What is EMVCo goal with the release of their SRC framework

October 2017 EMVCo published version 1.o of their Secure Remote Commerce Technical Framework.  Today I decided to read and appreciate what they are trying to accomplish and then consider how it ties into what I remember and think we need to do moving forward.

Clearly the challenge links back to the now infamous New Yorker Cartoon.  We have not successfully established a means of assuring the identity of an individual when presenting payment credentials (the PAN, Expiry date, name, billing address and CVV.  The first attempt, still not 100% implemented, was the introduction of CVV2, CVC2 or CID a 3 or 4 digit number printed on the back or the front of the payment card.

We then developed something called SET or Secure Electronic Transactions and unfortunately the payment networks were not willing to allow Bill Gates and Microsoft to earn 0.25% of every sale for every transaction secured by SET he proposed to build into Microsoft’s browser.  Without easy integration into the consumer browser, the challenges of integrating SET into the merchant web pages and the Issuer authorization systems caused this effort to fail the death of some many other noble but complicated attempts to create a means of digital authentication.

Next came 3D-Secure, a patented solution Visa developed.  It offered what was considered a reasonable solution to Cardholder authentication.  Unfortunately, given the state of HTML and the voracious use of pop-ups, the incremental friction, led to abandon shopping carts and consumer confusion.  Another aborted attempt at Internet fraud mitigation.

Yet 3D-Secure was not a total failure.  Many tried to enhance it, exploit it and avail themselves of the shift of liability back to the Issuer.  Encouraging consumer engagement and adoption was futile in some markets mandated and cumbersome in others.

Now let’s consider what EMVCo is attempting to do with their Secure Remote Commerce Technical Framework.  As I started to read, I ran into this:

“As remote commerce becomes increasingly targeted and susceptible to compromise, it is important to establish common specifications that protect and serve Consumers and merchants.”

Clearly the authors do not have institutional memory and cannot remember the various attempts alumni of these same organizations spent time on and encouraged many to invest in their implementing.  Clearly this lack of historic context will leave some pondering the purpose of this paper.

I then read this sentence and reflect back on a recent hearing on “Social Security Numbers Loss and Theft Prevention” in front of The House Ways and Means Subcommittee on Social Security

“Over time the Consumer has been trained to enter Payment Data and related checkout data anywhere, making it easy for bad actors to compromise data and then attempt fraud.”

Once again, I stand  troubled by how the Payment Data clearly printed on the face of the card and especially the PAN, 11-19 digits, designed to simply be an identifier, was converted into an authenticator.  Like the social security number, the drivers license number, the passport number and your library card number, the PAN and other “Payment Data” was never designed to be an authenticator.  It was meant to be data a merchant could freely record.

The secure features of the card now the EMV cryptographic techniques otherwise referred to as the Application Request Cryptogram “ARQC” were meant to offer the “What You Have”  factor in a multi-factor authentication scheme.

As I began to appreciate the scope of this document, the term “Consumer Device” becomes critical.  I began to wonder if a PC is a consumer device or if a consumer device is only something like a mobile phone, watch or other like appliance.  Fortunately, later in the document, the definition clears up any confusion created by the earlier use of this term..  This said, I then wonder about the difference between what they define as Cardholder Authentication and Consumer Verification?

After reading through all the definitions, I ponder why the authors had to change terminology?  Why could they not embrace known and recognized nomenclature.  Do we need a new vocabulary?

I wondered:

If this is another attempt to create a revenue stream for the payment networks?

Or, is this the effort of a “closed standards” body to reduce the potential value of the W3C WebPayments activity?

 In search of an answer to this last question, I found this discrete comment inside the SRC FAQ.

9. Are any other industry bodies working in this area?

EMV SRC is focused on providing consistency and security for card-based payments within remote payment environments.

EMVCo aims to work closely with industry participants such as W3C to capitalise on opportunities for alignment where appropriate.

Having read bits and pieces of this and the WebPayments efforts one does wonder what is EMVCo trying to do.  We shall see?

Why do we need Tokens and Tokenization

Recently I was directed to a link http://paymentsjournal.com/tokens-work-because/ and wanted to write the author Sarah Grotta.  As I wrote the message crystallized in my head and maybe as this prior post already discussed, this idea of tokenization made me cringe.

I contend that Tokens exist because we turned the PAN Personal  / Primary Account Number, like we turned the SSN Social Security Number, into an authenticator.  One can must ask the question.  How can a random value (an identifier) become an authenticator and remain secure?

EMV works because it renders the Card unique, hence addressing the question of counterfeit, by employing the first factor of the classic MFA Multi-Factor Authentication concept “What You Have”.  EMV defined a common set of secrets and digital credentials; securely stored in a Secure Element or Chip Card.

