It’s that time of year again: where’s it’s traditional to take stock and look to the future. At Consult Hyperion, we do that through our ‘Live 5’ process; where we look at major trends in business, technology and consumer attitudes and project them onto our areas of business focus, with twists of our own. This is more than a marketing exercise. It informs our advisory services, but also sets our own strategy, for example by determining what technologies are investigated, and protypes built, by our Hyperlab unit.
For most of us 2020 isn’t going to be a year to linger fondly in the memory. It’s been a monumental slog in the face of grim news and little cheer but from a payments perspective we’ve seen an unsurprising surge in interest in all things payment related.
People have moved from cash to electronic payments – contactless transaction numbers have soared. People moved from face to face purchases to online. And, there’s been a ton of stress on payment systems as people have demanded refunds for holidays and flights they couldn’t take due to various travel restrictions. It’s been a year like never before.
We can expect this to be exacerbated over what will likely be an extended Black Friday and Christmas holiday shopping period. Online payments are expected to grow even though economies are in recession. For us in Europe it’s the last hurrah before PSD2 requirements on strong customer authentication come into force on January 1st. Merchants and payment companies will be well staffed on News Year Eve as they wait and see how the systems will hold up, and what sort of abandonment figures they’ll see as puzzled customers are presented with confusing authentication screens. We can probably expect a flood of concerned calls about phishing which are actually Strong Customer Authentication requests.
I recently had the pleasure of “attending” the LendIt Fintech – Europe 2020 virtual event. Now, much of the content covered banking services for Small and Medium Enterprises (SMEs), an area that personally I’m not particularly familiar with, but one that is gaining more focus in the news of late. One thing that struck me was the potential disruption of traditional business banking brought about by open banking.
As Consult Hyperion, and as many other analysts, predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation, found that no-touch payments have increased for 69 percent of US retailers surveyed, since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.
Fraudsters are always looking for ways to take advantage of potential weaknesses or even inexperience in new payment devices. A recent news story promoted a man in the middle attack in which two phones are used to transfer and manipulate the transaction message between a stolen contactless card and the point of sale terminal.
Since the FCA announced a further 6 month delay in the UK’s deadline for Strong Customer Authentication there’s been a general expectation that the EBA would follow suit and relax the date for the EEA. However, it now appears that won’t happen – the 31st December 2020 remains the key date and there won’t be any further relaxation in the rules.
This hasn’t been officially announced but appears to have been the gist of a letter by the European Commission’s Executive Vice President Valdis Dombrovskis which makes clear that there’s no consideration in place for a delay and that, in the Commission’s view, the Coronavirus pandemic and the subsequent rise in e-commerce makes it more urgent to implement rather than less. It looks like the Commission is not for turning and with only a little over six months left to be prepared any merchant or payment service provider than hasn’t been planning for this is likely to be in full panic mode.
At one level it’s hard to disagree with the Commission’s position – the deadline has been shifted already from last September in order to accommodate the industry’s inability to implement in time. Although, in fairness, it ought to be noted that original requirements require a degree in semiotics to fully understand and clarifications have been fitful and, on occasion, too late. However, there’s a degree of real-world pragmatism missing from the decision – the last thing the European economy needs right now is an e-commerce cliff edge right in the middle of the busiest shopping period of the year.
The divergence between the UK and Europe also starts to raise some interesting questions. PSD2 applies to countries within the EEA and not to transactions starting or finishing outside – and as of January 1st 2021 the UK will be fully outside. PSD2 will apply within the EEA ex-UK and within the UK ex-Europe but, barring some kind of passporting agreement, not between them. One option for desperate European e-tailers may be to shift operations to the UK where the SCA deadline is a further 9 months away. Of course, the same applies in reverse: logically there ought to be a compromise, but those seem thin on the ground.
Overall, then, the message to all organisations involved in electronic payments is to assume that SCA will be enforced from January 1st next year and any firm that can’t support it should expect to see transactions declined. Merchants and PSPs may choose or may not be able to handle SCA but issuers will be ready and won’t want to be upsetting the regulators. For any companies out there that don’t know what to do come and talk to us, we can help guide you through the process – first by helping ensure you’re compliant and then by addressing the additional friction that SCA will introduce.
It isn’t too late to do something about SCA but it does very much look like we are at the eleventh hour.
It feels strange to be writing about paying for food, one of the basic skills we learn in early childhood. However, these are exceptional times, when the basic notion of how we pay is being challenged. It seems we are now considering the different options for paying safely when physical contact must be kept to a minimum.
Consult Hyperion has been alerted to many requests for advice from community groups who normally rely on cash payments, so in response we have drawn up some guiding principles:
1. Maintain good practice: be aware of the vulnerability, both real and perceived, of people unable to leave their homes. Asking them to do things differently risks increasing anxiety and leaving them open to fraud.
