Contactless is evolving. Here’s why C-8 matters more than you think.

We all love the convenience of ‘Tap to Pay’. It’s fast, intuitive, and widely accepted as part of everyday life. But behind that simple tap is a surprisingly complex ecosystem that’s starting to show its age.

One of the key challenges with the infrastructure supporting contactless payments is that it’s far more fragmented than it should be. Today, there are more than 20 different contactless kernels in use globally. Each card scheme has its own proprietary version, and this means that every payment terminal has to carry the full suite of multiple kernels to ensure broad acceptance. For merchants, vendors and card schemes alike, this approach is expensive, difficult to maintain, and slows down innovation.

Then there’s the issue of security. Most contactless cards still rely on RSA encryption, a standard that is beginning to look vulnerable beyond ~2035 due to developments in standard computing as well as quantum computing. Issuers need to migrate to Elliptic Curve Cryptography (ECC) by 2030 to stay ahead of evolving threats. On top of that, current contactless cards still transmit sensitive data in the clear, raising concerns around data privacy, data harvesting and fraud.

So what do we do about it?

Enter C-8.

EMVCo’s C-8 specification is designed to solve these problems. It’s a single, unified contactless kernel that replaces the fragmented, brand-specific approach we’ve been working with for years. Think of it as the contactless equivalent of the chip card kernel: one common foundation that works across all card brands.

C-8 isn’t just about consolidation and cost saving. It’s a major upgrade in security and functionality:

  • Encrypted cardholder data using AES to protect sensitive information.
  • ECC-based authentication for a more secure, scalable cryptographic foundation.
  • Support for loyalty, transit, and closed-loop schemes, enabling new use cases.
  • Simpler POS integration, reducing time-to-market and cost for merchants and vendors.
  • Better compatibility for smaller issuers and domestic card schemes trying to scale.

What we’re seeing in the market.

C-8 adoption is already underway. POS vendors like Ingenico and PAX have certified C-8 kernels on their devices. Card schemes are actively developing specifications. And there’s real interest from merchants, transit authorities, and fintech innovators.

At Consult Hyperion we’re at the heart of this next wave of innovation. We’re working with card schemes to develop their C-8 specifications, for both cards and mobile. We’re helping to define and produce test plans, and we’re guiding clients as they prepare for certification and rollout.

We’re seeing a clear shift in thinking. Stakeholders are no longer asking if C-8 will happen. They’re asking how they can ready themselves, rapidly, to be at the forefront of this evolution.

Strategic complications for payments & product teams.

If you’re in payments innovation, product development, or infrastructure strategy, C-8 should be on your radar now. It impacts how fast you can scale, how much you spend on certification, and how well you can support new use cases like Tap-to-Phone, in-transit payments, or loyalty-integrated cards.

For issuers, now is the time to plan your ECC migration, ideally before you’re boxed into a rushed reissuance cycle.

For acquirers and terminal vendors, C-8 reduces the cost and complexity of kernel management, helping you get to market faster and support more card types.

For emerging schemes, it offers a path to acceptance that doesn’t require fighting the kernel deployment battle.

Risks of standing still.

RSA has a limited life. The window to migrate contactless portfolios narrows. Waiting too long means you could end up trying to reissue millions of cards in a short timeframe, which is not an ideal scenario.

There’s also a competitive risk. As larger players roll out C-8 compatible cards and terminals, they’ll expand their acceptance footprint faster and more efficiently. Falling behind risks missing that window.

Our experience.

We’ve supported every major wave of EMV innovation from the beginning, and C-8 is among the most important shifts we’ve seen.

At Fime, we’re:

  • Actively working with global schemes on specification development.
  • Supporting test tool creation and certification workflows.
  • Helping clients understand what C-8 means for them, both technically and strategically.

C-8 isn’t just a tech upgrade. It’s a chance to reset the contactless ecosystem, reduce friction, and set the stage for faster innovation.

Let’s talk.

If you’re thinking about how C-8 fits into your product roadmap or want help navigating the next steps, we’re here.

Simpler, smarter contactless is coming. Let’s build it together.

How do we regulate and ensure AI Machines pay fairly?

I was extremely fortunate to be invited to the recent BIS Securing The Future Monetary System conference in Basel. This was a terrific event, bringing together some of the cleverest people in security from the worlds of banking, academia and industry to discuss the issues faced in securing our future CBDC-based monetary systems.

I was there to speak about the technical considerations in Offline CBDCs; however, I was also fortunate enough to take part in a roundtable on CBDCs and machine-to-machine payments, which was utterly fascinating, and produced some great insight and thinking that I thought I’d share, within the bounds of the Chatham House Rules. First, some background.

The call for Machine-to-Machine CBDCs

The GBIC model of three distinct types of CBDC is one that has always appealed to me. The GBIC is the voice of the main German banking associations: the National Association of German Cooperative Banks (BVR), the Association of German Banks (BdB), the Association of German Public Banks (VÖB), the German Savings Banks Association (DSGV), and the Association of German Pfandbrief Banks (vdp).  It was fascinating to have such a conservative organisation discussing not two but three kinds of digital currency in their digital euro policy paper. They call for a digital currency ecosystem encompassing:

  • A Wholesale CBDC, issued by the central bank but for use in capital markets and interbank transfers. The GBIC’s experts are calling for this form of the digital euro partly because, by adopting this approach, the ECB would be able to include further digitalisation of central bank accounts in its project. The ultimate aim is to achieve improvements which can benefit consumers, enterprises and also the banking sector.
  • A Retail CBDC, again issued by the central bank to be used by private individuals in the euro area in the same way as cash for everyday payments, e.g. to retailers or government agencies. It should be possible to use the digital euro like cash, anonymously and offline. They assume that credit institutions will provide consumers in Europe with the necessary smart wallets.
  • An Industry CBDC. What the GBIC call “tokenised commercial bank money” which will be made available by commercial banks to meet a corporate demand arising from Industry 4.0 and the Internet of Things. Tokenised commercial bank money could facilitate transactions based on “smart” – i.e. automated – contracts and thus increase process efficiency.