We here in the United States decided not to implement the second factor, the Personal Identification Number or PIN, for a variety of reasons. Hence, why Lost and Stolen remains an issue or weakness in the American Card Payment environment.

Biometrics are emerging and could solve for the assurance of cardholder presence.  The challenge is how to effectively (cost and convenience) locate the biometric sensor and facilitate the matching of the sensors output to the persons registered biometric.  Let alone, how does one make sure the right persons biometric was registered and associated with the device.

In the mail order / telephone order, now cyberspace, we did not replicate merchant authentication, the first factor – “What You Have. The card, once was secured with things like the magnetic stripe, using CVV1, the Hologram and the other physical features.  We simply shifted the liability to the merchant and called it a “card not present” transaction.

People can claim all sorts of goodness because of tokenization.  They can talk about how the EMVCo’s tokenization framework describes the use of tokens in device and domain specific scenarios.  All of this, an issuer, could have done; if they, like some did, simply issued another number, a PAN, to the wife, bracelet, watch, ring or whatever other permutation they deemed appropriate.  They can talk about dynamic data.  yet what they often forget to include when they use the words “Dynamic Data” they are really talking about a cryptographic value as described in EMVCo Book 2.

Yes, this does mean the question of how the PAN and its digital credentials get deployed; has to be addressed.  This said, GSMA with EPC did offer some thoughts, last decade, when they described the Trusted Service Manager

Instead handset oligopolies replaced the MNO with the their Mobile Pay wallets.  They working with the Payment Networks and focused on control and the creation of income.  They, as monopolist will, have created barriers, restricting others from offering comparable services.  The TSP now becomes this restrictive service that guarantees the power of companies like Apple and Google, supported by their friends, the payment network operators.

The original article also spoke of the PAR; another data element merchants, processors and the industry, will have to invest in supporting.

I ask the question.

If we had assured the authentication and verification of every payment transaction
Using Multi-Factor Authentication
Why did we need to turn the PAN into a dynamic value? 

My contention, simply use the appropriate level of  cryptography.

If the Issuer or their processor is in control and understands basic EMV and Cryptography, then securing the PAN is not an issue.

Consider household financial management.  If each member of a household has a unique PAN; budget, tax preparation and understanding who spent what where is a lot easier.  The husband,wife and children should have their own unique PAN, stored in the clear in their devices and on their card.

The real requirement, my personal devices, including my payment card, simply need to be linked to one PAN their Personal Account Number, associated with the individual.  The PAN Sequence number could easily allows each device to be uniquely identified, if necessary.  The card and devices becomes the carrier of your identifier.  A thing that can be authentication as something you have.

Here is where the second factor comes in.  Is the person presenting the PAN the rightful and authorized individual? All this required, is assurance to the shareholders that the presentment of the PAN is a unique and authorized event.  This is best achieve by using either something you know or something you are to bind the individual to the instrument carrying the Identifier.

Yes, a bit of friction to assure the  consumer they are securely paying for what they want to buy

Since the World Wide Web came of age and merchants saw its potential.  The question of how to secure the Card Not Present space, this question of cardholder presence, has not been properly addressed.  Visa and MasterCard (when they were not for profit associations) created the utility of the Card Verification Result CVV2, CID or CVC2 which would be printed on  on the card and not part of the magnetic stripe, the problem the bad guys could still steal the card or get hte card number and capture CVV2..  MasterCard and Visa then created SET, 3D-Secure and now, as for profit owners of EMVCo, are proposing, maybe even will mandate, the industry implement EMV 3D-Secure.

Each, an attempt to provide some means of Authentication and Verification.

Each introducing a level of friction as a means of security.

This is the problem.  The market did not start by emphasizing the need for security by educating the consumer.  The industry needed to help the consumer understand they should care and want to securely pay for what they intend to buy.

Instead:

  • The Zero Liability Policy was adopted.
  • The merchant was more than happy to sustain a degree of lose (fraud) in exchange for sales and profits.

The result, as all anticipated would happen, was blissfully ignored and eventually they cried out about.

Fraud migrated to the weakest point
Just like water finds its way to the lowest point. 

EMV, introduced in the Face to Face card present environment, pushing the bad guys: be they criminals, state actors and terrorists to find alternate another channels for their financial gain.

EMV and now the recently published WebAuthN and FIDO specifications create effective mechanisms for Consumer Authentication.

Let us please remember – the PAN, a user name, your social security number or your email address are excellent Identifiers.  They should not be authenticators and they are not a means of “Identification”.

Let us also remember, the term Identification means that one is assured of the irrefutability of identity.

The big question:

  • Why did we have to get rid of or replace the PAN?
  • Why did we and continue to need to invent and invest in all this addition overhead?
  • Why did we not simply address authentication?

Some will argue the challenge of using the PIN or a Password, as a means of Verification, is because it is to hard to remember. Especially, if each password people use to access website, services, building, has to be unique.  Some will argue imposing friction to add security is not convenient.  Others will remind us that security is and has been a necessity since the beginning of time.

