Leveraging the payment networks for immunity passports

COVID-19

As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.

I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?

It is no longer unusual for a company in the City to regularly test its employees before allowing them to work in their offices and support the additional costs of their commute avoiding public transport.

Billions are being invested in vaccine research and tests to confirm that we have the antibodies to protect us and those with whom we interact. But will that be sufficient? Will it allow you to visit your relatives in the care home, sit inside your favorite restaurant, work in close proximity to your colleagues and/or travel without the need to quarantine for 14 days when you arrive and/or return?

Experience would suggest that over the next year or so a variety of vaccinations and tests will be released, which will work to a greater or lesser extent. The question will be: ‘is the vaccination, or test, recognized by the venue (and their insurers), or country, which you are trying to enter?’

For some organizations, the fact that the COVID-19 tracing application on your phone turns green, will be sufficient. Others will only recognize specific vaccinations and tests and will want to check that the immunizations are still valid. Both will be concerned by the availability of fake immunity certificates. Thus, in parallel with the medical developments, we have to implement a robust and efficient method of sharing and remotely validating the immunity certificates or passports that they will deliver.

Those of us who regularly travel in North Africa and South America are used to handing over our yellow International Certificate of Vaccination or Prophylaxis (ICVP), with our passport, to prove that we had yellow fever vaccine. This program, which is governed by International Health Regulations, could provide the governance framework for the operation of the COVID-19 immunity passports.

Over the last few months, Consult Hyperion has proven that the contactless payment networks, which allow you to use your credit or debit card anywhere in the world, can also be used to share and remotely validate your COVID-19 immunity passport.

Our idea is that anywhere you can use your payment card you can also validate that you have the required immunity to enter the building or country. As with your payment transaction, an organization can choose whether or not to accept your immunity passport based on the:

  • Issuer of the immunity passport
  • Vaccinations and/or tests administered
  • Date when the vaccinations and/or tests were administered
  • Potential that the passport is a fake or you are not the genuine passport holder

If required, the organization can also revert to the issuer of the immunity passport to check there and then that your passport is still valid.

The consumer experience delivered by the immunity passport is similar to that of a contactless, Apple Pay or Google Pay transaction. The immunity passport is stored in a secure application in your smartphone or biometric smartcard. When asked to prove your Immunity Status you use your fingerprint to authenticate yourself to your phone/card and then touch your phone/card to a contactless reader. An application on the reader validates your immunity passport and passes only the required information to the restaurateur, owner of the care home or office or border control officer.

From the international community’s perspective, the payment infrastructure over which the immunity passports are shared and remotely validated is in place, proven and robust. It is supported by a raft of rules administered by PCI, which protect the security of personal information, at rest and in flight, within the system. There is an active marketplace for cheap, certified readers, operating secure protocols, which offer Contact Free validation of the immunity passport away from the classical point of sale locations. These include mPOS and SoftPOS solutions which allow a standard mobile phone to be used as a contactless payment terminal, and ruggedized terminals used to validate tickets in high traffic areas, such as the entrance to sports arenas and concert venues.

While the world waits to see if the science supports the ability to establish immunity to COVID-19, and society works through the implications of immune people being able to avoid restrictions which apply to others, we technologists need to prepare the infrastructure that will allow people to share and validate immunity passports.

One of the things I love about working at Consult Hyperion is that we regularly come up with, and deliver, ideas that significantly impact people’s lives – contact and contactless payment cards (worldwide), M-PESA (Kenya), Open Loop Transit Ticketing (London) and more recently SoftPOS (London), just to mention a few. Something tells me that immunity passports will be the next. If you are interested and would like to help deliver the network that will allow life to return to something close to ‘old normal’, please let me know.

Give the public what they want

Well, this is interesting. On the very day of Consult Hyperion’s 20th (yes, 20th) annual Tomorrow’s Transactions Forum to discuss the future of secure electronic transactions and much besides what should fall through the internet tubes but the fifth annual “ING International Survey Mobile Banking 2017 – Cashless Society“, which surveyed nearly 15,000 people across 15 countries, and found that one in five (21%) people in Europe now rarely carries physical notes and coins, and a third (34%) would go completely cashless if given the choice.

