After a successful career in payments and digital identity. Philip is now focusing on enabling the ability to vote from our mobile phone.
Europeans still love paying cash even if they don’t know it
Interesting to reflect on how much we allow Europe to lead as we think about EMV and the technology we use to secure our payment cards. Maybe American’s need to embrace and take over the management of these key standards that drive an economy.
Words to ponder as we think about the best way to secure our digital persona.
Identifier – A text string we use to uniquely identify ourselves to a relying party, person, government, employer, club or entity we wish to have or need to maintain a relationship with. This group of entities hereafter will referred to as a replying party.
Identity – We each are unique and have attributes
Verification – A process the entity we seek to establish a relationship with uses to determine the truth of the attributes we share. One could argue this is or should be a mutual process. Many call this identity verification or identity proofing.
Registration – When we take these three words identifier, verification and identification and think about the first time we present ourselves to a relying party in the global digital environment. We typically present ourselves through a user interface to the entity we are interested in establishing a relationship with. We register and the relying party creates a record of our existence. They seek to recognize and record our identity.
This process typically requires us to invent or the relying party to present us with a unique identifier and agree to identify ourselves with this unique string, often called a user name, email address, bank account number, social security number, employee id, passport number, drivers license number or payment (card) account number ‘PAN’. The ultimate goal of registration is for the relying party tonassure themselves we are unique and that the attributes we share are linked to our person. They verify our identity.
Today the challenge is to find an efficient, convenient and none intrusive method of Verification.
Authentication – We exist, we can be recognized and are able to present oneself over and over again to the relying party, using our identifier. The challenge is how do we prove or assure our identity to the relying party each time. We need to authenticate ourselves.
Identification – Many confuse the dialogue above with this word. The difference is how we present ourselves or better said how the relying party expects us to present ourselves.
With the wide use of biometrics and many of the identifier we spoke of earlier, our identifier many not simply be some random string. A biometric is personal and linked to our body or actions. This biometric can be converted into an identifier and therefore once accepted as genuine and integrates the act of authentication into recognition of our identity.
Certain identifiers create a level of assurance, because the relying party trusts the attributes it asserts based on who issued that identifier. They are willing to trust in our identity and associated attributes because of the verification done by the isuing party. It a passport, an employee id, bank card or a drivers license. The instrument has characteristic, privileges and attributes linked to the issuing party, not simply attributes associated with the individual.
As we move from a physical world to a digital world. As people seek to use our identity to present themselves as someone they are not. As we seek to separate the various relationships we establish. Requires that we find ways of assuring our privacy while securing our relationships. All this demands we find more secure methods of authentication that are convenient.
Walmart Pay to surpass from pymnts.com – from the Washington Post. – and another
To open the news and find more than a press release in fact true commentary describing the success of a merchant mobile payment solution. This is big news and speaks to the value of loyalty and the power of largest global merchants willingness to focus and innovate.
In 1991 I had to learn the difference between million dollar transactions and hundred dollar transactions. As I came to explain, when telling my life story, I had to shift my thinking from 100 transactions at a million to 1,000,000 for a hundred. This transition took me from capital markets to payment cards.
Today, I wonder about the future of the ID-1 based payment card? A piece of plastic 3 3/8 x 2 1/8 with rounded corners.
In another blog I spoke of how this ID-1 object became a token responsible to act as the first factor, something you have. Printed, encoded and embossed characteristics were the security features. Today, with EMV as the global standard for payment CARD security; cryptography and the “secure element” replace those physical security with digitally mastered circuitry embedded inside something capable of protecting those secrets cryptography requires. We digitized the payment card. What we now must do is shift our vocabulary to tokens and credentials.
We need to embrace a new way of speaking we need to think about our “Payment Credentials”.
