Payment card issuance errors leave you vulnerable to fraud


As Consult Hyperion and many other analysts predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation found that no-touch payments have increased for 69 percent of US retailers surveyed since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.

Fraudsters are always looking for ways to take advantage of potential weaknesses or even inexperience in new payment devices. A recent news story promoted a man-in-the-middle attack in which two phones are used to transfer and manipulate the transaction message between a stolen contactless card and the point of sale terminal.

The best definition of Digital Identity


Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.

Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:

Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.

In one sentence I was trying to capture several points:

  • Digital identity is a means to an end not an end in itself
  • It’s bi-directional – in any transaction both parties need to have confidence in the other party
  • It’s about the information you need to share, which will vary considerably between contexts.
  • It protects privacy by only sharing the information (or claims) necessary.

Contact-free and App Clips in Apple’s iOS 14


The Use of Contact-free is Accelerating

At Consult Hyperion, we have already seen the pandemic accelerate the adoption of contact-free payments in the face-to-face environment as customers have become wary of catching COVID by touching shared devices, such as self-service terminals and PIN pads. The use of personal devices for payments is hardly new, but the attraction of an in-app/in-store version of mobile payments, whereby the consumer uses an app on their own device to interact with the retailer or service provider and pay for services, has just increased dramatically. Solutions for parking (RingGo) and for restaurants (like the Wahaca app, powered by Judopay) were already demonstrating the benefits of such an approach for customers and businesses before COVID struck.

DIACC announces launch of the Pan-Canadian Trust Framework


The Digital ID & Authentication Council of Canada (“DIACC”) announced the launch of the Pan-Canadian Trust Framework™ (“PCTF”) this week, a set of digital ID and authentication industry standards that will define how digital ID will roll out across Canada. Its launch marks the shift from the framework’s development into official operation and will begin alpha testing by public and private sector members in Canada. The alpha testing will inform the launch of DIACC’s PCTF Voila Verified Trustmark Assurance Program (“Voila Verified”), set to launch next year.

4+4 | Strategic thinking for post-pandemic payments


Early on in the pandemic my colleagues at Consult Hyperion and I did a lot of research to explore how it might impact our customers and our customers’ customers, just as I am sure every other organisation in the payments sector did. We looked at a lot of speculative forecasts, we looked at research and analysis from quite a wide range of organisations in the financial sector and beyond, we spoke to a number of people in the industry and we took part in a fair few discussions and debates on the topic. As a result of this, we identified a number of strategic areas where stakeholders in the payment space should be developing or at least preparing their strategies and where they should be planning for some changes to take them through and beyond the COVID-19 crisis.

Travel Broke and Broken

The ongoing COVID-19 crisis has been ruthlessly exposing fragile business models and weak balance sheets across a whole range of industries but perhaps never more so than in the travel business. In fairness, no one could have anticipated a global, government dictated total shutdown and no business models could ever be flexible enough to support such an improbable scenario. Still, it’s become clear that many travel industry companies are effectively broke and that the payments model they rely on is broken. Going forward we need a better and more sustainable approach to payments in the industry.

Most travel industry payments rely on payment cards, so it’s worth starting by recapping how most card payment models work. When a cardholder makes a payment to a merchant, either in store or, increasingly, online, this is routed to the merchant’s card acquirer. The acquirer has a direct relationship with the merchant in the same way that a card issuer has a direct relationship with cardholders, and the acquirer will route the payment request to the relevant issuer, usually by sending the request to a payment scheme which uses the card number to identify the correct issuer. If the issuer approves the transaction then the response is routed back through the same path and the purchase is completed. This is no different from any other card payment, although there are hidden complexities where the merchant is an online travel agent sourcing flights, hotels, etc. from multiple underlying vendors. However, that’s a detail.

The tension in facial recognition


The rise of facial recognition technology and the erosion of privacy

In the 2002 movie Minority Report, Tom Cruise’s character has his eyes surgically replaced so he can avoid being identified by the all-pervasive retina scanning system that the state uses to track people… and of course, uses to show targeted ads to people. This is a rather dystopian view of the broad application of biometrics technology.  However, judging by a lawsuit targeting Macy’s for their use of Clearview AI’s facial recognition technology in their stores, it seems that staying anonymous in the bricks and mortar world is becoming a little more like the movie. Whilst you may not require surgery, you may soon require something akin to glasses and a fake beard to avoid being tracked. The issue here is that Clearview AI has been scraping images from publicly viewable sources on the web for a while, enabling them to create a database of facial biometrics against which to match captured facial images. Amongst the sources of this data are Facebook, Twitter, LinkedIn, YouTube and Vimeo, with some of these companies having sent cease and desist letters to Clearview AI for breach of their terms of service.  The aim it seems is for Clearview AI to create a one-to-many facial recognition solution that can identify an individual from only an image of their face from anyone who is in a photo or video on the web.  Based on a report on Buzzfeed, they were working with over 2000 companies as of February 2020, and they are probably not alone, so perhaps we should be concerned.