Why didn’t we when we created this great new digital shopping mall?

Bottom line each of the devices used to present or acquire the PAN, must be capable of authenticating the identity of the authorized presenter, in both the physical and virtual world.

At least these are the views of someone who believe history provides a baseline for tomorrow and tomorrow must be designed as a function of where you want to be, knowing where things came from.

 

Of NFC, Mobile and History

Today I read Karen Augustine’s  Mobile Payments Use in the U.S. Lags

As I read and reflected on what Karen wrote, I reflected on my experiences as a sagged payment consultant and executive, with international experience.

What I see is an issue of legacy and muscle memory – setting a pattern for the future.  Said another way – our history defines the boundaries of our future.

Asia did not have electronic payments.  I am sure did not want to embrace the globally dominate American solution.  Therefore, they had the opportunity to start fresh.  It is very much like what Spain went through, went they moved from cash to electronic card-based payments.  They bypassed the check.

Her article brings back memories of life in Belgium in the 90’s.  Writing a check was a rare occurrence.  Direct debit mandates, a MisterCash card and a Eurocard was all we needed to buy and enjoy life.  Electronic payments was the norm, paper checks were a rare oddity and cash, well yes there was a very present grey economy.

Here in the USA we developed our payment systems off the back of regional or state banks with acceptance networks limited to a local domain.  Moving to a national system required early adoption of a common national currency.  We then went on to replace IOUs with paper checks and store cards with credit cards.  In time we enhances the ACH system and developed support for remote deposit and check capture.

Why do we need to move the card into the wallet?  Why change habits that are comfortable and work?  Most of us drive to shop and therefore must have our drivers license.  We must carry a physical document with us.  We simply carry two or more ID-1 sized cards.

You make the statement and was once again reminded of times past.

“… universal mobile wallets and more often driven from merchant based applications that often incorporate loyalty and rewards, which to date still remain nascent in universal mobile wallets.

When I produced this rendering, back in 1996, I was on stage talking about a world where leather and technology converged.  I imaged Bluetooth, NFC, secure elements, GPS and our various credentials converging into this personal device.  Those credentials grouped into: travel, identity, membership, loyalty and payments; easy to find and present.

When contactless payments were  introduced, in 2004, by Visa’s with PayWave and MasterCard’s PayPass; I argued why contactless cards – how can the issuer afford the extra dollar per card (cost of the antenna and inlay) and the merchant the extra 60 dollars to enable the NFC reader?  The way Issuer income works, “Interchange”, the consumer would need to spend more on that issuer’s card.  For the merchant to justify the necessary POS investment, meant the retailer believed the consumers would spend more, because it was “easier”.  Was Tap To Pay going to make me spend more.  Maybe for small ticket purchases, I may use cash less; but at the merchants expense!  We argued the cost of cash was more than the Merchant Discount.  Some agreed.  Many wondered what the blank are they trying to sell us!

Around the same time America was exploring this contactless experience, the European Payment Council and GSMA debated and ultimately offered an approach for mobile card based contactless payments https://www.europeanpaymentscouncil.eu/sites/default/files/KB/files/EPC220-08-EPC-GSMA-TSM-WP-V1.pdf .  Handset manufactures like Nokia had already added NFC Antenna’s to their mobile phones and mobile network operators, the MNO, saw the SIM as the secure element capable of holding payment credentials.

Some tried, the Trusted Service Manager as a service was developed and deployed.  The challenge, the economics of the model.  In this case the MNO saw revenue and wanted to charge fees to load the payment credential into the phone and better yet charge rent to store these payment cards in our phones.  Again I ask the question, by changing the way we pay, do I cause us to want to spend more? I think not!

Maybe some would argue, with  a credit card people am able to buy things today that they cannot afford.  Let them end up in debt.  This is true.  But then is debt  at 18% a good thing?  Europeans simply decided to establish a line of credit, as a feature of a Current Account, at reasonable interest rates.

We could go on and talk about how Apple saw the possibility of a 0.15% income stream from ApplePay based mobile payments and how the EMVCo tokenization framework evolved to support their desire to protect the Apple Brand.

What is clear, we could solve George’s problem and replace his Full Grain Vegetable Tanned Cow Leather leather wallet with a Mobile Wallet managed by Apple, Google, Samsung or …

Or, we could think about the consumer and what they really want?

As your article made clear, and so many others have shared, Asia leaped forward.  Be it AliPay or WeChat, the device, the mobile phone, became the consumers wallet, their method of engaging, shopping, learning and exploring.

We need to accept to simply replace what we are comfortable with, with something new; which does not enhance our experience, is simply not worth it!

