Secure Remote Commerce (SRC) officially launched in the US last week, supported by a limited set of merchants, with more to launch by year-end and into early 2020. We’ve been tracking SRC for some time now as it moved through the specification development process within EMVCo. It has emerged at launch as a customer-facing brand called “Click-to-Pay,” unless you’re using an Amex card, where it’s also called “Online Checkout” in confirmation emails received after registering a card.
This article
was originally published on Money20/20.
We are in the midst of seismic societal
changes of how people interact and transact. Across societies,
geographies and segments, digital is the new norm. Change has accelerated,
placing greater value upon flexibility and speed. Historically, money and
finance have been among the more conservative and slower changing parts of
society, but this has changed dramatically over the past decade by viewing
money as an instigator of change rather than a lagging indicator.
Whether you are a marketer in shining armor
conquering new territory, a financial wizard casting spells upon the balance
sheet, or the queen or king guiding the whole enterprise, here are 4 trends
about money that you should keep in mind for your business.
Platforms are the new kingdoms
Platforms are the base upon which other
structures can be built. For example, App stores from Apple and Google
provide the infrastructure for consumers to complete commercial transactions
and manage finances through their mobile phones. While these companies
develop their own digital wallets, they also enable similar services from
banks, retailers and other companies. Building and maintaining the
platform enables services that they would not have created on their own, like
Uber or Lyft, which in turn, have created their own platforms.
Marketers trying to address customers’ needs
can plug into platforms to broaden offerings or deepen engagement with target
markets. Platform-based thinking implies that product and service design is
ongoing and doesn’t stop with a product launch. Jack Dorsey didn’t stop
when he built the Square credit card reader. The team went into lending
with Square Capital. They got into consumer P2P payments with Square
Cash. Their ecosystem has grown through partnerships with other companies
as well as in-house development.
Digital Identities open the gates
How do your customers interact with you?
Do they need to create a username and password, or can they use a 3rd
party system like Google or Facebook? Are security services like
two-factor authentication or biometrics used to protect credentials? Is
your company protecting customer identities adequately? The importance of
all of these questions is increasing and often the difference between being
forced into early retirement by a massive data breach or surviving to continue
to grow your business.
While identity management and digital
security might not be top of mind for most marketers, they are table stakes for
even the most basic future business. History is full of tales of rulers
successfully fighting off armies laying sieges on castles and fortresses, only
to fail when another army gets access to a key for the back door.
Context rules the experience
Credit card transactions moved from
predominantly being in-store, to e-commerce sites accessed from desktop
computers, and now to mobile phones. As the point-of-purchase expanded,
so did the consumer use cases and thought processes. In tandem, mobile screens
present less information than desktop computer screens, which in turn present
less information than associates in a brick-and-mortar environment.
Companies best able to understand context and deliver the right user
experience within these constraints will build loyal customer relationships.
Apps or services created for different
use cases on the same platform, such as the Facebook and Messenger apps, can help
achieve this. Banks often have different apps for managing accounts or for
completing transactions or payments. On a desktop, you can access these
services through a single interface but on the mobile, forcing users to select
their use case helps present a streamlined experience on the smaller, more
time-constrained mobile screen. The use of additional data such as
location, device, etc. can further streamline the experience. Marketers that
don’t think about the context will lose the battle before it even begins.
Data is gold
While a marketer’s goal is to generate
sales, data has become a value driver. In the financial world, data about
payments, assets and liabilities has become critical in how products and
services are delivered. PayPal, a fintech that began even before the word
‘fintech’, has recently been using payments data from their platform to help
build a lending business for their customers. Similarly, an SME lender
named Kabbage has grown to unicorn status by using data from other sources to
make smarter lending and pricing decisions. In the payments industry,
Stripe distilled a previously complex technology integration into a minimal
data set, accessed via API, to easily build payments into new digital products
and services.
Those that are able to harness the power of
data will be able to predict what customers want and more effectively address
their needs. In some cases, it might be using data from within your
enterprise or from other platforms for targeting, pricing or servicing
decisions. In other cases, it might be using data to reimagine what your
product or service is.
Looking for more insights on key trends in
money? Hear from 400+ industry leaders at Money20/20 USA. Money20/20 USA will
be held on October 27-30, 2019 at The Venetian Las Vegas. To learn more and
attend visit us.money2020.com.
I’ve just been in Bristol at the annual Transport Card Forum (TCF) two-day event. I was on the agenda as chair of Working Group 27 giving the final report on progress. The report will be going to DfT shortly and thereafter available to TCF members via the website. I’ve been attending TCF for many years and it is impossible not to notice how very slowly things change in transport ticketing.
One piece of our recent advice to a sub-national transport body, when hired to outline their smart ticketing strategy, can be summarised as: do not seek government funding to implement a region-wide (expensive) smart ticketing solution, but rather look at what already exists and how these ticketing schemes might be brought together to meet the needs of the various travelling customer types in the region. In this context, I was pleased to hear mention of software development kit (SDK) offerings from Masabi and FAIRTIQ, giving me hope that the transport ticketing industry is moving in the right direction. For example, Masabi is using their SDK to insert their ticketing technology into the Uber app for trials in Denver, Colorado.
A recurring theme at the event was operators reporting how PAYG solutions are proving popular with customers and how they are eroding the other forms of ticketing such as season tickets. This is an increasing area of concern for clients we are working with, most notably in terms of cash flow and forecasting but also technically. Some of our current work is helping clients deal with the array of ticketing solutions they are operating and how to rationalise these in the light of the way that the automated fare collection (AFC) industry is moving and responding to customer needs. Consumer demands will continue to drive change in their purchase patterns as flexible and remote working opportunities increase.
It is not uncommon for a transport operator to support all of the following:
Paper tickets as the only medium interoperable at all acceptance points for all customer types.
Legacy smart card solutions based on 1990s technologies where the operators were focussed on owning the customer by issuing them with a smart card.
Barcodes as a cheaper alternative to smart cards that can also go paperless if delivered to mobile phones.
Open-loop (EMV bank card) PAYG solutions which have grown out of our work with TfL in 2008-14. These are intended to increase ridership and reduce costs by using the bank card in the customer’s pocket, but because they are one card per passenger, they do not cater for group tickets or for those not having (e.g. children) or not wishing to use bank cards. This could be addressed on buses by introducing a ‘retail model’, but this would require driver interaction to determine the price of the ticket before purchase and slow down bus boarding.
Operators are transport providers and their core business is providing transport services, not running ticketing solutions. The last thing they want is to be maintaining systems that have to be able to handle multiple different front ends, though many of them find themselves doing so. The classic example is TfL’s intention to switch off Oyster once open-loop was up and running, but they have not yet managed to achieve this.
Our recent work with clients about how to use Digital Wallet Ticketing in a customer’s smart phone to unify their disparate ticketing solutions is proving popular. This has been both in sports stadiums and transport ticketing. Digital Wallet Ticketing was not much discussed at TCF19, which I guess is a sign of how slowly things move within the transit ticketing community. We believe DWT is the future.
We have a wealth of experience over several years of designing and building DWT solutions. Let us know if you’d like a chat about how this might work for you, be it payment, identity or ticketing.
The UK’s
Information Commissioner’s Office (ICO) has finally done what it’s been
threatening to for a while and levied enormous fines on British Airways’ parent
International Consolidated Airlines (£183 million) and Marriott Hotels (£99
million). While subject to appeal, these are the first signs of how the
ICO now has real teeth and is prepared to use them. The question is, what
lessons can we learn from this?
Well, firstly, we can observe that card payments aren’t
optimised for the internet. The BA breach looks like it was at the entry
point – i.e. it wasn’t that the data was breached while stored in a database
but that someone managed to plant compromised software that intercepted payments
in flight and captured the details. The point here, of course, is that the paradigm of
giving your card details to the merchant so they can pass them to your issuer
originated in the 20th century when we didn’t have a choice. Now,
given that we have this internet thing it makes more sense to contact our
issuer directly and tell them to pay the merchant. Realistically, this may be
the only way we can be sure merchants won’t lose our card details – don’t give
them to them.
This points to push payments a la PSD2 APIs. But
given that these won’t be pervasive for a while then the next best option is to
tokenise cards to either limit their use to a single merchant or even a
single transaction. Both of these are areas we’re seeing lots of interest in,
and ought to be high on the agenda of heads of IT security and payments
everywhere.
Secondly, we can note that static credentials are a
sitting target. Seeing email addresses and passwords breached opens up
companies to all sorts of horrible consequential damages under GDPR – let’s
face it, most people reuse the same combinations across multiple sites so a
breach on one site can lead to exposure on another. Any company relying on
static credentials should basically assume they’re going to get some level of
breach.
Fixing this requires two factor authentication and we
have a ready-made, state-of-the-art, solution here in the EU. PSD2 SCA
is about as strong an approach as you could ask for and we have banks and
authentication providers drowning in relevant technology. There simply is no
excuse for a company using static credentials if they get breached. We’ve
been working closely with providers to look at how to take these solutions into
the wider authentication market, because there’s been a certain inevitability
about the way a lot of companies have dealt with their data breach protection.
Finally, note that the point that BA have made – that they
haven’t seen any impact due to their breach – needs to be qualified: “yet”.
Hackers tend to sit on breach data for 18 months before using it, waiting for
the identity protection schemes that are often engaged post these events to expire.
GDPR allows affected companies and individuals to sue – up until now the costs
of a data breach have been borne by banks having to deal with fraud and issue
new cards and consumers having to sort out identity protection. The ICO fines
may yet be just the tip of a very expensive iceberg as GDPR ensures that the
costs are more appropriately allocated to the offending parties.
The EBA’s recent Opinion on the elements of strong customer
authentication under PSD2 was, apart from moving the goalposts on when SCA will
be enforced, full of interesting information about what constitutes a valid SCA
element. It closes some doors, opens others and ends any notion that merchants
can take liability and not do SCA themselves.
Taking the final point first, there’s been a view that Article 74(2) of PSD2 permits merchants to carry on without implementing SCA as long as they take liability. We at Consult Hyperion have long argued that that is an optimistic and overly legalistic reading of the regulations and this has now been confirmed. The EBA states:
In addition, even if there were a liability shift to the payee or the payee’s PSP for failing to accept SCA, as articulated in Article 74(2) of PSD2, this could not be considered an alleviation of PSPs’ obligation to apply SCA in accordance with and as specified in Article 97 of PSD2.
Basically, Article 97 takes precedence – PSPs (aka Issuers)
must apply SCA so if the merchant chooses not to then rather than end up with a
payment for which they’re liable they’ll end up with no payment at all. Which,
you’d imagine, would rather miss the point of being a merchant.
Beyond this point the Opinion has lots of interest to say
about inherence, possession and knowledge elements.
On inherence two points stand out. Firstly the
Opinion unambiguously states that behavioural biometrics can be a valid factor:
this opens up a world of possible low friction SCA, and we expect to see lots
of innovation in this area. Secondly it states that 3DS-2 does not support
inherence as none of the data points being gathered relate to biological or
behavioural biometrics but – and we view this as important – 3DS-2 is a valid
means of supporting SCA.
This is critical because the dynamic linking process behind
3DS-2 is not straightforward and there have been differences of opinion over
whether this is compliant. Given that 3DS-2 appears to be the only game in town
for CNP transactions having a statement that it’s OK is mighty important.
On possession, the EBA clarifies that OTP SMS is
valid and also that mobile app based approaches can be – but only if the app is
linked to the device. We’ve been arguing that this is obviously the case for a
while, so it’s good to see this confirmed: although there are going to be a few
app developers out there that need to revise their approaches pdq (we can help,
of course!).
Also on possession the EBA has stated something that really
should have been obvious to anyone taking more than a moderate interest in the
topic – printed card details such as PAN and CVV or user ids and email
addresses are not valid possession or knowledge elements. As a number of
prominent industry players have been taking the opposite approach this could
lead to some interesting developments in the coming weeks, particularly as the
Opinion states that if the CVV is not printed on the card and is instead sent
on a separate channel, then it is a valid knowledge element.
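The element-validity rules the Opinion sets out above (printed PAN/CVV, user ids and email addresses count for nothing; a CVV delivered on a separate channel is knowledge; SMS OTP is possession; an app counts as possession only when bound to the device; 3DS-2 device data is not inherence) can be written down as a small classifier. This is an added illustration, not code from Consult Hyperion or the EBA; the `kind` labels and the `Evidence` record are this example's own naming, and treating "two distinct categories" as the independence test is a simplification of the RTS.

```python
"""SCA element classifier following the EBA Opinion as summarised above.

Constructed example: the kind names are this example's own labels, not
identifiers from PSD2, the RTS, a card scheme or any vendor API.
"""
from dataclasses import dataclass
from typing import Optional

KNOWLEDGE = "knowledge"
POSSESSION = "possession"
INHERENCE = "inherence"


@dataclass(frozen=True)
class Evidence:
    """One piece of authentication evidence presented for a payment."""
    kind: str
    # Only meaningful for app-based approaches: is the app linked to the device?
    device_bound: bool = False
    # Only meaningful for the CVV: printed on the card (True) or delivered
    # over a separate channel and not printed (False)?
    printed_on_card: bool = True


def classify(ev: Evidence) -> Optional[str]:
    """Return the SCA category an element counts towards, or None when the
    Opinion (as described above) does not accept it as a valid element."""
    k = ev.kind
    if k in ("password", "pin"):
        return KNOWLEDGE
    if k == "cvv":
        # A printed CVV is not a knowledge element; a CVV sent on a separate
        # channel and not printed on the card is.
        return None if ev.printed_on_card else KNOWLEDGE
    if k in ("pan", "user_id", "email"):
        # Printed card details and identifiers are neither knowledge nor possession.
        return None
    if k == "otp_sms":
        return POSSESSION
    if k == "app_token":
        # Mobile-app approaches count only when the app is linked to the device.
        return POSSESSION if ev.device_bound else None
    if k == "chip_card":
        # The physical card read by the terminal (card possession).
        return POSSESSION
    if k in ("fingerprint", "behavioural_biometric"):
        # Biological and behavioural biometrics are both inherence.
        return INHERENCE
    if k == "3ds2_device_data":
        # 3DS-2 data points are not biometrics, so they supply no inherence;
        # 3DS-2 can still carry an SCA performed with valid elements.
        return None
    raise ValueError(f"unknown evidence kind: {k!r}")


def sca_categories(evidence: list) -> set:
    """Distinct SCA categories covered by the valid elements presented."""
    return {c for c in (classify(e) for e in evidence) if c is not None}


def satisfies_sca(evidence: list) -> bool:
    """SCA needs at least two of the three categories (simplified independence test)."""
    return len(sca_categories(evidence)) >= 2


def explain(evidence: list) -> list:
    """Per-element verdict plus overall result, suitable for review logs."""
    lines = [f"{e.kind}: {classify(e) or 'not a valid element'}" for e in evidence]
    lines.append(f"SCA satisfied: {satisfies_sca(evidence)}")
    return lines


if __name__ == "__main__":
    # Constructed scenarios, not real transactions.
    scenarios = {
        "printed card details only": [Evidence("pan"), Evidence("cvv"), Evidence("email")],
        "password + SMS OTP": [Evidence("password"), Evidence("otp_sms")],
        "password + unbound app": [Evidence("password"), Evidence("app_token")],
        "password + device-bound app": [Evidence("password"), Evidence("app_token", device_bound=True)],
        "biometric card": [Evidence("chip_card"), Evidence("fingerprint")],
        "behavioural biometric + 3DS-2 data": [Evidence("behavioural_biometric"), Evidence("3ds2_device_data")],
    }
    for name, evs in scenarios.items():
        print(f"--- {name}")
        print("\n".join(explain(evs)))
```

The "biometric card" scenario also covers the possession-plus-inherence case that the biometric card post further down this page relies on to drop the PIN.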
Overall, the analysis and discussion in the Opinion on valid
SCA elements is welcome, if a trifle tardy. To be fair to the EBA, we don’t see
anything in their analysis that a proper reading of the RTS wouldn’t have
produced. However, it’s been clear for some time that many industry players
have been making a highly liberal interpretation of the requirements usually
based on a legal opinion. But PSD2 and the RTS are about principles, not rules:
if you need advice on this you need to talk to the people who understand this
stuff. Which, by the way, is us, not law firms.
EDIT: since posting this blog the UK’s FCA has confirmed our expectation that it won’t be enforcing SCA on the 14th September as long as the participants are aiming to comply with a soon to be announced migration plan. In the meantime it’s “working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible”. See: https://www.fca.org.uk/news/statements/fca-response-european-banking-authority%E2%80%99s-opinion-strong-customer-authentication
The doom-laden headlines appearing in the press have, it seems, worked and the EBA has decided to replace the 14th September deadline for the introduction of SCA with … another deadline. Only they won’t tell us what it is, presumably we have to figure it out for ourselves.
So, let’s see what the EBA has done now …
Firstly, they haven’t actually changed the date as they can’t, it’s written into EU law. But given dire warnings of a collapse in online payments they’ve come up with a fudge:
The EBA therefore accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, CAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.
Let’s summarise that. National regulators – competent
authorities (CAs) – may work with PSPs (Issuing and Acquiring banks) and
unregulated actors (merchants, consumers) to agree to delay the introduction of
SCA. Which presumably means unprepared merchants and confused consumers are
breathing a sigh of relief. Unfortunately, as this is now in the hands of local
regulators there’s no guarantee at all that this will be applied evenly,
opening up the possibility that some countries will enforce and others (notably
the UK and France) will not.
On top of that, there’s no guarantee that Issuers won’t
apply SCA anyway, even if their local regulator permits them to not do so. So
merchants who are unprepared may still find themselves suffering random
declines. And, furthermore, if Acquirers haven’t implemented the necessary
changes then even if the merchants are compliant they may still have
transactions irrevocably declined.
Note also the “limited additional time” clause. Frankly, introducing SCA prior to the critical holiday shopping period was foolish anyway (but was an unintended consequence of the 18 month implementation period following the adoption of the RTS), so we can assume that the date will be pushed out at least into early or mid 2020. The EBA adds (but not in the actual Opinion):
In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.
And that’s the catch:
This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their CA, and execute the plan in an expedited manner. CAs should monitor the execution of these plans to ensure swift compliance with the PSD2 and the EBA’s technical standards and to achieve consistency of authentication approaches across the EU.
Basically, Issuers and Acquirers need to publish what they’re
going to do including how they’re going to communicate the requirements to
consumers and merchants respectively. Quite how this is all going to be
co-ordinated is unclear – no sensible merchant is going to disadvantage
themselves by unilaterally turning on SCA when its competitors aren’t. Issuers
may take the same approach, as they probably don’t want their cardholders
switching to other banks: but there’s no requirement on them to do so.
The rest of the opinion focuses on the validity of various authentication
factors. That’s interesting too, but we’ll look at the implications of it
another day.
The one thing this does allow is for 3DS-2.2 to be made
ready. That’s an advantage to smart merchants who can at least develop a
proper, low friction SCA strategy. In the meantime, we’re looking forward to
getting involved in lots of migration planning.
There are relevant economic and social trends to which public-sector bodies must respond with transport policies:
Circa 60% of the UK population lives in cities. Congestion is a real problem which in turn leads to increased pollution and reduced air quality.
As a population, we travel substantially less today than we did one or two decades ago.
We are travelling less by car and more by train and bike. Fewer of us are getting driving licences, and we are getting them much later in our lives.
A key response to these trends is to try to drive modal shift from privately owned cars to mobility as a service (MaaS). Rail is a key mode in MaaS solutions, and Rail, in the UK, is undergoing a root and branch review which was announced by Chris Grayling and the Department for Transport in September 2018. Keith Williams is leading the review, supported by an expert panel. Amongst other things, it will look at the structure of the whole rail industry, regional partnerships and improving value for money for passengers and taxpayers. Any emerging reform plans will be implemented from 2020.
One can imagine that there are many problems to be addressed as part of this review and that fares and ticketing might not get much of a look in. However, the ‘value for money for passengers and taxpayers’ part seems significant.
In a February meeting with DfT about the future of fare collection and transport payments, Consult Hyperion was asked to respond to the recent Rail PAYG Consultation covering:
what a Pay-As-You-Go (PAYG) travel area is, and how it would work in general
where a PAYG travel area could cover
the changes to fares that could be made within the area
The consultation ran from February to the end of April 2019 and now the Department for Transport is considering the responses.
In the context of this activity, the ORR statistical release makes perhaps more interesting reading than it otherwise would have done.
“Passenger journeys using ordinary tickets increased by 5.0% in 2018-19 compared to the previous year. This was driven by a 6.9% growth in anytime tickets. In contrast, the number of passenger journeys made using season tickets fell for the third consecutive year, down 0.4%. Market share of season ticket journeys was 36% in 2018-19, down from 48% a decade ago.”
These would seem like exactly the right market conditions for introducing PAYG on rail beyond London. Today’s passengers cannot easily predict their journeys in advance, but would like to be rewarded for frequency of travel, which, by choosing Rail, will help meet social and environmental goals. Granted, PAYG is not well suited to long-distance Rail if ticket prices are high, but there are many train journeys that are in the right price bracket.
In time, it would seem desirable to phase out season tickets. Ticketing should be tailored to the increasingly flexible patterns of work: perhaps for a specified number of days per month or the use of digital carnet tickets (to be enabled prior to departure). It would seem that smartphone apps are ideal for handling this.
Flexibility is also required within each day. Passengers travelling out in off peak times frequently don’t know until they start their return journey whether it will be peak or off-peak. In addition, designations of peak and off-peak are complex, localised and require further study.
A PAYG solution which focuses primarily on the gate line may limit subsequent progress. Mobile ticketing has an important role to play. It provides the means to offer a variety of ticket types on a single device and is comparatively easily updated. It also offers much greater flexibility for passengers travelling from unmanned stations, where gate lines don’t generally feature, and ticket machines are frequently vandalized. Another benefit of mobile ticketing is the quality of travel data that can be collected (while respecting passenger privacy).
We have recently been advising three UK Sub-national Transport Bodies (STBs) and recently facilitated a transport operator workshop to discuss options for fare collection and transport payments. The thing that the operators seemed most excited about was PAYG. The kind where customers just turn up and travel without having to worry about the tariffs in advance and trusting that they will be charged a fair price. Inevitably, the discussions dipped into which technologies are good at this and which are bad, but the fact remains, they are clear what their customers want and truly believe that by giving them what they want, they will receive increased ridership in return.
Clearly, this is what Transport for London already provides and their offering is slowly extending out from London into the SE region, for example to Gatwick Airport. However, the open-payment-based PAYG models (using contactless bank cards) are limited in the amounts up to which fares can be aggregated before payment is taken. This limits the risk that payment for the journey is never received, but it also makes sense from the point of view of the customer, who does not want to travel on trains all day not knowing how many hundreds of pounds they will be charged at the end, and who also wants to benefit from any available capping of fares.
What is needed is flexibility. Open-loop transit payments are better than conventional card-based transport cards for travelling within cities. As we have said before, open-loop transit payment suffers from the passenger identifier (their bank card) being tightly coupled to just one of their payment mechanisms (one of their bank accounts). We have been exploring other mobile-based solutions with the Rail Delivery Group (RDG) recently and are hopeful that such customer-centric alternatives will emerge soon.
If you’re interested in finding out more, please contact: sales@chyp.com
On Friday 13th September this year, the full
force of PSD2 Strong Customer Authentication (SCA) comes into force.
Anecdotally the lack of readiness of the card payment industry is beginning to
suggest that the immediate impact may well look like the aftermath of a dinner
party hosted by Jason Voorhees.
To summarise: after 13th September 2019 (yes,
that’s in just over 3 months) account holding banks must require two factor
authentication compliant with PSD2 SCA on all electronic payments, including
all remote card payments, unless an applicable exemption is triggered. There
are no exceptions allowed to this, there is no concept of merchants choosing to
take liability and avoiding SCA. In the event that a merchant attempts a
transaction without SCA and the issuing bank determines that no exemption
applies or that there is significant risk associated with the payment the bank must
decline and request the merchant to perform a step-up authentication.
Currently, the only real option open to merchants for
performing SCA for online card payments is 3DS. To support all of the PSD2
exemptions – which are needed to provide a near frictionless payment experience
– the very latest version, 3DS2.2, must be used. As it stands, however, 3DS2.2
will not be ready, so the initial implementation of this will be sub-optimal.
So, come 14th September this year what will happen?
Figures are hard to come by, but within Europe we believe
that 75% of merchants don’t implement 3DS today. We also believe that about a
fifth of large issuers are taking a hard line in order to be compliant with the
regulations and will decline all non-3DS transactions. Even where the issuer is
taking a more subtle approach they will request step-up SCA on somewhere
between 1 in 5 and 1 in 10 transactions. On top of this, if the merchant
does not support 3DS and the issuer authorises anyway any fraud is the
merchant’s responsibility: for non-complying merchants this is a lose-lose-lose
proposition.
Given this woeful state of preparedness there’s some
industry hope that the regulators may take a relaxed view of compliance come
September. Certainly there are representations being made in Brussels, but we
think it’s unlikely there’ll be any relief from that direction: (1) the
migration date is written into law, national regulators cannot alter it and (2)
many issuers will implement PSD2 fully regardless of any softening of the
implementation. We suspect that there may be some movement from national
regulators since the alternative may be unthinkable, but travelling hopefully
doesn’t look like much of a strategy, especially if you’re an e-com retailer or
PSP.
Going forward there are a wide range of solutions being
developed which will mitigate the impact of SCA on cardholders. Ultimately 3DS
is not the only solution, but it is the only pervasive one and it certainly is
the only one available in the current time frames.
What can merchants do to avoid carnage in September? Well, as a matter of urgency they need to engage with their PSPs to ensure that they’re capable of supporting 3DS. Given that there’s likely to be a last minute rush the earlier this happens the better. Secondly, to meet 3DS requirements they need to be capturing a range of customer data to feed into the underlying risk management processes (which, of course, needs to be GDPR compliant). And finally, they need to be working on a proper PSD2 SCA strategy that ensures, going forward, that they can minimise the impact on their customers, provide the minimum friction in the payments process and maximise transaction completion.
Here at Chyp we’ve spent the last two years helping Issuers,
Schemes, Acquirers, PSPs and merchants prepare – so although the impact across
the payments industry may be patchy, we know there will be winners as well as
losers. If the worst case comes to pass then the only merchants likely to
escape the bloodbath come September are those taking action now. And there’s
unlikely to be any downside to immediate action – PSD2 has been in the works
for over five years, the SCA implementation date has been known for over a
year, and there’s little indication that the European Commission intends to
undo or loosen the regulations.
Friday 13th is coming, best make sure you’re
prepared …
The mention of biometric cards may be met with a raised brow or a quizzical look. But if you offer a further explanation and ask a consumer if they can see the convenience of holding a payment card with a biometric sensor on it to make a high value payment without having to enter a PIN, things suddenly become clear and are generally very well received.
UK’s Natwest, France’s Société Générale and Italy’s Intesa Sanpaolo are all in the race to deliver this added convenience to their customers. The solution consists of having a physical card, with a fingerprint reader embedded in it, enabling the cardholder to authenticate themselves before tapping the card on the terminal. An interesting solution to a problem already solved by Apple Pay and the likes, you might be tempted to think.
Not quite. Market segments either left behind by or averse to the mobile payments revolution can finally be targeted. My mother is part of that category. She fully adopted contactless payments when she visited me here recently, finding PINs to be too much of a hassle, but quickly reverted to cash when she realised that contactless wouldn’t get her the weekly shop at Monoprix, by default greater than the 30 EUR limit, without the PIN accoutrement.
This biometric card offering also resolves the customer pain that is likely to hit contactless card payments from 14 September 2019, when the Regulatory Technical Standards (RTS) start to apply.
In less than six months, unless one of the applicable exclusions applies, conventional contactless cards will in all likelihood need to be chipped and PINned again after as few as 5 coffees. These new biometric cards offer an edge on this issue.
Biometrics as a CVM, like PINs, satisfy the Strong Customer Authentication (SCA) requirement of using at least two of three independent elements:
Knowledge (e.g. a PIN)
Possession (e.g. possession of the card)
Inherence (e.g. biometrics)
The difference, however, lies in how this SCA transaction is perceived. Where PINs would require lengthy online PIN authentication in contactless, or cumbersome and disruptive step-ups to contact transactions, biometrics on the card offer seamless continuity in payment ergonomics.
Moreover, biometrics are expected to be non-repudiable. Back in the day, a signature could support extravagant excuses like those of Rebecca Bloomwood in Sophie Kinsella’s “The Secret Dreamworld of a Shopaholic”:
I never go to Millets. […] Some criminal’s pinched my credit card and forged my signature. Who knows where else they’ve used it? No wonder my statement’s so black with figures. […] Someone must have pinched it from my purse, used it – and then put it back.
Sophie Kinsella, “The Secret Dreamworld of a Shopaholic”
Such excuses are less likely with PINs, though not impossible given shoulder surfing, and nearly impossible with biometrics.
There is therefore a risk, albeit an infinitesimal one, of a “wolf”: someone whose own “8 features on a 100mm² fingerprint sensor” happen to match the cardholder’s, going on that Millets spending spree. Certainly far-fetched, once you work out the probabilities.
The greatest challenge, however, lies at the very heart of the solution: biometric self-enrolment. The enrolment procedures for roll-out have not been fully unveiled yet. A proper enrolment procedure design is crucial to the whole lifecycle of the card, requiring a careful balance between the comfort of an easy procedure, maximum assurance that the right individual is being enrolled, and well-suited risk mitigation actions. Unlike the OEM Pays, which, being phone-based, can run interactive onboarding checks, enrolment for the card form factor is not straightforward. Various solutions are being proposed, ranging from controlled enrolment at the bank to checking in on a banking portal or online equivalent after enrolment. It is not clear that any one of these is the right answer for all customers.
Finding an optimal solution is vital. As Mastercard puts it, “it’s all about providing options that make life easier and more convenient, ultimately improving the shopping experience without compromising safety and security.”
The reasons for keeping a magnetic stripe on cards alongside the chip (and PIN) have long been debated at Consult Hyperion, especially for the US, where things were different for years – of course, the US has now introduced chip and PIN as well.
But putting numbers and signatures on cards helps criminals. There’s no need for it.
A couple of years later, in “Tired: Banks that store money. Wired: Banks that store identity” we asked why banks didn’t put a token in Apple Pay that didn’t disclose the name or personal information of the holder, a “stealth card” that could be used to buy adult services online using the new Safari in-browser Apple Pay experience. This would be a simple win-win: good for the merchants as it would remove CNP fraud and good for the customers as it would prevent the next Ashley Madison catastrophe. Keep my real identity safe in the vault, give the customer a blank card to go shopping with.
Brazil Nuts
Some years ago, when we were testing Static Data Authentication (SDA) “chip and PIN” cards in the UK, we used to make our own EMV cards. To do this, we took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.
You might call these cards pseudo-clones. They acted like clones in that they worked correctly in the terminals, but they were not real clones. They didn’t have the right keys inside them. Naturally, if you made one of these pseudo-clones, you didn’t want to be bothered with PIN management so you made it into a “yes card” – instead of programming the chip to check that the correct PIN is entered, you programmed it to respond “yes” to whatever PIN is entered. We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals. Of course it’s worth noting things have progressed and fortunately this wouldn’t work now as the schemes have moved on from SDA.
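The check that the pseudo-clone testing was probing, as an added example and not Consult Hyperion’s code: an issuer host that recomputes the ARQC over the data the terminal forwarded and declines on a mismatch or a stale ATC, which is what rejects a made-up cryptogram like “SDA ANTICS”. It assumes a CVN 10 style cryptogram (ISO 9797-1 Algorithm 3 under the card’s UDK, used directly rather than via a session key), a simplified field ordering, and a constructed UDK looked up by PAN instead of being derived from an issuer master key; the PAN, key and CDOL1 data are all constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Constructed per-card unique key (UDK), keyed by PAN, as the issuer host fetches it; real keys live in an HSM.
var cardUDK = map[string][]byte{"4541234567890120": {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}}

// Single-DES encrypt and decrypt of one 8-byte block: the primitives the EMV retail MAC is built from.
func desEnc(k8, x []byte) []byte { c, _ := des.NewCipher(k8); o := make([]byte, 8); c.Encrypt(o, x); return o }
func desDec(k8, x []byte) []byte { c, _ := des.NewCipher(k8); o := make([]byte, 8); c.Decrypt(o, x); return o }

// retailMAC is ISO 9797-1 MAC Algorithm 3 with padding method 2 (0x80 then zeros): DES-CBC under K1, then D_K2 and E_K1 on the result.
func retailMAC(k16, data []byte) []byte {
	p := append(append([]byte{}, data...), 0x80)
	p = append(p, make([]byte, (8-len(p)%8)%8)...)
	h := make([]byte, 8)
	for i := 0; i < len(p); i += 8 {
		for j := range h {
			h[j] ^= p[i+j]
		}
		h = desEnc(k16[:8], h)
	}
	return desEnc(k16[:8], desDec(k16[8:], h))
}

// The MAC covers the CDOL1 fields the terminal forwards (amount, UN, TVR, ...) plus the card's ATC, so the
// counter the issuer checks is itself authenticated. genuineARQC models a real chip holding its own UDK.
func macData(cdol []byte, atc uint16) []byte { return append(append([]byte{}, cdol...), byte(atc>>8), byte(atc)) }
func genuineARQC(pan string, cdol []byte, atc uint16) []byte { return retailMAC(cardUDK[pan], macData(cdol, atc)) }

// Issuer remembers the last ATC per PAN, so a replayed genuine cryptogram is refused too. Authorise is the host
// check the page describes: recompute the ARQC under the card's UDK and approve only on a match with an advancing ATC.
type Issuer struct{ lastATC map[string]uint16 }

func (is *Issuer) Authorise(pan string, cdol []byte, atc uint16, arqc []byte) bool {
	udk, ok := cardUDK[pan]
	if !ok || atc <= is.lastATC[pan] || !bytes.Equal(retailMAC(udk, macData(cdol, atc)), arqc) {
		return false
	}
	is.lastATC[pan] = atc
	return true
}

func main() {
	cdol := []byte{0, 0, 0, 0, 0x05, 0x00, 0, 0, 0, 0, 0, 0, 0x08, 0x26, 0x80, 0, 0, 0, 0} // constructed CDOL1 data
	is := &Issuer{lastATC: map[string]uint16{}}
	fmt.Println(is.Authorise("4541234567890120", cdol, 7, genuineARQC("4541234567890120", cdol, 7))) // true
	fmt.Println(is.Authorise("4541234567890120", cdol, 8, []byte("SDAANTIC")))                        // false
}
```

An issuer that skips the Authorise step behaves exactly like the banks in the story: any 8 bytes the card returns are accepted.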
I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this, he made a similar white plastic pseudo-clone card and went into a shop to try it out.
When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.
The guy, thinking quickly, told him that it was one of the new Apple credit cards!
“Cool,” said the shopkeeper. “How can I get one?”
Titanium Dreams
That Brazil story was written back in 2014! There was no white Apple credit card at that time but it was interesting that the shopkeeper expected an Apple credit card to be all white and with no personal data on display, just as we had suggested in our ancient ruminations on card security. Imagine the total lack of surprise when the internet tubes delivered the news of the new actual Apple credit card launched in California a couple of weeks ago. Apple CEO Tim Cook said that the new Apple Card would be the biggest card innovation “in 50 years” [FT]. This seems a little rough on the magnetic stripe, online authorisation, chip and PIN, debit cards, contactless interfaces and so on, but it is certainly an interesting development for people like us at Consult Hyperion.
The story gathered the usual media interest, with a number of reports on the web talking about “Apple going into banking”, which, obviously, they are not. Far from it. The Apple Card issuer is Goldman Sachs (it’s their first credit card product) and the card product is wholly unremarkable. The card looks pretty cool though, no doubt about that. I still don’t know why they put the cardholder name on the front (instead of their Apple ID).
Apple Card is launching into an interesting environment. The US POS is a confusing place but Apple know their stuff and I am sure that they think they can use the 2% cash back on Apple Pay purchases vs. the 1% on chip/stripe to push people toward the habit of using their phones at POS instead of cards. Judging by the sign I saw in an Austin gas station, they may be right.
The Apple Card adds security, there’s no doubt about that. The card-not-present PAN and CVV displayed by the app (which can be refreshed) are not the same as the PAN and CVV on the stripe, so you can’t make counterfeit stripe cards with data from the app. Apple also uses the Mastercard token Account Update service, so if you give (say) Spotify the CNP PAN/CVV and then refresh it, you don’t need to tell Spotify that you’ve changed anything because Mastercard will sort it out with Spotify. That’s security for the infrastructure and convenience for the customer.
Now You See It
While I was jotting down some notes about Apple Card, I was thinking about David Kwong, the illusionist. He gave an entertaining talk at Know 2019 in Las Vegas and I was privileged to MC his session. I was sitting feet away from him and I couldn’t figure out how he did it. That’s because he is a master of misdirection!
I can’t help feeling that there’s a bit of misdirection going on with Apple Card. The press are reporting about the card product, but it’s really not that earth shattering. It seems to me that what is really important in the announcement isn’t extending Goldman Sachs’ consumer credit business or that bribe to persuade apparently reluctant consumers to use Apple Pay at contactless terminals instead of swiping their card, but the attempt to get people to use Apple Cash. Cognisant of how Starbucks makes out by persuading citizens to exchange their US dollars that are good anywhere into Starbucks Dollars that are not, and of Facebook’s likely launch of some kind of Facebook Money, Apple are hoping to kick-start an Apple Cash ecosystem.
You may have noticed that as of now, you can no longer fund person-to-person Apple payments (in Messages) using a credit card. You can still fund your Apple Cash via a debit card. You can pay out from your Apple Cash to a Visa debit card for a 1% fee or via ACH to a bank account for free. They want to reduce the costs of getting volume into Apple Cash and make it possible for you to get it out without jumping through hoops. Given that you can do this, you’ll be more relaxed about holding an Apple Cash balance and that means that next time you go to buy a game or a song or whatever, Apple can knock it off of your Apple Cash balance rather than feeding transactions through the card rails.
And why not? In this ecosystem Apple would carry the float, which might well run into millions of dollars (Starbucks’ float is over a billion dollars), and if it could persuade consumers to fund app, music and movie purchases from Apple Cash instead of cards it would not only save money, but anchor an ecosystem that could become valuable to third-party providers as well. With Facebook’s electronic money play on the horizon, I think Apple are making a play not for a new kind of card to compete with my Amex Platinum and my John Lewis MasterCard but for a new kind of money to compete with BezosBucks, ZuckDollas and Google Groats.