What does Apple’s purchase of Mobeewave mean for SoftPOS?


Using mobile devices for securing payments has been, and continues to be, a key area of interest for Consult Hyperion and our customers.  We have helped many of our clients in this space from: providing advice on the market landscape, advising on security, testing security, developing security architectures, and building solutions.  Apple’s purchase of Mobeewave a couple of weeks ago has caught our, and everyone else’s, attention.  This gives us some time to reflect on this and consider what it means for the SoftPOS industry and ecosystems.

City Currency

The pandemic has revived interest in a topic that has surfaced repeatedly in Tomorrow’s Transactions events over the years, and that is the issue of local and complementary currencies. The Bristol Pound, the Brixton Pound, the Lewes Pound and many other experiments have sprung up around the country (indeed, around the world) to try to stimulate and regenerate local and regional trade and prosperity in response to the changing economic circumstances. We tend to think of currencies as being instruments of the nation state but that’s actually a recent invention in the great scheme of things. There’s no reason to see optimal currency areas as inviolable laws of nature rather than transitional borders under prevailing monetary and financial arrangements.

Back to the future – QR codes are coming


Who’d have thought that the humble barcode – reimagined in 3D – would have posed a genuine threat to the global behemoths that are the international card payments schemes?  And, of all the times, why now? Well, as always, there’s no single answer. We’re seeing multiple trends coalescing to drive uptake of QR code initiated payments, but the announcement by PayPal that they’re rolling their solution out to all CVS stores is perhaps a critical moment:

PayPal and InComm on Thursday (July 30) unveiled a QR code payment system that will enable touchless checkouts by PayPal and Venmo users with their mobile phones at brick-and-mortar stores.

Paypal teams up with CVS to offer touch-free payments

It’s not so much that it makes QR codes mainstream, it’s more that it validates the point that they’re a perfectly viable way of making in-store payments, and then tying it to an e-comm type payment method: now that’s replicable. Four things are coming together to drive the adoption of QR codes:

  1. Smartphones: The widespread availability of smartphones makes them a perfect solution for retail payments. If everyone has one then creating a pervasive alternative to card payments is possible.
  2. Connectivity: In fact it’s not absolutely necessary to always have mobile data connectivity to allow QR code based payments, but it helps manage the risk. And even where mobile data isn’t available a lot of mainstream retail chains are providing in-store WiFi or Bluetooth capability.
  3. COVID-19: Suddenly contact-free payments are the way to go – and QR Code initiated payments are a guaranteed way of ensuring that payments can be made without touching merchant equipment.
  4. Integrated retail experiences – “omnichannel”: Merchants with a good omnichannel experience are having a better crisis because the ability to order and pay on one channel and fulfil on another is critical. Increasingly merchant POS estates have API based access to backend systems which can be used to access QR code authorisation or approval channels.

The pay-by-app model we’ve been touting for years is actually, finally, coming to fruition. Lots of individual merchants, and probably every major supermarket chain in the world, have their own app that allows QR code based payments. Those apps allow a range of other functions to be integrated, including scanning, checkout, automated loyalty redemption and real-time customer data analytics. The ability to make the customer relationship sticky is attractive, and with the average supermarket basket value increasing as customers shop bigger and less often, ensuring that you’re the retail destination of choice is critical.

Behind this, however, is another change – and one that the PayPal deal with CVS lays bare. There is nothing that forces one of these QR code initiated payment apps to use payment cards as the means of transaction. Sure, they’ll be there as a backup but any API-based payment solution – and there are hundreds, if not thousands – can be integrated. As direct to account payment APIs, such as the PSD2 payment initiation API that’s mandated in Europe, become more widespread, it will be possible to go direct to the payment account in order to authorise payments.

This trend has other, major implications for other aspects of payments such as settlement and refunds but, as we can see from our own clients, a lot of thought and effort is going into resolving those issues. For retailers who can see lower cost of payments, reduced fraud, significant reductions in the cost of handling chargebacks and faster settlement this is a win-win-win-win situation.

As you might surmise, here at Consult Hyperion, we are heavily involved in all aspects of this change. From helping to develop and secure the apps, to advising on the business and governance models, through to designing and developing the solutions, and providing regulatory advice. We’re leaders in the field. If you’re interested come back to the future with us, QR codes are coming…