Many of us, like Karen, would argue the experience of shopping is what the mobile phone can enhance and let the act of payment become the afterthought.  A simple click to say – yes, I agree to pay.

Amazon got it right with One Click.  Others, as the patent expires, are embracing the same technique to simplify payment to a friction-less act of satisfaction.  When my favorite stores offer me an mobile app designed to enhance my shopping experience, to thrill me with offers and entice me with things I want; then yes I will become more loyal, I will shop at their store more frequently and maybe even buy a few things I did not intend to buy.

Many years ago while attending conference of groceries  in Abu Dhabi – one of the speakers share an experience.  when that supermarket executive instructed each store to put the beer across from the diapers, the intended result occurred.  The husband, sent to get the diapers, ended up buying  a six pack too.

Maybe, like this experience reveals, if we focus on the consumer experience and on delighting them.  They will embrace change.

If there is no value why should we?

Years ago I prepared and published an idea.  I called it Cando.  I was still committed to the idea of the mobile wallet.  I was an early adopter of the smart phone and saw its potential.

 

Cando

Payment Card Construct and Dual Interface Deployment

Payment Card Construction

The discussion focused on the construction of the sandwich. Four layers. Clear front laminate to protect the ink, front with the banks design and brand logo, back with the banks back design and a clear laminate with the magnetic stripe integrated into it.

To enhance design additional layers may be added, such a metal foil.

These four sheets are then bonded together, at 120 degrees, in sheets of 21, 36 or 48 or other various sheet sizes. Next step punch out cards, add hologram and signature panel.

For a standard EMV card the next phase is to mill and embed the module with the chip inside. Last, the manufacturer typically loads the O/S & EMV application into the integrated circuit card.

When we move to dual interface caed, this process is modified to add an inlay, with the antenna embedded within. This inlay is inserted in the middle of the sandwich and during the embedded process the contacts exposed on the base of the module are connected to the antenna in the inlay.

Next step, personalization, when the appropriate data is loaded into the chip, along with the encoding of the magnetic strip and printing and/or embossing of the cardholders, name, expiry date, cvv2 and other information onto the card.

Contactless or Not That is a Question

Contactless NFC acceptance and dual interface issuance is all about the chicken and the egg. Who will go first? The merchant or the issuer? Each need each other. Both are wondering about the incremental value.

  • Faster transactions – Yes
  • Less cash – maybe
  • More revenue – good question!
In other parts of the world, transit and their choice of contactless, as the right answer to a more efficient fare collection solution is driving conversion. In other, markets a group decision to adopt or a desire to find the next great thing drives the market. Here in the USA, we have a less than successful history of contactless. Let’s not forget PayPass and PayWave, it was tried the middle of the last decade, to little or no success.
We have Google and the FinTech world looking to mobile payments as the next great adventure. Merchants, like Wal-Mart, are resisting NFC acceptance given their own plans for QR based wallets and desire to limit the sharing of data with competitors.

Given these questions and observations, one can only wonder.

Financial Trade Groups Write to House Leaders in Support of Data Breach Notification Bill

https://bankingjournal.aba.com/2018/02/financial-trade-groups-write-to-house-leaders-in-support-of-data-breach-notification-bill/

 The American Bankers Association and six other financial trade organizations wrote to House leaders today underscoring the need for businesses across all industries to be held to the same data protection and breach notification standards currently adhered to by regulated financial institutions.

The associations expressed support for draft legislation released by Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.) that would create a level playing field of nationally consistent data protection standards and post-breach notification requirements. This bill would not create duplicative standards for financial institutions which are already subject to robust standards, but rather extend similar expectations to other sectors that handle consumer data.

“The goal of the bill is simple — raise the bar so that all companies protect data similar to how banks and credit unions protect their data, and create a common-sense standard to ensure consumers receive timely notice when a breach does occur,” the groups wrote.

The draft bill contains a provision that recognizes the existing, effective regulatory framework for covered financial sector entities.  While the provision was intended to prevent banks and credit unions from being subject to duplicative notification requirements, it has been the target of recent negative campaigns circulated by the National Retail Federation and the Retail Industry Leaders Association, which incorrectly suggested that banks do not notify customers of breaches on their computer systems and   The ads from the retailer groups also mischaracterize and exaggerate the share of data breaches occurring at banks and credit unions while omitting their members’ (higher) share of data breaches.

The financial trades refuted the notification assertion, noting that “banks and credit unions have long been subject to rigorous data protection and breach notification practices for financial institutions to follow,” and that in the event of a data breach, banks and credit unions work continuously to communicate with customers, reissue cards and enact measures to mitigate the effects of fraud. They added, however, that “no solution will work unless everyone has an obligation to take these steps.” For more information, contact ABA’s Jess Sharp.

The management of our identity

A few weeks ago I learned of the Sovrin Foundation a foundation interested in establish a concept to support the idea of a self Sovereign means of identity.

