They’re Not Human Rights, They’re Human Privileges

This could potentially be my most contentious blog yet, but the very thing I am railing against [somewhat] is the very thing that allows me to post this in the first place: human rights, as enforced by my country’s laws and/or societal norms. MY society anyway.

My issue is not with human rights per se, they are a concept that should only become more important as the world gets smaller. Shared information available to an enormous distribution of mobile devices will, in theory, help combat the rampant ignorance across the globe, often enforced by oppressive government entities themselves. Just look at the ridiculous Twitter ban in Turkey for one of the milder examples. When everyone on the planet knows that they shouldn’t have to live under any totalitarian regime, human rights will provide the long-term road map for progress towards the freedom most of us take for granted.

My issue with human rights is the equal enforcement of them. As an extreme; why does someone convicted of multiple homicides have the same rights as someone who spends their whole life helping others? Yes, the killer may lose their freedom, but their rights as a human being are still in full effect. You take from someone everything they will ever have, and in my opinion, you are giving up some – and potentially all (depending on your crime(s)) – of your rights to be treated equally AS a human.

No, this is NOT a case for capital punishment; that’s too specific a judgment. This is about the fact that, as a species, there is no way we human beings will EVER reach a 100% consensus on anything, and we need to stop pretending that we can. The majority opinion must rule, as long as it’s not MOB rule, and the losing minority needs to abide by the prevailing decision. Criminals of every sort ALL have an opinion different from the majority, and it’s one they have likely acted upon. They think they are somehow exempt from doing the right thing, and in most ‘civilised’ nations those right things are instilled from childhood and reflect an accepted standard of ‘common decency’.

Do NOT steal, do NOT kill, do NOT take anyone by force and so on, but what about those countries where the established norms – if not the actual laws – are different? Can anyone reading this blog POSSIBLY justify the murder of the 11 people working for Charlie Hebdo just because they printed satirical matter and images related to their deity? Or any of the hundreds of terrorist attacks perpetrated for religious or political reasons across the globe? These things are REAL, but what makes US right? What makes US the arbiters of that common decency?

We’re the majority, that’s what gives us the right to condemn their actions. Anything other than treating everyone as you would wish to be treated yourself should be unacceptable in any society.

So we clearly need to stop pretending that as a species we are that evolved OR that civilised, and neither religion nor government should have the final say in what’s right and what’s wrong. We are all born with rights, but from that point forward they become a privilege every individual has the responsibility to maintain. All of our freedoms and all of our rights come at a cost; we must all be prepared to pay those costs.

In the end, humans are just another mammal. The attribution of instincts above layer 4 of Maslow’s Hierarchy of Needs is admirable, and certainly an aspiration, but fighting a sociopath with rules is no different than making a wish by blowing out candles on a birthday cake. I will live my life by a simple set of self-imposed laws, and would hope everyone around me does the same:

The 5 Laws of Human Rights:

  • Everyone starts out in life with the same rights.
  • Everyone may utilise their rights to their own unqualified ends as long as those actions do not violate the rights of others.
  • Violation of the rights of others will result in a loss of your rights equal to that inflicted on the other party(ies).
  • Use of rights for one’s own benefit comes with a risk of loss, everyone will accept personal responsibility for this loss.
  • No-one shall take their rights for granted.

We need to stop pandering to those living outside the globally accepted norms of common decency; they have no place here with the rest of us.

Is Your Acquiring Bank Making PCI Even More Difficult?

First a caveat: this blog is not aimed at all acquirers, nor is it aimed at every individual at any one acquirer. There are some very professional, knowledgeable, and pragmatic acquiring banks out there who are providing excellent advice and guidance to their merchant base.

Then there are the others who not only seem to have no idea what they are talking about, but are actually making things actively worse in terms of both resource effort and overall expenditure for their merchants. This is supposed to be a program of APPROPRIATE security, not just compliance.

The latest, utterly inexcusable example of this is a Level 3 merchant I know who, wanting to do things properly, hired a QSA company to come in and help them prepare for the completion of their SELF Assessment Questionnaire (SAQ).

The first thing the QSA had to do was get the merchant to ask the acquirer which SAQ they wanted, as the acquirer had left that to the merchant. For those who don’t know, it’s the acquiring bank’s responsibility to determine the correct SAQ based on the merchant’s business processes and card transaction volume. The acquirer should NEVER point at a QSA for this decision, and should most certainly not be leaving it up to the merchant.

After spending a significant amount of time and money, this particular merchant completed 2 compensating controls, which were then required to be signed off by a QSA!! Are you kidding me!? It’s a SELF assessment!! You show me a QSA who will sign off on a compensating control without the context of a FULL Level 1 assessment or a million caveats and I’ll show you an idiot.

