Leveraging the payment networks for immunity passports

COVID-19

As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.

I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?

It is no longer unusual for a company in the City to regularly test its employees before allowing them to work in their offices and support the additional costs of their commute avoiding public transport.

Billions are being invested in vaccine research and tests to confirm that we have the antibodies to protect us and those with whom we interact. But will that be sufficient? Will it allow you to visit your relatives in the care home, sit inside your favorite restaurant, work in close proximity to your colleagues and/or travel without the need to quarantine for 14 days when you arrive and/or return?

Experience would suggest that over the next year or so a variety of vaccinations and tests will be released, which will work to a greater or lesser extent. The question will be: ‘is the vaccination, or test, recognized by the venue (and their insurers), or country, which you are trying to enter?’

For some organizations, the fact that the COVID-19 tracing application on your phone turns green, will be sufficient. Others will only recognize specific vaccinations and tests and will want to check that the immunizations are still valid. Both will be concerned by the availability of fake immunity certificates. Thus, in parallel with the medical developments, we have to implement a robust and efficient method of sharing and remotely validating the immunity certificates or passports that they will deliver.

Those of us who regularly travel in North Africa and South America are used to handing over our yellow International Certificate of Vaccination or Prophylaxis (ICVP), with our passport, to prove that we had yellow fever vaccine. This program, which is governed by International Health Regulations, could provide the governance framework for the operation of the COVID-19 immunity passports.

Over the last few months, Consult Hyperion has proven that the contactless payment networks, which allow you to use your credit or debit card anywhere in the world, can also be used to share and remotely validate your COVID-19 immunity passport.

Our idea is that anywhere you can use your payment card you can also validate that you have the required immunity to enter the building or country. As with your payment transaction, an organization can choose whether or not to accept your immunity passport based on the:

  • Issuer of the immunity passport
  • Vaccinations and/or tests administered
  • Date when the vaccinations and/or tests were administered
  • Potential that the passport is a fake or you are not the genuine passport holder

If required, the organization can also revert to the issuer of the immunity passport to check there and then that your passport is still valid.

The consumer experience delivered by the immunity passport is similar to that of a contactless, Apple Pay or Google Pay transaction. The immunity passport is stored in a secure application in your smartphone or biometric smartcard. When asked to prove your Immunity Status you use your fingerprint to authenticate yourself to your phone/card and then touch your phone/card to a contactless reader. An application on the reader validates your immunity passport and passes only the required information to the restaurateur, owner of the care home or office or border control officer.

From the international community’s perspective, the payment infrastructure over which the immunity passports are shared and remotely validated is in place, proven and robust. It is supported by a raft of rules administered by PCI, which protect the security of personal information, at rest and in flight, within the system. There is an active marketplace for cheap, certified readers, operating secure protocols, which offer Contact Free validation of the immunity passport away from the classical point of sale locations. These include mPOS and SoftPOS solutions which allow a standard mobile phone to be used as a contactless payment terminal, and ruggedized terminals used to validate tickets in high traffic areas, such as the entrance to sports arenas and concert venues.

While the world waits to see if the science supports the ability to establish immunity to COVID-19, and society works through the implications of immune people being able to avoid restrictions which apply to others, we technologists need to prepare the infrastructure that will allow people to share and validate immunity passports.

One of the things I love about working at Consult Hyperion is that we regularly come up with, and deliver, ideas that significantly impact people’s lives – contact and contactless payment cards (worldwide), M-PESA (Kenya), Open Loop Transit Ticketing (London) and more recently SoftPOS (London), just to mention a few. Something tells me that immunity passports will be the next. If you are interested and would like to help deliver the network that will allow life to return to something close to ‘old normal’, please let me know.

No Delay to SCA

Since the FCA announced a further 6 month delay in the UK’s deadline for Strong Customer Authentication there’s been a general expectation that the EBA would follow suit and relax the date for the EEA. However, it now appears that won’t happen – the 31st December 2020 remains the key date and there won’t be any further relaxation in the rules.

This hasn’t been officially announced but appears to have been the gist of a letter by the European Commission’s Executive Vice President Valdis Dombrovskis which makes clear that there’s no consideration in place for a delay and that, in the Commission’s view, the Coronavirus pandemic and the subsequent rise in e-commerce makes it more urgent to implement rather than less. It looks like the Commission is not for turning and with only a little over six months left to be prepared any merchant or payment service provider than hasn’t been planning for this is likely to be in full panic mode.

