Building SoftPOS – not as easy as you think.


For the third year running, my colleague Gary Munro facilitated a thought-provoking debate around the use of mobile phones and tablets as contactless payment terminals during last week’s virtual Merchant Payments Ecosystem (MPE) conference. For the last three years, Gary and his panellists have tracked the progress of the SoftPOS technology and standards.  The three key messages that I took away from this year’s conversation were that:

Merchant Payments Ecosystem 2021

When we look forward to 2021, it is no surprise that COVID-19 is the dominant factor. So far as the merchant payments world is concerned, the shape of the post-pandemic new normal transaction environment must be the key strategic consideration for stakeholders and I am desperately keen to hear the variety of informed opinion on this topic that I have come to expect at Merchant Payments Ecosystem every year. At Consult Hyperion we like to contribute to these conversations by providing a useful framework for discussion: our annual “Live 5”, our yearly set of suggestions for strategic focus. This year, we choose to look at the key issue of pandemic transformation and its impact on the three key domains where our clients operate: Payment, Identity and Transit, together with (as is traditional!) a suggestion as to a technology that the POS world may not be thinking about but probably should be.

Will Brexit make stealing bank cards attractive again?


A couple of weeks ago I wrote a piece for our friends at Smartex; ‘Brexit and the UK Finance’s proposed £100 contactless limit’. Perhaps a title more worthy of grabbing readers would be ‘Will Brexit make stealing bank cards attractive again?’

The pandemic has accelerated consumer behaviour that has been teetering for the last decade. The desire for contact-free (and therefore contactless) transactions, has meant a significant trend in consumers becoming comfortable with tapping their cards and perhaps more interestingly, their phones (devices/wearables). We’ve seen merchants switch from hand scribbled ‘cash only’ signs, to ‘please use cards (devices etc) wherever possible’. Some stores have completely rejected cash altogether.

Payment card issuance errors leave you vulnerable to fraud


As Consult Hyperion, and as many other analysts, predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation, found that no-touch payments have increased for 69 percent of US retailers surveyed, since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.

Fraudsters are always looking for ways to take advantage of potential weaknesses or even inexperience in new payment devices. A recent news story promoted a man-in-the-middle attack in which two phones are used to transfer and manipulate the transaction message between a stolen contactless card and the point of sale terminal.

Finger pay redux

A few people forwarded a link from Time Out to me last week, calling attention to a new payment mechanism using a new biometric identification technology to effect retail payments in a new way.

The latest in contactless payment – called Fingopay – uses a bartop scanner and allows customers to introduce their index finger when they’re ready to settle up. The unique patterns of the veins in each customer’s index finger – which need to be linked to their bank account in advance to make a payment possible – are electronically scanned on the spot in the aim of speeding up transactions at the bar.

From You can now pay for a pint using just your finger at a bar in Camden

I’m not sure if my repeated use of the adjective “new” in the introductory paragraph was entirely appropriate and I don’t want to be like all yeah whatever but… the first time that the technology was mentioned on this blog was almost exactly a decade ago, when I was talking about mass market uses of biometrics and the particular case study of Japanese banking, and it wasn’t new then.

Another group that includes Sumitomo Mitsui Banking Corp., Mizuho Bank and Japan Post use a similar system but it analyses fingertip vein patterns.

From Well, is this the year of biometrics? | Consult Hyperion (April 2007)

In addition to identifying customers at ATMs and Post Office counters the technology that they are referring to here, the Hitachi fingervein technology, has been used as an alternative to payment cards from its earliest incarnation.

Biometrics continue to advance in Japan with the news that Hitachi is teaming with Japanese issuer JCB to develop a biometric payment system based on its finger vein authentication technology that can be used as an alternative to cards and cash at the point of sale.

From Fingering suspects | Consult Hyperion (November 2007)

The technology has reappeared as a new solution to these same problems a great many times since then. It seems like every couple of years or so some stories about this new technology and new way to pay reappear. For example…

The BBC were kind enough to invite me on to their lunchtime “You and Yours” magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications.

From We’ll be giving Barclays the finger next year | Consult Hyperion

The truth is that this specific technology has been around for absolutely ages and the idea of using fingerprints as an alternative to payment cards at retail POS has been around for even longer. This from 2004:

The Piggly Wiggly grocery chain has announced it will begin offering a high-tech payment feature allowing customers in several stores to pay using their fingerprints.

