Earlier this year we were delighted to be part of the Consult Hyperion webinar on Request to Pay. A common thread in post-event conversations that followed was an interest in the parallel developments of the UK and European flavours of Request to Pay and how they might work together. With the launch of the European version on June 15th, we thought it an ideal time to signpost the bigger differences.
Every year Consult Hyperion publishes our Live 5. We try to shine a lens on the year ahead and think about what will be impacting our clients. The themes for 2021 are:
Today I want to explore the topic of micro location from the point of view of the (mostly) Apple ecosystem, and how developers can leverage application programming interfaces (APIs) to build useful apps. In order to understand that, first we should visit the topic of location in general – how do devices know where they are?
For the third year running, my colleague Gary Munro facilitated a thought-provoking debate around the use of mobile phones and tablets as contactless payment terminals during last week’s virtual Merchant Payments Ecosystem (MPE) conference. For the last three years, Gary and his panellists have tracked the progress of the SoftPOS technology and standards. The three key messages that I took away from this year’s conversation were that:
This weekend marks an anniversary. Although Consult Hyperion’s romance with smart cards had started many years before that, it will be fifteen years on Sunday that chip and PIN went live in the UK. I remember St. Valentine’s Day 2006 as if it was yesterday!
Today marks the 10th anniversary of Safer Internet Day in the UK. Each year Industry, Educators, Regulators, Health & Social Care workers and Parents rally to raise awareness and put into action plans to tackle findings from significant research on the topic of trust and safety on the internet. This year one of the research pieces talks of the challenge ‘An Internet Young People Can Trust’. As a mum of two school age children, I am sat here wondering if the internet will ever be safe … for them or me.
If I think about life BC (before COVID), my eldest used social media for broadcast communications to her friends. She was guided on the appropriateness of certain apps and our acid test on the content she was posting, was always ‘would you go up to a stranger in the street and give him your name, age, location and a photo of you in a bikini’ … her reaction was always ‘err, no’. My youngest had never been online apart from BBC Bitesize for homework assignments. We’re not online gamers so have never had constant nagging to go online. Additionally, you have to remember the internet (and mobile internet) has been significant in my work world since 1990 so I have a heightened understanding of the pitfalls and have seen many fall foul of their online reputation, tarnishing their in-person reputation.
Recently I saw this article suggesting that 97% of mobile transactions in Asia are fraudulent. Can this really be true? I decided to investigate.
The article highlights an excellent report published by Secure-D looking into mobile ad fraud, which it appears is a largely hidden multi-billion dollar enterprise, impacting emerging markets in particular. As you might expect with an enterprise of this size it is multi-faceted and complex. Two of the ways fraudsters are making money are as follows:
- Fake clicks: The internet runs on advertising revenues obtained when a user clicks on an ad in a mobile app or on a web page. Fraudsters have numerous ways to create fake clicks that look like they’ve come from a real person, and then be paid the associated fee. One way that they do this is by deploying malicious apps to the devices of unsuspecting users, often disguised as a legitimate app offering an innocuous service like providing weather information.
- Hidden purchases: Many mobile users in emerging markets are unbanked and use their prepaid mobile airtime to purchase goods or services. Those malicious apps deployed to devices can also then siphon off funds from users without them realising it is happening. They just see their airtime running out more quickly than it otherwise might.
The Use of Contact-free is Accelerating
At Consult Hyperion, we have already seen the pandemic accelerate the adoption of contact-free payments in the face to face environment as customers have become wary of catching COVID by touching shared devices, such as self-service terminals and PIN pads. The use of personal devices for payments is hardly new but the attraction of an in-app/in-store version of mobile payments, whereby the consumer uses an app on their own device to interact with the retailer or service provider and pay for services, has just increased dramatically. Solutions for parking (RingGo) and for restaurants (like the Wahaca app, powered by Judopay) were already demonstrating the benefits of such an approach for customers and businesses before COVID struck.