Gin and contactless, one of my very favourite combinations

Gin and contactless is my second favourite cocktail (after the Moscow Mule).

Like those 34%, I’d like to be given the choice, but there are still places that won’t accept cards (such as the Real Ale bar in Wembley Stadium) which is why I went to the gin bar instead (as shown above). But these are becoming fewer and farther between, and not only in London.

“Dr Michael Collins, assistant professor of Social Policy at the University College of Dublin, tried to live without cash during one month to see if Ireland could become cashless in a near future and follow the example of its Scandinavian neighbour. His investigation demonstrated that almost all transactions can be done without banknotes and coins, except for some small value transactions, such as a coffee in a train.”

Cash is not replaceable

Ha! Even on Southwest Trains you can pay using contactless cards or Apple Pay and, when the new Chinese owners take over later this year, I imagine that Alipay and WeChat will be on the menu too. When do we get to wave goodbye to cash in Woking then? Well, sadly no time soon because while the trains have contactless, the ticket machines don’t (and I shouldn’t have to go to ticket machines anyway, but that’s a different point). But in ten years? 20 years?

“Gala Casino used linear regression on cash usage data from 2004 to 2014, which saw a drop from 71% to 53%, and Payments UK predictions for 2024, to arrive at its guesstimate that 2043 will be the year in which the number of cash transactions reaches zero per cent.”

Britain to go cashless in 2043?

I would imagine the graph turns out to be show cash asymptotic to zero rather than zero, but while I’m not sure that the number of “cash” transactions will ever reach zero, because some people will always want to use some form of immediate and anonymous payment system, I am sure (as I told the BBC’s “Wake up to Money” chap when he called to invite me on this morning) that William Gibson’s words in “Count Zero” are prescient: “He had his cash money, but you couldn’t pay for food with that. It wasn’t actually illegal to have the stuff, it was just that nobody ever did anything legitimate with it”. By 2043? Sure. But rather than just let it happen, we really need to set a national policy about it.

“Reducing cash doesn’t mean big savings, but removing cash does, and without an actual national policy on this, the benefits will go to the middle classes at the expense of the poor. “

via There you go bringing class into it again | Consult Hyperion

Therefore another vision for 2043 might be that cash becomes a class issue, where the middle classes never see cash from one week’s end to the next (except for the purpose of aiding and abetting tax evasion by paying the builder in £50s) but the underclass, trapped in cash, are excluded from the world of bank accounts and cards. This will be a good topic for discussion at this afternoon’s excellent expert panel on inclusion chaired by our CEO Neil McEvoy with Katie Evans (Money and Mental Health), Susie Lonie (who has years of experience in emerging markets), Elizabeth Duke from Carta Worldwide (who build pre-paid schemes for the unbanked) and our very own Paul Makin (the man who did the original feasibility study for M-PESA). Great stuff.

NFC isn’t the real reason for Apple Pay

As I am sure many of you will remember, the thing I was most wrong about – ever – on the Tomorrow’s Transactions blog was that I was convinced that Apple would not bother with an NFC interface for the iPhone. Luckily, my blog is not a blockchain, so I could go back and delete this post if I wanted to. But I am gentleman and man of integrity and I cannot do sufficient violence to my conscience to rewrite history in this fundamentally misleading way. Hence my error stands as testimony to my integrity. My reasoning at the time of this broadcast error was that since “app and pay” would eventually come to dominate “tap and pay”, I thought that Apple would focus on the big picture and ignore the age-old card/POS interface. I assumed that they would use Bluetooth, wifi and mobile to link the customer and merchant and eventually dispense with the card in the middle, whether using stripes, chips or NFC. At that time, we had already built an HCE-over-BLE app for a project that we were involved in, so I knew that we could easily obtain better-than-chip-and-PIN security without having to tap anything, and I thought Apple would just ignore it: what did they care, I reasoned, if you can’t use your iPhone to ride the bus* in London?