From Grocery store goes to fingerprint payments

You can’t help but wonder what is different this time. Well, for one thing, we have PSD2. My memory of some earlier attempts may well be imperfect, but I have a vague recollection that these previous attempts at finger-based payments worked by tying the stored template to a card-on-file and then processing a card-not-present (CNP) transaction at POS (even though the cardholder was self-evidently present). Since the costs associated with CNP processing were much greater for the merchants, and the US was moving to no-signature stripe programs anyway because all of the terminals were online, the finger payments were slower and more expensive than stripe payments. Hence neither the merchants nor the consumers were greatly interested. Systems like this did make progress in closed environments (such as schools and prisons) but made no inroads into the mass market.

However, things are changing. We have strong customer authentication (SCA) and risk-based authentication at POS, we have interchange regulation and interchange plus acquiring in Europe and soon the retailers will be able to process payments themselves by obtaining payment institution (PI) licences and obtaining consumer consent for direct access to their bank accounts. Thus, putting your finger on a reader in store and having the retailer instruct an immediate instant payment transfer from your account to the retailer account looks like a more promising model this time around (but I have to say I am sceptical about traction in a world where consumers have mobile phones with them all the time and can obtain Internet connectivity even in Camden).

The decision to try out the new system in a pub, by the way, did bring on a wave of nostalgia. Here I am with my CHYP colleague Kate Hughes, my fellow Visa Business School instructor Joe Di Vanna and my old friend Mark Burgess testing out some early contactless products in the bar at Robinson College, Cambridge. Joe claimed that he could do a cash transaction faster than contactless…

 

On a related topic, it is important to note that while fingerprints are unique, and all that, they are not without issue. For one thing, you leave your fingerprints everywhere you go. For another, you do not always have complete control over your fingers…

Wife exposed diplomat’s affair by using his thumb to unlock his iPhone while he was sleeping 

From Foreign office official ‘assaulted wife when she used thumb print to unlock iPhone’ exposing affair | Daily Mail Online

This is why those of us who understand security use Wickr or Signal to communicate with confidantes and always set a passcode for the application!  The point is that fingerprint security has failure modes and those could be exploited by any seven year old. Paging Groucho Marx: someone get me a seven year old…

7-year-old Harrison Green waited for his dad to fall asleep and then hovered his finger over the sensor, thus defeating his strong fingerprint encryption choice.

From 7-Year-Old Boy Uses Sleeping Dad’s Finger To Unlock iPhone

Having had a look through the Fingopay website, I notice a clever use of this particular feature (that is, the ability to use the biometric identifier without the consent of the owner).

We have developed an “in-case-of-emergency” ICE system that can be used to assist in identifying you even if you are unconscious

From – FAQs –

This might be more of a use case in Camden on a Friday night than a new payment mechanism! I suggest they also try my alternative solution which is to store a revocable token in tamper-resistant hardware and use the biometric for strong local authentication of that token. If people in Camden really don’t want to take even a card down the boozer, and are worried about waving a phone around because it’ll get half-inched at chucking out time, well, our friends on the continent have a tried and tested alternative.

everyone’s current favourite case study for this sort of thing is the Baja Beach nightclub in Barcelona, where patrons were offered the choice between a card and a chip and some of them chose the chip… The chips are the size of a grain of rice  (1.2 millimetres wide and 12 millimetres long) and injected (by a “medically trained” person, according to the New Scientist) under the skin in the upper left arm. 

From Chip ’em all | Consult Hyperion

One of my favourite conference jokes a decade ago (first used in a presentation to the International Association for Biometrics in September 2004) was that the chip is better than a card because you really can’t leave home without it. Now, to be honest, I’d prefer an implanted chip like that to biometric identification. Why? Well, the chip contains an ID number and no personally-identifiable information (PII). If some unauthorised person scans the chip, all they get is an ID number. If I use an app on my phone to allow a particular retailer the ability to charge against that ID number at specific times, or only with strong authentication (e.g., a PIN or a fingerprint or whatever), that seems both convenient and secure.

If you’re too squeamish to have a chip implanted (I’m not – in fact I begged them to implant one on stage at a Consult Hyperion Forum but they wouldn’t do it because the chips were not licensed for use on people in the UK) then there’s an alternative I can suggest. One of my favourite conference jokes right now is that you can always have a QR code tattooed on to some part of your body. Private key vs. privates key* (geddit!).


* If you know a better PKI-related joke I am literally all ears.

Retailers could take more advantage of contactless


There are some things that Woking station can do better than anyone else in the world. It’s a shame they are nothing to do with trains but, hey, you can’t have everything.

The latest figures show a steady rise in the use of contactless payments in the UK. Slowly and surely, consumers are starting to tap. Contactless is becoming mainstream. As a benchmark, note that now you can use your contactless bank card to ride the bus in London, TfL have decided to give up on cash altogether.