Now try to imagine this merchant’s frustration when he knows another similar merchant had just filled out an SAQ by themselves, got an ASV scan, and received no questions from the same acquirer. The original merchant tried to do it properly, tried to ensure they could answer every question properly, and were even honest about the things they could not do. Their reward for this was additional expense getting another QSA to come in and help them translate the PCI rules back to the acquirer.

Here I am now 4 short weeks later and I have another merchant being told that the acquirer would “accept a SAQ D” for their reporting requirement. Bear in mind that this client is an e-commerce merchant who has implemented a full redirect to a PCI compliant service provider and you can again imagine the frustration. Add to this that the merchant, who will be reporting full compliance within a month, was also “encouraged” to complete a Prioritized Approach Tool spreadsheet as well, and the whole thing becomes a farce.

I have a lot of sympathy for acquirers; their PCI headaches are multiplied by as many merchants and service providers as they acquire for, but this is no excuse to provide anything but the most pragmatic guidance they can. PCI cannot be driven from behind a desk, and practical guidance can only come from those who have been in front of a client as a QSA. I can read a book on emergency appendectomies, for example, but I would suggest you go to a real doctor.

Merchants: If you do want to do PCI properly, hire a good QSA or industry expert for ONE day to set the game-plan with your acquirer and your internal teams, then get on with it.

Acquirers: Hire ex-QSAs with good reputations to run your merchant-facing PCI programs; you’ll save yourselves and your clients a hell of a lot of pain.

Anyone Else Getting Sick of Biometrics Hype?

I am in no way against biometrics, they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management in general. What I’m completely sick of is the “Password is dead, biometrics is here!” hype perpetrated by those with a blatant self-interest.

If the password was dead, we would not have a multi-TRILLION £/$/€ industry currently predicated on the 4 digit PIN; the branded payment card. Organisations up and down the payment card food chain, from the schemes to the end merchants would not be spending billions on the perpetuation of the technology if the password was actually dead.

The payments industry is not trying to reach the fewer than two billion people with biometric-enabled smartphones; they are trying to reach the SEVEN billion people with money, half of whom have no access whatsoever to formalised banking as we know it, let alone a £400 mobile device.

Yes, there are ongoing fraud issues, and yes, there are viable alternatives, but ask the average person on the street if they need mobile payments authorised through some form of biometrics and they will simply ask what’s wrong with their credit card. Too many biometrics companies are trying to change the world without applying common sense to the real issues. They are not solving a problem; they are trying to create a demand.

The challenges the payments industry faces are myriad, and include:

  • Enormously complex and expensive infrastructure geared towards current payment methods and protocols [There’s no starting over from scratch]
  • Global acceptance of current operational standards by all countries’ financial authorities [Requires amendments to most laws and regulation]
  • Older technology that does not port securely onto consumer controlled mobile devices [You cannot exclude the card brands from this move.]
  • Difficult transition path from legacy infrastructure to new [Where do you start, and what direction do you go in?]
  • Increasing pressure from retail to provide improved customer journey / experience [Retail and consumers expect more.]
  • …and so on.

Fraud due to poor authentication is not the problem; it’s an inconvenience. The real problem is that payments are heading from ‘plastic & PIN’ to ‘mobile and multi-factor’ whether we like it or not, and the only practical and secure way of doing so is to do it properly from the beginning. This will be an industry-wide effort or it will fail, and no biometrics company on the planet has the answers alone.

Battling fraud is not just about proving that you are the one attempting a transaction, it’s about being able to attribute your entire identity into the desired result. Just because I can prove I’m trying to buy a TV does not mean I have any intention of paying back the loan.

So smart phones have the ability to turn the industry standard Personal Identification Number (PIN) into a Personal Identification Vector (PIV), one that is not only TRULY personal (i.e. fully consumer customisable) but also builds a multitude of other authenticators into each transaction. It is here that biometrics really comes into its own: being able to seamlessly add the something-you-are authentication factor to EXISTING processes.

Biometrics tells us what you are; it does not define WHO you are, and it’s the who-of-you that defines the future of your payment options.

How Smart Watches Will Offend My Generation

I could not help but laugh while having drinks with a friend of mine yesterday. He kept looking at his watch, and before I understood why I was starting to get annoyed he said that he had an incoming call.

To people of my generation and above (not many of those left), looking at your watch frequently is a sign of impatience, and that you have somewhere you need, or would rather, be. For those sensitive to these non-verbal cues, it signals the end of a conversation, date, meeting, and so on, often resulting in stilted conversation and perhaps even resentment.