Well, I was wrong. Apple implemented their own sort-of-NFC (they did not implement the full NFC standard) and they locked down the interface so that third-parties could not gain access. They implemented just enough to get the banks to spend gazillions on the tokenisation infrastructure that was needed to bring that better-than-chip-and-PIN security to online and mobile commerce. Well, it worked. They have created a secure and convenient payment platform. As I wrote before…

Select Apple Pay, thumbprint, done. Why isn’t all in-app purchasing like this. Come to that, why isn’t all purchasing like this. Actually, it soon will be…

From Don’t judge mobile payments by the way they work now | Consult Hyperion

This indeed where Apple is heading, and I’m not the only one who thinks that perhaps people who were focused on the NFC interface at retail POS (and complaining that not enough retailers take it and therefore Apple Pay is a bit of a flop) were missing the bigger picture.

He says Apple Pay is appealing, but he wouldn’t switch banks just to access that one feature. “Not over that. There’s too much work involved just for tap-and-go,”

From Early days, but Apple Pay struggles outside U.S. | Reuters

You can see the point. If you already have a contactless card that works everywhere, it’s not that exciting to be able to tap your phone instead of the card. So people don’t. They already had a perfectly good solution to the card payments problem: a contactless card (or, in my case, a contactless sticker). But the fact that it’s not exciting to tap the phone just does not matter. It’s not the play. There are reasons why I love Apple Pay (especially because I have on more than one occasion forgotten my wallet when going to the office) but when I dropped my iPhone in the toilet and was on an old phone for a couple of days, it didn’t really matter that much because of my contactless Curve card in my back pocket.

The thing is: paying with a plastic credit card isn’t really that difficult. With Apple Pay, the bigger point is that it’s also a way of paying for stuff online.

From Who Cares About the New iPhone Camera? The Real Change Is Apple Pay | WIRED

Brian Rommele, who I always take very seriously about this kind of thing, says that it is already clear that Apple Pay in the browser will be a very big deal indeed. I already find it frustrating when I go to pay in-app and I have to enter a CVV against a card-on-file just as if it were 1996 all over again (I’m talking about you RingGo) instead of just thumbing it so I can see that the in-app and online experience will be transformed.

In my early testing I can confirm that the checkout abandonment rate for websites that use Apple Pay Safari will be reduced significantly.

From The Apple Pay Safari Vs. PayPal Battle For Web Transactions Is An Invalid Argument. — Medium

Who won’t use this? For Apple Pay, Android Pay, Samsung Pay and every other pay, #appandpay is way more important than #tapandpay and way, way more disruptive. Note also that it is a very short step from Apple Pay to Apple ID, where revocable identification tokens are loaded into the tamper-resistant hardware alongside the revocable EMV payment tokens…

* I use my iPhone to ride on London underground, buses and Dockland Light Railway all time. All the time. 

 

 

A funny thing happened on the way to the Forum

The Tomorrow’s Transactions Forum, that is. I arrived in good time (it’s always best to add on a few minutes to give yourself time to buy a ticket) for the 7.39 Flying Glacier to Waterloo via Misery and Degradation. 

 

Of course, Woking station has changed a lot since this picture was taken. There’s a Flying Coffee Bean on Platform 2 now.

Hurrah! When I got into the ticket hall I discovered that they have installed machines to allow you to pick up a ticket that you have purchased online. Great. I have the excellent The Trainline app on my iPhone and it is integrated beautifully with Apple Pay. So you look up the tickets you want, hit “Pay with Apple Pay”, thumb it and away you go. When you get to the station you just thumb it again and tap your iPhone on the machine, it shows you the list of tickets you have purchased, you choose the ones you want and hey presto your tickets pop out.

Brilliant.

Except it isn’t. The machines don’t work this way. You have to take a payment card with you and insert it into a slot and then type in a confirmation number that you were sent by e-mail. It’s actually quicker just to go to one of the other machines and buy your ticket in the usual way.

Joined Up Thinking (Not)

The new machine on the block.

I don’t get it. Surely the Apple Pay token used to buy the ticket can be matched to the Apple Pay token presented at the machine? You should only need to put the card in if you’re forgotten your phone or it is out of battery (and even then they should do it by implementing PARs properly).