Today, we now tap our phone to pay, we use our phone to browse the internet, we shop & book tickets with apps and we listen to music & watch movies all from this device we apparently use, thousands of times a day. For those of us who remember computers that filled floors, we now are capable of buying more powerful computers, similar in size to those same cards. Think about the Raspberry Pi, a computer almost as small as a card, not quite! Yet!
The embedded secure element integrated inside our payment cards are being integrated into phones, bracelets, rings and things. The question; will they replace the card we are now comfortable with? Yes – maybe? Will we embrace these objects as the new carriers of our payment credentials? Many hope so.
In oder to think about the probability of cards disappearing, one must begin by think about the number of cards now in circulation. In round numbers we can think about 1.2 billion debit and credit cards, 300 million prepaid cards and 300 million retail branded cards. In round numbers, 1.8 billion payment cards. We next must think about our population and how many people now carry cards – 115 million households and 242 million Americans over the age of 16, according to a recent census. We now has a numerator and a set of denominators.
The question then becomes, how many payment cards does an American want to carry and how many payment credentials will an American end up having.
I would argue a debit card and a credit card is all we need to carry in our leather wallet, purse or pockets. Those other payment credentials can easily be accessed from wallets in the cloud or in our digital objects.
Merchants can integrate payment capabilities and focus on factoring their consumer receivables, behind relationships designed to service, thrill and sell. In an App and API enables economy, cards become a burden as the experience becomes the essential component of our lives.
Fantasy or a new reality. November 2nd 2017 I attended a conversation about the legal, accounting and tax implications of an ICO. Nelson Mullins was our host and brought their legal might to the discussion.
Language is the first concern in embracing and understanding. The first phrase requiring an appreciation is the “White Paper”. For me, this is something people or entities write to explain a concept; most often intended to educate and inform. In the world of ICOs the meaning is very different. This document is intended to explain what the entrepreneur is trying to do and what the investor is investing in. In other word the “White Paper” is the “Business Plan” or better said the Prospectus.
Next word is “Security”. Here I must admit I was out of my depth. First let’s be clear, the use of this word is not about securing something, it is about an instrument one invests in and ultimately expects to profit from. Having spent 9.
Years immersed in Capital Markets understanding what stocks, bonds and commodities are, this should have been easy. The challenge is we are trying to figure out how to not be classified as a security.
To fully appreciate the discussion one needed to be steeped in the regulations and opinions of the courts and regulators at a national and regional “State” level. What I understood, a key reason ICOs emerged is as a method to avoid the complexity of the regulations surrounding the sale and trading of securities.
Next term is “token”. Once again a term we are constantly confronted with as we move from a physical to a digital environment. I am not exactly sure what a “token” is in the context of the ICO discussion, save ti say it represents something. I appreciate it is another term one must properly framed when discussing ICOs.
With these familiar terms with new meanings it is clear, this digital ecosystem built on the complexity of Block Chain, as a technology, is either a long term transformational technology or a magical mystery tour that will end in confusion and discomfort.
A new term was added to my learning today The Fourth Industrial Revolution. Better said the age of Disruption.
Is the common man able to embrace the change ahead. Yes, those of us who have the education, the experience and the desire to embrace change; can fathom this new world. What of those that live in the middle – what happens to them in this new age
The Fourth Industrial Revolution – A video to help people understand the change ahead
Then in this weeks issue of the economic
Simple. We have the technology. We have the standards and more are coming. Authenticate, is done, use FIDO.
Identification with Biometrics is illuminatingly possible. Even the one I know how to spoof, Voice, with other factors layered in, does the job very well.
The challenge is Privacy and Confidentiality must be inherent while regulatory practices must be incorporated.
Today Wednesday October 18, 2017. I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference. Today, I was reminded of the reality that payments is not only about cards it is the engine that fuels the revenue of a financial institution. ACH, Wires, Cards, checks, transfers and even cash are revenue earning services; our community banks call payments.
My speach was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.