As an advocate for stronger forms of identification and more important Authentication I am pleased to have received your response today.

Back in 1993 I was part of Europay and drove the creation of the EMV specifications as a form of Authentication and frankly reflecting back a strong form of Identification with the Trust Anchor being the Financial institution issuing the card and the foundation anchor being the payment network that the issuer used to assure acceptance globally.

In 2013 I joined the Board of the FIDO Alliance and eventually become the Secretary of that Board.

Today I am engaged with a company called IPSIDY, that is promoting and selling Identity as a solution.

Clear the conversations we are having include:

  • Device based versus centralized biometric authentication
  • Identification based on a central repository of Biometrics or a simply identifier linked to a means of authentication
  • Claims and assertions one points (URL) to or those that one has in their own possession
  • Repositories or Distributed databases of information
  • Privacy of attributes and rights to defining what can be shared

When I ask about the future of Sovrin, I hear people saying great concept how does it scale to be useful. 

This, as was my experience in the Payments world, is the challenge of a  two sided market

  • Consumer – Merchant
  • IndividualRely Party and those seeking attributes and proofs of identity

The challenge is developing a value proposition and more importantly critical mass that will excite both sides of the market to want to participate.

To further complicate developing the market is the challenge of the “Go To Market” strategy.  Who does one partner with given that the usefulness to the citizen/consumer is predicated on the number of parties or places this solution, token or Identity with a set of sharable attributes can be usefully used.

 

This is the question this is the challenge.

 

A Shift from Check-out to Check-in will reshape the way merchants engage with their consumers

Think Uber, think order ahead, think account on file. With these ideas in your mind think engagement and Omni channel. Then consider the need of merchants to assure revenue by delighting and engaging with their customers in meaningful ways. Their focus, increasing basket size, more frequent visits and loyalty; in other words increased sales.

Then remember, Check-out is about friction, payments and long lines. These characteristics merchants seek to eliminate, reduce the cost of and enhance the experience around.

If we think Check-in, using big-data, geo-location, BLE, facial recognition, consumer centric apps and other techniques, we can image a world where human and device based personal assistants engage with the merchants loyal customers in a friendly, informed and satisfying way.

For payment people this means we need to remember that merchants want lower cost payments and friction-less check-out.

Bottom line, for loyal customers solutions that retain the payment credentials securely in the cloud. For one time and infrequent customers, they will look to incent loyalty and registration or simply accept classic means of payments e.g. cards.

This drive to move from recording a loyal customers visit to engaging when the customer arrives or better yet when they are doing their research is what we the consumer seek.

We are all about saving time, enjoying life and satisfying our needs and wants. Merchants that focus on the customer and their shopping experience will succeed and prosper./ Those that do not focus on delighting their customer will learn.

DIY the Cyber Guy a conversation about Bitcoin and EMV 

https://www.voiceamerica.com/promo/episode/104814

A interesting discussion withDavid the the Cyber Guy.  We spoke of the inherent risk of Bitcoins and the essential issue of the secret and a BitCoin folders resoponsibility to make sure they never lose the secret.

We then wandering off to talk about EMV or Chip and Pin.

Always a pleasure to work with David.

Words all bound to who we claim to be – How do we identify ourselves on the Internet or in Cyberspace?

Identifier – Something you create or are provided to digitally identify yourselves. Identifiers are things like an alias, user name, email address are examples.

Identity – This is who we are or wish to represent ourselves to be. These are attributes and information about: where we live, who we work for, which banks we have relationships with, who our friends are, which clubs we belong to, our certified skills, what schools we graduated from, which country(s) we are citizens of, our LinkedIn profile, Our Twitter handle, our Facebook identifier, our phone number … .  It is the sum of the attributes we can and will share with others, be they individuals, governments, entities or organizations; as we establish relationships and prove to them who and often what we are.

Authentication – The method we employ to assure that you, based on the identifier presented, are who we (the relying parties) thinks you are.  You are the person the relying party accepted when you registered that Identifier as how you would digitally identify yourself.  By itself the method of authentication should not allow another party to be able to determine anything about your identity.  Privacy is the goal.  FIDO Alliance and W3C have defined standards to support authentication.

Verification – The process of confirming that the secret or biometric match the secret or biometric that where originally registered to that Identifier.

Identification – A means of authentication that is bound to your identity.  A EMV payment instrument “Chip and PIN”a PIV card, an electronic passport, a membership card, a drivers license, a national ID are all forms of identification  issued by a party that should be trusted to have performed a proof of the individuals Identity, based on a defined and often published criteria.

This particular word, for many, has an alternate meaning.  In the biometric community they see Identification as the ability to use a biometric to determine ones Identity.  This is achieved by performing a one (the person present) to many match (persons registered).  The goal is the same, bind Identity to the mean of Authentication by using the Biometric as the Identifier.

