi-Factor Authentication,
A Necessity in an Increasing Digital World
The panel moderated by Philip Andreae, Principal at Philip Andreae & Associates included:
- Clay Amerault, First Vice President, Digital Delivery Lead at SunTrust
- Blair Cohen, Founder, Chief Evangelist & President at AuthenticID
- Jennifer Singh, Innovation Specialist & Digital Identity Strategist at Thomson Reuters
- John Dancu, CEO at IDology
- Vivian van Zyl, Senior Product Architect at FIS
The panel focused on the need to address Digital Identity and Authentication with a clear focus on the user experience. The discussion considered the balance between friction and security. All of the panelists articulated the demand for convenience. The audience questioned whether it is the desire, or the demand, of the American consumer.
All agreed, the key issue, as we move towards digital only relationships, is the challenge of Identity Proofing. The panel also reminded the audience to layer various techniques in order to recognize the presence of the right user and the need to incorporate various fraud mitigation strategies to manage risk and assure identification.
Some of the participants asked if we should start educating the consumer and help them to understand the balance between a frictionless experience and one where a degree of friction is a symbol of how the enterprise (relying party) demonstrates its concern for the consumer’s data and responsibility to protect the consumer’s assets and identity attributes.
The question of centralized versus distributed biometric databases reminded people of the reality: our data, attributes and identity are already available on the Dark Web. How we restore privacy, and what will happen as the new GDPR regulations go into force in Europe and as California moves to introduce its privacy legislation, requires each of us to watch carefully and be part of the move to restore the consumers’, OUR, right to the data that is us.
These cards, and oftentimes the terminals, are more expensive than a classic “Dip” EMV card.
How much is dependent on volume, complexity and the pure skill of negotiation. This incremental expense is the first factor one must quantify when building the business case:
- for enabling, in the case of the terminal
- adding in the case of the card, the contactless antenna
- upgrading the software by adding the contactless terminal kernels or selecting the appropriate chip software and profile
This then must be compared to the incremental value for the merchant, issuer and ultimately the cardholder.
To explore the benefits, let’s think about:
- The user experience
- Availability of merchant contactless acceptance
- The intersect of the cardholder base with the contactless acceptance infrastructure
As we look around the world and consider what stimulates dual interface card issuance and merchant NFC enablement, two scenarios emerge.
- A country made a collective decision and drove NFC terminal enablement and dual card issuance.
- A merchant segment, typically transit, decided to introduce electronic fare-collection.
The first scenario is often driven:
- By the payment schemes
- The belief NFC “Near Field Communications” mobile payments will happen
- A country simply wants to start dual interface and prepare for mobile payments
Whichever option they select, the merchants and financial institutions within the country typically migrate together.
In the case of the second scenario, merchant driven migration, we can look to the United Kingdom as a perfect example. “Transit For London” made the decision to migrate from paper tickets to an electronic fare-collection solution based on NFC. The initial deployment was a closed loop payment card, branded the Oyster Card; they quickly decided to upgrade the solution to support Open Loop, e.g. Visa, MasterCard and American Express enabled dual interface cards and NFC enabled mobile phones.
Given the importance of public transit to the urban demographic, their decision to embrace open contactless fare collection becomes a driving factor for issuers and therefore has a ripple effect on merchant enablement.
America, as is true in many things, is different.
Contactless was tried last decade without much success.
Issuers did not see any significant lift in consumer spend nor did the merchant see any real increase in revenues. This experiment did not create a perception of a real benefit for either the merchant or the cardholder. Later in this same period, Starbucks launched their QR code mobile payment solution. From its original deployment to now it has been a resounding success.
Around the same time and based on the work of GSMA and the European Payment Council, major telecom operators began toying with NFC based mobile payments. Here in the United States two pilots emerged, the original Google Pay pilot and the ISIS (SoftCard) offer. The results were intriguing, the commitment half-hearted and frankly both solutions had issues. Google Pay tried to model its solution after de-coupled debit, whereas the mobile network operators behind SoftCard wanted to charge the issuers rent and load fees associated with the payment credentials they would store within the SIM.
Merchants Attempted to Create a new Payment Scheme
Major retailers, in their continued quest to improve the customer experience and reduce the cost of payments, came together to create MCX, the Merchant Commerce eXchange. The hope: merge their existing private label charge card programs together into a mobile app capable of working across the family of MCX merchants.
Terms were written, in particular one agreeing these merchants would not accept another competing mobile wallet. Net result: the merchants agreed not to enable the NFC interface for any of the Visa, MasterCard, Discover or American Express contactless cards or NFC enabled mobile payment devices.
MCX slowly faded into oblivion as the merchants struggled with the idea of sharing customer relationships and transaction data. Some merchants, notably Walmart, Target, Macy’s and Kohl’s, set out to build their own mobile wallets embracing QR codes and other non-NFC based techniques.
The Introduction of HCE
While this was going on, north of the American border, the idea of HCE “Host Card Emulation” was created by the founders of SimplyTapp in 2011. It was ultimately adopted by Android and released as part of KitKat, version 4.4 of the Android operating system. With HCE now inside the Android operating system, the NFC interface was unlocked from dependence on the SIM and MNOs. Now any application could take advantage of the NFC interface, once supported by the international payment schemes, enabling wider deployment of NFC enabled mobile payments. Google moved ahead to expand its payment ecosystem and Royal Bank of Canada embraced HCE. As issuers enabled the ability to authorize the load of EMV secured payment credentials into the OEM mobile wallet or the issuer’s own mobile app, consumers now had the opportunity to experiment with mobile payments that communicate with the POS, just like a dual interface card.
Let’s not forget Apple Pay.
Given their brand value and total control of the Apple operating environment, Apple was able to turn to Issuers and suggest they enable the load of EMV secured Payment Credentials into the Apple Pay Wallet. They came at payments with all guns loaded. They knew the value of their brand and were able, unlike the MNOs, to ask for 0.15% of the issuers’ interchange revenue. Most importantly, they facilitated Visa and Mastercard domination of the role of the Trusted Service Manager TSM-SP or better said the Token Service Provider TSP.
Merchant Acceptance Is Key
As has been true with any solution designed to serve a two-sided market, issuance and acceptance must grow together to assure the operator’s success and prosperity. Without a national imperative and with the experience of the original ZIP (Discover), Express Pay (Amex), PayPass (MasterCard) and PayWave (Visa), the merchant must determine if it is worth the effort to enable the NFC interface and train their staff to support Contactless payments.
Transit, as has been true around the world, absolutely sees the value of using contactless for fare collection and is busy engaging with Visa and MasterCard to embrace and assure acceptance of bank branded dual interface cards. Urban areas such as Chicago (CTA), Salt Lake City (UTA), LA Metro, Portland OR (Trimet) and Philadelphia (SEPTA) are live with deployments. Others are in various stages of planning, including the MTA in New York City.
The Business Case
For issuers, where transit is seeking to exploit open loop contactless payments, at the turnstile, there is a revenue opportunity to deploy dual interface cards.
In rural areas or urban communities where public transportation does not exist, the business case is dependent on what local merchants do and if they intend to or will be forced to enable the NFC capabilities of their POS.
This is the big question. Does the merchant see value? Do they believe contactless will increase revenue, reduce time at checkout or do they believe Apple Pay, Android Pay and the other mobile NFC enabled devices are the future?
- If the answer to these questions is yes then Issuers should seriously consider deploying dual interface cards.
- If the jury is still out then the investment in dual interface cards may not yet be worth it!
What is the Future Payment Credential Carrier
One cannot discuss contactless payments without thinking about how Apple Pay, Android Pay, Samsung Pay, OEM Pay, Issuer Pay … Device Pay play into the future of cards. Some years ago there were three belief systems
- Cards are here to stay the mobile device is a fad
- The wallet is replaced by the mobile device
- The card is the token of last resort
I think we know mobile devices are not a fad. Until mobile devices never run out of power they will not replace the wallet or all of the cards.
To say much more, given the fogginess of my crystal ball, would be too wild a bet.
The following articles produced by the Secure Technology Alliance offer a series of perspectives on the value of migrating to a dual interface card.
Various engagements and conversations pull me into thinking about the realities and the necessities of this emerging world of connected people, objects and thoughts.
Looking back, this topic has been part of my life since 1982 when I was first introduced to the concept of a smart card. At that time we spoke of using the smart card to securely configure a trading deck on Wall Street and in the City of London. The goal: securely and automatically configure the voice, video and digital support for a particular market trader.
In 1993, when I was tasked to drive the development of EMV, we could have talked about the fact we were creating a means of secure digital identity: a trusted identity document based on the trust that existed between the cardholder and the financial institution.
Instead we talked about:
- Card Authentication “the CAM” now Data Authentication to assure the card was unique and genuine.
- Cardholder Verification “the CVM” to verify the right user was presenting the card.
- Card risk management to allow the issuer to support authorization in an offline world.
- Should we include an electronic purse to support low value transactions?
Today the debit card could easily be enabled as a secure means of digital identification, with the Financial Institution being the trusted party. Simply knowing the public key of the international or domestic debit card payment scheme allows the party reading the card to know the person was issued this card by that financial institution.
While we in financial services focused on our requirements, the telecom industry was working on the SIM & GSM specifications under ETSI leadership. They created another form of Secure Digital Identity. They focused on securing the identity of the communications channel and were less worried about making sure the right consumer was present, although there is the ability to allow the user to lock the SIM and now even the mobile phone.
In 2013 I had the opportunity to join the FIDO Board. Within that body, the objective was to separate the concept of identity from the act of authentication. It works from the premise that as digital relationships expanded, the use of passwords and PINs becomes an issue. The FIDO Alliance also recognized that the only way to secure our digital world, like we secured payments and mobile communications, was with the introduction of multi-factor authentication rooted in the belief that the first factor had to be “what you have”: a secure element / enclave, TEE, TPM … capable of generating and/or storing secret (symmetric) and private (asymmetric) keys unique to the object and, more importantly, unique to the relationship.
Clearly identity and authentication are essential to secure relationships. And, in a digital world, communication is the mechanism that connects people and things together.
Helping consumers manage their relationships assuring privacy is an interesting angle. If I am understanding your platform, at least at the level of the subscription for telecommunications services this you are helping to manage.
Anyway. Back to the pitch. I would like to see about scheduling another conversation and figure out if there is anything I can do to earn an income and create revenue for you.
The Evolution of Authentication
When first we sought to create secure and convenient means of identification, we relied on user names paired with passwords and PINs. These values are typically stored centrally within the relying party’s database. Oftentimes, these values are encrypted at the point of entry and, once received by the relying party, passed through a one-way function before being stored in the database. This use of cryptography, encrypting the PIN or password in transit and performing the one-way function before storing the result, is simply to prevent the PIN or password from being captured in transit or reverse engineered.
Each time the user logs in, they enter their password or PIN; it is received by the relying party, run through the same one-way function and compared to the value stored at user registration.
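The registration and login flow described above, as an added example that is not code from the original post. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the one-way function (the post names no algorithm); `RelyingParty`, `derive` and `naive_one_way` are hypothetical names, and the bare SHA-256 function is included only to show why a salt is needed.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; the post names no algorithm or cost.
ITERATIONS = 600_000
SALT_BYTES = 16
_DUMMY_SALT = b"\x00" * SALT_BYTES  # used only to equalise timing for unknown users


def naive_one_way(password: str) -> str:
    """Bare one-way function: equal passwords always give equal stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow one-way function (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class RelyingParty:
    """In-memory stand-in for the relying party's credential database."""

    def __init__(self) -> None:
        self._db = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
        self._db[username] = {
            "salt": salt,
            "iterations": ITERATIONS,  # stored so the cost can be raised later
            "digest": derive(password, salt, ITERATIONS),
        }

    def stored_digest(self, username: str) -> bytes:
        """What an attacker who copies the database would see for this user."""
        return self._db[username]["digest"]

    def login(self, username: str, password: str) -> bool:
        record = self._db.get(username)
        if record is None:
            # Do the same work for unknown users so the response time does
            # not reveal which user names are registered.
            derive(password, _DUMMY_SALT, ITERATIONS)
            return False
        candidate = derive(password, record["salt"], record["iterations"])
        # Constant-time comparison of the recomputed and the stored value.
        return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    rp = RelyingParty()
    # Constructed sample accounts: two users who happen to pick the same password.
    rp.register("alice", "correct horse battery staple")
    rp.register("bob", "correct horse battery staple")
    print("alice logs in:", rp.login("alice", "correct horse battery staple"))
    print("wrong password accepted:", rp.login("alice", "Tr0ub4dor&3"))
    print("bare hash, same stored value:",
          naive_one_way("correct horse battery staple")
          == naive_one_way("correct horse battery staple"))
    print("salted, same stored value:",
          rp.stored_digest("alice") == rp.stored_digest("bob"))
```

With the bare hash, one precomputed table of common passwords unlocks every account that shares a password; with the per-user salt, each stored value has to be attacked separately.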
Over the last 30 or so years there has been mounting concern as to the long-term viability of depending on the user being able to remember, create a unique & complex value and accept responsibility to frequently change their passwords and PINs, especially given the myriad of sites and digital relationships we each continue to establish.
To assure the integrity of passwords and PINs, the challenge is making sure the length and randomness create difficulty and minimize the chance someone can guess what the PIN or password is. By adding special characters and insisting on password and PIN policies, the relying party has attempted to reduce risk and the chance of rogue penetration.
Unfortunately, people forget their passwords, phishing & vishing attacks work, and key-loggers and other clever ways of obtaining the user name and password have increased. The threat of rogue intrusions and the resulting reputational and financial loss is out of control.
As these losses escalated, various techniques to support more secure authentication have been developed. The market always understood that if we could merge a unique object, something you Have, with a secret you Know or a biometric, something you Are, you would be able to establish a superb form of multi-factor authentication. Many, such as the ICAO, EMV and PIV specifications, embraced the idea of cryptography operating within a secure element or smart card. They further embraced the idea of loading the registered biometric rendering into the chip and incorporating the matching algorithm within the software. By then using an external PIN pad or biometric sensor, multi-factor authentication could be enabled. Unfortunately, at considerable cost.
In Europe, in order to secure access to websites, they looked to physical objects capable of displaying a one-time password as the answer. In some cases, the user had to first enter a PIN, then a number displayed on the screen, and then type the value displayed on the device into a field in the browser window. Something you have with a secret, a one-time password, unique to each event.
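A one-time password "unique to each event", as an added example that is not part of the original post. It assumes the device implements event-based HOTP (RFC 4226), which the post does not state; `TokenVerifier` and its look-ahead window are hypothetical names, and the secret is the RFC's published test key rather than a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password as defined in RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Relying-party side: tracks the next counter it will accept for one device."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead  # tolerated button presses that were never submitted

    def verify(self, submitted: str) -> bool:
        last = self.next_counter + self.look_ahead
        for counter in range(self.next_counter, last + 1):
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8")):
                # Move past the accepted event so the same value, or any
                # earlier one, can never be replayed.
                self.next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test key
    verifier = TokenVerifier(secret)
    first = hotp(secret, 0)
    print("device shows:", first)
    print("first use accepted:", verifier.verify(first))
    print("replay accepted:", verifier.verify(first))
    # The user pressed the button once without logging in, then logs in.
    print("skipped-ahead value accepted:", verifier.verify(hotp(secret, 2)))
    print("older value accepted:", verifier.verify(hotp(secret, 1)))
```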
Clearly PINs and passwords carry with them two flaws. They need to be remembered and they need to be typed in. Biometrics on the other hand offer convenience and do not require the user to remember a complex set of characters. Fortunately, the size, cost and complexity of biometric sensors have decreased significantly and it is viable to integrate sensors into a user operated device. The first company to offer a phone with a biometric fingerprint sensor was Motorola, quickly followed by Apple on their iPhone 5S. Today it is rare to find a mobile phone which does not include a biometric sensor and related algorithms.
Now with an identifier (user name), a device with a unique digital signature and the ability to support biometrics, all the virtues of multi-factor authentication and the wonders of biometrics such as: fingerprints, veins, retina, iris, EKG, behavior or selfies are available to assure the registered user is present.
All because the sensor can capture the biometric and software will render the output of the sensor into images, patterns or templates. The sensor and the related software have unique characteristics as to how the matching processes work. It then simply requires us to accept that the output of the sensor becomes the input into the matching algorithm.
The last concern: how do we measure the reliability of the biometric sensors and algorithms? To help people understand the reliability of these sensors and matching algorithms, there is an assortment of acronyms such as FRR, FAR and PAD. These three are the ones I am most familiar with. They measure and quantify the risk of false acceptance or false rejection and provide a measure of the assurance of life.
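How FAR and FRR are computed and why they trade off against each other, as an added example that is not part of the original post. The match scores are constructed sample data on an assumed 0 to 100 scale where a comparison is accepted when the score meets the threshold; PAD (presentation attack detection) is not modelled here.

```python
# Constructed sample data: matcher scores for comparisons where the registered
# user really was present (GENUINE) and where someone else was (IMPOSTOR).
GENUINE = [91, 88, 95, 79, 84, 97, 62, 90, 86, 73]
IMPOSTOR = [12, 35, 41, 8, 66, 29, 51, 22, 75, 18]
THRESHOLDS = range(0, 101, 10)


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a comparison is accepted at score >= threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)     # right user rejected
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # wrong user accepted
    return far, frr


def sweep(genuine, impostor, thresholds):
    """One (threshold, FAR, FRR) row per candidate threshold, ascending."""
    return [(t, *error_rates(genuine, impostor, t)) for t in sorted(thresholds)]


def equal_error_point(genuine, impostor, thresholds):
    """The row where FAR and FRR are closest: the usual single-number summary."""
    return min(sweep(genuine, impostor, thresholds), key=lambda row: abs(row[1] - row[2]))


def lowest_threshold_for_far(genuine, impostor, thresholds, max_far):
    """Least strict threshold whose FAR meets the target, with the FRR it costs.

    FAR can only fall as the threshold rises, so the first row that meets the
    target in ascending order is the one that rejects the fewest real users.
    """
    for row in sweep(genuine, impostor, thresholds):
        if row[1] <= max_far:
            return row
    return None


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"{t:9d}  {far:.2f}  {frr:.2f}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR, THRESHOLDS))
    print("FAR target 0.0 costs:",
          lowest_threshold_for_far(GENUINE, IMPOSTOR, THRESHOLDS, 0.0))
```

A relying party picks the threshold from this curve: a low-value login can sit near the equal error point, while a payment or account recovery step would accept more false rejects to push false accepts down.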
We now can leverage the biometric sensors in user devices
Paired with the assurance the device is unique
And be confident the registered user is present.
Sunday, these two texts were sent to me, to us, when speaking to the two ministers at Church that morning.
Tell Ashly. Pls what a selfish person I am.
Tell Brian. What a selfish person I am.
Am I the selfish person or are we all selfish? Each to themselves! Each focused on their own interests! I, like the author of these messages, accept my selfishness and can only pray to become more selfless. Clearly a struggle in this world and country we live in today.
That morning, we studied John 11:32-44 and discussed how the resulting reaction to the miracle demonstrates the division which existed then and still today.
Why is there evil in this world? As I consider God and Satan and I think of the difference between those that see God as part of each of us and those that see God as someone above us, I wonder.
I read a bit from Carl Jung and heard someone speak of how Saints are selfless and have overcome the selfishness of the EGO.
Infinite truth – In this universe, the only thing which does not change, while everything else is, is “Light”.
When we think about the migration to contactless or Dual Interface cards it is important to have a general understanding of what goes into creating the card and the constraints one has to think about, as they work with their marketing teams to design these cards.
The design of a payment card involves assembling multiple layers of PVC into a sandwich that will be bonded and then punched out to form the card body.
- On the face of the card: a clear laminate to protect the surface
- On the back: a clear laminate with the magnetic stripe affixed to it
- In the middle: two printed sheets
  - The front
  - The back
In the middle of the card body, your manufacturer will need to insert an antenna. The antenna is typically provided to the card manufacturer as an inlay, as seen on the left. The inlay is a sheet of plastic with the copper (sometimes aluminum) antenna embedded within. The card manufacturer will add this inlay into the middle of the sandwich.
On the right is an example of a six-layer card construction that includes, as an example, one additional element: a metal foil. This has been included because it has an impact on the effectiveness of the radio signal. More about this a little later. Using pressure and heat, the layers of the sandwich are bonded together in a process called lamination. The bonded sandwich is then run through a series of additional processes designed to create an ID-1 card as specified in the ISO 7810 specifications, supplemented by the additional payment network requirements, such as the signature panel and the hologram.
After quality inspection, the next step is to mill the card body and embed the chip into it, while simultaneously assuring a connection between the contacts on the back of the chip and the antenna. There are various means of connecting the chip to the antenna. Making this connection is a specific skill and is the responsibility of your card manufacturer. Look to your manufacturers to propose, construct and certify your card to your requirements, employing their unique processes, techniques and technologies.
One thing you will need to be aware of is how the use of the antenna affects the certification process. It is important to understand that the combination of ink, materials and methods of construction means each construction will need to go through a unique certification. This need for certification is a result of the use of radio frequency to communicate between the card and the terminal. Think of your cell phone when you're inside a big building or within an elevator and how the conversation may be disrupted. The same possibility exists here: the radio signal can be disrupted depending on the materials employed and the method of construction.
When metal elements like metallic foils and layers are used in card construction, the challenge increases. Eddy currents are emitted by the metal and will interfere with the level of power and quality of communications emanating from the antenna and radio in the POS and received by the antenna and the computer in the card.
So far we have spoken only of the hardware. The chip in the card is a computer and needs an operating environment, application and data in order to function. The introduction of the contactless interface alters the operating environment, the payment applications and the data which is loaded into the card. All of this impacts the card manufacturing and card personalization process.
When the US decided to migrate to EMV, it took the safe course
When it was time to migrate to EMV here in the USA, both issuers and acquirers focused on addressing the market and the required technology, one step at a time. They recognized the confusion created by the Durbin Amendment, the reality of the competitive US debit market, the complexity of the merchant environment and the legacy infrastructure underneath the American card payment system. Unfortunately, unlike in other parts of the world, American merchants tended to migrate to EMV in the following order: credit & debit, Common AID, contactless (MSD mode), Mobile Pays and finally contactless (EMV mode). This journey is still a long way from complete, with less than 25% of the terminal base contactless enabled, let alone in EMV contactless mode.
The larger and most invested merchants also worried about the impact of sharing data with the likes of Amazon, Google and Apple. The “honor all card” rule is also the “honor all wallet” requirement. Wal-Mart, Target and Home Depot were clear: they did not intend to expose the NFC antenna to the various NFC Mobile Wallets. Instead they are implementing solutions, post MCX, based on their mobile apps using QR codes and oftentimes enabled to support frictionless payment.
We are now looking at the second wave of card issuance and Issuers are wondering what merchants will finally do about enabling contactless. As the Issuers prepare to issue their cardholders with their second EMV enabled card they must also think about the future of the card in the context of the future of mobile payments.
Are the payment credentials carried in the mobile wallet the companion of the card?
Is the card the companion (fallback) for the payment credential carried in the mobile wallet / device?
Are we on a journey to a new paradigm, where facial recognition, loyalty and geolocation, enabled by the always-connected devices we surround ourselves with, help merchants to focus on the shopping experience and turn the payment into a frictionless “thank you”?
Since 1984, when I was told I needed to carry this mobile phone with me, there has been that nagging issue of needing to make sure it had enough life to get me to the next charge point. My first phone was lucky if it could last half a day, so they gave me two; one was always being charged while the other hung on my shoulder. In 1993, while working on the development of the EMV Specifications, we focused on the ability to authorize a transaction when the Point of Sale (POS) device was unwilling or unable to reach the issuer. In 2013 I listened to Visa representatives explain how 100% of all payment transactions could be executed online. Then I ponder getting a Tesla Model 3 and learn it is only capable of traveling a maximum of 310 miles; it makes me wonder: how do I finish the last 19 miles to my father's home?
Today, I was reading an article emanating from the Money 2020 event, where IDEMIA spoke of the idea of the mobile driver's license, and that nagging feeling emerged. What happens when the power goes off after the hurricane hits and someone asks me for my driver's license? It's locked securely inside my dead mobile phone. I then saw that their competitor Gemalto and even NIST are working on this concept of the mDL.
We live in a world where electricity is becoming as essential as water and food. Yet, we hear of power outages that last weeks and even months.
It is like with Mobile Payments: if the phone is dead, and in order to pay it must be powered, then what? The card remains the essential element of a successful payment transaction.
I dream of the day when I can merge my leather wallet and my mobile device into one. Yet, I appreciate there are technical challenges like the need for electricity. Until we lead with these technical challenges and not simply the dream, exciting concepts and ideas will go where so many have gone before.
First, an ask to all those who read this. Please share. I will start a personal campaign to send this also to various senators and representatives through the contact-me page of their websites, maybe even a few by snail mail.
To those that are empowered as the representatives of the “We the People”. As I write these three words I immediately think I need to hold true to what originalists would expect. This said I hope we can all agree that in the Declaration of Independence one word is out of place.
“We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable rights, that among these are Life, Liberty and the Pursuit of happiness.”
The word “men”. This word I hope you all would agree should instead be “people”, “male or female” or “men and women”. I would also hope that when we think people or “men and women” we mean all entities that can be called Homo Sapiens, no matter, their color, place of birth, sexual orientation, age, religion or other descriptive variable.
If we are suggesting that we must read this literally, then we have a major issue, and this would explain why some of you explicitly exclude women from much of the deliberations. I do hope I am wrong in writing this last statement!
The declaration then goes on to argue why we needed to declare our independence.
“That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness.”
We are at a time in the history of this great nation when one must wonder if we should seriously consider altering the nature of our Government. The 45th President has no interest in representing “We The People”. He panders to his base, not the majority, as demonstrated by the popular vote and the results of multiple polls since he took office. You, the legislative branch of our government, have divided yourselves divisively into two tribes and have demonstrated an inability to work together as one body. This might suggest a need to alter how our government operates.
I would plead with all of you to find a bipartisan way to restore the dignity of the various legislative bodies you are a member of.
This country stands divided and if it cannot restore unity it is at great risk. It is incumbent on all members of the legislative branches of our governments to restore balance, as one set of bodies and not as multiple sets of tribes and parties.
Back in 2011, when I was part of American Express, I was part of the team responsible for our involvement in the work of EMVCo. At this stage in the work of EMV the discussion had turned to the confusion the multiple contactless kernels were creating in the market and, more importantly, the challenges we would face as the external threats increased, demanding that the length of the RSA keys increase accordingly. Ultimately we collectively determined the best course of action was to begin the work on what became known as “Next Gen”. From the beginning it was well understood the migration from where we are today to the “Next Gen” technology solution, both in the card and on the terminal, would be complex and expensive. In September of 2014 an initial specification was released and my understanding is that a draft has been issued to subscribers and Associates for review and feedback.
This post stems from a conversation with a good friend; he asked me if I thought there was still relevance to what is now being called 2nd Gen. In that discussion we reviewed the genesis of the work, the baseline for EMV and the unfortunate reality of how contactless was implemented. Our conversation then turned to the question of what makes the most sense: live with what we have today or suffer the expense of the migration to a new solution.
Thinking back, the original reason for “Next Gen” was to consolidate the 7 contactless kernels into one common kernel and replace RSA with what was called XDA or Elliptic Curves. When I think about these two requirements, one can only wonder why in the most recent EMVCo Stated EMV® 2nd Generation there is no reference to enhanced cryptography. In fact, the only thing the document describes is the creation of one unique kernel.
Referring back to the September 2014 Next Gen Specification, there is clear reference to enhanced security with specific call out of “an elliptic curve Diffie-Hellman key establishment protocol with blinding applied by the card”. I then remember hearing about issues with Elliptic Curves and wonder why there is no reference to enhanced cryptography in this most recent EMVCo document.
Back to the question raised in our conversation.
Do I see value in the world investing in the migration to 2nd Generation?
The answer is I am not sure anymore.
When EMV started we had four agreed requirements, summarized on this slide I initially created back in 1994. Offline Authorization, in other words the issuer’s ability to securely approve a transaction without requiring the terminal to make an expensive online authorization request, was the reason Offline Authentication was part of the original design of EMV.
- If the value of offline authentication, given the ubiquity of wired and wireless telecommunications networks, is deprecated.
- If the performance efficiencies, originally seen in Elliptic Curves, are no longer as significant, given the increased threats and vulnerability.
Then why make the investment in changing the software in both the card and the terminal to support XDA?
- If most if not all terminal manufacturers have addressed the complexity of the multi-kernel configurations, compounded by the existence of various unique national contactless kernels.
Then why demand the investment in supporting a complex migration from multiple kernels to a single EMVCo Licensed kernel?
The threat of quantum computing suggests that most if not all asymmetric cryptographic algorithms commercially available will be broken.
It does beg the question.
What is the business case for driving the world into an expensive, long and complicated migration?
What we created in 1994, and EMVCo has maintained, is a very effective Online Authentication mechanism, the ARQC. A mechanism based on symmetric cryptography which, as far as I can tell, will remain under the control of the Issuer and is not, as of yet, threatened by quantum computing.
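The shape of that online mechanism, as an added example that is not EMVCo's algorithm or code from this post: the issuer derives a per-card key from its master key, the card derives a per-transaction key from its transaction counter, and the issuer recomputes the cryptogram it receives online. HMAC-SHA-256 is substituted here for the 3DES-based derivation and MAC that EMV uses, the field set is simplified, and the keys, PAN and function names are constructed for illustration.

```python
import hashlib
import hmac


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 stand-in for EMV's 3DES-based key derivation and MAC."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


def card_key(issuer_master_key: bytes, pan: str, psn: str) -> bytes:
    """Per-card key, derived from the issuer master key and the card identity."""
    return _prf(issuer_master_key, b"card", f"{pan}:{psn}".encode())


def session_key(ck: bytes, atc: int) -> bytes:
    """Per-transaction key, bound to the Application Transaction Counter."""
    return _prf(ck, b"session", atc.to_bytes(2, "big"))


def arqc(ck: bytes, atc: int, amount: int, currency: str, un: bytes) -> bytes:
    """8-byte cryptogram over the transaction data (simplified field set)."""
    data = amount.to_bytes(6, "big") + currency.encode() + un + atc.to_bytes(2, "big")
    return _prf(session_key(ck, atc), b"arqc", data)[:8]


class Issuer:
    """Only the issuer holds the master key; the card holds just its derived key."""

    def __init__(self, master_key: bytes):
        self._mk = master_key
        self._last_atc = {}  # highest counter accepted per card

    def verify(self, pan, psn, atc, amount, currency, un, cryptogram) -> bool:
        expected = arqc(card_key(self._mk, pan, psn), atc, amount, currency, un)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key or altered transaction data
        if atc <= self._last_atc.get((pan, psn), -1):
            return False  # counter reuse: a replayed cryptogram
        self._last_atc[(pan, psn)] = atc
        return True


# Constructed values: a test PAN, sequence number and master key.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN, PSN = "4111111111111111", "01"
CARD_KEY = card_key(MASTER_KEY, PAN, PSN)  # loaded into the chip at personalization


def demo():
    issuer = Issuer(MASTER_KEY)
    un = bytes.fromhex("a1b2c3d4")  # terminal's unpredictable number
    c = arqc(CARD_KEY, 7, 2599, "840", un)
    return (issuer.verify(PAN, PSN, 7, 2599, "840", un, c),  # genuine request
            issuer.verify(PAN, PSN, 7, 9999, "840", un, c),  # amount altered
            issuer.verify(PAN, PSN, 7, 2599, "840", un, c))  # replayed request
```

Nothing in this exchange depends on a public key held by the terminal, which is why the key-length and algorithm migration discussed above does not touch it.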
I look forward to your feedback.