Surely South West Trains, when they were planning these machines a few years ago, had at least heard about mobile phones even if they hadn’t actually seen any. And surely they had noticed that something was going with contactless technology? Perhaps one of the South West Train’s Executive Board had overhead their servants talking about “tapping” cards to ride the bus in London and never asked what they meant? Or did they just take it be a some new lingo below stairs, a slang term for writing out a cheque?

They must just have thought that contactless was something happening to other people.

This left me wondering if other train-like options are adopting contactless. I thought I’d give it a try at Heathrow, so I downloaded the Heathrow Express and tried a couple of times to buy a ticket to see if I could use Apple Pay, but the app asked me to scan in my credit card (presumably for some hello-1996 card-not-present transaction) then crashed, so I never to got to see it in action.

So much for joined-up thinking. The whole world is moving to contactless and mobile and the most up-to-date technology on the newest machines installed (I see they got rid of the machine for connecting by video link to customer service) is the decade-old chip and PIN reader. Come on.

Queue at Woking

OK, so sometimes there’s a bit of queue.

Why can’t we buy our tickets on our phones while riding the bus on the way and then just tap and collect when we get to the station?

The only improvement in the ticket purchasing experience at Woking station since it opened on 21st May 1838 — you still stand in line, they still take cash, they still give paper tickets — is that you no longer have to fill out a “reason to travel” form, and I wouldn’t put it past Theresa May to have these re-introduced in time for the next election.

Barclaycard contactless mobile is up and running

I can’t remember if I told you about this cool project that Consult Hyperion has been helping out with over the last year or so. One of our very favourite clients, Barclaycard, decided to exploit the Host Card Emulation (HCE) technology in Android mobile phones and make a payment app so that customers could pay with their phones at any of the 300,000+ contactless terminals in the UK.

Barclaycard is set to become the first financial services provider in the UK to introduce contactless payments from any NFC enabled Android phone via its app

[From Mobile App Transforms Android Phones | News | Home.Barclaycard]

Well, they started rolling it out to customers, and it’s great. It’s the Barclaycard Contactless Mobile app, and it has some interesting features that you should know about.

  • While the contactless limit in the UK is £30, with the Barclaycard app you can perform transactions up to £100 by entering you card PIN on the phone.

  • The app works with Transport for London (TfL) so you can use it to ride the bus and get on the tube.

  • Customers can choose to have “PIN to Pay” on, in which case you have to enter your PIN before all retail payments, even below £30 (except at TfL gates – even with “PIN to Pay” you can just tap and ride).

It’s been designed to be very simple to use, just a single card enabled at any time (no card clash!) and just requires the screen backlight to be on to work for payment. Here’s what it looks like.

Barclaycard HCE

You can choose between your cards and select the one that you want to be active.

Barclaycard HCE

And here’s our very own Matt Barker using the app to buy an actual coffee. When you try the app, you’ll be surprised by how fast and convenient it is.

Barclaycard HCE

And just to prove it – here’s the receipt.

Barclaycard HCE

One of the features I rather like is that they have a real-time replacement service.

Barclaycard customers will be able to use the host card emulation (HCE) function being added to the bank’s app to have lost or stolen plastic cards instantly re-issued to their mobile devices

[From Barclaycard to use HCE to instantly replace lost and stolen cards • NFC World+]

So well done to all the team up at Barclaycard. It’s a great app, and it works really well, and I’m genuinely not just saying that because we helped out. I said from the beginning that HCE would make for some interesting developments. Remember this, from a couple of years ago?

Visa’s support for cloud-based payments follows the introduction of a new feature in the Android mobile operating system called Host Card Emulation (HCE); HCE allows any NFC application on an Android device to emulate a smart card, letting users wave-to-pay with their smartphones, while permitting financial institutions to host payment accounts in a secure, virtual cloud.

[From Visa to Enable Secure, Cloud-Based Mobile Payments | Business Wire]

Now, as we said about it at the time, HCE was an earthquake. It shifted the tectonic plates (the banks, the schemes, the mobile operators, the retailers in my clumsy metaphor) and created new fault lines between them. It’s not as if we were the only people that noticed. Again, from a couple of years ago.

According to Visa head of Digital Solutions for Developed Markets Sam Shrauger, the new cloud-based implementation of its payWave service will free up the NFC payments from a few specialty digital wallets, allowing any developer to embed point-of-sale payment options into their apps.