Proof – The method a relying party or an individual uses to validate your claim of a specific Identity.  In many cases this is achieved by relying on knowledge of another party.  The relying party accepts the due diligence to proof your claimed identity was done to their satisfaction by another party.  This other party is often referred to as a Trusted party.  This effort to proof the identity of an individual is linked to words and acronyms like KYC “Know Your Customer”, ID&V “Identity and Verification” and Self Sovereign Identity.  We classically assume that documents provided by a Government e.g. drivers License and Passports are a solid proof of the claims asserted on those same documents.

In a digital world this is the most important element of a how we as people, entities, governments and corporations can be assured that you are who we believe you to be.

I am once again am reminded of the 1994 New Yorker Cartoon

We must take care when we speak or sell the power of that which may not be

I always enjoy reading the words David writes.

This particular post creates a moment to reflect.  As we consider the implications of the  Fourth Industrial Revolution, we must remember the  significance many have attributed to Artificial Intelligence.  Those two letters AI are clearly key to the what, why and wherefore of the change ahead.

Clearly machines that work faster, search deeper and are capable of studying vast realms of data are changing the nature of so much.  Simply consider the risks to our security cyber hackers and terrorists wrought on this world or the shenanigans many claim the Russians use to disrupt as they explore and exploit the power of social media.

Moreover as we look afield many industries are being disrupted: movies, books, music, news … to name few.   Outsourcing and robotics is changing the nature of work and the skills necessary to compete and ultimately survive to enjoy the pleasures available in our increasingly digital world.

David makes the point that the intelligence Isaac Asimov and other science fiction envisioned has not yet emerged.  I think he is right.  The message I take aware -we who  market these  solutions should walk forward with care.

People are clearly feeling threatened by the change impacting their towns, families and livelihood.

We must be mindful that complexity breeds confusion.  Confusion drives disillusion.  This then causes people to react, often in nonsensical  ways.

Take On Payments

Federal Reserve Bank of Atlanta

How Intelligent Is Artificial Intelligence?

Posted: Nov 27, 2017 10:51 am

At the recent Money20/20 conference, sessions on artificial intelligence (AI) joined those on friction in regulatory and technological innovation in dominating the agenda. A number of panels highlighted the competitive advantages AI tools offer companies. It didn’t matter if the topic was consumer marketing, fraud prevention, or product development—AI was the buzzword. One speaker noted the social good that could come from such technology, pointing to the work of a Stanford research team trying to identify individuals with a strong likelihood of developing diabetes by running an automated review of photographic images of their eyes. Another panel discussed the privacy and ethical issues around the use of artificial intelligence.

But do any of these applications marketed as AI pass Alan Turing’s 1950s now-famous Turing test defining true artificial intelligence? Turing was regarded as the father of computer science. It was his efforts during World War II that led a cryptographic team to break the Enigma code used by the Germans, as featured in the 2014 movie The Imitation Game. Turing once said, “A computer would deserve to be called intelligent if it could deceive a human into believing that it was human.” An annual competition held since 1991, aims to award a solid 18-karat gold medal and a monetary prize of $100,000 for the first computer whose responses are indistinguishable from a real human’s. To date, no one has received the gold medal, but every year, a bronze medal and smaller cash prize are given to the “most humanlike.”

Incidentally, many vendors seem to use artificial intelligence as a synonym for the terms deep learning and machine learning. Is this usage of AI mostly marketing hype for the neural network technology developed in the mid-1960s, now greatly improved thanks to the substantial increase in computing power? A 2016 Forbes article by Bernard Marr provides a good overview of the different terms and their applications.

My opinion is that none of the tools in the market today meet the threshold of true artificial intelligence based on Turing’s criteria. That isn’t to say the lack of this achievement should diminish the benefits that have already emerged and will continue to be generated in the future. Computing technology certainly has advanced to be able to handle complex mathematical and programmed instructions at a much faster rate than a human.

What are your thoughts?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Europe Led the way with EMV yet Europe appears to prefer cash

Europeans still love paying cash even if they don’t know it

Interesting to reflect on how much we allow Europe to lead as we think about EMV and the technology we use to secure our payment cards.  Maybe American’s need to embrace and take over the management of these key standards that drive an economy.

Will Wal-Mart Pay surpass Apple Pay, Samsung Pay and Android Pay

Walmart Pay to surpass from pymnts.com  –  from the Washington Post. –  and another

To open the news and find more than a press release in fact true commentary describing the success of a merchant mobile payment solution.  This is big news and speaks to the value of loyalty and the power of largest global merchants willingness to focus and innovate.

Thinking about cards

In 1991 I had to learn the difference between million dollar transactions and hundred dollar transactions. As I came to explain, when telling my life story, I had to shift my thinking from 100 transactions at a million to 1,000,000 for a hundred. This transition took me from capital markets to payment cards.

