Proofing or Identity Verification is the Key to any Relationship

When we consider our activity in cyber space  and even in in person.  The most important element is the relationships we develop.

If we consider the characteristics of a relationship, we need to think about the question from the perspective of each of the two parties.

  1. The relying party: be it a bank, merchant, club, government, employer or other operator of a website or facility; are interested in serving, selling and supporting the user
  2. The user: be it a individual, consumer, citizen or employee; are interesting in accessing information, exploring, shopping, browsing, communicating, sharing or otherwise enjoying something.

A relationship can then either be enduring or can be that of a guest.

  • The user wants to know if the party they are attempting to engage with is who that party claims to be.  Rely party simultaneously needs to believe the individual is who they claim to be.
  • What the users identity is or better said what attributes of user’ identity are necessary is down to the objectives and longevity of the relationship.

Being assured of these truths is what proofing or identity verification is all about.  Data privacy and need to know then filter into the conversation.  This then needs to be balanced against risks the relying party and the user are taking,

With all of this in mind each party can decide what level of identity verification is required.  This task is all about how one balances privacy, convenience, security and risk.

More and more to secure our digital world

The behavioral economics of authentication

Password Management Remains an Issue — What’s Next?

These articles cause me to think about the future and how the consumer will ultimately respond to the changes now taking place to how we Log-in to a website.  Yesterday, or better said 10 years ago, we all understood that simple User Name password.  A single screen with a reasonably consistent user interface.  Sometime we might have to put up with two screens, One for the User name and the next for the password.

Today we are being confronted with a variety of methods to authenticate ourselves to the websites we frequent.  Many register cookies on your machine and when your told they needs to be deleted, we are confronted with a second or even third layer of security and identity proofing.  Often times we are then told to wait for an email sent to some email address we once registered or asked to enter the number we will receive in a text message to a mobile phone number we once registered.  Some websites are using one of the various authenticators our mobile phones may now be hosting.

In my case, ignoring the various authenticators I have already deleted, I am using:

  1. Samsung Pass
  2. Google Authenticator
  3. Microsoft Authentication
  4. Norton Password Vault
  5. Samsung FIDO Certified “SIDF”, inside my Galaxy 7s phone
  6. email or text messages with a code I must type in
  7. Emails with a link as a means of verification

What is clear is there are start-ups and legacy technology companies busy trying to profit from authentication.

My concern is the consumer will be confronted with more and more as everyone claims they have a better widget capable of securing our digital world.

Why not come to consensus on a common approach to authentication?

A world between yeaterday and tomorrow

The week of March 25, 2019 I had the opportunity to visit with a room full of community banks with assets in the 100 million to billion range. Organization with 25 to maybe 300 staff.

The presentations taught me more about the difference between what large International Organizations worry about and what these small community banks need to learn. Faster Payments, Zelle, same day ACH all new services these organizations must integrate into their organization, both technically and procedurally.

Things I have been exposed to are new challenges for these small town banks.

Words like liquidity risk clearly top of mind. Yet, as we move from over night settlement to real time settlement.

Phone fraud, risk mitigation all greater challenges not necessarily appreciated yet alone understood.

In the end what is clear these community banks exist because of the small towns they understand and work within. Do those of us exposed to a larger world understand what drives these communities banks, at least not I.

Account TakeOver should be the Bankers concern

FASTER PAYMENTS, FASTER FRAUDSTERS

Another article published by PYMNTS.COM causes me to reflect on a discussion I had last we at the Payment Summit organized by the Secure Technology Alliance.  When the US Faster Payments work groups where stood up on e of the working groups focuses on security, yet no particular drive exists to protect the consumer of the corporate treasure from their account being hacked into by some phishing, vishing or other criminal act.  Account takeover will become a much more interesting attack vector.  Moneys will irrevocably flow out of the hacked account and to whatever account the criminal so directs them.

Key word real time gross settlement and faster payments depend on the irrefutability of the funds.  once executed they instantaneously transfer to the receiving party.  What is required is a concerted effort to implement strong multi-factor authentication, at least at the time the transaction is authorized by the sending party.  Some will say the risk is no greater than what exists today when a consumer or treasurer executes a Wire Transfer or any form of transfer between two financial institutions.  This maybe true.  the availability and assumed convenience will as the article described lead to heightened risk.

