Author: Consult Hyperion

Crazy Cards

16th April 2019by Consult HyperionLeave a comment

Crazy Cards

The reasons behind the presence of mag stripe on cards alongside chip (and PIN) has long been a debate at Consult Hyperion. Especially for the US where things were different for years – of course now the US has introduced chip and PIN as well.

But putting numbers and signatures on cards helps criminals. There’s no need for it.

A couple of years later, in “Tired: Banks that store money. Wired: Banks that store identity” we asked why banks didn’t put a token in Apple Pay that didn’t disclose the name or personal information of the holder, a “stealth card” that could be used to buy adult services online using the new Safari in-browser Apple Pay experience. This would be a simple win-win: good for the merchants as it would remove CNP fraud and good for the customers as it would prevent the next Ashley-Madison catastrophe. Keep my real identity safe in the vault, give the customer a blank card to go shopping with.

Brazil Nuts

Some years ago, we were testing Static Data Authentication (SDA) “chip and PIN” cards in the UK, we used to make our own EMV cards. To do this, we took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.

You might call these cards pseudo-clones. They acted like clones in that they worked correctly in the terminals, but they were not real clones. They didn’t have the right keys inside them. Naturally, if you made one of these pseudo-clones, you didn’t want to be bothered with PIN management so you made it into a “yes card” – instead of programming the chip to check that the correct PIN is entered, you programmed it to respond “yes” to whatever PIN is entered. We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals. Of course it’s worth noting things have progressed and fortunately this wouldn’t work now as the schemes have moved on from SDA.

I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this, he made a similar white plastic pseudo-clone card and went into a shop to try it out.

When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.

The guy, thinking quickly, told him that it was one of the new Apple credit cards!

“Cool” said the shopkeeper, “How can I get one?”.

Titanium Dreams

That Brazil story was written back in 2014! There was no white Apple credit card at that time but it was interesting that the shopkeeper expected an Apple credit card to be all white and with no personal data on display, just as we had suggested in our ancient ruminations on card security. Imagine the total lack of surprise when the internet tubes delivered the news of the new actual Apple credit card launched in California a couple of weeks ago. Apple CEO Tim Cook said that the new Apple Card would be the biggest card innovation “in 50 years” [FT]. This seems a little rough on the magnetic stripe, online authorisation, chip and PIN, debit cards, contactless interfaces and so on, but it is certainly an interesting development for people like us at Consult Hyperion.

The story gathered the usual media interest. A number of reports on the web reporting on “Apple going into banking” which, obviously, they are not. Far from it. The Apple Card issuer is Goldman Sachs (it’s their first credit card product) and the card product is wholly unremarkable. The card looks pretty cool though, no doubt about that. I still don’t know why they put the cardholder name on the front (instead of their Apple ID).

Apple Card is launching into an interesting environment. The US POS is a confusing place but Apple know their stuff and I am sure that they think they can use the 2% cash back on ApplePay purchases vs. the 1% on chip/stripe to push people toward the habit of using their phones at POS instead of cards. Judging by the sign I saw in an Austin gas station, they may be right.

The Apple Card adds security, there’s no doubt about that. The card-not-present PAN and CVV displayed by the app (which can be refreshed) are not the same as the PAN and CVV on the stripe, so you can’t make counterfeit stripe cards with data from the app and Apple uses the Mastercard token Account Update service, so if you give (say) Spotify the CNP PAN/CVV and then refresh it, you don’t need to tell Spotify that you’ve changed anything because Mastercard will sort it out with Spotify. That’s security for the infrastructure and convenience for the customer.

Now You See It

While I was jotting down some notes about Apple Card, I was thinking about David Kwong, the illusionist. He gave an entertaining talk at Know 2019 in Las Vegas and I was privileged to MC his session. I was sitting feet away from him and I couldn’t figure out how he did it. That’s because he is a master of misdirection!