The payment landscape is a complex space with an array of stakeholders specializing a focusing on various aspects of the processing of a payment. This diagram is oneof several used to form a backdrop to various educational sessions Philip offers to organizations and executives seeking to identify and position themselves in the payments landscape.
This particular one seeks to help people understand who the key actors to a card not present eCommerce transactions.
Created in December of 2011 as I reflected on the emergence of the Cyber Risk
My identity is mine electronic or otherwise
I will be prudent in its use
I understand if I enter into an agreement that you can prove it was me
Then I am responsible
I will carry with me an object that can be kept safe from intrusion and can easily be remotely destroyed
You, those entities human and other that I enter into a relationship with
Can offer me anything I am willing to opt-in to
Using a defined set of cryptographic relationships
I agree that a digital contract can be signed and agreed and has the full force of the law behind it
You will recognize that I am your human equal and will,
Save for acts of God and Nature,
Endeavor to provide quality and service
Continuation of my running thoughts as I listen and participate at the Secure Technology Alliance.
Secure element
Data management & personalization
Mobile device software integration
Device life cycle management
Tokenization as a methodology ans ecosystem is essential to the growth of payment in the IoT space.
Here in France, we will stick to “ee-day-myah”…
An Englishmen wrote “Eye” “Dem” “e-ha
Others say “eye dim e-ha”
When the new name was launched the following explanation was offered.
Thinking on the first two syllables and reference to Latin, a definition is found.
It is interesting to listen to clients, competitors and industry insiders speak of this new name.
It is the Brand that drives recognition. It is the shape and color which establishes the emotion attachment.
Continuing the learning and commentary
IoT Payments 2017 – Austin TX October 10th and 11th
BASIC WANTS & NEEDS
MASS & PERMITTED RECOMMENDATION
SOCIAL & RELEVANT 1REFERRALS
ON-BEHALF
As he speaks of On-behalf a document produced back in 1996 must be found
Contactless cards and devices
The mobile ecosystem introduces the token requestor
A solid overview of the world of tokenization
- Like a card
- Mobile device (secure element)
- HCE
- Wearable are in market today
October 10th
Random comments offered as the various speakers speak at the conference at the Hyatt Regency Austin.
Lunch
These two words began to fascinate me as I began to understand the value of cryptography while working through the goals we established when developing EMV and attempted to secure the payment credentials when used on the Internet.
With EMV we were trying to address the challenge of the fraud (an issuer cost) resulting from the ease of counterfeiting the token of the token which was a token of a token already.
This last broken token is the magnetic stripe on the payment card.
The payment card, in and of itself, is a token. An instrument imbued with physical security features e.g. the hologram and signature panel. Security features the merchant is supposed to check when attempting to allow a buyer, the consumer, to use the payment credential associated with the card to make payment for good and services.
The PAN is just a unique number, another token. This unique number is simply the index, The identifier within the payment credentials, which associates the payment with the underlining source of funds.
The source of funds, the PAN or Token pointing to, is then either a line of credit, prepaid balance or bank account.
The card, the hologram, the magnetic stripe and the printed security features and the PAN had reached the end of their useful life, as security features or tokens. The criminal knew how to compromise the card and associated static data.
As we entered the 90’s, the card as the carrier of the payment credential, with those physical security features, was longer a means of Authentication. These layers of authentication had been compromised. In other words the token was broken!
To address this concern, in 1993 the founders of EMV embraced the chip card and its Cryptographic capabilities. In particular, the use of symmetric and asymmetric algorithms to provide a new set of tokens the merchants (asymmetric) and Issuer (symmetric) could use to Authenticate the unique carrier of the payment credential – the token – the chip card.
On the Internet the challenge is different. The physical features of the card are not easily accessible, hence useless. In 1993, when WWW became the thing of conferences, everyone said lets think of the internet in the same way we allow merchants to sell stuff via mail and telephone. Everyone simply decided and agreed to exploit the acceptance rules agreed on for those other virtual environment, the phone and the mail.