As I have written in other blogs we need to embrace strong Multi-Factor Authentication.  The standards exist, the security of the device in many case is present.  Relaying parties need to decide security is worth the investment.  They need to recognize the value of  satisfying the consumers’ need to have access to their funds properly protected.

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Biometrics carry risks.

Hacking Our Identity: The Emerging Threats from Biometric Technology

As I skimmed through this article I was reminded of the reality of biometrics.  It is a statistical algorithm designed to compare what was registered to that was just sensed.  It is an imprecise process.  The author reminds us of the importance of our identity in each and every interaction we engage in.  She further ponders the question, of the potential threats to the biometric solutions that countries, people and enterprises are embracing, as we work to address the questions of Authentication and Identification in our complex digital and physical world.

The article asks the questions:

      • Do the countries and enterprises understand the technology and processes used to support biometrics as a means of authentication.
      • Do they appreciate the need to secure and protect this most sensitive of data?
      • Is the data they store able to be used to compromise the individual of the integrity of that which it seeks to protect?
      • Are we at risk of creating a surveillance society?

Finally there is the question of the accuracy of biometric matching.  It is interesting to observe the comparison of the accuracy of biometric matching to PIN or password matching.  We all recognize the challenges of PIN and password.  It is not the concept it is the question of how many complex PIN or passwords is the human mind capable of retaining without writing them down or storing them someplace that can be compromised.

As I have argued in other blogs, the answer must be in the possess of something unique which has a False Reject Rate FRR and a False Accept FAR Rate, both approaching zero.  Clearly the PIN or password has such a characteristic the challenge is in remembering so many.  An object or a thing “Something You Have”, be it a card, phone, watch or bracelet with a Restricted Operating Environment inside e.g. secure element, TEE or TPM, secured using strong cryptography, paired with a biometric makes the most sense.

Distributed Ledger and Things

As I sat to write, I was drawn to the Wikipedia’ Bitcoin article. As I read the story of how it all happened memories and concerns once again flowed through the neurons of my mind. Silk Road and their involvement and the evolution of the value of a Bitcoin, struck me as a magical mystery tour through a world of mathematicians, anarchists, profiteers and speculators.

I then remember reading

an element of a report from the Bank of International Settlement on crypto currency. The picture above is intriguing for those of us who appreciate the complexity of payments. The article gets ever so intriguing when one continues to read and finds this interesting illustration of

the difference between what we all are familiar with and what those who understand DLT and Bitcoin appreciate. The central focus of this new technology is to address one and only one concern. Trust in the intermediary.

I must admit this particular article is not the one I originally intended to speak to. I do though recommend reading it.

The article I had intended to reflect on is Central Bank Cryptocurrencies. In this document they speak to the possibility of the banks issuing a stablecoin. The recent announcement of JPMorgan Chase is one example of such.

This then causes me to reflect on the various use cases and conversations with people about the potential of DLT. I wonder why, at least here in the USA with our judicial and regulatory framework and the rule of law; we would seek to replace the existing intermediaries with a permissionless distributed ledger and the associated consensus mechanisms of a public ledger. There is enormous and growing cost in consensus built on “Proof of Work” and massive duplication of the ledger or as most call it the chain. Be it the electrical cost, the cost of a data center or the specialized computers necessary. The people and companies, the nodes and miners, will expect a reward for their effort.

Which is cheaper, if a reasonable level of trust exists?

Where are we going from here

This is the question. There are those that believe Block-chain and all of the other distributed ledger technologies are the answer to everything. I would suggest one much consider:

    • The level of trust the various parties have in each other.
    • The cost of multiple copies of the distributed ledger.
    • The cost of the consensus mechanism versus a trusted intermediary.
    • The governance required to maintain security, software and specifications.
    • The value and ethical issues of anonymity.

This then begs the question of a permissioned or a permissionless ledger. Which then begs the question of governance and who is responsible to establish the rules.

It is clear there is value in the idea of a distributed ledger. I would suggest caution in deciding if it makes sense for your use case.

      • What are the goals and objectives of the solution?
      • What are the economics of the various approaches?
      • Who are the stakeholders?
      • Who determines the rules and manages change?
      • Can the participants trust an intermediary?
      • Does everyone fear what another could do?

Helping you to understand the answers to these questions is what we do.

Identifiers, Tokens and Authentication

Often times I have wondered why everyone is so enamored with Tokens and Tokenization. Some time ago I begged the question of the broken token in a presentation to the Smart Card Alliance.