I can’t help feeling that there’s a bit of misdirection going on with Apple Card. The press are reporting about the card product, but it’s really not that earth shattering. It seems to me that what is really important in the announcement isn’t extending Goldman Sachs’ consumer credit business or that bribe to persuade apparently reluctant consumers to use Apple Pay at contactless terminals instead of swiping their card, but the attempt to get people to use Apple Cash. Cognisant of how Starbucks makes out by persuading citizens to exchange their US dollars that are good anywhere into Starbucks Dollars that are not, and of Facebook’s likely launch of some kind of Facebook Money, Apple are hoping to kick-start an Apple Cash ecosystem.

You may have noticed that as of now, you can no longer fund person-to-person Apple payments (in Messages) using a credit card. You can still fund your Apple Cash via a debit card. You can pay out from your Apple Cash to a Visa debit card for a 1% fee or via ACH to a bank account for free. They want to reduce the costs of getting volume into Apple Cash and make it possible for you to get it out with jumping through hoops. Given that you can do this, you’ll be more relaxed about holding an Apple Cash balance and that means that next time you go to buy a game or a song or whatever, Apple can knock it off of your Apple Cash balance rather than feeding transactions through the card rails.

And why not? In this ecosystem Apple would carry the float, which might well run into millions of dollars (Starbucks’ float is over a billion dollars), and if it could persuade consumers to fund app, music and movie purchases from Apple Cash instead of cards it would not only save money, but anchor an ecosystem that could become valuable to third-party providers as well. With Facebook’s electronic money play on the horizon, I think Apple are making a play not for a new kind of card to compete with my Amex Platinum and my John Lewis MasterCard but for a new kind of money to compete with BezosBucks, ZuckDollas an Google Groats.

Know 2019 Vegas

5th April 2019by Consult HyperionLeave a comment

Well, Know 2019 in Las Vegas was great. Having attended the One World Identity (OWI) “KnowID” Washington events, it was exciting to see them grow and relocate to Las Vegas!

The event began with an “Education Day” on the Sunday preceding the main event. Consult Hyperion ran a couple of the sessions and we were taken aback at the turnout – standing room only in the session discussing the digital identity of people, companies and things that we presented with Mastercard and PaymentWorks (the hotel staff had to bring in three stacks of chairs during the talk!) and while we’d like to think that this is solely a reflection of Consult Hyperion’s leading position in the industry, we took it as a reflection of the increasing importance of digital identity across corporate strategies in a range of sectors.

As most of our clients are in the financial services sector, we naturally paid most attention to the presentations and discussions around digital identity in banking and finance. Mastercard chose the event to drive a stake into the ground around digital identity, with the launch of their paper on the topic, “Restoring Trust in a Digital World”. This presented a framework of how digital identity will work, putting the individual at the heart of every digital interaction. Mastercard’s commitment to the sector reinforced many peoples’ view that digital identity has gone up the priority list to become a matter of immediate concern for financial institutions, regulators and customers. The scale of identity theft and fraud on the one hand and the costs of patchwork digitised identity solutions on the other hand may not the pressure for real change is growing.

Outside the financial sector, I particularly enjoyed the keynote on the third day from Colleen Manaher from the US Customs and Border Control. She was talking about the use of biometrics and spent some of the time talking about the specific use of biometrics in airports as an interesting example of how to use biometric technologies for security but at the same time deliver convenience into the mass market.

The point of her talk, was partnerships around identity. In this case, she was talking about quite complex public-private partnerships in travel. The investments made in biometrics to allow paperless travel have obvious benefits in terms of security but, as we have found in our other work about the cross-sector exploitation of digital identity, intelligent use of these new capabilities can also transform the customer experience. The same biometric system that scans your passport picture on entry to the airport and then checks you in for your flight can also be used to direct you through the airport and implement smart departure boards that as you approach them switch from displaying a list of all flights to displaying your flight only.

The use of digital identity, as a means to provide what looks like convenience to the man in the street but under the hood provides much higher levels of security than are currently obtained through the use of physical documents and manual checking opens up new possibilities and set me thinking about how to replicate this dynamic, in other sectors. An obvious example of this back in financial services is for the kind of digital ID called for by Mark Carney, the governor of the Bank of England, which would result in significant cost savings around the K YC and AML for the banks but should at the same time mean that customers can connect securely and quickly to their financial services providers.

