CanDo

Deciphering Digital – Your Phone is Your Wallet

Today Wednesday October 18, 2017. I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference.  Today, I was reminded of the reality that payments is not only about cards it is the engine that fuels the revenue of a financial institution.  ACH, Wires, Cards, checks, transfers and even cash are revenue earning services; our community banks call payments.

My speach was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.

A look at the actors that support Internet Payments

The payment landscape is a complex space with an array of stakeholders specializing a focusing on various aspects of the processing of a payment.  This diagram is oneof several used to form a backdrop to various educational sessions Philip offers to organizations and executives seeking to identify and position themselves in the payments landscape.

This particular one seeks to help people understand who the key actors to a card not present eCommerce transactions.

Citizen Bill of Cyber Bill of Rights

Created in December of 2011 as I reflected on the emergence of the Cyber Risk

My identity is mine electronic or otherwise

I will be prudent in its use

I understand if I enter into an agreement that you can prove it was me
Then I am responsible

I will carry with me an object that can be kept safe from intrusion and can easily be remotely destroyed

You, those entities human and other that I enter into a relationship with
Can offer me anything I am willing to opt-in to

Using a defined set of cryptographic relationships
I agree that a digital contract can be signed and agreed and has the full force of the law behind it

You will recognize that I am your human equal and will,
Save for acts of God and Nature,

Endeavor to provide quality and service

 

IoT Payments Wednesday Morning

Continuation of my running thoughts as I listen and participate at the Secure Technology Alliance.

Role of the TSP

  • Wearables a small part of the IoT market and to scale the vendors need to not have to worry about “Payments”.
  • Should device manufactures understand payments? Can they?
  • The TSP must appreciate its role and what it is not.
  • As we look at IoT we need to recognize the scale of the shift from a issuer centric to a consumer centric model. The payment credential carrier no long belongs to the Issuer.

  • What is the role of the Token Requestor? It provides a consolidated view for the consumer. It consolidates rhe view of all the edge devices.
  • Who is the ultimate revenue source? The consumer? How does one create the consolidated view with so many instances of tokens?
  • What is the life of a token? This then leads to the question of the relationship with the manager (issuer) of the Means of Payment.
  • With the pre-provisioned credential how does one manage long term life cycle.

Root of Trust

  • Is PKi the right approach to the necessary level of trust this emerging environment requires.
  • We must remember the complexity of a PKi infrastructure.
  • In the payment space the use of secure devices e.g. HSM was mainly on the acquiring side. Now as a result of EMV issuers became much more concerned with keys and key management.
  • As we move into a mobile and more broadly connected world the need to assure trust in the software, device whatever.
  • This discussion is very much about the value and need for HSMs.
  • The question is raised as to the future of PKi given the US Gov’t perspective.
  • And, what of the introduction of Quantum Computing and the associated risk to the available cryptographic algorithms and keys?

In-Vehicle Payments

  • A car can be used a place to shop, it could pay for service rendered, it can be linked to service providers. NFC/BLE/In-app and Card on File.
  • The car can host merchant apps.
  • The idea of a POS device in the car leaves me lost. Who is the seller?

Smart Cities and Multi-Modal

  • To address smart cities one has to think across the wider context.
  • What are the roles the FTA can support, becomes a question of what the cities want.
  • Mobility on Demand driven by the needs to reduce congestion and improve life.
  • Built on local partnership within the community
  • A recognition that a multimodal approach is necessary. A focus on user centric approaches to transport.

Multimodal Payment Integration

  • The challenge begins with the fragmentation of the transit environment. It is not transit it is all about Mobility.
  • They want a brand and system agnostic solution that is intelligent and can help better manage spend.
  • How large is transit, public only, 6,500 transit operators supporting 1 trillion rides per year.
  • The roadmap is in development, it is early days.

Wearables – lessons learned

  • What ìs a wearable? Do define them based of feature and function. Cloths, jewelry…
  • We use a wearable when we need them. Athletic, climate, entertainment or work.
  • These electronic wearable needs to consider the use cases that should be integrated into a limited number of devices we would wear.
  • Three words – simple – connected – enablements
  • How will we enable more specifically load the various certificates we need to access, employ and pay for.
  • Interoperability will become the challenge. Do we imagine a world restricted by brand / manufacturer? Or, open to a wide array of designs and capabilities then how do we get there.
  • Secure element
    Data management & personalization
    Mobile device software integration
    Device life cycle management

    Tokenization as a methodology ans ecosystem is essential to the growth of payment in the IoT space.

BLE of IoT Payments

  • The cloud may restrict what could be communicated.
  • BLE is “local” allowing secure application management and secure transactions.

Managing Trust and Security

  • Identity is the key to much.
  • The next question therefore it trust in the Identifier.
  • Authentication with what, in what where?
  • Life cycle management. How do you know your device been wiped clean of all your credentials.

All in a Name

IDEMIA

Here in France, we will stick to “ee-day-myah”…

An Englishmen wrote “Eye” “Dem” “e-ha

Others say “eye dim e-ha”

When the new name was launched the following explanation was offered.

As an expression of this innovative strategy, the group has been renamed IDEMIA in reference to powerful terms: Identity, Idea and the Latin word idem, reflecting its mission to guarantee everyone a safer world thanks to its expertise in trusted identities.