2. Keep it simple: work with payments options people already use, and those they are familiar with. The large spike in phishing attacks over the past month highlights scammers’ eagerness to abuse this situation.
3. Maintain records: clear and consistent transaction logging is essential to protect both organisers and the people they are helping. Keep invoices for tracking and reconciliation purposes.
4. Work with existing networks: local authorities, housing associations, care providers, charities, community groups, faith groups, even village shops. The mix will vary according to the community.
5. Only allow demonstrably trustworthy individuals to handle payments: the list of people permitted to countersign passport applications could be a good starting point, but each community is different. Trust is vital in payments.
6. Keep payments and shopping separate: older readers will remember having an account with their local shop and having items added to their tally, paying the bill weekly or monthly.
7. School meals provide a good example: cards (or biometrics) are used to ensure all students have equal access to food, without the stigma attached with free school meals. Food is still served, even if the system has technical issues.
8. Take the time to discuss people’s preferences over the phone: The person receiving the shopping doesn’t have to be the person who pays. Be creative in encouraging people to contribute a little extra, or allow friends and family to pay on their behalf.
When organising payments, only use options people already have. This is not the time for a stressful sign-up process. In order of preference:
Online – PayPal, Bank Transfer, Pingit
With any new online payment, if there is a level of trust through an existing relationship, ask the account holder to send a small sum of 1p or 10p to the intended account, to check that it does arrive in the right place.
PayPal: convenient if you already have an account. Allows you to choose different sources of funds to transfer. Can be used for paying individuals as well as organisations. Includes a degree of protection.
Bank transfer (frequently referred to as Faster Payments): Despite communication from many of our banks, the full roll out of Confirmation of Payee is delayed. There is uncertainty over whether the money will arrive in the right place, so test initially with small amounts. It is irreversible. It can be performed easily via internet banking if you have the capability. Telephone banking is currently overloaded.
Some apps enable an invoice with bank details to be presented through a link to web page. This is better than simply sending requests for payments within an email, as fraudsters can’t just intercept the email and change the recipient details. It requires more effort to set up a fraud and is more likely to get spotted.
Pingit: Less widespread but convenient person-to-person payments which can be sent to a mobile number.
Contactless at the door
Using a portable reader from companies like iZettle, SumUp and Square. Apple Pay and Google Pay are good options as they allow higher value payments without the need to touch the device, if people already have the capability. Appropriate distancing must be observed.
The householder only has to part with a single piece of paper and does not have to receive change. Cheques will have to be paid in and take a while to clear but there is very little risk of the householder absconding.
People are encouraged to avoid handling cash and avoid touching ATMs. Keeping cash in the home makes people more vulnerable. However, some people rely on cash. Where change is to be given, this should be arranged in advance and put in an envelope.
These are extraordinary times, which force us to look differently at the way we pay. Consult Hyperion have been enabling secure payments for over 30 years and we are able to apply our own Structured Risk Analysis process to understand the threats and possible countermeasures in every situation. These threats normally relate to the security of systems but in this case also encompass the risk of infection and people being left without essential supplies.
If you are reading this from home and need help, try phoning your local shop. If they are not organising deliveries themselves, they may well be aware of groups who are. Many local stores and community groups are providing help to these who need it, providing a much needed service. Get in touch with your local group.
In these extraordinary times with the need for social distancing, the payments industry is raising the contactless limits across many countries in order to prevent the need to touch PIN Pads in order to pay for our essential supermarket and pharmacy shopping. Indeed, such is the concern over the use of cash that contactless payments are being actively encouraged over cash, with some countries, notably China and Russia now requiring that cash is sanitised before it is allowed back into circulation.
The Dutch Payment Association has moved to double their contactless CVM limit from €50 to €100, similar increases are being introduced by Poland; Norway; Canada; Turkey etc. Yesterday the British Retail Consortium announced that the UK too will raise its contactless limit from £30 to £45 on the 1st April.
So why do we need to wait a week? What does it mean? What are the alternatives?
First let us explain how contactless limits work and understand the difference between contactless payments in the UK compared to most other countries. Contactless payment terminals have 3 limits:
- Floor Limit
- CVM Limit
- Transaction Limit
The Floor Limit determines if the transaction should be sent online to the Issuing bank for authorisation. In the UK the contactless floor limit has been set at £0 for some time, ensuring all transactions are sent online, preventing spend from any cards that have been reported lost or stolen.
The CVM Limit is the one which is being changed on the 1st April. Above the CVM Limit a transaction requires a cardholder PIN or biometric authentication in order to be approved, which generally means a Chip & PIN transaction is needed. We are now seeing the introduction of some biometric contactless cards, but there are very few of them in the market today. By raising the CVM limit to £45 any contactless transactions below this will be sent to the Issuer for authorisation, which should result in the need to touch the POS less by reducing the number of Chip & PIN transactions.