We were sad to leave Las Vegas after such a great event but I can assure you that we’ll be back there again next year for Know2020.

MWC 2019

4th March 2019by Consult Hyperion1 Comment

Well, #teamCHYP were out in force in Barcelona. Not for the Formula One testing but for the annual mobile industry shindig, the GSMA’s Mobile World Congress. As usual, we had full days of meetings interspersed with traversing the halls in search of anything that might be of interest to clients. I don’t want to talk about the innovations in mobile (like cool bendy screens and the Samsung S10 under glass fingerprint sensor) here, but I do want to make a point about the renewed focus on digital identity.

We made digital identity one of our “live five” areas for clients to focus on this year, so I was very happy indeed to to be asked to take part in a fireside chat on the subject of trust and identity with Ajay Bhalla, President, Cyber and Intelligence Solutions at Mastercard. He’s a smart guy, and well-positioned to survey the landscape to help us to pick out some routes between the hackers and fraudsters and hucksters and scaremongers.

We didn’t rehearse any questions, we just went on stage to have an intelligent conversation about what can be done to gain, and maintain, the trust of the public. If we cannot do this, then online commerce, online government and online interaction of all kinds will be subverted and the friction associated with online transactions will become so great that the economy will suffer. Ajay was optimistic about the new technologies in this space (as are the team at Consult Hyperion) and explained how biometrics and big data will work together to identify customers and minimise disruption to customer journeys.

(I think Mastercard and the other schemes will want to set the bar quite high here. When PSD2 comes in to effect in September, poor implementations of Secure Customer Authentication, or SCA, will have significant financial impacts on online businesses)

“As David put it during our discussion: Mastercard is moving from payment player to identity leader.“

It was certainly educational to discuss these issues with Ajay. The fact is that Mastercard is making significant investments in the digital identity space means that their opinions, and their strategy, are of great interest. As it happened, Mastercard’s executive Vice Chair Ann Cairns was also emphasising their focus on digital identity at the event.

You can see why digital ID is so crucial. Identity theft and fraud have become significant friction in the online world and so tackling them is a priority. But there’s also the strategic role of identity in the always-on, connected world. I can well imagine an ecosystem in which Mastercard switch vastly more identity transactions – everything from letting my garage door identity my car on the way to logging me to the Daily Telegraph – than payment transactions.

“Why digital identities will be so important in the next few years, according to Mastercard’s vice chairman.”

Europe’s approach to data protection will be adopted worldwide, Mastercard’s Cairns says from CNBC.

It wasn’t all thought leadership, customer meetings and heated debate about bendy screens though. We had some fun at #MWC19 too. Caption competition in 3… 2… 1…

See you all at MWC2020

Tough decisions for Acquirers and PSPs in 2019

14th February 2019by Consult HyperionLeave a comment

In 2018/2019 both merchants and payment providers face pressing, strategic questions related to the selection of the payment methods they support, that need to be answered.

European regulatory initiatives like PSD2, promoting instant payments, open banking, and data sharing have created a new payments ecosystem. Acquirers, PSPs and card schemes, threatened by the risk of being bypassed by Third Party Providers, are now looking at new business models and the roles they can play in this new ecosystem. However, the key questions remain, whether to continue playing in the traditional card acquiring space and/or to take full advantage of PSD2 by opting for PISP/AISP licensing? What can be done in-house, and what in collaborating with partners for those opportunities that lie outside the expertise?

There are other questions relating to the future direction of European Card Acquiring. In 2018, cards continued to grow their share of the European payments market, but the increasing scheme fees are eroding the benefits of interchange regulation. The British Retail Consortium warned in 2018 that scheme fees increased 39% in 2017. Various consumer groups asked the European regulators to step in to protect merchants from hidden fee increases. The UK Payment Systems Regulator (PSR) announced in July 2018 a market review into card-acquiring services, including a public consultation whether there is effective competition and supply of card-acquiring services.

What’s next for Card Acquiring, Scheme fees and Interchange Fee Regulation in Europe in 2019?