Thinking on the first two syllables and reference to Latin, a definition is found.

idem. is a Latin term meaning “the same”. It is commonly abbreviated as id., which is particularly used in legal citations to denote the previously cited source (compare ibid.). It is also used in academic citations to replace the name of a repeated author.

It is interesting to listen to clients, competitors and industry insiders speak of this new name.

It is the Brand that drives recognition. It is the shape and color which establishes the emotion attachment.

IoT 2017 Payments Tuesday Afternoon

Continuing the learning and commentary

IoT Payments 2017 – Austin TX October 10th and 11th

Context-based payments

  • Security has always been an after thought as devices were deployed and solutions were developed. Security needs to be built in as a fundamental layer in these emerging IoT objects.
  • Growth in fraud in online payments is typically a result of the deployment of EMV.
  • As we think about Dash buttons and the myriad of other interfaces that can access a card on file style shopping and payment experience we must think anew about security.
  • What is context? Our digital footprint as we go through our daily lives.
  • The growing number of IoT devices can help to establish context, which can then be used as a fourth factor in an authentication scheme.
  • It is all about acquiring data and building a profile, your context.
  • What is the unique identifier that links all the objects to the individual.

Bridging the Security Gap

  • Brightsight a lab focused on security looking at both physical a logical security at both the operating system and application layer.
  • The IoT landscape is a world of objects where to goal is sell fast. No security has been built in and the attack surface is broad and wise.
  • The fear of who is able to access the vast array of data available through these connected devices.
  • Security is about managing risk. Risk evolves over time. Therefore security must evolve to stay ahead of the current level of risk – continuous improvement.
  • In the world of IoT who will define the security requirements and who shall pay becomes the key question.
  • We should consider using Common Criteria as a baseline for the security of IoT devices.
  • Bottom line – the implementation of security is all about the developer and the use of already certifies components e.g. Integrated Circuit and the Operating System.

The key to top of wallet

  • Changing our top of wallet card is not something we are driven to do.
  • So many sites drive to Card on File
  • The objects will end up with an embedded payment within
  • There is a hierarchy of needs
  • BASIC WANTS & NEEDS

  • MASS & PERMITTED RECOMMENDATION

  • SOCIAL & RELEVANT 1REFERRALS

  • ON-BEHALF

    As he speaks of On-behalf a document produced back in 1996 must be found

  • Will the IoT evolution increase consumption, Maybe?

Wearables 101

  • What is the connectivity
  • Where are the credentials stored
  • Is it a configurable device relative to which credentials
  • Types
  • Contactless cards and devices
    The mobile ecosystem introduces the token requestor

    A solid overview of the world of tokenization

  • The tap experience with a wearable is an interesting design experience.
  • A wearable is smaller and much more personal.
  • As seen from the payment networks
  • Like a card
  • Mobile device (secure element)
  • HCE
  • Wearable are in market today
  • Wearable are in market today

Risk Based Payment Security

  • Beth took a walk through the history of payment acceptance
  • The Internet of Things creates the tsunami effect on our world of risk. Both scary and empowering.
  • Risk is or was always about the balance between security and convenience.
  • Tokenization moves the authentication responsibility from the Issuer to the payment brand. In this case who has the responsibility in the event of. Has the threat of penetration moved to the payment brand.
  • The move to mobile devices as a result of the inherent transaction security to the registration and ID&V process.
  • Interoperability and security standards who controls? IoT is not a market. It is a collections of vertical and closed environments.
  • We need to agree on a common set of security values not necessarily on a common standard.
  • When we think about the wider question of the how and what of security. We need to think about the security of the device and the cloud. We need to remember it is also about the ability to spoof and acquirer the credentials of a user.
  • Security must be designed in from the beginning.

The day came to a close.

IoT 2017 Payments Tuesday Morning

October 10th

Random comments offered as the various speakers speak at the conference at the Hyatt Regency Austin.

  • MasterCard spoke of the opportunity IoT offers in this connected world and how technology can transform physical retailing.

Prof. Gideon Samid, PhD, PE.

  • Speaks of the use of randomness as the key to the security of the future.
  • The challenge of IoT is the processing capabilities of these devices.
  • Digital Money & Contract you cannot separate identity from the value. Cyber economics and the associated cyber security is all about setting up a scheme where for each action there is a payment for service rendered, hence an audit trail is established for each action.
  • What happens to anonymity in this new world where every action is identified and recorded.
  • Anonymity will be dictated by regulation and the political domain. BitMint embraces the controls inherent in the 4th amendment.