Today, I wonder about the future of the ID-1 based payment card? A piece of plastic 3 3/8 x 2 1/8 with rounded corners.

In another blog I spoke of how this ID-1 object became a token responsible to act as the first factor, something you have. Printed, encoded and embossed characteristics were the security features. Today, with EMV as the global standard for payment CARD security; cryptography and the “secure element” replace those physical security with digitally mastered circuitry embedded inside something capable of protecting those secrets cryptography requires. We digitized the payment card. What we now must do is shift our vocabulary to tokens and credentials.

We need to embrace a new way of speaking we need to think about our “Payment Credentials”.

Today, we now tap our phone to pay, we use our phone to browse the internet, we shop & book tickets with apps and we listen to music & watch movies all from this device we apparently use, thousands of times a day. For those of us who remember computers that filled floors, we now are capable of buying more powerful computers, similar in size to those same cards. Think about the Raspberry Pi, a computer almost as small as a card, not quite! Yet!

The embedded secure element integrated inside our payment cards are being integrated into phones, bracelets, rings and things. The question; will they replace the card we are now comfortable with? Yes – maybe? Will we embrace these objects as the new carriers of our payment credentials? Many hope so.

In oder to think about the probability of cards disappearing, one must begin by think about the number of cards now in circulation. In round numbers we can think about 1.2 billion debit and credit cards, 300 million prepaid cards and 300 million retail branded cards. In round numbers, 1.8 billion payment cards. We next must think about our population and how many people now carry cards – 115 million households and 242 million Americans over the age of 16, according to a recent census. We now has a numerator and a set of denominators.

The question then becomes, how many payment cards does an American want to carry and how many payment credentials will an American end up having.

I would argue a debit card and a credit card is all we need to carry in our leather wallet, purse or pockets. Those other payment credentials can easily be accessed from wallets in the cloud or in our digital objects.

Merchants can integrate payment capabilities and focus on factoring their consumer receivables, behind relationships designed to service, thrill and sell. In an App and API enables economy, cards become a burden as the experience becomes the essential component of our lives.

Deciphering Digital – Your Phone is Your Wallet

Today Wednesday October 18, 2017. I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference.  Today, I was reminded of the reality that payments is not only about cards it is the engine that fuels the revenue of a financial institution.  ACH, Wires, Cards, checks, transfers and even cash are revenue earning services; our community banks call payments.

My speach was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.

A look at the actors that support Internet Payments

The payment landscape is a complex space with an array of stakeholders specializing a focusing on various aspects of the processing of a payment.  This diagram is oneof several used to form a backdrop to various educational sessions Philip offers to organizations and executives seeking to identify and position themselves in the payments landscape.

This particular one seeks to help people understand who the key actors to a card not present eCommerce transactions.

IoT Payments Wednesday Morning

Continuation of my running thoughts as I listen and participate at the Secure Technology Alliance.

Role of the TSP

  • Wearables a small part of the IoT market and to scale the vendors need to not have to worry about “Payments”.
  • Should device manufactures understand payments? Can they?
  • The TSP must appreciate its role and what it is not.
  • As we look at IoT we need to recognize the scale of the shift from a issuer centric to a consumer centric model. The payment credential carrier no long belongs to the Issuer.

  • What is the role of the Token Requestor? It provides a consolidated view for the consumer. It consolidates rhe view of all the edge devices.
  • Who is the ultimate revenue source? The consumer? How does one create the consolidated view with so many instances of tokens?
  • What is the life of a token? This then leads to the question of the relationship with the manager (issuer) of the Means of Payment.
  • With the pre-provisioned credential how does one manage long term life cycle.

Root of Trust

  • Is PKi the right approach to the necessary level of trust this emerging environment requires.
  • We must remember the complexity of a PKi infrastructure.
  • In the payment space the use of secure devices e.g. HSM was mainly on the acquiring side. Now as a result of EMV issuers became much more concerned with keys and key management.
  • As we move into a mobile and more broadly connected world the need to assure trust in the software, device whatever.
  • This discussion is very much about the value and need for HSMs.
  • The question is raised as to the future of PKi given the US Gov’t perspective.
  • And, what of the introduction of Quantum Computing and the associated risk to the available cryptographic algorithms and keys?

In-Vehicle Payments

  • A car can be used a place to shop, it could pay for service rendered, it can be linked to service providers. NFC/BLE/In-app and Card on File.
  • The car can host merchant apps.
  • The idea of a POS device in the car leaves me lost. Who is the seller?

Smart Cities and Multi-Modal

  • To address smart cities one has to think across the wider context.
  • What are the roles the FTA can support, becomes a question of what the cities want.
  • Mobility on Demand driven by the needs to reduce congestion and improve life.
  • Built on local partnership within the community
  • A recognition that a multimodal approach is necessary. A focus on user centric approaches to transport.