At one level it’s hard to disagree with the Commission’s position – the deadline has been shifted already from last September in order to accommodate the industry’s inability to implement in time. Although, in fairness, it ought to be noted that original requirements require a degree in semiotics to fully understand and clarifications have been fitful and, on occasion, too late. However, there’s a degree of real-world pragmatism missing from the decision – the last thing the European economy needs right now is an e-commerce cliff edge right in the middle of the busiest shopping period of the year.

The divergence between the UK and Europe also starts to raise some interesting questions. PSD2 applies to countries within the EEA and not to transactions starting or finishing outside – and as of January 1st 2021 the UK will be fully outside. PSD2 will apply within the EEA ex-UK and within the UK ex-Europe but, barring some kind of passporting agreement, not between them. One option for desperate European e-tailers may be to shift operations to the UK where the SCA deadline is a further 9 months away. Of course, the same applies in reverse: logically there ought to be a compromise, but those seem thin on the ground.

Overall, then, the message to all organisations involved in electronic payments is to assume that SCA will be  enforced from January 1st next year and any firm that can’t support it should expect to see transactions declined. Merchants and PSPs may choose or may not be able to handle SCA but issuers will be ready and won’t want to be upsetting the regulators. For any companies out there that don’t know what to do come and talk to us, we can help guide you through the process – first by helping ensure you’re compliant and then by addressing the additional friction that SCA will introduce.

It isn’t too late to do something about SCA but it does very much look like we are at the eleventh hour.

Paying for food

It feels strange to be writing about paying for food, one of the basic skills we learn in early childhood. However, these are exceptional times, when the basic notion of how we pay is being challenged. It seems we are now considering the different options for paying safely when physical contact must be kept to a minimum.

Consult Hyperion has been alerted to many requests for advice from community groups who normally rely on cash payments, so in response we have drawn up some guiding principles:

1. Maintain good practice: be aware of the vulnerability, both real and perceived, of people unable to leave their homes. Asking them to do things differently risks increasing anxiety and leaving them open to fraud.

2. Keep it simple: work with payments options people already use, and those they are familiar with. The large spike in phishing attacks over the past month highlights scammers’ eagerness to abuse this situation.

3. Maintain records: clear and consistent transaction logging is essential to protect both organisers and the people they are helping. Keep invoices for tracking and reconciliation purposes.

4. Work with existing networks: local authorities, housing associations, care providers, charities, community groups, faith groups, even village shops. The mix will vary according to the community.

5. Only allow demonstrably trustworthy individuals to handle payments: the list of people permitted to countersign passport applications could be a good starting point, but each community is different. Trust is vital in payments.

6. Keep payments and shopping separate: older readers will remember having an account with their local shop and having items added to their tally, paying the bill weekly or monthly.

7. School meals provide a good example: cards (or biometrics) are used to ensure all students have equal access to food, without the stigma attached with free school meals. Food is still served, even if the system has technical issues.

8. Take the time to discuss people’s preferences over the phone: The person receiving the shopping doesn’t have to be the person who pays. Be creative in encouraging people to contribute a little extra, or allow friends and family to pay on their behalf.

When organising payments, only use options people already have. This is not the time for a stressful sign-up process. In order of preference:

Online – PayPal, Bank Transfer, Pingit

With any new online payment, if there is a level of trust through an existing relationship, ask the account holder to send a small sum of 1p or 10p to the intended account, to check that it does arrive in the right place.

PayPal: convenient if you already have an account. Allows you to choose different sources of funds to transfer. Can be used for paying individuals as well as organisations. Includes a degree of protection.

Bank transfer (frequently referred to as Faster Payments): Despite communication from many of our banks, the full roll out of Confirmation of Payee is delayed. There is uncertainty over whether the money will arrive in the right place, so test initially with small amounts. It is irreversible. It can be performed easily via internet banking if you have the capability. Telephone banking is currently overloaded.

Some apps enable an invoice with bank details to be presented through a link to web page. This is better than simply sending requests for payments within an email, as fraudsters can’t just intercept the email and change the recipient details. It requires more effort to set up a fraud and is more likely to get spotted.

