Leveraging the payment networks for immunity passports

COVID-19

As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.

I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?

It is no longer unusual for a company in the City to regularly test its employees before allowing them to work in their offices and support the additional costs of their commute avoiding public transport.

Billions are being invested in vaccine research and tests to confirm that we have the antibodies to protect us and those with whom we interact. But will that be sufficient? Will it allow you to visit your relatives in the care home, sit inside your favorite restaurant, work in close proximity to your colleagues and/or travel without the need to quarantine for 14 days when you arrive and/or return?

Experience would suggest that over the next year or so a variety of vaccinations and tests will be released, which will work to a greater or lesser extent. The question will be: ‘is the vaccination, or test, recognized by the venue (and their insurers), or country, which you are trying to enter?’

For some organizations, the fact that the COVID-19 tracing application on your phone turns green, will be sufficient. Others will only recognize specific vaccinations and tests and will want to check that the immunizations are still valid. Both will be concerned by the availability of fake immunity certificates. Thus, in parallel with the medical developments, we have to implement a robust and efficient method of sharing and remotely validating the immunity certificates or passports that they will deliver.

Those of us who regularly travel in North Africa and South America are used to handing over our yellow International Certificate of Vaccination or Prophylaxis (ICVP), with our passport, to prove that we had yellow fever vaccine. This program, which is governed by International Health Regulations, could provide the governance framework for the operation of the COVID-19 immunity passports.

Over the last few months, Consult Hyperion has proven that the contactless payment networks, which allow you to use your credit or debit card anywhere in the world, can also be used to share and remotely validate your COVID-19 immunity passport.

Our idea is that anywhere you can use your payment card you can also validate that you have the required immunity to enter the building or country. As with your payment transaction, an organization can choose whether or not to accept your immunity passport based on the:

  • Issuer of the immunity passport
  • Vaccinations and/or tests administered
  • Date when the vaccinations and/or tests were administered
  • Potential that the passport is a fake or you are not the genuine passport holder

If required, the organization can also revert to the issuer of the immunity passport to check there and then that your passport is still valid.

The consumer experience delivered by the immunity passport is similar to that of a contactless, Apple Pay or Google Pay transaction. The immunity passport is stored in a secure application in your smartphone or biometric smartcard. When asked to prove your Immunity Status you use your fingerprint to authenticate yourself to your phone/card and then touch your phone/card to a contactless reader. An application on the reader validates your immunity passport and passes only the required information to the restaurateur, owner of the care home or office or border control officer.

From the international community’s perspective, the payment infrastructure over which the immunity passports are shared and remotely validated is in place, proven and robust. It is supported by a raft of rules administered by PCI, which protect the security of personal information, at rest and in flight, within the system. There is an active marketplace for cheap, certified readers, operating secure protocols, which offer Contact Free validation of the immunity passport away from the classical point of sale locations. These include mPOS and SoftPOS solutions which allow a standard mobile phone to be used as a contactless payment terminal, and ruggedized terminals used to validate tickets in high traffic areas, such as the entrance to sports arenas and concert venues.

While the world waits to see if the science supports the ability to establish immunity to COVID-19, and society works through the implications of immune people being able to avoid restrictions which apply to others, we technologists need to prepare the infrastructure that will allow people to share and validate immunity passports.

One of the things I love about working at Consult Hyperion is that we regularly come up with, and deliver, ideas that significantly impact people’s lives – contact and contactless payment cards (worldwide), M-PESA (Kenya), Open Loop Transit Ticketing (London) and more recently SoftPOS (London), just to mention a few. Something tells me that immunity passports will be the next. If you are interested and would like to help deliver the network that will allow life to return to something close to ‘old normal’, please let me know.

KYC at a distance

We live in interesting times. Whatever you think about the Coronavirus situation, social distancing will test our ability to rely on digital services. And one place where digital services continue to struggle is onboarding – establishing who your customer is in the first place.  