IoT payment landscape

  • A brief wander back through the way back machine as we watch time mover forward.
  • Samsung shared a vision of what this new world of IoT looks like.
  • Cars, washing machines and so much more connected and controlled.
  • Samsung is a Token Requestor post identity and development. The. Samsung Pay technologies now in the phone can easily be transferred into almost any device.
  • Gemalto was asked to address the multiplicity of devices emerging in the market place. There are just a plethora or new form factors.
  • The question is all about getting the key set into these devices. The aggregation model as a Token Service Manager is what Gemalto has developed.
  • There are two basic models the pre-personalized and the over the air personalization.
  • There is then the emergence of the new domestic Token Service Providers. G&D speaks of the breadth of security required for these IoT devices.
  • We now need to think about Life Cycle Management especially when considering payment credentials. Key to this conversation relates to upgrading and replacing the device carrying the credential.
  • How will the consumer figure out where all their payment credentials are.
  • How shall the standards evolve to support all of this new and competitive plethora of IoT objects?
  • We must a careful and embrace standardization to support interoperability.
  • Why can’t this market embraced the device and not cloud model to store the payment credentials.
  • We are layering security onto the existing legacy infrastructure. The payment brands are responsible to define what the rules and technology requirements.
  • Tokenization was created as a means of solving for device limitations by pushing the point of compromise into the cloud.
  • MST is a nice transitional technology, NFC is more than likely the future, at least in some peoples view.
  • The point of interaction bottom line the point of acceptance.

Lunch

Tuesday Afternoon

Tokenization and the search for Identification and Authentication

These two words began to fascinate me as I began to understand the value of cryptography while working through the goals we established when developing EMV and attempted to secure the payment credentials when used on the Internet.

With EMV we were trying to address the challenge of the fraud (an issuer cost) resulting from the ease of counterfeiting the token of the token which was a token of a token already.

This last broken token is the magnetic stripe on the payment card.

The payment card, in and of itself, is a token. An instrument imbued with physical security features e.g. the hologram and signature panel. Security features the merchant is supposed to check when attempting to allow a buyer, the consumer, to use the payment credential associated with the card to make payment for good and services.

The PAN is just a unique number, another token. This unique number is simply the index, The identifier within the payment credentials, which associates the payment with the underlining source of funds.

The source of funds, the PAN or Token pointing to, is then either a line of credit, prepaid balance or bank account.

The card, the hologram, the magnetic stripe and the printed security features and the PAN had reached the end of their useful life, as security features or tokens. The criminal knew how to compromise the card and associated static data.

As we entered the 90’s, the card as the carrier of the payment credential, with those physical security features, was longer a means of Authentication. These layers of authentication had been compromised. In other words the token was broken!

To address this concern, in 1993 the founders of EMV embraced the chip card and its Cryptographic capabilities. In particular, the use of symmetric and asymmetric algorithms to provide a new set of tokens the merchants (asymmetric) and Issuer (symmetric) could use to Authenticate the unique carrier of the payment credential – the token – the chip card.

On the Internet the challenge is different. The physical features of the card are not easily accessible, hence useless. In 1993, when WWW became the thing of conferences, everyone said lets think of the internet in the same way we allow merchants to sell stuff via mail and telephone. Everyone simply decided and agreed to exploit the acceptance rules agreed on for those other virtual environment, the phone and the mail.

Bottom line, in the world of mail order / telephone order and now a browser; merchant simply agrees to accept the cost of fraud, given the CARD is NOT PRESENT. Worse still how do they prove the right cardholder in present?. For the merchant, given the potential of the Internet, it is was a small price to pay.

Everyone simply accepted that be capturing the data embossed on the front (PAN, expiry date and cardholder name) and the CVV printed on the back of the card and, in some cases, using the power of AVS “Address Verification Service” a modicum of security could be factored in. At least for a time!

SET “Secure Electronic Transactions”, a cryptographic mechanism Visa and MasterCard cooked up, was developed circa 1995-1996 and deployment was attempted. The challenge, the limitations of the then deployed technologies and the inability to provide a reasonably convenient user interface. The problem begins with loading payment credentials into the browser and more importantly figuring out how to use them when shopping.

A set of great ideas foiled by convenience.

Next came 3D-Secure, an invention of Visa. This time the idea was to exploit the power of passwords and secret questions to authenticate the user.

Nice idea, well thought out; but, unfortunately not designed with the consumer in mind.

Another feeble failed attempt to develop a mechanism to authenticate the buyer. Or better put, solve the dilemma the New Yorker so aptly described

“On the Internet nobody knows your a dog”.

All this begs the question – how will we secure payments on the Internet?

3D-Secure 2.0, maybe? Or maybe W3C and the FIDO Alliance have the answer in what is called WebAuthN.

To address this question we must begin by defining the problem.

When we think about payments and we think about shopping on the internet it is all about someone or something {read issuer} agreeing that the consumer will make good on the promise to pay and therefore the issuer is willing to guarantee payment towards the merchant. The challenge, how do we confirm it is the legitimate person seeking to pay with their means of payment.

In other spheres of endeavour it’s about granting access to someplace or some website. In the physical world we have a key that we can insert into the lock or a security device {card} we can insert or tap on a reader programmed to recognize our credential and allow us access.

On the Internet, the use of a physical card with physical security features, numbers, letters, and a magnetic stripe was not feasible. Instead, we ended up employing user names, passwords, and payment encryption. Payment encryption, which secures sensitive financial information during online transactions, offers a crucial layer of protection. The user name – a unique identifier, and the password, a secret, support the identification of the person using the browser or connected device, from somewhere out there.

If we could each create and remember complex secrets, these cumbersome things call passwords. And, more importantly, never share them with nefarious individuals seeking to take advantage of our naiveté. All would be at peace in the world of security and convenience. The problem is expecting you and I to remember the myriad of complex passwords and not get tricked into sharing our secrets.