The future of card acquiring, fees evolution, new merchant payments options, Open API technology are among the key topics to be discussed at the MPE 2019, Europe’s Largest Merchant Payment Acceptance Conference in Berlin, February 19-21. Consult Hyperion are delighted to support MPE once again. If you’d like to meet with the team, please email sam.wakefield@chyp.com to arrange a meeting.

You can request the Agenda & register at www.merchantpaymentsecosystem.com.

Something old, something new

28th January 2019by Consult Hyperion1 Comment

I recently stumbled across an old white paper I wrote with Neil McEvoy some 15 years ago on the subject of securing retail payments and found it fascinating to read with older eyes. The white paper started with a nod to the “ancient” art of securing payments

“For as long as people have been trading goods with each other, there has been the potential for fraudulent transactions and the need for measures to secure payments against attempted fraud.”
Securing Retail Payments, Consult Hyperion, January 2004

Now that I myself am ancient (according to my kids, anyway) I look back on the picture we painted a decade and a half ago with a strange sense of déjà vu as I read my younger self lament the disparity in fraud levels between card present and card not present, and discuss the options for closing that fraud gap and generally making the (payment) world a safer place.

If I’d been re-reading this white paper 5, or even 2 years ago, I’d probably have given a wry smile, contemplated how little had changed and put it back in the drawer before moving on to the next thing. Today was different. What I found most interesting, was that one of the ideas we presented was the concept of a distributed payment terminal for the online environment. We suggested that the disjointed, variable experience of the online world needed to come closer the consistent, certified experience EMV provided for chip and PIN. In 2004 the prototypes we built to prove this concept involved moving the terminal logic and security onto a big grey computer hosting a web server (today we call that, putting it in the ‘cloud’).

It was a little bit of a blue sky idea at the time… using EMVCo specifications and standards to deliver a secure online checkout experience with cross industry interoperability and consistent security…Crazy huh?

In December, the Visa Global Head of Payments Products and Platforms TS Anil described the new EMVCo’s Secure Remote Commerce (SRC) specification as EMVCo’s opportunity to create:

“…a single digital terminal that can be used to create a secure, interoperable experience when consumers check out online”
Visa On SRC As eCommerce’s Single Digital Terminal Future, pymnts.com, December 2018

And I think he’s right. What online payments have been crying out for is the industry to raise the bar. The lowest common denominator of typing in a PAN and expiry date has to become a thing of the past and that will only happen if the entire ecosystem moves to a new way of transacting.

EMVCo has by and large succeeded in delivering this ecosystem change at retail point of sale with the introduction of contact and contactless chip payments. Can they do the same for the online world with SRC? Time will tell; there are other initiatives vying for the prize that we’re closely watching too, but I have to say, after 15 years of waiting, it’s nice to see them giving it a go.

Why can’t I use Apple Pay for everything online?

11th January 2019by Consult Hyperion1 Comment

Pottering around on Twitter, I noticed an interesting question:

Why can’t I use Apple Pay for everything online? Shouldn’t there be some way for me to hold my phone up to the screen when I get to an order page online and scan a QR code and hold my thumbprint or something? — Joe Weisenthal (@TheStalwart) January 2, 2019

Joe has a point. Apple Pay is far more secure, and far more convenient, than messing around typing card numbers in to web pages as we did back in 1998. And globally, merchants lose some $20-$30 billion per annum in card-not-present fraud, so why aren’t we using our (secure) mobile payment systems to pay for things we buy on the (insecure) web already?

Well, first of all you can use Apple Pay to pay for things on the web but only if you are using Safari and only if the merchant has implemented Apple Pay. The merchants, however, don’t want to implement a solution that only works for a small proportion of their customers (ie, people who use iPhone, Safari on the web and have Apple Pay configured correctly). Merchants would prefer a more universal solution such as W3C or SRC.

Change, however, may be just around the corner.

Barclays Equity Research put out an interesting note on payments in November. Called “Sleepwalking into 3DS2.0 and PSD2”, it kicks off by saying that “the mandated 3-D Secure 2.0 and the requirement for two-factor Secure Customer Authentication (SCA) are around the corner, but the industry does not seem ready for this major change in transaction processing protocols”.