In other words, in addition to wholesale CBDC for institutions and retail CBDC for people, they want industrial CBDC designed for Machine-to-Machine payments to satisfy the demand that will arise from the Internet of Things (IoT). Therefore a roundtable session considering Machine-to-Machine CBDCs was going to be interesting. The round table had a great flow, considering three aspects of Machine-to-Machine CBDCs starting with:

What do we mean by CBDC M2M Payments?

Do we mean human-induced CBDC Machine-to-Machine payments, or do we mean a fully autonomous exchange of assets? That is, me pressing a button on my car user interface to allow it to pay the fuel dispenser for my electricity / diesel / petrol, or a machine doing its own thing, buying and selling as it goes? Of course we went for the second one, much more interesting. As an example, the group considered a set of solar cells generating and putting electricity into the network, and an electric vehicle consuming that energy and paying for it. Where is the human here? Are they explicitly involved in the payment process? Well, no. So do we have humans at the edge, disintermediated by the system, only involved at set up? Just what are the implications here?

We then considered whether these payments are open loop or closed loop CBDC payments. For Machine-to-Machine, a closed loop CBDC ecosystem could bring benefits, where micro-payments can take place between machines, predominantly offline, only going online occasionally, effectively enabling the machines to cash in and cash out. What if we go further and consider a fully autonomous AI machine, providing services, consuming resources, making and receiving payments as it goes? Can this legally be the case, or is there always liability with humans accountable? Something that needs serious consideration.

How does regulation fit in?

How do we regulate for machine-to-machine CBDC payments? Indeed, is regulation required? Of course it is, but we cannot wait for this to appear retrospectively; too often in payments the regulator is playing catch up. For machine-to-machine CBDC payments, visionary regulation is required.

Regulators need to work together with the industry in order to understand machine-to-machine use cases and liabilities, and put regulation in place ahead of machine-to-machine CBDC payments taking place. It was the view of the table that proactive, visionary regulation won’t be perfect, but principles-based regulation is needed in order to provide standards and trust. The table postulated that this could be implemented by smart contracts, with regulation at the edge where it can make use of the standard / regulation in place at that time, allowing change to quickly propagate. For example, we can imagine a tax compliant CBDC system for machine-to-machine CBDCs, updating to the latest tax regime. This may bring us to a place where technology, regulation and governance are intertwined, boundaries are not clear, where we have rails and assets. Good, well considered, clear regulation is essential to manage this.

What can we learn from the systems we have in play today?

Today we have bad actors in the system, using their own AI engines to feed their rules into the system. So how do we apply the brakes? If / when things do go wrong, where is the liability at the end of the chain? Is it even possible to find who is responsible in such an autonomous AI system with many interactions and components?

We concluded that to do this effectively we need to build the system with ethics embedded in the system, and perhaps, for visionary regulation for machine-to-machine, or robot to robot, CBDC payments, Asimov’s laws are not a bad place to start.

It was a fascinating event, with great conversations on all aspects of CBDC solution security. If you want to know more about CBDCs then please get in touch.

PIN: we need to talk about our relationship

16 years on from PIN day (Valentine’s Day 2006), how is our relationship with PIN holding up?

Last year Dave Birch postulated that PIN was in decline and indeed no longer necessary as our mobile phones make use of various biometrics to authenticate us and our transactions, but as we often remind ourselves in Chyp, we’re not normal. UK Finance statistics tell us that whilst the use of Apple Pay & Google Pay at the Point of Sale is on the rise, the humble plastic card is still the preferred way to pay.

Will Brexit make stealing bank cards attractive again?

A couple of weeks ago I wrote a piece for our friends at Smartex; ‘Brexit and the UK Finance’s proposed £100 contactless limit’. Perhaps a title more worthy of grabbing readers would be ‘Will Brexit make stealing bank cards attractive again?’

The pandemic has accelerated consumer behaviour that has been teetering for the last decade. The desire for contact-free (and therefore contactless) transactions has meant a significant trend in consumers becoming comfortable with tapping their cards and, perhaps more interestingly, their phones (devices/wearables). We’ve seen merchants switch from hand-scribbled ‘cash only’ signs to ‘please use cards (devices etc) wherever possible’. Some stores have completely rejected cash altogether.

Future-Ready Payments Processing

Payment Processing Platforms

At Consult Hyperion we spend a lot of our time looking into payments processing platforms for our clients. Over recent months we’ve:

  • delivered technical due diligence, assessing their capabilities
  • delivered security and vulnerability analysis on networks and products
  • designed fundamental security architectures for new payments solutions
  • advised clients on the selection of payment platform solutions
  • helped design new platforms or extend the capability of their existing platforms

It’s fair to say we have a comprehensive understanding of payments processing.  The products and solutions offered by Fintechs, Banks, Neobanks etc. rely on the capabilities of the underlying payments platform(s). 

What does Apple’s purchase of Mobeewave mean for SoftPOS?

Using mobile devices for securing payments has been, and continues to be, a key area of interest for Consult Hyperion and our customers.  We have helped many of our clients in this space from: providing advice on the market landscape, advising on security, testing security, developing security architectures, and building solutions.  Apple’s purchase of Mobeewave a couple of weeks ago has caught our, and everyone else’s, attention.  This gives us some time to reflect on this and consider what it means for the SoftPOS industry and ecosystems.