Bottom line, in the world of mail order / telephone order and now a browser; merchant simply agrees to accept the cost of fraud, given the CARD is NOT PRESENT. Worse still how do they prove the right cardholder in present?. For the merchant, given the potential of the Internet, it is was a small price to pay.
Everyone simply accepted that be capturing the data embossed on the front (PAN, expiry date and cardholder name) and the CVV printed on the back of the card and, in some cases, using the power of AVS “Address Verification Service” a modicum of security could be factored in. At least for a time!
SET “Secure Electronic Transactions”, a cryptographic mechanism Visa and MasterCard cooked up, was developed circa 1995-1996 and deployment was attempted. The challenge, the limitations of the then deployed technologies and the inability to provide a reasonably convenient user interface. The problem begins with loading payment credentials into the browser and more importantly figuring out how to use them when shopping.
Next came 3D-Secure, an invention of Visa. This time the idea was to exploit the power of passwords and secret questions to authenticate the user.
Another feeble failed attempt to develop a mechanism to authenticate the buyer. Or better put, solve the dilemma the New Yorker so aptly described
3D-Secure 2.0, maybe? Or maybe W3C and the FIDO Alliance have the answer in what is called WebAuthN.
When we think about payments and we think about shopping on the internet it is all about someone or something {read issuer} agreeing that the consumer will make good on the promise to pay and therefore the issuer is willing to guarantee payment towards the merchant. The challenge, how do we confirm it is the legitimate person seeking to pay with their means of payment.
In other spheres of endeavour it’s about granting access to someplace or some website. In the physical world we have a key that we can insert into the lock or a security device {card} we can insert or tap on a reader programmed to recognize our credential and allow us access.
On the Internet, the use of a physical card with physical security features, numbers, letters, and a magnetic stripe was not feasible. Instead, we ended up employing user names, passwords, and payment encryption. Payment encryption, which secures sensitive financial information during online transactions, offers a crucial layer of protection. The user name – a unique identifier, and the password, a secret, support the identification of the person using the browser or connected device, from somewhere out there.
If we could each create and remember complex secrets, these cumbersome things call passwords. And, more importantly, never share them with nefarious individuals seeking to take advantage of our naiveté. All would be at peace in the world of security and convenience. The problem is expecting you and I to remember the myriad of complex passwords and not get tricked into sharing our secrets.
Is there an answer, I believe so and at Money 2020 October 25 we will be discussing this very topic. Wednesday Morning at 8:30 in the Titian room at The Venetian in Las Vegas on Level 2, join us as we discuss Identity is Fundamental: What You Need to Know About Identity & The Future of Money.
With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.
Interchange a word that describes a method that allows cars and truck to move from one road to another. Interchange a
word that describes the exchange of ideas or data between two or more individuals. Interchange a fee paid to an Issuer of a payment card.
It is this third definition that this blog will explore. A fee or income paid to an Issuer of a payment card.
Some would call it a tax on merchants. Merchants who wish to sell products and services to individuals and corporations who wish to pay with moneys loaned to them by a financial institution (credit card) or held on deposit by a financial institution (debit card and pre-paid card). Wikipedia offers the following; Http://en.wikipedia.org/wiki/Interchange_fee. To add to this sound Wikipedia definition, I offer a little story of how Interchange was described to me was a way of helping people appreciate the way interchange has changed over the years.
In 1991 I joined EPSS, a technology company then owned by Eurocard International (50%), Eurocheque International (35%) and MasterCard International (15%). EPSS or European Payment System Services ran and managed a set of technologies designed to support the authorization, clearing and settlement of payment transactions initiated by a payment card being presented to a merchant. We supported both credit and debit card transaction and would when they emerged also supported pre-paid card transactions.