My premise is simple.

Identifiers are not authenticators. Replacing the identifier with a token as a result of turning an Identifier, the PAN, Social Security Number or other identifying index value, is a bandage on a festering mistake.

What we need to do is address the challenge of authentication in a convenient and frictionless way. Having to protect an identifier was the issue that created PCI and the whole issue of PII data. The Identifier should not need to be protected. It was and still should be an index and means of recognizing the relationship the relying party has with you. The authentication function is to make sure the person linked to that identifier is you!

User name: Identifier

Password: *********

Was not a bad start. Single factor authentication “what you know”.

Given the number of relying parties we all maintain relationships with, it is time to retire the password; Introducing “what you have” a secure thing (be it a chip card, Fob, Mobile Phone or Personal computer) and exploit the power of cryptography. Then add a second factor, a password or PIN, is a great first step. Changing the PIN or Password to a Biometric is a great leap into a truly secure environment.

The Key is to embrace the first factor “What You Have” a true token.

SCA Workshop Tokenization - 2015

We are here to help you figure out the right approach for your organization.

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Karen Webster
CEO, Market Platform Dynamics
President, PYMNTS.com

Karen,

Last week in your publication I read the article Deep Dive: Security In The Time Of Faster Payments and I had to offer the following thoughts:

The concept of Multi-Factor Authentication is based on the idea of layering multiple authentication techniques on top of each other.

We typically speak of three factors “What You Have”, “What You Know” and “What You Are”.

When we think of “What You Have” we think of a “Thing”.  An object that cannot be replicated or cannot be counterfeited.

An object “a secure computer” that can be upgraded and made more secure as threats like Quantum emerge.
A unique object with a False Reject Rate FRR and a False Accept Rate FAR approaching zero.

In the physical world “the thing” is a card or passport.  You will remember our first discussion, we came to agree the “secure computer” embedded inside provides a future proof mechanism.  In the digital world, we depend on Cryptography.  This Thing, inside our computers, mobile phones and other technologies; many refer to as a ROE “Restricted Operating Environment”.  Technology people may call it a Secure Element, a SIM, an eSIM, a TPM, a TEE, an eUICC or even Security in Chip.  Companies like ARM specialize in creating the design of these things and silicon manufacturers embrace and license their designs.

Today these connected devices (be they: personal computers, identity & payment cards, FOBs, mobiles phones, bracelets, watches and hopefully every IoT device) need to be secured.  This array of cheap ~$1 security circuitry provides a place to create and/or store private keys & secrets keys, perform cryptographic functions and assure the integrity of the BIOS and software being loaded or currently running in these computers.

Think Bitcoin for a second.  The key to its architecture is the Private Key associated with your store of coins.  Lose it and they are lost.  Many people store these in hardware, based on the use of a ROE.

The second factor is all about proving that you are present.  Behavior, location, PIN, fingerprint or passwords are second or even third factors, be they something you know or something you are.

This is what FIDO and what WebAuthN is all about.  Especially since they introducing the security certification regime. This is what the Apple Secure Enclave is and Samsung and others embed into their devices.  This is what we put into payment cards, government identity cards and the Yubico keys we see various enterprises embracing.  This is what Bill Gates started talking about in 2002.  BILL GATES: TRUSTWORTHY COMPUTING

As we move to Faster Payments we must move to Secure payments.  Immutability and irrefutably become key requirements.  To achieve this goal I suggest we need to understand one fundamental security principle.

The First Factor
is Something(s) You Have
My Thing(s)

The Second and Third factors
Prove You Are Present

Storing Biometrics in the Cloud
Creates a Honey Pot
And, begs questions of Privacy

Let me identify myself to My Thing.

Then let My Thing
Authentication my presence to
The Relying Party (Bank or Credit Union)

Authentication, Trust, Identity and Identification

This week the following title caught my eye Why Authentication Needs to Simplified for Users and Organizations. As one of those users who wants authentication to be easier, I was driven to reflect back on what companies have offered as mechanisms to secure this amazing landscape called the World Wide Web or the Internet. Each of the four devices on the right are samples of the primary factor “What You Have”. They date back over 25 years and each included a Secure Element currently referred to as a Restricted Operating Environment ROE. The one with the keyboard was issued to me by my european bank in the 90’s. It was used as step up authentication to secure the transfer of funds.

