Leveraging the payment networks for immunity passports

COVID-19

As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.

I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?

It is no longer unusual for a company in the City to test its employees regularly before allowing them to work in its offices, and to cover the additional cost of a commute that avoids public transport.

Billions are being invested in vaccine research and tests to confirm that we have the antibodies to protect us and those with whom we interact. But will that be sufficient? Will it allow you to visit your relatives in the care home, sit inside your favorite restaurant, work in close proximity to your colleagues and/or travel without the need to quarantine for 14 days when you arrive and/or return?

Experience would suggest that over the next year or so a variety of vaccinations and tests will be released, which will work to a greater or lesser extent. The question will be: ‘is the vaccination, or test, recognized by the venue (and their insurers), or country, which you are trying to enter?’

For some organizations, the fact that the COVID-19 tracing application on your phone turns green will be sufficient. Others will only recognize specific vaccinations and tests and will want to check that the immunizations are still valid. Both will be concerned by the availability of fake immunity certificates. Thus, in parallel with the medical developments, we have to implement a robust and efficient method of sharing and remotely validating the immunity certificates or passports that they will deliver.

Those of us who regularly travel in North Africa and South America are used to handing over our yellow International Certificate of Vaccination or Prophylaxis (ICVP), with our passport, to prove that we have had the yellow fever vaccine. This program, which is governed by the International Health Regulations, could provide the governance framework for the operation of the COVID-19 immunity passports.

Over the last few months, Consult Hyperion has proven that the contactless payment networks, which allow you to use your credit or debit card anywhere in the world, can also be used to share and remotely validate your COVID-19 immunity passport.

Our idea is that anywhere you can use your payment card you can also validate that you have the required immunity to enter the building or country. As with your payment transaction, an organization can choose whether or not to accept your immunity passport based on the:

  • Issuer of the immunity passport
  • Vaccinations and/or tests administered
  • Date when the vaccinations and/or tests were administered
  • Potential that the passport is a fake or you are not the genuine passport holder

If required, the organization can also revert to the issuer of the immunity passport to check there and then that your passport is still valid.

The consumer experience delivered by the immunity passport is similar to that of a contactless, Apple Pay or Google Pay transaction. The immunity passport is stored in a secure application in your smartphone or biometric smartcard. When asked to prove your Immunity Status you use your fingerprint to authenticate yourself to your phone/card and then touch your phone/card to a contactless reader. An application on the reader validates your immunity passport and passes only the required information to the restaurateur, owner of the care home or office or border control officer.
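To make the acceptance decision concrete, the following is an added illustration of the four criteria in the bullet list above as a reader-side policy check. It is not Consult Hyperion's code and does not reflect the real scheme's message formats: the issuer names, products, dates and keys are constructed, and an HMAC keyed per issuer stands in for the issuer signature a real passport would carry (an assumption of this example only). The reader returns only accept/reject and a reason, which is the "only the required information" point made above.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Set, Tuple

# Constructed sample data. A real scheme would verify an issuer's digital
# signature against published issuer keys; an HMAC keyed per issuer stands in
# for that authenticity check here (an assumption of this example only).
ISSUER_KEYS: Dict[str, bytes] = {
    "EXAMPLE-LAB-A": b"constructed-issuer-key-A",
    "EXAMPLE-CLINIC-B": b"constructed-issuer-key-B",
}


def _canonical(record: dict) -> bytes:
    # Deterministic encoding so issuer and verifier authenticate identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_passport(issuer: str, holder_ref: str, product: str, administered: date) -> dict:
    """Issuer side: bind the record to the issuer with the issuer's key."""
    record = {"issuer": issuer, "holder_ref": holder_ref, "product": product,
              "administered": administered.isoformat()}
    tag = hmac.new(ISSUER_KEYS[issuer], _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


@dataclass(frozen=True)
class AcceptancePolicy:
    """What one venue chooses to accept: the criteria from the bullet list."""
    trusted_issuers: Set[str]
    validity_days: Dict[str, int]   # accepted vaccination/test -> days it stays valid
    on_date: date                   # the day of the visit


def validate_presentation(passport: dict, holder_authenticated: bool,
                          policy: AcceptancePolicy) -> Tuple[bool, str]:
    """Reader side. Only (accepted, reason) is passed on, never the record itself."""
    if not holder_authenticated:
        return False, "holder did not authenticate to the phone or card"
    rec = passport.get("record", {})
    issuer = rec.get("issuer")
    if issuer not in policy.trusted_issuers or issuer not in ISSUER_KEYS:
        return False, "issuer not recognised"
    expected = hmac.new(ISSUER_KEYS[issuer], _canonical(rec), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, passport.get("tag", "")):
        return False, "passport failed authenticity check"
    validity = policy.validity_days.get(rec.get("product"))
    if validity is None:
        return False, "vaccination or test not accepted by this venue"
    try:
        administered = date.fromisoformat(rec.get("administered", ""))
    except ValueError:
        return False, "malformed administered date"
    if administered > policy.on_date:
        return False, "administered date is in the future"
    if policy.on_date - administered > timedelta(days=validity):
        return False, "no longer valid"
    return True, "accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed presentations at one venue on one day."""
    policy = AcceptancePolicy(
        trusted_issuers={"EXAMPLE-LAB-A"},
        validity_days={"PCR-TEST": 3, "VACCINE-X": 365},
        on_date=date(2020, 9, 1),
    )
    fresh = issue_passport("EXAMPLE-LAB-A", "holder-1", "PCR-TEST", date(2020, 8, 30))
    stale = issue_passport("EXAMPLE-LAB-A", "holder-2", "PCR-TEST", date(2020, 8, 20))
    other = issue_passport("EXAMPLE-CLINIC-B", "holder-3", "VACCINE-X", date(2020, 8, 1))
    altered = issue_passport("EXAMPLE-LAB-A", "holder-4", "VACCINE-X", date(2020, 8, 1))
    altered["record"]["administered"] = "2020-08-31"  # record changed after issue
    return {
        "fresh test": validate_presentation(fresh, True, policy),
        "stale test": validate_presentation(stale, True, policy),
        "untrusted issuer": validate_presentation(other, True, policy),
        "altered record": validate_presentation(altered, True, policy),
        "no fingerprint": validate_presentation(fresh, False, policy),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The order of checks matters: issuer recognition comes before the authenticity check so the reader only ever uses a key for an issuer the venue has chosen to trust, and the date and product checks run only on a record whose integrity has been confirmed.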

From the international community’s perspective, the payment infrastructure over which the immunity passports are shared and remotely validated is in place, proven and robust. It is supported by a raft of rules administered by PCI, which protect the security of personal information, at rest and in flight, within the system. There is an active marketplace for cheap, certified readers, operating secure protocols, which offer Contact Free validation of the immunity passport away from the classical point of sale locations. These include mPOS and SoftPOS solutions which allow a standard mobile phone to be used as a contactless payment terminal, and ruggedized terminals used to validate tickets in high traffic areas, such as the entrance to sports arenas and concert venues.

While the world waits to see if the science supports the ability to establish immunity to COVID-19, and society works through the implications of immune people being able to avoid restrictions which apply to others, we technologists need to prepare the infrastructure that will allow people to share and validate immunity passports.

One of the things I love about working at Consult Hyperion is that we regularly come up with, and deliver, ideas that significantly impact people’s lives – contact and contactless payment cards (worldwide), M-PESA (Kenya), Open Loop Transit Ticketing (London) and more recently SoftPOS (London), just to mention a few. Something tells me that immunity passports will be the next. If you are interested and would like to help deliver the network that will allow life to return to something close to ‘old normal’, please let me know.

Paying for food

It feels strange to be writing about paying for food, one of the basic skills we learn in early childhood. However, these are exceptional times, when the basic notion of how we pay is being challenged. It seems we are now considering the different options for paying safely when physical contact must be kept to a minimum.

Consult Hyperion has been alerted to many requests for advice from community groups who normally rely on cash payments, so in response we have drawn up some guiding principles:

1. Maintain good practice: be aware of the vulnerability, both real and perceived, of people unable to leave their homes. Asking them to do things differently risks increasing anxiety and leaving them open to fraud.

2. Keep it simple: work with payments options people already use, and those they are familiar with. The large spike in phishing attacks over the past month highlights scammers’ eagerness to abuse this situation.

3. Maintain records: clear and consistent transaction logging is essential to protect both organisers and the people they are helping. Keep invoices for tracking and reconciliation purposes.

4. Work with existing networks: local authorities, housing associations, care providers, charities, community groups, faith groups, even village shops. The mix will vary according to the community.

5. Only allow demonstrably trustworthy individuals to handle payments: the list of people permitted to countersign passport applications could be a good starting point, but each community is different. Trust is vital in payments.

6. Keep payments and shopping separate: older readers will remember having an account with their local shop and having items added to their tally, paying the bill weekly or monthly.

7. School meals provide a good example: cards (or biometrics) are used to ensure all students have equal access to food, without the stigma attached to free school meals. Food is still served, even if the system has technical issues.

8. Take the time to discuss people’s preferences over the phone: The person receiving the shopping doesn’t have to be the person who pays. Be creative in encouraging people to contribute a little extra, or allow friends and family to pay on their behalf.

When organising payments, only use options people already have. This is not the time for a stressful sign-up process. In order of preference:

Online – PayPal, Bank Transfer, Pingit

With any new online payment, if there is a level of trust through an existing relationship, ask the account holder to send a small sum of 1p or 10p to the intended account, to check that it does arrive in the right place.

PayPal: convenient if you already have an account. Allows you to choose different sources of funds to transfer. Can be used for paying individuals as well as organisations. Includes a degree of protection.

Bank transfer (frequently referred to as Faster Payments): Despite communication from many of our banks, the full roll out of Confirmation of Payee is delayed. There is uncertainty over whether the money will arrive in the right place, so test initially with small amounts. It is irreversible. It can be performed easily via internet banking if you have the capability. Telephone banking is currently overloaded.

Some apps enable an invoice with bank details to be presented through a link to a web page. This is better than simply sending requests for payment within an email, as fraudsters can’t just intercept the email and change the recipient details. It requires more effort to set up a fraud and is more likely to get spotted.

Pingit: Less widespread but convenient person-to-person payments which can be sent to a mobile number.

Contactless at the door

Using a portable reader from companies like iZettle, SumUp and Square. Apple Pay and Google Pay are good options as they allow higher value payments without the need to touch the device, if people already have the capability. Appropriate distancing must be observed.

Cheques

The householder only has to part with a single piece of paper and does not have to receive change. Cheques will have to be paid in and take a while to clear but there is very little risk of the householder absconding.

Cash

People are encouraged to avoid handling cash and avoid touching ATMs. Keeping cash in the home makes people more vulnerable. However, some people rely on cash. Where change is to be given, this should be arranged in advance and put in an envelope.

These are extraordinary times, which force us to look differently at the way we pay. Consult Hyperion have been enabling secure payments for over 30 years and we are able to apply our own Structured Risk Analysis process to understand the threats and possible countermeasures in every situation. These threats normally relate to the security of systems but in this case also encompass the risk of infection and people being left without essential supplies.

Finally

If you are reading this from home and need help, try phoning your local shop. If they are not organising deliveries themselves, they may well be aware of groups who are. Many local stores and community groups are providing help to those who need it, providing a much needed service. Get in touch with your local group.

Raising contactless limits to allow more paying without the PIN

In these extraordinary times with the need for social distancing, the payments industry is raising the contactless limits across many countries in order to prevent the need to touch PIN Pads in order to pay for our essential supermarket and pharmacy shopping. Indeed, such is the concern over the use of cash that contactless payments are being actively encouraged over cash, with some countries, notably China and Russia[1], now requiring that cash is sanitised before it is allowed back into circulation.

The Dutch Payment Association[2] has moved to double its contactless CVM limit from €50 to €100, and similar increases are being introduced by Poland, Norway, Canada, Turkey and others. Yesterday the British Retail Consortium[3] announced that the UK too will raise its contactless limit, from £30 to £45, on the 1st April.

So why do we need to wait a week? What does it mean? What are the alternatives?

First let us explain how contactless limits work and understand the difference between contactless payments in the UK compared to most other countries. Contactless payment terminals have 3 limits:

  • Floor Limit
  • CVM Limit
  • Transaction Limit

The Floor Limit determines if the transaction should be sent online to the Issuing bank for authorisation. In the UK the contactless floor limit has been set at £0 for some time, ensuring all transactions are sent online, preventing spend from any cards that have been reported lost or stolen.

The CVM Limit is the one which is being changed on the 1st April. Above the CVM Limit a transaction requires a cardholder PIN or biometric authentication in order to be approved, which generally means a Chip & PIN transaction is needed. We are now seeing the introduction of some biometric contactless cards, but there are very few of them in the market today. By raising the CVM limit to £45, any contactless transaction below this value will be sent to the Issuer for authorisation without a PIN, which reduces the number of Chip & PIN transactions and therefore how often the POS has to be touched.

The Transaction Limit is the maximum value that is allowed for any contactless transaction at that Merchant. This has been badly handled in the past, creating different customer experiences at different merchants. Ideally the contactless Transaction Limit should be the same as the Chip and PIN transaction limit. This then allows a contactless transaction carried out using a mobile phone, with Apple Pay or Google Pay, to be treated in the same way as Chip & PIN transactions. In the coming weeks, most payments will be made at supermarkets, and whilst the raising of the limit to £45 will enable a higher number of contactless transactions, a large family shop will exceed £45. To be able to pay without PIN, people should enable their cards in Apple Pay or Google Pay; this will allow them to pay by contactless no matter the transaction amount.

In the UK, the Transaction Limit has not been uniformly implemented: in some merchants it is set to the same as the CVM Limit, meaning contactless can only happen below £30. The result has been confusion over when Apple Pay and Google Pay transactions will work and when you need to perform Chip & PIN. POS providers and merchants need to take the opportunity of this limit change to test their systems to ensure that both the CVM Limit and the Transaction Limit are set appropriately to provide the maximum opportunity to pay by contactless.
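As an added illustration of how the three limits interact (this is example code written for this page, not Consult Hyperion's or any EMV kernel's logic, and it simplifies the real terminal decision), the following models a terminal applying the Floor, CVM and Transaction Limits in turn. The £0 floor and the £30 and £45 CVM limits are the UK figures quoted above; `CHIP_AND_PIN_LIMIT` is an assumed placeholder for a merchant's Chip & PIN ceiling, which the text does not give. It contrasts the misconfigured UK terminal (Transaction Limit equal to the CVM Limit) with the recommended setting, and a plain card with a wallet such as Apple Pay or Google Pay.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Outcome(Enum):
    OFFLINE = "approved offline (at or below the floor limit)"
    ONLINE_NO_CVM = "sent online to the issuer, no cardholder verification"
    ONLINE_CVM = "sent online to the issuer, cardholder verified on phone or card"
    CHIP_AND_PIN = "contactless refused: insert card and enter PIN"


@dataclass(frozen=True)
class TerminalLimits:
    floor_limit: int        # pence; above this the terminal must go online
    cvm_limit: int          # pence; above this cardholder verification is required
    transaction_limit: int  # pence; above this no contactless tap is accepted


def contactless_decision(amount: int, limits: TerminalLimits, cvm_on_device: bool = False) -> Outcome:
    """Apply the limits in order: Transaction Limit, then CVM Limit, then Floor Limit.

    cvm_on_device=True models Apple Pay / Google Pay (or a biometric card), where the
    cardholder has already verified themselves, so the CVM Limit is satisfied without
    a PIN pad. A plain card cannot supply a PIN contactlessly, so above the CVM Limit
    it falls back to Chip & PIN.
    """
    if amount <= 0:
        raise ValueError("amount must be a positive number of pence")
    if amount > limits.transaction_limit:
        return Outcome.CHIP_AND_PIN
    if amount > limits.cvm_limit and not cvm_on_device:
        return Outcome.CHIP_AND_PIN
    if amount > limits.floor_limit:
        return Outcome.ONLINE_CVM if amount > limits.cvm_limit else Outcome.ONLINE_NO_CVM
    return Outcome.OFFLINE


# Assumed placeholder: the merchant's Chip & PIN ceiling is not stated on the page.
CHIP_AND_PIN_LIMIT = 100_000  # £1,000 in pence

# The UK situation described in the text: £0 floor, and a Transaction Limit wrongly
# set equal to the old £30 CVM Limit at some merchants.
UK_MISCONFIGURED = TerminalLimits(floor_limit=0, cvm_limit=3_000, transaction_limit=3_000)
# The recommended setting after 1 April: £45 CVM Limit, Transaction Limit aligned
# with Chip & PIN.
UK_RECOMMENDED = TerminalLimits(floor_limit=0, cvm_limit=4_500, transaction_limit=CHIP_AND_PIN_LIMIT)


def shop_outcomes(basket_pence: int) -> Dict[str, Outcome]:
    """Compare one basket across both configurations, plain card and wallet."""
    return {
        "misconfigured/card": contactless_decision(basket_pence, UK_MISCONFIGURED),
        "misconfigured/wallet": contactless_decision(basket_pence, UK_MISCONFIGURED, cvm_on_device=True),
        "recommended/card": contactless_decision(basket_pence, UK_RECOMMENDED),
        "recommended/wallet": contactless_decision(basket_pence, UK_RECOMMENDED, cvm_on_device=True),
    }


def check_configuration(limits: TerminalLimits) -> List[str]:
    """Checks a POS provider could run on its limit settings before the change."""
    problems = []
    if limits.transaction_limit < limits.cvm_limit:
        problems.append("transaction limit below CVM limit: CVM limit can never apply")
    elif limits.transaction_limit == limits.cvm_limit:
        problems.append("transaction limit equals CVM limit: wallet taps above it are refused")
    if limits.floor_limit > 0:
        problems.append("floor limit above zero: some taps approved offline without a lost/stolen check")
    return problems


if __name__ == "__main__":
    for basket in (4_000, 7_250):  # £40 top-up shop, £72.50 family shop (constructed)
        print(f"basket £{basket / 100:.2f}")
        for scenario, outcome in shop_outcomes(basket).items():
            print(f"  {scenario:22} -> {outcome.value}")
    print("misconfigured:", check_configuration(UK_MISCONFIGURED))
    print("recommended:  ", check_configuration(UK_RECOMMENDED))
```

Run as a script, the £72.50 basket shows the confusion described above: on the misconfigured terminal it is refused even from a wallet, while on the recommended configuration the wallet tap goes online with the cardholder already verified and only the plain card is sent to Chip & PIN.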

As my fellow Principal Consultant Tim Richards points out in our video blog, other countries are using mobile apps to prevent the need for PIN – completely “Contact Free” transactions. We don’t have that capability in the UK yet, Apple Pay and Google Pay being the best options for now. We expect this to change as Open Banking progresses and payments without the need for PIN become more common.

Consult Hyperion have extensive experience in contactless and “Contact Free” payments and testing, and we will be able to help organisations ensure they optimise their payments capability to meet the needs of their customers. Get in touch for more information on how we can help.

In the meantime, to avoid PIN Pads, shop below £45 or ensure Apple Pay or Google Pay is working on your mobile device, and stay safe.


[1] https://www.finextra.com/newsarticle/35509/russian-banks-act-to-decontaminate-cash?utm_medium=newsflash&utm_source=2020-3-24&member=56902

[2] https://www.finextra.com/newsarticle/35493/dutch-banks-raise-contactless-limits-for-pin-entry

[3] https://www.theguardian.com/money/2020/mar/24/limit-for-contactless-spending-to-rise-to-45-at-beginning-of-april


Transport Ticketing Global 2020

We were at TTGlobal (28-29 Jan 2020) this year for the fifth year running. It was a much bigger event in Kensington Olympia, London, with around 30% more attendees. This blog is a summary of how the two days went for us.

Day 1

The Plenary session had a surprise guest in the form of the Future of Transport Minister, George Freeman. He spoke eloquently about subjects very close to our hearts:

  • Seamless end-to-end ticketing
  • Integrated PAYG
  • Sustainability: he explained that the emissions of the transport sector are expected to double by 2050 unless something radical is done.

I have written before about a shift in government thinking about mobility that seems to be taking place. Let’s hope this signals more of the same and is followed with positive, decisive action.

Our CEO, Neil McEvoy, moderated the plenary panel on ‘the role of ticketing and urban transport policies in delivering MaaS,’ with panellists from:

  • Visa
  • Mastercard
  • Government of the city of Buenos Aires, Argentina
  • Dallas Area Rapid Transit, USA
  • Uber


It was felt that to meet public policy objectives on congestion, air quality and CO2 emissions, facilitating multi-modal, door-to-door, everyday journeys would be key. Facilitating journeys outside of a traveller’s home city or region is welcome but won’t meet wider goals alone.

Highlights of the rest of Day 1 included:

  • An update on the Future of Oyster from Transport for London. There are still no plans to turn it off, though the uptake of bank cards by the travelling public continues to rise steadily.
  • The Masabi presentation about Fare Payments as a Service, which was the subject of a recent podcast I made with Ben Whitaker.
  • Contactless bank card ticketing has come of age. There were lots of presentations about cEMV roll outs. Visa announced that they have solutions to the classic problems with bank cards (they don’t work for the unbanked or family groups). Contact them if you want to learn more.

Day 2

I moderated a panel about the future of ticketing technologies with panellists from:

  • Deutsche Bahn, Germany
  • GVB, Netherlands
  • The Human Chain, UK
  • Department for Transport, UK


We made a whistle-stop tour of up and coming technologies relevant to the different actors in the Mobility ecosystem, ranging from big data and augmented reality for Data Providers to Open Banking and distributed ledger technology for MaaS Providers.

Other highlights for me from Day 2 included:

  • The UK’s Rail Delivery Group’s presentation on developing insight from barcode data, linking tickets sold with tickets scanned to inform revenue protection.
  • An update from Transport for the North on their Integrated and Smart Travel activities.
  • A presentation by MOTC about the difficulties faced by Qatar which currently is massively dependent on the private car and their plans to address the congestion problems they face.

Exhibition

I spent most of my time in the exhibition hall talking with contacts and vendors. I wish there had been time to attend more of the presentations.

I took the opportunity to record another podcast while at the event. This time with Eric Reese, CEO of ByteMark over from New York.

Awards

Once again, I was delighted to be one of the panel of judges for the awards presented at the Gala Dinner and Awards held at the Science Museum and hosted by comedian Phil Wang. It was decided by the judges to introduce a Highly Commended tier this year within each award category, in recognition that the standard of submissions was generally high. So, while Moscow won the Best Smart Ticketing Programme 2020, both of the following were Highly Commended:

  • Flowbird Transport Intelligence & Lothian Buses for their smooth roll-out of contactless payment card acceptance in Edinburgh, in time for the dramatic rise in population and bus usage during the Edinburgh Festival;
  • Rail Delivery Group & Cubic Transportation Systems for the delivery of barcode ticketing under budget and achieving collaboration between 19 Train Operating Companies.

Overall, the event was a great success and great fun to be part of. Here’s to next year.

At Consult Hyperion we have experience globally with transport and mobile ticketing and deploying the latest technologies. If you would like to learn more, give us a call.

Consult Hyperion’s Live 5 for 2020

At Consult Hyperion we take a certain amount of enjoyment looking back over some of our most interesting projects around the world over the previous year or so, wrapping up thoughts on what we’re hearing in the market and spending some time thinking about the future. Each year we consolidate the themes and bring together our Live Five.

2020 is upon us and so it’s time for some more future gazing! Now, as in previous years, how can you pay any attention to our prognostications without first reviewing our previous attempts? In 2017 we highlighted regtech and PSD2, 2018 was open banking and conversational commerce, and for 2019 it was secure customer authentication and digital wallets — so we’re a pretty good weathervane for the secure transactions’ world! Now, let’s turn to what we see for this coming year.

Hello 2020

Our Live Five has once again been put together with particular regard to the views of our clients. They are telling us that over the next 12 months retailers, banks, regulators and their suppliers will focus on privacy as a proposition, customer intimacy driven by hyper-personalisation and personalized payment options, underpinned by a focus on cyber-resilience. In the background, they want to do what they can to reduce their impact on the global environment. For our transit clients, there will be a particular focus on bringing these threads together to reduce congestion through flexible fare collection.

So here we go…

1. This year will see privacy as a consumer proposition. This is an easy prediction to make, because serious players are going to push it. We already see this happening with “Sign in with Apple” and more services in this mould are sure to follow. Until quite recently privacy was a hygiene factor that belonged in the “back office”. But with increasing industry and consumer concerns about privacy, regulatory drivers such as GDPR and the potential for a backlash against services that are seen to abuse personal data, privacy will be an integral part of new services. As part of this we expect to see organisations that collect large amounts of personal data looking at ways to monetise this trend by shifting to attribute exchange and anonymised data analytics. Banks are an obvious candidate for this type of innovation, but not the only one – one of our biggest privacy projects is for a mass transit operator, concerned by the amount of additional personal information they are able to collect on travellers as they migrate towards the acceptance of contactless payment cards at the faregate.

2. Underpinning all of this is the urgent need to address cyber-resilience. Not a week goes by without news of some breach or failure by a major organisation putting consumer data and transactions at risk. With the advent of data protection regulations such as GDPR, these issues are major threats to the stability and profitability of companies in all sectors. The first step to addressing this is to identify the threats and vulnerabilities in existing systems before deciding how and where to invest in countermeasures.

Our Structured Risk Analysis (SRA) process is designed to help our customers through this process to ensure that they are prepared for the potential issues that could undermine their businesses.

3. Privacy and Open Data, if correctly implemented and trusted by the consumer, will facilitate the hyper-personalisation of services, which in turn will drive customer intimacy. Many of us are familiar with Google telling us how long it will take us to get home, or to the gym, as we leave the office. Fewer of us will have experienced the pleasure of being pushed new financing options by the first round of Open Banking Fintechs, aimed at helping entrepreneurs to better manage their start-up’s finances.

We have already demonstrated to our clients that it is possible to use new technology in interesting ways to deliver hyper-personalisation in a privacy-enhancing way. Many of these depend on the standardization of Premium Open Banking APIs, i.e. APIs that extend the data shared by banks beyond that required by the regulators, into areas that can generate additional revenue for the bank. We expect to see the emergence of new lending and insurance services, linked to your current financial circumstances, at the point of service, similar to those provided by Klarna.

4. One particular area where personalisation will have immediate impact is giving consumers personalised payment options with new technologies being deployed, such as EMV’s Secure Remote Commerce (SRC) and W3C’s payment request API. Today, most payment solutions are based around payment cards but increasingly we will see direct to account (D2A) payment options such as the PSD2 payment APIs. Cards themselves will increasingly disappear to be replaced by tokenized equivalents which can be deployed with enhanced security to a wide range of form factors – watches, smartphones, IoT devices, etc. The availability of D2A and tokenized solutions will vastly expand the range of payment options available to consumers who will be able to choose the option most suitable for them in specific circumstances. Increasingly we expect to see the awkwardness and friction of the end of purchase payment disappear, as consumers select the payment methods that offer them the maximum convenience for the maximum reward. Real-time, cross-border settlement will power the ability to make many of our commerce transactions completely transparent. Many merchants are confused by the plethora of new payment services and are uncertain about which will bring them more customers and therefore which they should support. Traditionally they have turned to the processors for such advice, but mergers in this field are not necessarily leading to clear direction.

We know how to strategise, design and implement the new payment options to deliver value to all of the stakeholders and our track record in helping global clients to deliver population-scale solutions is a testament to our expertise and experience in this field.

5. In the transit sector, we can see how all of the issues come together. New pay-as-you-go systems based upon cards continue to roll out around the world. The leading edge of Automated Fare Collection (AFC) is however advancing. How a traveller chooses to identify himself, and how he chooses to pay are, in principle, different decisions and we expect to see more flexibility. Reducing congestion and improving air quality are of concern globally, best addressed by providing door-to-door journeys without reliance on private internal combustion engines. This will only prove popular when ultra-convenient. That means that payment for a whole journey (or collection of journeys) involving, say, bike/ride share, tram and train, must be frictionless and support the young, old and in-between alike.

Moving people on to public transport by making it simple and convenient to pay is how we will help people to take practical steps towards sustainability.

So, there we go. Privacy-enhanced resilient infrastructure will deliver hyper-personalisation and give customers more safe payment choices. AFC will use this infrastructure to both deliver value and help the environment to the great benefit of all of us. It’s an exciting year ahead in our field!



SRC enters the secure digital commerce arena

Secure Remote Commerce (SRC) officially launched in the US last week, supported by a limited set of merchants, with more to launch by year-end and into early 2020. We’ve been tracking SRC for some time now as it moved through the specification development process within EMVCo. It has emerged at launch as a customer-facing brand called “Click-to-Pay,” unless you’re using an Amex card, where it’s also called “Online Checkout” in confirmation emails received after registering a card.

So now we know SRC has launched as Click-to-Pay, but what is it? As the card brands have positioned it, Click-to-Pay is intended to solve the challenges that come with guest checkout (i.e. the first time a customer shops with a merchant, or when a customer prefers not to let the merchant store their payment details). SRC itself is a specification that acts behind the scenes to provide a secure and interoperable card acceptance environment and covers both web-based and native app-based transactions. EMVCo has suggested that by having a simpler integration for merchants to access a consolidated brand wallet through a single buy button, it can enable a smoother process for consumers to access their payment cards and shipping details without having to manually fill out payment details for these types of transactions. This is not the first attempt by the brands to solve this problem (e.g. Visa Checkout, Masterpass, and Amex Express Checkout), but previous attempts struggled with adoption by both consumers and merchants. This new iteration under SRC has all the brands working together under EMVCo to coordinate efforts, so if implemented correctly, and if it does simplify the process for merchants and consumers, the momentum of this joint effort might help enable broad adoption.

Naturally, as all intrepid payment consultants are inclined to do, we went out and tested SRC with the launch merchants to see how it’s working and what we could learn for our clients. We bought some chocolate, movie tickets and also donated to the Movember charity. Based on these payments we found a few peculiarities to note so far:

• The checkout experience across the three launch merchants varies quite a bit, which can be expected for different types of goods or services (i.e. donations vs. goods that need to ship). However, even the experience after returning to the merchant checkout from the SRC checkout varied. Sometimes there was a “Payment Review” screen before confirming payment, and others the payment was submitted immediately after clicking a button to “Confirm” payment on the SRC screens.
• The flows for desktop web and mobile web varied slightly as well when returning to the merchant checkout. Interestingly, there were more steps to complete on a mobile browser after returning from the SRC checkout.
• On subsequent payment attempts after initial registration, more cards appeared without needing to register each one. It’s not entirely clear how these were loaded or where they came from, though we believe it could be due to past use of Visa Checkout, or registration of cards within Apple Pay using the same email address. Even though these cards appeared, they still needed to be authenticated (with a card security code or a one-time passcode) before use.
• While a registered SRC profile contains the customer’s shipping address, the merchant checkout flow forced manual entry of shipping information since payment method selection comes after entering shipping details. As solutions mature, this flow may shift to bring Click-to-Pay earlier in the flow.
• There is a trusted device process, but it doesn’t appear to be recognized by subsequent attempts as even after using Click-to-Pay as a “Returning User”, we were forced to enter a one-time passcode sent via email.

Some of these variations can be expected in early iterations of SRC, and some of them are by design. Jess Turner, executive vice president of digital payments and labs of North America at Mastercard, told PYMNTS.com, “…the way a merchant deploys SRC will depend on their chosen verticals, consumer bases, and how large or small the merchant may be.” This flexibility, in the long run, should actually provide merchants with more choice about how they implement SRC, and which features are most important to them. At this time, the only thing that SRC seems to save for a customer is entering their card details. As adoption expands, we expect to see the checkout experience optimized and simplified for everyone involved.

Speaking of merchants, what’s in it for them? If a consumer is going to enroll any payment cards into a wallet, historically, merchants have preferred this be in a merchant wallet under their control, rather than a scheme wallet. However with SRC there is no merchant card on file “honey pot” to be breached, so for many merchants this is an appealing security feature that reduces their risk of becoming the next credit card data breach in the news like Home Depot, Target, TJX, Marriott, British Airways, Macy’s, Lord & Taylor or Saks Fifth Avenue. For consumers who do not regularly shop with certain merchants, SRC could help reduce the checkout friction while also simultaneously securing the cardholder’s payment details.

There are a variety of ongoing developments attempting to make the experience of guest checkout more convenient and more secure for both consumers and merchants. These include different approaches like storing payment details in your device’s browser (the W3C Payment Request API in Safari, Chrome, Firefox, etc.) or leveraging digital wallets like Apple Pay, Google Pay or Samsung Pay for in-app payments. While the technologies available today are still early to the market and need time to mature, each is striving to enable universal acceptance, increased security, and a common checkout experience. But do we need all these solutions? Are we going to just confuse consumers? Which solutions will gain traction and survive? Which solution works best for different merchant types? The answer to these questions may well depend on the consumer experience a merchant wants to provide on their website.

At Consult Hyperion, we are continually working with our clients to make payments simple and secure. Based on what we can see so far, SRC should make paying online more secure for everyone while reducing integration and enrollment roadblocks for the merchant and consumer respectively. However, the current implementations are somewhat clunky and need to be more streamlined to succeed. The real test will be the adoption rate and the brands’ responsiveness to feedback from participants in the ecosystem to ensure a beneficial approach for everyone involved. If you’d like to learn more please contact us for a copy of our latest digital commerce material at sales@chyp.com.

4 Essential Trends in Money for your Business

By Sanjib Kalita, Editor-in-Chief, Money20/20

This article was originally published on Money20/20.

We are in the midst of seismic societal changes in how people interact and transact. Across societies, geographies and segments, digital is the new norm. Change has accelerated, placing greater value upon flexibility and speed. Historically, money and finance have been among the more conservative and slower-changing parts of society, but this has changed dramatically over the past decade as money has come to be seen as an instigator of change rather than a lagging indicator.

Whether you are a marketer in shining armor conquering new territory, a financial wizard casting spells upon the balance sheet, or the queen or king guiding the whole enterprise, here are 4 trends about money that you should keep in mind for your business.

Platforms are the new kingdoms

Platforms are the base upon which other structures can be built.  For example, App stores from Apple and Google provide the infrastructure for consumers to complete commercial transactions and manage finances through their mobile phones.  While these companies develop their own digital wallets, they also enable similar services from banks, retailers and other companies.  Building and maintaining the platform enables services that they would not have created on their own, like Uber or Lyft, which in turn, have created their own platforms.

Marketers trying to address customers’ needs can plug into platforms to broaden offerings or deepen engagement with target markets. Platform-based thinking implies that product and service design is ongoing and doesn’t stop with a product launch.  Jack Dorsey didn’t stop when he built the Square credit card reader.  The team went into lending with Square Capital.  They got into consumer P2P payments with Square Cash.  Their ecosystem has grown through partnerships with other companies as well as in-house development.

Digital Identities open the gates

How do your customers interact with you?  Do they need to create a username and password, or can they use a 3rd party system like Google or Facebook?  Are security services like two-factor authentication or biometrics used to protect credentials?  Is your company protecting customer identities adequately?  The importance of all of these questions is increasing and often the difference between being forced into early retirement by a massive data breach or surviving to continue to grow your business.

While identity management and digital security might not be top of mind for most marketers, they are table stakes for even the most basic future business.  History is full of tales of rulers successfully fighting off armies laying sieges on castles and fortresses, only to fail when another army gets access to a key for the back door.

Context rules the experience

Credit card transactions moved from predominantly being in-store, to e-commerce sites accessed from desktop computers, and now to mobile phones. As the point of purchase expanded, so did the consumer use cases and thought processes. In tandem, mobile screens present less information than desktop computer screens, which in turn present less information than associates in a brick-and-mortar environment. Companies best able to understand context and deliver the right user experience within these constraints will build loyal customer relationships.

Apps or services created for different use cases on the same platform, such as the Facebook and Messenger apps, can help achieve this. Banks, too, have different apps for managing accounts or for completing transactions or payments. On a desktop, you can access these services through a single interface, but on mobile, forcing users to select their use case helps present a streamlined experience on the smaller, more time-constrained mobile screen. The use of additional data such as location, device, etc. can further streamline the experience. Marketers that don’t think about the context will lose the battle before it even begins.

Data is gold

While a marketer’s goal is to generate sales, data has become a value driver.  In the financial world, data about payments, assets and liabilities has become critical in how products and services are delivered.  PayPal, a fintech that began even before the word ‘fintech’, has recently been using payments data from their platform to help build a lending business for their customers.  Similarly, an SME lender named Kabbage has grown to unicorn status by using data from other sources to make smarter lending and pricing decisions.  In the payments industry, Stripe distilled a previously complex technology integration into a minimal data set, accessed via API, to easily build payments into new digital products and services.

Those that are able to harness the power of data will be able to predict what customers want and more effectively address their needs.  In some cases, it might be using data from within your enterprise or from other platforms for targeting, pricing or servicing decisions. In other cases, it might be using data to reimagine what your product or service is.

Looking for more insights on key trends in money? Hear from 400+ industry leaders at Money20/20 USA. Money20/20 USA will be held on October 27-30, 2019 at The Venetian Las Vegas. To learn more and attend visit us.money2020.com.

This article was originally published on www.money2020.com.

Digital Wallet Ticketing

I’ve just been in Bristol at the annual Transport Card Forum (TCF) two-day event. I was on the agenda as chair of Working Group 27 giving the final report on progress. The report will be going to DfT shortly and thereafter available to TCF members via the website. I’ve been attending TCF for many years and it is impossible not to notice how very slowly things change in transport ticketing.

One piece of our recent advice to a sub-national transport body, when hired to outline their smart ticketing strategy, can be summarised as: do not seek government funding to implement a region-wide (expensive) smart ticketing solution, but rather look at what already exists and how these ticketing schemes might be brought together to meet the needs of the various travelling customer types in the region. In this context, I was pleased to hear mention of software development kit (SDK) offerings from Masabi and FAIRTIQ, giving me hope that the transport ticketing industry is moving in the right direction. For example, Masabi has used its SDK to insert its ticketing technology into the Uber app for trials in Denver, Colorado.

A recurring theme at the event was operators reporting how PAYG solutions are proving popular with customers and how they are eroding the other forms of ticketing such as season tickets. This is an increasing area of concern for clients we are working with, most notably in terms of cash flow and forecasting but also technically. Some of our current work is helping clients deal with the array of ticketing solutions they are operating and how to rationalise these in the light of the way that the automated fare collection (AFC) industry is moving and responding to customer needs. Consumer demands will continue to drive change in their purchase patterns as flexible and remote working opportunities increase.  

It is not uncommon for a transport operator to support all of the following:

  • Paper tickets as the only medium interoperable at all acceptance points for all customer types.
  • Legacy smart card solutions based on 1990s technologies where the operators were focussed on owning the customer by issuing them with a smart card.
  • Barcodes as a cheaper alternative to smart cards that can also go paperless if delivered to mobile phones.
  • Mobile ticketing solutions based on bar code or flash pass, sometimes with low security levels and high fraud levels. Some use the ‘software only’ HCE innovations which Apple will not currently allow.
  • Open-loop (EMV bank card) PAYG solutions which have grown out of our work with TfL in 2008-14. These are intended to increase ridership and reduce costs by using the bank card in the customer’s pocket, but because they are one card per passenger, they do not cater for group tickets or for those not having (e.g. children) or not wishing to use bank cards. This could be addressed on buses by introducing a ‘retail model’, but this would require driver interaction to determine the price of the ticket before purchase and slow down bus boarding.

Operators are transport providers and their core business is providing transport services, not running ticketing solutions. The last thing they want is to be maintaining systems that have to be able to handle multiple different front ends, though many of them find themselves doing so. The classic example is TfL’s intention to switch off Oyster when open-loop was up and running, but they have not yet managed to achieve this.

Our recent work with clients about how to use Digital Wallet Ticketing in a customer’s smart phone to unify their disparate ticketing solutions is proving popular.  This has been both in sports stadiums and transport ticketing. Digital Wallet Ticketing was not much discussed at TCF19, which I guess is a sign of how slowly things move within the transit ticketing community. We believe DWT is the future.

We have a wealth of experience over several years of designing and building DWT solutions. Let us know if you’d like a chat about how this might work for you, be it payment, identity or ticketing.

GDPR: Consequences, Fines and Responses

The UK’s Information Commissioner’s Office (ICO) has finally done what it’s been threatening to for a while and levied enormous fines on British Airways’ parent International Consolidated Airlines (£183 million) and Marriott Hotels (£99 million).  While subject to appeal, these are the first signs of how the ICO now has real teeth and is prepared to use them. The question is, what lessons can we learn from this?

Well, firstly, we can observe that card payments aren’t optimised for the internet. The BA breach looks like it was at the entry point – i.e. it wasn’t that the data was breached while stored in a database, but that someone managed to plant compromised software that intercepted payments in flight and captured the details. The point here, of course, is that the paradigm of giving your card details to the merchant so they can pass them to your issuer originated in the 20th century when we didn’t have a choice. Now, given that we have this internet thing it makes more sense to contact our issuer directly and tell them to pay the merchant. Realistically, this may be the only way we can be sure merchants won’t lose our card details – don’t give them to them.

This points to push payments a la PSD2 APIs. But given that these won’t be pervasive for a while then the next best option is to tokenise cards to either limit their use to a single merchant or even a single transaction. Both of these are areas we’re seeing lots of interest in, and ought to be high on the agenda of heads of IT security and payments everywhere.
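To make the tokenisation option concrete (and the earlier point that SRC leaves the merchant no card-on-file honey pot), here is an added toy model. It is not Consult Hyperion’s code, nor EMVCo payment tokenisation or any scheme’s API: a token service hands the merchant an opaque token bound to that merchant and, optionally, to a single transaction, so whatever is captured at the merchant cannot be charged anywhere else. The `TokenService`, `issue` and `redeem` names, the constructed card number and merchant identifiers, and the binding rules are all assumptions for illustration.

```python
"""
Merchant-bound and single-use payment tokens: an added toy model (not EMVCo
payment tokenisation and not any scheme's or issuer's real API).  The merchant
only ever handles an opaque token, so a capture of its checkout traffic or a
breach of its database yields nothing that can be charged elsewhere.
"""
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan_ref: str        # handle for the real card number, kept only in the vault
    merchant_id: str    # the only merchant allowed to redeem this token
    single_use: bool    # True: one transaction; False: merchant-scoped card on file
    redeemed: bool = False


class TokenService:
    """Vault run by the issuer or scheme: the only place the PAN is stored."""

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}
        self._pans: dict[str, str] = {}

    def issue(self, pan: str, merchant_id: str, single_use: bool = True) -> str:
        """Cardholder (via their issuer) asks for a token usable at one merchant."""
        pan_ref = "ref_" + secrets.token_hex(8)
        self._pans[pan_ref] = pan
        # Random token: nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(16)
        self._tokens[token] = TokenRecord(pan_ref, merchant_id, single_use)
        return token

    def redeem(self, token: str, merchant_id: str, amount_eur: float) -> tuple[bool, str]:
        """Called from the acquiring side; checks binding and reuse before mapping to the PAN."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.merchant_id != merchant_id:
            return False, "token is bound to a different merchant"
        if rec.redeemed:
            return False, "single-use token already redeemed"
        if rec.single_use:
            rec.redeemed = True
        # The PAN is resolved here, inside the vault, and never returned outward.
        _pan = self._pans[rec.pan_ref]
        return True, f"authorised {amount_eur:.2f} EUR for {merchant_id}"


def demo() -> dict:
    """Walk through both binding modes and return the outcomes for checking."""
    vault = TokenService()
    constructed_pan = "4111111111111111"  # constructed test number, not a real card

    # Single-transaction token requested for merchant "shop-a".
    t1 = vault.issue(constructed_pan, "shop-a", single_use=True)
    first = vault.redeem(t1, "shop-a", 49.90)
    replay = vault.redeem(t1, "shop-a", 49.90)        # same token presented again
    elsewhere = vault.redeem(t1, "shop-b", 49.90)     # same token at another merchant

    # Merchant-scoped card-on-file token for "shop-a": reusable, but only there.
    t2 = vault.issue(constructed_pan, "shop-a", single_use=False)
    cof_1 = vault.redeem(t2, "shop-a", 9.99)
    cof_2 = vault.redeem(t2, "shop-a", 9.99)
    cof_elsewhere = vault.redeem(t2, "shop-b", 9.99)

    return {
        "first": first[0], "replay": replay[0], "elsewhere": elsewhere[0],
        "cof_1": cof_1[0], "cof_2": cof_2[0], "cof_elsewhere": cof_elsewhere[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The merchant-scoped token is the “single merchant” option from the post, the single-use token the “single transaction” one. Either way the merchant’s database holds nothing an attacker can reuse elsewhere, which is the property that limits the GDPR exposure discussed above; a production token service would additionally bind tokens to a cryptogram per transaction and to the acquirer channel.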

Secondly, we can note that static credentials are a sitting target. Seeing email addresses and passwords breached opens up companies to all sorts of horrible consequential damages under GDPR – let’s face it, most people reuse the same combinations across multiple sites so a breach on one site can lead to exposure on another. Any company relying on static credentials should basically assume they’re going to get some level of breach.  

Fixing this requires two factor authentication and we have a ready-made, state-of-the-art, solution here in the EU. PSD2 SCA is about as strong an approach as you could ask for and we have banks and authentication providers drowning in relevant technology. There simply is no excuse for a company using static credentials if they get breached.  We’ve been working closely with providers to look at how to take these solutions into the wider authentication market, because there’s been a certain inevitability about the way a lot of companies have dealt with their data breach protection.

Finally, note that the point that BA have made – that they haven’t seen any impact due to their breach – needs to be qualified: “yet”. Hackers tend to sit on breach data for 18 months before using it, waiting for the identity protection schemes that are often engaged post these events to expire. GDPR allows affected companies and individuals to sue – up until now the costs of a data breach have been borne by banks having to deal with fraud and issue new cards and consumers having to sort out identity protection. The ICO fines may yet be just the tip of a very expensive iceberg as GDPR ensures that the costs are more appropriately allocated to the offending parties.

Friday the 13th: PSD2 SCA Cometh

On Friday 13th September this year, the full force of PSD2 Strong Customer Authentication (SCA) comes into force. Anecdotally the lack of readiness of the card payment industry is beginning to suggest that the immediate impact may well look like the aftermath of a dinner party hosted by Jason Voorhees.

To summarise: after 13th September 2019 (yes, that’s in just over 3 months) account holding banks must require two factor authentication compliant with PSD2 SCA on all electronic payments, including all remote card payments, unless an applicable exemption is triggered. There are no exceptions allowed to this, there is no concept of merchants choosing to take liability and avoiding SCA. In the event that a merchant attempts a transaction without SCA and the issuing bank determines that no exemption applies or that there is significant risk associated with the payment the bank must decline and request the merchant to perform a step-up authentication.

Currently, the only real option open to merchants for performing SCA for online card payments is 3DS. To support all of the PSD2 exemptions – which are needed to provide a near frictionless payment experience – the very latest version, 3DS2.2, must be used. As it stands, however, 3DS2.2 will not be ready, so the initial implementation of this will be sub-optimal.

So, come 14th September this year what will happen?

Figures are hard to come by, but within Europe we believe that 75% of merchants don’t implement 3DS today. We also believe that about a fifth of large issuers are taking a hard line in order to be compliant with the regulations and will decline all non-3DS transactions. Even where the issuer is taking a more subtle approach they will request step-up SCA on somewhere between 1 in 5 and 1 in 10 transactions.  On top of this, if the merchant does not support 3DS and the issuer authorises anyway any fraud is the merchant’s responsibility: for non-complying merchants this is a lose-lose-lose proposition.
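The issuer-side rule in this post (no applicable exemption, or significant risk, means decline and request step-up) and the previous post’s point that a static password is a sitting target while PSD2 SCA adds a second factor can be shown together in code. The following is an added example, not Chyp’s code, any issuer’s authorisation logic or a 3DS implementation: a toy `decide` function that applies a trusted-beneficiary and a low-value exemption and otherwise soft-declines, and a `step_up` check that requires both a password and a one-time code from an enrolled device. The exemption figures (30 EUR per transaction, 100 EUR or five transactions cumulative since the last SCA) follow the PSD2 RTS low-value exemption but are simplified; the function and class names, the constructed salt and device seed, and the merchant identifiers are assumptions.

```python
"""
Issuer-side SCA decision for a remote card payment, plus the step-up check the
cardholder must then pass.  Added illustration: the exemption limits are the
commonly quoted PSD2 RTS low-value figures, but this is a toy model and not any
issuer's, scheme's or 3DS server's real logic.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

LOW_VALUE_LIMIT_EUR = 30.00        # assumed per-transaction exemption limit
LOW_VALUE_CUMULATIVE_EUR = 100.00  # assumed cumulative limit since last SCA
LOW_VALUE_MAX_COUNT = 5            # assumed transaction count limit since last SCA


@dataclass
class CardholderState:
    spent_since_sca: float = 0.0
    count_since_sca: int = 0
    trusted_merchants: set = field(default_factory=set)  # cardholder's trusted beneficiaries


@dataclass
class Transaction:
    merchant_id: str
    amount_eur: float
    sca_performed: bool       # merchant ran 3DS and the issuer authenticated the cardholder
    high_risk: bool = False   # issuer's own risk scoring flagged the payment


def decide(txn: Transaction, state: CardholderState) -> str:
    """Return 'APPROVE' or 'DECLINE_STEP_UP' (a soft decline asking the merchant to authenticate)."""
    if txn.sca_performed:
        state.spent_since_sca = 0.0   # a completed SCA resets the low-value counters
        state.count_since_sca = 0
        return "APPROVE"
    exemption = None
    if txn.merchant_id in state.trusted_merchants:
        exemption = "trusted_beneficiary"
    elif (txn.amount_eur <= LOW_VALUE_LIMIT_EUR
          and state.spent_since_sca + txn.amount_eur <= LOW_VALUE_CUMULATIVE_EUR
          and state.count_since_sca < LOW_VALUE_MAX_COUNT):
        exemption = "low_value"
    if exemption is None or txn.high_risk:
        # No applicable exemption, or significant risk: the issuer may not authorise
        # without SCA and must ask the merchant to step the cardholder up.
        return "DECLINE_STEP_UP"
    state.spent_since_sca += txn.amount_eur
    state.count_since_sca += 1
    return "APPROVE"


# --- step-up: knowledge factor (password) + possession factor (HOTP from an enrolled device) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


SALT = b"constructed-salt-for-demo"  # constructed; a real system salts per user


def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


@dataclass
class Enrolment:
    pw_hash: bytes
    device_seed: bytes   # provisioned to the cardholder's banking app at enrolment
    counter: int = 0


def step_up(enrol: Enrolment, password: str, otp: str) -> bool:
    """Both factors are always evaluated; a leaked static password on its own is not enough."""
    knowledge_ok = hmac.compare_digest(password_hash(password), enrol.pw_hash)
    possession_ok = hmac.compare_digest(hotp(enrol.device_seed, enrol.counter), otp)
    if knowledge_ok and possession_ok:
        enrol.counter += 1   # the code is consumed; presenting it again fails
        return True
    return False


if __name__ == "__main__":
    state = CardholderState()
    print(decide(Transaction("shop-a", 20.00, sca_performed=False), state))   # low-value exemption
    print(decide(Transaction("shop-a", 250.00, sca_performed=False), state))  # soft decline
    seed = b"12345678901234567890"  # constructed seed (the RFC 4226 test secret)
    enrol = Enrolment(password_hash("correct horse"), seed)
    print(step_up(enrol, "correct horse", hotp(seed, 0)))
```

In practice the soft decline travels back to the merchant through the authorisation response and the step-up is carried by 3DS rather than by a function call, and a real HOTP verifier tolerates a small look-ahead window and rate-limits attempts; the point the code makes is the one both posts make, that the issuer never authorises on a static credential alone once no exemption applies.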

Given this woeful state of preparedness there’s some industry hope that the regulators may take a relaxed view of compliance come September. Certainly there are representations being made in Brussels, but we think it’s unlikely there’ll be any relief from that direction: (1) the migration date is written into law, national regulators cannot alter it and (2) many issuers will implement PSD2 fully regardless of any softening of the implementation. We suspect that there may be some movement from national regulators since the alternative may be unthinkable, but travelling hopefully doesn’t look like much of a strategy, especially if you’re an e-com retailer or PSP.

Going forward there are a wide range of solutions being developed which will mitigate the impact of SCA on cardholders. Ultimately 3DS is not the only solution, but it is the only pervasive one and it certainly is the only one available in the current time frames.

What can merchants do to avoid carnage in September? Well, as a matter of urgency they need to engage with their PSPs to ensure that they’re capable of supporting 3DS. Given that there’s likely to be a last minute rush the earlier this happens the better. Secondly, to meet 3DS requirements they need to be capturing a range of customer data to feed into the underlying risk management processes (which, of course, needs to be GDPR compliant). And finally, they need to be working on a proper PSD2 SCA strategy that ensures, going forward, that they can minimise the impact on their customers, provide the minimum friction in the payments process and maximise transaction completion.

Here at Chyp we’ve spent the last two years helping Issuers, Schemes, Acquirers, PSPs and merchants prepare – so although the impact across the payments industry may be patchy, we know there will be winners as well as losers. If the worst case comes to pass then the only merchants likely to escape the bloodbath come September are those taking action now. And there’s unlikely to be any downside to immediate action – PSD2 has been in the works for over five years, the SCA implementation date has been known for over a year, and there’s little indication that the European Commission intends to undo or loosen the regulations.

Friday 13th is coming, best make sure you’re prepared …