As part of the settlement process we calculated and assured acquirers (merchant bank service provider) were paid, less interchange and scheme fees, for those payment card transactions they had submitted on behalf of the merchants they serviced. Therefore understanding and assuring the accuracy of these calculations were essential to assuring the successful operation of those systems we managed.
In the first few weeks of starting, general counsel sat me down and described Interchange. What I learned is that on a biannual basis we hired a consulting firm, Edgar Dunn; to conduct an anonymous survey of the member organizations, the banks that issued credit cards. Their role was to ascertain what it cost the issuers to support the processing of payment card transactions. Three elements were key to these calculations:
Our consultant then would amalgamate all the data they collected from the issuing members and submit a recommendation of what interchange should be for the next two years. These recommendations recognized that interchange must vary based on two key characteristic:
We then discussed how the Issuer earned income from payment cards. I learned; yes for those efficient issuers there were profits, whereas for inefficient issuer they might actual lose money. Bottom line the calculation was designed not to create profits. It was designed to cover cost.
Management then took these recommendations to their board to seek approval. At this stage the boards where a balance view with both the issuing and acquirering institutions represented. Unlike today when it is fundamentally the Issuers that sit on these boards.
In 2002 I joined Visa and again was asked to visit with general counsel to make sure I understood what interchange was. My first statement was that I understood and explained what I had been taught all those years ago. I was informed that although I understood the foundation, things had changed. Two additional components had been added to the calculation and moreover instead of being limited to a few easy to understand categories, the structure of interchange has been MADE complex.
While it still was calculated through the use of anonymous survey of issuers, interchange now included:
As to the characteristics used to identify what interchange fee would be earned by the issuer, the original two categories of transaction location and the presence of the card continued. Yet now to complication matters two new ones were added:
Interchange had morphed from a cost recovery mechanism to a complex formula that takes into consideration the complexity of the payment ecosystem and a source of revenue to financial institutions.
With all this change there are also challenges. With only two global “4 party” payment brands (Visa and MasterCard) regulators, merchants and politicians seek to manage and control interchange. Words like monopolistic powers are used to describe the way interchange is calculated. Therefore you find lobbyist speaking on behalf of merchants, arguing these fees create excessive profits for the issuer. You here people complaining that the fees and the rules not allowing them to charge consumers for the use of these more expensive payment products, ends up that interchange simply gets embedded into the cost of sale and cash paying customers are seen to be subsidizing card paying customer.
As a prime example Wal-Mart and a consortium of merchants, banded together and successfully won an argument against both Visa and MasterCard. They argued that interchange associated with debit cards processed through the credit card networks should not be the same as credit card interchange given that the cost of carry was near euro. When all was said and done 3 billion dollar was paid by the payment networks to the merchants and their lawyers.
The Australian Central Bank also decided to regulate interchange, although the benefit a reduction in the price did not occur thus the perceived benefit to the consumer was not achieved. Currently the European Union continues to evaluate interchange with the argument that domestic and regional interchange must be the same and that monopolistic powers are used to manage interchange.
Here in the United States Senator Durbin succeeds in imposing significant change to debit interchange.
Interchange will continue to be scrutinizes. My hope, let us return to original definition of interchange and focus on being a mechanism designed to simply cover the issuers’ cost of processing payment transaction and offer a reasonable profit for their efforts.
Let the issuer earn the core of their income through revolving Interest charges, annual card fees and other services paid for by their customer the Cardholder. Why should the merchant subsidize the rewards offered to entice cardholders to take an issuers product without also garnering a demonstrable increase in sales?
During this past year, the team at Portals and Rails has published several articles exploring the growing risks in card-based payments and the need to move to a more sophisticated and secure enabling technology. But overhauling a payment system is no easy task, as there are many players that need to collaborate, from the card networks to the bank issuers and merchants. How does the industry organize itself to orchestrate a much-needed transition?
Interesting question for the industry as we go through this transformation to a fully connected world where everything happens between our mobile phone and the merchant, friend, family, phone or cash.