Is there an answer, I believe so and at Money 2020 October 25 we will be discussing this very topic. Wednesday Morning at 8:30 in the Titian room at The Venetian in Las Vegas on Level 2, join us as we discuss Identity is Fundamental: What You Need to Know About Identity & The Future of Money.

Philip Andreae & Associates is Open for Business

With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.

In the News as the Vice President of Oberthur Technologies

Oberthur Technology seeks to educate and support the migration to EMV

 

 

An Interview with George Peabody of Glenbrook

 

 

From a merchant perspective Oberthur offers thoughts for consideration

 

Healthcare is in need of secure authentication an Interview with Karen Webster

 

 

An Article published by Pymnts.com as we consider the last days before the migration

 

 

Digital Identity is what we require to secure our world an interview with Karen Webster

 

 

W3C and the WebCrypto Working group considering payments and Same Origin Policy

 

 

Why EMV and Why Now with Pymtns.com

 

 

A Founders of EMV’s view of the US migration to EMV

 

 

Understanding EMV in Our Digital Future an interview with Karen Webster

 

 

Counting Down to the migration to EMV

 

 

The ABCs of EMV

 

 

An interview with the Atlanta Constitution

 

Interchange fact, fiction and myths

Interchange a word that describes a method that allows cars and truck to move from one road to another. Interchange a
word that describes the exchange of ideas or data between two or more individuals. Interchange a fee paid to an Issuer of a payment card.

It is this third definition that this blog will explore.  A fee or income paid to an Issuer of a payment card.

Some would call it a tax on merchants.  Merchants who wish to sell products and services to individuals and corporations who wish to pay with moneys loaned to them by a financial institution (credit card) or held on deposit by a financial institution (debit card and pre-paid card). Wikipedia offers the following; Http://en.wikipedia.org/wiki/Interchange_fee.  To add to this sound Wikipedia definition, I offer a little story of how Interchange was described to me was a way of helping people appreciate the way interchange has changed over the years.

In 1991 I joined EPSS, a technology company then owned by Eurocard International (50%), Eurocheque International (35%) and MasterCard International (15%). EPSS or European Payment System Services ran and managed a set of technologies designed to support the authorization, clearing and settlement of payment transactions initiated by a payment card being presented to a merchant. We supported both credit and debit card transaction and would when they emerged also supported pre-paid card transactions.

As part of the settlement process we calculated and assured acquirers (merchant bank service provider) were paid, less interchange and scheme fees, for those payment card transactions they had submitted on behalf of the merchants they serviced. Therefore understanding and assuring the accuracy of these calculations were essential to assuring the successful operation of those systems we managed.

In the first few weeks of starting, general counsel sat me down and described Interchange. What I learned is that on a biannual basis we hired a consulting firm, Edgar Dunn; to conduct an anonymous survey of the member organizations, the banks that issued credit cards.  Their role was to ascertain what it cost the issuers to support the processing of payment card transactions.  Three elements were key to these calculations:

  • Cost of Carry – The interest charge or income the bank had to pay or forego in order to to fund payment card transactions conducted on the credit cards they issued to their customers.  This cost was calculated based on the reality that the issuing bank paid to payment network (MasterCard, Eurocard or Eurocheque) either immediately or within a few days of submission; and, the  fact that credit
    card charges are billed to the cardholder periodically.  This time between paying the merchant and the card holder paying their credti cards bill was assumed to be about 45 days.
  • Systems costs – The depreciation of assets and cost of operation of the systems necessary to process these payment card transactions.  These systems included those that authorize, in real time, payment card transactions and receive, each evening, the clearing transactions and reconcile the moneys the Issuer had to settle, daily, with the payment network.
  • Fraud costs – The loses the issuing bank incurred for payment card transactions where the consumer claimed they did not recognize the charge and the merchant proved that they had accepted the card and followed all the rules and procedures associated with the acceptance of that brand of payment card.

Our consultant then would amalgamate all the data they collected from the issuing members and submit a recommendation of what interchange should be for the next two years.  These recommendations recognized that interchange must vary based on two key characteristic:

  1. Location of Merchant and home country of cardholder
    1. Global
    2. Regional
    3. Domestic
  2. Nature of transaction
    1. Card present and electronically read
    2. Card present and paper voucher with card imprint
    3. Card Not Present (mail order telephone order and in time eCommerce)

We then discussed how the Issuer earned income from payment cards.  I learned; yes for those efficient issuers there were profits, whereas for inefficient issuer they might actual lose money. Bottom line the calculation was designed not to create profits.  It was designed to cover cost.

Management then took these recommendations to their board to seek approval.  At this stage the boards where a balance view with both the issuing and acquirering institutions represented.  Unlike today when it is fundamentally the Issuers that sit on these boards.

In 2002 I joined Visa and again was asked to visit with general counsel to make sure I understood what interchange was.  My first statement was that I understood and explained what I had been taught all those years ago.  I was informed that although I understood the foundation, things had changed.  Two additional components had been added to the calculation and moreover instead of being limited to a few easy to understand categories, the structure of interchange has been MADE complex.

