Today, Wednesday October 18, 2017, I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference. Today, I was reminded of the reality that payments is not only about cards; it is the engine that fuels the revenue of a financial institution. ACH, wires, cards, checks, transfers and even cash are revenue-earning services, the services our community banks call payments.
My speech was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.
Continuation of my running thoughts as I listen and participate at the Secure Technology Alliance.
Role of the TSP
- Wearables are a small part of the IoT market, and to scale, the vendors need to not have to worry about “Payments”.
- Should device manufacturers understand payments? Can they?
- The TSP must appreciate its role and what it is not.
- As we look at IoT we need to recognize the scale of the shift from an issuer-centric to a consumer-centric model. The payment credential carrier no longer belongs to the Issuer.
- What is the role of the Token Requestor? It provides a consolidated view for the consumer. It consolidates the view of all the edge devices.
- Who is the ultimate revenue source? The consumer? How does one create the consolidated view with so many instances of tokens?
- What is the life of a token? This then leads to the question of the relationship with the manager (issuer) of the Means of Payment.
- With a pre-provisioned credential, how does one manage the long-term life cycle?
Root of Trust
- Is PKI the right approach to the necessary level of trust this emerging environment requires?
- We must remember the complexity of a PKI infrastructure.
- In the payment space the use of secure devices, e.g. HSMs, was mainly on the acquiring side. Now, as a result of EMV, issuers have become much more concerned with keys and key management.
- As we move into a mobile and more broadly connected world, the need to assure trust in the software, the device, whatever it may be, only grows.
- This discussion is very much about the value and need for HSMs.
- The question is raised as to the future of PKI given the US Gov’t perspective.
- And, what of the introduction of Quantum Computing and the associated risk to the available cryptographic algorithms and keys?
- A car can be used as a place to shop, it could pay for service rendered, it can be linked to service providers. NFC/BLE/In-app and Card on File.
- The car can host merchant apps.
- The idea of a POS device in the car leaves me lost. Who is the seller?
Smart Cities and Multi-Modal
- To address smart cities one has to think across the wider context.
- What roles the FTA can support becomes a question of what the cities want.
- Mobility on Demand is driven by the need to reduce congestion and improve life.
- Built on local partnership within the community.
- A recognition that a multimodal approach is necessary. A focus on user centric approaches to transport.
Multimodal Payment Integration
- The challenge begins with the fragmentation of the transit environment. It is not transit; it is all about Mobility.
- They want a brand- and system-agnostic solution that is intelligent and can help better manage spend.
- How large is transit? Public only: 6,500 transit operators supporting 1 trillion rides per year.
- The roadmap is in development, it is early days.
Wearables – lessons learned
BLE of IoT Payments
- The cloud may restrict what could be communicated.
- BLE is “local” allowing secure application management and secure transactions.
Managing Trust and Security
- Identity is the key to much.
- The next question therefore is trust in the Identifier.
- Authentication with what, in what, where?
- Life cycle management. How do you know your device has been wiped clean of all your credentials?
Continuing the learning and commentary
IoT Payments 2017 – Austin TX October 10th and 11th
- Security has always been an afterthought as devices were deployed and solutions were developed. Security needs to be built in as a fundamental layer in these emerging IoT objects.
- Growth in fraud in online payments is typically a result of the deployment of EMV.
- As we think about Dash buttons and the myriad of other interfaces that can access a card on file style shopping and payment experience we must think anew about security.
- What is context? Our digital footprint as we go through our daily lives.
- The growing number of IoT devices can help to establish context, which can then be used as a fourth factor in an authentication scheme.
- It is all about acquiring data and building a profile, your context.
- What is the unique identifier that links all the objects to the individual?
Bridging the Security Gap
- Brightsight is a lab focused on security, looking at both physical and logical security at both the operating system and application layer.
- The IoT landscape is a world of objects where the goal is to sell fast. No security has been built in, and the attack surface is broad and wide.
- There is a fear of who is able to access the vast array of data available through these connected devices.
- Security is about managing risk. Risk evolves over time. Therefore security must evolve to stay ahead of the current level of risk – continuous improvement.
- In the world of IoT who will define the security requirements and who shall pay becomes the key question.
- We should consider using Common Criteria as a baseline for the security of IoT devices.
- Bottom line – the implementation of security is all about the developer and the use of already certified components, e.g. the Integrated Circuit and the Operating System.
The key to top of wallet
- Like a card
- Mobile device (secure element)
- Wearables are in market today.
Risk Based Payment Security
- Beth took a walk through the history of payment acceptance
- The Internet of Things creates the tsunami effect on our world of risk. Both scary and empowering.
- Risk is or was always about the balance between security and convenience.
- Tokenization moves the authentication responsibility from the Issuer to the payment brand. In this case, who has the responsibility in the event of. Has the threat of penetration moved to the payment brand?
- The move to mobile devices, as a result of their inherent transaction security, shifts the risk to the registration and ID&V process.
- Interoperability and security standards: who controls them? IoT is not a market. It is a collection of vertical and closed environments.
- We need to agree on a common set of security values not necessarily on a common standard.
- When we think about the wider question of the how and what of security, we need to think about the security of the device and the cloud. We need to remember it is also about the ability to spoof and acquire the credentials of a user.
- Security must be designed in from the beginning.
The day came to a close.
Random comments offered as the various speakers speak at the conference at the Hyatt Regency Austin.
- MasterCard spoke of the opportunity IoT offers in this connected world and how technology can transform physical retailing.
Prof. Gideon Samid, PhD, PE.
- Speaks of the use of randomness as the key to the security of the future.
- The challenge of IoT is the processing capabilities of these devices.
- Digital Money & Contract: you cannot separate identity from the value. Cyber economics and the associated cyber security are all about setting up a scheme where for each action there is a payment for service rendered; hence an audit trail is established for each action.
- What happens to anonymity in this new world where every action is identified and recorded?
- Anonymity will be dictated by regulation and the political domain. BitMint embraces the controls inherent in the 4th amendment.
IoT payment landscape
- A brief wander back through the wayback machine as we watch time move forward.
- Samsung shared a vision of what this new world of IoT looks like.
- Cars, washing machines and so much more connected and controlled.
- Samsung is a Token Requestor post identity and development. The Samsung Pay technologies now in the phone can easily be transferred into almost any device.
- Gemalto was asked to address the multiplicity of devices emerging in the market place. There is just a plethora of new form factors.
- The question is all about getting the key set into these devices. The aggregation model as a Token Service Manager is what Gemalto has developed.
- There are two basic models the pre-personalized and the over the air personalization.
- There is then the emergence of the new domestic Token Service Providers. G&D speaks of the breadth of security required for these IoT devices.
- We now need to think about Life Cycle Management especially when considering payment credentials. Key to this conversation relates to upgrading and replacing the device carrying the credential.
- How will the consumer figure out where all their payment credentials are?
- How shall the standards evolve to support all of this new and competitive plethora of IoT objects?
- We must be careful and embrace standardization to support interoperability.
- Why can’t this market embrace the device, and not the cloud, model to store the payment credentials?
- We are layering security onto the existing legacy infrastructure. The payment brands are responsible for defining the rules and technology requirements.
- Tokenization was created as a means of solving for device limitations by pushing the point of compromise into the cloud.
- MST is a nice transitional technology, NFC is more than likely the future, at least in some peoples view.
- The point of interaction is, bottom line, the point of acceptance.
With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.