[From Visa, Mastercard just made it much easier to buy stuff with an Android phone — Tech News and Analysis]

Sam was spot on. Anyone can use HCE to add payments to apps for retailers. But as we’ve seen since that “KitKat” announcement, organisations can also use HCE to add loyalty, ticketing, travel, coupons, access control and all sorts of other fun stuff to their apps! So if you want to take your Android app and figure out how to add secure, reliable tap-and-go magic, give us a call!

Should customers be charged more to use chip and PIN? Yes!

Now that more than one in ten retail card transactions is in the UK is contactless, I think we’re beginning to approach a tipping point around the technology. This is important, because I think it’s a tipping beyond contactless cards and towards mobile and then in-app. I make it my business to collect and collate the weak signals for change around POS, so with that in mind, here’s a recent story from the UK newspapers. A customer was outraged to be surcharged for making a low-value payment with chip and PIN in a fast food outlet.

Bill was faced with this charge at Subway in Brislington, Bristol, where customers were being asked to pay 10p more for using a debit card that wasn’t contactless.

[From No contactless card? That’ll be 10p extra – the Subway charging people MORE to use Chip and PIN – Mirror Online]

I don’t have a problem with this at all and I don’t understand why the readers comments were negative. For one thing, I love Subway sandwiches and for another thing it makes complete sense from any informed perspective for both retailers and customers (almost all of whom have contactless cards anyway and those who don’t can always use Apple Pay, Samsung Pay, Android Pay, a sticker, a watch, a wristband or whatever else). Contactless debit card payments cost the retailers less (and since most low value card payments are debit, that means most low value card payments cost the retailer less) and putting your chip card into a reader and then punching in a PIN wastes time your time and everybody else’s too. I wouldn’t be at all surprised to see more retailers surcharging people who do not pay contactlessly or, any day now, who do not pay in-app.

Overall, 83% of consumers use less cash than they did a year ago with 19% saying they are annoyed if they cannot pay using contactless cards or devices.

[From Bar news | Contactless payments at bars and pubs nearly double]

I wrote about this couple of years ago when I pointed out how illogical it was for retailers to have signs that said they would accept card payments only for transactions above a certain level when it would have been more logical to have signs that said that below a certain level they would accept only contactless card payments. 

It baffles me that some retailers ban you from paying with cards for transactions below £10 when it would be more logical for them to say that transactions below £10 must be contactless

[From Retailers could take more advantage of contactless | Consult Hyperion]

Now, since the acquirers have to price contactless debit payments below their price for contact payments (otherwise they are not a viable cash replacement product) retailers are therefore incentivised to steer to contactless. If you are buying a £5 sandwich, the contactless interchange is only 2p and there’s a limit to how much the acquirers can add on top in a competitive market, hence Subway’s entirely logical structure. Incidentally, this is nothing new. Subway in the UK have always been at the forefront of payment technology. Here’s Forum Friend Julian Niblet writing about them back in 2013:

At least Subway (I really do eat better than this) have a sign which allows you to pay by contactless for any value but has a minimum spend for credit and debit. Somebody there has at least done some maths and realised that they ought to use the nice new kit they have installed.

[From A fresher way to pay? | Consult Hyperion]

Personally (as some of my Twitter correspondents observed) I think Subway should charge 10p more for cash as well, since when customers pay by cash they rarely have the correct change. This means that the person serving has to open up the register and count out the change. But the main issue is how the retailers choose to configure the POS and set the floor limits. Here’s what someone who says they were a Subway employee had to say about the matter.

Standing at the till with a que of 30-40 people you would long for them to pay in cash as subway do not have their card machines connected to the tills. Therefore you have to input the cost, wait for the customer to insert their card,( only after you imputed the price or the machine would crash) and then wait painful minutes on occasion for the machine to contact the bank and have a reply sent. When it comes to contactless it does it immediately.

[From No contactless card? That’ll be 10p extra – the Subway charging people MORE to use Chip and PIN – Mirror Online]

Now you can see why the retailer has the surcharge in place. And, as an aside, cash also also means that at the end of the day the manager has to cash up, reconcile the register and then deposit the cash, wasting even more time and money. Good on you, Subway.

