Written by As I have long been advising our clients in the payment space, there will be inevitable implications for retail payments businesses once a national ID card is in place.
[From Digital Identity Forum: Paying for identity]
Retailers want business change, not just lower fees. Now, a barrier to their competing with existing card schemes themselves has been the cost of issuing and managing secure smart cards or other tokens. But if the government is going to do it for them, then they may as well exploit it. I can easily imagine taking my ID card and a blank cheque down to Tesco, putting them both into a machine and punching in my PIN. Then, next time I go shopping, I punch my PIN into the keypad at the checkout lane, wave my ID card over a reader and then go on my way. This kind of the service has already begun to spring up in the U.S.A., in response to the issuing of “Real ID”drivers’ licences which have machine readable magnetic stripes that can be read at POS terminals. A company called National Payment Card (NPC) has begun to exploit the opportunity, by getting customers to register their bank details and a PIN against their licence. This means that customers can then pay for fuel by swiping their licenses at petrol stations and entering a PIN. A similar national scheme has just launched in Malaysia, where one of the leading banks has begun installing kiosks where customers can use their bank chip card and the MyKad ID card (without biometric authentication) together to link the ID card with the bank account automatically:
Consumers will have to open either a savings or a current account with EON Bank, which is the only bank providing payment transactions through the MyKad at the moment.
[From Buy fuel with your MyKad]
The scheme is targeting the fuel sector in the first instance and has signed up all Caltex and BHP filling stations, so that customers can fill up and they pay at the pump with their ID card. Since the margins on fuel are thin, the sector has every incentive to cut payment schemes out of the loop and move to direct bank transfer via ACH. I wonder if they even bother to authorise the transactions: after all, if you try to cheat them by presenting the ID card when you have no money in the bank, they have your ID details and I imagine you'll be hotlisted pretty quickly.
I'm really curious what plans organisations in the payments value chain have for dealing with the introduction of smart identity cards. Naturally, I'm focusing on the U.K. Setting to one side for a moment whether it is right for an organisation to know your "real" identity at all, let alone for the purposes of making a purchase, it's the intersection of technology-led innovation and strategy that is interesting to me. I can't say that I have any evidence that banks, to choose the obvious type of organisation, have done any strategic thinking about identity at all. I attended a few meetings during the various ID card consultations, and while there were banks present they did not seem to have any kind of industry-wide co-ordinated response to the government's proposals and nor did they have any business plans to take advantage (or otherwise) to roll-out of smart identity cards on a national basis.
It's not just the ID cards that are an issue, I think, but the whole location of identity and identity management in the banking sector. Banks ought to be looking at both providing and consuming identity services and developing better identity and authentication services not merely for their internal use to reduce phishing and pharming but as a line of business in an online society. They are the obvious category of institution to provide credentials, manage personal information and deliver identity into the marketplace. If, as Sir James Crosby said in his report on the U.K. ID card scheme, "identity is the new money", then banks should already have generated strategic plans to accumulate the former, now that they've run out of the latter. Yet in practice the silo nature of retail banks means that the 2FA authentication scheme that I use to log in to home banking doesn't work if I'm trying pay online and I can't use it to log on to other banks, let alone other organisations. Which is going to be the first forward-looking bank to offer 2FA OpenID?
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
Up to a point a lot of this bright shiny brave new world technology is superficially very attractive—like many bright shiny new things. Some of it may even be necessary just to allow us to function relatively safely in a networked society/state.
It all does rather depend on some unspoken assumptions though: 1. that the state and other legal agencies will use the power they gain over the individual entirely responsibly and benevolently;
and, 2. that illegal agents will not be able to gain access or any kind of control of ‘the system’.
To put it in more literary terms: what we’re looking at is effectively more and more like a ‘one ring to rule them all’ scenario—eggs all in one basket in other words. That is an extremely risky and foolish thing to allow to happen.
I do not want to be in a society where my life can simply be ‘switched off’ by an error or malicious act. We are already dangerously into that territory and should be doing some very serious thinking and talking about the kind of society we really all want to be living in regarding our security and freedom (responsibilities too), in a networked society/state.
Thanks a lot for this article… I’ve always just kind of winged it when it comes to citations.
Thanks a lot. Nice article. Keep up the great work.