Pingit: Less widespread but convenient person-to-person payments which can be sent to a mobile number.

Contactless at the door

Using a portable reader from companies like iZettle, SumUp and Square. Apple Pay and Google Pay are good options as they allow higher value payments without the need to touch the device, if people already have the capability. Appropriate distancing must be observed.

Cheques

The householder only has to part with a single piece of paper and does not have to receive change. Cheques will have to be paid in and take a while to clear but there is very little risk of the householder absconding.

Cash

People are encouraged to avoid handling cash and avoid touching ATMs. Keeping cash in the home makes people more vulnerable. However, some people rely on cash. Where change is to be given, this should be arranged in advance and put in an envelope.

These are extraordinary times, which force us to look differently at the way we pay. Consult Hyperion have been enabling secure payments for over 30 years and we are able to apply our own Structured Risk Analysis process to understand the threats and possible countermeasures in every situation. These threats normally relate to the security of systems but in this case also encompass the risk of infection and people being left without essential supplies.

Finally

If you are reading this from home and need help, try phoning your local shop. If they are not organising deliveries themselves, they may well be aware of groups who are. Many local stores and community groups are providing help to these who need it, providing a much needed service. Get in touch with your local group.

Raising contactless limits to allow more paying without the PIN

In these extraordinary times with the need for social distancing, the payments industry is raising the contactless limits across many countries in order to prevent the need to touch PIN Pads in order to pay for our essential supermarket and pharmacy shopping.  Indeed, such is the concern over the use of cash that contactless payments are being actively encouraged over cash, with some countries, notably China and Russia[1] now requiring that cash is sanitised before it is allowed back into circulation.

The Dutch Payment Association[2] has moved to double their contactless CVM limit from €50 to €100, similar increases are being introduced by Poland; Norway; Canada; Turkey etc.  Yesterday the British Retail Consortium[3] announced that the UK too will raise its contactless limit from £30 to £45 on the 1st April.

So why do we need to wait a week? What does it mean? What are the alternatives?

First let us explain how contactless limits work and understand the difference between contactless payments in the UK compared to most other countries.  Contactless payment terminals have 3 limits:

  • Floor Limit
  • CVM Limit
  • Transaction Limit

The Floor Limit determines if the transaction should be sent online to the Issuing bank for authorisation. In the UK the contactless floor limit has been set at £0 for some time, ensuring all transactions are sent online, preventing spend from any cards that have been reported lost or stolen.

The CVM Limit is the one which is being changed on the 1st April. Above the CVM Limit a transaction requires a cardholder PIN or biometric authentication in order to be approved, which generally means a Chip & PIN transaction is needed. We are now seeing the introduction of some biometric contactless cards, but there are very few of them in the market today. By raising the CVM limit to £45 any contactless transactions below this will be sent to the Issuer for authorisation, which should result in the need to touch the POS less by reducing the number of Chip & PIN transactions.

The Transaction Limit is the maximum value that is allowed for any contactless transaction at that Merchant. This has been badly handled in the past, creating different customer experiences at different merchants. Ideally the contactless Transaction Limit should be the same as the Chip and PIN transaction limit. This then allows a contactless transaction carried out using a mobile phone, with Apple Pay or Google Pay, to be treated in the same way as Chip & PIN transactions. In the coming weeks, most payments will be made at Supermarkets, and whilst the raising of the limit to £45 will enable a higher number of contactless transactions, a large family shop will exceed £45. To be able to Pay without PIN, people should enable their cards in Apple Pay or Google Pay, this will allow them to Pay by contactless no matter the transaction amount.

In the UK, the Transaction Limit has not been uniformly implemented, in some merchants it is set to the same as the CVM Limit, meaning contactless can only happen below £30. The result has been confusion over when Apple Pay and Google Pay transactions will work and when you need to perform Chip & PIN.  POS providers and merchants need to take the opportunity of this limit change to test their systems to ensure that both the CVM Limit and the Transaction Limit are set appropriately to provide the maximum opportunity to pay by contactless.

As my fellow Principal Consultant Tim Richards points out in our video blog, other countries are using mobile apps to prevent the need for PIN – completely “Contact Free” transactions. We don’t have that capability in the UK yet, Apple Pay and Google Pay being the best options for now. We expect this to change as Open Banking progresses and payments without the need for PIN become more common.