Contactless, eh?

Well here I am in Canada getting ready for the terrific Toronto Tomorrow’s Transactions Unconference 2015 (you can follow it using the hashtag #TTTU2015). It’s such a great country! I love it here. You don’t need cash for anything. The taxi took cards, the coffee shop took cards, everywhere takes cards. And better still, they take contactless cards and so far all of the UK contactless cards that I’ve tried in the terminals here have worked perfectly. What a country.

Tap and pay eh

So everything was going swimmingly until, rather late in the day due to old age / jet lag / blockchain-induced exhaustion, I pottered out to get some breakfast. When I went to pay, I found this.

Tap and tip

I asked the guy at the counter what was wrong with the contactless terminal and he told me that there was nothing wrong with but that they had turned it off because it was causing so many problems. Naturally, I couldn’t resist asking what the problems were and delving into the issue a little more…

It turns out that the problem is tipping. Because of the way that the POS terminal is set up, the customer does not get a chance to enter a tip amount or tip percentage until after a card has been inserted into the contact slot or swiped via the stripe. At this point a menu comes up, the customer chooses the tip and then OKs the total. After they have OK’d it (when the contact card is still in the slot or the stripe data is still in the POS) then the transaction proceeds. There is no mechanism to pre-enter the tip amount or tip percentage before you tap a contactless card and in a restaurant this is of course a major problem because it’s in Canada and is a consequence most of the patrons, including me, both a) want to tip and b) don’t have cash.

As I had not really thought about this before, I was wondering (while using my contactless card entirely successfully to buy a cup of coffee) what should be done. New software and reconfiguration for tens of thousands of terminals in restaurants probably isn’t going to happen, so I was left to conclude that the specific issue of tipping is yet another nudge away from “tap and pay” towards “app and pay”. An app on the phone that is triggered by manual entry of a table number (or some other identifier), by Bluetooth or even by a tap on something is a much better way of allowing the customer to set the tip amount, confirm payment with a thumbprint and then just walk out.

I was reminded of my son’s enthusiastic response to his discovery of a Wagamma app. I think this is more representative of the general public’s response to new payment technology than it appears at first glance and is unlikely to remain a niche for early adopters and teenagers with iPhones. Adding contactless at POS doesn’t change any processes (which is why it frustrates me in some retailers) but getting rid of the POS and having the payment vanish inside an app absolutely does, which is why it is one of the topics that I’m looking forward to discussing at tomorrow’s unconference. See you there.

From haute couture to HCE

My keen interest in fashion is widely known and my role as a facilitator and intermediary between the worlds of payments and fashion is widely respected. I stand as bridge between style and secure elements, between haute couture and HCE.

LFW

On which topic, I’m sure you’ve all seen this from Associated Press, concerning adding a Barclaycard “bPay” contactless payment chip to a sleeve to make a wearable payment device:

Contactless payment technology has been applied to fashion to create the “world’s first” contactless jacket… The jacket – which is going on-sale online and in the brand’s Carnaby Street store – has space in the cuff for a contactless payment chip,

Well, once again I am confirmed in role as trendsetter. I had my first contactless wearable shirt a decade ago (and it still fits me today, so there) and, as I mentioned when I wrote of this topic for Visa Europe, I was even thinking about buying a contactless suit down under last year, but didn’t.

I remember thinking at the time that I wished that the pocket was in my suit rather than in my shirt.

[From Contactless innovation in wearables (nothing new!) | Consult Hyperion]

Only a decade later and my wish has come true. Of course, not only can you put those bPay chips into your jacket cuff, you can put them anywhere else you like. I heard that someone put one in the end of a magic wand that they tap on the reader at TfL gates, presumably while simultaneously shouting out “flipendo” to the bemusement of baffled foreign tourists. I am desperately tempted to offer a prize for a video of the most interesting way to open a TfL gate using a wearable bPay chip, but I’m afraid corporate standards on taste and decency (not to mention relevant local laws) prevent me from doing so.

Will I spend £150 on a jacket just so that I can take the chip out of a Barclaycard band or keyfob and put it in the jacket’s cuff? Probably not (but if they want to send me one I will of course give an entirely unbiased and fair review of said garment on this very blog) but I may be unusual. According the figures, the wearables market is set for serious growth.

