Leveraging the payment networks for immunity passports


As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.

I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?

It is no longer unusual for a company in the City to regularly test its employees before allowing them to work in their offices and support the additional costs of their commute avoiding public transport.

Billions are being invested in vaccine research and tests to confirm that we have the antibodies to protect us and those with whom we interact. But will that be sufficient? Will it allow you to visit your relatives in the care home, sit inside your favorite restaurant, work in close proximity to your colleagues and/or travel without the need to quarantine for 14 days when you arrive and/or return?

Experience would suggest that over the next year or so a variety of vaccinations and tests will be released, which will work to a greater or lesser extent. The question will be: ‘is the vaccination, or test, recognized by the venue (and their insurers), or country, which you are trying to enter?’

For some organizations, the fact that the COVID-19 tracing application on your phone turns green, will be sufficient. Others will only recognize specific vaccinations and tests and will want to check that the immunizations are still valid. Both will be concerned by the availability of fake immunity certificates. Thus, in parallel with the medical developments, we have to implement a robust and efficient method of sharing and remotely validating the immunity certificates or passports that they will deliver.

Those of us who regularly travel in North Africa and South America are used to handing over our yellow International Certificate of Vaccination or Prophylaxis (ICVP), with our passport, to prove that we had yellow fever vaccine. This program, which is governed by International Health Regulations, could provide the governance framework for the operation of the COVID-19 immunity passports.

Over the last few months, Consult Hyperion has proven that the contactless payment networks, which allow you to use your credit or debit card anywhere in the world, can also be used to share and remotely validate your COVID-19 immunity passport.

Our idea is that anywhere you can use your payment card you can also validate that you have the required immunity to enter the building or country. As with your payment transaction, an organization can choose whether or not to accept your immunity passport based on the:

  • Issuer of the immunity passport
  • Vaccinations and/or tests administered
  • Date when the vaccinations and/or tests were administered
  • Potential that the passport is a fake or you are not the genuine passport holder

If required, the organization can also revert to the issuer of the immunity passport to check there and then that your passport is still valid.

The consumer experience delivered by the immunity passport is similar to that of a contactless, Apple Pay or Google Pay transaction. The immunity passport is stored in a secure application in your smartphone or biometric smartcard. When asked to prove your Immunity Status you use your fingerprint to authenticate yourself to your phone/card and then touch your phone/card to a contactless reader. An application on the reader validates your immunity passport and passes only the required information to the restaurateur, owner of the care home or office or border control officer.

From the international community’s perspective, the payment infrastructure over which the immunity passports are shared and remotely validated is in place, proven and robust. It is supported by a raft of rules administered by PCI, which protect the security of personal information, at rest and in flight, within the system. There is an active marketplace for cheap, certified readers, operating secure protocols, which offer Contact Free validation of the immunity passport away from the classical point of sale locations. These include mPOS and SoftPOS solutions which allow a standard mobile phone to be used as a contactless payment terminal, and ruggedized terminals used to validate tickets in high traffic areas, such as the entrance to sports arenas and concert venues.

While the world waits to see if the science supports the ability to establish immunity to COVID-19, and society works through the implications of immune people being able to avoid restrictions which apply to others, we technologists need to prepare the infrastructure that will allow people to share and validate immunity passports.

One of the things I love about working at Consult Hyperion is that we regularly come up with, and deliver, ideas that significantly impact people’s lives – contact and contactless payment cards (worldwide), M-PESA (Kenya), Open Loop Transit Ticketing (London) and more recently SoftPOS (London), just to mention a few. Something tells me that immunity passports will be the next. If you are interested and would like to help deliver the network that will allow life to return to something close to ‘old normal’, please let me know.

2020 | Challenging our Resilience

Twenty-Twenty. What could go wrong in such a perfectly numbered year? Sadly, we all know the answer to that: Everything.

2020 has been dominated by the COVID-19 pandemic threatening our way of life, challenging our resourcefulness and resilience, on a global scale not experienced since the World War ended 75 years ago.

In 2020, some businesses with a strong digital presence have shown resilience by shifting all their operations online and moving to full-on remote working, adapting to a period of indefinite social distancing. Broadband connectivity was a key factor in keeping the lights on for those businesses. When the stay-at-home order came into full force in the UK, most feared the impact this would have on broadband performance all around. They anticipated a struggle along with their neighbours, stuck at home looking for ways to keep connected with their loved ones and colleagues, and to keep themselves entertained online. No doubt these were all valid concerns for us, domiciled warriors, called to take up arms to save lives by, ahem, manning the recliner, among other things. Yet, lo and behold, most of the ISPs in the UK had no major trouble adapting, and stood their ground as their resilient systems faced this sudden, indefinite surge in demand as the pandemic unfolded.