Well, quite. I’m glad to see they agree with our decision to make SCA the highest priority of our “Live 5” areas for our clients to focus on in the coming year.

In this note, Barclays say that an unintended consequence of PSD2 will be a better e-commerce experience on mobile, where biometrics are a convenience technology, rather than the desktop, and this should benefit digital wallets (again as we note in our Live 5). In the store too, mobile may have the advantage. Contactless payments will require a PIN entry every five transactions or €150 (depending which the issuer mandates), unless an online transaction in the interim authenticates the card and restarts the counter.

However, an Apple Pay or Google Pay mobile transaction would be authenticated every time and because of CDCVM, can ignore the contactless limit (currently £30 in the UK). While a card is arguably marginally easier than mobile wallets today for contactless, this may be enough to shift the advantage to mobile.

Thus, the future of secure retail transactions will converge on the smartphone, irrespective of whether those transactions are physical or virtual.

IATA Pay and the unintended consequences of PSD2

10th January 2019by Consult HyperionLeave a comment

The Irish central bank’s decision to authorise Google Payment Ireland under the second Payment Services Directive (PSD2) attracted a fair bit of comment, some of it informed. As Finextra pointed out, this does not grant Google with the ability to offer a full banking service including bank accounts, but they don’t need to because with a PI licence they can obtain API access to bank accounts under PSD2.

The licence means that Google can offer PSD2 Payment Initiation Services (PIS) and Account Information services (AIS)

It’s an obvious move for Google. My good friend Simon Lelieveldt noted in his blog on the subject, that this makes “Google Brexit-proof and PSD2-proof” which would be reason enough to do it, but it’s important to understand just how disruptive this licence might be.

I wrote about this back in 2017 for Wired, pointing out that changes in regulation “mean the tech giants will soon be able to access customers’ bank account data” and that companies such as Google would take this obvious step in order to gain access to financial services infrastructure without the overheads and scrutiny that a banking licence involves. Similarly, I’ve commented before that it makes sense for Amazon to get such a licence, not a banking licence because there is nothing that the banks can do to stop Amazon from becoming a neo-bank. PSD2 means that bank customers will give Amazon permission to access their bank accounts, at which point Amazon will become the interface between the customer and financial services.

Hence my point just how disruptive this might be. Only last month, banks in Spain were complaining (with some justification) that there are considerable implications to Google, Amazon and Facebook entering the financial services industry. This is because the introduction of PSD2 means that these new “big tech” entrants can benefit from asymmetric regulation and extend their appeal to consumers. The regulation is asymmetric, as my colleague Tim Richards I discussed in our “fireside chat” last year, because it means that tech companies can access banks’ customer data but the banks do not get to access the tech companies’ customer data.

The impact of open banking is, of course, not limited to the tech giants. IATA Pay is an industry-supported initiative to develop a new payment option for consumers when purchasing airline tickets online. It uses PSD2 to instruct transfers direct from customer accounts and I think it might turn out to be one of those things that economists call a “weak signal” of change? Looking back, I think we’ll see a kind of inflexion point where major retailers started to bypass the card networks and use open banking to go straight to the customer account.

“Hello this is British Airways. Click here to pay by IATA Pay and get double Avios”.

We spend a lot of time speculating on what might happen when the internet giants get access to bank accounts, but it could be just as big a deal across major retail categories. A year ago we wrote “platform-provided strong authentication to retailer apps will allow them to bypass the existing card infrastructure (with some projections indicating that a third of European card volume could disappear in the coming years) and perhaps even the physical POS itself”.

We’ve said it before and we’ll say it again: open banking is a much bigger deal than many people think.

Consult Hyperion’s Live 5 for 2019

10th December 20182nd September 2024by Consult Hyperion2 Comments

It’s that time of year again. I’ve had a chat with my colleagues at Consult Hyperion, gone back over my notes from the year’s events, taken a look at our most interesting projects around the world and brought together our “live five” for 2019. Now, as in previous years, I don’t expect you to pay any attention to our prognostications without first reviewing our previous attempts, otherwise you won’t have any basis for taking us seriously! So, let’s begin by looking back over the past year and then we’ll take a shot at the future.

