At this time of year my colleague Dave Birch looks forward. His annual “Live Five” started as a bit of fun, but over the years it has become a thought-provoking look at what might impact our industry in the coming year. If you haven’t read it yet, please follow this link.
As we come to the holiday season, we know that we will be bombarded with reviews of 2020 on television, in our newspapers and online. A conversation with some colleagues about how long they had worked in the payments industry prompted my own review when I realised that on the 8th December I clocked up 40 years in the industry. How technology has changed our lives in that time!
I recently had the pleasure of “attending” the LendIt Fintech – Europe 2020 virtual event. Now, much of the content covered banking services for Small and Medium Enterprises (SMEs), an area that personally I’m not particularly familiar with, but one that is gaining more focus in the news of late. One thing that struck me was the potential disruption of traditional business banking brought about by open banking.
As Consult Hyperion, and many other analysts, predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation found that no-touch payments have increased for 69 percent of US retailers surveyed since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.
Fraudsters are always looking for ways to take advantage of potential weaknesses or even inexperience in new payment devices. A recent news story promoted a man-in-the-middle attack in which two phones are used to transfer and manipulate the transaction message between a stolen contactless card and the point of sale terminal.
At Consult Hyperion, we have already seen the pandemic accelerate the adoption of contact-free payments in the face to face environment as customers have become wary of catching COVID by touching shared devices, such as self-service terminals and PIN pads. The use of personal devices for payments is hardly new but the attraction of an in-app/in-store version of mobile payments, whereby the consumer uses an app on their own device to interact with the retailer or service provider and pay for services, has just increased dramatically. Solutions for parking (RingGo) and for restaurants (like the Wahaca app, powered by Judopay) were already demonstrating the benefits of such an approach for customers and businesses before COVID struck.
The ongoing COVID-19 crisis has been ruthlessly exposing fragile business models and weak balance sheets across a whole range of industries but perhaps never more so than in the travel business. In fairness, no one could have anticipated a global, government dictated total shutdown and no business models could ever be flexible enough to support such an improbable scenario. Still, it’s become clear that many travel industry companies are effectively broke and that the payments model they rely on is broken. Going forward we need a better and more sustainable approach to payments in the industry.
Most travel industry payments rely on payments cards so it’s worth starting by recapping on how most card payment models work. When a cardholder makes a payment to a merchant – either in store or, increasingly, on-line, this is routed to the merchant’s card acquirer. The acquirer has a direct relationship with the merchant in the same way that a card issuer has a direct relationship with cardholders and the acquirer will route the payment request to the relevant issuer – usually by sending the request to a payment scheme who uses the card number to identify the correct issuer. If the issuer approves the transaction then the response is routed back through the same path and the purchase completed. This is no different from any other card payment, although there are hidden complexities where the merchant is an online travel agent sourcing flights, hotels, etc from multiple underlying vendors. However, that’s a detail.
We live in interesting times. Whatever you think about the Coronavirus situation, social distancing will test our ability to rely on digital services. And one place where digital services continue to struggle is onboarding – establishing who your customer is in the first place.
One of the main reasons for this is that regulated industries such as financial services are required to perform strict “know your customer” checks when onboarding customers and risk substantial fines in the event of compliance failings. Understandably then, financial service providers need to be cautious in adopting new technology, especially where the risks are not well understood or where regulators are yet to give clear guidance.
Fortunately, a lot of work is being done. This includes the development of new identification solutions and an increasing recognition that this is a problem that needs to be solved.
The Paypers has recently published its “Digital Onboarding and KYC Report 2020”. It is packed full of insights into developments in this space, features several Consult Hyperion friends and is well worth a look.
At Consult Hyperion we take a certain amount of enjoyment looking back over some of our most interesting projects around the world over the previous year or so, wrapping up thoughts on what we’re hearing in the market and spending some time thinking about the future. Each year we consolidate the themes and bring together our Live Five.
2020 is upon us and so it’s time for some more future gazing! Now, as in previous years, how can you pay any attention to our prognostications without first reviewing our previous attempts? In 2017 we highlighted regtech and PSD2, 2018 was open banking and conversational commerce, and for 2019 it was secure customer authentication and digital wallets — so we’re a pretty good weathervane for the secure transactions’ world! Now, let’s turn to what we see for this coming year.
Our Live Five has once again been put together with particular regard to the views of our clients. They are telling us that over the next 12 months retailers, banks, regulators and their suppliers will focus on privacy as a proposition, customer intimacy driven by hyper-personalisation and personalized payment options, underpinned by a focus on cyber-resilience. In the background, they want to do what they can to reduce their impact on the global environment. For our transit clients, there will be a particular focus on bringing these threads together to reduce congestion through flexible fare collection.
So here we go…
1. This year will see privacy as a consumer proposition. This is an easy prediction to make, because serious players are going to push it. We already see this happening with “Sign in with Apple” and more services in this mould are sure to follow. Until quite recently privacy was a hygiene factor that belonged in the “back office”. But with increasing industry and consumer concerns about privacy, regulatory drivers such as GDPR and the potential for a backlash against services that are seen to abuse personal data, privacy will be an integral part of new services. As part of this we expect to see organisations that collect large amounts of personal data looking at ways to monetise this trend by shifting to attribute exchange and anonymised data analytics. Banks are an obvious candidate for this type of innovation, but not the only one – one of our biggest privacy projects is for a mass transit operator, concerned by the amount of additional personal information they are able to collect on travellers as they migrate towards the acceptance of contactless payment cards at the faregate.
2. Underpinning all of this is the urgent need to address cyber-resilience. Not a week goes by without news of some breach or failure by a major organisation putting consumer data and transactions at risk. With the advent of data protection regulations such as GDPR, these issues are major threats to the stability and profitability of companies in all sectors. The first step to addressing this is to identify the threats and vulnerabilities in existing systems before deciding how and where to invest in countermeasures.
Our Structured Risk Analysis (SRA) process is designed to help our customers through this process to ensure that they are prepared for the potential issues that could undermine their businesses.
3. Privacy and Open Data, if correctly implemented and trusted by the consumer, will facilitate the hyper-personalisation of services, which in turn will drive customer intimacy. Many of us are familiar with Google telling us how long it will take us to get home, or to the gym, as we leave the office. Fewer of us will have experienced the pleasure of being pushed new financing options by the first round of Open Banking Fintechs, aimed at helping entrepreneurs to better manage their start-up’s finances.
We have already demonstrated to our clients that it is possible to use new technology in interesting ways to deliver hyper-personalisation in a privacy-enhancing way. Many of these depend on the standardization of Premium Open Banking APIs, i.e. APIs that extend the data shared by banks beyond that required by the regulators, into areas that can generate additional revenue for the bank. We expect to see the emergence of new lending and insurance services, linked to your current financial circumstances, at the point of service, similar to those provided by Klarna.
4. One particular area where personalisation will have immediate impact is giving consumers personalised payment options with new technologies being deployed, such as EMV’s Secure Remote Commerce (SRC) and W3C’s payment request API. Today, most payment solutions are based around payment cards but increasingly we will see direct to account (D2A) payment options such as the PSD2 payment APIs. Cards themselves will increasingly disappear to be replaced by tokenized equivalents which can be deployed with enhanced security to a wide range of form factors – watches, smartphones, IoT devices, etc. The availability of D2A and tokenized solutions will vastly expand the range of payment options available to consumers who will be able to choose the option most suitable for them in specific circumstances. Increasingly we expect to see the awkwardness and friction of the end of purchase payment disappear, as consumers select the payment methods that offer them the maximum convenience for the maximum reward. Real-time, cross-border settlement will power the ability to make many of our commerce transactions completely transparent. Many merchants are confused by the plethora of new payment services and are uncertain about which will bring them more customers and therefore which they should support. Traditionally they have turned to the processors for such advice, but mergers in this field are not necessarily leading to clear direction.
We know how to strategise, design and implement the new payment options to deliver value to all of the stakeholders and our track record in helping global clients to deliver population-scale solutions is a testament to our expertise and experience in this field.
5. In the transit sector, we can see how all of the issues come together. New pay-as-you-go systems based upon cards continue to roll out around the world. The leading edge of Automated Fare Collection (AFC) is however advancing. How a traveller chooses to identify himself, and how he chooses to pay are, in principle, different decisions and we expect to see more flexibility. Reducing congestion and improving air quality are of concern globally; best addressed by providing door-to-door journeys without reliance on private internal combustion engines. This will only prove popular when ultra-convenient. That means that payment for a whole journey (or collection of journeys) involving, say, bike/ride share, tram and train, must be frictionless and support the young, old and in-between alike.
Moving people on to public transport by making it simple and convenient to pay is how we will help people to take practical steps towards sustainability.
So, there we go. Privacy-enhanced resilient infrastructure will deliver hyper-personalisation and give customers more safe payment choices. AFC will use this infrastructure to both deliver value and help the environment to the great benefit of all of us. It’s an exciting year ahead in our field!
was originally published on Money20/20.
We are in the midst of seismic societal changes in how people interact and transact. Across societies, geographies and segments, digital is the new norm. Change has accelerated, placing greater value upon flexibility and speed. Historically, money and finance have been among the more conservative and slower changing parts of society, but this has changed dramatically over the past decade by viewing money as an instigator of change rather than a lagging indicator.
Whether you are a marketer in shining armor conquering new territory, a financial wizard casting spells upon the balance sheet, or the queen or king guiding the whole enterprise, here are 4 trends about money that you should keep in mind for your business.
Platforms are the new kingdoms
Platforms are the base upon which other structures can be built. For example, App stores from Apple and Google provide the infrastructure for consumers to complete commercial transactions and manage finances through their mobile phones. While these companies develop their own digital wallets, they also enable similar services from banks, retailers and other companies. Building and maintaining the platform enables services that they would not have created on their own, like Uber or Lyft, which in turn, have created their own platforms.
Marketers trying to address customers’ needs can plug into platforms to broaden offerings or deepen engagement with target markets. Platform-based thinking implies that product and service design is ongoing and doesn’t stop with a product launch. Jack Dorsey didn’t stop when he built the Square credit card reader. The team went into lending with Square Capital. They got into consumer P2P payments with Square Cash. Their ecosystem has grown through partnerships with other companies as well as in-house development.
Digital Identities open the gates
How do your customers interact with you? Do they need to create a username and password, or can they use a 3rd party system like Google or Facebook? Are security services like two-factor authentication or biometrics used to protect credentials? Is your company protecting customer identities adequately? The importance of all of these questions is increasing, and they are often the difference between being forced into early retirement by a massive data breach or surviving to continue to grow your business.
While identity management and digital security might not be top of mind for most marketers, they are table stakes for even the most basic future business. History is full of tales of rulers successfully fighting off armies laying sieges on castles and fortresses, only to fail when another army gets access to a key for the back door.
Context rules the experience
Credit card transactions moved from predominantly being in-store, to e-commerce sites accessed from desktop computers, and now to mobile phones. As the point-of-purchase expanded, so did the consumer use cases and thought processes. In tandem, mobile screens present less information than desktop computer screens, which in turn present less information than associates in a brick-and-mortar environment. Companies best able to understand context and deliver the right user experience within these constraints will build loyal customer relationships.
Apps or services created for different use cases on the same platform, such as Facebook and Messenger apps, can help achieve this. Banks and have different apps for managing accounts or for completing transactions or payments. On a desktop, you can access these services through a single interface but on the mobile, forcing users to select their use case helps present a streamlined experience on the smaller, more time-constrained mobile screen. The use of additional data such as location, device, etc. can further streamline the experience. Marketers that don’t think about the context will lose the battle before it even begins.
Data is gold
While a marketer’s goal is to generate sales, data has become a value driver. In the financial world, data about payments, assets and liabilities has become critical in how products and services are delivered. PayPal, a fintech that began even before the word ‘fintech’, has recently been using payments data from their platform to help build a lending business for their customers. Similarly, an SME lender named Kabbage has grown to unicorn status by using data from other sources to make smarter lending and pricing decisions. In the payments industry, Stripe distilled a previously complex technology integration into a minimal data set, accessed via API, to easily build payments into new digital products
Those that are able to harness the power of data will be able to predict what customers want and more effectively address their needs. In some cases, it might be using data from within your enterprise or from other platforms for targeting, pricing or servicing decisions. In other cases, it might be using data to reimagine what your product or service is.
Looking for more insights on key trends in money? Hear from 400+ industry leaders at Money20/20 USA. Money20/20 USA will be held on October 27-30, 2019 at The Venetian Las Vegas. To learn more and attend visit us.money2020.com.
On Friday 13th September this year, the full force of PSD2 Strong Customer Authentication (SCA) comes into force. Anecdotally the lack of readiness of the card payment industry is beginning to suggest that the immediate impact may well look like the aftermath of a dinner party hosted by Jason Voorhees.
To summarise: after 13th September 2019 (yes, that’s in just over 3 months) account holding banks must require two-factor authentication compliant with PSD2 SCA on all electronic payments, including all remote card payments, unless an applicable exemption is triggered. There are no exceptions allowed to this; there is no concept of merchants choosing to take liability and avoiding SCA. In the event that a merchant attempts a transaction without SCA and the issuing bank determines that no exemption applies or that there is significant risk associated with the payment, the bank must decline and request the merchant to perform a step-up authentication.
Currently, the only real option open to merchants for performing SCA for online card payments is 3DS. To support all of the PSD2 exemptions – which are needed to provide a near frictionless payment experience – the very latest version, 3DS2.2, must be used. As it stands, however, 3DS2.2 will not be ready, so the initial implementation of this will be sub-optimal.
So, come 14th September this year what will happen?
Figures are hard to come by, but within Europe we believe that 75% of merchants don’t implement 3DS today. We also believe that about a fifth of large issuers are taking a hard line in order to be compliant with the regulations and will decline all non-3DS transactions. Even where the issuer is taking a more subtle approach they will request step-up SCA on somewhere between 1 in 5 and 1 in 10 transactions. On top of this, if the merchant does not support 3DS and the issuer authorises anyway, any fraud is the merchant’s responsibility: for non-complying merchants this is a lose-lose-lose
Given this woeful state of preparedness there’s some industry hope that the regulators may take a relaxed view of compliance come September. Certainly there are representations being made in Brussels, but we think it’s unlikely there’ll be any relief from that direction: (1) the migration date is written into law, national regulators cannot alter it and (2) many issuers will implement PSD2 fully regardless of any softening of the implementation. We suspect that there may be some movement from national regulators since the alternative may be unthinkable, but travelling hopefully doesn’t look like much of a strategy, especially if you’re an e-com retailer or
Going forward there are a wide range of solutions being developed which will mitigate the impact of SCA on cardholders. Ultimately 3DS is not the only solution, but it is the only pervasive one and it certainly is the only one available in the current time frames.
What can merchants do to avoid carnage in September? Well, as a matter of urgency they need to engage with their PSPs to ensure that they’re capable of supporting 3DS. Given that there’s likely to be a last minute rush the earlier this happens the better. Secondly, to meet 3DS requirements they need to be capturing a range of customer data to feed into the underlying risk management processes (which, of course, needs to be GDPR compliant). And finally, they need to be working on a proper PSD2 SCA strategy that ensures, going forward, that they can minimise the impact on their customers, provide the minimum friction in the payments process and maximise transaction completion.
Here at Chyp we’ve spent the last two years helping Issuers, Schemes, Acquirers, PSPs and merchants prepare – so although the impact across the payments industry may be patchy, we know there will be winners as well as losers. If the worst case comes to pass then the only merchants likely to escape the bloodbath come September are those taking action now. And there’s unlikely to be any downside to immediate action – PSD2 has been in the works for over five years, the SCA implementation date has been known for over a year, and there’s little indication that the European Commission intends to undo or loosen the regulations.
Friday 13th is coming, best make sure you’re
The reasons behind the presence of mag stripe on cards alongside chip (and PIN) have long been a debate at Consult Hyperion, especially for the US, where things were different for years – of course now the US has introduced chip and PIN as well.
numbers and signatures on cards helps criminals. There’s no need for it.
A couple of years later, in “Tired: Banks that store money. Wired: Banks that store identity” we asked why banks didn’t put a token in Apple Pay that didn’t disclose the name or personal information of the holder, a “stealth card” that could be used to buy adult services online using the new Safari in-browser Apple Pay experience. This would be a simple win-win: good for the merchants as it would remove CNP fraud and good for the customers as it would prevent the next Ashley-Madison catastrophe. Keep my real identity safe in the vault, give the customer a blank card to go shopping with.
Some years ago, when we were testing Static Data Authentication (SDA) “chip and PIN” cards in the UK, we used to make our own EMV cards. To do this, we took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.
You might call these cards pseudo-clones. They acted like clones in that they worked correctly in the terminals, but they were not real clones. They didn’t have the right keys inside them. Naturally, if you made one of these pseudo-clones, you didn’t want to be bothered with PIN management so you made it into a “yes card” – instead of programming the chip to check that the correct PIN is entered, you programmed it to respond “yes” to whatever PIN is entered. We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals. Of course it’s worth noting things have progressed and fortunately this wouldn’t work now as the schemes have moved on from SDA.
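The issuer-side check that this testing was probing can be sketched as follows. This is an added example, not Consult Hyperion's code or the EMV algorithm: HMAC-SHA256 stands in for EMV's real key derivation and cryptogram MAC, and the master key, PAN, field layout and function names are all constructed for illustration.

```python
import hashlib
import hmac

CRYPTOGRAM_LEN = 8  # EMV application cryptograms are 8 bytes long


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key known only to the genuine chip and the issuer.

    Assumption: HMAC-SHA256 is a stand-in for EMV's real key derivation.
    """
    return hmac.new(issuer_master_key, b"card-key|" + pan.encode(),
                    hashlib.sha256).digest()


def transaction_data(amount_minor: int, unpredictable_number: bytes, atc: int) -> bytes:
    """Fields bound into the cryptogram: amount, terminal nonce, card counter."""
    return amount_minor.to_bytes(6, "big") + unpredictable_number + atc.to_bytes(2, "big")


def card_cryptogram(card_key: bytes, amount_minor: int,
                    unpredictable_number: bytes, atc: int) -> bytes:
    """What a genuine chip computes (stand-in MAC, truncated to 8 bytes)."""
    data = transaction_data(amount_minor, unpredictable_number, atc)
    return hmac.new(card_key, data, hashlib.sha256).digest()[:CRYPTOGRAM_LEN]


def authorise(request: dict, issuer_master_key: bytes, check_cryptogram: bool) -> str:
    """Issuer decision. With check_cryptogram=False the cryptogram is ignored,
    which is the weakness the white-plastic test cards were built to reveal."""
    if not check_cryptogram:
        return "APPROVE"
    card_key = derive_card_key(issuer_master_key, request["pan"])
    expected = card_cryptogram(card_key, request["amount_minor"],
                               request["unpredictable_number"], request["atc"])
    # Constant-time comparison of the recomputed and the presented cryptogram.
    ok = hmac.compare_digest(expected, request["cryptogram"])
    return "APPROVE" if ok else "DECLINE"


def run_demo() -> dict:
    """Run three constructed authorisation requests through both issuers."""
    issuer_master_key = bytes(range(32))      # constructed test key
    pan = "0000000000000000"                  # constructed placeholder PAN
    un = bytes.fromhex("a1b2c3d4")            # constructed terminal nonce
    base = {"pan": pan, "amount_minor": 1250, "unpredictable_number": un, "atc": 7}

    card_key = derive_card_key(issuer_master_key, pan)
    genuine = dict(base, cryptogram=card_cryptogram(card_key, 1250, un, 7))
    # Pseudo-clone: valid static data, filler text where the cryptogram belongs.
    pseudo_clone = dict(base, cryptogram=b"SDA ANTICS"[:CRYPTOGRAM_LEN])
    # Genuine cryptogram attached to a different amount than the card signed.
    altered = dict(genuine, amount_minor=99999)

    return {
        "pseudo_clone_unchecked": authorise(pseudo_clone, issuer_master_key, False),
        "pseudo_clone_checked": authorise(pseudo_clone, issuer_master_key, True),
        "genuine_checked": authorise(genuine, issuer_master_key, True),
        "altered_amount_checked": authorise(altered, issuer_master_key, True),
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case}: {decision}")
```

Only the issuer that recomputes the cryptogram distinguishes the genuine card from the pseudo-clone, and the same check also rejects a genuine cryptogram that has been attached to an altered amount.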
I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this, he made a similar white plastic pseudo-clone card and went into a shop to try it out.
When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.
thinking quickly, told him that it was one of the new Apple credit cards!
“Cool” said the shopkeeper, “How can I get one?”.
story was written back in 2014! There was no white Apple credit card at that time but it was interesting that the shopkeeper expected an Apple credit card to be all white and with no personal data on display, just as we had suggested in our ancient ruminations on card security. Imagine the total lack of surprise when the internet tubes delivered the news of the new actual Apple credit card launched in California a couple of weeks ago. Apple CEO Tim Cook said that the new Apple Card would be the biggest card innovation “in 50 years” [FT]. This seems a little rough on the magnetic stripe, online authorisation, chip and PIN, debit cards, contactless interfaces and so on, but it is certainly an interesting development for people like us at Consult
gathered the usual media interest. A number of reports on the web reporting on “Apple going into banking” which, obviously, they are not. Far from it. The Apple Card issuer is Goldman Sachs (it’s their first credit card product) and the card product is wholly unremarkable. The card looks pretty cool though, no doubt about that. I still don’t know why they put the cardholder name on the front (instead of their Apple ID).
Apple Card is launching into an interesting environment. The US POS is a confusing place but Apple know their stuff and I am sure that they think they can use the 2% cash back on Apple Pay purchases vs. the 1% on chip/stripe to push people toward the habit of using their phones at POS instead of cards. Judging by the sign I saw in an Austin gas station, they may be right.
The Apple Card adds security, there’s no doubt about that. The card-not-present PAN and CVV displayed by the app (which can be refreshed) are not the same as the PAN and CVV on the stripe, so you can’t make counterfeit stripe cards with data from the app. Apple also uses the Mastercard token Account Update service, so if you give (say) Spotify the CNP PAN/CVV and then refresh it, you don’t need to tell Spotify that you’ve changed anything because Mastercard will sort it out with Spotify. That’s security for the infrastructure and convenience for the customer.
Now You See It
While I was jotting down some notes about Apple Card, I was thinking about David Kwong, the illusionist. He gave an entertaining talk at Know 2019 in Las Vegas and I was privileged to MC his session. I was sitting feet away from him and I couldn’t figure out how he did it. That’s because he is a master of misdirection!
I can’t help feeling that there’s a bit of misdirection going on with Apple Card. The press are reporting about the card product, but it’s really not that earth shattering. It seems to me that what is really important in the announcement isn’t extending Goldman Sachs’ consumer credit business or that bribe to persuade apparently reluctant consumers to use Apple Pay at contactless terminals instead of swiping their card, but the attempt to get people to use Apple Cash. Cognisant of how Starbucks makes out by persuading citizens to exchange their US dollars that are good anywhere into Starbucks Dollars that are not, and of Facebook’s likely launch of some kind of Facebook Money, Apple are hoping to kick-start an Apple Cash ecosystem.
You may have noticed that as of now, you can no longer fund person-to-person Apple payments (in Messages) using a credit card. You can still fund your Apple Cash via a debit card. You can pay out from your Apple Cash to a Visa debit card for a 1% fee or via ACH to a bank account for free. They want to reduce the costs of getting volume into Apple Cash and make it possible for you to get it out without jumping through hoops. Given that you can do this, you’ll be more relaxed about holding an Apple Cash balance and that means that next time you go to buy a game or a song or whatever, Apple can knock it off of your Apple Cash balance rather than feeding transactions through the card rails.
And why not? In this ecosystem Apple would carry the float, which might well run into millions of dollars (Starbucks’ float is over a billion dollars), and if it could persuade consumers to fund app, music and movie purchases from Apple Cash instead of cards it would not only save money, but anchor an ecosystem that could become valuable to third-party providers as well. With Facebook’s electronic money play on the horizon, I think Apple are making a play not for a new kind of card to compete with my Amex Platinum and my John Lewis MasterCard but for a new kind of money to compete with BezosBucks, ZuckDollas and Google