Loosely-coupled MaaS payments

I was a panellist discussing the barriers to mobility as a service (MaaS) at the Transport Ticketing Global (TTG19) conference in London in January. In fact, many of the presentations over the two-day conference were about MaaS and reasons why it is proving very hard to deliver. Perhaps one of the most mature MaaS offerings is the one from MaaS Global branded as ‘Whim’ which launched in the UK in the West Midlands but, by their own admission, has struggled to gain a foothold.

Until recently, MaaS providers have avoided London. We have seen some excellent journey planning apps exploiting Transport for London’s (TfL) open APIs, but nobody was going that extra mile and actually providing a complete MaaS solution in a single app that allows journey planning together with payment and ticketing (i.e. proving authority to travel when entering the transit network). TfL has been very clear that it will not provide any cut of the fares to MaaS providers, so they will have to find other ways to make a profit.

So, the announcement from CityMapper that they are about to launch a MaaS solution in London surely doesn’t make any sense? Given the above barriers to MaaS and the high complexity of London’s public transport network, why on earth would you start there?

The answer is payments and identity, two of our favourite topics. These are services needed in order to offer account-based ticketing (ABT) and ABT is a corner-stone of MaaS. Passengers need to identify themselves to their customer account so that their journey charges can be calculated. Payment for the journeys needs to be handled in a way that is suitable to the particular customer.

One of the barriers I suggested on the TTG19 panel is that payment and identity are too ‘closely coupled’ in modern account-based ticketing offerings. I am old enough to remember the emergence of service oriented architectures in the ‘noughties’. The idea was that by ensuring services are ‘loosely coupled’, they can freely evolve without affecting consumers or implementations. I argued that if everyone rushes to implement the open-loop payment models with the payment networks like TfL has done, then we will be left with fare collection services that are highly dependent on the payment schemes and constrained from evolution. The identifier the passenger uses at the gate is their bank card (or its emulation on mobile or wearable devices). This identifies them to their ABT travel account but it also identifies their means of payment. Some would say this is convenient, I am suggesting it is too closely coupled and will stifle innovation.

Open banking APIs are a subject close to our hearts at the moment. The APIs are very new and they seem not to be thinking about transit payments at this stage. However, one could imagine future open banking APIs that would allow passengers to consent to transit payments from their bank to their MaaS provider without the need for the payment networks in between. I expect this will be the subject of future blogs or white papers from Chyp.

The reason CityMapper is launching in London is that all the public transport modes accept open-loop payments and the CityMapper solution to payments and identity is to provide their MaaS customers with a Mastercard-branded prepaid card, ‘Pass’. CityMapper will offer a subscription model at a discount on TfL prices and any travel on TfL modes outside of this will simply use the prepaid bank card like any other.

This works for all London public transport modes, but there are very few other cities that have committed so totally to the open-loop models. It will be interesting to see whether CityMapper can make a profit and, if they do, whether they can replicate it outside of London. Right now, it looks like they are using investment funding and planning on taking a loss to start with, since they are offering to undercut the TfL fares and, as stated above, TfL has said they will not offer discounts to MaaS providers. Or perhaps CityMapper is planning on selling advertising space or plans to sell anonymised travel data to make up the shortfall? Only time will tell.

Meanwhile, may all your transit tokens be loosely coupled and your payment instruments plentiful.

Mobile Payments and Acceptance: The Future Is Soft

The last year has seen a lot of activity in the mobile payment ecosystem with regards to the risk associated with Consumer Off The Shelf (COTS) devices becoming not only a payment method (Google Pay, Samsung Pay etc.) but, more significantly, becoming payment terminals ready to accept payments. A ‘COTS device’ is a mobile device (e.g. phones and wearables) intended for distribution and use by the mass market, and traditionally not designed exclusively for making or accepting payments.

Historically, COTS devices have been viewed with caution: insecure and too risky to handle sensitive payment data unless, of course, they have a hardware tamper-proof Secure Element (SE). However, there was a significant shift in 2013 when Host Card Emulation (HCE) became mainstream, which meant an NFC-enabled COTS device with no SE could be used to make payments. A combination of Tokenisation and software security techniques such as White-Box Cryptography meant the risk of exposure associated with COTS devices (with no SE) could be managed to levels acceptable to the stakeholders, hence Google Pay.

Whilst HCE was a big deal, something even more interesting and consequential is happening with regards to the use of COTS devices for payment acceptance. In January of 2018, the Payment Card Industry Security Standards Council (PCI SSC) published a new standard – Software-Based PIN Entry on COTS Security Requirements (SPoC). This standard set out the security requirements for a payment acceptance solution where PIN entry is performed on a COTS device. This standard will be the first in a series of software-based security standards published by PCI SSC. With the industry specifications becoming available, we are beginning to see a flavour of how these solutions will emerge. Square have deployed a “SPoC like” solution and both Worldpay and Mobeewave are deploying solutions which use the mobile device to accept NFC contactless payments.

A few weeks ago, PCI SSC published the PCI Software Security Framework – a collection of independent standards and their associated validation processes that address the security of payment software. The standards within the framework thus far are: the PCI Secure Software Standard (PCI SSS) and the PCI Secure Software Lifecycle Standard (PCI Secure SLC), just what our world needs; more acronyms to remember.

The PCI SSS addresses the design, development and maintenance of payment software in a way that provides protection and minimises the risk of exposure to the payment data. The standard sets out requirements that ensure the integrity of sensitive data at rest, during processing and in transit. PCI Secure SLC, in a similar vein, provides baseline requirements that ensure software vendors integrate security at every stage of the Software Lifecycle. So, whilst PCI SSS is about specific payment software, PCI Secure SLC addresses security in the processes of payment software vendors.

Finally, in what has been a relentless churn of exciting standards over the past year, PCI SSC has recently announced it is working on the PCI Contactless Payments on COTS Standard, to be published by the end of the year. The goal of the standard will be to define the security requirements that will allow the use of COTS mobile devices to accept payments, without the need for an additional hardware adaptor or dongle. Similarly, EMVCo has also established the Software-Based Mobile Payment (SBMP) Approval Process, which checks that software payment solutions meet the minimum levels of security to protect against known attacks.

The implications of these developments could be profound, potentially turning every mobile device into a POS for payment acceptance. No more need for the small or mobile merchant to purchase dongles which they need to pair with their mobiles and keep charged up in order to accept card payments, just download the app and start taking payments.

Will this mean the end of traditional POS? Not in the near term. Software mobile POS is more about enabling more merchants to accept card payments.

At Consult Hyperion we’ve worked with standards bodies, software and hardware vendors and the mobile industry for over three decades to ensure our clients’ design and product aspirations are met to the highest levels of security. We interrogate architecture, we assess risk and we identify vulnerabilities before our clients’ reputations are put at risk.

Something old, something new

I recently stumbled across an old white paper I wrote with Neil McEvoy some 15 years ago on the subject of securing retail payments and found it fascinating to read with older eyes. The white paper started with a nod to the “ancient” art of securing payments:

“For as long as people have been trading goods with each other, there has been the potential for fraudulent transactions and the need for measures to secure payments against attempted fraud.”

Securing Retail Payments, Consult Hyperion, January 2004

Now that I myself am ancient (according to my kids, anyway) I look back on the picture we painted a decade and a half ago with a strange sense of déjà vu as I read my younger self lament the disparity in fraud levels between card present and card not present, and discuss the options for closing that fraud gap and generally making the (payment) world a safer place.

If I’d been re-reading this white paper 5, or even 2 years ago, I’d probably have given a wry smile, contemplated how little had changed and put it back in the drawer before moving on to the next thing. Today was different. What I found most interesting was that one of the ideas we presented was the concept of a distributed payment terminal for the online environment. We suggested that the disjointed, variable experience of the online world needed to come closer to the consistent, certified experience EMV provided for chip and PIN. In 2004 the prototypes we built to prove this concept involved moving the terminal logic and security onto a big grey computer hosting a web server (today we call that putting it in the ‘cloud’).

It was a little bit of a blue sky idea at the time… using EMVCo specifications and standards to deliver a secure online checkout experience with cross industry interoperability and consistent security…Crazy huh? 

In December, the Visa Global Head of Payments Products and Platforms TS Anil described EMVCo’s new Secure Remote Commerce (SRC) specification as EMVCo’s opportunity to create:

“…a single digital terminal that can be used to create a secure, interoperable experience when consumers check out online”

Visa On SRC As eCommerce’s Single Digital Terminal Future, pymnts.com, December 2018

And I think he’s right. What online payments have been crying out for is the industry to raise the bar. The lowest common denominator of typing in a PAN and expiry date has to become a thing of the past, and that will only happen if the entire ecosystem moves to a new way of transacting.

EMVCo has by and large succeeded in delivering this ecosystem change at retail point of sale with the introduction of contact and contactless chip payments. Can they do the same for the online world with SRC? Time will tell; there are other initiatives vying for the prize that we’re closely watching too, but I have to say, after 15 years of waiting, it’s nice to see them giving it a go.

Money2020 China

What an interesting experience the first Money2020 in China was. It was held in Hangzhou, the home of AliPay, and I was delighted to have been invited along to share some of our experiences in payments and to learn first-hand about the Chinese approach to the sector.

Money2020 China gets underway

The event was well-staged and with simultaneous translation from Chinese it provided an opportunity to hear about the wide variety of fintech activities in China. It was, as you might imagine, very different from the Las Vegas event last month. There was no discussion of cryptocurrency because of the Chinese regulatory context and while I did see one presentation on the use of digital signatures in smart contracts, there was little discussion of blockchain and related technologies.

Ron Kalifa talking about value-added merchant services

I particularly enjoyed Worldpay vice-chairman Ron Kalifa’s fireside chat (in which he said that people were underestimating the impact of open banking) and presentation of their annual world payments report. To a payments nerd like me this was a great opportunity to look at key trends in payments on a country-by-country basis and try to work out which trends are relevant to our clients around the world as they formulate strategies for the always-on, mobile-centric, open-banking future. Key to these strategies is, of course, security and so I always pay attention to the big picture presentations around fraud. In China, these have scary numbers attached to them, but you have to take into account the size of the Chinese economy (I think the Chinese cybercrime losses are lower than in many other countries).

Real, and scary, fraud numbers

Given the widespread use of scores of one form or another to determine trustworthiness it is no coincidence that China sees a rise in frauds relating to the manipulation of these scores. Without commenting on the benefits or otherwise of such models (most Brits, myself included, can only think of Black Mirror when social scores are discussed) it is worth making the point that preventing “gaming” of these scores while preserving individual privacy means dealing with paradoxes that might well be resolved through the use of cryptographic techniques that have no conventional analogues and are therefore difficult for policymakers to bear in mind.

Reputation fraud in action

Most of what I found thought-provoking, both in the presentations and the water cooler discussions, was to do with business models rather than new technologies. The new business models emerging in a regulated, platform-centric, dynamic market are what we should be studying. We might choose to implement some of these models in a slightly different way taking into account the varying cultural norms around security and privacy, but the idea of separating payments from banking and then turning payments into platforms, and then using these platforms to acquire customers at scale for other businesses is certainly very interesting.

These new models, of course, centre on data and value-adding using that data. When people pay for everything with their mobile phone, they lay down a seam of data that is waiting to be mined. Despite this, the convenience of the mobile-centric platforms is so great that people are clearly willing to put privacy concerns to one side. I chaired a great session on privacy with CashShield, Symphony and eCreditPal which, I think, gave out a very comforting message: if you build services with privacy in the first place, then complying with GDPR and other global regulations is actually not that much of a problem.


One more thing that struck me about the context for these developments is that China seems to be making its e-money regulation more like the EU’s. With an EU electronic money licence, the organisations holding the funds must keep them in Tier 1 capital and are not allowed to gamble the customer’s money, whereas in China there was no such restriction. Now the People’s Bank has said that from January 2019 the Chinese operators will have to hold a 100% reserve in non-interest bearing deposits at commercial banks, a decision that will likely cost the main players (Tencent and Alipay) a billion dollars or so in revenue.

It was interesting to spend a few days inside the mobile-centric, QR-everywhere, always-on, app-and-pay world of the future and pick up some useful lessons for our clients. A very interesting week.

Cyber Monday is here – and SRC is on its way

With estimates of the sales over the Black Friday weekend in excess of £7bn in the UK and $90bn in the USA, retailers are currently focused on getting shoppers into their stores and through their checkouts as seamlessly as possible. As was apparent at last week’s US Payments Forum, the last part of that process, payment, is probably the one area that the retailer believes it has the least control over. Online the problem is even greater; consumers have a variety of ways to authenticate themselves to their bank and to their retailer, many of which leave something to be desired.

75% of sales on Black Friday are online and Cyber Monday is set to be the biggest yet. Many of these online sales depend on consumers having to manually enter card details, or log in using dimly remembered passwords. Those who are not blessed with the memory of an elephant may have to undergo password reset processes that can involve checking rarely used email addresses or having to remember the incorrect spelling of their answers to a wide variety of questions about their past history. Having apparently completed the process, the percentage of remote transactions that are then declined by the Issuer is around 10 times greater than those completed in the store. Not all these declines will be valid, with legitimate customers being turned away in the name of fraud prevention. Even so, millions of pounds of the approved transactions in the UK alone will still turn out to be fraudulent, further undermining the trust of the merchant and consumer alike.

Isn’t it strange that we live in a world where there is significant growth in online sales, but the mechanisms used to pay for those purchases are more cumbersome, less secure and less reliable than those used to buy on the high street? The good news is that the Payment Brands think that this is strange too and have a plan to fix it!

Earlier this month they published a draft version of their Secure Remote Commerce specification, which outlines an approach to promote security and interoperability within the card payment experience in a remote payment environment. The specification is currently out for public consultation. The Payment Brands are looking for feedback from those organisations which will deliver, interact with or use such solutions. (I know a few people who have read them and can help you to shape your reply if you are interested.) We may not see commercial solutions deployed in time for next year’s Black Friday event – these things take time. However, they do offer the potential for interoperable payment solutions, with common authentication processes and levels of data security similar to those currently experienced on the high street.

In the short term, I really need to update the TV. So, in preparation for a flurry of holiday season internet shopping, I have cleared funds on my payment cards, cleaned the fingerprint readers on my tablets, found my long paper list of passwords and a similar list of answers to security questions. However, I can’t remember; was my first dog called Fido or Fenton?

And Relax …

According to a reputable news source (well, the Daily Mail) the Royal Mint is casting (sic) around to find things to do when the Treasury caves to the inevitable and tells them to quit wasting everyone’s time and money by minting coins. They’ve come up with the idea of making a credit card out of real gold. This isn’t the Royal Mint’s idea, of course. They stole it wholesale from 30 Rock a few years ago.
 
The cards will have the owner’s signature engraved on the back (I’ve no idea why, since the card schemes are discontinuing the use of the pointless signature panels on cards) and will apparently be worth $3,000 each, which (as a number of Twitter wags immediately pointed out) will greatly increase the number of fake ATMs in the streets around Belgravia after midnight. They are apparently working on ways to get these 18-carat gold cards to work in ATMs and, of course, at contactless terminals.
 
Wait, what?
 
Contactless?
 
How do you make metal cards work in contactless terminals? The metal card messes with the magnetic jiggery-pokery that makes contactless cards work. I know this because Consult Hyperion’s awesome contactless robot test rig (below) has a frame for the card or terminal under investigation that is made from wood, so that there’s no metal in the field when testing.
 
The metal contactless cards that I’ve seen before are made using a plastic laminate or by cutting a segment from the metal and replacing it with plastic, so I discounted this report on the Royal Mint’s bold ambitions, filed it away and went off to enjoy Money20/20 in Las Vegas with my Consult Hyperion colleagues.
 
I had a great time in Las Vegas chairing the “Around the World of Identity” session on the first day, and then I enjoyed the tremendous privilege of interviewing Jed McCaleb and Adam Ludwin of Interstellar on the main stage on the third day. Interstellar is the crypto giant formed by the takeover of Adam’s Chain by Stellar’s Lightyear. This was particularly fun for me because I’d visited both Stellar [here] and Chain [here] for our “Tomorrow’s Transactions” podcast series some time ago (we rather pride ourselves on helping clients to spot what’s coming next) and had noted that both of these guys were really smart and really nice. As they proved on stage.
 
During a break from conference sessions, business meetings and blackjack I went for a stroll around the exhibition floor to catch up with old friends and see what sort of fun fintech things are heading our way. You could have knocked me down with a feather when I spotted a stand from Amatech, who are based in Galway in Ireland. They were prominently displaying the bold claim that they had working contactless metal cards. Naturally, I went to investigate, and it turns out that they were telling the truth. They’ve developed a clever manufacturing process that combines multiple layers of metal with different electromagnetic characteristics so that the metal card now helps the chip on a card to communicate contactlessly instead of blocking such communications. Wow. Very cool (and they can do it with graphite too). I saw it working with my own eyes…
 
For all the talk about changing business models in the self-sovereign identity world to orient around data sharing, re-imagining AML with AI to change the cost-benefit around the regulations and using cryptocurrency to transfer value across borders, you just can’t beat talking with someone who has made something that you didn’t know existed until you saw it. The satisfying clunk of a metal card on a glass counter was the highlight of the day for me. Apart from running into Shaq in the green room, of course.
 
Money2020 was exhausting, because all of our clients (and a great many of our prospective clients) are there and I loved meeting all of them, but I wouldn’t miss it! I’m already looking forward to flying the CHYP flag at the inaugural Money2020 China next month. See you all there!

Securing Payments in a Post-EMV Chip World

Now that the US has (finally) migrated from magnetic stripe to chip payments, and signature will soon be going too, the time has come to think about where the fraud will go next. This was the topic of a great discussion at Money 20/20 involving amongst others EMVCo, Capital One and USAA.

Obviously the first place fraud will jump to will be card-not-present transactions such as e-commerce. This is well understood by those of us who went through the EMV chip migration over a decade ago. Brian Byrne outlined the various initiatives in EMVCo to secure these transactions – Tokenisation, 3DS 2.0 (with live solutions being imminent) and SRC (which is open for public comment).

Increasingly though it’s an identity problem. Identity theft and synthetic identities are being used to attack payments in a number of ways.

Because EMV chip cards are much harder to counterfeit than magnetic stripe cards, fraudsters instead will try to get their hands on genuine cards. This could be through opening a fraudulent account or by taking over an account and ordering a replacement card.

Identity fraud will be a big issue in faster payments too, with a need for good authentication on both ends of the transaction.

Synthetic identities are a particular challenge. Detecting them is tough: it means spotting the subtle clues that indicate that an identity record which looks legitimate has actually been cultivated over time by a fraudster. And this is big business, with criminals using the latest machine learning and ready access to data (thanks to all of those breaches) to launch well organised attacks at scale.

In the following session, Professor Pedro Domingos (author of “The Master Algorithm”) gave the great quote “if you try to fight machine learning with code you are doomed”. But it is not simply a case of implementing machine learning. As the Prof explained, the characteristics of fraud are constantly changing so any machine learning system will need to be constantly tuned and re-trained to keep up.

Definitely a case of whack-a-mole.

Avoiding Costs Abroad

Vacation season is upon us! In a few weeks’ time, you could be leaving your home country for some relaxation. Perhaps to the Mediterranean for some sun or somewhere further afield off the beaten track. In full holiday mode, as the sun shines high and mighty, you’re about to indulge in another sundowner. Just one last hurdle before you can quench your thirst, as you hand over your credit card and are promptly presented with the mobile POS, whilst being asked politely “Would you like to pay in Sterling or local currency?”.

What will you choose?

It is a familiar situation experienced by many of us who have ventured abroad. In that instance, we must decide our fate without fully comprehending the ramifications of our choice. EUR or GBP? And with seeming enlightenment, many rookie fingers have floated reluctantly towards the more familiar currency, GBP, sheepishly smiling, whilst not knowing whether it was the right choice and perhaps not thinking further of the implications (because after all, there is only one cardinal rule during vacation time – no stress allowed!). Was it the right choice though? Well, not according to Starling Bank, who have shed some light on the matter through an experiment on Dynamic Currency Conversion (DCC), as reported by This is Money in this article: http://www.thisismoney.co.uk/money/news/article-5784137/The-proof-pay-local-currency-never-pounds-holiday.html.

DCC is the capability that allows a purchase or cash withdrawal to be done either in the local currency abroad or in the home currency associated with the debit or credit card being used. If the home currency is selected, then the POS terminal does a currency conversion on the spot from the local currency (e.g. EUR) to the home currency (e.g. GBP) at an exchange rate decided by the merchant. The merchant could potentially add their own commission to that conversion operation, resulting in a more expensive purchase than it would be if the local currency were selected. In the latter case, the purchase or withdrawal is carried out in the local currency, following which a currency conversion is done by the issuer bank or credit card provider at an exchange rate defined by the card scheme network, which is invariably about as good as you can get.

As an example, in their experiment, Starling Bank found that an ATM cash withdrawal of EUR 200 cost £195.18 when GBP was selected, meaning that the withdrawn amount was converted on the spot to the home currency (i.e. GBP) by the local bank. In comparison, when EUR was selected whilst keeping all other factors alike, the same withdrawn amount cost £177.44 since it got converted later by the Issuer bank or credit card provider at a better rate. Indeed, that is £17.74 in savings when carrying out the transaction in the local currency (EUR) rather than converting it on the spot to the home currency (GBP). This was also true for all the purchases made, albeit the difference was much less (in pence) for each individual purchase. Yet, we all know that the cumulative amount of these smaller differences over purchases made during an entire week’s holiday could potentially result in significant savings. The bottom line from the experiment, and the article, is that you are almost always much better off paying in the local currency.

Understanding the workings of DCC is only one part of the puzzle when trying to save costs for card usage abroad; there are additional “hidden” costs which we need to be aware of. More specifically, Issuer banks or credit card providers could charge a fee per transaction for purchases or withdrawals abroad (on top of the conversion rate), which could accumulate during a holiday stay and set you back considerably. Personally, I prefer to completely avoid these costs by opting for payment cards (prepaid, debit or credit) tailored for frequent travelling that do not charge for usage abroad and can offer additional features. However, you do need to be familiar with the terms and conditions for using these cards, since the card providers could restrict their usage, for instance by limiting the total daily spend, or the number of times you can withdraw cash from an ATM in a day. Most of these restrictions align with typical leisure spending behaviour abroad, including mine, so I never had an issue, but every person has different needs. The advantage is that the majority of these travel-specific payment cards come with a companion mobile application that allows you to manage your card, including various features such as viewing your transaction history, topping up your balance (in the case of prepaid), blocking your card if stolen or lost, requesting emergency cash, etc.

Prepaid travel cards are quite popular for usage abroad since they allow you to manage spending overseas with ease. An advantageous feature of prepaid travel cards is that they can be associated with different currencies. So, I could load the balance on the prepaid card with a choice from various popular currencies such as GBP, EUR, USD, etc., whilst potentially locking in the exchange rate at the time of loading. This gives you total control (and certainty) over planning your holiday spending budget, allowing you to make significant savings when compared to using any payment card not tailored for usage abroad. There are many prepaid travel card products available with different features and costs, so it is important to choose the right product that suits your needs and demand. Also, be aware of other costs that prepaid card providers might impose, such as a card inactivity fee. There are various comparison web sites that table out the different fees and limits associated with the various prepaid products, and of course always refer to the terms and conditions for each card product. For more information on different types of prepaid travel cards I suggest checking out a web site like the following: https://www.moneysavingexpert.com/credit-cards/prepaid-travel-cards.

Although prepaid travel cards are ideal for daily spending abroad, I still recommend that you take other types of payment cards, preferably from different card network schemes, only as a fall-back. Unfortunately, a prepaid card might not be accepted in certain situations that would require pre-authorisation such as petrol stations, car rental deposits or hotel reservations, so it is best to have other travel specific debit or credit payment cards in hand. Also, as witnessed recently with the service disruption of one of the international card scheme networks, it is best to diversify the scheme network as a contingency measure.

Working for Consult Hyperion, I’ve had the opportunity to work for the kind of payments innovators who identify areas like this where customers get a bad deal and there are opportunities to make things better. It is thanks to the work of those striving to improve payments, with the support of people like us, that in today’s world we have different payment products to choose from. It is just a question of finding the right product for you, whilst making sure that you fully understand the terms and conditions, such as fees and limits for operating the product. Understanding DCC and carefully planning for the right payment instruments before travelling abroad could help you avoid certain costs, ultimately having more funds available to spend on that well-deserved vacation. So, start looking for the right payment instrument, so you can fully enjoy a stress-free summer vacation! Oh, and if during your vacation you have a great idea for a new payments product, we’d love to hear from you and help you turn the idea into reality.

London taking contactless for half of PAYG

Four years ago Consult Hyperion completed a transit project which changed not only the way people paid for their travel, but cemented contactless in the vocabulary of the masses. We were focussed on getting contactless bank cards to work for pay-as-you-go (PAYG) transit payments. This was a significant undertaking since it had not been done before and the customer proposition included a fair-price promise. This fair-price promise required the contactless bank card solution to mimic the existing Oyster “capping” which allows customers to travel without knowing the tariffs, trusting that they will only be charged the best price they could have got had they bothered to research it all beforehand. It required adding contactless payment card acceptance to all TfL readers and the building of a bespoke back office to support this new Account-Based Ticketing (ABT) where no travel information is stored on the card.
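
As an added example (not TfL's or Consult Hyperion's code), the following Python sketch shows the essence of account-based capping: taps are recorded against a token standing in for the card, journeys are paired up in the back office, and the daily cap is applied once the whole day is known, so nothing has to be written to the card at the gate. The zones, fares, cap and token names are constructed for illustration and are not TfL's tariff.

```python
from collections import defaultdict
from datetime import datetime

# Constructed tariff for illustration only; these are not TfL's fares (amounts in pence).
FARES = {frozenset({"Z1"}): 250, frozenset({"Z1", "Z2"}): 300, frozenset({"Z2"}): 170}
INCOMPLETE_FARE = 600   # assumed charge for a journey with no matching tap-in or tap-out
DAILY_CAP = 700         # assumed cap: the account is never charged more than this per day

def fare(zone_a, zone_b):
    """Single-journey fare for travel between two zones (order does not matter)."""
    return FARES[frozenset({zone_a, zone_b})]

def journeys_for_day(taps):
    """Pair each tap-in with the next tap-out for the same token; taps are (token, zone, time, kind).
    Only the token is held by the back office, so the card itself carries no travel data.
    Returns token -> list of journey fares, in travel order."""
    open_tap = {}                 # token -> zone of an unmatched tap-in
    journeys = defaultdict(list)
    for token, zone, _when, kind in sorted(taps, key=lambda t: t[2]):
        if kind == "in":
            if token in open_tap:                     # two tap-ins in a row: first journey incomplete
                journeys[token].append(INCOMPLETE_FARE)
            open_tap[token] = zone
        elif token in open_tap:
            journeys[token].append(fare(open_tap.pop(token), zone))
        else:                                         # tap-out with no preceding tap-in
            journeys[token].append(INCOMPLETE_FARE)
    for token in open_tap:                            # still "travelling" when the day closes
        journeys[token].append(INCOMPLETE_FARE)
    return dict(journeys)

def daily_charges(taps):
    """Amount to settle per token: the cap is applied once the whole day's journeys are known."""
    return {token: min(sum(fares), DAILY_CAP) for token, fares in journeys_for_day(taps).items()}

SAMPLE_TAPS = [  # constructed taps for one day: (token, zone, time, "in"/"out")
    ("tok-A", "Z1", datetime(2016, 5, 3, 8, 0), "in"),
    ("tok-A", "Z2", datetime(2016, 5, 3, 8, 40), "out"),    # 300
    ("tok-A", "Z2", datetime(2016, 5, 3, 12, 5), "in"),
    ("tok-A", "Z2", datetime(2016, 5, 3, 12, 30), "out"),   # 170
    ("tok-A", "Z2", datetime(2016, 5, 3, 18, 0), "in"),
    ("tok-A", "Z1", datetime(2016, 5, 3, 18, 45), "out"),   # 300 -> 770 in total, capped to 700
    ("tok-B", "Z1", datetime(2016, 5, 3, 9, 0), "in"),
    ("tok-B", "Z1", datetime(2016, 5, 3, 9, 20), "out"),    # 250
    ("tok-C", "Z1", datetime(2016, 5, 3, 7, 0), "in"),      # never taps out -> 600
]

if __name__ == "__main__":
    print(daily_charges(SAMPLE_TAPS))   # {'tok-A': 700, 'tok-B': 250, 'tok-C': 600}
```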

Convenience is king in mass transit. Our task was to meet the demands of one of the world’s busiest transit environments while making it cheaper to operate. The long-term vision was that by 2018, Oyster cards would be migrated to use the ABT back office and the legacy Oyster system would be turned off. The Oyster brand would remain alongside bank cards for those not using them, but the technology powering it would be changed to ABT.

TfL and Consult Hyperion worked closely with the payment schemes to define the process of card acceptance and with the UK Card Association to establish a harmonized set of rules to balance risk between TfL and the card issuers.

The system launched on buses in 2012 and on the rest of the TfL Oyster network in 2014. Later, in 2016, the privately-run river buses were added.

Fare collection costs were reduced from 14% to less than 9% of fare revenue. In 2016, 34% of TfL PAYG journeys were made using contactless bank cards (56% were Oyster and 10% were paper tickets). Is this good, bad or indifferent? Well, this figure needs to be understood in context:

  • Contactless bank cards were still rolling out. In 2015, less than half[1] of UK bank cards were contactless.
  • Not everyone has a bank account. In 2015, about 5%[2] of UK adults were unbanked and half of these did not want a bank account.
  • Loss of government subsidy and a mayor-imposed TfL fare freeze meant that the vision of turning the legacy Oyster system off had to be reconsidered. Existing Oyster users have no incentive to switch over to using their bank cards.
  • Not all foreigners arriving in London are keen to use their bank cards since they may be subject to bank charges back home, making Oyster the better choice for them.

Despite these barriers to the uptake of contactless bank cards, by April 2016, 9% of all UK contactless transactions took place on TfL services.[3] By 2018 (year 4 of acceptance of bank cards on the full Oyster network), the percentage of PAYG journeys made using bank cards (or their emulations on phones or wearables) had risen from 34% to approximately 50%.

Consult Hyperion were uniquely qualified to help TfL deliver their ambition, bringing in-depth knowledge and a heritage of working with the major payment networks and their detailed specifications for three decades, a solid understanding of proprietary transit technologies and practical experience of delivering innovative payment methods outside of the retail community.

The team at Consult Hyperion is now involved across the globe working with transit agencies looking to emulate the success of London in their own cities. As well as Transport for the North in the UK, these projects have ranged from countries where contactless success has outpaced the UK, such as Australia, to territories where contactless payments are still emerging, like India and Colombia. Our US team has been working for a number of agencies who today are developing systems capable of accepting contactless payment cards, even though issuance is less than 0.01%, in the hope that transit will drive banks to start issuing cards. There are early signs of success.

It is clear that the success of TfL’s Future Ticketing Project has helped drive a sea-change in the payments and transportation industries, one that can save money in one industry and drive transaction volumes up in another. With our help, we are confident this success will continue.

[1] UK Cards Association Summary Statistics

[2] Financial Inclusion Commission 2015 Report

[3] UK Cards Association Contactless Transit Project Briefing – May 2016

TLS, DSS, and NCS(C)

As I was scanning my list of security-related posts and articles recently, my eye was drawn by the first sentence of an article on (Google security engineer) Adam Langley’s blog, indicating that Her Majesty’s Government does not understand TLS 1.3. Of course, my first thought was that since HMG doesn’t seem to understand the principles of encryption itself, it’s hardly surprising that they don’t understand TLS. However, these aren’t the thoughts of an understandably non-technical politician but instead those of Ian Levy, the Technical Director of the National Cyber Security Centre at GCHQ – someone you’d hope does understand encryption and TLS. Now normally, I would read this type of article without feeling the need to comment. So what’s different?

Well, the bulk of the article discusses how proxies are currently used by enterprises to examine and control the data leaving their organisation, in effect by masquerading as the intended server and intercepting the TLS connection. Following that discussion is this throwaway line:

For example, it looks like TLS 1.3 services are probably incompatible with the payment industry standard PCI-DSS…

Could this be true? Why would it be true? The author provided no rationale for this claim. So, again in the spirit of Adam Langley, “it is necessary to write something, if only to have a pointer ready for when people start citing it as evidence.”

Adam’s own response – again following a discussion about how the problem with proxies is their implementation, not with TLS – is that

…the PCI-DSS requirements are general enough to adapt to new versions of TLS and, if TLS 1.2 is sufficient, then TLS 1.3 is better. (Even those misunderstanding aspects of TLS 1.3 are saying it’s stronger than 1.2.)

which would seem to make sense. Not only that, but

[TLS 1.3] is a major improvement in TLS and lets us eliminate session-ticket encryption keys as a mass-decryption threat, which both PCI-DSS- and HIPAA-compliance experts should take great interest in.

In turn, Ian follows up to clarify that it’s not TLS itself that could present problems, but the audit process employed by organisations:

The reference to regulatory standards wasn’t intended to call into question the ability of TLS 1.3 to meet the data protection standards. It was all about the potential to affect (badly) audit regimes that regulated industries have to perform. Right or wrong, many of them rely on TLS proxies as part of this, and this will get harder for them.

So that’s alright. TLS 1.3 is not incompatible with PCI DSS. So what is the problem? Well, helpfully, Simon Gibson outlined this in 2016:

…regulated industries like healthcare and financial services, which have to comply with HIPAA or PCI-DSS, may face certain challenges when moving to TLS 1.3 if they have controls that say, “None of this data will have X, Y, or Z in it” or “This data will never leave this confine and we can prove it by inspecting it.” In order to prove compliance with those controls, they have to look inside the SSL traffic. However, if their infrastructure can’t see traffic or is not set up to be inline with everything that is out of band in their PCI-DSS, they can’t show that their controls are working. And if they’re out of compliance, they might also be out of business.

So the problem is not that TLS 1.3 is incompatible with PCI DSS. It’s that some organisations may have defined controls with which they will no longer be able to show compliance. They may still be compliant with PCI DSS – especially if the only change is to upgrade to TLS 1.3 and keep all else equal – but cannot demonstrate this. So what’s to be done?

Well, you could redefine the controls if necessary. If your control requires you to potentially degrade, if not break, the very security that you’re using to achieve compliance in the first place, is it really suitable? In the case of the two example controls above, however, neither of them should actually require inspection of SSL traffic.

For the organisation to be compliant in the first place, access to the data must only be possible for authorised personnel on authorised (i.e. controlled) systems. If you control the system, you can stop that data leaving the organisation more effectively by prohibiting its access from arbitrary machines in the external world. After all, you have presumably restricted access to any USB and other physical storage connectors, and you hopefully also have controls around visual and other recording devices in the secured area. It is difficult in today’s electronic world to think of a situation where a human (other than the cardholder) absolutely must have access to a full card number without (PCI DSS-compliant) alternatives being available.
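
As an added example (not part of the original post), here is what the alternative argued for above can look like in practice: a host-side check that finds Luhn-valid card numbers in data before it leaves a controlled system and masks them, so a control of the form “none of this data will have X in it” is enforced at the endpoint rather than by breaking TLS at a proxy. The log lines are constructed and the card numbers are commonly published test PANs; the spacing rules for candidates are my assumption, while the first-six/last-four mask is the maximum PCI DSS permits for display.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or hyphens
# (assumed formatting rules); the lookarounds stop us matching the middle of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn check-digit validation; weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep the first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return the Luhn-valid PANs (digits only) found in text."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_CANDIDATE.finditer(text))
    return [d for d in candidates if luhn_valid(d)]

def redact(text):
    """Mask every Luhn-valid PAN in text; returns (clean_text, number_masked)."""
    count = 0
    def _mask(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()              # a 13-19 digit run that is not a card number: leave it
        count += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(_mask, text), count

SAMPLE_LINES = [  # constructed application log lines; the card numbers are published test PANs
    "2019-03-01T10:00:00Z order=1234 pan=4111111111111111 status=approved",
    "2019-03-01T10:00:05Z ticket=TTG19 ref=5500 0000 0000 0004 note=call-back",
    "2019-03-01T10:00:09Z ref=1234567890123 status=declined",   # 13 digits but fails Luhn
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        masked, n = redact(line)
        print(n, masked)
```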

So TLS 1.3 is a challenge to organisations who are using faulty proxies and/or inadequate controls already. It certainly doesn’t make you instantly non-compliant with PCI DSS.

Given this, we, as humble international payments security consultants, are left puzzled by the NCSC’s line about TLS 1.3 and PCI DSS compatibility. At worst, organisations need to redefine their audit processes to use the enhanced security of TLS 1.3, rather than degrade their security to meet out-of-date compliance procedures. But, of course, this is the type of problem we deal with all the time, as we’re frequently called in to help payment institutions address security risks and compliance issues. TLS 1.3 is just another tool in a complex security landscape, but it’s a valuable one that we’re adding to our toolkit in order to help our clients proactively manage their cyber defences.