According to statistics from IDTechEx, the wearable electronic business will grow to more than $70billion by 2024.

[From Why fashion is set to change the future of payments – » Business Reporter]

Right now wearables means watches, but as any of you who saw the presentation by the very talented artist Heidi Hinder at Tomorrow’s Transactions 2014 will recall, there are people out there working on far more interesting and imaginative solutions!

Contactless limits

So the “contactless limit” (i.e., the maximum amount that a contactless no-PIN transaction can be for) went up to £30 today. This is a reflection of the popularity of contactless in the UK. The latest month for which figures are available (June 2015) shows continued strong growth in such transactions.

  • 81.2m contactless transactions were made this month. This is an increase of 9.6% on the previous month and 240.9% over the year. The volume is split between debit (£70.7m) and credit / charge cards (£10.5m).
  • 259,074 bank-owned terminals are available in the UK where contactless cardholders can make a contactless transaction. This is an increase of 5.6% on the previous month and 35.9% over the year.
  • On average, each contactless transaction is for £6.98. This is split £7.02 on a debit card and £6.73 on a credit / charge card.
[From Contactless statistics]

More was spent on contactless in the first half of this year than the whole of 2014 and that comes after a 300%+ growth in contactless numbers through 2014 itself. The growth is strongest in food and quick-service retail (QSR) as you would expect.

Other sectors leading to the growth in contactless includes supermarkets and food retailers, which accounts for 46% of all contactless transactions, the hospitality sector is close behind with 38% taking place in bars, coffee shops and takeaways. However, the rest of the retail sector has a long way to go, however, accounting for just 13% of contactless transactions across the UK.

[From Contactless payment transactions pass the magical 1bn mark – Retail Gazette]

One of the reasons for the rise to £30 is that use in supermarkets, where the average basket size is (as I understand it) over the existing £20 limit. Just for comparison, in Australia where the contactless limit is $100 (about £50), more than two-thirds of all supermarket transactions are now contactless, so we still have plenty of room for growth.

Note also that London alone accounts for more than a third of all contactless transactions in the UK and this is largely because of TfL’s decision to accept contactless credit and debit cards at the gate. That’s also had a knock-on effect for wider usage. I think the dynamic was that lots of people has contactless cards that they hadn’t used but once they’d used them to get on the bus then they began to use them for cups of coffee and then sandwiches and then the supermarket and such like.

According to Barclaycard data, 30% of card payments in London in 2014 were contactless,

[From Contactless payments taking off in the UK in 2015 | Mobile Transaction]

I use my contactless card (well, the contactless sticker on the back of my phone actually) all the time and so I’m very happy to see the limit rise as I find it super convenient to pay in Marks & Spencer with the phone that is already in my hand.

Stickers are the future

It’s fascinating to me that over the last decade that it has taken contactless to get to the mainstream (the first contactless product that Consult Hyperion worked on was in the US more than ten years ago) the relationship between contactless and mobile has always been strong but convoluted. I think we’re now seeing it stabilise though and the path from tap-and-pay to app-and-pay is becoming clearer. With Apple Pay strengthening, Android Pay and Samsung Pay launching and the boom in in-app solutions, the limit to contactless growth is no longer inherent conservatism, press scare stories or the continued use of chip and PIN but its replacement by mobile solutions (for whom the £30 limit doesn’t apply anyway).

Everybody panic, part 97: contactless cards

Oh no! Shock horror! Something must be done! It’s an outrage! Thank goodness we have a free press to expose this egregious, calamitous, nefarious episode! Questions must be asked in Parliament. Yes, it turns out that a famous author (J. K. Rowling who wrote the tedious “Harry Potter” series of children’s books) has been trimming her hedge.

Shock! Horror!

Oh, and on the front page the non-issue of contactless card security has come up once again, following a report from the consumer organisation “Which?”. They reported that contactless cards work according to their specifications. Using a standard reader they were able to interrogate standard cards and obtain the standard details, which do not include either the cardholder’s name or the security code. You cannot use the details to make a clone contactless card or a clone chip and PIN card or a counterfeit magnetic stripe card.