Goodbye 2018

As we start to wind down 2018, let’s see how we did…

1. Open Banking. Well, it was hardly a tough call and we were bang on with this one. We’ve been working on open banking projects in the UK, on the continent and beyond. What seems to be an obviously European issue, is of course a global one and we’ve been helping the global payment brands understand the opportunities. Helping existing market participants and new market entrants to develop and implement responses to open banking has turned out to be intellectually challenging and complex, and we continue to build our expertise in the field. Planning for the unintended consequences of open banking and the potentially un-level playing field that’s been created by the asymmetry of data, was not the obvious angle of opportunity for traditional tier one banks.

2. Conversational Transactions. Yes, we were spot on with this one and not only in financial services. Many organisations are shifting to messaging channels for customer support and for transactions, in both the banking and retail sectors. The opportunity for this continues with the advancements of new messaging enablers, such as the GSMA backed RCS. But as new channels for support and service are introduced to the customer experience, so are new points of vulnerability.

3. The Internet of Cars. This is evolving although the security concerns that we spoke about before, continue to add friction to the development of new products and services in this area. Vulnerabilities to card payments or building entry systems are security threats, vulnerabilities to connected or autonomous vehicles are potentially public safety threats.

4. Artificial Intelligence. Again, this was an easy prediction because many of our clients were already active. Where we did add to thinking this past year, it was about the interactive landscape of the future (i.e. bots interacting with bots) and how the identity infrastructure needs to evolve to support this.

5. Tokens/ICOs. Well, we were right to highlight the importance of “tokens” (the basis of Initial Coin Offerings, or ICOs) and our prediction that once the craziness is out of the way, then regulated token markets will become significant looks to be borne out by mainstream commentary. At Money2020 Asia in Singapore, I had the privilege of interviewing Jonathan Larsen, Corporate Venture Capital Manager at Ping An and CEO of their Global Voyager Fund (which has a $billion or so under management). When I put to him that the tokenisation of assets will be a revolution, he said that “tokenisation is a really massive trend… a much bigger story than cryptocurrencies, initial coin offerings (ICOs), and even blockchain”.

As we said, 2018 has seen disruption because the shift to open banking, starting in the UK,has meant the reshaping of financial services while at the same time the advance of AI into the transaction flow (transactions of all types, from buying a train ticket to selling corporate bonds) begins to reshape the way we do business.

Hello 2019

This year we are organising our “live five” in a slightly different way, listing them by priority to our clients rather than as a simple list. So here are the four key technologies that we think will be hot throughout the coming year together with the new technology that we are looking at out of the corner of our eyes, so to speak. The mainstream technologies are authentication,cross-sector digital identity, digital wallets for ticketing and secure IoT in the insurance sector. The one coming up on the outside is post-quantum cryptography.

So here we go…

1. With our financial services customers we are moving from developing strategies about open banking to developing implementation plans and supporting the development of new systems and services. The most important technology at the customer interface from the secure transactions perspective is going to be the technology of Strong Customer Authentication (SCA). Understanding the rules around which transactions need SCA or not is complicated enough, and that’s before you even start working out which technologies have the right balance of security and convenience for the relevant customer journeys. Luckily, we know how to help on both counts!

As it happens, better authentication technology is going to make life easier for clients in a number of ways, not only because of PSD2. We are already planning 3D Secure v2 (3DSv2) and Secure Remote Commerce (SRC) implementations for customers. Preventing “authentication friction” (using e.g. FIDO) is central to the new customer journeys.

2. Forward thinking jurisdictions such as Canada and Australia have already started to deliver cross-sector digital identity (where in both cases we’ve been advising stakeholders). New technologies such as machine learning, shared ledgers and self-sovereign identity, if implemented correctly, will start to address the real issues and improvements in know your customer (KYC), anti-money laundering (AML), counter-terrorist financing (CTF) and the management of a politically-exposed person (PEP). The skewed cost-benefit around regtech and the friction that flawed digitised identity systems cause, mean that there is considerable pressure to shift the balance and in the coming year I think more organisations around the world will look at models adopted and take action.