Ironically, if he had been looking at his phone that frequently, I would not have thought twice as I do the exact same thing myself. We are both busy, he the CEO / Founder of a successful security company, me an insecure addict of social media affirmation (please like this).

I have tried to figure out why I found this so amusing, but have not reached a conclusion yet. Seeing as this would be a very short blog otherwise, here are some thoughts:

  1. My laughter contained at least a hint of nostalgia, it’s clear that I was remembering a simpler time. And by ‘simple’ I mean utterly disconnected from anything not immediately in front of me. A time without mobile phones. A time when the ‘Like’ button was a smile on your friend’s face.
  2. My laughter also contained chagrin. I thought I was as up to speed with technology and innovation as anyone, but clearly my values and reactions to everything around me were formed in a time very different from this one. I now know that part of me will always stay there.
  3. Jealousy that I didn’t have one because I have not seen one I like, and I have the wrists of a 7 year old girl.
  4. Frustration that ALL of this can’t be replaced by a contact-lens-driven heads-up display.
  5. Several large Woodford Reserve bourbon and ginger ales.

I don’t think anyone can deny the enormous impact mobile devices (especially smart phones) have had on both work and personal interactions. And most of us agree that a change this profound, in so remarkably short a period of time, indicates that we are actually only at the beginning of bigger changes to come (the Internet of Things, for example). Where people differ is in their reaction to it: from abject fear and utter rejection, to excitement and complete embracement. Most of us are somewhere in between.

What I do know is that to reject this change is to be left behind, and to stick with traditional concepts of privacy will exclude you from the conveniences to come. I’m not judging this in a negative way; I’m sure you are perfectly happy to BE ‘left behind’ and to do things the ‘old way’, but I’m also saying that I will not be one of those. I’m too bloody lazy not to have as many things done for me automatically as possible.

I am also happy to accept the consequences, and I will likely be laughing all over again when it all goes horribly wrong! :)

Shopping Cart Abandonment, Authentication to the Rescue

According to Business Insider, approximately $4 TRILLION worth of merchandise will be abandoned in online shopping carts this year, of which only 63% is recoverable for those retailers with the necessary “savvy”.

The reasons behind this abandonment are as myriad as the individuals making the purchases, but to truly understand the root cause, you must examine the people themselves. From an online purchasing perspective, they fall roughly into these 5 categories:

  1. Mind-Changers – People change their minds all the time, which is much easier when you’re online than when you’re face-to-face with a sales rep. The longer the purchase process, the more time retailers are leaving open for this category to have second thoughts.
  2. Distractors – For those who don’t really care about their purchase, the slightest distraction will cause them to move on. Long and complicated check-out processes will see these folks following the next shiny thing.
  3. Impatient – Again, long check-out processes will see the impatient group give up fairly quickly even though it means starting again. The issue is that they will undoubtedly start again on a competitor’s site.
  4. Private – Asking a significant number of questions unrelated to the transaction itself, or forcing them to create an account first is not an option for this category.
  5. Frustrated – Too many steps and customers become frustrated and lose interest in purchasing the item.

Other reasons include hidden fees, unreasonable shipping & handling costs, loss of bandwidth and a multitude of others, but these are mostly issues with the merchant, not with the buyer.

The simplest and quickest checkout process helps mitigate these all-too-common behavioural flaws. However, it’s just not that easy when both the merchant and their underpinning acquiring bank(s) have responsibilities that go far beyond customer convenience.

Anti-fraud, anti-money laundering, and significant numbers of industry-specific regulations mean that sellers must be reasonably sure that the purchaser is who they say they are. Currently this is performed by authentication: payment card details including the Card Verification Value (CVV) etc.

However, as a direct result of increasing online fraud rates, banks now require digital shoppers to prove who they are with more than just their card details. For example, 3D Secure was introduced in 2005 to help combat this fraud by adding another layer of authentication, but the oft-quoted “significant abandonment rates” experienced as a direct result have forced many e-commerce retailers to turn the service off during peak seasons (e.g. Christmas), or even cancel the service altogether.

So far the uncertain balance between convenience and security has only been good for the bad guys.

The Holy Grail of digital commerce is a frictionless checkout. This is only possible if the many disparate inputs are seamlessly integrated and made invisible to the consumer. The only device that has a chance to combine all of this into a process that basically mirrors the every-day behaviour of the consumer is the mobile device. It also just happens to be the one thing that can combine many forms of authentication that far exceed every regulation in the industry.

No-one doubts that e-commerce and m-commerce will continue to enjoy enormous growth, but it is only by getting the convenience vs. security balance right that the full potential of these markets can be reached.

Only authentication holds all the cards.

[Ed. Written in collaboration with]