Consult Hyperion’s Live 5 for 2020

At Consult Hyperion we take a certain amount of enjoyment looking back over some of our most interesting projects around the world over the previous year or so, wrapping up thoughts on what we’re hearing in the market and spending some time thinking about the future. Each year we consolidate the themes and bring together our Live Five.

2020 is upon us and so it’s time for some more future gazing! Now, as in previous years, how can you pay any attention to our prognostications without first reviewing our previous attempts? In 2017 we highlighted regtech and PSD2, 2018 was open banking and conversational commerce, and for 2019 it was secure customer authentication and digital wallets — so we’re a pretty good weathervane for the secure transactions’ world! Now, let’s turn to what we see for this coming year.

Hello 2020

Our Live Five has once again been put together with particular regard to the views of our clients. They are telling us that over the next 12 months retailers, banks, regulators and their suppliers will focus on privacy as a proposition, customer intimacy driven by hyper-personalisation and personalized payment options, underpinned by a focus on cyber-resilience. In the background, they want to do what they can to reduce their impact on the global environment. For our transit clients, there will be a particular focus on bringing these threads together to reduce congestion through flexible fare collection.

So here we go…

1. This year will see privacy as a consumer proposition. This is an easy prediction to make, because serious players are going to push it. We already see this happening with “Sign in with Apple” and more services in this mould are sure to follow. Until quite recently privacy was a hygiene factor that belonged in the “back office”. But with increasing industry and consumer concerns about privacy, regulatory drivers such as GDPR and the potential for a backlash against services that are seen to abuse personal data, privacy will be an integral part of new services. As part of this we expect to see organisations that collect large amounts of personal data looking at ways to monetise this trend by shifting to attribute exchange and anonymised data analytics. Banks are an obvious candidate for this type of innovation, but not the only one – one of our biggest privacy projects is for a mass transit operator, concerned by the amount of additional personal information they are able to collect on travellers as they migrate towards the acceptance of contactless payment cards at the faregate.

2. Underpinning all of this is the urgent need to address cyber-resilience. Not a week goes by without news of some breach or failure by a major organisation putting consumer data and transactions at risk. With the advent of data protection regulations such as GDPR, these issues are major threats to the stability and profitability of companies in all sectors. The first step to addressing this is to identify the threats and vulnerabilities in existing systems before deciding how and where to invest in countermeasures.

Our Structured Risk Analysis (SRA) process is designed to help our customers through this process to ensure that they are prepared for the potential issues that could undermine their businesses.

3. Privacy and Open Data, if correctly implemented and trusted by the consumer, will facilitate the hyper-personalisation of services, which in turn will drive customer intimacy. Many of us are familiar with Google telling us how long it will take us to get home, or to the gym, as we leave the office. Fewer of us will have experienced the pleasure of being pushed new financing options by the first round of Open Banking Fintechs, aimed at helping entrepreneurs to better manage their start-up’s finances.

We have already demonstrated to our clients that it is possible to use new technology in interesting ways to deliver hyper-personalisation in a privacy-enhancing way. Many of these depend on the standardization of Premium Open Banking API’s, i.e. API’s that extend the data shared by banks beyond that required by the regulators, into areas that can generate additional revenue for the bank. We expect to see the emergence of new lending and insurance services, linked to your current financial circumstances, at the point of service, similar to those provided by Klarna.

4. One particular area where personalisation will have immediate impact is giving consumers personalised payment options with new technologies being deployed, such as EMV’s Secure Remote Commerce (SRC) and W3C’s payment request API. Today, most payment solutions are based around payment cards but increasingly we will see direct to account (D2A) payment options such as the PSD2 payment APIs. Cards themselves will increasingly disappear to be replaced by tokenized equivalents which can be deployed with enhanced security to a wide range of form factors – watches, smartphones, IoT devices, etc. The availability of D2A and tokenized solutions will vastly expand the range of payment options available to consumers who will be able to choose the option most suitable for them in specific circumstances. Increasingly we expect to see the awkwardness and friction of the end of purchase payment disappear, as consumers select the payment methods that offer them the maximum convenience for the maximum reward. Real-time, cross-border settlement will power the ability to make many of our commerce transactions completely transparent. Many merchants are confused by the plethora of new payment services and are uncertain about which will bring them more customers and therefore which they should support. Traditionally they have turned to the processors for such advice, but mergers in this field are not necessarily leading to clear direction.

We know how to strategise, design and implement the new payment options to deliver value to all of the stakeholders and our track record in helping global clients to deliver population-scale solutions is a testament to our expertise and experience in this field.