While it still was calculated through the use of anonymous survey of issuers, interchange now included:

  • Rewards – this was meant to cover the cost of the reward programs Issuers used to entice cardholders to adopt a particular card product.
  • A Reasonable Profit

As to the characteristics used to identify what interchange fee would be earned by the issuer, the original two categories of transaction location and the presence of the card continued.  Yet now to complication matters  two new ones were added:

  1. Type of card – In order to justify the addition of the cost of rewards into the formula the payment network attempted to sell merchants
    on the idea that corporate cards and premium “Gold” cards where used by people or organizations who would be more loyal, spend more hence more valuable customers for the merchant.
  2. Merchant size and category – This distinction was driven by the reality that certain merchant categories are prone to fraud.  But more importantly, certain merchant segments where essential to the expansion of card usage and were known to sue or complain about the cost of interchange.

Interchange had morphed from a cost recovery mechanism to a complex formula that takes into consideration the complexity of the payment ecosystem and a source of revenue  to financial institutions.

With all this change there are also challenges.  With only two global “4 party” payment brands (Visa and MasterCard) regulators, merchants and politicians seek to manage and control interchange.  Words like monopolistic powers are used to describe the way interchange is calculated.   Therefore you find lobbyist speaking on behalf of merchants, arguing these fees create excessive profits for the issuer.  You here people complaining that the fees and the rules not allowing them to charge consumers for the use of these more expensive payment products, ends up that interchange simply gets embedded into the cost of sale and cash paying customers are seen to be subsidizing card paying customer.

As a prime example Wal-Mart and a consortium of merchants, banded together and successfully won an argument against both Visa and MasterCard. They argued that interchange associated with debit cards processed through the credit card networks should not be the same as credit card interchange given that the cost of carry was near euro.  When all was said and done  3 billion dollar was paid by the payment networks to the merchants and their lawyers.

The Australian Central Bank also decided to regulate interchange, although the benefit a reduction in the price did not occur thus the perceived benefit to the consumer was not achieved.  Currently the European Union continues to evaluate interchange with the argument that domestic and regional interchange must be the same and that monopolistic powers are used to manage interchange.

Here in the United States Senator Durbin succeeds in imposing significant change to debit interchange.

Interchange will continue to be scrutinizes.  My hope, let us return to original definition of interchange and focus on being a mechanism designed to simply cover the issuers’ cost of processing payment transaction and offer a reasonable profit for their efforts.

Let the issuer earn the core of their income through revolving Interest charges, annual card fees and other services paid for by their customer the Cardholder.  Why should the merchant subsidize the rewards offered to entice cardholders to take an issuers product without also garnering a demonstrable increase in sales?

Is recent EMV announcement the catalyst the U.S. needs to catch up?

August 22, 2011

Is recent EMV announcement the catalyst the U.S. needs to catch up?

During this past year, the team at Portals and Rails has published several articles exploring the growing risks in card-based payments and the need to move to a more sophisticated and secure enabling technology. But overhauling a payment system is no easy task, as there are many players that need to collaborate, from the card networks to the bank issuers and merchants. How does the industry organize itself to orchestrate a much-needed transition?

http://portalsandrails.frbatlanta.org/2011/08/lessons-from-mario-brothers-finding-keys-to-fighting-fraud.html

Interesting question for the industry as we go through this transformation to a fully connected world where everything happens between our mobile phone and the merchant, friend, family, phone or cash.

 

 

ISIS the new Mobile Commerce JV … What next

This goes back to november 2010 when the announced ISIS (renamed SoftCard now dead and buried)

Over the last week many of us have read and attempted to understand what are the goals and objectives of Isis and its owners AT&T, Verizon and T-Mobile.

Visa reacted, pundits speak of ISIS becoming a new payment brand/system and Google, Ericson, Apple and RIM all are embracing NFC and speaking to inclusion in the mobile phone.

To include all these links would take more space than appropriate. A simple Google search with key words like ISIS Mobile Commerce etc. will quickly get you to more than you could digest.

In the Isis press release they speak of creating the Mobile Wallet and talk about offering their services to merchants, Banks and carriers. Yet in what capacity? Clearly the relationship between the citizen and merchant today belong to the merchant, carriers and banks. So one wonders if ISIS will interact directly or if the Banks, merchants and Carriers will be the channel to market for the underlining services ISIS offers.
Of significance is Bill Gajda’s, Visa’s head of mobile products, statements which does not identify Isis as a threat or a competitor. He speaks to collaboration. It will be interesting to see what MasterCard will say.
As I thought about what ISIS wants to be, I was drawn to reread a paper produced by GSMA and ECP Global Switch Mobile Association and European Council for Payments. That paper is titled.
Trusted Service Manager Service Management Requirements and Specifications

Doc: EPC 220-08, Version 1.0 January 2010

What occurred to me is that Isis could set itself up as a “Trusted Service Manager” TSM, taking on a trust function supporting Issuers and Mobile Network Operators MNO and why not the merchant; who all all talk about the capabilities of the mobile phone and will want to dematerialize their cards and install their certificates, data and applets within the context of a mobile wallet. ISIS can then derive their revenue from fees assocaited with “Trust” and assuring the identity of the owner of the phone,.