Consult Hyperion have extensive experience in contactless and “Contact Free” payments and testing,  we will be able to help organisations ensure they optimise their payments capability to meet the needs of their customers, get in touch for more information on how we can help.

In the meantime, to avoid PIN Pads, shop below £45 or ensure Apple Pay or Google Pay is working on your mobile device, and stay safe.


[1] https://www.finextra.com/newsarticle/35509/russian-banks-act-to-decontaminate-cash?utm_medium=newsflash&utm_source=2020-3-24&member=56902

[2] https://www.finextra.com/newsarticle/35493/dutch-banks-raise-contactless-limits-for-pin-entry

[3] https://www.theguardian.com/money/2020/mar/24/limit-for-contactless-spending-to-rise-to-45-at-beginning-of-april


KYC at a distance

We live in interesting times. Whatever you think about the Coronavirus situation, social distancing will test our ability to rely on digital services. And one place where digital services continue to struggle is onboarding – establishing who your customer is in the first place.  

One of the main reasons for this, is that regulated industries such as financial services are required to perform strict “know your customer” checks when onboarding customers and risk substantial fines in the event of compliance failings. Understandably then, financial service providers need to be cautious in adopting new technology, especially where the risks are not well understood or where regulators are yet to give clear guidance.

Fortunately, a lot of work is being done. This includes the development of new identification solutions and an increasing recognition that this is a problem that needs to be solved.

The Paypers has recently published its “Digital Onboarding and KYC Report 2020”. It is packed full of insights into developments in this space, features several Consult Hyperion friends and is well worth a look.

You can download the report here: https://thepaypers.com/reports/digital-onboarding-and-kyc-report-2020

Fraudsters target loyalty schemes for easier gains

It has become practically impossible to keep up with the number of loyalty-related security breaches. In today’s edition of “Who Got Hit?”, we read that Tesco is sending security warnings to 600,000 Tesco Clubcard loyalty members following fraudulent activities[1]. The breach is suspected to be attackers trying to ‘brute-force’ their way into the loyalty system, using stolen credentials, potentially from a different breach. In recent years, fraud associated with loyalty has been on the rise. According to a 2019 report by Forter was an 89% increase in loyalty related fraud, from the previous year.

Perhaps one explanation for such a rise is that the payment industry has become increasingly effective in securing the payment infrastructure and making it harder for criminals to steal money. Additionally, the amount of value sitting in customer loyalty accounts continues to rise. For example, Starbucks has over $1.6 billion of unspent value in customer’s loyalty card and wallet accounts. Such trends are increasingly turning criminals’ focus to ‘softer’ targets such as loyalty schemes, taking advantage of weaker security of the systems to steal this value which can be converted into goods if not redeemed as actual cash.

Loyalty fraudsters can loosely be categorised, based on their motivations, technical expertise and level of access to the loyalty systems and processes. The table below outlines such categorisation:


Strong Passwords are no Panacea!

Security experts often suggest implementing stronger security features such as multifactor-authentication and the use of strong passwords to protect loyalty schemes. These are welcome suggestions; it is however not always realistic to implement expensive countermeasures just to protect loyalty points. A holistic approach to securing the systems and reducing frauds is required in order to enforce the security controls on customers and fraudsters alike.

Colleagues at Consult Hyperion have called for a closer alignment between Payment and Loyalty for years now. Card (and mobile) payments are a mature technology with relatively acceptable levels of security which has been proven over numerous decades. A seamless way of integrating loyalty into payments would allow loyalty schemes take advantage of the robustness of the payment schemes. Despite clear benefits, such integration has been limited, perhaps due to the associated costs to the merchant or the inconvenience to the customer. But a lot is changing in the world of customer authentication. Recent advances such as FIDO 2 and 3D-Secure 2.0, will allow strong customer authentication to be achieved within various contexts (including loyalty!), while maintaining a positive customer experience.

Within Consult Hyperion, our subject matter experts bring a deep understanding of the relevant payments technologies, as well as decades of experience in assessing and designing secure systems. If you would like to know more, feel free to give us a call.