5. In the transit sector, we can see how all of the issues come together. New pay-as-you-go systems based upon cards continue to rollout around the world. The leading edge of Automated Fare Collection (AFC) is however advancing. How a traveller chooses to identify himself, and how he chooses to pay are, in principle, different decisions and we expect to see more flexibility. Reducing congestion and improving air quality are of concern globally; best addressed by providing door-to-door journeys without reliance on private internal combustion engines. This will only prove popular when ultra-convenient. That means that payment for a whole journey (or collection or journeys) involving, say, bike/ride share, tram and train, must be frictionless and support the young, old and in-between alike.

Moving people on to public transport by making it simple and convenient to pay is how we will help people to take practical steps towards sustainability.

So, there we go. Privacy-enhanced resilient infrastructure will deliver hyper-personalisation and give customers more safe payment choices. AFC will use this infrastructure to both deliver value and help the environment to the great benefit of all of us. It’s an exciting year ahead in our field!



Ultra Wideband Payments

It didn’t get much of a fanfare, but the new iPhones have an interesting new technology in them. It’s called Ultra Wideband, or UWB, and it’s in the iPhone 11, iPhone 11 Pro and iPhone 11 Pro Max. It’s a technology used for some very interesting location-based applications. To give just one example, NFL players have UWB transmitters in each shoulder pad, part of broadcast technology used for instant replay animations. A football’s location is updated 2,000 times per second.

Anyway, it’s in my iPhone now and it will be showing up in Android phones later this year. If you look on the Apple web site, you’ll see the arrival of UWB confirmed with the interesting caveat that “availability varies by region”.

(The reason for this is that UWB is subject to national regulatory requirements that require it to be turned off in certain locations such as, to give one example, Vietnam.)

It’s not really a new technology as it’s been around for ages. The spectrum was opened up for commercial use in 2005 by the FCC for pulse-based transmission in the 3.1 to 10.6 GHz range and the IEEE (Institute of Electrical and Electronic Engineers) standard on UWB (802.15.4) came out more than a decade ago. The idea behind it was to send data by transmitting short, low-power radio pulses across a wide spectrum (the channels are ten times wider than the channels used for wifi). The data is encoded so that each bit is spread 32-128 of the nanosecond radio pulses so that you can send lots of data (say 10Mb/s) with little interference.

UWB was one of a family of wireless protocols, along with Bluetooth, ZigBee and WiFi, intended for short-range wireless communications with low power consumption. Back in the day it was assumed that, broadly speaking, Bluetooth was for a cordless keyboards and hands-free headset, ZigBee was for monitoring and control networks, while Wi-Fi was for computer-to-computer connections to substitute for wired networks and UWB was for high-bandwidth multimedia link. It never really caught on though. WiFi worked well enough and got faster, it got built in to laptops and phones and together with Bluetooth seemed to take care of most applications.

But then came the pivot.

It turned out that people found another use for UWB, because these nanosecond radio pulses have an interesting characteristic. They allow you to determine location with great accuracy. The short bursts of signals with their sharp rises and drops mean that the signal start and stop are inherently easier to measure than for wifi or Bluetooth transmissions. This means that the distance between two UWB devices can be measured precisely by measuring the time that it takes for a radio wave to pass between the two devices. It delivers much more precise distance measurement than signal-strength estimation and, what’s more, UWB signals maintain their integrity in the presence of noise and multi-path effects.

All of which means that with UWB it is possible to measure the time it takes the signal to travel from transmitter to receiver and calculate the distance in centimetres, giving much better distance information than determining distance based iBeacons and such like. Apps can therefore receive precise location data and location updates can be delivered every 100 ms if necessary. So UWB-equipped devices can determine the precise location of another UWB device and know whether it’s stationary, approaching or receding. For example, a UWB-enabled system can sense if you’re moving toward a locked door and it can know if you’re on the inside or outside of the doorway, to determine if the lock should remain closed or open when you reach a certain point.

So if you have a UWB phone and a UWB tag of some kind, then the phone can work out where the tag is. Now, I already use something like this, because I’m a big fan of Tile. If you haven’t used Tile, it’s an app on your phone that can locate Bluetooth tags. You buy these tags and then attach them to things (I’ve got one on my keys, one in my wallet and one in my notebook) so that you can find them. I can’t tell you how many times — maybe this is something to do with age — that I’ve misplaced my keys and saved hours of searching around the house by using the app.

Anyway, for the moment Apple only uses UWB to connect its own devices but there are standardisation efforts underway to interconnect devices from different manufacturers. An example use case (where Apple already has patents) is for keyless car unlocking.

(Apple is a charter member of the Car Connectivity Consortium, which created the Digital Key Release 1.0 specification in 2018.)