3. In our work on ticketing around the world, we see a renewed focus on the deployment of real digital wallets. Transit and other forms of ticketing (such as for sporting events) are the effective anchor tenants of the digital wallet, not payments. In the UK and in some other countries there has been little traction for the smartphone digital wallet because of the effectiveness of the deployment and use of contactless cards. If you look in your real wallets, most of what your find isn’t really about payments. In our markets, payments alone do not drive consumers to digital wallets, but take-up might be about to accelerate. It’s one thing to have xPay put cards into a digital wallet but putting your train tickets, your sports rights and your concert passes into a digital wallet makes all the difference to take-up and means serious traction. Our expertise in using the digital wallets for applications beyond payments will give our clients confidence in setting their strategies.

4. In the insurance world we see the business cases building around the Internet of Things (IoT). The recent landmark decision of John Hancock, one of the oldest and largest North American life insurers, to stop selling traditional life insurance and instead sell only “interactive” policies that track fitness and health data through wearable devices and smartphones is a significant step both in terms of business model and security infrastructure. We think more organisations in the insurance sector will develop similar new services. Securing IoT systems becomes a priority. Fortunately, our very structured risk analysis for IoT and considerable experience in the practical assessment of countermeasures, deliver a cost-effective approach.

5. In our core field of security, we think it’s time to start taking post-quantum cryptography (PQC) seriously not as a research topic but as a strategic imperative around the development and deployment of new transaction systems. As many of you will know, Consult Hyperion’s reputation has been founded on the mass-market deployments of new transactions systems and services and this means we understand the long-term planning of secure platforms. We’re proud to say that we have helped to develop the security infrastructure for services ranging from the Hong Kong smart identity card, to the Euroclear settlement system and from contactless payments to open loop ticketing in major cities. Systems going into service now may well find themselves overlapping with the first practical quantum computer systems that render certain kinds of cryptography worthless, so it’s time to add PQC to strategies for the mass market.

And there you have it! Consult Hyperion’s Live 5 for 2019. Brexit does not mean the end of SCA in the UK (since PSD2 has already been transcribed into UK law) and SCA means that secure digital identities can support transactions conducted from digital wallets, and those digital wallets will contain things other than payment instruments. They might also start to store transit tickets or your right to travel, health and fitness data for your insurance company. Oh, and all of that data will end up in the public sphere unless the organisations charged with protecting it start thinking about post-quantum cryptography or,as Adi Shamir (one of the inventors of public key cryptography) said five years ago, post-cryptographysecurity.

Money2020 China

3rd December 2018by Consult HyperionLeave a comment

What an interesting experience the first Money2020 in China was. It was held in Hangzhou, the home of AliPay, and I was delighted to have been invited along to share some of our experiences in the payments and to learn first hand about the Chinese approach to the sector.

Money2020 China gets underway

The event was well-staged and with simultaneous translation from Chinese it provided an opportunity to hear about the wide variety of fintech activities in China. It was, as you might imagine, very different from the Las Vegas event last month. There was no discussion of cryptocurrency because of the Chinese regulatory context and while I did see one presentation on the use of digital signatures in smart contracts, there was little discussion of blockchain and related technologies.

Ron Kalifa talking about value-added merchant services

I particularly enjoyed Worldpay vice-chairman Ron Kalifa’s fireside chat (in which he said that people were underestimating the impact of open banking) and presentation of their annual world payments report. To a payments nerd like me this was a great opportunity to look at key trends in payments on a country-by-country basis and try to work out which trends are relevant to our clients around the world as they formulate strategies for the always-on, mobile-centric, open-banking future. Key to these strategies is, of course, security and so I always pay attention to the big picture presentations around fraud. In China, these have scary numbers attached to them, but you have to take into account the size of the Chinese economy (I think the Chinese cybercrime losses are lower than in many other countries).

Real, and scary, fraud numbers

Given the widespread use of scores of one form or another to determine trustworthiness it is no coincidence that China sees a rise in frauds relating to the manipulation of these scores. Without commenting on the benefits or otherwise of such models (most Brits, myself included, can only think of Black Mirror when social scores are discussed) it is worth making the point that preventing “gaming” of these scores while preserving individual privacy means dealing with paradoxes that might well be resolved through the use of cryptographic techniques that have no conventional analogues and are therefore difficult for policymakers to bear in mind.