More detail can be found here

Transport Ticketing Global 2020

We were at TTGlobal (28-29 Jan 2020) this year for the fifth year running. It was a much bigger event in Kensington Olympia, London, with around 30% more attendees. This blog is a summary of how the two days went for us.

Day 1

The Plenary session had a surprise guest in the form of the Future of Transport Minister, George Freeman. He spoke eloquently about subjects very close to our hearts:

  • Seamless end-to-end ticketing
  • Integrated PAYG
  • Sustainability: he explained that the emissions of the transport sector are expected to double by 2050 unless something radical is done.

I have written before about a shift in government thinking about mobility that seems to be taking place. Let’s hope this signals more of the same and is followed with positive, decisive action.

Our CEO, Neil McEvoy, moderated the plenary panel on ‘the role of ticketing and urban transport policies in delivering MaaS,’ with panellists from:

  • Visa
  • Mastercard
  • Government of the city of Buenos Aires, Argentina
  • Dallas Areas Rapid Transit, USA
  • Uber

It was felt that to meet public policy objectives on congestion, air quality and CO2 emissions, facilitating multi-modal, door-to-door, everyday journeys would be key. Facilitating journeys outside of a traveller’s home city or region is welcome but won’t meet wider goals alone.

Highlight of the rest of Day 1 included:

  • An update on the Future of Oyster from Transport for London. There are still no plans to turn it off, though the uptake of bank cards by the travelling public continues to rise steadily.
  • The Masabi presentation about Fare Payments as Service which was the subject of a recent podcast I made with Ben Whitaker.
  • Contactless bank card ticketing has come of age. There were lots of presentations about cEMV roll outs. Visa announced that they have solutions to the classic problems with bank cards (they don’t work for the unbanked or family groups). Contact them if you want to learn more.

Day 2

I moderated a panel about the future of ticketing technologies with panellists from:

  • Deutsche Bahn, Germany
  • GVB, Netherlands
  • The Human Chain, UK
  • Department for Transport, UK

We made a whistle-stop tour of up and coming technologies relevant to the different actors in the Mobility ecosystem, ranging from big data and augmented reality for Data Providers to Open Banking and distributed ledger technology for Maas Providers.

Other highlights for me from Day 2 included:

  • The UK’s Rail Delivery Group’s presentation on developing insight from barcode data, linking tickets sold with tickets scanned to inform revenue protection.
  • An update from Transport for the North on their Integrated and Smart Travel activities.
  • A presentation by MOTC about the difficulties faced by Qatar which currently is massively dependent on the private car and their plans to address the congestion problems they face.

Exhibition

I spent most of my time in the exhibition hall talking with contacts and vendors. I wish there had been time to attend more of the presentations.

I took the opportunity to record another podcast while at the event. This time with Eric Reese, CEO of ByteMark over from New York.

Awards

Once again, I was delighted to be one of the panel of judges for the awards presented at the Gala Dinner and Awards held at the Science Museum and hosted by comedian Phil Wang. It was decided by the judges to introduce a Highly Commended tier this year within each award category. This is in recognition that the standard or submissions was generally high. So, while Moscow won the Best Smart Ticketing Programme 2020, both of the following were Highly Commended:

  • Flowbird Transport Intelligence & Lothian Buses for their smooth role out of contactless payments card acceptance in Edinburgh in time for the Edinburgh Festival dramatic rise in population and bus usage;
  • Rail Delivery Group & Cubic Transportation Systems for the delivery of barcode ticketing under budget and achieving collaboration between 19 Train Operating Companies.

Overall, the event was a great success and great fun to be part of. Here’s to next year.

At Consult Hyperion we have experience globally with transport and mobile ticketing and deploying the latest technologies. If you would like to learn more, give us a call.

Consult Hyperion’s Live 5 for 2020

At Consult Hyperion we take a certain amount of enjoyment looking back over some of our most interesting projects around the world over the previous year or so, wrapping up thoughts on what we’re hearing in the market and spending some time thinking about the future. Each year we consolidate the themes and bring together our Live Five.

2020 is upon us and so it’s time for some more future gazing! Now, as in previous years, how can you pay any attention to our prognostications without first reviewing our previous attempts? In 2017 we highlighted regtech and PSD2, 2018 was open banking and conversational commerce, and for 2019 it was secure customer authentication and digital wallets — so we’re a pretty good weathervane for the secure transactions’ world! Now, let’s turn to what we see for this coming year.