Our clients often require us to look at business continuity and resilience planning for the critical information systems supporting their services. Resilience describes the ability to adapt and recover from disruptive trends or adverse events, like those caused by COVID-19 or a cyber attack. These occurrences have the potential to dramatically impact service delivery and operations, which sometimes can translate to an existential crisis for an organisation, in turn impacting their customers. For instance, there is heavy disruption in the transit sector, as airlines and public transport continue to incur losses due to the presence of the virus and imposed defensive measures. This has severely limited their actions and recovery strategies.

But what constitutes good resilience planning?

In the words of Lord Baden-Powell, founder of the scouts movement: be preparedfor any old thing. He probably did not have a pandemic in mind, when he uttered that scout motto the first time, but nonetheless being prepared is what gives us that fighting chance. In practice, to be prepared translates into having a strong, proactive understanding and control of the different factors affecting the outcome of any survival situation, as outlined in Figure 1. Moreover, as much as we would like to prepare for any eventuality, resilience planning involves choices. And you can only make the best choices if you have a proper understanding of risk and cost.

Factors influencing resilience potential
Figure 1

There is more to resilience planning than just infrastructure

All this brings us to an important point. There is more to resilience planning than just infrastructure. In fact, resilience planning should be embedded in the culture of an organisation, and its people, particularly if they are providing a critical service to the nation, such as healthcare, telecommunications, financial, postal, or ensuring essential supplies are available.

Resilience planning gives an organisation a strong foundation to face disruption and adversity. This increases their chances of survival, ensuring they can react appropriately, readily accept and adapt to the situation, and eventually recover their operations in a cost-effective manner. Here is what it entails:

Organisational culture and communication arguably constitute the backbone of resilience

You must ensure that the people in your organisation can readily get their act together when faced with the unexpected. Everyone must be aware of their responsibilities. This includes the leadership and external stakeholders who must clearly understand what is expected of them. Their role is critical in determining the priorities and strategy. All this requires buy-in from all stakeholders to ensure the team remains cohesive and productive through adversity. This can be challenging in a continually evolving situation, demanding alternative strategies. If not careful, it is easy to lose buy-in along the way, create division and make key decisions using outdated information, all of which could break you. As such, it is crucial that communication is succinct and unambiguous, which helps maintain the necessary team dynamics and continuous situational awareness for informed decision-making.

A positive attitude can help you readily accept a difficult situation, so that you can focus your effort on recovering from adversity

You should promote a positive attitude, thereby fuelling the will and drive to achieve the objectives and implement the strategy.  When facing adversity, it is necessary to refrain from dwelling on negative thoughts that undermine productivity, teamwork, and your capability to overcome the crisis.

Creativity and an open mind allow you to increase the solution space to your problems

You need to be creative, but grounded. You must be ready to waive or compromise on unfounded beliefs and preconceptions, which would usually prevent you from trying out alternative options. You should be open to trying new things. You should seek to fail fast, where possible, and pivot to other options, when the chosen course is not conducive to the intended results.

The shift of the whole workforce to working remotely during the pandemic is a great example. Many employers would not have considered such a move previously, citing security and lack of productivity as potential hurdles. However, this change was forced on companies overnight, and many are now acknowledging that there are significant advantages, suggesting that remote working is here to stay.

Your timely and effective response to adversity is dependent on your capabilities, expertise, and the honed skills of the organisation

You should develop and optimise capabilities in support of your strategy and operations, contributing to a quicker and more effective response. For example, this could be by leveraging technology that enables alternative ways to automate operations or deliver services and engage with consumers, for instance, through eCommerce, mobile, IoT or Machine Learning-enabled solutions.

Furthermore, the skills, knowledge, and experience of the workforce are a key part of your operational capabilities. Therefore, you should continuously develop and expand the workforce expertise, with the goal of boosting their confidence, maximising their strengths, whilst circumventing weaknesses.  To maximise resilience, it is fundamental to train a cohesive workforce that can operate as a team, rapidly reacting in an efficient and effective manner, exhibiting high expertise capable of overcoming adversity.

Moreover, you must gauge these capabilities for an early indication of what is working and what is not. These key indicators should measure and track performance in line with your objectives. This is true for normal operations, but even more important in a time of crisis. Key performance indicators provide bearings, feeding into building the situational awareness to make informed decisions.

Protect your people and other key resources at the heart of the operations – without them you are dead in the water

Your people and material assets, such as hardware, software, and data, together with procedures, make up the various information systems at the heart of your organisation. These systems enable you to keep functioning as a business. An adversity can impact the confidentiality, integrity, or availability of these resources. Therefore, it is crucial that operational resources are protected and sufficiently resilient. To maximise the resilience of your information systems:

  • the right resources must be acquired and deployed,
  • the resources must satisfy the necessary non-functional qualities (as applicable),
  • appropriate contingency measures must be implemented, depending on the requirements, risk appetite, and available budget of an organisation.

Resilient information systems will be secure, modular, highly available, scalable, interoperable, maintainable, sustainable, and probably a few more qualities as required. Over the past years, cloud-based services have become popular as they provide and manage resilient resources on behalf of an organisation. Having said that, their increased use has also become a systemic risk, prompting calls for regulating these providers to ensure high standards of operational resilience.

