The dynamics are easy to understand. The downward pressure on the pricing of commodity payments, the ubiquity of intelligent devices (of which the mobile is currently the most important) and the ease of connecting banks, retailers, processors and others, combine to create a new landscape, where most of the value of the payments layer comes from the ability to identify and authenticate the participants in the transaction.
We have long observed, in our classification, that in the long run digital identity will be more valuable than digital money. This is because authentication is difficult and expensive: if you break down the way that, say, your debit card works, and separate the authentication part (the chip and PIN) from the processing and settlement of the transaction (and all of the fraud management, customer support and so on) you can see the asymmetry between the money part — a few bytes moving from bank to bank — and the identity part.
There is an interesting area for speculation identified by this analysis. Who will provide the identity functions? Will it be the existing players who bundle identity as part of the payments business — PayPal or Barclaycard — or will it be players who deal with identity and reputation — Experian or the Passport Services — or will it be the players who with authentication and switching — Vodafone or Google — or will it be an entirely new class of organisation?
I have a suspicion that it will be the latter. Just as new economic environments have led to new kinds of organisations before, so they will again. Just as Visa arose to exploit new opportunities, so something like Visa arise to create a digital identity infrastructure that creates new value. There is some logic to the proposition that it will be the mobile operators who in some way will give birth to this new organisation. That’s because the technology required to implement digital identity is founded on public key infrastructure (PKI) and for this to work we need some secure storage, some tamper-resistant hardware, to store our private keys and to execute authentication processes. Right now, the one piece of tamper-resistant hardware that everyone has is the SIM in their mobile phone. Indeed, there are a number of initiatives around the world that are already starting to use the SIM for precisely this purposes. The examples of Turkcell in Turkey and BankID in a number of Scandinavian markets have been looked at before. I’ve bored about this at length before:
One of the world’s leading experts in this field, David Birch, spent some time with me explaining how mobile operators, in particular, could actually become ‘smart pipes’ with financial transactions. The ‘secret sauce’ according to Birch, lies in the ability for operators to provide secure identification linked to the SIM providing private and public keys for multiple providers. The resultant digital signatures would allow for ultra-secure tow level authentication via the mobile device.[From The ‘secret sauce’? – The Insider – TM Forum Online Community]
How might this play out? In the US, we already see ACH alternatives to scheme payments emerging. An example is the “Pinpoint” card marketed by First Data ISO American Payment Systems. It provides a per-retailer loyalty scheme combined with ACH payment. Imagine something like this combined with stronger 2FA authentication at POS — perhaps using 2FA to release an identity credential or authenticating using some mobile network-based validation (eg, ValidSoft’s “proximity” transactions validation) — to create a product where the payment is a commodity but identity isn’t.
We can see the coming together of payments and identity from others directions: the use of ID cards for payments and the use of payment cards for identification. In the former case, the transition to “smart” ID cards means that
NETS was approached through IDA Singapore by governments in the Middle East to provide the “the technical know-how” of building the ePurse system for each Gulf country, along with the necessary cards, payment terminals and back-end structure.
Hong admits the company is in discussions with the governments of the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain and Jordan for a similar service, but expects greater traction once Oman goes live with ePurse this year.[From National ID card to allow e-payments in future – IT Business – News & Features – ITP.net]
In the latter case, both Visa and MasterCard have deployed systems that allow EMV cards to be used to authenticate remote transactions and, with appropriate federation, these do not need to be payment transactions.
Sandra Alzetta, head of innovation at Visa Europe, says: “The banks and their cardholder trials have shown an appetite for innovation and the broadening of a payment card’s use. “CodeSure is an extremely convenient way to bring a similar level of security to payments online as we now enjoy on the high street with chip and pin.”[From The Guardian]
What does all of this mean at the business level? Well, I don’t think the richness of the world of identity is understood at the management level — whether in the public sector (see, for example, the UK’s experiences trying to introduce an ID card) or in the private sector, where security and privacy are still seen as a trade-0ff — and so the serious thinking about new businesses and new opportunities hasn’t really started yet.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]