Hello 2020

Our Live Five has once again been put together with particular regard to the views of our clients. They are telling us that over the next 12 months retailers, banks, regulators and their suppliers will focus on privacy as a proposition, customer intimacy driven by hyper-personalisation and personalized payment options, underpinned by a focus on cyber-resilience. In the background, they want to do what they can to reduce their impact on the global environment. For our transit clients, there will be a particular focus on bringing these threads together to reduce congestion through flexible fare collection.

So here we go…

1. This year will see privacy as a consumer proposition. This is an easy prediction to make, because serious players are going to push it. We already see this happening with “Sign in with Apple” and more services in this mould are sure to follow. Until quite recently privacy was a hygiene factor that belonged in the “back office”. But with increasing industry and consumer concerns about privacy, regulatory drivers such as GDPR and the potential for a backlash against services that are seen to abuse personal data, privacy will be an integral part of new services. As part of this we expect to see organisations that collect large amounts of personal data looking at ways to monetise this trend by shifting to attribute exchange and anonymised data analytics. Banks are an obvious candidate for this type of innovation, but not the only one – one of our biggest privacy projects is for a mass transit operator, concerned by the amount of additional personal information they are able to collect on travellers as they migrate towards the acceptance of contactless payment cards at the faregate.

2. Underpinning all of this is the urgent need to address cyber-resilience. Not a week goes by without news of some breach or failure by a major organisation putting consumer data and transactions at risk. With the advent of data protection regulations such as GDPR, these issues are major threats to the stability and profitability of companies in all sectors. The first step to addressing this is to identify the threats and vulnerabilities in existing systems before deciding how and where to invest in countermeasures.

Our Structured Risk Analysis (SRA) process is designed to help our customers through this process to ensure that they are prepared for the potential issues that could undermine their businesses.

3. Privacy and Open Data, if correctly implemented and trusted by the consumer, will facilitate the hyper-personalisation of services, which in turn will drive customer intimacy. Many of us are familiar with Google telling us how long it will take us to get home, or to the gym, as we leave the office. Fewer of us will have experienced the pleasure of being pushed new financing options by the first round of Open Banking Fintechs, aimed at helping entrepreneurs to better manage their start-up’s finances.

We have already demonstrated to our clients that it is possible to use new technology in interesting ways to deliver hyper-personalisation in a privacy-enhancing way. Many of these depend on the standardization of Premium Open Banking API’s, i.e. API’s that extend the data shared by banks beyond that required by the regulators, into areas that can generate additional revenue for the bank. We expect to see the emergence of new lending and insurance services, linked to your current financial circumstances, at the point of service, similar to those provided by Klarna.

4. One particular area where personalisation will have immediate impact is giving consumers personalised payment options with new technologies being deployed, such as EMV’s Secure Remote Commerce (SRC) and W3C’s payment request API. Today, most payment solutions are based around payment cards but increasingly we will see direct to account (D2A) payment options such as the PSD2 payment APIs. Cards themselves will increasingly disappear to be replaced by tokenized equivalents which can be deployed with enhanced security to a wide range of form factors – watches, smartphones, IoT devices, etc. The availability of D2A and tokenized solutions will vastly expand the range of payment options available to consumers who will be able to choose the option most suitable for them in specific circumstances. Increasingly we expect to see the awkwardness and friction of the end of purchase payment disappear, as consumers select the payment methods that offer them the maximum convenience for the maximum reward. Real-time, cross-border settlement will power the ability to make many of our commerce transactions completely transparent. Many merchants are confused by the plethora of new payment services and are uncertain about which will bring them more customers and therefore which they should support. Traditionally they have turned to the processors for such advice, but mergers in this field are not necessarily leading to clear direction.

We know how to strategise, design and implement the new payment options to deliver value to all of the stakeholders and our track record in helping global clients to deliver population-scale solutions is a testament to our expertise and experience in this field.

