Archive for the ‘contactless’ Category

August 22, 2011

Is recent EMV announcement the catalyst the U.S. needs to catch up?

During this past year, the team at Portals and Rails has published several articles exploring the growing risks in card-based payments and the need to move to a more sophisticated and secure enabling technology. But overhauling a payment system is no easy task, as there are many players that need to collaborate, from the card networks to the bank issuers and merchants. How does the industry organize itself to orchestrate a much-needed transition?

http://portalsandrails.frbatlanta.org/2011/08/lessons-from-mario-brothers-finding-keys-to-fighting-fraud.html

Interesting question for the industry as we go through this transformation to a fully connected world where everything happens between our mobile phone and the merchant, friend, family, phone or cash.

 

 

This goes back to November 2010, when they announced ISIS.

Over the last week many of us have read and attempted to understand the goals and objectives of Isis and its owners AT&T, Verizon and T-Mobile.

Visa reacted, pundits speak of ISIS becoming a new payment brand/system and Google, Ericsson, Apple and RIM all are embracing NFC and speaking to inclusion in the mobile phone.

To include all these links would take more space than appropriate.  A simple Google search with key words like ISIS Mobile Commerce etc. will quickly get you to more than you could digest.

In the Isis press release they speak of creating the Mobile Wallet and talk about offering their services to merchants, Banks and carriers. Yet in what capacity? Clearly the relationship between the citizen and merchant today belongs to the merchant, carriers and banks. So one wonders if ISIS will interact directly or if the Banks, merchants and Carriers will be the channel to market for the underlying services ISIS offers.

Of significance are the statements of Bill Gajda, Visa’s head of mobile products, which do not identify Isis as a threat or a competitor. He speaks to collaboration. It will be interesting to see what MasterCard will say.
 
As I thought about what ISIS wants to be, I was drawn to reread a paper produced by GSMA and EPC (Global Switch Mobile Association and European Council for Payments). That paper is titled:

Trusted Service Manager Service Management Requirements and Specifications

Doc: EPC 220-08, Version 1.0 January 2010

What occurred to me is that Isis could set itself up as a “Trusted Service Manager” (TSM), taking on a trust function supporting Issuers and Mobile Network Operators (MNO), and why not the merchant, who all talk about the capabilities of the mobile phone and will want to dematerialize their cards and install their certificates, data and applets within the context of a mobile wallet. ISIS can then derive their revenue from fees associated with “Trust” and assuring the identity of the owner of the phone.

I do not see ISIS becoming a new means of payment. I see them becoming an enabler that helps build the business case to drive the necessary investments merchants and carriers must make to assure the consumer that they can move all their cards into their mobile phone. Mobile Commerce is the key phrase that leads me to think about coupons, loyalty, rewards, push marketing …

As we all know, contactless and NFC are not getting the traction one might have expected. Mobile loyalty, Mobile commerce, services branded as a means of enhancing the customer experience: those I do imagine will excite merchants and consumers to demand NFC capabilities. Imagine walking into a store and getting coupons and discounts as you tap and add to your shopping cart. Clearly merchants appreciate that they can drive consumers to buy more if they can excite them.

So what is ISIS truly going to do, compete, collaborate or enable?
 
 

The path for the USA to EMV

http://www.finextra.com/community/fullblog.aspx?blogid=5875

EMV: Let the planning begin

 

There’s no way around it – EMV transition planning will be complicated. However, while EMV is a complex specification, the good news is that it can grow over time. Thus the key is to implement an infrastructure that lets you start with a simple, single portfolio that can expand and mature with you. Looking forward, the goal is to do it once, do it properly and avoid the pain of re-doing it when it’s time to move into mobile payments

I agree totally with this sentiment. Mobile is here. EMV addresses the requirement to include dynamic data in a payment transaction to address questions of identity and irrefutability.

Update 02/22/2012

Having had a chance to sit inside EMVCo working group meetings, I am fully aware of those words read every time that reminded us of our confidentiality and the sharing of patents and secrets that might jeopardize the future of EMV.

What I saw was the successful release of the EMV contactless specifications and type approval processes capable of testing tap, if one remembers the distance has to be 2 cm instead of 10. Otherwise the protocol and security will last us until 2025. Plans were underway as I left that were focusing on expanding the standardization of mobile and the development of a next generation or EMV 2.0. They are talking about 2015 and 2017 as probable dates that these new specifications and processes would be in place to allow widespread adoption so that circa 2030. If they are right we have a new and transparent solution that opens and never hinders access to whatever we have the right to access. What about the next 17 years?

Well, EMV works.  It already includes mobile and contactless.

Visa and MasterCard have said yes. Amex is OK, Discover has had lots of ads for payment people with EMV knowledge and such titles.

The Federal Reserve seems to be on-board and Global Platform, NFC and Mobey Forum seem to be OK.

Looks like a plan to me.

NSTIC and EMV should merge

October 03, 2011

Cyberspace trust: Proving you’re not a dog

A very real discomfort underlies the classic joke: “On the Internet, nobody knows you’re a dog.” How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate’s Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you’re reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

http://portalsandrails.frbatlanta.org/2011/10/cyberspace-trust-proving-youre-not-dog.html

Philip thinks:

  • The next step is to merge the identity sought by everyone and easily relegated to the Banks to manage.  Facebook and GMail offer an option if their KYC can be improved.  With face to face meeting it is possible to truly prove identity, requiring a branch network.
  • Transaction processing is legacy in the developed world while the emerging economies offer an opportunity to build new.  Existing standards and processes need to be respected as they transform to absorb the new information attachments and Internet offers we now need to cope with.
  • The Wallet forms the basic unit to create a trusted network employing smart cards, trusted computing, persistent computing and intelligence to enable the consumer experience.
  • Privacy and integrity of that trust is essential to the system
  • The individual is key
  • Respect rights and obligations

 

 

 

 

Mobile payments is being discussed in the context of “creating” a new “means of payment” or, in other words, a new “Payment Brand”. I would suggest the expense and time it takes to create a new “Payment Brand” is significant, not to mention expensive.

Just look at PayPal. How long, on the backs of eBay, did it take to reach the point where they are ready to enter into a venture with Verifone to become a “means of payment” their buyers can use at the real world stores of their sellers?

Two models for payments exist in the market today and frankly these two models have not changed, since the beginning of any form of commerce. 

The three party model and the four party model. 

Classically, banks, regulated and trusted to hold our moneys in accounts, are fundamental to the act of payment. They have always been key to developing and operating the payment systems.

Unless of course we use cash. 

In both models two parties always exist - the Buyer and the Seller, the Payer and the Payee or the consumer/cardholder and the merchant.

In the four party model we add two Banks who support one of these two parties.  There is the bank with the relationship with the consumer/buyer/payer/cardholder, often called the Issuing Bank.  On the other side of the payment there is the bank with the relationship with the merchant/seller/payee, often called the Acquiring Bank.

The three party model simply means that the Bank of the payer and the Bank of the payee are the same. The movement of funds flows from the buyer’s account to the seller’s, as ledger entries, within a single institution.

American Express and PayPal are perfect examples of non-Banks who operate three party payment systems. 

The central bank is another example of a three party system.  All the banks within a country are clients of the central bank and have accounts at the central bank.

Clearly the three party model is the most efficient.  But, it requires that there is a monopolist who processes payments for all buyers and sellers in order for the system to truly work.  Reality dictates that a monopoly or agreement by all parties to use a single entity for their banking and payment services must exist for such a system to dominate the market.  

Therefore, the payment systems have evolved cooperatively, based on acceptance by the consumer and merchant of a recognized means of payment. The banks work together to establish a set of rules and procedures they employ to transact payments. Various four party models, i.e. MasterCard and Visa, along with checks and electronic fund transfers, dominate the payments landscape.

Inherent to these models are a Brand (acceptance mark), a set of rules and a clearing mechanism. Everything works because there are agreed rules and procedures that govern how the two banks execute payments. To complete the cycle these two banks ultimately exchange real money, typically through a settlement bank or the central bank, representing the total value of the payments processed.

To add complexity to the landscape, the Issuer and Acquirer often contract with processors to do the work. These two entities are identified in the graphic as the Issuing Processor and the Acquiring Processor.

Behind the term mobile payments, some think there is a more efficient method of effecting payments. They believe inserting a new player into the game will make the whole system more efficient and therefore cheaper. Or more appropriately they think that their new approach will allow them to earn a portion of the Merchant Discount (fee paid by the Merchant to the Acquirer) or the Interchange (fee paid by the Acquirer to the Issuer).

The more I think, read and discuss, the more convinced I become that creating a new payment Brand is an expensive exercise and frankly believing we can create something new and more efficient than the existing four party models is irrational. 

So what does the Mobile Phone bring to the payment landscape? 

Clearly ISIS understands. Mr Abbott states “We plan to create a mobile wallet that ultimately eliminates the need for consumers to carry cash, credit and debit cards, reward cards, coupons, tickets and transit passes.” Key word: “WALLET”. By definition, “A wallet is a small, flat case used to carry personal items such as cash, credit cards and identification documents, such as a driver’s license.” Interesting: a mobile phone is a small, flat object that can carry a digital facsimile of cash, cards, identification documents …

Next we think about NFC (“Near Field Communications”), a method of transferring data from the content of the Wallet to the merchant’s Point Of Sale device (“POS”). Tap instead of swipe. NFC replaces the read of the magnetic stripe with the transfer of the data from the Mobile Wallet to the merchant’s POS. To achieve this goal, PayPass and the other contactless payment cards simply store what is on the magnetic stripe and pass it via NFC to the POS. Given that a mobile phone is a computer, we can introduce digital certificates and do it much more securely.

This is exactly what EMV (Europay, MasterCard and Visa) defined and employs. Debit and credit card issuers throughout the world are now employing the trusted characteristics of a chip card to secure their credit and debit card payments using digital certificates.

With a Mobile Wallet (remember the SIM is a chip card) a trusted component is available, inside the consumer’s wallet, capable of supporting EMV and assuring the authenticity of the content (Card) of the wallet and the identity of the owner of the wallet.
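The contrast drawn above between passing stored stripe data over NFC and having a chip produce per-transaction data, as an added example that is not from the original post. HMAC-SHA256 with a shared key stands in for the chip's cryptography; the key, track string, nonces and all class and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for illustration; not real card data or keys.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
STATIC_TRACK = "4000000000000002=3012101000000000"


def _mac(key, amount_cents, atc, nonce):
    """HMAC-SHA256 stand-in for the chip's per-transaction cryptogram."""
    msg = amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Chip:
    """Card or secure element: holds the key and a transaction counter (ATC)."""
    def __init__(self, key):
        self._key = key
        self._atc = 0

    def sign(self, amount_cents, nonce):
        self._atc += 1  # every transaction consumes a fresh counter value
        return self._atc, _mac(self._key, amount_cents, self._atc, nonce)


class Issuer:
    def __init__(self, key, track):
        self._key = key
        self._track = track
        self._last_atc = 0

    def approve_static(self, track):
        # Stripe-style check: the same bytes are valid for every transaction.
        return hmac.compare_digest(track, self._track)

    def approve_dynamic(self, amount_cents, nonce, atc, mac):
        # Amount and nonce come from the terminal's request, not from the card.
        expected = _mac(self._key, amount_cents, atc, nonce)
        if not hmac.compare_digest(expected, mac):
            return False  # wrong key, altered amount, or different terminal nonce
        if atc <= self._last_atc:
            return False  # counter already seen: a replayed cryptogram
        self._last_atc = atc
        return True


def demo():
    issuer, chip = Issuer(CARD_KEY, STATIC_TRACK), Chip(CARD_KEY)
    n1, n2 = bytes.fromhex("a1b2c3d4"), bytes.fromhex("0f1e2d3c")  # fixed for repeatability
    atc, mac = chip.sign(2500, n1)
    return {
        "static_first": issuer.approve_static(STATIC_TRACK),
        "static_replayed": issuer.approve_static(STATIC_TRACK),
        "dynamic_first": issuer.approve_dynamic(2500, n1, atc, mac),
        "dynamic_replayed": issuer.approve_dynamic(2500, n1, atc, mac),
        "dynamic_other_terminal": issuer.approve_dynamic(2500, n2, atc, mac),
        "dynamic_amount_changed": issuer.approve_dynamic(9900, n1, atc, mac),
        "dynamic_next": issuer.approve_dynamic(1200, n2, *chip.sign(1200, n2)),
    }
```

The static check cannot tell a second presentation of the same data from the first, while the dynamic check rejects a reused counter, a different terminal nonce and a changed amount.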

Bob Egan, in a recent Forbes article, “The ISIS Mobile Wallet: Are Visa, MasterCard and PayPal Under Siege?”, writes: “To me it’s quite clear the ISIS is taking matters into its own hands. I predict we will see ISIS become the issuer behind new carrier partner plastic credit/debit and prepaid cards in addition to mobile wallet capabilities for those cards become resident as applications on mobile phones.” This suggests that Isis is going to compete with Barclaycard. If this is the case, then what does the following statement in the Isis release mean: “Barclaycard US, part of Barclays PLC, is expected to be the first issuer on the network, offering multiple mobile payment products to meet the needs of every customer.”

So what is Isis planning? Clearly pundits are not sure.

http://www.nfctimes.com/nfc-projects

There is nothing more to say; click and explore.

The Future of Money

I took offence when I looked at the picture included in the article published on Wired.

http://www.wired.com/magazine/2010/02/ff_futureofmoney_move/

The arduous path that he has carved out for a card transaction assumes a lot of unnecessary intermediaries that have included themselves within the picture.

For me the story can be simplified.

Credit card processing involves a minimum of five parties: the Issuing bank and its technology arm, the acquirer and its network, and the scheme (Visa, MasterCard …). Everyone else is about the realities of the ISO marketplace and the proliferation of parties offering added value services along the transaction path.

 

 

Remember, a credit card transaction is simply:

Swipe/Tap/Dip/PIN.

Add transaction amount, time, merchant etc.

Ask Acquirer for approval.

Acquirer passes to scheme.

Scheme routes to Issuer.

Issuer approves and sends back the authorization.

Then, if necessary, sign receipt.

That night batches of requests for payment are sent from the acquirer to the Issuer with the Scheme, reconciled and settled.

 

Then there is ACH. Yes, the technology needs modernization, the functionality must be streamlined, and ubiquity must be embedded in the pricing model.

Electronic checks that are facsimiles of handwritten checks cleared through the Check 21 system should not be eliminated; they are efficient and provide a great personal audit trail. Handling the paper should be pushed as close to the original transaction as possible so that personal accountability is induced. The person I handed the check to has the check. So if there is a problem I have to deal with him.

Otherwise all the necessary transactions are possible, and with the move to STP (“straight through processing”) availability of funds can be assured.

What are most of the other schemes? First, like American Express, they are three party solutions with a man in the middle holding funds on account in a pre-paid scenario or capable of submitting transactions into the ACH and card systems as your proxy.

Yes, the three party system is the most efficient. Unfortunately it has one problem: it is not open.

Visa and MasterCard, although viewed as restrictive, are open systems. They accept any properly sanctioned bank as a member willing to abide by the rules and maintain sufficient reserves. For a new system to acquire this status means either that they become a bank and meet those incremental regulations or that they focus on building critical mass, as American Express has proven can be done.

So, as this next article concludes, what exists can improve and is probably better than something new.

http://www.wired.com/magazine/2010/02/ff_futureofmoney/all/1

The Future of Money: It’s Flexible, Frictionless and (Almost) Free

This is what I have done as the following snapshot indicates:

www.andreae.com/presentations

In a paper recently published by the Federal Reserve they begin to consider what actions the FRB should take to drive the further adoption of P2P electronic payments and the reduction in paper checks.

http://www.bos.frb.org/economic/ppdp/2010/ppdp1001.pdf

Their introduction speaks to the differences in adoption of electronic payments in the USA and Europe. Intriguingly they include privacy concerns as a key issue. This being said, having lived in Europe for 15 years, I am not sure the desire for privacy is greater in America. What can be said is that the moment when the underlying infrastructure was developed defines the ideas and feature sets. Newer systems learned and grew as other economies embraced and proved the viability of innovative ideas.

They go on to discuss the fate of eCash (Mondex, VisaCash) and the need to create ubiquity in order to assure success.    Clearly, as they outline, the major adoption issue in the field of payments is achieving a density of merchants willing to accept a particular means of payment  and simultaneously demonstrating a significant number of consumers willing to employ said means of payment.

Unfortunately for the inventors of neat solutions, the reality is that without figuring out how to assure ubiquity, the new idea will not be a success. If we look at contactless, MasterCard clearly recognised this reality and funded the initial investment in equipment. Without this investment one wonders if PayPass would have reached the low levels it has.

The interesting thought that emerges from this paper is that the widespread deployment of mobile phones means that an infrastructure that both merchants and consumers have is in place, and if one can find an intuitive means of exploiting this installed base, part of the deployment problem is mitigated.

In my heart, I believe mobile will allow the establishment of new ways of paying. The next question: can today’s infrastructure support P2P payment instructions, and will the issuers and acquirers figure out how to make money without cannibalizing existing revenue streams?

The New York Times, in the previous post, looks at the issue from the obvious perspective. The result is as one would expect. Remember when France first introduced smart cards in 1984 or mandated them back in 1992, and the acceptance nightmare.

In the past I have written on the idea - 

Push PCI/EMV into one coherent electronic and secure smart card reader and PIN Pad. 

Mandate all new 1 July 2010, with the understanding that, in reality, every piece of equipment will be replaced in a reasonable period, say 7 to 10 years.

VARs should easily be able to do that.

The incremental cost ($8/device) on the device side goes down over time, as equipment becomes more affordable.

On the system side, most international providers have a solid EMV implementation they can port over to the US platform over that same 7 year time frame. 

At the Network switches, gateways and IPSPs; data formats should be changed sooner, say three years from day one.

Issuers can then decide when to embrace one global two factor authentication solution, using contact and contactless EMV cards to support card authentication [Factor 1] and cardholder verification processes (e.g. Chip and PIN) [Factor 2].

Biometrics were understood when EMV was created.  The mechanisms are in place to introduce an agreed, more secure, biometric verification process [Factor 3].