Consult Hyperion and Osmodal Group partner to deliver combined mass transit payment expertise to new markets.
Author: Consult Hyperion
5 things you need to know about Central Bank Digital Currencies
Guest blog post by Mirela Ciobanu, The Paypers
The topic of Central Bank Digital Currency (CBDC) is gaining momentum. Across the globe, many CBDC initiatives aim to digitalise payments, support financial inclusion, make cross border payments faster and cheaper, support fiscal transfer, etc. What is firing up discussions around CBDC and why is it important today?
Adoption of new technologies, and understanding of their huge potential to support and stimulate our lives, has caused the world to change a lot in the last year. The current pandemic has triggered a decline in cash usage, to avoid spreading the virus and to safeguard the most vulnerable (health-wise). Economically, as many governments wanted to protect their citizens and stimulate the economy directly, down to every citizen, they offered ‘helicopter money’ via digital wallets.
Raising contactless limits to allow more paying without the PIN
In these extraordinary times with the need for social distancing, the payments industry is raising the contactless limits across many countries in order to prevent the need to touch PIN Pads in order to pay for our essential supermarket and pharmacy shopping. Indeed, such is the concern over the use of cash that contactless payments are being actively encouraged over cash, with some countries, notably China and Russia now requiring that cash is sanitised before it is allowed back into circulation.
The Dutch Payment Association has moved to double its contactless CVM limit from €50 to €100, and similar increases are being introduced by Poland, Norway, Canada, Turkey and others. Yesterday the British Retail Consortium announced that the UK too will raise its contactless limit from £30 to £45 on 1st April.
So why do we need to wait a week? What does it mean? What are the alternatives?
First let us explain how contactless limits work and understand the difference between contactless payments in the UK and in most other countries. Contactless payment terminals have three limits:
- Floor Limit
- CVM Limit
- Transaction Limit
The Floor Limit determines if the transaction should be sent online to the Issuing bank for authorisation. In the UK the contactless floor limit has been set at £0 for some time, ensuring all transactions are sent online, preventing spend from any cards that have been reported lost or stolen.
The CVM Limit is the one being changed on 1st April. Above the CVM Limit a transaction requires a cardholder PIN or biometric authentication in order to be approved, which generally means a Chip & PIN transaction is needed. We are now seeing the introduction of some biometric contactless cards, but there are very few of them in the market today. By raising the CVM Limit to £45, any contactless transaction below this value will be sent to the Issuer for authorisation without a PIN, reducing the number of Chip & PIN transactions and hence how often the POS has to be touched.
The Transaction Limit is the maximum value allowed for any contactless transaction at that Merchant. This has been badly handled in the past, creating different customer experiences at different merchants. Ideally the contactless Transaction Limit should be the same as the Chip & PIN transaction limit. This then allows a contactless transaction carried out using a mobile phone, with Apple Pay or Google Pay, to be treated in the same way as a Chip & PIN transaction. In the coming weeks, most payments will be made at supermarkets, and whilst raising the limit to £45 will enable a higher number of contactless transactions, a large family shop will exceed £45. To be able to pay without a PIN, people should enable their cards in Apple Pay or Google Pay, which will allow them to pay by contactless whatever the transaction amount.
In the UK, the Transaction Limit has not been uniformly implemented: at some merchants it is set to the same value as the CVM Limit, meaning contactless can only be used below £30. The result has been confusion over when Apple Pay and Google Pay transactions will work and when you need to perform Chip & PIN. POS providers and merchants need to take the opportunity of this limit change to test their systems and ensure that both the CVM Limit and the Transaction Limit are set appropriately, to provide the maximum opportunity to pay by contactless.
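The three limits above combine into a small decision procedure, which is easy to get wrong in exactly the way the post describes. The following Go program is an added example, not code from the post or from Consult Hyperion: it encodes that procedure and runs it against three terminal configurations, the old £30 UK setting, a post-change terminal whose Transaction Limit has mistakenly been left equal to the new £45 CVM Limit, and a well-configured terminal. The £30 and £45 figures are the post's; the Chip & PIN limit used for the well-configured terminal and the basket values are assumed for illustration.

```go
package main

import "fmt"

// Terminal holds the three contactless limits the post describes. Amounts are in pence so
// that comparisons against the limits are exact.
type Terminal struct {
	Name             string
	FloorLimit       int // at or above this value the transaction goes online to the issuer; 0 = always online
	CVMLimit         int // above this value the cardholder must be verified (PIN on a card, biometric on a phone)
	TransactionLimit int // above this value the terminal will not accept contactless at all
}

type Outcome string

const (
	OfflineApproved Outcome = "contactless, approved offline (below floor limit)"
	OnlineNoCVM     Outcome = "contactless, sent online, no PIN needed"
	OnlineCDCVM     Outcome = "contactless, sent online, cardholder verified on the device"
	ChipAndPIN      Outcome = "contactless refused: insert card and enter PIN"
)

// Decide applies the limits in the order a terminal checks them: transaction limit first,
// then CVM limit, then floor limit. cdcvm is true when the paying device can verify the
// cardholder itself (Apple Pay or Google Pay with a fingerprint or face), which is what lets
// a phone be treated like Chip & PIN above the CVM limit.
func Decide(t Terminal, amount int, cdcvm bool) Outcome {
	if amount > t.TransactionLimit {
		return ChipAndPIN
	}
	if amount > t.CVMLimit {
		if !cdcvm {
			return ChipAndPIN // a plain card above the CVM limit has to fall back to Chip & PIN
		}
		return OnlineCDCVM
	}
	if amount < t.FloorLimit {
		return OfflineApproved
	}
	return OnlineNoCVM
}

// Three UK-style configurations. £30 and £45 come from the post; the £1000 Chip & PIN limit
// on the well-configured terminal is an assumed placeholder, not a figure from the post.
var (
	UKBefore              = Terminal{Name: "UK before 1st April (CVM = transaction limit = £30)", FloorLimit: 0, CVMLimit: 3000, TransactionLimit: 3000}
	UKAfterMisconfigured  = Terminal{Name: "UK after, transaction limit left at £45", FloorLimit: 0, CVMLimit: 4500, TransactionLimit: 4500}
	UKAfterWellConfigured = Terminal{Name: "UK after, transaction limit = Chip & PIN limit", FloorLimit: 0, CVMLimit: 4500, TransactionLimit: 100000}
)

func main() {
	baskets := []int{2000, 4500, 8000} // constructed basket values: £20, £45 and a large family shop
	for _, t := range []Terminal{UKBefore, UKAfterMisconfigured, UKAfterWellConfigured} {
		fmt.Println(t.Name)
		for _, amt := range baskets {
			fmt.Printf("  £%3d.%02d  card : %s\n", amt/100, amt%100, Decide(t, amt, false))
			fmt.Printf("  £%3d.%02d  phone: %s\n", amt/100, amt%100, Decide(t, amt, true))
		}
	}
}
```

Running it shows the confusion the post describes: on the misconfigured terminal an £80 Apple Pay or Google Pay transaction is refused even though the phone has verified its user, whereas on the well-configured terminal only the plain card falls back to Chip & PIN.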
As my fellow Principal Consultant Tim Richards points out in our video blog, other countries are using mobile apps to prevent the need for PIN – completely “Contact Free” transactions. We don’t have that capability in the UK yet, Apple Pay and Google Pay being the best options for now. We expect this to change as Open Banking progresses and payments without the need for PIN become more common.
Consult Hyperion has extensive experience in contactless and “Contact Free” payments and testing, and can help organisations ensure they optimise their payments capability to meet the needs of their customers; get in touch for more information on how we can help.
In the meantime, to avoid PIN Pads, shop below £45 or ensure Apple Pay or Google Pay is working on your mobile device, and stay safe.
Sources:
https://www.finextra.com/newsarticle/35509/russian-banks-act-to-decontaminate-cash?utm_medium=newsflash&utm_source=2020-3-24&member=56902
https://www.finextra.com/newsarticle/35493/dutch-banks-raise-contactless-limits-for-pin-entry
https://www.theguardian.com/money/2020/mar/24/limit-for-contactless-spending-to-rise-to-45-at-beginning-of-april
There was a post on Twitter in the midst of the coronavirus COV-19 pandemic news this week, that caught my eye. It quoted an emergency room doctor in Los Angeles asking for help from the technology community, saying “we need a platform for frontline doctors to share information quickly and anonymously”. It went on to state the obvious requirement that “I need a platform where doctors can join, have their credentials validated and then ask questions of other frontline doctors”.
This is an interesting requirement that tells us something about the kind of digital identity we should be building for the modern world, instead of trying to find ways to copy passport data around the web. The requirement, to know what someone is without knowing who they are, is fundamental to the operation of a digital identity infrastructure in the kind of open democracy that we (ie, the West) espouse. The information sharing platform needs to know that the person answering a question has relevant qualifications and experience. Who that person is, is not important.
Now, in the physical world this is an extremely difficult problem to solve. Suppose there was a meeting of frontline doctors to discuss different approaches and treatments, but the doctors wanted to remain anonymous for whatever reason (for example, they may not want to compromise the identity of their patients). I suppose the doctors could all dress up as ghosts, cover themselves in bedsheets and enter the room by presenting their hospital identity cards (through a slit in the sheet) with their names covered up by black pen. But then how would you know that the identity card belongs to the “doctor” presenting it? After all, the picture on every identity card will be the same (someone dressed as a ghost) and you have no way of knowing whether the ID cards were their own or whether they were agents of foreign powers, infiltrators hellbent on spreading false information to ensure the maximum number of deaths. The real-world problem of demonstrating that you have some particular credential, or that you are the “owner” of a reputation, without disclosing personal information is a very difficult problem indeed.
(It also illustrates the difficulty of trying to create large-scale identity infrastructure by using identification methods rather than authenticating to a digital identity infrastructure. Consider the example of James Bond, one of my favourite case studies. James Bond is masquerading as a COV-19 treatment physician in order to obtain the very latest knowledge on the topic. He walks up to the door of the hospital where the meeting is being held and puts his finger on the fingerprint scanner at the door… at which point the door loudly says “hello Mr Bond welcome back to the infectious diseases unit”. Oooops.)
In the virtual world this is quite a straightforward problem to solve. Let’s imagine I go to the doctors information sharing platform and attempt to login. The system will demand to see some form of credential proving that I am a doctor. So I take my digital hospital identity card out from my digital wallet (this is a thought experiment remember, none of the things actually exist yet) and send the relevant credential to the platform.
The credential is an attribute (in this case, IS_A_DOCTOR) together with an identifier for the holder (in this case, a public key) together with the digital signature of someone who can attest to the credential (in this case, the hospital that employs the doctor). Now, the information sharing platform can easily check the digital signature of the credential, because it has the public keys of all of the hospitals, and can extract the relevant attribute.
But how do they know that this IS_A_DOCTOR attribute applies to me and that I haven’t copied it from somebody else’s mobile phone? That’s also easy to determine in the virtual world with the public key of the associated digital identity. The platform can simply encrypt some data (anything will do) using this public key and send it to me. Since the only person in the entire world who can decrypt this message is the person with the corresponding private key, which is in my mobile phone’s secure tamper resistant memory (eg, the SIM or the Secure Enclave or Secure Element), I must be the person associated with the attribute. The phone will not allow the private key to be used to decrypt this message without strong authentication (in this case, let’s say it’s a fingerprint or a facial biometric) so the whole process works smoothly and almost invisibly: the doctor runs the information sharing platform app, the app invisibly talks to the digital wallet app in order to get the credential, the digital wallet app asks for the fingerprint, the doctor puts his or her finger on the phone and away we go.
Now the platform knows that I am a doctor but does not have any personally identifiable information about me and has no idea who I am. It does however have the public key and since the hospital has signed a digital certificate that contains this public key, if I should subsequently turn out to be engaged in dangerous behaviour, giving out information that I know to be incorrect, or whatever else doctors can do to get themselves disbarred from being doctors, then a court order against the hospital will result in them disclosing who I am. I can’t do bad stuff.
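The exchange the last three paragraphs describe, written out as an added Go example that is not part of the original post: a hospital signs a credential binding IS_A_DOCTOR to the holder's public key; the platform checks that signature against the hospital keys it holds, then encrypts a random challenge to the holder's public key and admits the holder only if the wallet can decrypt it. The wallet refuses to use the private key until the user has verified locally, standing in for the fingerprint step. Key types (Ed25519 for the hospital, RSA-OAEP for the holder), the credential layout and the hospital name are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Credential as the post describes it: attribute, holder's public key as identifier, and the
// attesting hospital's signature. The field layout is this example's own.
type Credential struct {
	Issuer    string         // hospital name, so the platform can pick the right verification key
	Attribute string         // e.g. IS_A_DOCTOR
	HolderPub *rsa.PublicKey // the holder's public key; the matching private key never leaves the phone
	Signature []byte         // Ed25519 signature by the hospital over the three fields above
}

func signedBytes(c Credential) []byte {
	der, _ := x509.MarshalPKIXPublicKey(c.HolderPub) // only fails for unsupported key types
	return append([]byte(c.Issuer+"|"+c.Attribute+"|"), der...)
}

// Issue is the hospital side. A real hospital would also keep a private record of which key
// belongs to which member of staff: that record is the court-order path the post mentions.
func Issue(hospital string, hospitalKey ed25519.PrivateKey, attr string, holder *rsa.PublicKey) Credential {
	c := Credential{Issuer: hospital, Attribute: attr, HolderPub: holder}
	c.Signature = ed25519.Sign(hospitalKey, signedBytes(c))
	return c
}

// Wallet keeps the private key in the phone and only uses it after local user verification
// (the post's fingerprint or face step, modelled here as a flag).
type Wallet struct {
	priv     *rsa.PrivateKey
	unlocked bool
}

func NewWallet() *Wallet {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Wallet{priv: priv}
}

func (w *Wallet) Decrypt(ct []byte) ([]byte, error) {
	if !w.unlocked {
		return nil, errors.New("wallet: user verification required")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, w.priv, ct, nil)
}

// Admit is the platform side: it knows only the hospitals' public keys. It checks the signature
// and the attribute, then proves possession of the private key with an encrypted random challenge.
func Admit(issuers map[string]ed25519.PublicKey, c Credential, decrypt func([]byte) ([]byte, error)) error {
	issuerPub, known := issuers[c.Issuer]
	if !known || !ed25519.Verify(issuerPub, signedBytes(c), c.Signature) {
		return errors.New("credential not signed by a known hospital")
	}
	if c.Attribute != "IS_A_DOCTOR" {
		return errors.New("credential does not carry IS_A_DOCTOR")
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand: only fails if the OS RNG is unavailable
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.HolderPub, challenge, nil)
	if err != nil {
		return err
	}
	reply, err := decrypt(ct)
	if err != nil || !bytes.Equal(reply, challenge) {
		return errors.New("proof of possession failed")
	}
	return nil // the platform now knows IS_A_DOCTOR holds, and nothing else about the person
}

// Scenario plays out three cases: the real doctor, someone who copied the credential to another
// phone, and the doctor's own phone without a fingerprint. The hospital name is constructed.
func Scenario() (doctorOK, copiedOK, lockedOK bool) {
	hospitalPub, hospitalPriv, _ := ed25519.GenerateKey(rand.Reader) // errs only if the OS RNG fails
	issuers := map[string]ed25519.PublicKey{"St Example's Hospital": hospitalPub}
	doctor, thief := NewWallet(), NewWallet()
	cred := Issue("St Example's Hospital", hospitalPriv, "IS_A_DOCTOR", &doctor.priv.PublicKey)
	doctor.unlocked, thief.unlocked = true, true
	doctorOK = Admit(issuers, cred, doctor.Decrypt) == nil
	copiedOK = Admit(issuers, cred, thief.Decrypt) == nil // same credential, wrong private key
	doctor.unlocked = false
	lockedOK = Admit(issuers, cred, doctor.Decrypt) == nil
	return
}

func main() {
	d, c, l := Scenario()
	fmt.Println("doctor admitted:", d, "| copied credential admitted:", c, "| locked wallet admitted:", l)
}
```

The point to notice is what the platform never sees: no name, no staff number, only a public key and a hospital signature. A credential copied from another phone carries the same attribute and the same signature, and still fails, because the challenge can only be answered with the private key that stayed on the doctor's device.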
This is a good example of how cryptography can deliver some amazing but counterintuitive solutions to serious real-world problems. I know from my personal experience, and the experiences of colleagues at Consult Hyperion, that it can sometimes be difficult to communicate just what can be done in the world of digital identity by using what you might call counterintuitive cryptography, but it’s what we will need to make a digital identity infrastructure that works for everybody in the future. And, crucially, all of the technology exists and is tried and tested so if you really want to solve problems like this one, we can help right away.
KYC at a distance
We live in interesting times. Whatever you think about the Coronavirus situation, social distancing will test our ability to rely on digital services. And one place where digital services continue to struggle is onboarding – establishing who your customer is in the first place.
One of the main reasons for this, is that regulated industries such as financial services are required to perform strict “know your customer” checks when onboarding customers and risk substantial fines in the event of compliance failings. Understandably then, financial service providers need to be cautious in adopting new technology, especially where the risks are not well understood or where regulators are yet to give clear guidance.
Fortunately, a lot of work is being done. This includes the development of new identification solutions and an increasing recognition that this is a problem that needs to be solved.
The Paypers has recently published its “Digital Onboarding and KYC Report 2020”. It is packed full of insights into developments in this space, features several Consult Hyperion friends and is well worth a look.
You can download the report here: https://thepaypers.com/reports/digital-onboarding-and-kyc-report-2020
Dave New World #IWD2020
One of my favourite quotes is, “at any given IT conference, there are more attendees named Dave than there are women”. Having checked the attendee list at several conferences, it seems a pretty fair rule of thumb.
My first step into IT was to escape a rogue boss, who handled both male and female employees equally, resulting in my predecessor taking a case to tribunal. The local university offered postgraduate qualifications in both IT and accountancy. The first year of IT counted towards both, so I took the path of least resistance. After a year creating expert systems and researching Artificial Life, my choice was made.
Having settled into a technical role with a major network provider, I expressed an interest in moving into the security team, only to be told “you can’t have that job, it’s Dave’s job”. When I insisted, a second opening was found and Dave became a much-valued colleague and friend. When I was promoted to lead the team, it emerged that my salary even after promotion was well below Dave’s and rapid adjustments had to be made.
At around this time I worked alongside a firewall consultant, whose best client had bandwidth beyond our wildest imaginings. She needed cutting edge technology to protect her revenues while engaged in the world’s oldest profession. This consultant, known to use the same password on every system, later put the first firewall into 10 Downing Street. In recent years, I have had the opportunity to research (in a professional capacity) the importance of digital identity in the context of adult services, highlighting the sheer scale of this industry and the important role of technology in this area.
When I first joined Consult Hyperion in 2006, I was asked to organise a workshop for identity experts from across Europe. It was a great opportunity and a real inspiration when Angela Sasse, a leading light in HCI, spoke about the importance of both women and men contributing to systems which are to serve the public. One of my favourite feminists, another Dave, was later to highlight the peculiar assumptions behind some technologies. For instance, the concept of the smart home managed remotely by a man on the move. It may work for people living alone but the ability to turn the lights off or the heating down while partners or family members are at home is not so great.
We are lucky at CHYP to have a diverse and highly skilled team working in Hyperlab, including a Dave. His working proof that an EMV contactless transaction could be completed in under 500ms in a live transit environment was critical to the adoption of the technology by Transport for London, which in turn contributed to the wider implementation of contactless payments. He has also worked on financial inclusion projects in both the UK and Africa, enabling aid to be distributed to farmers in remote areas.
On a personal level, it is always good to see more women joining the industry. It’s a great place to work, with constant change and exciting new challenges. I respect initiatives such as Microsoft’s Girls in STEM, although it has caused upset in my household, as my son was very disappointed that there was no equivalent for Boys in STEM. He has a truly inspirational IT teacher, who spent much of her career working in the industry and is equally at home with coding and infrastructure (or ‘the boring stuff’, as my son likes to call my main area of interest). Despite every possible encouragement, there are no girls taking Computer Science in his year. The local girls’ school does not even offer the subject at A level. However, whatever profession you adopt, chances are you will need technology to achieve your goals. At a time of huge opportunity, it is important to remember that there are many different paths into a career in technology. For instance, privacy requires strong legal and technical underpinnings. It is therefore vital that from the earliest years, we encourage children to engage with technology in whatever way best suits their own individual passions.
I’ve run up against some interesting attitudes in my working life: “you don’t look like a techie”, “girls can’t do firewalls”, “a female consultant?” and, disappointingly, female colleagues refusing to take on “men’s work”. Having spent my formative years around a boys’ prep school, where women were mostly ‘below stairs’, I learned early to take this kind of thing in my stride.
In this article, the term ‘Dave’ is used to denote anyone with the given name of ‘David’.
To paraphrase Plato: the cost of not taking part is to be subject to the decisions of those less capable than you.
Is RCS set to transform Mobile Payments and PSD2 SCA?
By GSMA Future Networks Team, Lishoy Francis, Senior Consultant, Consult Hyperion
Mobile telecommunications services, and the devices consumers use to access them, are evolving rapidly – and, with the roll-out of 5G, the integration of IoT and wearables, and the adoption of embedded SIM, mobile services will soon be available everywhere.
Service providers relying on mobile apps, however, face several challenges. These include falling consumer retention figures, as app transaction abandonment rates increase; the cost of developing and maintaining mobile apps; ensuring adequate security for accurate billing and fraud prevention; and meeting regulations such as PSD2.
Rich Communication Services (RCS) – the mobile industry’s upgrade to SMS, which brings enriched multimedia services and enhanced security to mobile messaging – provides a range of solutions to these challenges, and with them new commercial opportunities in the delivery of consumer payments. RCS is now gaining momentum in the consumer market, and is a key platform to watch in 2020 and beyond. Adoption of RCS is mainly driven by buy-in from mobile platform providers such as Samsung and Google, more than 20 device OEMs, and over 90 mobile network operators to date.
From the consumer’s perspective, the RCS experience means forgoing the need to download multiple different apps and instead using a native messaging app on their device which is not limited to plain text, but is capable of handling feature-rich communications in the style of WhatsApp, Facebook Messenger or WeChat. The RCS infrastructure consists of an IP Multimedia Subsystem (IMS) core with implementation-specific Application Server (AS) functions. The messaging feature in RCS is enhanced by RCS Business Messaging (RBM) supported by backend platform components.
Security and trust are scarce in the messaging world, where unwitting consumers can fall victim to phishing attacks leading to monetary loss and compromise of personal information. RCS can help here with Verified Sender, a feature of RBM which provides proof of the sender’s identity. This proof is technically based on a digital signature and, for consumer confidence at a glance, can be shown as a visual tick-mark, with a verified name and logo of the sender on the messaging client.
Consumer authentication has been commonly based, until recently, on the use of a one-time password (OTP) sent over SMS, in conjunction with a memorable secret. Since the arrival of PSD2, however, strong customer authentication (SCA) is required for all electronic payments. PSD2 SCA requires the use of at least two from the following elements:
- Knowledge – something the consumer knows
- Possession – something the consumer has
- Inherence – something the consumer is (typically using a biometric)
Although OTP-over-SMS is a permitted possession factor under PSD2 (acting as proof of possession of a SIM card), RBM can offer better security – the question mark over where a given message has originated is now, thankfully, gone.
The GSMA – working with Consult Hyperion, thought leaders in mobile telecommunications, payments, ticketing, and digital identity – has produced a white paper on what RCS has to offer in digital payments. ‘RCS and Payments’ provides a detailed investigation of RCS’ potential in meeting PSD2’s SCA requirements, including the potential of RCS to replace SMS for delivery of OTP, and explores various payment options across the RCS channel.
Also considered are the additional security mechanisms RCS can offer to gain customer confidence and protect payments: the platform for instance offers service providers advanced functionalities such as message recall if a device is offline; additional controls to validate SIM swap requests; rapid service provisioning; and providing continuous customer engagement via AI chatbots.
In short, RCS offers the most exciting opportunity for service providers and MNOs to work together on providing consumers with secure payments and strong authentication since the availability of NFC and HCE on consumer mobile devices.
Read the latest ‘RCS and Payments’ whitepaper for more details.
Consult Hyperion’s Live 5 for 2020
At Consult Hyperion we take a certain amount of enjoyment looking back over some of our most interesting projects around the world over the previous year or so, wrapping up thoughts on what we’re hearing in the market and spending some time thinking about the future. Each year we consolidate the themes and bring together our Live Five.
2020 is upon us and so it’s time for some more future gazing! Now, as in previous years, how can you pay any attention to our prognostications without first reviewing our previous attempts? In 2017 we highlighted regtech and PSD2, 2018 was open banking and conversational commerce, and for 2019 it was secure customer authentication and digital wallets — so we’re a pretty good weathervane for the secure transactions world! Now, let’s turn to what we see for this coming year.
Our Live Five has once again been put together with particular regard to the views of our clients. They are telling us that over the next 12 months retailers, banks, regulators and their suppliers will focus on privacy as a proposition, customer intimacy driven by hyper-personalisation and personalized payment options, underpinned by a focus on cyber-resilience. In the background, they want to do what they can to reduce their impact on the global environment. For our transit clients, there will be a particular focus on bringing these threads together to reduce congestion through flexible fare collection.
So here we go…
1. This year will see privacy as a consumer proposition. This is an easy prediction to make, because serious players are going to push it. We already see this happening with “Sign in with Apple” and more services in this mould are sure to follow. Until quite recently privacy was a hygiene factor that belonged in the “back office”. But with increasing industry and consumer concerns about privacy, regulatory drivers such as GDPR and the potential for a backlash against services that are seen to abuse personal data, privacy will be an integral part of new services. As part of this we expect to see organisations that collect large amounts of personal data looking at ways to monetise this trend by shifting to attribute exchange and anonymised data analytics. Banks are an obvious candidate for this type of innovation, but not the only one – one of our biggest privacy projects is for a mass transit operator, concerned by the amount of additional personal information they are able to collect on travellers as they migrate towards the acceptance of contactless payment cards at the faregate.
2. Underpinning all of this is the urgent need to address cyber-resilience. Not a week goes by without news of some breach or failure by a major organisation putting consumer data and transactions at risk. With the advent of data protection regulations such as GDPR, these issues are major threats to the stability and profitability of companies in all sectors. The first step to addressing this is to identify the threats and vulnerabilities in existing systems before deciding how and where to invest in countermeasures.
Our Structured Risk Analysis (SRA) process is designed to help our customers through this process to ensure that they are prepared for the potential issues that could undermine their businesses.
3. Privacy and Open Data, if correctly implemented and trusted by the consumer, will facilitate the hyper-personalisation of services, which in turn will drive customer intimacy. Many of us are familiar with Google telling us how long it will take us to get home, or to the gym, as we leave the office. Fewer of us will have experienced the pleasure of being pushed new financing options by the first round of Open Banking Fintechs, aimed at helping entrepreneurs to better manage their start-up’s finances.
We have already demonstrated to our clients that it is possible to use new technology in interesting ways to deliver hyper-personalisation in a privacy-enhancing way. Many of these depend on the standardisation of Premium Open Banking APIs, i.e. APIs that extend the data shared by banks beyond that required by the regulators, into areas that can generate additional revenue for the bank. We expect to see the emergence of new lending and insurance services, linked to your current financial circumstances, at the point of service, similar to those provided by Klarna.
4. One particular area where personalisation will have immediate impact is giving consumers personalised payment options with new technologies being deployed, such as EMV’s Secure Remote Commerce (SRC) and W3C’s payment request API. Today, most payment solutions are based around payment cards but increasingly we will see direct to account (D2A) payment options such as the PSD2 payment APIs. Cards themselves will increasingly disappear to be replaced by tokenized equivalents which can be deployed with enhanced security to a wide range of form factors – watches, smartphones, IoT devices, etc. The availability of D2A and tokenized solutions will vastly expand the range of payment options available to consumers who will be able to choose the option most suitable for them in specific circumstances. Increasingly we expect to see the awkwardness and friction of the end of purchase payment disappear, as consumers select the payment methods that offer them the maximum convenience for the maximum reward. Real-time, cross-border settlement will power the ability to make many of our commerce transactions completely transparent. Many merchants are confused by the plethora of new payment services and are uncertain about which will bring them more customers and therefore which they should support. Traditionally they have turned to the processors for such advice, but mergers in this field are not necessarily leading to clear direction.
We know how to strategise, design and implement the new payment options to deliver value to all of the stakeholders and our track record in helping global clients to deliver population-scale solutions is a testament to our expertise and experience in this field.
5. In the transit sector, we can see how all of these issues come together. New pay-as-you-go systems based upon cards continue to roll out around the world. The leading edge of Automated Fare Collection (AFC) is, however, advancing. How a traveller chooses to identify himself, and how he chooses to pay, are in principle different decisions, and we expect to see more flexibility. Reducing congestion and improving air quality are of concern globally, and are best addressed by providing door-to-door journeys without reliance on private internal combustion engines. This will only prove popular when ultra-convenient. That means that payment for a whole journey (or collection of journeys) involving, say, bike/ride share, tram and train, must be frictionless and support the young, old and in-between alike.
Moving people on to public transport by making it simple and convenient to pay is how we will help people to take practical steps towards sustainability.
So, there we go. Privacy-enhanced resilient infrastructure will deliver hyper-personalisation and give customers more safe payment choices. AFC will use this infrastructure to both deliver value and help the environment to the great benefit of all of us. It’s an exciting year ahead in our field!