This post was written in collaboration with Neal Michie, Director, Product Management, Verimatrix.
Banks are facing massive disruption and change from many directions. The rise of app-only banks has made the need for traditional banks to have compelling app services an imperative. Banks have of course been building mobile apps for several years. If not already, they will soon be the most important channel for engaging with and serving customers. However, mobile banking apps will also become the primary focus of hackers, intent on getting access to other people’s information and money.
Predictions from 1909
This essay is about a work of science-fiction, of which many features have come to pass. I re-read it this week, as it seemed that even more might be, and not necessarily to our advantage, in the world of Covid-19, and I wanted to confirm or deny my memory. In any case, science-fiction is a great background for technology strategising, helping to get beyond limited thinking based on incrementalism.
I took my English Literature ’O’ Level in 1974 and three works from the syllabus have stayed with me since: Macbeth, Lord of the Flies (which I had read a couple of years earlier) and one that no-one’s ever heard of: a science-fiction short story, The Machine Stops, by E.M. Forster. That’s right, E.M. Forster, better known for acute observation of middle-class Edwardian manners (A Passage to India, A Room with a View, Howards End…). Apparently, he wrote it to demonstrate how easy it was to generate science-fiction akin to H.G. Wells. Indeed, it bears a certain resemblance to The Time Machine, except for an inversion: in Forster’s dystopian far-future, the effete leisured class live underground, while the rough outlaws live on the surface.
Forster’s ‘civilised’ tribe live in a world of pure ideas, only loosely connected, if at all, with sensory perception. I think what I found shocking was the protagonist flying over the Himalayas, glancing out and immediately shutting the blind, with the dismissive thought “no ideas here”. Having shuttled back and forth between England, Australia and America for much of my life until then, at a time when few did, I was appalled. I used to strain to remain awake, whenever it was even half-light, in order to take in everything, and speculate (and later research) on the physical make-up of the land and the people it supported. In fact, I still do!
Air travel was by fleets of airships, so Forster backed the wrong aeronautical horse, so to speak. Although, he explicitly stated that civilisation had given up the dream of beating the sun in Westward travel, as we have, having attained it in a limited fashion with Concorde, for not quite three decades. For the same reason, partly: the availability of real-time electronic communication.
The civilised world is run by ‘the Machine’; a kind of internet, with mechanical appendages; imagine the Internet of Things is an established reality. FaceTime has been invented, and so has Zoom: people’s time is mostly spent in isolation in their identical cells, giving or receiving webinars, on abstruse but useless topics. Alexa will pick up on any expression of discomfort and diagnostic kit and treatments will be lowered from the ceiling, in the manner of oxygen masks in planes. People never travel to things, but things to people, as if by Amazon. “And of course she had studied the civilization that had immediately preceded her own — the civilization that had mistaken the functions of the system, and had used it for bringing people to things, instead of for bringing things to people. Those funny old days, when men went for change of air instead of changing the air in their rooms!”. Not all predictions were correct in 2020; Google was just a big book, which everyone had, principally as a manual for getting the machine to satisfy all reasonable wants.
The natural atmosphere was supposed to be not capable of supporting human life and a respirator was needed at all times, in the unusual event that anyone had—how shall we say—a reasonable excuse to leave the home. I re-read the story partly to determine why that was, imagining disease. Actually, the supposition was either false or greatly exaggerated; what was the case was that the atmosphere stimulated the senses in a way that overwhelmed those used, and possibly adapted, to the sterile air produced by the machine. Notwithstanding the lack of a pandemic, it was certainly the case that humans physically repelled each other and social distancing was the norm.
The denouement has an increasing level of seemingly random and, at first, minor breakdowns in the operation of the machine. In my mind, these were because the machine’s designers could not anticipate all changes in its external environment.