Cumbersome to say the least. I had to enter a PIN, a number displayed on the screen then type the number displayed on LCD into a field on my personal computer. What I always asked myself, why can’t they integrate that thing inside my keyboard or laptop.

Reflecting forward and thinking about what we have to do today to authenticate ourselves. We are confronted with a myriad of solutions each different each claiming to be the right answer to the wider question. Secret questions, PINs, patterns, passwords, an SMS or email with one time passcode, the Google authenticator, the Microsoft authenticator, the FIDO U2F keys, the Fingerprint sensor on my phone, the camera on my desk top, how I use my mouse, where I am located, is there a cookie in my machine.

On top of all of those commercial solutions, there are numerous demo authenticators clients and prospects have asked me to look at.

Each different.

Each requiring the user to appreciate when and how to use it.

What is the answer. First we must agree on the requirements.

  1. Convenient
  2. Intuitive
  3. Easy to Integrate
  4. Secure

Starting with secure it must be able to offer a unique method of authentication that cannot be spoofed, counterfeit or otherwise compromised. It must have a false accept rate approaching zero and a false reject rate also approaching zero.

As it relates to easy to integrate the people who manage identity & access management systems IAM, computers and applications need to be able to quickly and with a minimum of effort, replace what is now used to identify and authenticate the user, with something new.

Intuitive this is the real challenge. There is the variety of users that must be considered. Are they their willing to learn or capable to make the leap, we hope they will?

Finally convenient which demands fast, easy, memorable and even something that is device independent.

How did we get here? Nobility provided individuals letters of introduction, sealed with wax and a signet ring to confirm the origin. This letter assured the attributes, capabilities and identity of the carrier. We trusted because of the seal we recognized

We, one of 7 billion people on this planet, have more contacts on LinkedIn, Facebook and a myriad of other social networks than many towns and cities when a ring and wax was an effective means of authentication.

Today we carry a number of documents. Each designed to provide proof of our identity. We simultaneously expect schools, employers, friends and other agents to be ready to offer proof of our claims. Did we graduate? Did we work there? Are we of good character? Did we received particular certificate?

Insurance companies, airlines, merchants, hotel and banks all provide cards and other means of identity. Each designed to inform someone of our rights, privileges or capabilities.

But, and this is a big but. We do not have an effective and convenient way of sharing these rights, attributes, and privileges on the internet. We let people identify themselves with user Ids and passwords. As the number of digital relations grow the challenge of maintaining secure passwords gets worse. As the challenges of phishing and vishing attacks got more sophisticated the risks, fraud and loses escalated.

We understand these challenges helped to secure card payment systems, were involved in defining new authentication standards and have seen and been exposed to way more ideas than necessary. Happy to help your organization’s secure your consumer and employee relationships.

Making you you – A question of Identity

The Economist | Making you you https://www.economist.com/node/21755427?frsc=dg%7Ce

An intriguing question, who defines our identity. Is it the certificate we may or may not have which was issued  issued to our parents at Birth, assuming some entity has that role? Who is this entity with the right to guarantee you are you or I am Philip?

When we hear of the challenges some must deal with in order to vote, we quickly realize it is others who hold the ability to define our identity or for that matter alter or erase our identity.

This article explores the history of systems developed to create means of linking an individual to the assets, obligations and rights they possess. What is clear, it is another who defines and establishes societies means of establishing your identity.

As we move into the world of virtual identity there are those who are and have sought to assume what often was the role of the village elders, the church or most often the government.

Are we the people comfortable with these technocrats, in it for profit, becoming the ordinators of our identity? Clearly advertisers and those seeking to take advantage, happily collect data about us and will happily use this data to push us to buy what they want to sell or take advantage of us in ways we may not be able to recover from.

For those of you incline to think about the question of identity, I recommend reading what The Economist has to say.

As Facebook Raised a Privacy Wall

NYTimes: As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants

As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants https://nyti.ms/2GqnbC9

As I read this article my mind asked the question what drives an organization and its American employees to forget they are American citizen’s with responsibilities to protect this nation from the acts of our enemies.

Excess profits, what other motivation could there be. The one motivation which is and will remain the greatest threat to society, the environment and our grandchildrens’ future.

Be it the concentration of power which drives excess profits or the reduction of quality, weight, volume or size, simply to maintain price and margin the shareholder will be served after senior management take its plenty. Stakeholders – client and employees come second, after the key executive and strategic shareholders are rewarded.