So why am I telling you about UWB now? Well, it’s because it has started to make inroads into the world of payments. In Japan, NTT Docomo has teamed up with Sony and NXP Semiconductors (their UWB chipset was announced last September) to trial technology that lets shoppers make NFC payments without having to take their phones out of their pockets. They are using UWB to follow user movement and positioning with location accuracy of a few centimetres

Pretty cool stuff! So if you are thinking about a fun payments skunkworks project, you might do worse than have a look at what UWB can do to transform your customers’ experiences at point-of-sale and then ask the Hyperlab team at Consult Hyperion to help you to put something together.

MaaS Solutions Using Mobile Wallets

I was delighted to have the opening speech at the Transport Card Forum (TCF) in London in which I talked about Mobile Wallets. At the previous meeting there was a presentation about mobile ticketing and a member of the audience asked why there was no mention of the use of mobile wallets. I tended to agree since most of our mobile ticketing projects have been about clever ways of using mobile wallets to get around the technical barriers associated with barcodes, HCE and the like.

There is a problem which Transport Scotland have termed the “Glasgow Conundrum”. Within one city or region, a passenger door-to-door journey might consist of several legs and each of these legs might be services by a different transport operator. Each operator might use a different ticketing technology and accept payments in different limited ways. From a customer point of view, it stinks; integration is what they need. But it is clear that there are two distinct questions:

  1. 1. How can the customer pay for travel rights?
  2. 2. How can the customer prove they own travel rights when travelling?

Payments

Ideally the payment mechanism would be decoupled from the type of travel rights and the transport operator. MaaS Providers should be free to accept payments from whatever means suit the customers. If you are interested in this aspect of things, download our white paper: MaaS Payments, a billion dollar opportunity. The download includes a discount code for Transport Ticketing Global 2020 where I will be chairing a panel again in January and judging the awards entrants.

Travel rights

The multiple legs that make up the end-to-end journey might be thought of as what the rail industry called ‘split ticketing’. Rather than having a single ticket, you can buy single tickets for each part of the journey and sometime (usually where Train Operator boundaries are crossed) this can work out cheaper. Mobile apps are very good at hiding this sort of complexity from the passenger and one can imagine that, using geolocation services, the app can decide which ticket should be presented when in order to sail through the gates and turnstiles. And all the split tickets could be stored in the mobile wallets.

Meanwhile, the sales of tickets are diminishing as the areas offering Pay As You Go (PAYG) continue to expand. Project ‘Oval’ round London is seeing the imminent expansion of PAYG contactless bank cards as far as Reading on the new Elizabeth Line from January 2020. For various reasons, Oyster will not be able to be used as far out. So, once again we are seeing contactless bank card technology reaching further than Oyster. There are government plans (election permitting) to add hundreds more rail stations to the TfL PAYG scheme.

London is not the only game in town, and we see other PAYG schemes around the UK. The continued expansion of PAYG represents improved customer experience but is not great news for retailers of travel rights unless they can find a way to sell PAYG and make a profit.

If the PAYG area accepts contactless bank cards (like London), then mobile wallets can be used to allow passengers to travel seamlessly in these areas. Citymapper launched a plastic prepaid Mastercard for this purpose for residents of London only in April 2019. It has recently become available as a virtual card using mobile wallets on both Android and Apple iOS devices. By contrast, the UK smart ticketing standards, ITSO, has partnered with Google and Google Pay wallet has been customised for ITSO so that now ITSO tickets can be loaded into the mobile wallets of Android phones only.

So, lots of choices. And the Glasgow Conundrum continues to some extent, though I can see MaaS Providers apps being able to hide this complexity if they get it right. I was very happy to recently have Ben Whitaker round at Chyp towers explaining Masabi’s take on automatic fare collection using mobile apps. We made a podcast about their Fare Payments as a Service and Ben’s views on where MaaS is going which I found very interesting.

At Consult Hyperion we have a lot of experience with smart ticketing, mobile ticketing and, in particular, mobile digital wallets. If you would like to learn more, give us a call.

Technology and Trust @ Money2020

Online trust is a pretty serious issue, but it’s not alway easy to quantify. We all understand that it is important, but what exactly is the value in pounds, shillings and pence (or whatever we will be using after Brexit) and how can we use that value to develop some business cases? It’s one thing to say (as you will often hear at conferences) that some technology or other can increase trust, but how do we know whether that means it is worth spending the money on it? At Consult Hyperion we have a very well-developed methodology, known as Structured Risk Analysis (SRA), for managing risk and directing countermeasure expenditures, but we need reasonable, informed estimates to make it work.

