A wallet is a way of organising things. My Apple Wallet, just like my real wallet, doesn’t have any cash in it. It has credit cards, debit cards, loyalty cards, vaccination records, boarding passes, train tickets and driving licences (Apple have just gone live with their driving licence and state ID in Arizona). These things are all held independently in the wallet: they don’t talk to each other and they don’t share data with each other. They are also, as you will have noticed, mostly about identity, not money.
Contactless Card Acceptance
Solutions to enable Android phones to be used to accept EMV contactless card payments without requiring additional hardware have been around for a while. We’ve been advising and helping our clients architect, secure, build and certify SoftPOS solutions for the last 5 years. However, this has not been possible on iOS devices, until now. Speculation that Apple was looking to add contactless payment card acceptance support to iPhone grew when they bought Mobeewave for $100MM in 2020. Based on the technology acquired in this purchase, Apple has recently added contactless card acceptance capability by implementing their Proximity Reader framework in iOS 15.4, for what Apple calls Tap to Pay.
At last week’s FDX Virtual Spring Global Summit, I received a glimpse into the huge strides being made by the Financial Data Exchange in the adoption of their data sharing API for the US market. In the context of minimal centralised regulation in the US, progress is driven by industry. This marks a substantial move away from screen scraping, which has historically been prominent in the US market. While the API approach provides value in terms of security and standardisation, many organisations still depend on screen scraping to support their business model.
16 years on from PIN day (Valentine’s Day 2006), how is our relationship with PIN holding up?
Last year Dave Birch postulated that PIN was in decline and indeed no longer necessary as our mobile phones make use of various biometrics to authenticate us and our transactions, but as we often remind ourselves in Chyp, we’re not normal. UK Finance statistics tell us that whilst the use of Apple Pay & Google Pay at the Point of Sale is on the rise, the humble plastic card is still the preferred way to pay.
Here at Consult Hyperion, we are often involved in design, implementation and testing of secure systems on devices such as smart cards and mobile phones for payments, banking and other applications where security is critical.
The biggest news in payments security in the last month concerns allegations that point of sale terminals supplied by PAX Technology have been subverted to have the capability of launching cyberattacks. Details of the allegations can be found at Krebs and Bloomberg; in response, PAX Technology has published a rebuttal.
Victoria Saporta, BoE executive director for prudential supervision, has said recently that minimum resilience requirements should be required for the tech giants’ (and others’) hosting services, before they may process and store banking data. We strongly support these comments. We have identified this issue as one of a number of new risks arising from modern financial systems architecture, in recent Structured Risk Analyses that we have carried out for financial and retail organisations in North America, Asia-Pac and EMEA.
EMV is at the heart of global payment card processing. As a specification it governs the processing of billions of transactions globally, with the vast majority of those flowing through the international payment schemes. As a technology it has been incredibly successful, reducing fraud levels everywhere it’s been introduced and its extension into contactless payments is now the fastest growing area of face-to-face payments. The idea that EMV might soon be obsolescent seems far-fetched, to put it mildly, but there are reasons to believe that its hegemony is under threat.
Card issuing seems to be hot right now. Despite the rise of alternatives to card payments, many Fintechs appear intent on adding payment cards to their product portfolios. And it is not just the “me too” start-up banks.
For example, some international remittance services are adding payment cards to their offerings. This allows customers to spend the money they receive directly but also means that customers do not withdraw funds immediately upon receipt. This extends the customer relationship, adding value to both the customer and the Fintech.