Russian’s and our other enemies will find our weaknesses and take advantage deluding us with propaganda and lies, all to achieve their aims.

Disruption or the Reality of Legacy

Often times people speak of disruption as this traumatic thing being imposed upon them, their industry or society. Yet, if we look under the covers disruption more than likely is all about a competitor, not locked into a legacy approach, approaching the market with different tools.

The world of payments, as so many others, have implemented technology then gone on to enhance or update multiple times. Each time, someone or some group of people, had to adapt therefore invest to keep up. More often than not, a community would decide to hold on to what they built, sometime ago, hoping no one tried to disrupt the status quo.

With payment the need to embrace more effective approaches parallels the robustness and frequency of transactions. It also parallels the desire of sellers to do business with anonymous buyers. A lack of trust and a need to reduce the amount of cash we carry drove, markets to promissory notes. These promissory notes further evolved, as trusted intermediaries entered the market and created more efficient methods of providing that guarantee of payment.

Not wanting to duplicate what is already written about the history of money and payments we can jump forward through the paper phase to where we are in North America: Cash, cards, some checks and electronic debits & credits.

If we look inside the evolution of legacy.  We find what we have, is a stumbling block, holding innovation back.  We need to decide to adapt what exists or remove and replace.

To connect or disconnect this is the quandry

Pymnts.com in conjunction with Visa published a study of the connectedness of the American population. While reading I wondered how they could identify 36% of our population as Super Connected Consumers. Thinking this profile might be people like myself. I began to wonder how could such a large percent of the population be so connected.

Reaching out to the publisher it became clear this report was well developed and the sample matched the citizen of this country. This led me to wonder about our connected world and how over 42 years I have gone from carrying a beeper to having thermostats, phones, watches, computers, Alexa, TVs, security systems and who knows what else connected somehow to that great network we once dreamed about.

Digital Identity and Multi-Factor Authentication, A Necessity in an Increasing Digital World

Last night November 8, 2018, Bryan Cave Leighton Paisner hosted the Atlanta Chapter of BayPay’s

Digital Identity and Multi-Factor Authentication,
A Necessity in an Increasing Digital World

The panel moderated by Philip Andreae, Principal at Philip Andreae & Associates included:

  • Clay Amerault, First Vice President, Digital Delivery Lead at SunTrust
  • Blair Cohen, Founder, Chief Evangelist & President at AuthenticID
  • Jennifer Singh, Innovation Specialist & Digital Identity Strategist at Thomson Reuters
  • John Dancu, CEO at IDology
  • Vivian van Zyl, Senior Product Architect at FIS

The panel focused on the need to address Digital Identity and Authentication with a clear focus on the user experience.  The discussion considered the balance between friction and security.  All of the panelist  articulating the demand for convenience.  The Audience questions which is it the desire, or is it the demand, of the American consumer.

All agreed, the key issue, as we move towards digital only relationships, is the challenge of Identity Proofing.  The panel also reminded the audience to layer various techniques in order to recognize the presence of the right user and the need to incorporate various fraud mitigation strategies to manage risk and assure identification.

Some of the participants asked if we should start educating the consumer and help them to understand the balance between a frictionless experience and one where a degree of friction is a symbol of how the enterprise (relying party) demonstrates its concern for the consumer’s data and responsibility to protect the consumers assets and identity attributes.

The question of centralize biometric databases versus distributed biometric databases, reminded people of the reality, our data, attributes and identity is already available on the Dark Web.  How we restore privacy and what will happen as the new GDPR regulations go into force in Europe, and as California moves to introduce its privacy legislation; requires each of us to  watch carefully and be part of the move to  restore the consumers’, OUR, right to the data that is us.

The Dual Interface Business Case

These cards and often times the terminals are more expensive than a classic “Dip” EMV card

How much, is dependent on volume, complexity and the pure skill of negotiation. This incremental expense is the first factor one must quantify when building the business case

  • for enabling, in the case of the terminal
  • adding in the case of the card, the contactless antenna
  • upgrading the software by adding the contactless terminal kernels or selecting the appropriate chip software and profile

This then must be compared to the incremental value
For the merchant, issuer and ultimately the cardholder

To explore the benefits lets think about

  • The user experience
  • Availability of merchant contactless acceptance
  • The intersect of the cardholder base with the contactless acceptance infrastructure

As we look around the world and consider what stimulates dual interface card issuance and merchant NFC enablement. Two scenarios emerge.