I do not see ISIS becoming a new means of payment. I see them becoming an enabler that helps build the business case to drive the necessary investments merchants and carriers must make to assure the consumer that they can move all their cards into their mobile phone. Mobile Commerce is the key words that leads me to think about coupons, loyalty, rewards, push marketing …

As we all know contactless and NFC are not getting the traction one might have expected. Mobile loyalty, Mobile commerce, services branded as a means of enhancing the customer experience those I do imagine will excite merchants and consuemrs to demand NFC capabiliites. Imagine walking into a store and getting coupons and discounts as you tap and add to your shopping cart. Clearly merchants appreciate that they can drive consumers to buy more it they can excite them.

So what is ISIS truly going to do, compete, collaborate or enable?

The path for the USA to EMV

http://www.finextra.com/community/fullblog.aspx?blogid=5875

EMV: Let the planning begin

 

There’s no way around it – EMV transition planning will be complicated. However, while EMV is a complex specification, the good news is that it can grow over time. Thus the key is to implement an infrastructure that lets you start with a simple, single portfolio that can expand and mature with you. Looking forward, the goal is to do it once, do it properly and avoid the pain of re-doing it when it’s time to move into mobile payments

I agree totally with this sentiment. Mobile is here. EMV addresses the requirement to include Dynamic data in a payment transaction to address questions of identity and irritability.

Update 02/22/2012

Having had a chance to sit inside EMVCo working group meeting and being fully aware of those words read every time that reminded us of our confidentiality and sharing of patent and secrets that might jeopardize the future of EMV.

What I saw was the successful release of the EMV contactless specifications and type approval processes capable of testing tap if one remembers the distance has to be 2 cm instead of 10.  Otherwise the protocol and security will last us until 2025.  Plans where underway as I left that where focusing on expanding the standardization of mobile and the development of a next generation or EMV 2.0.  They are talking about 2015 and 2017 for probably dates that these new specifications and processes would be in place to allow widespread adoption so that circa 2030.  If hey are right we have a new and transparent solution that opens and never hinders access to whatever we have the right to access.  what about the next 17 years,

Well, EMV works.  It already includes mobile and contactless.

Visa and MasterCard have said yes.  Amex is OK, discover has had lots of ads for payment people with EMV knowledge and such titles.

The Federal Reserve seems to be on-board and Global Platform, NFC and Mobey forum seem to be OK.

Looks like a plan to me.

Payment – Mobile Payments – Connectless payments and an opening to further discussion

Each day I receive a variety of articles on the subject of mobile payments and find countless opinions about the evolution, risks and capabilities of mobile payments.

As is always good form a definition is in order.  I could begin by suggesting a mobile payment is any time that while moving about I can purchase something from someone using some recognised means of payment or currency.  So at the most basic level of understanding carrying cash in our pockets was and still remains a form of mobile payments.  Yet this is not what we mean when we discuss mobile payments.  What we have done is combined two words from two worlds into a new thought.  Mobile emerging from the arena of telephony and the use of the concept of a phone that does not need to be connected with a piece of wire.  Wireless, cellular and mobile all are terms that we associate with the use of radio waves to connect a telephone to a network allowing us to make phone calls from someplace that is in proximity to a receiver or cell tower or satellite.  Now I’m sure all of my readers know these things and are wondering what is the point.

The point is that we also talk about contact-less payments that concept of waving a card in front of an antenna, thus  allowing the card to receive power through induction and then communicate with the device controlling the antenna.  Some people call it that “Tap and Go” feeling others refer to it a PayPass, Visa Wave, Express Pay card and if we travel the world we will find an assortment of other brand names such as Dexit.  In many cities transit agents discovered that by employing contact-less cards interfacing with – terminals they could create efficiencies, improve information about ridership and maybe even reduce fraud.

So now we have to discuss the application of the technology.  This brings us to the idea of closed loop and open loop systems.  Neither are new thoughts, charge cards issued by department stores are closed loop they only work at that companies stores.  Open loop refers to systems that are widely accepted because someone has gone out and branded a concept, convinced merchants it is convenient and then offered a “Card” to you and I so that we can be identified and employ this “Means of Payment”.  Classic brands that we think of as Open Loop systems include money, MasterCard, Visa, Interac, PIN, eurocheque and an assortment of national brands.

Yet all of these systems have inherent inefficiencies.  Inefficiencies that some see as benefits and others see as highway robbery.  Then there is that class of people who enjoy getting something for “nothing” they like the idea of counterfeiting money, replicating credit and debit cards, capturing our PIN and ultimately stealing our identity and more importantly our hard earned money.  I could also mention merchant discounts, late fees, interest charges, interchange but those are all for another day.

The operators of these systems understand or learn about these various methods of “Stealing” identity and money and have built systems to mitigate the risk, eliminate no minimize yes.  In Europe and throughout the world (except the USA) the members of MasterCard, Visa and the various domestic systems are working to reduce these threats by introducing Smart Cards or Chip Cards all cards employing the EMV specification that have a computer embedded within.  The benefit is that PIN can easily be introduced on credit cards, the cost of telecommunications can be reduced by allowing the computer in the card to make intelligent decisions when ever that card is used to effect a payment.