The specific case of online reviews might be one area where trust technologies can be assessed in a practical way. In the UK, the Competition and Markets Authority (CMA) estimates that a staggering £23bn a year of UK consumer spending is now influenced by online customer reviews and the consumer organisation Which has begun a campaign to stop fake reviews from misdirecting this spending. According to their press office, with “https://press.which.co.uk/whichpressreleases/revealed-amazon-plagued-with-thousands-of-fake-five-star-reviews/“, fake reviews are a very serious problem.

Unscrupulous businesses undoubtedly find fake reviews an incredibly useful tool. There are millions of examples we could use to illustrate this, but here is just one.”Asad Malik, 38, used fake reviews and photographs of secure car parks hundreds of miles away to trick customers into leaving their vehicles with him when they flew from Gatwick [Airport parking boss jailed for dumping cars in muddy fields].

So how can we use technology to make a difference here? When you read a review of an airport parking service, or a restaurant or a Bluetooth speaker, how can you even be sure (to choose the simplest example) that the reviewer purchased the product? Well, one possibility might be to co-opt the payment system: and this can be done in a privacy-enhancing way. Suppose when you pay the bill at a restaurant, and you have told your credit card provider that you are happy to be a reviewer, your credit card company sends you an unforgeable cryptographic token that proves you ate at the restaurant. Then, when you go to Tripadvisor or wherever, if you want to post a review of the restaurant, you have to provide such a token. The token would be cryptographically-blinded so that the restaurant and review-readers would not know who you are, so you could be honest, but they could be sure that you’ve eaten there.

Such “review tokens” are an obvious thing to store in digital wallets. You could easily imagine Calibra, to choose an obvious case study, storing these tokens and automatically presenting them when you log in to review sites. This would be a simple first step toward a reputation economy that would benefit consumers and honest service providers alike.

This is one of the cross-overs between payments and identity that we expect to be much discussed at Money20/20 in Las Vegas this week. I’ll be there with the rest of the Consult Hyperion team, so do come along to the great, great Digital Trust Track on Tuesday 29th and join in the discussions.

SRC enters the secure digital commerce arena

Secure Remote Commerce (SRC) officially launched in the US last week,
supported by a limited set of merchants, with more to launch by year-end and into early 2020. We’ve been tracking SRC for some time now as it moved through the specification development process within EMVCo. It has emerged at launch as a customer-facing brand called “Click-to-Pay,” unless you’re using an Amex card, where it’s also called “Online Checkout” in confirmation emails received after registering a card.

So now we know SRC has launched as Click-to-Pay, but what is it? As the card brands have positioned it, Click-to-Pay is intended to solve the challenges that come with guest checkout (i.e. the first time a customer shops with a merchant, or when a customer prefers not to let the merchant store their payment details). SRC itself is a specification that acts behind the scenes to provide a secure and interoperable card acceptance environment
and covers both web-based and native app-based transactions. EMVCo has suggested that by having a simpler integration for merchants to access a consolidated brand wallet through a single buy button, it can enable a smoother process for consumers to access their payment cards and shipping details without having to manually fill out payment details for these types of transactions. This is not the first attempt by the brands to solve this problem (e.g. Visa Checkout, Masterpass, and Amex Express Checkout), but previous attempts struggled with adoption by both consumers and merchants. This new iteration under SRC has all the brands working together under EMVCo to coordinate efforts, so if implemented correctly, and if it does simplify the process for merchants and consumers, the momentum of this joint effort might help enable broad adoption.

Naturally, as all intrepid payment consultants are inclined to do, we went out and tested SRC with the launch merchants to see how it’s working and what we could learn for our clients. We bought some chocolate, movie tickets and also donated to the Movember charity. Based on these payments we found a few peculiarities to note so far:

• The checkout experience across the three launch merchants varies quite a bit, which can be expected for different types of goods or services (i.e. donations vs. goods that need to ship). However, even the experience after returning to the merchant checkout from the SRC checkout varied. Sometimes there was a “Payment Review” screen before confirming payment, and others the payment was submitted immediately after clicking a button to “Confirm” payment on the SRC screens.
• The flows for desktop web and mobile web varied slightly as well when returning to the merchant checkout. Interestingly, there were more steps to complete on a mobile browser after returning from the SRC checkout.
• On subsequent payment attempts after initial registration, more cards appeared without needing to register each one. It’s not entirely clear how these were loaded or where they came from, though we believe it could be due to past use of Visa Checkout, or registration of cards within Apple Pay using the same email address. Even though these cards appeared, they still needed to be authenticated (with a card security code or a one-time passcode) before use.
• While a registered SRC profile contains the customer’s shipping address, the merchant checkout flow forced manual entry of shipping information since payment method selection comes after entering shipping details. As solutions mature, this flow may shift to bring Click-to-Pay earlier in the flow.
• There is a trusted device process, but it doesn’t appear to be recognized by subsequent attempts as even after using Click-to-Pay as a “Returning User”, we were forced to enter a one-time passcode sent via email.