Yet the Which? researchers managed to buy a £3,000 TV set using one of the cards.

[From Banks want us all to have ‘tap and pay’ cards even though they’re a godsend to fraudsters | Daily Mail Online]

No, they didn’t. They did not use one of the cards. What they did was to use the card number and expiry date with a merchant who does not check the name, address or security code. Retailers are entirely free to do this, it’s up to them. The point of the card system is to protect consumers, not retailers. If retailers decide to deliver a £3,000 TV to a block of flats in Hoxton on the basis of a card number and expiry date (without checking the name, address or security code) then that is their look out. The customer will spot the unusual transaction and charge it back. The bank will charge it back to the merchant. The merchant will be out of £3,000. But it was their choice, so who cares? Anyway, the researchers were surprised that some merchants would behave in this fashion.

We doubted we’d be able to make purchases without the cardholder’s name or CVV code, but we were wrong.

[From Thieves use scanners to steal account details even when contactless card is in your wallet | Daily Mail Online]

Remember, this is the same information that a fraudster could obtain just by looking at your card. Luckily, the newspapers have also had some useful advice for customers concerned about card security.

James keeps his debit card at home and the PIN is still in the sealed letter. That way, if a fraudster takes money from his account, he can easily prove to the bank that he hasn’t used it.

[From There’s nothing James Freedman doesn’t know about fraud … so why won’t HE use contactless cards? | This is Money]

Had the researchers glanced at any or our blog posts about contactless security, starting back in 2006, they would have known about this uninteresting risk. It isn’t news. I’ve suggested before that rather than panic about the non-issue of contactless security, their energies might be better directed toward educating the public about the technology and the distribution of liabilities.

The traditional way of educating the mass market in the UK about anything is to pester the BBC to include it as an EastEnders story line.

[From Crime and contactless]

You may think that I was being flippant with that remark last year but I wasn’t. In fact, the soap opera route has been tried, albeit on the other side.

Coronation Street and Emmerdale will feature Visa’s contactless payment technology from February.

[From TV signs Visa product placement deal for Coronation Street and Emmerdale – Coronation Street News – Soaps – Digital Spy]

Sadly, I have never watched either Coronation Street or Emmerdale, although I know what they are because Harry Hill used to make fun of them on “TV Burp”, so I’m not best-placed to suggest appropriate plot lines. But perhaps one of the characters spotting a £3,000 charge to Currys on their statement and then charging it back might be far too dull.

Now, you might imagine that these stories are so trivial as to be utterly uninteresting. And on the one hand they are. But on the other hand I find them intensely annoying, because they are so insulting. “Fraud alert” over a payment architecture that has been under development for a decade? That’s a headline that suggests that I am a moron. As are the experienced risk analysis and payments architecture experts at Consult Hyperion. As are the risk management experts at retail banks. As are the strategists at Visa and MasterCard.

What are the media thinking? That there is no point over the past decade when it occurred to anybody that because the EMV standard involves the passing of unencrypted data between the card and the point of sale terminal that anyone with a standard reader would be able to obtain the card number and expiry date? That the thousands of people involved in the planning, design, launch and management of contactless cards were as thick as planks? That the issuing banks were so dumb to accept full liability for the fraudulent use of contactless cards that they are going to go out of business? That merchants who accept card numbers and expiry dates without a valid cardholder name or address are simply too dense to understand the liability shift?

Just to be clear. The actual figures (from the UK Cards Association) are that fraud losses from contactless cards are less than for contact cards, for the obvious reason that card numbers are, by and large, stolen online in vast bulk (see, in the Daily Mail, for example “Benson bought stolen credit card details from Russian gangsters”) and not obtained by individual fraudsters waving phones around peoples’ arses (although that would work, as this video shows).

You can tell from the Nokia 6131 used in that video that it was made a good few years ago but, as yet, the gangs of pickpockets in London seem to prefer the old fashioned methods, so you’re much better off carrying a contactless card (that can be refunded in the event of loss) rather than cash (which cannot).

Don’t panic. Unless you spot someone holding their mobile phone a little too close to my backside on the tube, that is.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.