  • A country made a collective decision and drove NFC terminal enablement and dual card issua.
  • A merchant segment, typically transit, decided to introduce electronic fare-collection.

The first scenario is often driven:

  • By the payment schemes
  • The belief NFC “Near Field Communications” mobile payments will happen
  • A country simply wants to start dual interface and prepare for mobile payments

Which ever option they select, the merchant and financial institutions, within the country, typically migrate together.

In the case of the second scenario, merchant driven migration. We can look to the United Kingdom as a perfect example. “Transit For London” made the decision to migrate from paper tickets to an electronic fare-collection solution based on NFC. The initial deployment was a closed loop payment card, branded the Oyster Card, they quickly decided to upgrade the solution to support Open Loop e.g. Visa, MasterCard and American Express enable dual interface cards and NFC enabled mobile phones.

Given the importance of public transit to the urban demographic. Their decision to embrace open contactless fear collect, becomes a driving factor for issuers and therefore a ripple effect on merchant enablement.

America, as is true in many things, is different.

Contactless was tried last decade without much success.

Issuers did not see any significant lift in consumer spend nor did the merchant see any real increase in revenues. This experiment did not create a perception of a real benefit for either the merchant of the cardholder. Later in this same period, Starbucks launched their QR code mobile payment solution. From its original deployment to now it has been a resounding success.

Around the same time and based on the work of GSMA and the European Payment Council, major telecom operators began toying with NFC based mobile payments. Here in the United States two pilots emerged, the original Google Pay pilot and ISIS (SoftCard) offer. The results were intriguing, the commitment half hearted and frankly both solutions had issues. Google Pay tried to model its solution after de-coupled debit. Whereas the mobile network operators behind SoftCard, wanted to charge the issuers rent and load fees associated with the payment credentials they would store within the SIM.

Merchants Attempted to Create a new Payment Scheme

Major retailers in their continued quest to improve the customer experience and reduce the cost of payments; came together to create MCX the Merchant Commerce eXchange. The hope, merge their existing private label charge card programs together into a Mobile App capable of working across the family of MCX merchants.

Terms where written, in particular one agreeing these merchants would not accept another competing Mobile Wallet. Net result, the merchants agreed not to enable the NFC interface for any of the Visa, MasterCard, Discover or American Express contactless cards or NFC enabled mobile payment devices.
MCX slowly faded into oblivion, as the merchants struggles with the idea of sharing customer relationships and transaction data. Some merchants notably Walmart, Target, Macy’s and Kohl’s set out to build their won mobile wallets embracing QR codes and other none NFC based techniques.

The Introduction of HCE

While this was going on, north of the American border, the idea of HCE “Host Card Emulation” was created by the founders of Simply tapping 2011. It was ultimately by Android and released as part of KitKat in version 4.4 of the Android operating system. With HCE now inside the Android Operating System it unlocked the NFC interface from dependence on the SIM and MNOs. Now any application could take advantage of the NFC interface, once supported by the internarional payments schemes, enabling wider deployment of NFC enabled mobile payments. Google moved ahead to expand its payment ecosystem and Royal Bank of Canada embraced HCE. As Issuers enabled the ability to authorize the load of EMV secured Payment Credentials into the OEM Mobile Wallet or the Issuer’s own mobile app. Consumer now had the opportunity to experiment with mobile payments that communicate with the POS, just like a dual interface card.

Let’s not forget Apple Pay.

Given their brand value and total control of the Apple operating environment, Apple was able to turn to Issuers and suggest they enable the load of EMV secured Payment Credentials into the Apple Pay Wallet. They came at payments with all guns loaded. They knew the value of their brand and were able, unlike the MNOs to ask for a 0.15% of the issuers’ interchange revenue. Most importantly, they facilitated Visa and Mastercard domination of the role of the Trusted Service Manager TSM-SP or better said the Token Service Provider TSP.

Merchant Acceptance Is Key

As has been true with any solution designed to serve a two sided market, issuance and acceptance must grow together to assure the operator success and prosperity. Without a national imperative and with the experience of the original ZIP (Discover), Express Pay (Amex), PayPass (MasterCard) and PayWave (Visa), the merchant must determine if it is worth the effort to enable the NFC interface and train their staff to support Contactless payments.