Some of these variations can be expected in early iterations of SRC, and some of them are by design. Jess Turner, executive vice president of digital payments and labs of North America at Mastercard told PYMNTS.com,
“…the way a merchant deploys SRC will depend on their chosen verticals, consumer bases, and how large or small the merchant may be.” This flexibility, in the long run, should actually provide merchants with more choice about how they implement SRC, and which features are most important to them. At this time, the only thing that SRC seems to save for a customer is entering their card details. As adoption expands, we expect to see the checkout experience optimized and simplified for everyone involved.

Speaking of merchants, what’s in it for them? If a consumer is going to enroll any payment cards into a wallet, historically, merchants have preferred this be in a merchant wallet under their control, rather than a scheme wallet. However with SRC there is no merchant card on file “honey pot” to be breached, so for many merchants this is an appealing security feature that reduces their risk of becoming the next credit card data breach in the news like Home Depot, Target, TJX, Marriott, British Airways, Macy’s, Lord & Taylor or Saks Fifth Avenue. For consumers who do not regularly shop with certain merchants, SRC could help reduce the checkout friction while also simultaneously securing the cardholder’s payment details.

There are a variety of ongoing developments attempting to make the experience of guest checkout more convenient and more secure for both consumers and merchants. These include different approaches like storing payment details in your device’s browser (W3C Payments Request API in Safari, Chrome, Firefox, etc.) or leveraging digital wallets like Apple Pay, Google Pay or Samsung Pay for in-app payments. While the technologies available today are still early to the market and need time to mature, they each are striving to enable universal acceptance, increased security, and a common checkout experience, but do we need all these solutions? Are we going to just confuse consumers? Which solutions will gain traction and survive? Which solution works best for different merchant types? The answer to these questions may well depend on the consumer experience a merchant wants to provide on their website.

At Consult Hyperion, we are continually working with our clients to make payments simple and secure. Based on what we can see so far, SRC should make paying online more secure for everyone while reducing integration and enrollment roadblocks for the merchant and consumer respectively, however the current implemenatations are somewhat clunky and need to be more streamlined to succeed. The real test will be the adoption rate and the brands’ responsiveness to feedback from participants in the ecosystem to ensure a beneficial approach for everyone involved. If you’d like to learn more please contact us for a copy of our latest digital commerce material at sales@chyp.com.

4 Essential Trends in Money for your Business

By Sanjib Kalita, Editor-in-Chief, Money20/20

This article was originally published on Money20/20.

We are in the midst of seismic societal changes of how people interact and transact.  Across societies, geographies and segments, digital is the new norm. Change has accelerated, placing greater value upon flexibility and speed. Historically, money and finance have been among the more conservative and slower changing parts of society, but this has changed dramatically over the past decade by viewing money as an instigator of change rather than a lagging indicator.

Whether you are a marketer in shining armor conquering new territory, a financial wizard casting spells upon the balance sheet, or the queen or king guiding the whole enterprise, here are 4 trends about money that you should keep in mind for your business.

Platforms are the new kingdoms

Platforms are the base upon which other structures can be built.  For example, App stores from Apple and Google provide the infrastructure for consumers to complete commercial transactions and manage finances through their mobile phones.  While these companies develop their own digital wallets, they also enable similar services from banks, retailers and other companies.  Building and maintaining the platform enables services that they would not have created on their own, like Uber or Lyft, which in turn, have created their own platforms.

Marketers trying to address customers’ needs can plug into platforms to broaden offerings or deepen engagement with target markets. Platform-based thinking implies that product and service design is ongoing and doesn’t stop with a product launch.  Jack Dorsey didn’t stop when he built the Square credit card reader.  The team went into lending with Square Capital.  They got into consumer P2P payments with Square Cash.  Their ecosystem has grown through partnerships with other companies as well as in-house development.

Digital Identities open the gates

How do your customers interact with you?  Do they need to create a username and password, or can they use a 3rd party system like Google or Facebook?  Are security services like two-factor authentication or biometrics used to protect credentials?  Is your company protecting customer identities adequately?  The importance of all of these questions is increasing and often the difference between being forced into early retirement by a massive data breach or surviving to continue to grow your business.