Reputation fraud in action

Most of what I found thought-provoking, both in the presentations and the water cooler discussions, was to do with business models rather than new technologies. The new business models emerging in a regulated, platform-centric, dynamic market are what we should be studying. We might choose to implement some of these models in a slightly different way taking into account the varying cultural norms around security and privacy, but the idea of separating payments from banking and then turning payments into platforms, and then using these platforms to acquire customers at scale for other businesses is certainly very interesting.

These new models, of course, centre on data and value-adding using that data. When people pay for everything with their mobile phone, they lay down a seam of data that is waiting to be mined. Despite this, the convenience of the mobile-centre platforms is so great that people are clearly willing to put privacy concerns to one side. I chaired a great session on privacy with CashShield, Symphony and eCreditPal with, I think, gave out a very comforting message: if you build services with privacy in the first place, then actually complying with GDPR and other global regulations is actually not that much of a problem.

One more thing that struck me about the context for these developments that it seems to me that China is making its e-money regulation more like the EU’s. With an EU electronic money licence, the organisations holding the funds must keep them in Tier 1 capital and are not allowed to gamble the customer’s money, whereas in China there was no such restriction. Now the People’s Bank has said that from January 2019 the Chinese operators will have to hold a 100% reserve in non-interest bearing deposits at a commercial banks, a decision that will likely cost the main players (Tencent and Alipay) a billion dollars or so in revenue.

It was interesting spend a few days inside the mobile-centric, QR-everywhere, always-on, app and pay world of the future and picking up some useful lessons for our clients. A very interesting week.

Cyber Monday is here – and SRC is on its way

26th November 2018by Consult HyperionLeave a comment

With estimates of the sales over the Black Friday weekend in excess of £7bn in the UK and $90bn in the USA, retailers are currently focused on getting shoppers into their stores and through their checkouts as seamlessly as possible. As was apparent at last week’s US Payments Forum, the last part of that process, payment, is probably the one area that the retailer believes it has the least control over. Online the problem is even greater; consumers have a variety of ways to authenticate themselves to their bank and to their retailer, many of which leave something to be desired.

75% of sales on Black Friday are online and Cyber Monday is set to be the biggest yet. Many of these online sales depend on consumers having to manually enter card details, or log-in using dimly remembered passwords. Those who are not blessed with the memory of an elephant may have to undergo password reset processes that can involve checking rarely used email addresses or having to remember the incorrect spelling of their answers to a wide variety of questions about their past history. Having apparently completed the process, the percentage of remote transactions that are then declined by the Issuer is around 10 times greater than those completed in the store. Not all these declines will be valid, with legitimate customers being turned away in the name of fraud prevention. Even so millions of pounds of the approved transactions in the UK alone will still turn out to be fraudulent, further undermining the trust of the merchant and consumer alike.

Isn’t it strange that we live in a world where there is significant growth in online sales, but the mechanisms used to pay for those purchases are more cumbersome, less secure and less reliable than those used to buy on the high street? The good news is that the Payment Brands think that this is strange too and have a plan to fix it!

Earlier this month they published a draft version of their Secure Remote Commerce specification, which outlines an approach to promote security and interoperability within the card payment experience in a remote payment environment. The specification is currently out for public consultation. The Payment Brands are looking for feedback from those organizations which will deliver, interact with or use such solutions. (I know a few people who have read them and can help you to shape your reply if you are interested.) We may not see commercial solutions deployed in time for next year’s Black Friday event – these things take time. However they do offer the potential for interoperable payment solutions, with common authentication processes and levels of data security similar to those currently experienced on the high street.

In the short term, I really need to update the TV. So, in preparation for a flurry of holiday season internet shopping, I have cleared funds on my payment cards, cleaned the fingerprint readers on my tablets, found my long paper list of passwords and a similar list of answers to security questions. However, I can’t remember; was my first dog called Fido or Fenton?