Transit, like has been true around the world, absolutely sees the value of using contactless, for fare collection and are busy engaging with Visa and MasterCard to embrace and assure acceptance of bank branded dual interfaces cards. Urban areas such as Chicago (CTA), Salt Lake City (UTA), LA Metro, Portland OR (Trimet) and Philadelphia (SEPTA) are live with deployments. Others are in various stages of planned, including the MTA in New York City.

The Business Case

For issuers, where transit is seeking to exploit open loop contactless payments, at the turnstile, there is a revenue opportunity to deploy dual interface cards.

In rural areas or urban communities where public transportation does not exist. The business case is dependent on what local merchants do and if they intend to or will be forced to enable the NFC capabilities of their POS.

This is the big question. Does the merchant see value? Do they believe contactless will increase revenue, reduce time at checkout or do they believe Apple Pay, Android Pay and the other mobile NFC enabled devices are the future?

  • If the answer to these questions is yes then Issuers should seriously consider deploying dual interface cards.
  • If the jury is still out then the investment in dual interface cards may not yet be worth it!

What is the Future Payment Credential Carrier

One cannot discuss contactless payments without thinking about how Apple Pay, Android Pay, Samsung Pay, OEM Pay, Issuer Pay … Device Pay play into the future of cards. Some years ago there were three belief systems

  1. Cards are here to stay the mobile device is a fad
  2. The wallet is replaced by the mobile device
  3. The card is the token of last resort

I think we know mobile devices are not a fad. Until mobile devices never run out of power they will not replace the wallet or all of the cards.

To say much more, given the fogginess my crystal ball, would be to wild a bet.

The following articles produced by the Secure Technology Alliance offer a series of perspectives on the value of migrating to a dual interface card.

Alliance Activities : Publications : Contactless Smart Cards

Alliance Activities : Publications : Payments : Contactless Payments

Alliance Activities : Events : Webinar: Contactless EMV Payments: Issuer Opportunities

Alliance Activities : Events : Webinar: Contactless EMV Payments: Merchant Opportunities

of Identity and Authentication in a Connected World of things.

Various engagement and conversations pull me into thinking about the realities and the necessities, of this emerging world of connected people, objects and thoughts.

Looking back, this topic has been part of my life since 1982 when I was first introduced to the concept of a smart card. At that time we spoke of using the smart card to securely configure a trading deck on Wall Street and in the City of London. The goal securely and automatically configure the voice, video and digital support a particular market trader.

In 1993 to when I was tasked to drive the development of EMV, we could have talked about the fact we were creating a means of secure digital identity. A trusted Identity document based on the trust that existed between the cardholder and the financial institution.

Instead We talked about:

  • Card Authentication “the CAM” now Data Authentication to assure the card was unique and genuine.
  • Cardholder Verification “the CVM” to verify the right user was presenting the card.
  • Card risk management to allow the issuer to support authorization in a offline world.
  • Should we include an electronic purse to support low value transactions?

Today the Debit card could easily be enabled as a secure means of digital identification, with the Financial Institution being the trusted party. Simply knowing the public key of the international or domestic debit card payment scheme allows the party reading the card will know the person was issued this card by that financial institution.

While we in financial services focused on our requirements, the telecom industry was working on the SIM & GSM specifications under ETSI leadership. They created another form of Secure Digital Identity. They focused on securing the identity of the communications channel and were less worried about making sure the right consumer was present, although there is the ability to allow the user to lock the SIM and now even the mobile phone.

2013 I had the opportunity to join the FIDO Board. Within that body, the objective was to separate the concept of identity from the act of authentication. It works from the premise that as digital relationships expanded, the use of passwords and PINs are becomes an issue. The FIDO Alliance also recognized that the only way to secure our digital world, like we secured payments and mobile communications was with the introduction of multi-factor authentication rooted in the belief that the first factor had to be “what You Have” a secure element / enclave, TEE, TPM … capable of generating and or storing secret (symmetric) and private (Asymmetric) keys unique to the object and more importantly unique to the relationship.

Clearly identity and authentication are essential to secure relationships. And, in a digital world, communication is the mechanism that connects people and things together.

Helping consumers manage their relationships assuring privacy is an interesting angle. If I am understanding your platform, at least at the level of the subscription for telecommunications services this you are helping to manage.

Anyway. Back to the pitch. I would like to see about scheduling another conversation and figure out if there is anything I can do to earn an income and create revenue for you.