While identity management and digital security might not be top of mind for most marketers, they are table stakes for even the most basic future business.  History is full of tales of rulers successfully fighting off armies laying sieges on castles and fortresses, only to fail when another army gets access to a key for the back door.

Context rules the experience

Credit card transactions moved from predominantly being in-store, to e-commerce sites accessed from desktop computers, and now to mobile phones.  As the point-of-purchase expanded, so did the consumer use cases and thought processes. In tandem, mobile screens presents less information than desktop computer screens, which in turn presents less information than associates in a brick-and-mortar environment.  Companies best able to understand context and deliver the right user experience within these constraints will build loyal customer relationships.

Apps or services created for a different use cases on the same platform, such as Facebook and Messenger apps, can help achieve this. Banks and have different apps for managing accounts or for completing transactions or payments. On a desktop, you can access these services through a single interface but on the mobile, forcing users to select their use case helps present a streamlined experience on the smaller, more time-constrained mobile screen.  The use of additional data such as location, device, etc. can further streamline the experience. Marketers that don’t think about the context will lose the battle before it even begins.

Data is gold

While a marketer’s goal is to generate sales, data has become a value driver.  In the financial world, data about payments, assets and liabilities has become critical in how products and services are delivered.  PayPal, a fintech that began even before the word ‘fintech’, has recently been using payments data from their platform to help build a lending business for their customers.  Similarly, an SME lender named Kabbage has grown to unicorn status by using data from other sources to make smarter lending and pricing decisions.  In the payments industry, Stripe distilled a previously complex technology integration into a minimal data set, accessed via API, to easily build payments into new digital products and services.

Those that are able to harness the power of data will be able to predict what customers want and more effectively address their needs.  In some cases, it might be using data from within your enterprise or from other platforms for targeting, pricing or servicing decisions. In other cases, it might be using data to reimagine what your product or service is.

Looking for more insights on key trends in money? Hear from 400+ industry leaders at Money20/20 USA. Money20/20 USA will be held on October 27-30, 2019 at The Venetian Las Vegas. To learn more and attend visit us.money2020.com.

This article was originally published on www.money2020.com.

GDPR: Consequences, Fines and Responses

The UK’s Information Commissioner’s Office (ICO) has finally done what it’s been threatening to for a while and levied enormous fines on British Airways’ parent International Consolidated Airlines (£183 million) and Marriott Hotels (£99 million).  While subject to appeal, these are the first signs of how the ICO now has real teeth and is prepared to use them. The question is, what lessons can we learn from this?

Well, firstly, we can observe that card payments aren’t optimised for the internet.  The BA breach looks like it was at entry point – i.e. it wasn’t that the data was breached while stored in a database but that someone managed to get hacked software to intercept payments in flight and capture the details. The point here, of course, is that the paradigm of giving your card details to the merchant so they can pass them to your issuer originated in the 20th century when we didn’t have a choice. Now, given that we have this internet thing it makes more sense to contact our issuer directly and tell them to pay the merchant. Realistically, this may be the only way we can be sure merchants won’t lose our card details – don’t give them to them.

This points to push payments a la PSD2 APIs. But given that these won’t be pervasive for a while then the next best option is to tokenise cards to either limit their use to a single merchant or even a single transaction. Both of these are areas we’re seeing lots of interest in, and ought to be high on the agenda of heads of IT security and payments everywhere.

Secondly, we can note that static credentials are a sitting target. Seeing email addresses and passwords breached opens up companies to all sorts of horrible consequential damages under GDPR – let’s face it, most people reuse the same combinations across multiple sites so a breach on one site can lead to exposure on another. Any company relying on static credentials should basically assume they’re going to get some level of breach.  

Fixing this requires two factor authentication and we have a ready-made, state-of-the-art, solution here in the EU. PSD2 SCA is about as strong an approach as you could ask for and we have banks and authentication providers drowning in relevant technology. There simply is no excuse for a company using static credentials if they get breached.  We’ve been working closely with providers to look at how to take these solutions into the wider authentication market, because there’s been a certain inevitability about the way a lot of companies have dealt with their data breach protection.

Finally, note that the point that BA have made – that they haven’t seen any impact due to their breach – needs to be quantified: “yet”. Hackers tend to sit on breach data for 18 months before using it, waiting for the identity protection schemes that are often engaged post these events to expire. GDPR allows affected companies and individuals to sue – up until now the costs of a data breach have been borne by banks having to deal with fraud and issue new cards and consumers having to sort out identity protection. The ICO fines may yet be just the be tip of a very expensive iceberg as GDPR ensures that the costs more appropriately allocated to the offending parties.

