Dominating the city centres in the next five years

On 25 January 2017, I moderated a panel discussion at Transport Ticketing Global 2017 entitled “which public transport technology solution will be dominating city centres in the next five years”.

On the morning of the event, I get together with the panellists to consider how the discussion might go. I start to think about my experience of the past as a proxy for the future. Past performance is no guarantee of the future, I know, but my mind races:

In the 1990s, things started to move from paper and plastic tokens to smart card-based solutions. ITSO was born. In 2005, we worked with ITSO and the DfT to assess the suitability of ITSO for a national travel e-purse. We were asked by the DfT to help develop Part 11 of the ITSO specification in order that ITSO could be made more suitable to an online world and not require every reader to contain an ISAM.

In 2005, we worked with DfT to help them understand how their planned new smart ID card and driving licence might be used to modernise life for citizens in the UK. In 2007 we worked with DVLA on their planned pilot of smart driving licences to be issued from their new production plant in Swansea. UK gov decided not to issue any smart driving licences.

In 2008 we worked with DfT to determine the benefits and costs of a national smart ticketing infrastructure. In the same year, we ran a trial of how ITSO tickets could be supported on the primitive NFC phones available at the time. Mobile was going to be the next big thing. Also in the same year, we started working with TfL on how Open Loop ticketing could be deployed across the whole of the London Oyster reader estate.

This was nine years ago. We worked with TfL for seven years on that project, from specification of the readers and revenue inspection devices to designing the end-to-end security.

In 2012, TfL launched Open Loop ticketing on buses. In 2017 (approximately five years later) we are seeing the large bus operators outside of London launching their Open Loop ticketing systems, as well as collaborating with Transport for the North on a multi-modal, multi-operator solution.

I’m back into the room. The panellists and I quickly agree that the answer to the panel discussion questions is, pretty much, that the same technology solutions that are dominating now will be dominating in five years’ time, because of the slow speed at which the industry moves. There is a lot of work going on under the surface, but it takes years to emerge. I am sure that Account-based ticketing is coming next and some of that will be Open Loop. Various operators across the globe are talking to us about this at present.

A final example: last year we conducted a study on beacons for Be-In Be-Out (BIBO) style transit ticketing. Our research showed that the industry has been looking at this since around 1997. There are still very few examples of it being successfully used, and yet it is still regularly cited as one of the next big things.

In April this year, Consult Hyperion is celebrating 20 years of annual Tomorrow’s Transactions conferences. I will be chairing a session on Transit ticketing on the second day about what is coming next. Confirmed speakers include:

Come and hear what they think is coming next. I expect we will have to look beyond five years.

The blockchain’s salad days

I’m not sure if you’re supposed to have a favourite supply chain fraud or not but I do, and it is the famous case of the vegetable oil that almost bankrupted American Express (and went some way toward making Warren Buffett a multi-billionaire). The essence of the story is that a conman, Anthony “Tino” De Angelis, discovered that people would lend him money on the basis of commodities in the supply chain. His chosen commodity was vegetable oil (see How The Salad Oil Swindle Of 1963 Nearly Crippled The NYSE). Amex had a division that made loans to businesses using inventories as collateral. They gave De Angelis financing for vegetable oil and he took the Amex receipts to a broker who discounted them for cash. So he had tanks of vegetable oil and Amex had loaned him money against the value of the oil in those tanks, the idea being that they would get the money back with a bit extra when the oil was sold on. Now as it happened, the tanks didn’t much contain oil at all. They were mostly water with a layer of oil on top so that when the inspectors opened the tanks and looked inside they saw oil and signed off whatever documentation was required. Eventually the whole scam blew up and nearly took Amex down, enabling the sage of Omaha to buy up their stock and make a fortune.

Fortunately for us and unfortunately for conmen like Tino, the supply chain is one of the many industries that the blockchain is going to disrupt. As my good friend Michael Casey and his co-author Pindar Wong explain in their recent Harvard Business Review piece on the topic (Global Supply Chains are about to get Better, Thanks to Blockchain in HBR, 13th March 2017), blockchain technology allows computers from different organisations to collaborate and validate entries in a blockchain. This removes the need for error-prone reconciliation between the different organisations’ internal records and therefore allows stakeholders better and timelier visibility of overall activity. The idea discussed in this HBR piece (and elsewhere) is that some combination of “smart contracts” and tagging and tracing will mean that supply chains become somehow more efficient and more cost-effective.

An aside. I put “smart contracts” in quotes because, of course, they are not actually contracts. Or smart. Bill Maurer and DuPont nailed this in their superb King’s Review article on Ledgers and Law in the Blockchain (22nd June 2015), where they note that smart contracts are not contracts at all but computer programs and so strictly speaking just an “automaticity” on the ledger. (Indeed, they go on to quote Ethereum architect Vitalik Buterin saying that “I now regret calling the objects in Ethereum ‘contracts’ as you’re meant to think of them as arbitrary programs and not smart contracts specifically”.) 

Using the blockchain and “smart contracts” sounds like an excellent idea and there’s no doubt that supply chain participants are taking this line of thinking pretty seriously. Foxconn (best known as the makers of the iPhone) are a recent case study. In March 2017 they demonstrated a blockchain prototype that they used to loan more than six million dollars to suppliers. I should note in passing that the article didn’t make it clear why they were using a blockchain (as opposed to any other form of shared ledger) or why they were using a shared ledger rather than a database but, like Merck and Walmart and many others, Foxconn is a serious business that sees promise in the technology so we should take the case study seriously.
 
While I was reading about Foxconn, and a couple of other related articles in connection with a project for a client, I started to wonder just how exactly would the supply chain industry be disrupted? How would the blockchain have fixed the salad oil problem? It’s very easy to think of a fancy fintech setup whereby smart contracts took care of passing money from the lender to the conman when the tanks were certified by the inspectors but as sceptical commentators (e.g., the redoubtable Steve Wilson of Lockstep) frequently point out, transactions using blockchain technology are only “trustless” insofar as they relate to assets on the blockchain itself. As soon as the blockchain has to be connected to some real-world asset, like vegetable oil, then it is inevitable that someone has to trust a third-party to make that connection.

Trusting these third parties can be a risk. Another of my favourite scandals (I have quite a few, I should have mentioned that) is the horsemeat scandal that swept Europe on the 50th anniversary of the salad oil scandal. Basically horsemeat was being mixed with beef in the supply chain and then sold on to the suppliers of major supermarkets in, for example, the UK. One of the traders involved was sentenced to jail for forging labels on 330 tonnes of meat as being 100% beef when they were not. Once again, I am curious to know how a blockchain would have helped the situation since the enterprising Eastern European equine entrepreneur would simply have digitally-signed that the consignment of donkey dongs were Polish dogs and no-one would have been any the wiser. It is not clear how a fintech solution based on blockchains and smart contracts would have helped, other than to make the frauds propagate more quickly.

The reason that I am interested in scandals like this one is that the tracking of food features as one of the main supply chain problems that advocates hope the blockchain will solve for us. Work is already under way in a number of areas. I understand that Walmart have carried out some sort of pilot with IBM to try to track pork from China to the US and another pilot was used to track tuna from Indonesia all the way to the US. But if someone has signed a certificate to say that the ethically-reared pork is actually tuna, or whatever, how is the shared ledger going to know any different? A smart contract that pays the Chinese supplier when the refrigerated pork arrives in a US warehouse, as detected by RFID tags and such like, has no idea whether the slabs in the freezer are pork or platypus.

If you do discover platypus in your chow mein, then I suppose you could argue that the blockchain provides an immutable record that will enable you to track back along the supply chain to find out where it came from. But how will you know when or where the switcheroo took place? Some of the representations of the blockchain’s powers are frankly incredible, but it isn’t magic. It’s a data structure that recapitulates the consensus of its construction, not a Chain of True Seeing with +2 save against poison. So is there any point in considering a form of shared ledger technology (whether a blockchain or anything else) for this kind of supply chain application? Well, yes. We think there is.

Let’s go back to the first example, the great vegetable oil swindle.  Had American Express and other stakeholders had access to a shared ledger that recorded the volumes of vegetable oil being used as collateral, the fraud would have been easily discovered. 

“If American Express had done their homework, they would have realized that De Angelis’s reported vegetable oil ‘holdings’ were greater than the inventories of the entire United States as reported by the Department of Agriculture.”

via How The Salad Oil Swindle Of 1963 Nearly Crippled The NYSE

Interesting. So if the amounts of vegetable oil had been gathered together in one place, the fraud would have been noticed. What could that one place be? A federation of credit providers’ databases? A shared service operated by the regulator? Some utility funded by industry stakeholders? How would they work? What if the stakeholders instead of paying some third party to run such a utility used a shared ledger for their own use? It would be as if each market participant and regulator had a gateway computer to a central utility except that there would be no central utility. The gateways would talk to each other and if one of them failed for any reason it would have no impact on the others. That sounds like an idea to explore further.

How might such a ledger operate? Would American Express want a rival to know how much vegetable oil it had on its books? Would it want anyone to know? The Bank of Canada, in their discussion of lessons learned from their first blockchain project, said that “in an actual production system, trade-offs will need to be resolved between how widely data and transactions are verified by members of the system, and how widely information is shared”. In other words, we have to think very carefully about what information we put in a shared ledger and who is allowed to say whether that information is valid or not. Luckily, there are cryptographic techniques known as “Zero Knowledge Proofs” (ZKPs) that can deliver the apparently paradoxical functionality of allowing observers to check that ledger entries are correct without revealing their contents and these, together with other well-known cryptographic techniques, are what allow us to create a whole new and surprising solution to the problem of the integrity of private information in a public space.
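An added illustration, not from the original post or from any product it mentions: additively homomorphic (Pedersen) commitments, one of the simpler building blocks behind this idea, let a ledger hold hidden per-lender collateral figures while anyone can still check a borrower's declared total against an inventory figure. This is a commitment scheme rather than a zero-knowledge proof, and the toy group parameters, the label used to derive `H`, and all names and amounts are constructed for the example.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: P = 2*Q + 1, both prime.
# An 11-bit group is trivially breakable; it only keeps the numbers readable.
P, Q, G = 2039, 1019, 4  # G = 2^2 generates the subgroup of order Q


def derive_h(label: bytes = b"example-ledger/second-generator") -> int:
    """Hash a public label into the order-Q subgroup so that nobody picked
    H as a known power of G (that knowledge would break binding)."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h not in (0, 1, G):
            return h
        counter += 1


H = derive_h()


def commit(amount: int, blind: int) -> int:
    """Pedersen commitment G^amount * H^blind mod P."""
    if not 0 <= amount < Q:
        raise ValueError("amount outside the range this toy group can hold")
    return pow(G, amount, P) * pow(H, blind % Q, P) % P


def pledge(amount: int):
    """Lender and borrower agree a pledge; only the commitment is published."""
    blind = secrets.randbelow(Q)
    return commit(amount, blind), blind


def aggregate(commitments) -> int:
    """Anyone can multiply the public commitments: the product commits to
    the sum of the hidden amounts under the sum of the blinds."""
    total = 1
    for c in commitments:
        total = total * c % P
    return total


def audit(commitments, declared_total: int, blind_sum: int, inventory: int) -> str:
    """Check the borrower's declared total against the ledger, then against
    an external inventory figure. Individual amounts are never opened."""
    if not 0 <= declared_total < Q:
        return "opening-rejected"
    if aggregate(commitments) != commit(declared_total, blind_sum):
        return "opening-rejected"
    if declared_total > inventory:
        return "exceeds-inventory"
    return "ok"


# Caveat: sums wrap modulo Q, so a real ledger needs a group order far above
# any plausible total and a range proof on each entry.


def run_example():
    # Constructed data: one borrower pledges oil to three lenders (arbitrary units).
    amounts = {"lender-a": 120, "lender-b": 200, "lender-c": 310}
    ledger, blinds = [], []
    for amount in amounts.values():
        c, r = pledge(amount)
        ledger.append(c)
        blinds.append(r)
    blind_sum = sum(blinds)
    inventory = 500  # constructed figure for all the oil known to exist
    return {
        "honest": audit(ledger, 630, blind_sum, inventory),
        "understated": audit(ledger, 400, blind_sum, inventory),
        "plausible": audit(ledger, 630, blind_sum, 1000),
    }


if __name__ == "__main__":
    print(run_example())
```

The borrower cannot open the aggregate to a smaller total without solving a discrete logarithm, and declining to open it at all is itself a signal worth investigating.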

It is clear from this description that a workable solution rests on what Casey and Wong call “partial transparency”. At Consult Hyperion we agree, and we borrowed the term translucency from Peter Wagner for the concept. For the past couple of years we have used a narrative built around this to help senior management to understand the potential of shared ledger technology and form strategies to exploit it. Indeed, in some contexts we focus on translucent transactions as the most important property of shared ledgers and as a platform for new kinds of marketplaces that will be cheaper and safer, a position that you can find explored in more detail in the paper that I co-authored with my colleague Salome Parulava and Richard Brown, CTO of R3CEV. See Towards ambient accountability in financial services: shared ledgers, translucent transactions and the legacy of the great financial crisis. Journal of Payment Strategy and Systems 10(2): 118-131 (2016).

As you might deduce from the title, in this paper we co-opt the architectural term “ambient accountability” to describe the combination of practical Byzantine fault tolerance consensus protocols and replicated incorruptible data structures (together forming “shared ledger” technology) to deliver a transactional environment with translucency. As Anthony Lewis from R3CEV describes in an insightful piece on this new environment, it is much simpler to operate and regulate markets that are built from such structures.

The reconciliation comes as part of the fact recording; not after. Organisations can “confirm as they go”, rather than recording something, then checking externally afterwards.

From Distributed ledgers: “Confirm-as-you-go” | Bits on blocks

In this way the traditional disciplines of accounting and auditing are dissolved, re-combined and embedded in the environment. Smart contracts wouldn’t have disrupted Tino’s business, but ambient accountability would have uncovered his plot at a much earlier stage, when the near real-time computation of vegetable oil inventories would have delivered data on his dastardly plot. You’d hardly need Watson to spot that inventories greater than the United States’ entire annual production ought to be looked into in more detail.

Perhaps we need to shift perspective. It is the industry-wide perspective of the shared ledger, the shared ledger as a regtech, that makes the disruptive difference to supply chains, just as it is the shared ledger as a regtech that will reshape financial markets by creating environments for faster, cheaper and less opaque transactions between intermediaries that have to add value to earn their fees rather than rely on information asymmetries to extract their rent. As the World Economic Forum’s report on the Future of Financial Services says, “New financial services infrastructure built on [shared ledgers] will redraw processes and call into question orthodoxies that are foundational to today’s business models”. We agree, and if you want to make this a reality for your organisation, give me or my colleagues at Consult Hyperion a call. We will provide help, not hype.

Incidentally, the brilliant Maya Zahavi from QED-it will be explaining how ZKPs can transform supply chains at the 20th annual Consult Hyperion Tomorrow’s Transactions Forum on April 26th and 27th in London. Run, don’t walk, over to that link and sign up now for one of the few remaining delegate places and to be kept up-to-date in the future, sign up for our mailing list as well.

[Sincere thanks to my colleague Tim Richards and to my former colleague Salome Parulava for their helpful comments on an earlier draft of this post.]

Finger pay redux

A few people forwarded a link from Time Out to me last week, calling attention to a new payment mechanism using a new biometric identification technology to effect retail payments in a new way.

The latest in contactless payment – called Fingopay – uses a bartop scanner and allows customers to introduce their index finger when they’re ready to settle up. The unique patterns of the veins in each customer’s index finger – which need to be linked to their bank account in advance to make a payment possible – are electronically scanned on the spot in the aim of speeding up transactions at the bar.

From You can now pay for a pint using just your finger at a bar in Camden

I’m not sure if my repeated use of the adjective “new” in the introductory paragraph was entirely appropriate and I don’t want to be like all yeah whatever but… the first time that the technology was mentioned on this blog was almost exactly a decade ago, when I was talking about mass market uses of biometrics and the particular case study of Japanese banking, and it wasn’t new then.

Another group that includes Sumitomo Mitsui Banking Corp., Mizuho Bank and Japan Post use a similar system but it analyses fingertip vein patterns.

From Well, is this the year of biometrics? | Consult Hyperion (April 2007)

In addition to identifying customers at ATMs and Post Office counters the technology that they are referring to here, the Hitachi fingervein technology, has been used as an alternative to payment cards from its earliest incarnation.

Biometrics continue to advance in Japan with the news that Hitachi is teaming with Japanese issuer JCB to develop a biometric payment system based on its finger vein authentication technology that can be used as an alternative to cards and cash at the point of sale.

From Fingering suspects | Consult Hyperion (November 2007)

The technology has reappeared as a new solution to these same problems a great many times since then. It seems like every couple of years or so some stories about this new technology and new way to pay reappear. For example…

The BBC were kind enough to invite me on to their lunchtime “You and Yours” magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications.

From We’ll be giving Barclays the finger next year | Consult Hyperion

The truth is that this specific technology has been around for absolutely ages and the idea of using fingerprints as an alternative to payment cards at retail POS has been around for even longer. This from 2004:

The Piggly Wiggly grocery chain has announced it will begin offering a high-tech payment feature allowing customers in several stores to pay using their fingerprints.

From Grocery store goes to fingerprint payments

You can’t help but wonder what is different this time. Well, for one thing, we have PSD2. My memory of some earlier attempts may well be imperfect, but I have a vague recollection that these previous attempts at finger-based payments worked by tying the stored template to a card-on-file and then processing a card-not-present (CNP) transaction at POS (even though the cardholder was self-evidently present). Since the costs associated with CNP processing were much greater for the merchants, and the US was moving to no-signature stripe programs anyway because all of the terminals were online, the finger payments were slower and more expensive than stripe payments. Hence neither the merchants nor the consumers were greatly interested. Systems like this did make progress in closed environments (such as schools and prisons) but made no inroads into the mass market.

However, things are changing. We have strong customer authentication (SCA) and risk-based authentication at POS, we have interchange regulation and interchange plus acquiring in Europe and soon the retailers will be able to process payments themselves by obtaining payment institution (PI) licences and obtaining consumer consent for direct access to their bank accounts. Thus, putting your finger on a reader in store and having the retailer instruct an immediate instant payment transfer from your account to the retailer account looks like a more promising model this time around (but I have to say I am sceptical about traction in a world where consumers have mobile phones with them all the time and can obtain Internet connectivity even in Camden).

The decision to try out the new system in a pub, by the way, did bring on a wave of nostalgia. Here I am with my CHYP colleague Kate Hughes, my fellow Visa Business School instructor Joe Di Vanna and my old friend Mark Burgess testing out some early contactless products  in the bar at Robinson College, Cambridge. Joe claimed that he could do a cash transaction faster than contactless…

 

On a related topic, it is important to note that while fingerprints are unique, and all that, they are not without issue. For one thing, you leave your fingerprints everywhere you go. For another, you do not always have complete control over your fingers…

Wife exposed diplomat’s affair by using his thumb to unlock his iPhone while he was sleeping 

From Foreign office official ‘assaulted wife when she used thumb print to unlock iPhone’ exposing affair | Daily Mail Online

This is why those of us who understand security use Wickr or Signal to communicate with confidantes and always set a passcode for the application!  The point is that fingerprint security has failure modes and those could be exploited by any seven year old. Paging Groucho Marx: someone get me a seven year old…

7-year-old Harrison Green waited for his dad to fall asleep and then hovered his finger over the sensor, thus defeating his strong fingerprint encryption choice.

From 7-Year-Old Boy Uses Sleeping Dad’s Finger To Unlock iPhone

Having had a look through the Fingopay website, I notice a clever use of this particular feature (that is, the ability to use the biometric identifier without the consent of the owner).

We have developed an “in-case-of-emergency” ICE system that can be used to assist in identifying you even if you are unconscious

From – FAQs –

This might be more of a use case in Camden on a Friday night than a new payment mechanism! I suggest they also try my alternative solution which is to store a revocable token in tamper-resistant hardware and use the biometric for strong local authentication of that token. If people in Camden really don’t want to take even a card down the boozer, and are worried about waving a phone around because it’ll get half-inched at chucking out time, well, our friends on the continent have a tried and tested alternative.

everyone’s current favourite case study for this sort of thing is the Baja Beach nightclub in Barcelona, where patrons were offered the choice between a card and a chip and some of them chose the chip… The chips are the size of a grain of rice  (1.2 millimetres wide and 12 millimetres long) and injected (by a “medically trained” person, according to the New Scientist) under the skin in the upper left arm. 

From Chip ’em all | Consult Hyperion

One of my favourite conference jokes a decade ago (first used in a presentation to the International Association for Biometrics in September 2004) was that the chip is better than a card because you really can’t leave home without it. Now, to be honest, I’d prefer an implanted chip like that to biometric identification. Why? Well, the chip contains an ID number and no personally-identifiable information (PII). If some unauthorised person scans the chip, all they get is an ID number. If I use an app on my phone to allow a particular retailer the ability to charge against that ID number at specific times, or only with strong authentication (e.g., a PIN or a fingerprint or whatever), that seems both convenient and secure.

If you’re too squeamish to have a chip implanted (I’m not – in fact I begged them to implant one on stage at a Consult Hyperion Forum but they wouldn’t do it because the chips were not licensed for use on people in the UK) then there’s an alternative I can suggest. One of my favourite conference jokes right now is that you can always have a QR code tattooed on to some part of your body. Private key vs. privates key* (geddit!).

* If you know a better PKI-related joke I am literally all ears.

Retailers and cashlessness (In more ways than one)

British Airways have instituted a new policy of annoying customers like me by making them pay for coffee. Although, to be fair, it was Marks & Spencer coffee and it was much nicer than the usual BA coffee. Naturally, as is the case for the most forward-looking of retailers, they do not take cash, so I paid with one of the many cards about my person. As it now takes them ten times longer to serve the coffee, I took pity on the cabin crew and decided against my experiment of buying with contact, stripe, contactless and Apple Pay to see how the different media worked in the flight, and I just opted for a single stripe-based case study.

Avios are the New Money

BA are not alone in opting out of the overheads, annoyances and inconveniences of the industrial age cash economy. Perry Kramer, vice president and practice lead at consultant Boston Retail Partners, contends that as many as four-fifths of (US, I presume) retailers are already “largely cashless”.

“Retailers don’t really want to be banks. It’s not their sweet spot,” he says. “It is much less expensive to process credit and debit than it is cash, because cash has a lot of labor involved.”

From Cashing In or Cashing Out? | National Retail Federation

Still, it’s a big step to go from “largely cashless” to “cashless”, as many retailers are doing. You can see the attraction. If you are largely cashless, you still need a cash register, you still need to reconcile at the end of the day and you still have to go to the night safe on the way home. To stop all of this unproductive nonsense you need to stop cash altogether. If you do, the benefits are not limited to safety, security and a quicker trip home.

The company says that employees can perform 5% to 15% more transactions every hour when they don’t have to handle money.

From Sweetgreen Is Going Fully Cashless In 2017 | Fast Company | Business + Innovation

There’s a bigger context to the retailers’ moves away from cash, though, and that’s the moves away from POS altogether. As the payment becomes invisible, so does the card reader.

The move away from cash might also steer more people onto the Sweetgreen app. Over the last year, app use has grown 95%, says the company. Roughly a third of the business is run through the app

From Sweetgreen Is Going Fully Cashless In 2017 | Fast Company | Business + Innovation

I’ve never been to Sweetgreen, which I understand provides salad-based offers to busy office workers, but I will make the effort to reward their futuristic stance next time I am near one and between proper meals. A great company, no doubt, but when it comes to payments, I do not see their trajectory as unrepresentative at all. Apps and chat are steadily encroaching. 

Domino’s Pizza, which launched a “zero-clicks” pizza ordering app earlier this year. In the past, the company has baked ordering into Facebook Messenger, Twitter, Siri, Amazon’s Echo, Google Home, smart televisions, and even Ford Sync. In the third quarter this year, Domino’s revenue grew 16.9% year-over-year.

From Sweetgreen Is Going Fully Cashless In 2017 | Fast Company | Business + Innovation

Back to BA. As I said earlier, they don’t take cash so I paid by card. What I didn’t mention was that the card was a BA Executive Club card and that the currency was Avios, their “rewards” points. Interestingly, when I last paid for something on board with a payment card I had to go through the rigmarole of showing my passport as well as signing the transaction. But with my Gold card it was just swipe and go. Quick as you like.

Avios are the New Money

 

At the time of writing (three days later), these 300 Avios have yet to be deducted from my account, so I suspect the system may not be real-time. I will see if I can double-spend the Avios on my next flight and then write to BA to suggest they consider the blockchain for future implementations. Meanwhile, I will use the remaining gazillion Avios to take my wife on a lovely trip to her home town this summer. Let’s go book a flight right now!

Ba avail

Oh well. I will buy her a coffee instead.

Account-based ticketing workshops

We’ve been having a lot of fun in recent months leading workshops for transport operators about account-based ticketing, sharing our recent experience with clients such as the UK’s Transport for London (TfL) and Transport for the North (TfN), Hungary’s BKK, New Zealand’s NZTTL, Belgium’s De Lijn, Stockholm’s Storstockholms Lokaltrafik (SL) and Singapore’s LTA.

The workshops are designed to help transport operators who are new to account-based ticketing understand the issues and options, including how Open-Loop bank cards can be blended with existing smart ticketing. A typical agenda covers the following subjects:

Trends

  • Customer propositions should drive everything
  • Smart ticketing trends
  • Technology roadmap
  • Benefits of ABT and Open-Loop

Architecture

  • Basic architecture overview
  • Generic architecture
  • Open loop vs closed loop (the back office)
  • Providing for the unbanked

Open-Loop solutions

  • Open loop implementations in other countries
  • The 4-party model for payments
  • Transit Transaction Models (’Models 1-3’)
  • Transit Charging Framework (generic, global)

Compliance

  • EMV
  • PCI DSS
  • Working with a QSA

Our latest workshop was sponsored by Mastercard and hosted by Swedbank in Riga, Latvia, and had an audience of 40 including:

  • Transport operators
  • Government bodies
  • Industry suppliers
  • Media

We are looking forward to leading more similar workshops in 2017 across Europe.

Riga view from workshop at 9am.
Riga workshop sponsored by Mastercard and hosted by Swedbank.
Discussing a ‘strawman’ solution for Riga’s needs.

I’m entitled to adult services

My old chum Andy Ramsden wrote a nice piece on LinkedIn the other day, pointing out the difference between transactions that need identification (almost none of them) and transactions that need credentials (most of them). He used a current British case in point, which is how to come up with a scheme for preventing “health tourism” on the National Health Service (NHS) which is largely free at the point of delivery.

The receptionist doesn’t even need to know my name, all they need to verify is whether or not I am eligible for NHS treatment.

From Proving your identity needn’t be this hard | Andy Ramsden | Pulse | LinkedIn

Indeed. Which is why a National Entitlement Scheme (NES) makes sense. Andy’s point is not a special case – quite the opposite, it is the general case. In almost all day-to-day transactions, who you are is not important. This is why, in our “Three Domain Identity” (3DID) model, transactions take place in the authorisation domain, not the identification domain.

3D Domain Model

 

Now, in the NHS case I imagine that for most people giving out your real name is probably not a barrier to seeking treatment (although I can easily imagine cases where it is – what does James Bond’s NHS card say, for example?) but I can think of plenty of cases where giving out your real name is not only a barrier to transactions taking place, it’s downright crazy. Adult services are an obvious case and they are a case that I like to use because they are a useful example for focusing security, privacy and commercial issues that apply to a wide range of services. What do I mean by adult services? Well, to fork one of my favourite jokes from one of my all time favourite TV shows, Greg the Bunny, I don’t mean voting. I mean services that grown up people might want to use that they do not necessarily want other people to know about: gambling, fantasy football leagues, dungeons and dragons discussions groups and so on. If we can fix the problem for adult services we can fix it for most other things.

Ofcom’s guidance on age checks for online video content suggest a range of options – from confirmation of credit card ownership to cross-checking a user’s details with information on the electoral register.

From Plan to block porn sites accessible to children – BBC News

Both of these ideas are bad and are certain to lead to disaster, because both of them require the adult service provider to know who you are. This means that when they get hacked, as they inevitably will be, the personal details of the customers will be available to all. And, as actually happened in the case of the Ashley Madison hack, people will die. It’s not funny. Whether it’s adult web sites, or counselling services, or gay dating, or drug addiction helplines or whatever, where I go online is my business. We need a better solution than some dumb mandate to accelerate identity theft and foist its consequences on everybody.

Now, we already know what to do (that is, to have a functional identity privacy-enhancing infrastructure) but as yet there’s no sign of it coming into being. Therefore in the shorter term we have to come up with some workable alternative. It seems to me that a rather obvious way forward would be for banks, who have invested zillions in tokenisation services, to issue John Doe tokens to customers over 18. So, I can load my Barclays debit card into my Apple / Samsung / Android (* delete where applicable) wallet for free, but for £5 per annum I get an additional Privacy-Enhancing Token (a PET name). This stealth token would have the name of “John Barleycorn” and the address (for AVS purposes) of “Nowhere”.

Now, I can go online to the UK Adult Gateway Service or whatever it ends up being called and use the PET name to obtain an adult passport. Then I can use this adult passport to go and log in to Lovelies in Leather Trousers (which I only read for the gardening tips). Now:

  1. Lovelies in Leather Trousers know that I am adult passport “John Barleycorn” and that they can charge to that passport (when they do, Apple Pay pops up on my phone and asks for authorisation).

  2. When Lovelies in Leather Trousers gets hacked, the hackers find the adult passport John Barleycorn but they can’t use it to find out who I am. Even if they could log in to the Adult Gateway Service, it only knows that I am John Barleycorn and that the token comes from Barclays. Since there are tens of thousands of Barclays PETs with the name John Barleycorn, who cares.

  3. If the hackers get into Barclays and discover that the particular PET name belongs to me, then Barclays have a fair amount more to worry about than the £100,000 compensation they will be paying me for breaching my privacy.

  4. Meanwhile, if the adult passport John Barleycorn is used in some criminal activity, the police can simply go to Barclays with a warrant and Barclays will tell them it is me.

Simple. Incidentally, there’s another aspect to all this which means that the networks and the banks might want to invest in this kind of infrastructure. Since adult payments are lucrative, and since an effective privacy-enhancing age check would increase the use of such services, and since a tokenised approach would also reduce fraud and chargebacks, there are real incentives for the stakeholders to get out there and put something in place.

The Digital Economy Bill already includes measures to bring in age checks and the power to withdraw payment services from sites which do not implement the controls.

From Plan to block porn sites accessible to children – BBC News

I really don’t like the idea of using the payment system as a policeman, but it makes sense as an interim solution until such time as we actually have a working identity infrastructure with pseudonymous virtual identities that can be used for adult transactions, just as they will be used for all other transactions. Including getting hospital treatment if you are entitled to it.
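The PET name and adult passport flow above, sketched as an added example (not Consult Hyperion's or any bank's code) to show what each party's breach actually exposes. The class names, the constructed customer "Alice Example" and the HMAC tag standing in for the bank's tokenisation service are assumptions; payment authorisation is not modelled.

```python
import hashlib
import hmac
import secrets

class Bank:
    """Issuer: the only party able to link a PET token to a real customer."""
    def __init__(self, name):
        self.name = name
        self._vault = {}                     # token -> real identity, never shared
        self._key = secrets.token_bytes(32)  # authenticates tokens this bank issued

    def _tag(self, token):
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue_pet(self, customer, age):
        if age < 18:
            raise ValueError("PET names are issued to over-18s only")
        token = secrets.token_hex(8)
        self._vault[token] = customer
        return {"issuer": self.name, "token": token, "tag": self._tag(token),
                "name": "John Barleycorn", "address": "Nowhere"}  # same on every PET

    def vouches_for(self, pet):
        return hmac.compare_digest(self._tag(pet["token"]), pet["tag"])

    def disclose(self, token, warrant=False):
        if not warrant:
            raise PermissionError("identity is released only against a warrant")
        return self._vault[token]

class AdultGateway:
    """Knows the PET name and the issuing bank, nothing about the person."""
    def __init__(self, banks):
        self.banks = {b.name: b for b in banks}
        self.passports = {}                  # passport id -> PET name, issuer, token

    def issue_passport(self, pet):
        bank = self.banks.get(pet["issuer"])
        if bank is None or not bank.vouches_for(pet):
            raise PermissionError("PET not vouched for by a known bank")
        passport = secrets.token_hex(8)
        self.passports[passport] = {k: pet[k] for k in ("name", "issuer", "token")}
        return passport

class Merchant:
    """Stores only the passport id and PET name of each account."""
    def __init__(self, gateway):
        self.gateway, self.accounts = gateway, {}

    def register(self, passport):
        self.accounts[passport] = self.gateway.passports[passport]["name"]  # KeyError if unknown

def run_demo():
    bank = Bank("Barclays")
    gateway = AdultGateway([bank])
    merchant = Merchant(gateway)
    passport = gateway.issue_passport(bank.issue_pet("Alice Example", age=42))
    merchant.register(passport)
    token = gateway.passports[passport]["token"]  # the police start from the passport
    return merchant.accounts, gateway.passports, bank.disclose(token, warrant=True)
```

`run_demo()` returns the merchant's records, the gateway's records and the warrant disclosure; only the last contains the customer's real name.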

NFC isn’t the real reason for Apple Pay

As I am sure many of you will remember, the thing I was most wrong about – ever – on the Tomorrow’s Transactions blog was that I was convinced that Apple would not bother with an NFC interface for the iPhone. Luckily, my blog is not a blockchain, so I could go back and delete this post if I wanted to. But I am a gentleman and man of integrity and I cannot do sufficient violence to my conscience to rewrite history in this fundamentally misleading way. Hence my error stands as testimony to my integrity. My reasoning at the time of this broadcast error was that since “app and pay” would eventually come to dominate “tap and pay”, I thought that Apple would focus on the big picture and ignore the age-old card/POS interface. I assumed that they would use Bluetooth, wifi and mobile to link the customer and merchant and eventually dispense with the card in the middle, whether using stripes, chips or NFC. At that time, we had already built an HCE-over-BLE app for a project that we were involved in, so I knew that we could easily obtain better-than-chip-and-PIN security without having to tap anything, and I thought Apple would just ignore it: what did they care, I reasoned, if you can’t use your iPhone to ride the bus* in London?

Well, I was wrong. Apple implemented their own sort-of-NFC (they did not implement the full NFC standard) and they locked down the interface so that third-parties could not gain access. They implemented just enough to get the banks to spend gazillions on the tokenisation infrastructure that was needed to bring that better-than-chip-and-PIN security to online and mobile commerce. Well, it worked. They have created a secure and convenient payment platform. As I wrote before…

Select Apple Pay, thumbprint, done. Why isn’t all in-app purchasing like this. Come to that, why isn’t all purchasing like this. Actually, it soon will be…

From Don’t judge mobile payments by the way they work now | Consult Hyperion

This is indeed where Apple is heading, and I’m not the only one who thinks that perhaps people who were focused on the NFC interface at retail POS (and complaining that not enough retailers take it and therefore Apple Pay is a bit of a flop) were missing the bigger picture.

He says Apple Pay is appealing, but he wouldn’t switch banks just to access that one feature. “Not over that. There’s too much work involved just for tap-and-go,”

From Early days, but Apple Pay struggles outside U.S. | Reuters

You can see the point. If you already have a contactless card that works everywhere, it’s not that exciting to be able to tap your phone instead of the card. So people don’t. They already had a perfectly good solution to the card payments problem: a contactless card (or, in my case, a contactless sticker). But the fact that it’s not exciting to tap the phone just does not matter. It’s not the play. There are reasons why I love Apple Pay (especially because I have on more than one occasion forgotten my wallet when going to the office) but when I dropped my iPhone in the toilet and was on an old phone for a couple of days, it didn’t really matter that much because of my contactless Curve card in my back pocket.

The thing is: paying with a plastic credit card isn’t really that difficult. With Apple Pay, the bigger point is that it’s also a way of paying for stuff online.

From Who Cares About the New iPhone Camera? The Real Change Is Apple Pay | WIRED

Brian Roemmele, who I always take very seriously about this kind of thing, says that it is already clear that Apple Pay in the browser will be a very big deal indeed. I already find it frustrating when I go to pay in-app and I have to enter a CVV against a card-on-file just as if it were 1996 all over again (I’m talking about you RingGo) instead of just thumbing it, so I can see that the in-app and online experience will be transformed.

In my early testing I can confirm that the checkout abandonment rate for websites that use Apple Pay Safari will be reduced significantly.

From The Apple Pay Safari Vs. PayPal Battle For Web Transactions Is An Invalid Argument. — Medium

Who won’t use this? For Apple Pay, Android Pay, Samsung Pay and every other pay, #appandpay is way more important than #tapandpay and way, way more disruptive. Note also that it is a very short step from Apple Pay to Apple ID, where revocable identification tokens are loaded into the tamper-resistant hardware alongside the revocable EMV payment tokens…

* I use my iPhone to ride on London underground, buses and Docklands Light Railway all the time. All the time.

WTF USA EMV CVM POS PIN SNAFU

I’ve been reading a lot of comment about the US EMV migration recently and there seems to be pretty universal condemnation of the process (some of it from me). In the UK, we had chip and PIN day (St. Valentine’s Day 2006) and that, pretty much, was that. But in the US, the migration has been piecemeal, confusing and fraught with problems. But why?

Critics have told me that banks opted for a signature versus a PIN code because it saves them large amounts of money by not having to store PIN codes for everyone. Banks, on the other hand, say they feared that their customers would have a difficult time remembering a four digit code.

From The EMV chip credit card transition in the US has been a disaster — Quartz

As far as I know, neither of these is true. Some issuers preferred chip and signature because it has higher interchange, not because US consumers are morons who uniquely amongst the nations of the Earth cannot remember a four digit personal identification number (PIN) that they use several times every day. Merchants wanted PIN because the fraud rate on PIN is two orders of magnitude less than with signature. Consumers wanted speed and, since they were given that by the no-signature online-authorised stripe transactions that they were familiar with, there was no traction for contactless (which delivers speed and convenience in an EMV environment and provides fertile ground for mobile payments).

The typical US consumer approaches a POS with some trepidation, I imagine, since it is completely opaque as to the experience that awaits them. Tap, swipe, dip, PIN or sign, hand over the card or keep it… every transaction is an adventure. I suppose many stakeholders take the position that it doesn’t really matter because mobile and in-app are going to steadily erode card transactions (Jupiter is reporting that almost half of US consumers already use some form of contactless payment, and a fifth already use it every day – mostly Starbucks I’d imagine). At some point in the imaginable future, “tap and pay” and “app and pay” will together exceed both EMV and magnetic stripe transactions at retail point of sale (POS) and at this point (the plastic singularity or, as I prefer it, #cardmaggedon or the #cardocalypse) signature versus PIN will seem to our children something of a medieval argument along the lines of angels on the head of a PIN. Right now, though, it is still a live debate.

My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.”

From The Great EMV Fake-Out: No Chip For You! — Krebs on Security

However, until such time, we should probably make an effort to improve the user experience (UX) for the typical consumer and make cards work better for the merchants. As I recall from the excellent NYPAY discussion on the topic, US merchants are particularly aggrieved by the rise in chargebacks that they have seen over the past few months.

Chargebacks for card-present transactions increased 50% following the Oct. 1 EMV liability shift,

From EMV Chargebacks Proving To Be a Card-Present Merchant Problem

You understand why this is, I’m sure. It’s because before 1st October, if you spotted a $3.95 charge at Starbucks on your statement and you knew that you couldn’t possibly have made that transaction, then you would call up your issuer and complain and they would just eat the charge because it would have been more trouble than it’s worth to go back to Starbucks, pull the receipt, check the signature if there was one etc etc. However, after 1st October, if you spot a bogus $3.95 charge on your account and call up, the issuer will check the transaction codes and, if you had a chip card but it was swiped by a merchant who didn’t have (or didn’t use) a chip reader, then the $3.95 is charged back to the merchant. The net result is — entirely as expected and as it should be — that merchants see big increases in card-present chargebacks as previously hidden magnetic stripe fraud is revealed.

A good way to reduce that previously hidden fraud would be to simply give customers the option to block magnetic stripe transactions from cards with a chip on them. Why are the banks not giving consumers the option to disable stripe transactions? My debit card has embossing and a magnetic stripe on it for absolutely no reason that I can fathom since I never use it at a non-chip ATM and in practice I don’t need it when abroad. I’ve just returned from trips to Rome and Munich where I never once used cash and never needed an ATM (I used my Caxton FX pre-paid card in shops and ticket machines and I used Uber for transport).

Brit abroad

Proof that I was in Rome and that it’s not empty blog rhetoric.

I want my bank to auto-decline any magnetic stripe transaction made using my chip-enabled contactless debit card and I want the ability to set that parameter from my excellent mobile banking app. Why is this so difficult? Meanwhile, back in the US, the mounting annoyance with chip and PIN continues. Perhaps it’s time for the networks to announce the sunset date for magnetic stripes: perhaps 1st January 2019, after which time no new cards will be issued with magnetic stripes or embossing?
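The issuer-side check described in this post, as an added example that is not from the original article: it reads the service code from track 2 data and the POS entry mode to decide who bears a disputed swipe and whether to honour a cardholder's stripe block. The entry-mode values (02/90 for stripe, 05/07 for chip), the `block_stripe` flag and the sample card data are assumptions or constructed for illustration.

```python
from dataclasses import dataclass

CHIP_SERVICE_DIGITS = {"2", "6"}  # service code first digit: card carries a chip
SWIPED = {"02", "90"}             # assumed POS entry modes: magnetic stripe read
CHIP_READ = {"05", "07"}          # assumed POS entry modes: contact / contactless chip

@dataclass
class Txn:
    track2: str       # PAN=YYMM, then 3-digit service code, then discretionary data
    entry_mode: str   # first two digits of the POS entry mode (ISO 8583 field 22)
    amount: float

def service_code(track2):
    """Extract the 3-digit service code that follows the expiry date."""
    _pan, sep, rest = track2.strip(";?").partition("=")
    if not sep or len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed track 2 data")
    return rest[4:7]

def is_chip_card(txn):
    return service_code(txn.track2)[0] in CHIP_SERVICE_DIGITS

def authorise(txn, block_stripe):
    """Issuer decision; block_stripe is the option the cardholder sets in the app."""
    if block_stripe and txn.entry_mode in SWIPED and is_chip_card(txn):
        return "DECLINE"
    return "APPROVE"

def fraud_liability(txn):
    """Who bears a disputed card-present charge after the liability shift."""
    if txn.entry_mode in SWIPED and is_chip_card(txn):
        return "merchant"   # chip card, but the terminal read the stripe
    return "issuer"

def review(batch, block_stripe):
    """Decision and liability for each transaction in a batch."""
    return [(authorise(t, block_stripe), fraud_liability(t)) for t in batch]

# Constructed sample data: chip card swiped, chip card dipped, stripe-only card swiped.
SAMPLE = [
    Txn("4000000000000002=25122011234", "90", 3.95),
    Txn("4000000000000002=25122011234", "05", 3.95),
    Txn(";4000000000000010=2512101999?", "90", 3.95),
]
```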

‘Secure enough’ mobile ticketing

We’ve been working with ITSO on how to implement ‘ITSO with HCE’ since January 2015. In January 2016 we presented at Transport Ticketing in London about the work that we had done to date and this was also summarised in an article in the BCS ITNow magazine.

We have since produced a Functional specification for how ITSO with HCE will work in Phase 1. In addition we have produced minimum security requirements that will have to be met by ITSO with HCE implementations. Currently we are helping ITSO determine how ITSO with HCE implementations will be tested and certified by ITSO to ensure that they are secure enough to be allowed to be used on live ITSO schemes.

We continue to work with ITSO on moving ITSO with HCE forward. Here is the latest from ITSO about plans to pilot ITSO with HCE on a live ITSO scheme in West Yorkshire.

Working together with West Yorkshire Combined Authority, Transport for the North, Ecebs, Penrillian and Consult Hyperion, ITSO will be leading on a trial, due to commence in September 2016, which uses HCE-enabled mobile phones on a live ITSO scheme.

Beacons in Transit

You’ve probably heard about Bluetooth Low Energy (BLE) Beacons being used to help the visually impaired navigate on their own around public transport systems. This has been trialled in Bucharest on buses and in London Underground. These are examples of relevant information being pushed to users’ smart phones based upon their location. Other similar use cases might include telling passengers when they are approaching the stop at which they plan to get off, or telling them that their selected vehicle is about to arrive.

The use case I am more interested in is the one that allows passengers to travel without paying upfront and be charged afterward based on the journey that they took. We implemented this with TfL in London using contactless bank cards and it has become known as ‘Aggregated Pay As You Go’. This works well, but relies upon the passenger remembering to ‘tap in’ and ‘tap out’ to mark the end point of each leg of the journey in order that the back office can calculate the journey taken. Appropriate charges are made to the passenger’s bank card account at the end of the day.

Beacons could be used in implementations for this use case. Such a beacons trial is to be carried out in 2017 in West Yorkshire as part of the Transport for the North’s Integrated and Smart Travel (I&ST) programme.

The aim is to automatically determine the bus journey taken by the passenger and charge on a PAYG basis. Therefore, we need to know accurately where the passenger gets on and off the bus. This information will be determined by a smart phone app by interacting with beacons and sent to the back office where the charge is calculated and payment taken.

The trial, commissioned by West Yorkshire Combined Authority (WYCA), will be used to determine:

  • whether the passenger experience is favourable;
  • whether BLE technology can deliver sufficient location accuracy; and
  • how the journey timestamp and location information can be sent to the back office in such a way that it can be trusted and is not open to fraud.