One of the main reasons for this, is that regulated industries such as financial services are required to perform strict “know your customer” checks when onboarding customers and risk substantial fines in the event of compliance failings. Understandably then, financial service providers need to be cautious in adopting new technology, especially where the risks are not well understood or where regulators are yet to give clear guidance.

Fortunately, a lot of work is being done. This includes the development of new identification solutions and an increasing recognition that this is a problem that needs to be solved.

The Paypers has recently published its “Digital Onboarding and KYC Report 2020”. It is packed full of insights into developments in this space, features several Consult Hyperion friends and is well worth a look.

You can download the report here: https://thepaypers.com/reports/digital-onboarding-and-kyc-report-2020

Biometric Travel

It’s been a while since I first read that British Airways (BA) was going to introduce facial biometrics for boarding international flights at Heathrow. I don’t recall going through biometric gates for flights, and I fly a lot, so it must still be in limited deployment. Hurry up BA – this is a great example of biometrics as a convenience technology.

If you been in a BA boarding queue recently, you’ll know how convenient it is to board using the QR code on your phone and how inconvenient it is to fumble around getting your passport out to show at the gate and how annoying it is to be in the line behind people who put the phone down to rummage around in a bag to find the passport and then have to mess around unlocking the phone again because it locked while they were rummaging. So, if BA can do the passport scan and face capture away from the boarding gate they can make for a much smoother boarding process.

Of course the boarding pass has to be real. I remember watching an episode of “Britain on the Fiddle” about boarding cards. The program, which was excellent by the way, included reports of ID fraud that I found fascinating, but also featured Mickey Pitt, an engaging cigarette smuggler who masterminded an operation that used fake boarding passes to get in and out of airports undetected. Perhaps we can fix that problem with the same technology.

According to International Airport Review, a scan of the customer’s face is recorded when they travel through security, and when they arrive at the gate, their face is matched with this representation when they present their boarding pass. Thus you can get on the plane just using the boarding pass in your Apple Wallet and you can leave your passport in your bag.

I hope Terminal 5 will move to remote capture for all flights. Surely as an Executive Club member I should be able to have them capture a picture of my passport at home using Au10tix or similar and store it with my account so that next time I go to the airport I can breeze through the boarding process: they should get rid of the “priority” boarding line (which on many BA flights seems to include almost all passengers) and replace it with a mobile/biometric line.

If we analyse the problem by breaking it down using our identity model, the three-domain model (3DID), we can see there are three separate problems that need to be solved using the technologically effectively:

  • identifying the person travelling (we need to bind a passport);
  • authenticating that the boarding pass is in the hand of the correct person; and
  • authorising the person with the boarding pass to go through the gate on to the plane.

The way to do this is, in my opinion, is to create a digital identity for the purposes of travelling (the travel ID) and to bind this identity to a mundane identity by linking it to a specific passport. Then British Airways can bind this identity to my Executive Club by creating a BA virtual identity, Delta can create a Delta identity and so on. Now, when I make a booking, the booking is connected to my BA ID.

That BA ID could, of course, contain either my face (in the form of a biometric template) or it could contain some other biometric that is optimised for speed and convenience at the airport. Finger vein, is a great example of a technology that has been around for ever and is tried and tested. You can’t take a picture of my finger vein when I’m walking down the road and then use it to pretend to be me, I have to walk up to a scanner and then physically insert my finger, thus consenting to the authentication.

That way, we could restructure the airport experience around technology instead of electronic simulations of paper. In this way, I can check in for the flight on my phone and then put my phone away. When I get to the airport, I go through security (at which point my face is checked against the passport photo in my BA ID) and then go to experience the Terminal 5 shopping experience. When it is time to board the plane, I put my finger into a scanner at the gate and off I go.

Consult Hyperion worked on a few projects looking at finger vein technology for UK banks a while ago – and it featured in our  Tomorrow’s Transactions blog back in 2007 because Hitachi and JCB were playing around with finger vein payments. If you’d like to know more about our model for identity (3DID) or would like to hear about our experiences with secure biometric technology, drop us a line info@chyp.com


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.