SCA: the end of merchant liability, and other authentication factors

The EBA’s recent Opinion on the elements of strong customer authentication under PSD2 was, apart from moving the goalposts on when SCA will be enforced, full of interesting information about what constitutes a valid SCA element. It closes some doors, opens others and ends any notion that merchants can take liability and not do SCA themselves.

Taking the final point first, there’s been a view that Article 74(2) of PSD2 permits merchants to carry on without implementing SCA as long as they take liability. We at Consult Hyperion have long argued that that is an optimistic and overly legalistic reading of the regulations and this has now been confirmed. The EBA states:


In addition, even if there were a liability shift to the payee or the payee’s PSP for failing to accept SCA, as articulated in Article74(2) of PSD2, this could not be considered an alleviation of PSPs’ obligation to apply SCA in accordance with and as specified in Article 97 of PSD2.

Basically, Article 97 takes precedence – PSPs (aka Issuers) must apply SCA so if the merchant chooses not to then rather than end up with a payment for which they’re liable they’ll end up with no payment at all. Which, you’d imagine, would rather miss the point of being a merchant.

Beyond this point the Opinion has lots of interest to say about inherence, possession and knowledge elements.

On inherence two points stand out. Firstly the Opinion unambiguously states that behavioural biometrics can be a valid factor: this opens up a world of possible low friction SCA, and we expect to see lots of innovation in this area. Secondly it states that 3DS-2 does not support inherence as none of the data points being gathered relate to biological or behavioural biometrics but – and we view this as important – 3DS-2 is a valid means of supporting SCA.

This is critical because the dynamic linking process behind 3DS-2 is not straightforward and there have been differences of opinion over whether this is compliant. Given that 3DS-2 appears to be the only game in town for CNP transactions having a statement that it’s OK is mighty important.

On possession, the EBA clarifies that OTP SMS is valid and also that mobile app based approaches can be – but only if the app is linked to the device. We’ve been arguing that this is obviously the case for a while, so it’s good to see this confirmed: although there are going to be a few app developers out there that need to revise their approaches pdq (we can help, of course!).

Also on possession the EBA has stated something that really should have been obvious to anyone taking more than a moderate interest in the topic – printed card details such as PAN and CVV or user ids and email addresses are not valid possession or knowledge elements. As a number of prominent industry players have been taking the opposite approach this could lead to some interesting developments in the coming weeks, particularly as the Opinion states that if the CVV is not printed on the card and is instead sent on a separate channel, then it is a valid knowledge element.

Overall, the analysis and discussion in the Opinion on valid SCA elements is welcome, if a trifle tardy. To be fair to the EBA, we don’t see anything in their analysis that a proper reading of the RTS wouldn’t have produced. However, it’s been clear for some time that many industry players have been making a highly liberal interpretation of the requirements usually based on a legal opinion. But PSD2 and the RTS are about principles, not rules: if you need advice on this you need to talk to the people who understand this stuff. Which, by the way, is us, not law firms.

The EBA blinks first …

EDIT: since posting this blog the UK’s FCA has confirmed our expectation that it won’t be enforcing SCA on the 14th September as long as the participants are aiming to comply with a soon to be announced migration plan. In the meantime it’s “working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible”.  See: https://www.fca.org.uk/news/statements/fca-response-european-banking-authority%E2%80%99s-opinion-strong-customer-authentication

The doom-laden headlines appearing in the press have, it seems, worked and the EBA has decided to replace the 14th September deadline for the introduction of SCA with … another deadline. Only they won’t tell us what it is, presumably we have to figure it out for ourselves.  

So, let’s see what the EBA has done now …

Firstly, they haven’t actually changed the date as they can’t, it’s written into EU law. But given dire warnings of a collapse in online payments they’ve come up with a fudge:

The EBA therefore accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, CAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.

https://eba.europa.eu/documents/

Let’s summarise that. National regulators – competent authorities (CAs) – may work with PSPs (Issuing and Acquiring banks) and unregulated actors (merchants, consumers) to agree to delay the introduction of SCA. Which presumably means unprepared merchants and confused consumers are breathing a sigh of relief. Unfortunately, as this is now in the hands of local regulators there’s no guarantee at all that this will be applied evenly, opening up the possibility that some countries will enforce and others (notably the UK and France) will not.

On top of that, there’s no guarantee that Issuers won’t apply SCA anyway, even if their local regulator permits them to not do so. So merchants who are unprepared may still find themselves suffering random declines. And, furthermore, if Acquirers haven’t implemented the necessary changes then even if the merchants are compliant they may still have transactions irrevocably declined.