There is, however, a ‘mending apparatus’ which automatically patches the machine. But when that starts to malfunction… The moral is that society should not, by becoming completely dependent on its own creations, become detached from understanding the nuts and bolts of technology. That is something your favourite consultants will never do!
Back to the story. It is clear that the Chinese had taken over the world at some earlier time. Perhaps when, as now, they concerned themselves with acquiring and applying the whole gamut of technical skills.
The Second Payment Services Directive, aka PSD2, contains much that is admirable, some that is debatable and yet more that is downright mysterious. As we await the forthcoming final version of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA), putting everyone on a 21-month implementation cycle, I thought I’d cast an eye over one of the, as yet, largely undiscovered areas of the directive; namely the exclusion from SCA for direct carrier billing (DCB). Like so much in PSD2 no exemption comes without penalty.
It’s the directive itself that excludes direct carrier billing from regulation, in Article 3, where it specifically excludes:
(f) payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a subscriber to the network or service:
(i) for purchase of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the related bill; or
(ii) performed from or via an electronic device and charged to the related bill within the framework of a charitable activity or for the purchase of tickets;
provided that the value of any single payment transaction referred to in points (i) and (ii) does not exceed EUR 50 and:
— the cumulative value of payment transactions for an individual subscriber does not exceed EUR 300 per month, or
— where a subscriber pre-funds its account with the provider of the electronic communications network or service, the cumulative value of payment transactions does not exceed EUR 300 per month;
If you care to deconstruct this it means that PSD2 doesn’t apply to direct carrier billing – payments made using a subscriber’s existing mobile account – if the subscriber doesn’t spend more than €300 a month or pay more than €50 on any single payment. Which is a useful exclusion for network operators and providers of DCB services, but does rather put a limit on any ambitions to extend and grow these services into genuine competitors for consumer payments. The exclusion also doesn’t apply to physical goods, limiting any expansion plans in that area.
Fail to meet those conditions and DCB automatically falls into the jaws of the RTS on Strong Customer Authentication, requiring two-factor authentication to be applied, subject to the normal exemptions not being invoked. Given that banks, who have a track record of applying authentication to consumer payments, are finding meeting the SCA requirements challenging, it’s not immediately obvious how mobile operators are going to address this, although you’d imagine that they could use the mobile handset itself as the possession factor. Nonetheless, forcing customers to enter passwords or implementing a handset-based biometric through an app isn’t going to do anything for the customer payment experience, which hitherto has largely been invisible.
The problem is that doing nothing is not an option. Not implementing SCA means capping the amount customers can spend each month and failing to do that will mean customers have the automatic right to apply for a refund as payments over the limit will, in PSD2 terms, be unauthorised. T&Cs will need to be rewritten to make sure the operators can get their money back, although in the absence of regulatory guidance it’s not clear that the directive might not override that – if PSD2 is about one thing it’s about the pre-eminence of consumer rights. Oh, and go over that limit and the operator will find themselves considered a payment service provider under the regulatory conditions of PSD2 with all that it entails.
Some DCB providers have already taken the initiative and become Electronic Money Institutions, which means they don’t have to worry about the restrictions but do have to suffer the slings and arrows of Strong Customer Authentication, outrageous or otherwise. Others seem so far less bothered, although no doubt the proposed regulatory penalties when published will concentrate minds. What’s really interesting is that the other side of PSD2 – the so-called XS2A, Access to Account, via bank implemented APIs – actually opens up a real opportunity for any mobile operator or DCB player smart enough to spot it. After all, if you can connect to any consumer’s bank account to draw funds or examine their spending patterns you’re halfway to a pervasive retail consumer payments solution.
As for the other half, well that’s what we at Consult Hyperion are paid to solve. We think that the elements to allow this are already in place, all it needs now is someone with the foresight to take advantage of them. At that point the European Commission may well get the kind of innovation and competition in consumer payments that it desires, but in the meantime we’ll just continue twiddling our thumbs waiting for the RTS.