This movement to secure payment cards with the technology and specifications defined within the EMV specifications began first in France where they went out on their own developed their own specifications and proved to the world that smart cards or chip cards can and will reduce the level of card present fraud and can if employed properly also reduce the cost of telecommunications.  their success can easily be  seen in this chart that tracked their progress and success.

French Banks demonstrate the Smart Cards workFrench Success Story

Remarkable success, yet they were now faced with an issue.  First the criminals understood if they disabled the chip (computer) the merchant could still swipe the card and read the magnetic stripe.  This one easily could be solved by eventually not allowing cards that should have a chip to be swiped through the magnetic stripe reader.  But what about when these cards were used in Holland, England or anywhere that had not, and at the time no one had, adopted the same means of defense.  The net result fraud migrated from being a domestic issue to the cards being used in neighboring countries.  Obviously the French became proponents of a global migration to smart cards and convinced Visa, MasterCard and Europay to develop the EMV specifications, recognising that they would have to eventually convert.

I could continue to digress from my main theme and talk about how each country went through its decision making process.  I could then go on and talk about how far along they are in their implementations. Suffice it to say some are finished, others are diligently working towards completion and others are moving at a pace that does not cause undue expense and allowing natural replacement cycles to drive the timescale for implementation.

Here in the country where I live they also have a Chip Migration strategy.  Canada is inpilot or a trial depending on how the lawyers interpret the efforts of banks potentially colluding together.  By the summer cardholders in the Kitchener Waterloo area will be using these chip cards and the media, banks, merchants, processors and associations will be monitoring and learning how the Canadian’s feel about and their willingness to embrace the change.

The following chart outlines Interac’s schedule for deployment.  MasterCard is playing along without committing.  Whereas Visa has stated that they will push the liability for fraudulent transaction not protected by EMV to the Acquirer if their merchants are not compliant by October of 2010.Canadian Chip Migraation Interac's EMV Timeline

So how does all of this affect the introduction of Mobile Payments or Contact-less Cards.  A mobile payment is simply, today, a contact-less payment performed using a mobile phone with the contact-less interface inside as apposed to to using the card as the form factor..  Well some will say not at all, the drivers are different the business case is not the same.  Yet the core technology is a computer in the card.  So why worry, eventually all of this could come together.  Or will the USA decide to take another path all together.

So to end this particular blog I ask a simple question, based on the premise that the mobile and contact-less payments that we see emerging are all about speeding up low value <$25 dollar transactions. What happens when I want to use my contact-less mobile phone for a payment for say a $1,500 hotel bill.  Will I tap my contact-less device “mobile phone”.  Have to find a place to put it while I either enter my PIN or sign the receipt.  Today the clerk typically holds the card for me while I sign the receipt tomorrow what.  Or will they decide to merge contactless and EMV creating a more interesting problem.  I’ll need to keep that phone near the antenna while my PIN is verified and the transaction is authorized.

Or should we go on and talk about the security concerns that everyone has described in countless articles and numerous logs.  The idea that the criminal will walk down the street reading the content of your purse or wallet with their hidden antenna.

Or should we talk about who is going to pay the price of adding the contact-less antenna to the merchants point of sale equipment.

Let me hold those for another day and another flow of thought.

Interac's EMV timeline

NSTIC and EMV should merge

October 03, 2011

Cyberspace trust: Proving you’re not a dog

A very real discomfort underlies the classic joke: “On the Internet, nobody knows you’re a dog.” How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate’s Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you’re reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

http://portalsandrails.frbatlanta.org/2011/10/cyberspace-trust-proving-youre-not-dog.html

Philip thinks:

  • The next step is to merge the identity sought by everyone and easily relegated to the Banks to manage.  Facebook and GMail offer an option if their KYC can be improved.  With face to face meeting it is possible to truly prove identity, requiring a branch network.
  • Transaction processing is legacy in the developed world while the emerging economies offer an opportunity to build new.  Existing standards and processes need to be respected as they transform to absorb the new information attachments and Internet offers we now need to cope with.
  • The Wallet forms the basic unit to create a trusted network employing smart cards, trusted computing, persistent computing and inteligence to enable the consumer experience.
  • Privacy and integrity of that trust is essential to the system
  • The individual is key
  • Respect rights and obligations

 

 

 

 

Legacy infrastructure impedes truly innovative disruption

An interesting thought – Is the USA behind in adopting payment technologies.

Areas that one could ponder are:

* Payment Card Security
* P2P Mobile Payments
* P2P and P2B Electronic Funds Transfer as part of Home/Mobile Banking
* Elimination of Checks including Check images
* A/R and A/P electronic payments integration
* …

What would be interesting is to eventually be able to catalog the global differences and define the ultimate payment capabilities a country should adopt.

Please let’s share and explore.

Are the Pundits over thinking the ISIS proposition

Mobile payments is being discussed in the context of “creating” a new “means of payment” or in other words a new “Payment Brand”.  I would suggest  the expense and time it takes to create a new “Payment Brand” is significant not to ignore expensive. 

Just look at PayPal.  How long, on the backs of eBay, did it take to reach the point where they are ready to  enter into a venture with Verifone to become a “means of payment” their buyers can use at the real world stores of their sellers.