The Transaction Limit is the maximum value that is allowed for any contactless transaction at that Merchant. This has been badly handled in the past, creating different customer experiences at different merchants. Ideally the contactless Transaction Limit should be the same as the Chip and PIN transaction limit. This then allows a contactless transaction carried out using a mobile phone, with Apple Pay or Google Pay, to be treated in the same way as Chip & PIN transactions. In the coming weeks, most payments will be made at Supermarkets, and whilst the raising of the limit to £45 will enable a higher number of contactless transactions, a large family shop will exceed £45. To be able to Pay without PIN, people should enable their cards in Apple Pay or Google Pay, this will allow them to Pay by contactless no matter the transaction amount.
In the UK, the Transaction Limit has not been uniformly implemented, in some merchants it is set to the same as the CVM Limit, meaning contactless can only happen below £30. The result has been confusion over when Apple Pay and Google Pay transactions will work and when you need to perform Chip & PIN. POS providers and merchants need to take the opportunity of this limit change to test their systems to ensure that both the CVM Limit and the Transaction Limit are set appropriately to provide the maximum opportunity to pay by contactless.
As my fellow Principal Consultant Tim Richards points out in our video blog, other countries are using mobile apps to prevent the need for PIN – completely “Contact Free” transactions. We don’t have that capability in the UK yet, Apple Pay and Google Pay being the best options for now. We expect this to change as Open Banking progresses and payments without the need for PIN become more common.
Consult Hyperion have extensive experience in contactless and “Contact Free” payments and testing, we will be able to help organisations ensure they optimise their payments capability to meet the needs of their customers, get in touch for more information on how we can help.
In the meantime, to avoid PIN Pads, shop below £45 or ensure Apple Pay or Google Pay is working on your mobile device, and stay safe.
 https://www.finextra.com/newsarticle/35509/russian-banks-act-to-decontaminate-cash?utm_medium=newsflash&utm_source=2020-3-24&member=56902  https://www.finextra.com/newsarticle/35493/dutch-banks-raise-contactless-limits-for-pin-entry  https://www.theguardian.com/money/2020/mar/24/limit-for-contactless-spending-to-rise-to-45-at-beginning-of-april
It has become practically impossible to keep up with the number of loyalty-related security breaches. In today’s edition of “Who Got Hit?”, we read that Tesco is sending security warnings to 600,000 Tesco Clubcard loyalty members following fraudulent activities. The breach is suspected to be attackers trying to ‘brute-force’ their way into the loyalty system, using stolen credentials, potentially from a different breach. In recent years, fraud associated with loyalty has been on the rise. According to a 2019 report by Forter was an 89% increase in loyalty related fraud, from the previous year.
By GSMA Future Networks Team, Lishoy Francis, Senior Consultant , Consult Hyperion
Mobile telecommunications services, and the devices consumers use to access them, are evolving rapidly – and, with the roll-out of 5G, the integration of IoT and wearables, and the adoption of embedded SIM, mobile services will soon be available everywhere.
Service providers relying on mobile apps, however, face several challenges. These include falling consumer retention figures, as app transaction abandonment rates increase; the cost of developing and maintaining mobile apps; ensuring adequate security for accurate billing and fraud prevention; and meeting regulations such as PSD2.
Rich Communication Services (RCS) – the mobile industry’s upgrade to SMS, which brings enriched multimedia services and enhanced security to mobile messaging – provides a range of solutions to these challenges, and with them new commercial opportunities in the delivery of consumer payments. RCS is now gaining momentum in the consumer market, and is a key platform to watch in 2020 and beyond. Adoption of RCS is mainly driven by buy-in from mobile platform providers such as Samsung and Google, more than 20 device OEMs, and over 90 mobile network operators to date.
From the consumer’s perspective, the RCS experience means forgoing the need to download multiple different apps and instead using a native messaging app on their device which is not limited to plain text, but is capable of handling feature-rich communications in the style of WhatsApp, Facebook Messenger or WeChat. The RCS infrastructure consists of an IP Multimedia Subsystem (IMS) core with implementation-specific Application Server (AS) functions. The messaging feature in RCS is enhanced by RCS Business Messaging (RBM) supported by backend platform components.
Security and trust are scarce in the messaging world, where unwitting consumers can fall victim to phishing attacks leading to monetary loss and compromise of personal information. RCS can help here with Verified Sender, a feature of RBM which provides proof of the sender’s identity. This proof is technically based on a digital signature and, for consumer confidence at a glance, can be shown as a visual tick-mark, with a verified name and logo of the sender on the messaging client.