5. In the transit sector, we can see how all of the issues come together. New pay-as-you-go systems based upon cards continue to rollout around the world. The leading edge of Automated Fare Collection (AFC) is however advancing. How a traveller chooses to identify himself, and how he chooses to pay are, in principle, different decisions and we expect to see more flexibility. Reducing congestion and improving air quality are of concern globally; best addressed by providing door-to-door journeys without reliance on private internal combustion engines. This will only prove popular when ultra-convenient. That means that payment for a whole journey (or collection or journeys) involving, say, bike/ride share, tram and train, must be frictionless and support the young, old and in-between alike.

Moving people on to public transport by making it simple and convenient to pay is how we will help people to take practical steps towards sustainability.

So, there we go. Privacy-enhanced resilient infrastructure will deliver hyper-personalisation and give customers more safe payment choices. AFC will use this infrastructure to both deliver value and help the environment to the great benefit of all of us. It’s an exciting year ahead in our field!



Ultra Wideband Payments

It didn’t get much of a fanfare, but the new iPhones have an interesting new technology in them. It’s called Ultra Wideband, or UWB, and it’s in the iPhone 11, iPhone 11 Pro and iPhone 11 Pro Max. It’s a technology used for some very interesting location-based applications. To give just one example, NFL players have UWB transmitters in each shoulder pad, part of broadcast technology used for instant replay animations. A football’s location is updated 2,000 times per second.

Anyway, it’s in my iPhone now and it will be showing up in Android phones later this year. If you look on the Apple web site, you’ll see the arrival of UWB confirmed with the interesting caveat that “availability varies by region”.

(The reason for this is that UWB is subject to national regulatory requirements that require it to be turned off in certain locations such as, to give one example, Vietnam.)

It’s not really a new technology as it’s been around for ages. The spectrum was opened up for commercial use in 2005 by the FCC for pulse-based transmission in the 3.1 to 10.6 GHz range and the IEEE (Institute of Electrical and Electronic Engineers) standard on UWB (802.15.4) came out more than a decade ago. The idea behind it was to send data by transmitting short, low-power radio pulses across a wide spectrum (the channels are ten times wider than the channels used for wifi). The data is encoded so that each bit is spread 32-128 of the nanosecond radio pulses so that you can send lots of data (say 10Mb/s) with little interference.

UWB was one of a family of wireless protocols, along with Bluetooth, ZigBee and WiFi, intended for short-range wireless communications with low power consumption. Back in the day it was assumed that, broadly speaking, Bluetooth was for a cordless keyboards and hands-free headset, ZigBee was for monitoring and control networks, while Wi-Fi was for computer-to-computer connections to substitute for wired networks and UWB was for high-bandwidth multimedia link. It never really caught on though. WiFi worked well enough and got faster, it got built in to laptops and phones and together with Bluetooth seemed to take care of most applications.

But then came the pivot.

It turned out that people found another use for UWB, because these nanosecond radio pulses have an interesting characteristic. They allow you to determine location with great accuracy. The short bursts of signals with their sharp rises and drops mean that the signal start and stop are inherently easier to measure than for wifi or Bluetooth transmissions. This means that the distance between two UWB devices can be measured precisely by measuring the time that it takes for a radio wave to pass between the two devices. It delivers much more precise distance measurement than signal-strength estimation and, what’s more, UWB signals maintain their integrity in the presence of noise and multi-path effects.

All of which means that with UWB it is possible to measure the time it takes the signal to travel from transmitter to receiver and calculate the distance in centimetres, giving much better distance information than determining distance based iBeacons and such like. Apps can therefore receive precise location data and location updates can be delivered every 100 ms if necessary. So UWB-equipped devices can determine the precise location of another UWB device and know whether it’s stationary, approaching or receding. For example, a UWB-enabled system can sense if you’re moving toward a locked door and it can know if you’re on the inside or outside of the doorway, to determine if the lock should remain closed or open when you reach a certain point.

So if you have a UWB phone and a UWB tag of some kind, then the phone can work out where the tag is. Now, I already use something like this, because I’m a big fan of Tile. If you haven’t used Tile, it’s an app on your phone that can locate Bluetooth tags. You buy these tags and then attach them to things (I’ve got one on my keys, one in my wallet and one in my notebook) so that you can find them. I can’t tell you how many times — maybe this is something to do with age — that I’ve misplaced my keys and saved hours of searching around the house by using the app.