And, do not forget to protect your financial resources as well

Your resilience is also crucially dependent on the financial resources at your disposal, especially, during a crisis. Therefore, you must plan contingency measures around these financial resources, including taking out insurance, establishing emergency reserve funds and seeking alternative sources of financing that can be easily tapped into during a crisis.

Learn to leverage your operational environment to seek opportunities and boost your resilience potential, whilst addressing potential threats

You must profoundly understand your operational environment, including the consumer demographics and behaviour, competition, technology and market disruptive trends, and other aspects of the environment in which your organisation operates, especially during a survival situation. Acquiring the right information in a timely manner can determine the reaction and recovery speed from a disruption or an adversity. An organisation must have mechanisms in place to continuously gather intelligence on their operational environment, feed it into its risk management process and assess its impact. This process relies on the culture and communication, capabilities, and resources of the organisation to efficiently, and effectively, build that foresight into how opportunities can be leveraged, and the risk of threats mitigated.

United we stand, divided we fall – look out for collaboration opportunities and alliances that will help you withstand adversities

You should seek to build alliances with external support systems that could be leveraged, especially, during an adversity. This is particularly important in overwhelming adversities, which would need the intervention of these support systems to increase the chances of survival. This could manifest in various forms, including a collaboration agreement with other players, support from the government, open data platforms, outsourcing opportunities, reliance on other ecosystems (e.g. identity management systems), standards and associations that provide stability in the environment. For instance, locked-down restaurants were able to scale up their food take-away service through sharing economy-based logistics services, like Deliveroo and Uber Eats, highlighting the importance of online-to-offline logistics services. In another example, several governments have stepped in to help businesses cover wages for their employees, who were at risk of losing their jobs due to the imposed lockdown measures. Perhaps the increased risk of pandemics, over the years, should warrant that joint emergency fund schemes, between the government and private industries, should be formally established to cushion the economic blow, when the world is next placed on lockdown.

Master your limitations, policies, and relevant rules and regulations, as they will constrain the type of response to adversity

Organisations operate according to certain rules and within certain constraints. The rules and constraints could be due to resource limitations, policies within an organisation or regulations imposed by third parties, e.g. government, central bank, or other regulators. These rules and constraints define the boundaries of possibilities of an organisation to react and recover from an adversity. Therefore, you should gain a strong understanding and be aware of them.

Your information system resources have their own limitations, which constrain the capabilities and operations of your organisation. These limitations are exacerbated in times of crisis. For instance, COVID-19 quarantine measures have further reduced, already limited, personnel to carry out business functions. In another example, system architectural designs have known limitations that are accepted under normal circumstances, but what is the impact of those during a disruption or adversity.  You need to understand those limitations, and the associated risk. You can either accept them as is, try to mitigate them or seek to remove them. Resource limitations have a habit of coming back to bite, especially during an ongoing crisis.

With regards to rules and third-party regulations, they aim to provide many benefits, including order and stability, setting standards, ensuring fair game for all players, reducing or preventing the perpetration of crime, supporting innovation, protecting the consumers and their privacy.  However, some regulations have the unintended consequence of stifling innovation and creativity. Therefore, you must look towards ways of continuously monitoring these rules and regulations, so that you can assess their implications and ensure that their intended effect is being realised.

You must build trust and promote an open dialogue with policy makers and regulatory authorities to make sure rules and regulations are there to serve and protect, rather than being detrimental. That trust and dialogue will become even more important during a crisis, where timely relaxation of rules and regulations, with the right mitigation in place, could give breathing space to struggling organisations, and enable lifesaving opportunities. A recurring topic in COVID-19 is the potential trade-off between data privacy and enabling technologies that could aggressively flatten the disease spread, hopefully, eradicating it completely, which has been extensively discussed in our webinar series. Another example featured during the pandemic is the increase in contactless limits on card payments to minimise contact that could spread the disease.

Resilience planning is a probability affair, so make sure you assess and manage your risks and costs carefully

Your choices and actions during resilience planning are driven by a solid understanding of the risks to the organisation, and the resulting impact of not being prepared for an adversity. Those risks are then weighed against the probable cost of implementing proactive measures. As such, risk management is crucial to any organisation, especially during a survival situation. The risks should be communicated clearly to relevant stakeholders, ensuring they all know what is at stake, especially the hard decisions and difficult scenarios, which would need to be considered because of those risks. Furthermore, risk management is also key to informed decision-making whilst reacting to an adversity, ensuring resources and effort are directed in a cost-effective manner to increase the chances of survival and recovery.

Lastly, be prepared by contacting us, of course, to learn more on how you can maximise your potential for resilience

If you would like to know more on how your organisation can maximise its potential for resilience, feel free to contact us. We look forward to discussing your needs and helping you understand your risks, using our tried and tested Structured Risk Analysis (SRA) method. Furthermore, we are planning a webinar that further explores the concept of resilience, with real-world examples from guest speakers. So make sure you are registered, if you don’t want to miss out.

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.