TLS, DSS, and NCS(C)

As I was scanning my list of security-related posts and articles recently, my eye was drawn by the first sentence of an article on (Google security engineer) Adam Langley’s blog, indicating that Her Majesty’s Government does not understand TLS 1.3. Of course, my first thought was that since HMG doesn’t seem to understand the principles of encryption itself, it’s hardly surprising that they don’t understand TLS. However, these aren’t the thoughts of an understandably non-technical politician but instead those of Ian Levy, the Technical Director of the National Cyber Security Centre at GCHQ – someone you’d hope does understand encryption and TLS. Now normally, I would read this type of article without feeling the need to comment. So what’s different?

Well, following the bulk of the article discussing how proxies are currently used by enterprises to examine and control the data leaving their organisation, by in effect masquerading as the intended server and intercepting the TLS connection, is the following throwaway line:

For example, it looks like TLS 1.3 services are probably incompatible with the payment industry standard PCI-DSS…

Could this be true? Why would it be true? The author provided no rationale for this claim. So, again in the spirit of Adam Langley, “it is necessary to write something, if only to have a pointer ready for when people start citing it as evidence.”

Adam’s own response – again following a discussion about how the problem with proxies is their implementation, not with TLS – is that

…the PCI-DSS requirements are general enough to adapt to new versions of TLS and, if TLS 1.2 is sufficient, then TLS 1.3 is better. (Even those misunderstanding aspects of TLS 1.3 are saying it’s stronger than 1.2.)

which would seem to make sense. Not only that, but

[TLS 1.3] is a major improvement in TLS and lets us eliminate session-ticket encryption keys as a mass-decryption threat, which both PCI-DSS- and HIPAA-compliance experts should take great interest in.

In turn, Ian follows up to clarify that it’s not TLS itself that could present problems, but the audit process employed by organisations

The reference to regulatory standards wasn’t intended to call into question the ability of TLS 1.3 to meet the data protection standards. It was all about the potential to affect (badly) audit regimes that regulated industries have to perform. Right or wrong, many of them rely on TLS proxies as part of this, and this will get harder for them.

So that’s alright. TLS 1.3 is not incompatible with PCI DSS. So what is the problem?  Well, helpfully, Simon Gibson outlined this in 2016:

…regulated industries like healthcare and financial services, which have to comply with HIPAA or PCI-DSS, may face certain challenges when moving to TLS 1.3 if they have controls that say, “None of this data will have X, Y, or Z in it” or “This data will never leave this confine and we can prove it by inspecting it.” In order to prove compliance with those controls, they have to look inside the SSL traffic. However, if their infrastructure can’t see traffic or is not set up to be inline with everything that is out of band in their PCI-DSS, they can’t show that their controls are working. And if they’re out of compliance, they might also be out of business.

So the problem is not that TLS 1.3 is incompatible with PCI DSS. It’s that some organisations may have defined controls with which they will no longer be able to show compliance. They may still be compliant with PCI DSS – especially if the only change is to upgrade to TLS 1.3 and keep all else equal – but cannot demonstrate this. So what’s to be done?

Well, you could redefine the controls if necessary. If your control requires you to potentially degrade, if not break, the very security that you’re using to achieve compliance in the first place, is it really suitable? In the case of the two example controls above, however, neither of them should actually require inspection of SSL traffic.

For the organisation to be compliant in the first place, access to the data must only be possible for authorised personnel on authorised (i.e. controlled) systems. If you control the system, you can stop that data leaving the organisation more effectively by prohibiting its access to arbitrary machines in the external world. After all, you have presumably restricted access to any USB and other physical storage connectors, and you hopefully also have controls around visual and other recording devices in the secured area. It is difficult in today’s electronic world to think of a situation where a human (other than the cardholder) absolutely must have access to a full card number without (PCI DSS-compliant) alternatives being available.

So TLS 1.3 is a challenge to organisations who are using faulty proxies and/or inadequate controls already. It certainly doesn’t make you instantly non-compliant with PCI DSS.
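The audit record that matters here can come from the endpoint rather than from an intercepting proxy. The following is an added example (not code from the original post or from Consult Hyperion) in Go, which is what a client might log after each handshake: the negotiated version and who issued the leaf certificate. A proxy that masquerades as the server presents a certificate that still passes the hostname check, so only the issuer reveals interception, and a TLS 1.3 negotiation by itself is not a compliance failure. The organisation names, the host `payments.example` and the `ProxyCAs` list are constructed for the example; `FromState` shows where a live `tls.ConnectionState` would plug in.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// ProxyCAs is a constructed allow-list: organisations known to run an
// intercepting TLS proxy inside a hypothetical enterprise.
var ProxyCAs = map[string]bool{"Example Corp Internal CA": true}

// HandshakeReport is what one audit log line records about a connection.
type HandshakeReport struct {
	Version     string
	IssuerOrg   string
	HostMatches bool // leaf certificate is valid for the requested host
	Intercepted bool // leaf was issued by one of the known proxy CAs
	Acceptable  bool // negotiated version meets the control's minimum (TLS 1.2+)
}

// versionName maps Go's tls.Version* constants to the names auditors use.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS13:
		return "TLS 1.3"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS10:
		return "TLS 1.0"
	}
	return fmt.Sprintf("unknown(0x%04x)", v)
}

// Classify evaluates the negotiated version and the leaf certificate. A
// proxy-issued leaf still passes VerifyHostname, so the issuer organisation
// is the field that reveals interception.
func Classify(host string, version uint16, leaf *x509.Certificate, proxyCAs map[string]bool) HandshakeReport {
	r := HandshakeReport{Version: versionName(version), Acceptable: version >= tls.VersionTLS12}
	if leaf == nil {
		return r
	}
	if len(leaf.Issuer.Organization) > 0 {
		r.IssuerOrg = leaf.Issuer.Organization[0]
	}
	r.HostMatches = leaf.VerifyHostname(host) == nil
	r.Intercepted = proxyCAs[r.IssuerOrg]
	return r
}

// FromState is the hook for a live connection: after a tls.Conn handshake,
// pass conn.ConnectionState() here.
func FromState(host string, st tls.ConnectionState, proxyCAs map[string]bool) HandshakeReport {
	var leaf *x509.Certificate
	if len(st.PeerCertificates) > 0 {
		leaf = st.PeerCertificates[0]
	}
	return Classify(host, st.Version, leaf, proxyCAs)
}

// SampleLeaf builds a constructed leaf certificate (no DER, only the fields
// Classify reads) as issued by issuerOrg for host.
func SampleLeaf(issuerOrg, host string) *x509.Certificate {
	return &x509.Certificate{
		Issuer:   pkix.Name{Organization: []string{issuerOrg}},
		DNSNames: []string{host},
	}
}

func main() {
	host := "payments.example" // constructed
	direct := Classify(host, tls.VersionTLS13, SampleLeaf("Example Public CA", host), ProxyCAs)
	proxied := Classify(host, tls.VersionTLS13, SampleLeaf("Example Corp Internal CA", host), ProxyCAs)
	legacy := Classify(host, tls.VersionTLS10, SampleLeaf("Example Public CA", host), ProxyCAs)
	fmt.Printf("direct:  %+v\nproxied: %+v\nlegacy:  %+v\n", direct, proxied, legacy)
}
```

Note that `HostMatches` is true in both the direct and the proxied case; that is the point. Retiring the proxy removes the `Intercepted` entries from the log without changing whether the version control is met.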

Given this, we, as humble international payments security consultants, are left puzzled by the NCSC’s line about TLS 1.3 and PCI DSS compatibility. At worst, organisations need to redefine their audit processes to use the enhanced security of TLS 1.3, rather than degrade their security to meet out of date compliance procedures. But, of course, this is the type of problem we deal with all the time, as we’re frequently called in to help payment institutions address security risks and compliance issues. TLS 1.3 is just another tool in a complex security landscape, but it’s a valuable one that we’re adding to our toolkit in order to help our clients proactively manage their cyber defences.

When is an acceptance mark not a mark of acceptance?

As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange.  It is a safe bet that (with the odd exception) cash will be one of your available options.  Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?

Well, you could talk to someone, of course.  But this isn’t always possible, for instance due to language barriers.  Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.

[Image: bitcoin accepted in Swindon]

The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display.  The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.

I say ‘should be possible’ because, unfortunately, this is not always the case.  For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments.  Still – whilst not as convenient, the payment can still be completed via Chip & PIN.

But now adding to the mix we have a brand new acceptance mark for Apple Pay.  On the face of it, this seems a sensible decision.  After all, if you want to use Apple Pay then it’s good to know where you can use it.  But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol.  Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.

[Image: Apple Pay at TfL]

What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark.  It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction.  For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)

[Image: Rory Cellan-Jones at Pret]

But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all.  Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay.  Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?

Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees.  As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme.  This Article provides that:

Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.

In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept.  Merchants may, for instance, choose to accept only debit cards and not credit.  Or they may choose to accept everything except higher-fee rewards cards.  “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.

To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU.  In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information.  It is not yet clear how a non-EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.

So, when is an acceptance mark not a mark of acceptance?  Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.

Friends and relations

While I was sitting through a presentation (a very good presentation, I might add) on social media strategy for one of our client’s financial services businesses, it struck me that they were slightly misjudging the more interactive and transactional nature of social media, doing great stuff but treating social media as another customer communication channel. I’m naturally more interested in social media for transactions: social commerce. I’ve given a couple of talks about this recently, pointing out the opportunities that social commerce opens up.

One prediction says social commerce will top $30 billion globally by 2015 with Facebook-generated sales one of the primary drivers.

[From Infographic: The history of F-commerce | SMI]

There are many different ways that financial services organisations can exploit this. A good example, to my mind, is the way in which Amex works with Foursquare.

Just after announcing that it passed 10 million users, location-based check-in service Foursquare has said it is partnering with American Express to give members even better deals when they check in at merchants’ stores across the country.

[From Foursquare partners with American Express for deal check-ins | VentureBeat]

This is a terrific proposition and it’s well implemented (through statement credits, so no coupons or vouchers or anything are needed). And, to follow this example, Amex also has a Facebook page where its large number of fans can come to learn about products and services, share with the community of card holders and so on. Great stuff. And it isn’t only financial services organisations that are integrating themselves into social media to create new kinds of social commerce.

That is because the well-known mobile service provider is now allowing its customers to log on to Facebook to purchase phone credit.

[From O2 details new contactless payment technique]

Wow, that’s pretty interesting.

Pre-paid subscribers will now be able to access a secure app on the social networking website, where they will put in credit card details in order to purchase top ups.

[From O2 details new contactless payment technique]

Credit card details? Not Facebook credits? But you get the picture. Something like Facebook can be used to create a more intimate transactional environment without having to develop software, making it easy for consumers to “friend” and “like” and so forth. Personally, I don’t find this sort of thing particularly appealing because to me it’s the wrong kind of social relationship: I want something more granular.

Here’s what I mean. I don’t want to be friends with my bank — after all, I’m a typical consumer so I hate banks — but I do want to be friends with my bank account. Why can’t Barclays let me friend my current account so I can see its status updates like “Premium card fee £10.00”, “Direct Debit British Gas £37.85” and “Counter Credit £5.00” and so forth? I quite like the text messages that Barclays sends me but would prefer something more immediate and more detailed (I often call this “streaming commerce”) so that I can make decisions and respond.

Similarly, I don’t especially want to be friends with MBNA, but I do want to be friends with my MBNA American Express card. I’m using “friend” generically, of course, I don’t mean to imply that Facebook is the one and only way to implement a social media strategy.

Facebook usage in the UK fell nearly 4pc in July to its lowest level since 2009, sparking concerns that the social network has hit its peak and may be declining in popularity.

[From Facebook usage falls to three-year low – Telegraph]

I don’t use Facebook that much — it’s really for sharing with my brother and sister, other family members and a few old friends — and I’ve not got a crystal ball to see whether we’ll still be using it in a couple of years.

Many of the smartest people I know are leaving Facebook as well. I predict we’ll see many people leaving over the coming months and adopting Twitter.

[From The Facebook Exodus and the Future of Human Communication « Far Beyond The Stars | Cyborgs, second selves and cybernetic yogis]

My idea would work even better with Twitter though. Suppose Twitter made a small change to their system so that a user could opt to be in “secure” mode. A secure mode user can only be followed (or searched) by users in their “secure list” or whatever. Then, my MasterCard could be secure user “mc-53XX-XXXX-XXXX-XXXX”, and the only name in its secure list would be “@dgwbirch”. Now, when anyone else tries to follow or search for mc-53XX-XXXX-XXXX-XXXX they see nothing.

I’d love to follow my John Lewis MasterCard on Twitter in this way instead of having to log in to find out what it’s been up to. Since I use Twitter all day and every day anyway, it would be a much better channel for payment products to develop a more intimate relationship with me. And think of the practical benefits: if I get a tweet from my debit card telling me it’s just been used to withdraw money from an ATM in Belarus, I can call Barclays right away to block it from further misbehaviour. This doesn’t seem terribly complex: all Barclays need to know is my Twitter name and then it can use the Twitter API to post tweets and only allow me to follow them.

If I could follow my transactional instruments, I could also (in time) feed their tweets, status updates, notifications and so on into other software for mash-ups. I don’t know what kind of mash-ups – I’m not smart enough for that – but I’m sure there are people out there who could do great stuff with the data. So a plea to my account, card and service providers: I don’t want to be friends with you, because you are corporations and not mates, but I do want to be friends with my stuff: my money, my cards, my phone. How hard can it be?

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

State-mandated price-fixing is not the answer, but as it goes this isn’t too bad

Our good friends at Glenbrook summarised the final outcome of the Durbin process:

Debit interchange cap – $0.21 plus 5 bps (for both signature debit and PIN debit)
Fraud prevention adjustment – $0.01 (interim rule)
Routing restrictions and network exclusivity – Option A (two unaffiliated debit network)
Card Present vs Card Not Present – No distinction

[From Federal Reserve Issues Final Rule on Durbin Amendment]

Now there will be a lot of comment from people far better qualified than me on what all of this will mean for the payments industry, so I don’t want to get into those specifics here, but there’s something that bothers me about the whole thing. I went back to Steve Bartlett’s article on Durbin in the EFPLP [Bartlett, S. Announcing the death of the debit card in E-Finance & Payments Law & Policy (Mar. 2011)] and it prompted me to have another reflection on the Durbin process as it seems (to a foreigner!).

Plenty of lawmakers are anguished about their swipe fee position, but largely because they’re worried about falling out of favor with good friends in the corporate world.

[From Swiped: Banks, Merchants And Why Washington Doesn’t Work For You]

I think what this means is that they knew that government price-fixing is wrong, but that big companies (particularly retailers) spend a lot of money on lobbying. This isn’t something to be cynical about, it’s just the real world. I’m happy to offer these lawmakers a solution though. Why not go down the European route and create a regulatory framework that allows competition from non-banks? There is no reason for payments to be a banking business, and competition rather than regulation is a better way to reduce costs to the rest of the economy.

There are other ways to reduce total costs too, but these mean some short-term spending (which no-one wants to do) in order to improve the situation for the longer term (which, naturally, congressmen don’t care about).

The Federal Reserve could, and should, use the Durbin Amendment as a vehicle to move the United States onto the EMV smart card standard

[From Why The Fed Should Use Durbin To Push EMV ( – Industry Verticals )]

Why would this save money in the long term? It’s because one of the key reasons why US debit card fees are so much higher than elsewhere is that they are predominantly signature debit transactions. Moving to PIN, and offline PIN at that, and offline completely for low-value contactless transactions, ought to kill a few birds with the same stone.

the Fed has the power to change this equation. By allowing card issuers to recover some of the costs of issuing smart cards in the form of higher interchange, it could make it profitable for banks to issue smart cards. At the same time, card networks such as Visa and MasterCard could then impose a liability shift policy, similar to that deployed in other regions

[From Why The Fed Should Use Durbin To Push EMV ( – Industry Verticals )]

In reality though, none of the lobbying seemed to be about pursuing the best long-term strategy for USA Inc. It just all came down to fighting between banks and retailers. I assumed that banks were going to lose.

Lobbying on behalf of banks is a bit of a lost cause at the moment, so you can’t blame the retailers for striking while the iron is hot, but if Congress wants to reduce the fees paid by retailers for payments, then it should create a regulatory environment that allows new entrants to come in and provide (non-bank, if necessary) solutions to the marketplace.

[From Digital Money: If you don’t like cards, don’t take them]

Well, despite their (entirely deserved) lack of popular support, it looks as if I was wrong about the banks’ capacity to lobby. They mounted a serious campaign.

Last year US banks generated $536.9 billion of interest income, according to FDIC data, and while that is down from heights of the boom years, it is still a hefty amount of revenue. Non-interest income, which includes fees, climbed to $236.8 billion last year from $207.7 billion in 2008.

[From Bankers, Hear My Plea: Stop the Fee Insanity – Bank Innovation]

It’s very difficult to obtain an accurate picture as to what proportion of the non-interest income relates to payments. The last figure that I have that I believe to be reasonably accurate was 45%, but many commentators seem to think that this is too low. So let’s say that all of the “other” category of non-interest income reported is payments, and call it 50%. There was a paper published last year called “Banks’ Non-Interest Income and Systemic Risk” by Brunnermeier, Dong and Palia that showed that the higher the proportion of non-interest income, the greater a bank’s exposure to systemic risk. In other words, the more a bank depends on income that comes from outside of the core business of savings and loans, the more exposed it is to changes in market conditions (e.g., the Durbin amendment, non-bank competition, that sort of thing). I read this as meaning that it’s better for the economy as a whole if banks make less money from running debit card systems.

The lesson here is that if we want serious regulation of banks, we can’t trust it to be done by bank regulators.

[From The Fed Bails Out the Banks…Again – Credit Slips]

Therefore, it seems to me that the ruling wasn’t that bad for banks. If you have to have a cap, from the banks’ perspective, it might as well be this one. Retailers wanted a cap, and they got it, but the cap is high enough that banks won’t suffer a catastrophic collapse in fee income, so the banks ended up with not such a bad deal provided that they shift signature debit to PIN debit. The banks will lose some fee income because of this, retailers will pay a bit less and customers won’t see much difference because the difference won’t be passed on to them. I disagree with observers who think that Visa and MasterCard will see big trouble because of the loss of signature debit transactions. I think that Visa and MasterCard won’t be too affected because they will boost their PIN debit offerings to make them more attractive to banks and they will push PIN debit into mobile, online, retail and so on. This means that the income lost from signature debit transactions can be made up by replacing cash and other kinds of transactions with PIN debit (I think – but I’m keen to hear from others who know far more about the US market dynamics).

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Yet more about NFC and business models

Eric Schmidt’s very bullish comments about near-field communication (NFC) technology in the US retail market have got people talking about business models again.

Eric Schmidt, Google’s executive chairman, believes that a third of check-out terminals in retail stores and restaurants will be upgraded to allow wireless “tap and pay” from mobile phones within the next year.

[From Google’s Schmidt predicts widespread “tap and pay” within a year | FT Tech Hub | FTtechhub – Industry analysis – FT.com]

These follow a series of statements by Google executives that, whether they are true or not, seem to have legitimised the technology in the eyes of a broad range of businesses.

She added that there is a ton of activity around NFC in international markets, giving the example of a successful trial of the technology that Starbucks ran in London.

[From Google Commerce Chief: We’re Making A Huge Bet On NFC As A Company]

I’ve never heard of this Starbucks NFC trial, so if anyone can point me in the right direction I’d really like to read up on it. But that’s beside the point. The point is that lots of people are now taking NFC seriously in the retail space and the mobile operators are developing NFC strategies. But what business model will there be for them? And what options do they have?

The question will then be how operators manage to regain relevance for their role in NFC transactions (which will come later, if at all), when the first trillion NFC interactions will have bypassed them.

[From Dean Bubley’s Disruptive Wireless: What will be the business model for free NFC-based interactions?]

You can see the problem that he is alluding to, but it may not be immediately obvious why it is such a problem specifically for operators. Look at the issue from a slightly different perspective, one that stems from security. I would argue that there are two different classes of application for NFC in mobile phones. These are, broadly speaking, “open” applications and “closed” applications. They are, broadly speaking, about interaction in the case of open applications and transaction in the case of closed applications. Such applications are, broadly speaking, easy to create in the case of open applications and difficult in the case of closed applications.

Why? Well, it’s because the closed applications need security and the open applications don’t. Open applications are things like games and business cards and “friending”, where consumers touch phones to something (which may be another phone) in order to get or exchange some information. These are what Dean means by “interactions”. Closed applications are things like payments and tickets, where real money is involved (other than the service provider’s own) and the applications must be what security professionals refer to as “tamper resistant”. They must also work, all the time and every time. These are what Dean means by “transactions”.

Working out how to implement secure electronic transactions is (I’m happy to say, since it’s a big part of Consult Hyperion’s business) difficult, complicated and interesting. It’s easy to picture how life might be with your credit card inside your mobile phone, but think what has to happen to realise that picture! How will the security keys necessary for the card application be transported across potentially insecure networks into the tamper-resistant chips (the “secure elements”, SEs) in handsets? How does the bank know that your credit card is going into your phone and not a fraudster’s? When you get a new phone, how does your card make its way from your old phone to the new one? How does the wallet application in the phone communicate with the card application in the secure element?

In the architecture developed by the transaction incumbents (by which I mean banks and telcos), the management of the closed applications is undertaken by something called a “trusted services manager”, or “TSM”, an entity that sits between the providers of closed services, such as banks and transit operators, and the mobile operators who connect to the SEs that they, in effect, own and rent out space on. This model may be disrupted, because it was founded on the assumption that the SE would be under the control of the MNO and that the TSM would have to cut a deal with the MNO to rent the SE space (what you’ll often hear telco people refer to as the “apartment model”).

In the Google play, the TSM is operated by First Data and the SE is operated by Google (it’s in the Nexus handset, not on the SIM). The operator has no control over the SE and can extract no “rent” for its use. I notice that in the Nilson report (#972, page 7) it says that the Nexus S is the only smartphone in the US market with an SE not controlled by the mobile operators: it might have said that it’s the only smartphone in the US with an SE, full stop. The operators (in the form of Isis) are not yet in the marketplace. Why are Google being so active then? Well, on the Catalyst Code I read a while back:

Google has obviously made a decision that NFC is an opening into something more interesting and lucrative than transforming a phone into a payment card – advertising and marketing opportunities at the point of sale – the physical point of sale. And, it has done a deal with VeriFone that takes the economic sting away from the merchants who need to buy into their vision to make it work – and who have by and large turned their noses up at NFC up to this point. Layer on top of that their Google Checkout asset and their newly launched One-Pass wallet application and you have the makings of an interesting new payments player.

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

Karen is, as usual, spot on about this. But I’m not so sure about this…

What’s amazing is that Google was the first to connect all of these dots

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

This doesn’t seem amazing to me, because I’ve been involved in numerous attempts to develop mobile proximity propositions involving banks and operators and from these experiences have developed (I think) a reasonably accurate map. A month before the Google announcement, I wrote on Quora that “I’m sure [loyalty and rewards] will be Google’s strategy too. Payments are not an interesting enough application to persuade people to go out and get an NFC phone.”

So how come banks and operators didn’t connect the dots, then? Banks and operators have smart people in them, and some of them have smart consultants too. But it is very difficult to make institutional strategies for non-core businesses and have them translated into practical tactics with appropriate priorities. If you were in a European mobile operator back in 2009 and you had an idea for using NFC to create a new business, where did you go with the idea? I went into an Orange retail outlet (they are the first operator in the UK to sell a commercial NFC handset with an onboard payment application): not only did the shop not accept NFC payments but they didn’t sell any NFC tchotchkes, such as blank NFC tags. If you’re a smart kid and you get one of these phones, and you have an idea for using tags as tickets for a gig you and your mates are running… well, hard luck. This is problematic, because we need lots of people to be experimenting, developing and playing with the new interface to create the new, open applications.

In April, Nokia’s vice president for industry collaborations, Mark Selby, speaking at the WIMA NFC conference in Monaco, contended that NFC applications not securely stored on SIM cards, embedded chips or other secure elements will account for two-thirds of the revenue that NFC technology will generate through 2013.

[From Nokia Introduces Its Second NFC-enabled Smartphone | NFC Times New – Near Field Communication and all contactless technology.]

I hope Mark won’t mind me mentioning that we discussed this over dinner a couple of weeks ago and, while I agreed with him about the market, I bored him at length with my moaning about the slow development of the ecosystem. Where are the Nokia NFC tags for kids to buy? Where are the NFC USB sticks to connect laptops and phones?

But, looking forward, there’s another issue here. This classification of open/interactive vs. closed/transactional NFC uses is too simplistic, because as the technology spreads in the mainstream, interactions will need to be secure too. When I tap my phone against an advert at the bus stop, I want to find out more about “Kung-Fu Panda 2” and not get directed to a porn site, a reverse-charge premium rate phone call to Honduras or send a text message to someone who wants to sell my mobile number to commercial organisations. I want my phone to check the digital signature on the tag and make sure that it is valid, and that it is signed by an organisation recognised by UK phone operators, or banks, or the government, or whoever. But signing the tags (which is part of the NFC standards, but no-one uses at the moment) means that someone has to distribute keys, and certificates and all that stuff. None of this exists right now, but in the future it will have to.
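The signed-tag check described above, with the key and certificate distribution it depends on, as an added example in Go (not code from the original post, from Consult Hyperion or from the NFC Forum specifications). A hypothetical root CA stands in for the operator, bank or government that the handset recognises; it certifies an advertiser, the advertiser signs the URI it writes on the tag, and the handset verifies the chain to its trusted root before acting on the payload. The `SignedTag` structure, the organisation names and the URIs are constructed for the example; the real NDEF signature record format is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedTag stands in for a signed NDEF message (constructed for this example,
// not the real wire format): the payload, the signer's DER certificate and an
// ASN.1 ECDSA signature over SHA-256(Payload).
type SignedTag struct{ Payload, SignerDER, Signature []byte }

// Root is a hypothetical CA run by an operator, bank or government; Pool is
// what a handset would ship with. Signer is an advertiser certified by it.
type Root struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
	Pool *x509.CertPool
}
type Signer struct {
	key *ecdsa.PrivateKey
	der []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds the certificate fields shared by the root and its signers.
func template(org string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// NewRoot generates a fresh self-signed root and the trust pool built from it.
func NewRoot(org string) Root {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(org, 1, true)
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return Root{key: key, cert: cert, Pool: pool}
}

// NewSigner issues an end-entity certificate to an advertiser: the key and
// certificate distribution step the post says does not yet exist.
func (r Root) NewSigner(org string, serial int64) Signer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	der := must(x509.CreateCertificate(rand.Reader, template(org, serial, false), r.cert, &key.PublicKey, r.key))
	return Signer{key: key, der: der}
}

// Sign produces the record an advertiser writes onto a tag.
func (s Signer) Sign(payload []byte) SignedTag {
	sum := sha256.Sum256(payload)
	return SignedTag{payload, s.der, must(ecdsa.SignASN1(rand.Reader, s.key, sum[:]))}
}

// Verify is what the handset does before acting on a tag: parse the signer's
// certificate, chain it to a trusted root, then check the signature.
func Verify(tag SignedTag, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(tag.SignerDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer not recognised: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, tag.Payload, tag.Signature); err != nil {
		return fmt.Errorf("signature does not match payload: %w", err)
	}
	return nil
}

func main() {
	operator := NewRoot("Example Operator Root CA") // hypothetical trust anchor
	tag := operator.NewSigner("Example Cinema Ads", 2).Sign([]byte("https://kungfupanda.example/trailer"))
	fmt.Println("genuine tag:", Verify(tag, operator.Pool))
	rewritten := SignedTag{[]byte("https://premium-rate.example"), tag.SignerDER, tag.Signature}
	fmt.Println("rewritten payload:", Verify(rewritten, operator.Pool))
	rogue := NewRoot("Rogue CA").NewSigner("Rogue Ads", 3).Sign(tag.Payload)
	fmt.Println("unrecognised signer:", Verify(rogue, operator.Pool))
}
```

The two failure cases in `main` are the ones the post worries about: a tag whose payload has been rewritten after signing fails the signature check, and a tag signed under a root the handset does not trust fails chain validation even though its signature is internally valid. Everything the handset needs is the root pool; the private keys stay with the CA and the advertiser.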

So… Not only is there no ecosystem for transactions, there’s no ecosystem for interactions either. Now you can see why the mobile operators are going to have to work so hard to stay in the NFC loop. A couple of years ago they could have started to roll out the handsets for open, interactive purposes and started many communities off on experimenting with the new technology while they developed the necessary infrastructure for both secure transactions and secure interactions, but they didn’t because they couldn’t see a business case. What’s the business case for selling public key certificates so that advertisers can digitally sign tags using their internally-generated private keys?

It’s hard to work out a conventional business case around a business that simply doesn’t exist yet, and I understand that. But I think that even three or four years ago, the consumer response to the early pilots and trials was so positive that it was clear that the technology would make the mainstream. Now that Google’s activities have served, in an odd way, to legitimise both NFC technology and the business models around it, maybe the operators should adopt a more Google-like approach to business models: start building way more cool stuff, monetise what works and then be ruthless in killing off what doesn’t.

My employer, Consult Hyperion, has provided paid professional services to some of the organisations named here in connection with products and services discussed here, but the opinions in this post are my own (I think) and presented solely in my capacity as an interested member of the general public.

Some observations on Japan

Someone interrupted one of my rants against cash the other day by pointing out that in the last resort, cash is the only payment mechanism that society can depend on. Their trump card was a reference to the aftermath of the recent Japanese cataclysm, where following a magnitude 9 earthquake and a tsunami, the nuclear reactors didn’t melt down but the payment system did.

I think this is the wrong lesson to draw from it. Yes, there were some temporary problems with the card networks because of the disruption, but it’s important to note that this did not impact all cards: Japan has quite a rich retail payment landscape, as shown in this diagram (which I drew a couple of years ago, so it’s a bit dated, but you get the point).

[Diagram: Japan Landscape]

I saw Nobuhiko Sugiura, Associate Dean of Chuo University Business School, give a good overview of the current situation at last year’s E-Money, Cards and Payments conference in Moscow. He said that e-money usage in Japan is growing rapidly but is still a small fraction of total consumer spending (¥1 trillion out of a total of ¥300 trillion, a 300% increase in the last three years). A third of the population use e-money and half of them (ie, one sixth of the population) use it in their phones. It’s a competitive market, centred on non-banks, because the Japanese banks have no real interest in handling small payments because of their cost base. The non-banks, as I’ve often noted on this blog, have different business models, not based on transaction fees. The railways, for example, don’t expect to earn anything from their e-money system; it’s about reducing their costs. In comparison, convenience stores want to issue e-money to reduce their cash float. The bottom line is that the use of cash at POS in Japan is “already falling” because of e-money.

After the earthquake and tsunami, the offline electronic money systems (such as Edy and nanaco) carried on working so long as there was power and the backup battery systems or generators were working, so you could still pop round to 7-Eleven and buy your staples. In fact, it was people who kept their money in cash who suffered greatly.

In Japan, lots of people — especially older people — keep their life savings in cash in their homes. (The country’s banks pay very low interest rates, so the incentive to deposit that money into bank accounts is lower than in other countries.) This is all well and good, until a tsunami destroys your home and washes your money out to sea.

[From Schneier on Security: Unanticipated Security Risk of Keeping Your Money in a Home Safe]

That’s not to say that people didn’t want cash after the event.

The tragedy playing out in Japan this past week highlighted that in times of crisis, there’s nothing like cash in hand as the universal method of payment. By all accounts the banking system in Japan survived and is functioning well after the earthquake and tsunami – such is the level of disaster preparedness. But Mizuho, Japan’s second largest bank, reported outages in its payments and ATM networks – coincidentally as demand for cash surged.

[From The end of cash for payments? Not so fast! – Microsoft Perspectives on Payments and Core Banking in Financial Services – Site Home – MSDN Blogs]

So they wanted cash, but did they need it? In this kind of catastrophe, where the online POS network goes down but the ATM network stays up and the ATMs remain stocked with notes, you could see people going and withdrawing cash. But suppose there are no ATMs?

Imagine that there was a magnitude 9 earthquake and a tsunami in Woking (unlikely – our last natural disaster was an ice age in 18,000 BCE) and when I go round to Waitrose to buy some bottled water and rice my John Lewis MasterCard proves useless because the acquiring network is down and the ATM proves useless because the ATM has no power. The store manager at Waitrose can leave the food to rot on the shelves or he can accept a signed IOU. He could accept no sale because of flaws in the electronic payments or he could develop a rational fall-back strategy. We discussed this a couple of years ago, with reference to the famous case study of the Irish bank strike.

The owners of shops and pubs knew their customers very well and so were perfectly capable of deciding whether to accept cheques (or just IOUs) from those customers. And since the customers also knew each other very well, they too could make sensible decisions about which paper to accept.

[From Digital Money: Payments without banks]

If I were the manager of Waitrose after the Woking earthquake, then I would simply accept payment by writing down card numbers, or photocopying driving licences, or taking pictures of customers, or whatever. The core of the issue is identification and trust, not the payment instrument. As many media commentators noted, society in Japan did not collapse. My conclusion: natural disasters are not a convincing argument for cash.


By the way, in case anyone was wondering about the origami cranes that I was giving out in Chicago this morning… My wife is a teaching assistant in a primary school in Surrey. The seven year old brother of one of the boys who was in her class (the boys have a Japanese mother) has been spending two hours every day for the last month making these (they are a symbol of peace in Japan) to raise money for the British Red Cross appeal for Japanese tsunami victims. Consult Hyperion have purchased a hundred of these beautiful and special cranes, so if you come to our office anytime over the next couple of weeks, please feel free to pick one up with our compliments.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.

Innovation is technology-enabled

Around the world, when faced with new products in the payments space, banks naturally crank up their innovation departments and produce super new products and services to wow customers back. I’m joking, of course. What they actually do in many countries is to go whining to the regulator and force competitors to use the banks’ legacy infrastructure. This is what just happened in India, which really ought to be a huge and dynamic market for e-, m- and new payments of many kinds.

Consequently, from 1 March, the eBay unit says merchants in India cannot receive payments from abroad of over $500 per transaction. In addition, merchants will no longer be able to use any balance in their PayPal accounts to buy goods or services. Instead all payments must be transferred into Indian bank accounts first.

[From Finextra: RBI forces PayPal to restrict payments to Indian merchants]

Now, I’m not saying that banks are the only people who react to innovation in this way: that is, by trying to stop it. This goes on all the time.

For the last fifty years, hard disks have been increasingly super-charged gramophone records: at their heart, there is still a real disk rotating very fast on a real spindle. That’s not the only way to store data, as the memory stick revolution shows, but until now, solid state drives (which have no moving parts) have been too small and expensive to replace traditional hard disks as the main storage device for a computer. Now that’s changing, with real advantages for users as a result… Seagate’s response is to threaten to sue all the new entrants for patent infringement, while insisting that their existing market is not threatened.

[From Public Strategy: Innovator’s irony]

At the dawn of the industrial revolution, the steam engine delivered the fundamental business school case study in this topic, something that I wrote about when I was invited to speak at the European Patent Forum back in 2009.

In his keynote address, the Czech Prime Minister Mirek Topolanek said that we had to find a balance in the intellectual property system, that it was right to let Stevenson patent his steam engine but not the screwdriver he used to build it (he didn’t explain why..).

[From Patent error | 15Mb: yet another blog from Dave Birch]

In fact, as I discussed in this post, history teaches the opposite lesson because the patent system held back the evolution of the steam engine for a generation! But back to our business. What kind of innovation is relevant to the payments industry? This is not clear to me. On the one hand, it seems reasonable to say that…

What would be refreshing is if the focus of innovation could be pegged to the value that it delivers to the entire ecosystem, not just the engineers who get a kick out of building cool new toys.

[From Payment Gadgets at The Catalyst Code]

But is this true? When Apple put together the iPod, it didn’t benefit the “entire ecosystem”. The disruptive innovations in fact devastate parts of the ecosystem, like forest fires that allow new shoots to grow. I hate to harp on about the M-PESA example, but I think it illustrates this point well. The banks complained about M-PESA and tried to stop it but fortunately failed. Now that M-PESA has 13m customers and 20,000 agents, the banks are able to deliver new services to new customers using the platform. Were they devastated by the forest fire? No: it gave them space for new shoots as well.

Where do we look for the next new shoots then? Not in banks, generally speaking, but elsewhere in the ecosystem. The payment innovations to come will be technology-enabled, which is why it’s important for businesses throughout that ecosystem to understand the new technologies relevant to payments and, just as importantly, understand the business model ramifications of seemingly dreary technology architecture decisions being made by nerds right now. While they will be technology-enabled, though, it’s the sustainable new business model that is the key. A good example of this is Square.

..if Square can provide just enough added-value with their app to get traction in the small business sector (they are already processing a million dollars a day), then when new payment technologies come along (eg, NFC phones that can accept payments from contactless cards) the merchants will just expect Square to handle them for them. We have long been advising clients that the key disruptive role of mobile phones in the payments world is the ability to take payments, not to make them.

[From Digital Money: Hip to be Square]

And we still do, in fact. I think Square is an interesting innovation case study. It does not compete with existing acquirers, but opens up the market so that more people can accept card payments.

So where is Square seeing the most traction? Without a doubt, small businesses, independent workers and merchants comprise most of Square’s rapidly growing user base. The technology only requires its tiny credit card scanner that fits into your audio jack and Square’s app. The device and the software are free, but Square takes a small percentage of each transaction (2.75% plus 15 cents for swiped transactions).

[From Square Now Processing Millions Of Dollars In Mobile Transactions Every Week | TechGoo]

In a way, this is a real-world PSP and a fascinating niche play in a large volume-driven acquiring market, one that can be seen to adumbrate mobile disruption and our projection that the mobile-phone-as-POS meme will be more revolutionary than the mobile-phone-as-card meme. But there’s something else to it as well. Conventional acquirers use conventional methods to assess applications.

Square’s qualification rules are more relaxed than those of standard credit card processors. There are no initiation fees, monthly minimums, and when merchants apply for a reader, Square doesn’t just focus on a credit check, but also takes into account the influence a company holds on Yelp, Twitter or Facebook.

[From Square Now Processing Millions Of Dollars In Mobile Transactions Every Week | TechGoo]

That, it seems to me, is more of a window into the coming economy based on the reputation interweb (or web 3.1, as I propose to call it, to avoid clashing with web 3.0). Can you imagine Barclays Business or Streamline giving you a merchant acquiring account according to the number of twitter followers you have rather than your trading history or bank references?

By the way, I can’t remember if I’ve blogged this before but one of my favourite stories about accepting merchants for acquiring accounts goes back more than a decade to the hazy days before the LastMinute flotation. I was doing some work over at what was then NatWest Capital Markets, who had invested millions in Lastminute, when they went berserk because NatWest Streamline wouldn’t give LastMinute a credit card acquiring account because it didn’t have two years’ trading history!

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.

Licensed operators

France has been in the forefront of the NFC revolution, with an early commitment to cross-industry co-operation, considerable work on standards and models and an aggressive timetable for getting phones into the market. Remember this?

A dozen French cities plan to launch wide-scale contactless payment and information service on mobile phones with the backing of the ministry of industry, reports Les Echos. The city projects approved under the initiative will receive state assistance for consultancy and engineering, but no other subsidies are planned at this stage.

[From Aid from French Ministry of Industry for mobile contactless cities. « Contactless & NFC City League]

You will undoubtedly recall that a few months later, the French mobile operators decided to get together with a processor and form a mobile payments proposition to launch a serious assault on the banks’ retail payment franchise.

Orange, SFR, Bouygues Telecom and Atos Origin are creating a joint company to offer a single online payment platform, secured by the mobile phone.

[From Union sacrée des opérateurs mobiles dans le paiement sur Internet – OPERATEUR DE TELECOMMUNICATIONS SERVICES INFORMATIQUES ATOS ORIGIN FRANCE TELECOM SFR BOUYGUES TELECOM]

Well they’ve made their first assault on the enemy positions and have been granted a PI licence. Why would they bother, you might wonder, when polls show that the majority of consumers don’t want to use mobile payments?

The 59% of consumers who were against the idea, meanwhile, gave their reasons as: Security (79%)

[From Most French consumers not in favour of mobile payments • NFC World]

The answer is, of course, that consumers don’t know what they are talking about and it’s a waste of time asking them about anything new. Whatever they might say a priori, in all of the pilots and trials that we have been involved in, they really, really, liked mobile proximity.

But there are some real issues, and we need to address them.

Dead phone batteries. Wrong merchant terminals. Terminals turned off. Terminals unrepaired. No terminals at all.

These and other, less obvious glitches suggest contactless technology may not be the mobile payments panacea for tattered magnetic stripes and other problems with plastic cards.

[From Mobile Payments Inheriting the Problems of Contactless – American Banker Article]

Well, yes and no (I am a consultant, after all). Let’s have a look at these:

Dead phone batteries. NFC is interoperable with the existing contactless payments and ticketing systems. As you may have noticed, your Oyster card doesn’t have a battery in it: that’s because it is powered through the electromagnetic field of the terminal you touch it to, and the same is true for the NFC interfaces in phones. If the phone has no battery you may not be able to access your m-wallet to check your transactions, redeem coupons and so on, but you will be able to use it to pay in a shop and ride the subway.

Wrong merchant terminals. I don’t think this will be an issue. Right now there are some problems with some cards not being accepted in some terminals, but this is the result of standards problems three or four years ago. The contactless EMV standard should interoperate seamlessly. Some of the terminals are certainly “wrong” from the point of view of consumer experience, but that’s a different thing.

Terminals turned off. Fair enough, I do see this from time to time. But it’s a teething problem. There is a problem with terminals being turned off after the merchant has rung up the purchase and then having to press some more buttons to turn it on, but that’s an implementation issue.

Terminals unrepaired. I don’t think this is a long term problem. Contactless terminals (since they have no slot or contacts) are considerably more reliable in practice than contact or stripe terminals. Experience from other sectors suggests to me that the cost of maintaining an estate of contactless terminals is less than half the cost of maintaining an estate of conventional terminals.

No terminals at all. This, I think, is the real problem. When I was last in the US, I saw contactless terminals in places where they didn’t really have much impact, like in CVS. But in the places where contactless would have really helped and speeded things up — BART machines, airport carts, Coke machines and so on — nothing.

The point is that those are real issues that do need dealing with, whereas what the public say are their concerns, such as security, are, in my opinion, not real issues and should be handled through marketing communications. Oh, wait…

85% of users said they considered the protocols for operating with the NFC system to be sufficiently secure.

[From Sitges trial results: Consumers pay more often and spend more with NFC phones than with cards • NFC World]

This must be a translation from Spanish, because I’m not sure that “protocols for operating with the NFC system” translates properly into English, but it’s good news all the same. I’m not saying that everything is perfect in the NFC world. Even in France, progress has been slow despite the commitment of major banks and operators. It’s still a new technology.

The problems are one of the main reasons bank Crédit Mutuel-CIC has held back on launching its m-payment service, according to Patrice Hertzog, payment systems manager for Crédit Mutuel-CIC. He said it has been difficult for the bank’s trusted service manager, Gemalto, to set up and manage the bank’s PayPass application on SIM cards produced by other vendors, such as Oberthur Technologies.

The problems have occurred despite much standards work by the French Association Française du Sans Contact Mobile, or AFSCM, and prior trials involving multiple French banks, mobile operators and vendors.

[From ‘Open’ Battles Break Out Among NFC Vendors Over Android | NFC Times – Near Field Communication and all contactless technology.]

To be honest, this suggests that vendors are not building TSMs from scratch based on the new standards but are putting wrappers around their existing card personalisation systems. That sort of thing is, to me, more of a real issue than incorrectly worrying about what the public think, but whatever. Things are moving. Even in the US, the new technology is getting a foothold and there will soon be TSMs there too.

There’s plenty of activity in the US as elsewhere, and since I’ve been looking at the US for clients recently I was interested to read about the work done by the Federal Reserve Banks of Atlanta and Boston. This work suggests that the success factors for the US will rest on the evolution of an open ecosystem for NFC.

The mobile infrastructure would likely be based on Near Field Communications (NFC) contactless technology resident in a smart phone and merchant terminals.

Ubiquitous platforms for mobile should leverage existing rails, including the ACH network for non-card payments, and support new payment types that meet emerging needs.

Some form of dynamic data authentication would be at the heart of a layered mobile payments security and fraud mitigation program.

Standards would be designed, adopted, and complied with through an industry certification program to ensure both domestic and global interoperability, including a standard to ensure that devices used to facilitate mobile payments do not create any electronic interference problems.

A better understanding of a regulatory oversight model should be developed in concert with bank and non-bank regulators early in the effort to clarify compliance responsibilities.

Trusted Service Managers should oversee the provision of interoperable and shared security elements used in the mobile phone.

[From Mobile Payments in the United States Mapping Out the Road Ahead – Boston Fed]

On that final point, things are already moving.

The joint venture formed by U.S. mobile carriers to launch NFC-based mobile payment… has selected France-based Gemalto to download and manage payment and other secure applications on NFC phones to be used in pilots expected to be held in three to four cities during the second half of 2011

[From U.S. Carrier Joint Venture Chooses a Trusted Service Manager | NFC Times – Near Field Communication and all contactless technology.]

So there’s plenty of activity in the US as elsewhere and plenty of organisations are looking at how the move to mobile proximity may impact their businesses.

A white paper that outlines the survey findings, including how the most forward-thinking financial institutions are building a business case for mobile payments, is available at http://www.fiserv.com/mobilestrategy.

[From Forward-Looking Financial Institutions Focused on Mobile Payments Business Case, Says Fiserv Survey – pymnts.com]

I couldn’t help but think, as I read this, that the very act of building a business case for something like this is fundamentally backward-looking, trying to shoehorn something that is the basis of a new value network into the existing business models. The report says that the factors that the FIs evaluated across these business lines included customer retention and profitability, cost reduction, revenue generation and retention, increased customer engagement and competitive parity. When I looked at the revenue generation part of it, though, it only referred to revenue generation in terms of debit card transactions and keeping the connection to the DDA. This isn’t how forward-looking organisations are thinking about revenue generation from mobile payments: they are thinking about delivering entirely new products and services that are simply not possible in conventional (ie, card) environments, generating revenue from things that banks don’t do.

Google is to run tests of mobile payments at stores in New York and San Francisco in the summer, according to anonymous sources cited by Bloomberg. The search engine giant will pay for installation of thousands of NFC cash-register systems from VeriFone Systems at merchant locations, one source told the wire.

[From Finextra: Google to run commercial trials of NFC at the POS – Bloomberg]

Well, well. So while financial institutions are agonising over the business case, Google is giving out the terminals for free. It’s not hard to see why: they don’t care about the minuscule margins on the payment transaction and arguing about how to slice and dice the merchant fee; they care about building new business around knowing who is buying what and where. So leadership in the NFC space may well shift away from the payment incumbents. Perhaps the answer to the age-old question about whether banks or operators would control the mobile payments space is… neither.