Multimodal Payment Integration

  • The challenge begins with the fragmentation of the transit environment. It is not transit it is all about Mobility.
  • They want a brand and system agnostic solution that is intelligent and can help better manage spend.
  • How large is transit, public only, 6,500 transit operators supporting 1 trillion rides per year.
  • The roadmap is in development, it is early days.

Wearables – lessons learned

  • What ìs a wearable? Do define them based of feature and function. Cloths, jewelry…
  • We use a wearable when we need them. Athletic, climate, entertainment or work.
  • These electronic wearable needs to consider the use cases that should be integrated into a limited number of devices we would wear.
  • Three words – simple – connected – enablements
  • How will we enable more specifically load the various certificates we need to access, employ and pay for.
  • Interoperability will become the challenge. Do we imagine a world restricted by brand / manufacturer? Or, open to a wide array of designs and capabilities then how do we get there.
  • Secure element
    Data management & personalization
    Mobile device software integration
    Device life cycle management

    Tokenization as a methodology ans ecosystem is essential to the growth of payment in the IoT space.

BLE of IoT Payments

  • The cloud may restrict what could be communicated.
  • BLE is “local” allowing secure application management and secure transactions.

Managing Trust and Security

  • Identity is the key to much.
  • The next question therefore it trust in the Identifier.
  • Authentication with what, in what where?
  • Life cycle management. How do you know your device been wiped clean of all your credentials.

IoT 2017 Payments Tuesday Afternoon

Continuing the learning and commentary

IoT Payments 2017 – Austin TX October 10th and 11th

Context-based payments

  • Security has always been an after thought as devices were deployed and solutions were developed. Security needs to be built in as a fundamental layer in these emerging IoT objects.
  • Growth in fraud in online payments is typically a result of the deployment of EMV.
  • As we think about Dash buttons and the myriad of other interfaces that can access a card on file style shopping and payment experience we must think anew about security.
  • What is context? Our digital footprint as we go through our daily lives.
  • The growing number of IoT devices can help to establish context, which can then be used as a fourth factor in an authentication scheme.
  • It is all about acquiring data and building a profile, your context.
  • What is the unique identifier that links all the objects to the individual.

Bridging the Security Gap

  • Brightsight a lab focused on security looking at both physical a logical security at both the operating system and application layer.
  • The IoT landscape is a world of objects where to goal is sell fast. No security has been built in and the attack surface is broad and wise.
  • The fear of who is able to access the vast array of data available through these connected devices.
  • Security is about managing risk. Risk evolves over time. Therefore security must evolve to stay ahead of the current level of risk – continuous improvement.
  • In the world of IoT who will define the security requirements and who shall pay becomes the key question.
  • We should consider using Common Criteria as a baseline for the security of IoT devices.
  • Bottom line – the implementation of security is all about the developer and the use of already certifies components e.g. Integrated Circuit and the Operating System.

The key to top of wallet

  • Changing our top of wallet card is not something we are driven to do.
  • So many sites drive to Card on File
  • The objects will end up with an embedded payment within
  • There is a hierarchy of needs
  • BASIC WANTS & NEEDS

  • MASS & PERMITTED RECOMMENDATION

  • SOCIAL & RELEVANT 1REFERRALS

  • ON-BEHALF

    As he speaks of On-behalf a document produced back in 1996 must be found

  • Will the IoT evolution increase consumption, Maybe?

Wearables 101

  • What is the connectivity
  • Where are the credentials stored
  • Is it a configurable device relative to which credentials
  • Types
  • Contactless cards and devices
    The mobile ecosystem introduces the token requestor

    A solid overview of the world of tokenization

  • The tap experience with a wearable is an interesting design experience.
  • A wearable is smaller and much more personal.
  • As seen from the payment networks
  • Like a card
  • Mobile device (secure element)
  • HCE
  • Wearable are in market today
  • Wearable are in market today

Risk Based Payment Security

  • Beth took a walk through the history of payment acceptance
  • The Internet of Things creates the tsunami effect on our world of risk. Both scary and empowering.
  • Risk is or was always about the balance between security and convenience.
  • Tokenization moves the authentication responsibility from the Issuer to the payment brand. In this case who has the responsibility in the event of. Has the threat of penetration moved to the payment brand.
  • The move to mobile devices as a result of the inherent transaction security to the registration and ID&V process.
  • Interoperability and security standards who controls? IoT is not a market. It is a collections of vertical and closed environments.
  • We need to agree on a common set of security values not necessarily on a common standard.
  • When we think about the wider question of the how and what of security. We need to think about the security of the device and the cloud. We need to remember it is also about the ability to spoof and acquirer the credentials of a user.
  • Security must be designed in from the beginning.

The day came to a close.