Anyway, for the moment Apple only uses UWB to connect its own devices but there are standardisation efforts underway to interconnect devices from different manufacturers. An example use case (where Apple already has patents) is for keyless car unlocking.

(Apple is a charter member of the Car Connectivity Consortium, which created the Digital Key Release 1.0 specification in 2018.)

So why am I telling you about UWB now? Well, it’s because it has started to make inroads into the world of payments. In Japan, NTT Docomo has teamed up with Sony and NXP Semiconductors (their UWB chipset was announced last September) to trial technology that lets shoppers make NFC payments without having to take their phones out of their pockets. They are using UWB to follow user movement and positioning with location accuracy of a few centimetres

Pretty cool stuff! So if you are thinking about a fun payments skunkworks project, you might do worse than have a look at what UWB can do to transform your customers’ experiences at point-of-sale and then ask the Hyperlab team at Consult Hyperion to help you to put something together.

MaaS Solutions Using Mobile Wallets

I was delighted to have the opening speech at the Transport Card Forum (TCF) in London in which I talked about Mobile Wallets. At the previous meeting there was a presentation about mobile ticketing and a member of the audience asked why there was no mention of the use of mobile wallets. I tended to agree since most of our mobile ticketing projects have been about clever ways of using mobile wallets to get around the technical barriers associated with barcodes, HCE and the like.

There is a problem which Transport Scotland have termed the “Glasgow Conundrum”. Within one city or region, a passenger door-to-door journey might consist of several legs and each of these legs might be services by a different transport operator. Each operator might use a different ticketing technology and accept payments in different limited ways. From a customer point of view, it stinks; integration is what they need. But it is clear that there are two distinct questions:

  1. 1. How can the customer pay for travel rights?
  2. 2. How can the customer prove they own travel rights when travelling?

Payments

Ideally the payment mechanism would be decoupled from the type of travel rights and the transport operator. MaaS Providers should be free to accept payments from whatever means suit the customers. If you are interested in this aspect of things, download our white paper: MaaS Payments, a billion dollar opportunity. The download includes a discount code for Transport Ticketing Global 2020 where I will be chairing a panel again in January and judging the awards entrants.

Travel rights

The multiple legs that make up the end-to-end journey might be thought of as what the rail industry called ‘split ticketing’. Rather than having a single ticket, you can buy single tickets for each part of the journey and sometime (usually where Train Operator boundaries are crossed) this can work out cheaper. Mobile apps are very good at hiding this sort of complexity from the passenger and one can imagine that, using geolocation services, the app can decide which ticket should be presented when in order to sail through the gates and turnstiles. And all the split tickets could be stored in the mobile wallets.

Meanwhile, the sales of tickets are diminishing as the areas offering Pay As You Go (PAYG) continue to expand. Project ‘Oval’ round London is seeing the imminent expansion of PAYG contactless bank cards as far as Reading on the new Elizabeth Line from January 2020. For various reasons, Oyster will not be able to be used as far out. So, once again we are seeing contactless bank card technology reaching further than Oyster. There are government plans (election permitting) to add hundreds more rail stations to the TfL PAYG scheme.

London is not the only game in town, and we see other PAYG schemes around the UK. The continued expansion of PAYG represents improved customer experience but is not great news for retailers of travel rights unless they can find a way to sell PAYG and make a profit.

If the PAYG area accepts contactless bank cards (like London), then mobile wallets can be used to allow passengers to travel seamlessly in these areas. Citymapper launched a plastic prepaid Mastercard for this purpose for residents of London only in April 2019. It has recently become available as a virtual card using mobile wallets on both Android and Apple iOS devices. By contrast, the UK smart ticketing standards, ITSO, has partnered with Google and Google Pay wallet has been customised for ITSO so that now ITSO tickets can be loaded into the mobile wallets of Android phones only.

So, lots of choices. And the Glasgow Conundrum continues to some extent, though I can see MaaS Providers apps being able to hide this complexity if they get it right. I was very happy to recently have Ben Whitaker round at Chyp towers explaining Masabi’s take on automatic fare collection using mobile apps. We made a podcast about their Fare Payments as a Service and Ben’s views on where MaaS is going which I found very interesting.

At Consult Hyperion we have a lot of experience with smart ticketing, mobile ticketing and, in particular, mobile digital wallets. If you would like to learn more, give us a call.