Two models for payments exist in the market today and frankly these two models have not changed, since the beginning of any form of commerce. 

The three party model and the four party model. 

Classically banks regulated and trusted to hold our moneys in accounts are fundamental to the act of payment.  They have always been key to developing and operating the payment systems. 

Unless of course we use cash. 

In both models two parties always exist – the Buyer and the Seller, the Payer and the Payee or the consumer/cardholder and the merchant.

In the four party model we add two Banks who support one of these two parties.  There is the bank with the relationship with the consumer/buyer/payer/cardholder, often called the Issuing Bank.  On the other side of the payment there is the bank with the relationship with the merchant/seller/payee, often called the Acquiring Bank.

The three party model, simply means that the Bank of the payer and the Bank of payee are the same.  The movements of funds flows from the buyers account to the sellers, as ledger entries, within a single institution.

American Express and PayPal are perfect examples of non-Banks who operate three party payment systems. 

The central bank is another example of a three party system.  All the banks within a country are clients of the central bank and have accounts at the central bank.

Clearly the three party model is the most efficient.  But, it requires that there is a monopolist who processes payments for all buyers and sellers in order for the system to truly work.  Reality dictates that a monopoly or agreement by all parties to use a single entity for their banking and payment services must exist for such a system to dominate the market.  

Therefore, the payment systems have evolved cooperatively; based on acceptance by the consumer and merchant of a recognized means of payment.  The banks work together to establish a set of rules and procedures they employ to transact payments.  Various four party models i.e. MasterCard and Visa along with checks, electronic fund transfers, dominate the payments landscape. 

Inherent to these models is  a Brand (acceptance mark), a set of rules and a clearing mechanism.  Everything works because there are agreed rules and procedures that govern how the two banks execute payments.  To complete the cycle these two banks ultimatelyexchange real money, typically through a settlement bank or the central bank representing the total value of the payments processed.

To add complexity to the landscape, the Issuer and Acquirer often contract with processors to do the work.  These to entities are identified in the graphic as the Issuing Processor and the Acquiring Processor.

Behind the term mobile payments, some think there is a more efficient method of affecting payments.  They believe inserting a new player into the game will make the whole system more efficient and therefore cheaper.  Or more appropriately they think that their new approach will allow them to earn a portion of the Merchant Discount (fee paid by the Merchant to the Acquirer) or the Interchange (fee paid by the Acquirer to the Issuer). 

The more I think, read and discuss, the more convinced I become that creating a new payment Brand is an expensive exercise and frankly believing we can create something new and more efficient than the existing four party models is irrational. 

So what does the Mobile Phone bring to the payment landscape? 

Clearly ISIS understands.  Mr Abbott states “We plan to create a mobile wallet that ultimately eliminates the need for consumers to carry cash, credit and debit cards, reward cards, coupons, tickets and transit passes.”  Key word “WALLET” by definition “A wallet  is a small, flat case used to carry personal items such as cash, credit cards and identification documents, such as a driver’s license. “  Interesting, a mobile phone is a small, flat object that can carry a digital facsimile of cash, cards, identifications documents … . 

Next we think about NFC “Near Field Communications”, a method of transferring data between the content of the Wallet to the merchant’s Point Of Sale device “POS”.   Tap instead of swipe.  NFC replaces the  read of the magnetic stripe with the transfer of the data from the Mobile Wallet to the merchant’s POS.  To achieve this goal PayPass and the otehr contactless payment cards simply stores what is on the magnetic stripe and passes it via NFC to the POS.  Given that a mobile phone is a computer we can introduce digital certificates and do it much more securely. 

This is exactly what  EMV Europay, MasterCard and Visa defined and employ.  Debit and credit card issuer throughout the world are now employing the  trusted characteristics of a chip card to secure their credit and debit card payments using digital certificates. 

With a Mobile Wallet (remember the SIM is a chip card) a trusted component is available, inside the consumer’s wallet, capable of supporting EMV and assuring the authenticity of the content (Card) of the wallet and the identity of the owner of the wallet.

Bob Egan in a recent Forbes article The ISIS Mobile Wallet: Are Visa, MasterCard and PayPal Under Siege? writes “To me it’s quite clear the ISIS is taking matters into its own hands. I predict we will see ISIS become the issuer behind new carrier partner plastic credit/debit and prepaid cards in addition to mobile wallet capabilities for those cards become resident as applications on mobile phones.” This suggests that Isis is going to compete with Barclaycard.  If this is the case then what does the following statement in the Isis release mean “Barclaycard US, part of Barclays PLC, is expected to be the first issuer on the network, offering multiple mobile payment products to meet the needs of every customer. “ 

So what is Isis planning?  Clearly Pundits are not sure.

EMV is truly becoming the base for secure Card Authentication and Cardholder Verification

INCREASING EMV CARD AND TERMINAL DEPLOYMENTS CONFIRM EMV AS GLOBAL PAYMENT STANDARD
06 October 2010: As of 1 September 2010, over one billion EMV®* cards and 15.4 million EMV terminals were active globally. These are the latest EMV deployment figures reported by EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa.

http://www.emvco.com/download_agreement.aspx?id=561