Trust is a pretty serious issue, but it’s not always easy to quantify. We all
understand that it is important, but what exactly is the value in pounds,
shillings and pence (or whatever we will be using after Brexit) and how can we
use that value to develop some business cases? It’s one thing to say (as you
will often hear at conferences) that some technology or other can increase
trust, but how do we know whether that means it is worth spending the money on
it? At Consult Hyperion we have a very well-developed methodology, known as
Structured Risk Analysis (SRA), for managing risk and directing countermeasure
expenditures, but we need reasonable, informed estimates to make it work.
Some businesses undoubtedly find fake reviews an incredibly useful tool. There are
millions of examples we could use to illustrate this, but here is just
one: “Asad Malik, 38, used fake reviews and photographs of secure car parks
hundreds of miles away to trick customers into leaving their vehicles with him
when they flew from Gatwick” [Airport parking boss jailed for dumping cars in muddy
So how can
we use technology to make a difference here? When you read a review of an
airport parking service, or a restaurant or a Bluetooth speaker, how can you
even be sure (to choose the simplest example) that the reviewer purchased the
product? Well, one possibility might be to co-opt the payment system, and this
can be done in a privacy-enhancing way. Suppose that when you pay the bill at a
restaurant, having told your credit card provider that you are happy to
be a reviewer, your credit card company sends you an unforgeable cryptographic
token that proves you ate at the restaurant. Then, when you go to Tripadvisor
or wherever, if you want to post a review of the restaurant, you have to
provide such a token. The token would be cryptographically blinded (the card
company signs it without seeing it), so that neither the restaurant, the
review readers nor the card company could tell which reviewer you are, so you
could be honest, but they could be sure that you have eaten there.
Such “review tokens” are an obvious thing to store in digital wallets. You could
easily imagine Calibra, to choose an obvious case study, storing these tokens
and automatically presenting them when you log in to review sites. This would
be a simple first step toward a reputation economy that would benefit consumers
and honest service providers alike.
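The flow sketched above is essentially a blind signature: the issuer signs something it cannot read, and the review site later verifies it against the issuer's public key. As an added example (editor's toy code, not a Consult Hyperion, card-scheme or Tripadvisor system), here it is with textbook RSA. The merchant names, the 512-bit key size and the design choice of one issuer signing key per merchant (so that a signature can only mean "paid at that venue") are assumptions made for the demo; the function names are hypothetical.

```python
# Added example (editor's toy, not any real issuer's or review site's code): textbook RSA
# blind signatures. Key size and the one-key-per-merchant design are demo assumptions.
import hashlib
import secrets
from math import gcd

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def _is_probable_prime(n, rounds=24):
    """Trial division, then Miller-Rabin with `rounds` random bases (n is always >= 2**255 here)."""
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if _is_probable_prime(c):
            return c

def generate_rsa_key(bits=512):
    """512-bit modulus keeps the demo fast; a real issuer would use 2048 bits or more."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def token_digest(serial):
    """What gets signed: SHA-256 of a random serial (256 bits, so always below the modulus)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")

class CardIssuer:
    """One signing key per merchant, so a valid signature can only mean 'paid at that venue'."""
    def __init__(self):
        self._keys = {}
        self.seen_at_authorisation = []   # everything the issuer ever learns about tokens

    def public_key(self, merchant_id):
        if merchant_id not in self._keys:
            self._keys[merchant_id] = generate_rsa_key()
        return self._keys[merchant_id]["n"], self._keys[merchant_id]["e"]

    def authorise_payment(self, merchant_id, amount, blinded):
        # Ordinary authorisation would go here. Having accepted the payment, the issuer
        # signs the blinded value; it never sees the serial hidden inside it.
        k = self._keys[merchant_id]
        self.seen_at_authorisation.append(blinded)
        return pow(blinded, k["d"], k["n"])

def pay_and_collect_token(issuer, merchant_id, amount):
    """Cardholder's wallet: blind a fresh serial at payment time, unblind the signature after."""
    n, e = issuer.public_key(merchant_id)
    serial = secrets.token_bytes(16)
    m = token_digest(serial)
    while True:
        r = secrets.randbelow(n - 2) + 2               # blinding factor, must be invertible mod n
        if gcd(r, n) == 1:
            break
    blinded = (m * pow(r, e, n)) % n                   # m * r^e
    blind_sig = issuer.authorise_payment(merchant_id, amount, blinded)
    sig = (blind_sig * pow(r, -1, n)) % n              # (m * r^e)^d * r^-1 = m^d
    return {"merchant": merchant_id, "serial": serial, "sig": sig}

def post_review(issuer, spent_serials, token, text):
    """Review site: checks the issuer's public key only and never sees card or cardholder data."""
    n, e = issuer.public_key(token["merchant"])
    if pow(token["sig"], e, n) != token_digest(token["serial"]):
        return "rejected: bad signature"
    if token["serial"] in spent_serials:
        return "rejected: token already used"          # one payment, one review
    spent_serials.add(token["serial"])
    return "accepted"

def run_demo():
    issuer, spent = CardIssuer(), set()
    token = pay_and_collect_token(issuer, "trattoria-42", 38.50)   # constructed sample merchant
    results = {"genuine": post_review(issuer, spent, token, "Great carbonara"),
               "replay": post_review(issuer, spent, token, "Still great")}
    forged = dict(token, merchant="bistro-7")                       # same token, different venue
    results["wrong_venue"] = post_review(issuer, spent, forged, "Never ate here")
    seen = set(issuer.seen_at_authorisation)   # unlinkability: nothing the site saw appeared at the issuer
    results["issuer_can_link"] = token["sig"] in seen or token_digest(token["serial"]) in seen
    return results
```

Two caveats a practitioner would want: a production scheme needs RSA blind signatures with a full-domain hash and strict key separation (the bare 256-bit digest here is a toy), and binding the token to the venue through a per-merchant key is only one option; a partially blind signature or an anonymous-credential scheme lets a single issuer key carry a visible merchant attribute. Note also what blinding does not hide: if a venue has few customers, the timing of a review still leaks something.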
This is one of the cross-overs between payments and identity that we expect to be much
discussed at Money20/20 in Las Vegas this week. I’ll be
there with the rest of the Consult Hyperion team, so do come along to the
great, great Digital Trust Track on Tuesday 29th and
join in the discussions.
This article was originally published on Money20/20.
We are in the midst of seismic societal
changes of how people interact and transact. Across societies,
geographies and segments, digital is the new norm. Change has accelerated,
placing greater value upon flexibility and speed. Historically, money and
finance have been among the more conservative and slower changing parts of
society, but over the past decade this has changed dramatically, with money
now viewed as an instigator of change rather than a lagging indicator.
Whether you are a marketer in shining armor
conquering new territory, a financial wizard casting spells upon the balance
sheet, or the queen or king guiding the whole enterprise, here are four trends
about money that you should keep in mind for your business.
Platforms are the new kingdoms
Platforms are the base upon which other
structures can be built. For example, App stores from Apple and Google
provide the infrastructure for consumers to complete commercial transactions
and manage finances through their mobile phones. While these companies
develop their own digital wallets, they also enable similar services from
banks, retailers and other companies. Building and maintaining the
platform enables services that they would not have created on their own, like
Uber or Lyft, which in turn, have created their own platforms.
Marketers trying to address customers’ needs
can plug into platforms to broaden offerings or deepen engagement with target
markets. Platform-based thinking implies that product and service design is
ongoing and doesn’t stop with a product launch. Jack Dorsey didn’t stop
when he built the Square credit card reader. The team went into lending
with Square Capital. They got into consumer P2P payments with Square
Cash. Their ecosystem has grown through partnerships with other companies
as well as in-house development.
Digital Identities open the gates
How do your customers interact with you?
Do they need to create a username and password, or can they use a third-party
system like Google or Facebook? Are security services like
two-factor authentication or biometrics used to protect credentials? Is
your company protecting customer identities adequately? The importance of
all of these questions is increasing and often the difference between being
forced into early retirement by a massive data breach or surviving to continue
to grow your business.
While identity management and digital
security might not be top of mind for most marketers, they are table stakes for
even the most basic future business. History is full of tales of rulers
successfully fighting off armies laying sieges on castles and fortresses, only
to fail when another army gets access to a key for the back door.
Context rules the experience
Credit card transactions moved from
predominantly being in-store, to e-commerce sites accessed from desktop
computers, and now to mobile phones. As the point-of-purchase expanded,
so did the consumer use cases and thought processes. In tandem, mobile screens
present less information than desktop computer screens, which in turn present
less information than associates in a brick-and-mortar environment.
Companies best able to understand context and deliver the right user
experience within these constraints will build loyal customer relationships.
Apps or services created for a different
use cases on the same platform, such as Facebook and Messenger apps, can help
achieve this. Banks, too, have different apps for managing accounts or for
completing transactions or payments. On a desktop, you can access these
services through a single interface, but on mobile, forcing users to select
their use case helps present a streamlined experience on the smaller, more
time-constrained mobile screen. The use of additional data such as
location, device, etc. can further streamline the experience. Marketers that
don’t think about the context will lose the battle before it even begins.
Data is gold
While a marketer’s goal is to generate
sales, data has become a value driver. In the financial world, data about
payments, assets and liabilities has become critical in how products and
services are delivered. PayPal, a fintech that began even before the word
‘fintech’, has recently been using payments data from their platform to help
build a lending business for their customers. Similarly, an SME lender
named Kabbage has grown to unicorn status by using data from other sources to
make smarter lending and pricing decisions. In the payments industry,
Stripe distilled a previously complex technology integration into a minimal
data set, accessed via API, to easily build payments into new digital products.
Those that are able to harness the power of
data will be able to predict what customers want and more effectively address
their needs. In some cases, it might be using data from within your
enterprise or from other platforms for targeting, pricing or servicing
decisions. In other cases, it might be using data to reimagine what your
product or service is.
Looking for more insights on key trends in
money? Hear from 400+ industry leaders at Money20/20 USA. Money20/20 USA will
be held on October 27-30, 2019 at The Venetian Las Vegas. To learn more and
attend visit us.money2020.com.
We’ve been thinking about Mobility as a Service (MaaS)
for some time. I remember suggesting its consideration in a meeting with a UK
sub-national transport body (STB) in 2016 and the question being ‘Isn’t MaaS
just a buzz-word?’ In December 2018, the UK Government Office for Science
issued a review, ‘MaaS
in the UK: Change and its implications’. It was commissioned as part
of the UK government’s Foresight Future of Mobility project.
While the review contains the usual disclaimer, ‘this document is not a statement of government policy’, there is actually a lot of change happening in transit-related policy, based around the opportunities presented by technology and the need to provide convenient services for the travelling public, while limiting the impact on the environment. The Williams Rail Review was launched by the Department for Transport in 2018, taking evidence through 2019, with a view to implementation starting in 2020. Its purpose is to put passengers at the heart of the railway of the future, while taking into account the needs of operators and the taxpayer.
The Rail Delivery Group has
responded to the Williams review. They report that eight out of ten
people feel the current system should be overhauled, while nine out of ten are
in favour of smart or electronic ticketing. They also describe the need to
include a range of flexible options to support passenger choice. Integrated and
Smart Ticketing offers a way of achieving these goals, incorporating
flexibility to accommodate a variety of services in a format that is convenient
The Rail Delivery Group itself has undertaken a
consultation on simplification of fares, resulting in the publication of the
‘Easier Fares for All’ report.
They received around 20,000 responses to the consultation, with very strong
support for simplification of fare structures. At present, there is a huge
variety of fare products available, which means that a passenger can
never be sure of getting best value. The priorities highlighted by
responses to the consultation were value for money, fair pricing, simplicity,
flexibility and assurance. MaaS is specifically mentioned as a goal in the
report, to be achieved by simplification of fare structures and implementation
of appropriate technologies. Account-based ticketing, to include capping and
integration with other modes of transport such as buses and trams, was also
Even before all this, the UK government had policies in place that would seem to be ideal for the encouragement of MaaS implementations. These included:
Department for Transport:
MaaS could offer an opportunity to support the DfT’s high-level policy commitments, namely: Boosting economic growth and opportunity, Building a One Nation Britain, Improving journeys, and Safe, Secure and Sustainable Transport. Specifically, MaaS would offer a greater level of integration between modes of transport and enable passengers to have confidence in choosing a variety of different options for their journey. This could encourage individuals to choose public transport more often, promoting social cohesion and sustainability.
The DfT’s Single Departmental Plan (SDP) 2015-2020 outlines the progress made in supporting the Department’s high-level policy commitments. The SDP’s commitments cross a range of transport sector delivery areas and illustrate DfT’s engagement in many initiatives that support the development of MaaS. These include capping of fares, introduction of more flexible part-time season tickets, and a focus on accessibility to enable people with disabilities to have confidence in public transport provision.
Department of Health:
To support active lifestyle objectives – perhaps through engaging the travel behaviour change capabilities of MaaS. This is typified by initiatives by TfL to encourage people to walk or cycle rather than taking the tube.
Reducing respiratory and air quality related health issues – perhaps through engaging with MaaS Providers to manage travel patterns in areas with poor air quality. This could include managing the types and numbers of vehicles permitted in an area. This can be achieved in a number of ways, such as using bus lanes to promote public transport and giving low emissions vehicles exemptions to congestion charging.
Department for Business, Innovation and Skills:
Supporting innovation and growth, particularly in the sharing economy. This could include car sharing, ride sharing and other innovative approaches to transport and ticketing.
Supporting new markets for Connected and Autonomous Vehicles (CAV). This might include provision of autonomous vehicles for use by visitors within a tourist area or more effective monitoring of the use of hire cars in and around airports.
At the time of writing, the government has tabled secondary
legislation, expected to pass very shortly, to mandate net-zero
carbon emissions throughout the economy by 2050. MaaS is expected to be a key
enabler in reaching this goal by offering a range of more convenient
alternatives to individual passenger car journeys. These might include ride
sharing, car sharing, or simply bus and train services that are better tailored
to local needs. Paying for a recharge of an electric vehicle at (say) a park and
ride centre, potentially at a discount to that available commercially in city
centre car parks might be considered.
The UK government has described its support for
transformation in the area of mobility in its paper “Future
of mobility: urban strategy”. It promotes safe and secure mobility
services designed around the needs of the individual, which prioritise active
travel such as walking and cycling. It also highlights the key role of mass
transit, with the aim of reducing congestion and emissions. Creative use of
published data is seen as an important tool in managing an integrated mobility
The MaaS Alliance and UK Transport Systems Catapult
commissioned a survey in spring 2017 to generate data on the critical
regulatory enablers and barriers for the development and full deployment of
MaaS. It is worth noting that policy targets on emissions are likely to have a
positive effect on MaaS market developments.
A recent report by the House of Commons Transport Committee concluded:
The key choices the Government can make are on its approach to the governance around MaaS in the areas of incentivising data sharing; introducing a regulatory framework such as a code of conduct and ensuring passenger rights are protected.
Finland was the first country to regulate to facilitate
the pre-conditions necessary for MaaS. Their Act on Transport Services (also
known as the Transport Code) was adopted in April 2017. All provisions in the
Act entered into force by July 2018. It promotes customer-oriented,
market-based transport services on a competitive basis. It aims to enable new
technologies and digitalisation into the transport sector. It obliges transport
operators to make essential data available and provides for the
interoperability of ticketing and payment systems. The presentation in January
from Minna Soininen, Director of the Finnish Public Transport Association, was less
than glowing about the progress to date since regulation, indicating that the
way forward is still not clear.
A lot has changed since our STB meeting in 2016. Our
recent work with another STB uncovered a shift in thinking. A facilitation role
is being sought and there is openness to forming partnerships with a wide range
of mobility providers. There is a great deal of uncertainty about the future of
MaaS and therefore future policy makers are looking at how to better deal with
uncertainty and avoid committing too strongly to the early adopters.
If you’re interested in finding out more, please contact:
The doom-laden headlines appearing in the press have, it seems, worked and the EBA has decided to replace the 14th September deadline for the introduction of SCA with … another deadline. Only they won’t tell us what it is, presumably we have to figure it out for ourselves.
So, let’s see what the EBA has done now …
Firstly, they haven’t actually changed the date as they can’t, it’s written into EU law. But given dire warnings of a collapse in online payments they’ve come up with a fudge:
The EBA therefore accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, CAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.
Let’s summarise that. National regulators – competent
authorities (CAs) – may work with PSPs (Issuing and Acquiring banks) and
unregulated actors (merchants, consumers) to agree to delay the introduction of
SCA. Which presumably means unprepared merchants and confused consumers are
breathing a sigh of relief. Unfortunately, as this is now in the hands of local
regulators there’s no guarantee at all that this will be applied evenly,
opening up the possibility that some countries will enforce and others (notably
the UK and France) will not.
On top of that, there’s no guarantee that Issuers won’t
apply SCA anyway, even if their local regulator permits them to not do so. So
merchants who are unprepared may still find themselves suffering random
declines. And, furthermore, if Acquirers haven’t implemented the necessary
changes then even if the merchants are compliant they may still have
transactions irrevocably declined.
Note also the “limited additional time” clause. Frankly, introducing SCA prior to the critical holiday shopping period was foolish anyway (but was an unintended consequence of the 18 month implementation period following the adoption of the RTS), so we can assume that the date will be pushed out at least into early or mid 2020. The EBA adds (but not in the actual Opinion):
In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.
And that’s the catch:
This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their CA, and execute the plan in an expedited manner. CAs should monitor the execution of these plans to ensure swift compliance with the PSD2 and the EBA’s technical standards and to achieve consistency of authentication approaches across the EU.
Basically, Issuers and Acquirers need to publish what they’re
going to do including how they’re going to communicate the requirements to
consumers and merchants respectively. Quite how this is all going to be
co-ordinated is unclear – no sensible merchant is going to disadvantage
themselves by unilaterally turning on SCA when its competitors aren’t. Issuers
may take the same approach, as they probably don’t want their cardholders
switching to other banks: but there’s no requirement on them to do so.
The rest of the opinion focuses on the validity of various authentication
factors. That’s interesting too, but we’ll look at the implications of it
The one thing this does allow is for 3DS-2.2 to be made
ready. That’s an advantage to smart merchants who can at least develop a
proper, low friction SCA strategy. In the meantime, we’re looking forward to
getting involved in lots of migration planning.
The opening keynote at identity week in London was given by Oliver Dowden, the Minister for implementation at the Cabinet office and therefore the person in charge of the digital transformation of government. At Consult Hyperion we think digital identity is central to digital transformation of government (and the digital transformation of everything else, for that matter) so I was looking forward to hearing the UK government’s vision for digital identity. I accompanied the Minister on his visit to the IDEMIA stand where he was shown a range of attractive burgundy passports.
In his keynote, the Minister said that the UK is seen as being at the cutting edge of digital identity and that GOV.UK Verify is at the heart of that success.
(For foreign visitors, perhaps unfamiliar with this cutting edge position, a spirit of transparency requires me to note that back on 9th October 2016, Mr. Dowden gave written statement HCWS978 to Parliament, announcing that the government was going to stop funding Verify after 18 months with the private sector responsible for funding after that.)
Given that the government spends around £1.5 billion per annum on “identity, fraud, error, debt, how much identity costs to validate, and how much proprietary hardware and software bought”, it’s obviously important for them to set an effective strategy. Now, members of the public, who don’t really know or care about digital ID might be saying to themselves, “why can’t we just use ‘sign in with Apple’ to do our taxes?”, and this is a good point. Even if they are not saying it right now, they’ll be saying it soon as they get used to Apple’s mandate that all apps that allow third-party sign-in must support it.
Right now you can’t use a GOV.UK Verify Identity Provider to log into your bank or any other private sector service provider. But in his speech the Minister said that he looks forward to a time when people can use a single login to “access their state pension and the savings account” and I have to say I agree with him. Obviously you’d want a different single login for gambling and pornography, but that’s already taken care of as, according to Sky News, “thanks to its ill-conceived porn block, the government has quietly blundered into the creation of a digital passport – then outsourced its development to private firms, without setting clear limits on how it is to be used”. One of these firms runs the world’s largest pornography site, Pornhub, so I imagine they know a thing or two about population-scale identity management.
Back to the Minister’s point though. Yes, it would be nice to have some sort of ID app on my phone and it would be great if my bank and the HMRC and Woking Council and LinkedIn would all let me log in with this ID. The interesting question is how you get to this login. Put a PIN in that and we’ll come back to it later.
The Minister made three substantive points in the speech. He talked about:
The creation of a new Digital Identity Unit, which is a collaboration between DCMS and Cabinet Office. The Unit will help foster co-operation between the public and private sector, ensure the adoption of interoperable standards, specification and schemes, and deliver on the outcome of the consultation.
A consultation to be issued in the coming weeks on how to deliver the effective organisation of the digital identity market. Through this consultation the government will work with industry, particularly with sectors who have frequent user identity interactions, to ensure interoperable ‘rules of the road’ for identity.
The start of engagement on the commercial framework for consuming digital identities from the private sector for the period from April 2020 to ensure the continued delivery of public services. The Government Digital Service will continue to ensure alignment of commercial models that are adopted by the developing identity market to build a flourishing ecosystem that delivers value for everyone.
The Minister was taken away on urgent business and therefore unable to stay for my speech, in which I suggested that the idea of a general-purpose digital identity might be quite a big bite to take at the problem. So it would make sense to look at who else might provide the “digital identities from the private sector” used for the delivery of public services. Assuming the current GOV.UK Verify identities fail to gain traction in the private sector, then I think there are two obvious private sector coalitions that might step in to do this for the government: the big banks and the big techs.
For a variety of reasons, I hope that the big banks are able to come together to respond to the comments of Mark Carney, the Governor of the Bank of England, on the necessity for a digital identity in the finance sector to work with the banks to develop some sort of financial services passport. I made some practical suggestions about this earlier in the year and have continued to discuss the concept with potential stakeholders. I think it stacks up, but we’ll have to see how things develop.
On the other hand, if the banks can’t get it together and the big techs come knocking, they are already showing off their solutions. I’ll readily admit that when the Minister first said “private sector identities”, the first thought to flash across my brain was “Apple”. But I wouldn’t be at all surprised to go over to the HMRC web site fairly soon to find a “log in with Amazon” and “log in with Apple” next to a button with some incomprehensible waffle about eIDAS that I, and most other normal consumers I’m sure, will simply ignore.
How do you use Apple ID to log into the Inland Revenue? Easy: you log in as you do now after sending off for the password and waiting for it to come in the post and that sort of thing and then once you are connected tell them the Apple ID that you want to use in the future. If you want to be “email@example.com” or whatever, it doesn’t matter. It’s just an identifier for the Revenue to recognise you in the future. Then next time you go to the Inland Revenue, you log in as firstname.lastname@example.org, something pops up on your iPhone and you put your thumb on it or look at it, and bingo you logged in to fill out your PAYE.
How time flies, GDPR has
just had its first birthday!
This past year you will
have been inundated with articles and blogs about GDPR and the impact on
consumers and businesses alike. According to the UK’s Information Commissioner,
Elizabeth Denham, GDPR and its UK implementation, the Data Protection Act (DPA)
2018, has marked a “seismic shift in privacy and information rights”.
Individuals are now more aware of their information rights and haven’t been shy
about exercising them. In the UK, the ICO received
around 14,000 personal data breach reports and over 41,000 data protection
concerns from the public from 25 May 2018 to 1 May 2019, compared to around
3,300 PDB reports and 21,000 data protection concerns in the preceding year. Beyond
Europe, the regulation has had a remarkable influence in other jurisdictions, where
they have either enacted or are in the process of enacting a ‘GDPR equivalent’ law
– something similar is underway in Brazil,
With all the good
intentions of GDPR, some of its provisions contradict other, equally
well-intentioned EU laws. Bank secrecy laws, on one hand, require that customers’
personal data should be protected and used for the intended purpose(s), except
where otherwise consented to by the customer. AMLD4/5 on the other hand,
requires that identifying personal data in ‘suspicious transactions’ should be
passed on to appropriate national authorities (of course without the customer’s
consent/ knowledge). Then PSD2 requires banks to open up customers’ data to authorised
Third Party Providers (TPPs), subject to obtaining the customer’s consent. One issue that arises out of this is the seeming incongruity
between Article 94 PSD2’s explicit consent, and GDPR’s (explicit) consent.
Under GDPR, consent is
one of the lawful bases for processing personal data, subject to the strict requirements
for obtaining, recording, and managing it, otherwise it’s deemed invalid. In
some cases, a lack of good understanding of these rules has resulted in poor
practices around consent processing. That is why organisations like the Kantara Initiative
are leading the effort in developing specifications for ‘User Managed Access’
and ‘Consent Receipt’.
In addition, EU regulators
have been weighing in to clarify some of the conundrums. For example, the Dutch
DPA issued a guidance
on the interplay of PSD2/GDPR, which shows that there’s no straightforward
answer to what one might think is a relatively simple question. The
has also published an opinion
on the interplay between GDPR, and the slowly but surely evolving ePrivacy
regulation. Suffice to say, correctly navigating the compliance
requirements of all these laws is indeed challenging, but possible.
What will the second
year of GDPR bring?
While regulators are keen
to enforce the law, their priority is transparent co-operation, not penalties. The
ICO has provided support tools, and guidance, including a dedicated help line and
chat services to support SMEs. They are also in the process of “establishing
a one-stop shop for SMEs, drawing together the expertise from across our
regulatory teams to help us better support those organisations without the
capacity or obligation to maintain dedicated in-house compliance resources.”
However, for those who still choose to ‘wilfully or negligently break the law’,
GDPR’s recommended administrative
fines may help to focus the mind on what is at stake, in addition to
the ‘cleaning up’ costs afterward. Supervisory Authorities require time and
resources to investigate and clear the backlog as a result of the EU
wide increase in information rights queries and complaints of the past one year.
The UK’s ICO, and its Netherlands and Norwegian counterparts are collaborating
to harmonise their approaches and establish a “matrix”
for calculating fines. France’s CNIL has led the way with the $57
million Google fine earlier in the year; the ICO has confirmed
that there will soon be fines for “a
couple of very large cases that are in the pipeline”, and the Irish DPC expects to levy “substantial”
fines this summer.
A new but important principle
in GDPR is the ‘accountability principle’ – which states that the data
controller is responsible for complying with the regulation and must be
able to demonstrate compliance. So, it is not enough to say, ‘we have
it,’ you must be able to produce ‘appropriate evidence’ on demand to back it
up. The ICO states in its ‘GDPR
– one year on’ blog that “the focus for the second year of the
GDPR must be beyond baseline compliance – organisations need to shift their
focus to accountability with a real evidenced understanding of the risks to
individuals in the way they process data and how those risks should be
mitigated.” By now one would expect that most organisations would have put
in the effort required beyond tick boxes to achieve an appropriate level of
compliance with the regulation so they can reap the reward of continued
business growth borne out of trust/loyalty from their customers.
One of the methods of demonstrating
GDPR accountability is through a Data Protection Impact Assessment (DPIA)
– a process by which organisations can systematically analyse, identify, and
minimise the data protection risks of their project or plan ‘before going live.’
GDPR does not mandate a specific DPIA process, but expects whichever
methodology chosen by the data controller to meet the requirements specified in
its Article 35(7).
At Consult Hyperion, we
have a long track record of thinking about the risks associated with
transactional data, so much so that we published and continue to use our own Structured
Risk Analysis (SRA) methodology. Our approach, in response to the needs of
our customers, has always been to describe the technological risks in a
language that allow the business owner, who ultimately owns the risk, to make a
judgement. Building on this we have developed a business focused approach to GDPR
compliant DPIA to help our customers, for the products we design, review, or
develop for them.
If you’re interested in finding out more, please contact: email@example.com
On Friday 13th September this year, PSD2 Strong Customer Authentication (SCA)
comes into full force.
Anecdotally, the lack of readiness of the card payment industry is beginning to
suggest that the immediate impact may well look like the aftermath of a dinner
party hosted by Jason Voorhees.
To summarise: after 13th September 2019 (yes,
that’s in just over 3 months) account-holding banks must require two-factor
authentication compliant with PSD2 SCA on all electronic payments, including
all remote card payments, unless an applicable exemption is triggered. There
are no exceptions allowed to this; there is no concept of merchants choosing to
take liability and avoiding SCA. In the event that a merchant attempts a
transaction without SCA and the issuing bank determines that no exemption
applies, or that there is significant risk associated with the payment, the bank must
decline and request the merchant to perform a step-up authentication.
Currently, the only real option open to merchants for
performing SCA for online card payments is 3DS. To support all of the PSD2
exemptions – which are needed to provide a near frictionless payment experience
– the very latest version, 3DS2.2, must be used. As it stands, however, 3DS2.2
will not be ready, so the initial implementation of this will be sub-optimal.
So, come 14th September this year what will happen?
Figures are hard to come by, but within Europe we believe
that 75% of merchants don’t implement 3DS today. We also believe that about a
fifth of large issuers are taking a hard line in order to be compliant with the
regulations and will decline all non-3DS transactions. Even where the issuer is
taking a more subtle approach they will request step-up SCA on somewhere
between 1 in 5 and 1 in 10 transactions. On top of this, if the merchant
does not support 3DS and the issuer authorises anyway, any fraud is the
merchant’s responsibility: for non-complying merchants this is a lose-lose-lose.
Given this woeful state of preparedness there’s some
industry hope that the regulators may take a relaxed view of compliance come
September. Certainly there are representations being made in Brussels, but we
think it’s unlikely there’ll be any relief from that direction: (1) the
migration date is written into law, national regulators cannot alter it and (2)
many issuers will implement PSD2 fully regardless of any softening of the
implementation. We suspect that there may be some movement from national
regulators since the alternative may be unthinkable, but travelling hopefully
doesn’t look like much of a strategy, especially if you’re an e-com retailer or
Going forward there are a wide range of solutions being
developed which will mitigate the impact of SCA on cardholders. Ultimately 3DS
is not the only solution, but it is the only pervasive one and it certainly is
the only one available in the current time frames.
What can merchants do to avoid carnage in September? Well, as a matter of urgency they need to engage with their PSPs to ensure that they’re capable of supporting 3DS. Given that there’s likely to be a last minute rush the earlier this happens the better. Secondly, to meet 3DS requirements they need to be capturing a range of customer data to feed into the underlying risk management processes (which, of course, needs to be GDPR compliant). And finally, they need to be working on a proper PSD2 SCA strategy that ensures, going forward, that they can minimise the impact on their customers, provide the minimum friction in the payments process and maximise transaction completion.
Here at Chyp we’ve spent the last two years helping Issuers,
Schemes, Acquirers, PSPs and merchants prepare – so although the impact across
the payments industry may be patchy, we know there will be winners as well as
losers. If the worst case comes to pass then the only merchants likely to
escape the bloodbath come September are those taking action now. And there’s
unlikely to be any downside to immediate action – PSD2 has been in the works
for over five years, the SCA implementation date has been known for over a
year, and there’s little indication that the European Commission intends to
undo or loosen the regulations.
Friday 13th is coming, best make sure you’re
The mention of biometric cards may be met with a raised brow or a quizzical look. But if you offer a further explanation and ask a consumer if they can see the convenience of holding a payment card with a biometric sensor on it to make a high value payment without having to enter a PIN, things suddenly become clear and are generally very well received.
UK’s NatWest, France’s Société Générale and Italy’s Intesa Sanpaolo are all in the race to deliver this added convenience to their customers. The solution consists of a physical card with a fingerprint reader embedded in it, enabling the cardholder to authenticate themselves before tapping the card on the terminal. An interesting solution to a problem already solved by Apple Pay and the like, you might be tempted to think.
Not quite. Market segments either left behind by or averse to the mobile payments revolution can finally be targeted. My mother is part of that category. She fully adopted contactless payments when she visited me here recently, finding PINs to be too much of a hassle, but quickly reverted to cash when she realised that contactless wouldn’t get her the weekly shop at Monoprix, by default greater than the 30 EUR limit, without the PIN accoutrement.
This biometric card offering also resolves the customer pain that is likely to hit contactless card payments as from the 14th September 2019, when the Regulatory Technical Standards (RTS) start to apply.
In less than six months, unless applicable exclusions apply, conventional contactless cards would, in all likelihood, need to be chipped and pinned again after as little as 5 coffees. These new biometric cards offer an edge on this issue.
Biometrics as a CVM, like PINs, satisfy the Strong Customer Authentication (SCA) requirement of having at least two of three independent elements:
Knowledge (e.g. PIN)
Possession (e.g. card possession)
Inherence (e.g. biometrics)
The difference however lies in the perception of this SCA transaction. Where PINs would require lengthy Online PIN authentications in contactless or cumbersome and disruptive step-ups to contact transactions, biometrics on card offer a seamless continuity in payment ergonomics.
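To make the decision logic concrete, here is an added example (my own illustration, not Consult Hyperion code) of the issuer-side rules described in the PSD2 post above: approve when two elements from different categories were verified, approve without SCA only when an exemption applies, and otherwise decline and request a step-up. It also models the contactless counter behind the "5 coffees" remark. The exemption thresholds (50 EUR per contactless tap, 150 EUR cumulative or five taps since the last SCA, 30 EUR for low-value remote payments) are my reading of the RTS and are plain constants an issuer would configure; the "high risk" flag stands in for whatever transaction risk scoring the issuer runs.

```python
"""Illustrative issuer-side PSD2 SCA decision logic (added example, not Consult Hyperion code)."""
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three independent SCA element categories."""
    KNOWLEDGE = "knowledge"      # e.g. PIN
    POSSESSION = "possession"    # e.g. the card itself
    INHERENCE = "inherence"      # e.g. fingerprint read on the card


class Decision(Enum):
    APPROVE = "approve"
    # "Soft decline": the issuer declines and asks the merchant/PSP to perform SCA (e.g. a 3DS challenge)
    STEP_UP = "step-up"
    DECLINE = "decline"


# Exemption thresholds (assumed from the RTS: Art. 11 contactless, Art. 16 low-value remote).
# An issuer would configure these; this example applies both the count and the cumulative limit.
CONTACTLESS_MAX_AMOUNT = 50.00
CONTACTLESS_MAX_CUMULATIVE = 150.00
CONTACTLESS_MAX_COUNT = 5
REMOTE_LOW_VALUE_MAX = 30.00
REMOTE_LOW_VALUE_MAX_COUNT = 5


@dataclass
class CardState:
    """Per-card counters, reset every time SCA is successfully applied."""
    contactless_count: int = 0
    contactless_cumulative: float = 0.0
    remote_count: int = 0


@dataclass
class Transaction:
    amount: float
    channel: str                                  # "contactless" or "remote"
    factors: set = field(default_factory=set)     # Factor members actually verified
    high_risk: bool = False                       # issuer's own risk engine flagged the payment


def is_sca(factors):
    """SCA means at least two elements from different categories (two PINs do not count)."""
    return len(set(factors)) >= 2


def contactless_exempt(tx, state):
    return (tx.channel == "contactless"
            and tx.amount <= CONTACTLESS_MAX_AMOUNT
            and state.contactless_count < CONTACTLESS_MAX_COUNT
            and state.contactless_cumulative + tx.amount <= CONTACTLESS_MAX_CUMULATIVE)


def remote_low_value_exempt(tx, state):
    return (tx.channel == "remote"
            and tx.amount <= REMOTE_LOW_VALUE_MAX
            and state.remote_count < REMOTE_LOW_VALUE_MAX_COUNT)


def decide(tx, state):
    """Return the issuer's decision and update the card's counters in place."""
    if tx.high_risk:
        # Significant risk: no exemption may be used. Ask for SCA if it was not
        # performed; if it was and the risk remains, decline outright.
        return Decision.DECLINE if is_sca(tx.factors) else Decision.STEP_UP
    if is_sca(tx.factors):
        state.contactless_count = 0
        state.contactless_cumulative = 0.0
        state.remote_count = 0
        return Decision.APPROVE
    if contactless_exempt(tx, state):
        state.contactless_count += 1
        state.contactless_cumulative += tx.amount
        return Decision.APPROVE
    if remote_low_value_exempt(tx, state):
        state.remote_count += 1
        return Decision.APPROVE
    # No exemption applies: the bank must decline and request step-up authentication.
    return Decision.STEP_UP


def simulate_coffees(n, price=3.00):
    """Tap a conventional card n times for small contactless payments (possession only)."""
    state = CardState()
    return [decide(Transaction(price, "contactless", {Factor.POSSESSION}), state) for _ in range(n)]


if __name__ == "__main__":
    print([d.value for d in simulate_coffees(6)])          # sixth coffee needs a step-up
    biometric = Transaction(80.0, "contactless", {Factor.POSSESSION, Factor.INHERENCE})
    print(decide(biometric, CardState(contactless_count=5)).value)  # fingerprint on card: approved
```

Running the script shows the two behaviours the posts describe: a conventional contactless card is sent for step-up on the sixth small tap, while a biometric card tapping with possession plus inherence is approved above the contactless limit and resets the counters.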
Moreover, biometrics are expected to be non-repudiable. Back in the day, signatures could make up for extravagant excuses like those of Rebecca Bloomwood in Sophie Kinsella’s “The Secret Dreamworld of a Shopaholic”:
I never go to Millets. […]. Some criminal’s pinched my credit card and forged my signature. Who knows where else they’ve used it? No wonder my statement’s so black with figures. […]. Someone must have pinched it from my purse, used it – and then put it back.
Sophie Kinsella: “The Secret Dreamworld of a Shopaholic”
Such excuses are less likely for PINs, but not impossible, considering shoulder surfing. And nearly impossible for biometrics.
There is therefore a risk, albeit an infinitesimal one, of a “wolf” (someone whose subset of “8 features on a 100mm2 fingerprint sensor” happens to match) going on that Millets spending spree. A little far-fetched, certainly, when working out the probabilities.
The greatest challenge, however, lies at the very heart of the solution: biometric self-enrolment. The enrolment procedures for roll-out have not been entirely unveiled yet. A proper enrolment procedure design is crucial to the whole lifecycle of the card, requiring a careful balance between the comfort of an easy procedure, maximum assurance that the right individual is being enrolled, and well-suited risk mitigation actions. Unlike the OEM-Pays which, being based on phones, are able to run interactive onboarding checks, enrolment for the card form factor is not straightforward. Various solutions are being proposed, ranging from a controlled enrolment at the bank to checking in on a banking portal, or online equivalent, after enrolment. It is not clear that any one of these is the right answer for all customers.
Finding an optimal solution is vital. As Mastercard puts it, “it’s all about providing options that make life easier and more convenient, ultimately improving the shopping experience without compromising safety and security.”
The reasons behind the presence of a mag stripe on cards alongside the chip (and PIN) have long been a debate at Consult Hyperion, especially for the US, where things were different for years – of course now the US has introduced chip and PIN as well.
numbers and signatures on cards helps criminals. There’s no need for it.
A couple of years later, in “Tired: Banks that store money. Wired: Banks that store identity”, we asked why banks didn’t put a token in Apple Pay that didn’t disclose the name or personal information of the holder, a “stealth card” that could be used to buy adult services online using the new Safari in-browser Apple Pay experience. This would be a simple win-win: good for the merchants as it would remove CNP fraud and good for the customers as it would prevent the next Ashley Madison catastrophe. Keep my real identity safe in the vault, give the customer a blank card to go shopping with.
Some years ago, when we were testing Static Data Authentication (SDA) “chip and PIN” cards in the UK, we used to make our own EMV cards. To do this, we took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.
You might call
these cards pseudo-clones. They acted like clones in that they worked correctly
in the terminals, but they were not real clones. They didn’t have the right
keys inside them. Naturally, if you made one of these pseudo-clones, you didn’t
want to be bothered with PIN management so you made it into a “yes card” –
instead of programming the chip to check that the correct PIN is entered, you
programmed it to respond “yes” to whatever PIN is entered. We used these
pseudo-clone cards in a number of shops in Guildford as part of our testing
processes to make sure that issuers were checking the cryptograms properly. Not
once did any of the Guildford shopkeepers bat an eyelid about us putting these
strange blank white cards into their terminals. Of course, it’s worth noting that
things have progressed and fortunately this wouldn’t work now, as the schemes
have moved on from SDA.
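The issuer-side check that the testing above was probing, as an added example (my own illustration, not Consult Hyperion code): the host derives the card's key from an issuer master key, recomputes the cryptogram over the transaction fields, and rejects anything that does not match, so a filler value like “SDA ANTICS” is caught while a genuine card's cryptogram passes; an issuer configured not to check simply approves. It also rejects a replayed Application Transaction Counter, a check a real host makes alongside the MAC. Real EMV uses 3DES or AES session keys and a CBC-MAC over the CDOL data; HMAC-SHA256 stands in for that here, and the master key, PAN, and unpredictable number are constructed values.

```python
"""Illustrative issuer-side cryptogram verification (added example, not Consult Hyperion code).
HMAC-SHA256 replaces the EMV 3DES/AES CBC-MAC; the structure of the check is what matters."""
import hashlib
import hmac

# Constructed issuer master key for the example; a real one never leaves an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def card_key(master_key, pan, pan_seq="00"):
    """Derive the per-card key from PAN and sequence number (simplified diversification)."""
    return hmac.new(master_key, (pan + pan_seq).encode("ascii"), hashlib.sha256).digest()


def session_key(udk, atc):
    """Per-transaction session key bound to the Application Transaction Counter."""
    return hmac.new(udk, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cdol_data(amount_minor, currency, atc, unpredictable_number):
    """Fields the cryptogram covers (a subset of the real CDOL list)."""
    return (amount_minor.to_bytes(6, "big") + currency.encode("ascii")
            + atc.to_bytes(2, "big") + unpredictable_number)


def compute_cryptogram(udk, atc, data):
    """What a genuine card computes with the key held inside its chip (8-byte MAC)."""
    return hmac.new(session_key(udk, atc), data, hashlib.sha256).digest()[:8]


class Issuer:
    def __init__(self, master_key, check_cryptograms=True):
        self.master_key = master_key
        self.check_cryptograms = check_cryptograms
        self.last_atc = {}  # PAN -> highest ATC accepted, for replay detection

    def authorise(self, req):
        """Return (approved, reason) for an online authorisation request."""
        pan, atc = req["pan"], req["atc"]
        if not self.check_cryptograms:
            # The failure mode described in the text: anything goes through.
            return True, "approved without cryptogram check"
        if atc <= self.last_atc.get(pan, -1):
            return False, "ATC not increasing (replay?)"
        data = cdol_data(req["amount"], req["currency"], atc, req["un"])
        expected = compute_cryptogram(card_key(self.master_key, pan), atc, data)
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False, "invalid cryptogram"
        self.last_atc[pan] = atc
        return True, "cryptogram verified"


def make_request(pan, amount, currency, atc, un, cryptogram):
    return {"pan": pan, "amount": amount, "currency": currency,
            "atc": atc, "un": un, "cryptogram": cryptogram}


def demo():
    """Run a genuine card, a filler cryptogram and a replay past strict and lax issuers."""
    pan = "4111111111111111"                 # constructed test PAN
    un = bytes.fromhex("deadbeef")           # constructed terminal unpredictable number
    udk = card_key(ISSUER_MASTER_KEY, pan)   # the genuine card's personalised key
    genuine = make_request(pan, 1250, "826", 7, un,
                           compute_cryptogram(udk, 7, cdol_data(1250, "826", 7, un)))
    bogus = make_request(pan, 1250, "826", 8, un, b"SDA ANTI")  # filler, no key involved
    strict = Issuer(ISSUER_MASTER_KEY)
    lax = Issuer(ISSUER_MASTER_KEY, check_cryptograms=False)
    return {
        "genuine_strict": strict.authorise(genuine)[0],
        "bogus_strict": strict.authorise(bogus)[0],
        "replay_strict": strict.authorise(genuine)[0],   # same ATC again
        "bogus_lax": lax.authorise(bogus)[0],
    }


if __name__ == "__main__":
    for case, approved in demo().items():
        print(f"{case}: {'approved' if approved else 'declined'}")
```

The only difference between the strict and lax issuers is whether the host bothers to recompute the MAC; the cryptogram itself cannot be forged without the diversified card key, which is the point the paragraph above makes about cloning.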
I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this, he made a similar white plastic pseudo-clone card and went into a shop to try it out.
When he put
the completely white card into the terminal, the Brazilian shopkeeper stopped
him and asked him what he was doing and what this completely blank white card
was, clearly suspecting some misbehaviour.
My contact, thinking quickly, told him that it was one of the new Apple credit cards!
“Cool” said the shopkeeper, “How can I get one?”.
That story was written back
in 2014! There was no white Apple credit card at that time, but it
was interesting that the shopkeeper expected an Apple credit card to be all
white and with no personal data on display, just as we had suggested in our
ancient ruminations on card security. Imagine the total lack of surprise when
the internet tubes delivered the news of the new actual Apple credit card
launched in California a couple of weeks ago. Apple CEO Tim Cook said that
the new Apple Card would be the biggest card innovation “in 50 years” [FT].
This seems a little rough on the magnetic stripe, online authorisation,
chip and PIN, debit cards, contactless interfaces and so on, but it is
certainly an interesting development for people like us at Consult
The launch gathered the usual media interest, with a number of reports on the web talking of
“Apple going into banking”, which, obviously, they are not. Far from it. The
Apple Card issuer is Goldman Sachs (it’s their first credit card product) and
the card product is wholly unremarkable. The card looks pretty cool though, no
doubt about that. I still don’t know why they put the cardholder name on the
front (instead of their Apple ID).
Apple Card is launching into an interesting environment. The US POS is a confusing place but Apple know their stuff and I am sure that they think they can use the 2% cash back on ApplePay purchases vs. the 1% on chip/stripe to push people toward the habit of using their phones at POS instead of cards. Judging by the sign I saw in an Austin gas station, they may be right.
The Apple Card adds security, there’s no doubt about that. The card-not-present PAN and CVV displayed by the app (which can be refreshed) are not the same as the PAN and CVV on the stripe, so you can’t make counterfeit stripe cards with data from the app. Apple also uses the Mastercard token Account Update service, so if you give (say) Spotify the CNP PAN/CVV and then refresh it, you don’t need to tell Spotify that you’ve changed anything, because Mastercard will sort it out with Spotify. That’s security for the infrastructure and convenience for the customer.
Now You See It
While I was jotting down some notes about Apple Card, I was thinking about David Kwong, the illusionist. He gave an entertaining talk at Know 2019 in Las Vegas and I was privileged to MC his session. I was sitting feet away from him and I couldn’t figure out how he did it. That’s because he is a master of misdirection!
I can’t help
feeling that there’s a bit of misdirection going on with Apple Card. The press
are reporting about the card product, but it’s really not that earth
shattering. It seems to me that what is really important in the
announcement isn’t extending Goldman Sachs’ consumer credit business or that
bribe to persuade apparently reluctant consumers to use Apple Pay at
contactless terminals instead of swiping their card, but the attempt to get
people to use Apple Cash. Cognisant of how Starbucks makes out by persuading
citizens to exchange their US dollars that are good anywhere into Starbucks
Dollars that are not, and of Facebook’s likely launch of some kind of Facebook
Money, Apple are hoping to kick-start an Apple Cash ecosystem.
You may have
noticed that as of now, you can no longer fund person-to-person Apple
payments (in Messages) using
a credit card. You can still fund your Apple Cash via a debit card.
You can pay out from your Apple Cash to a Visa debit card for a 1% fee or via
ACH to a bank account for free. They want to reduce the costs of getting volume
into Apple Cash and make it possible for you to get it out without jumping through
hoops. Given that you can do this, you’ll be more relaxed about holding an
Apple Cash balance and that means that next time you go to buy a game or a song
or whatever, Apple can knock it off your Apple Cash balance rather than
feeding transactions through the card rails.
And why not?
In this ecosystem Apple would carry the float, which might well run into
millions of dollars (Starbucks’ float is over a billion dollars), and if it
could persuade consumers to fund app, music and movie purchases from Apple Cash
instead of cards it would not only save money, but anchor an ecosystem that
could become valuable to third-party providers as well. With Facebook’s
electronic money play on the horizon, I think Apple are making a play not for a
new kind of card to compete with my Amex Platinum and my John Lewis MasterCard
but for a new kind of money to compete with BezosBucks, ZuckDollas and Google
Well, Know 2019 in Las Vegas was great. Having attended the One World Identity (OWI) “KnowID” Washington events, it was exciting to see them grow and relocate to Las Vegas!
The event began with an “Education Day” on the Sunday preceding the main event. Consult Hyperion ran a couple of the sessions and we were taken aback at the turnout – standing room only in the session discussing the digital identity of people, companies and things that we presented with Mastercard and PaymentWorks (the hotel staff had to bring in three stacks of chairs during the talk!) and while we’d like to think that this is solely a reflection of Consult Hyperion’s leading position in the industry, we took it as a reflection of the increasing importance of digital identity across corporate strategies in a range of sectors.
As most of our clients are in the financial services sector, we naturally paid most attention to the presentations and discussions around digital identity in banking and finance. Mastercard chose the event to drive a stake into the ground around digital identity, with the launch of their paper on the topic, “Restoring Trust in a Digital World”. This presented a framework of how digital identity will work, putting the individual at the heart of every digital interaction. Mastercard’s commitment to the sector reinforced many people’s view that digital identity has gone up the priority list to become a matter of immediate concern for financial institutions, regulators and customers. The scale of identity theft and fraud on the one hand and the costs of patchwork digitised identity solutions on the other hand may not be new, but the pressure for real change is growing.
Outside the financial sector, I particularly enjoyed the keynote on the third day from Colleen Manaher from the US Customs and Border Control. She was talking about the use of biometrics and spent some of the time talking about the specific use of biometrics in airports as an interesting example of how to use biometric technologies for security but at the same time deliver convenience into the mass market.
The point of her talk was partnerships around identity. In this case, she was talking about quite complex public-private partnerships in travel. The investments made in biometrics to allow paperless travel have obvious benefits in terms of security but, as we have found in our other work about the cross-sector exploitation of digital identity, intelligent use of these new capabilities can also transform the customer experience. The same biometric system that scans your passport picture on entry to the airport and then checks you in for your flight can also be used to direct you through the airport and implement smart departure boards that, as you approach them, switch from displaying a list of all flights to displaying your flight only.
The use of digital identity as a means to provide what looks like convenience to the man in the street, but under the hood provides much higher levels of security than are currently obtained through the use of physical documents and manual checking, opens up new possibilities and set me thinking about how to replicate this dynamic in other sectors. An obvious example of this back in financial services is the kind of digital ID called for by Mark Carney, the governor of the Bank of England, which would result in significant cost savings around KYC and AML for the banks but should at the same time mean that customers can connect securely and quickly to their financial services providers.
We were sad to leave Las Vegas after such a great event but I can assure you that we’ll be back there again next year for Know2020.