Note also the “limited additional time” clause. Frankly, introducing SCA prior to the critical holiday shopping period was foolish anyway (but was an unintended consequence of the 18 month implementation period following the adoption of the RTS), so we can assume that the date will be pushed out at least into early or mid 2020. The EBA adds (but not in the actual Opinion):

In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.

And that’s the catch:

This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their CA, and execute the plan in an expedited manner. CAs should monitor the execution of these plans to ensure swift compliance with the PSD2 and the EBA’s technical standards and to achieve consistency of authentication approaches across the EU.

Basically, Issuers and Acquirers need to publish what they’re going to do including how they’re going to communicate the requirements to consumers and merchants respectively. Quite how this is all going to be co-ordinated is unclear – no sensible merchant is going to disadvantage themselves by unilaterally turning on SCA when its competitors aren’t. Issuers may take the same approach, as they probably don’t want their cardholders switching to other banks: but there’s no requirement on them to do so.

The rest of the opinion focuses on the validity of various authentication factors. That’s interesting too, but we’ll look at the implications of it another day.

The one thing this does allow is for 3DS-2.2 to be made ready. That’s an advantage to smart merchants who can at least develop a proper, low friction SCA strategy. In the meantime, we’re looking forward to getting involved in lots of migration planning.

Friday the 13th: PSD2 SCA Cometh

On Friday 13th September this year, the full force of PSD2 Strong Customer Authentication (SCA) comes into force. Anecdotally the lack of readiness of the card payment industry is beginning to suggest that the immediate impact may well look like the aftermath of a dinner party hosted by Jason Voorhees.

To summarise: after 13th September 2019 (yes, that’s in just over 3 months) account holding banks must require two factor authentication compliant with PSD2 SCA on all electronic payments, including all remote card payments, unless an applicable exemption is triggered. There are no exceptions allowed to this, there is no concept of merchants choosing to take liability and avoiding SCA. In the event that a merchant attempts a transaction without SCA and the issuing bank determines that no exemption applies or that there is significant risk associated with the payment the bank must decline and request the merchant to perform a step-up authentication.

Currently, the only real option open to merchants for performing SCA for online card payments is 3DS. To support all of the PSD2 exemptions – which are needed to provide a near frictionless payment experience – the very latest version, 3DS2.2, must be used. As it stands, however, 3DS2.2 will not be ready, so the initial implementation of this will be sub-optimal.

So, come 14th September this year what will happen?

Figures are hard to come by, but within Europe we believe that 75% of merchants don’t implement 3DS today. We also believe that about a fifth of large issuers are taking a hard line in order to be compliant with the regulations and will decline all non-3DS transactions. Even where the issuer is taking a more subtle approach they will request step-up SCA on somewhere between 1 in 5 and 1 in 10 transactions.  On top of this, if the merchant does not support 3DS and the issuer authorises anyway any fraud is the merchant’s responsibility: for non-complying merchants this is a lose-lose-lose proposition.

Given this woeful state of preparedness there’s some industry hope that the regulators may take a relaxed view of compliance come September. Certainly there are representations being made in Brussels, but we think it’s unlikely there’ll be any relief from that direction: (1) the migration date is written into law, national regulators cannot alter it and (2) many issuers will implement PSD2 fully regardless of any softening of the implementation. We suspect that there may be some movement from national regulators since the alternative may be unthinkable, but travelling hopefully doesn’t look like much of a strategy, especially if you’re an e-com retailer or PSP.

Going forward there are a wide range of solutions being developed which will mitigate the impact of SCA on cardholders. Ultimately 3DS is not the only solution, but it is the only pervasive one and it certainly is the only one available in the current time frames.

What can merchants do to avoid carnage in September? Well, as a matter of urgency they need to engage with their PSPs to ensure that they’re capable of supporting 3DS. Given that there’s likely to be a last minute rush the earlier this happens the better. Secondly, to meet 3DS requirements they need to be capturing a range of customer data to feed into the underlying risk management processes (which, of course, needs to be GDPR compliant). And finally, they need to be working on a proper PSD2 SCA strategy that ensures, going forward, that they can minimise the impact on their customers, provide the minimum friction in the payments process and maximise transaction completion.

Here at Chyp we’ve spent the last two years helping Issuers, Schemes, Acquirers, PSPs and merchants prepare – so although the impact across the payments industry may be patchy, we know there will be winners as well as losers. If the worst case comes to pass then the only merchants likely to escape the bloodbath come September are those taking action now. And there’s unlikely to be any downside to immediate action – PSD2 has been in the works for over five years, the SCA implementation date has been known for over a year, and there’s little indication that the European Commission intends to undo or loosen the regulations.

Friday 13th is coming, best make sure you’re prepared …


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.