Consumer authentication has been commonly based, until recently, on the use of a one-time password (OTP) sent over SMS, in conjunction with a memorable secret. Since the arrival of PSD2, however, strong customer authentication (SCA) is required for all electronic payments. PSD2 SCA requires the use of at least two from the following elements:
- Knowledge – something the consumer knows
- Possession – something the consumer has
- Inherence – something the consumer is (typically using a biometric)
Although OTP-over-SMS is a permitted possession factor under PSD2 (acting as proof of possession of a SIM card), RBM can offer better security – the question mark over where a given message has originated is now, thankfully, gone.
The GSMA – working with Consult Hyperion, thought leaders in mobile telecommunications, payments, ticketing, and digital identity – has produced a white paper on what RCS has to offer in digital payments. ‘RCS and Payments’ provides a detailed investigation of RCS’ potential in meeting PSD2’s SCA requirements, including the potential of RCS to replace SMS for delivery of OTP, and explores various payment options across the RCS channel.
Also considered are the additional security mechanisms RCS can offer to gain customer confidence and protect payments: the platform for instance offers service providers advanced functionalities such as message recall if a device is offline; additional controls to validate SIM swap requests; rapid service provisioning; and providing continuous customer engagement via AI chatbots.
In short, RCS offers the most exciting opportunity for service providers and MNOs to work together on providing consumers with secure payments and strong authentication since the availability of NFC and HCE on consumer mobile devices.
Read the latest ‘RCS and Payments’ whitepaper for more details.
We were at TTGlobal (28-29 Jan 2020) this year for the fifth year running. It was a much bigger event in Kensington Olympia, London, with around 30% more attendees. This blog is a summary of how the two days went for us.
The Plenary session had a surprise guest in the form of the Future of Transport Minister, George Freeman. He spoke eloquently about subjects very close to our hearts:
- Seamless end-to-end ticketing
- Integrated PAYG
- Sustainability: he explained that the emissions of the transport sector are expected to double by 2050 unless something radical is done.
I have written before about a shift in government thinking about mobility that seems to be taking place. Let’s hope this signals more of the same and is followed with positive, decisive action.
Our CEO, Neil McEvoy, moderated the plenary panel on ‘the role of ticketing and urban transport policies in delivering MaaS,’ with panellists from:
- Government of the city of Buenos Aires, Argentina
- Dallas Areas Rapid Transit, USA
It was felt that to meet public policy objectives on congestion, air quality and CO2 emissions, facilitating multi-modal, door-to-door, everyday journeys would be key. Facilitating journeys outside of a traveller’s home city or region is welcome but won’t meet wider goals alone.
Highlight of the rest of Day 1 included:
- An update on the Future of Oyster from Transport for London. There are still no plans to turn it off, though the uptake of bank cards by the travelling public continues to rise steadily.
- The Masabi presentation about Fare Payments as Service which was the subject of a recent podcast I made with Ben Whitaker.
- Contactless bank card ticketing has come of age. There were lots of presentations about cEMV roll outs. Visa announced that they have solutions to the classic problems with bank cards (they don’t work for the unbanked or family groups). Contact them if you want to learn more.
I moderated a panel about the future of ticketing technologies with panellists from:
- Deutsche Bahn, Germany
- GVB, Netherlands
- The Human Chain, UK
- Department for Transport, UK
We made a whistle-stop tour of up and coming technologies relevant to the different actors in the Mobility ecosystem, ranging from big data and augmented reality for Data Providers to Open Banking and distributed ledger technology for Maas Providers.
Other highlights for me from Day 2 included:
- The UK’s Rail Delivery Group’s presentation on developing insight from barcode data, linking tickets sold with tickets scanned to inform revenue protection.
- An update from Transport for the North on their Integrated and Smart Travel activities.
- A presentation by MOTC about the difficulties faced by Qatar which currently is massively dependent on the private car and their plans to address the congestion problems they face.
I spent most of my time in the exhibition hall talking with contacts and vendors. I wish there had been time to attend more of the presentations.
I took the opportunity to record another podcast while at the event. This time with Eric Reese, CEO of ByteMark over from New York.
Once again, I was delighted to be one of the panel of judges for the awards presented at the Gala Dinner and Awards held at the Science Museum and hosted by comedian Phil Wang. It was decided by the judges to introduce a Highly Commended tier this year within each award category. This is in recognition that the standard or submissions was generally high. So, while Moscow won the Best Smart Ticketing Programme 2020, both of the following were Highly Commended:
- Flowbird Transport Intelligence & Lothian Buses for their smooth role out of contactless payments card acceptance in Edinburgh in time for the Edinburgh Festival dramatic rise in population and bus usage;
- Rail Delivery Group & Cubic Transportation Systems for the delivery of barcode ticketing under budget and achieving collaboration between 19 Train Operating Companies.
Overall, the event was a great success and great fun to be part of. Here’s to next year.
At Consult Hyperion we have experience globally with transport and mobile ticketing and deploying the latest technologies. If you would like to learn more, give us a call.