Biometrics is Dead, Long Live Mobile!

In my continuing crusade against greedy and self-serving biometrics vendors – which is absolutely NOT all of them – I figured I would give them a little taste of their own medicine with a ridiculous assertion in the title.

Of course biometrics isn’t dead [I believe it’s still in its infancy] and of course it will only continue to grow in distribution and influence. Its adoption will sky-rocket as mobile devices take over the world and IoT makes thinking for yourself redundant, and I for one am more than happy for it to spend more time in the sun.

What I cannot / will not accept from biometrics:

  1. Its growth at the expense of ANY other form of authentication (without appropriate justification),
  2. Its false and irresponsible claims to its security, and;
  3. Its blatant disregard for its ultimate benefactor; the mobile phone

Put to one side for a minute that not ONE legislation / regulation in payments actually requires biometrics (where “strong authentication” is primarily defined as 2-factor), and focus for a second on how biometrics has even made it as far as it has. Simply put, without the mobile phone, there would BE no biometrics in the mainstream.

It’s not like we would all carry around a separate device to perform biometric authentication, would we? No, we wouldn’t, so it’s only because biometrics is so readily available that we even consider it an alternative to passwords. That’s right, an ALTERNATIVE, and for the foreseeable future, one completely driven by consumer preference. No financial institution in their right mind will make biometrics mandatory, probably ever. I certainly wouldn’t.

So if the mobile phone is so all-powerful, why aren’t they attacking passwords? Simple, a) they have no need to, they are the dominant factor, and b) they are smart enough to realise that without the OTHER two factors they are not providing the best solutions possible.

In other words, they get it.

Rather a bleak picture, isn’t it? 1) not required for regulatory compliance, 2) will never be mandatory, only a consumer preference, 3) will never be suitable for some forms of authentication due to false ‘positives’, and; 4) it is completely reliant on something else for its distribution. But even with all of this against it, I will embrace biometrics, in all its forms, if it provides me the convenience I crave, with ENOUGH security to transfer the risk to someone else (my bank for example).

And that’s really what it all boils down to; risk. A simple word but one completely misunderstood, and usually handled poorly. Bottom line; if the effort to steal something is greater than its value, it’s safe …enough. That’s all biometrics and passwords provide; security enough, and the amount of security you have to provide for a transaction is directly proportional to the value of the transaction.

For example, why would you use Apple Pay when it requires authentication that the contactless card does not? Is it more convenient? No. Does it provide more value-add services? No. Does it have anywhere near the distribution of plastic? No. Do YOU have to care about the security of contactless? No, you don’t.

Biometrics is, and will always be only a player in the game. While mobile holds most of the cards, any form of biometrics will be beholden to it, so they should play nice.

PSD2: The Race to the Consumer

The following things have been clear for a while:

  1. The three and four party models represented by the card schemes are in real danger of being disintermediated as mobile technology advances;
  2. The use of plastic will only begin to fade when consumers have a compelling reason to move, mobile payments alone is insufficient;
  3. Retailers are desperate to engage consumers much earlier in the buying process, as well as for a long time after it;
  4. Identity Management and Authentication will take their rightful place in payments and beyond, and;
  5. The average consumer has no idea what they want

What has NOT been clear [to me anyway] is what will be the impetus for things to actually change, and I never thought it would be a regulation.

But that is exactly what is happening here in the EU. Even a cursory examination of the Payment Services Directive 2 (PSD2) makes it clear that the established order is changing. It has already been adopted by the European Parliament, and adoption by the EU Council of Ministers is only a pending formality. Once published, each of the EU countries has just 2 years to write the Directive into their laws.

If you had to distill the PSD2 into its major players, they would be;

  1. Account Servicing Payment Service Provider (ASPSP) – Usually the banks, these guys will need to open up account data once they have received permission to do so from the consumer.
  2. Account Information Service Providers (AISPs) – Aggregators of data received from ASPSPs
  3. Payment Initiation Service Providers (PISPs) – Can initiate a payment, but can only provide a ‘Yes’ or ‘No’ in terms of funds availability.

It’s the AISPs that are truly the new guys on the block. Imagine it; a non-bank Third Party Provider (TPP) can, once properly vetted / ‘licensed’, request all the information from all of your banks / financial institutions and display it to you in a single location! The possibilities for money management alone are enormous, but it’s retail that will be the big winner. Well, some retailers.

The reason that retail and TPPs alike should be dribbling at the thought of this is that these centralised ‘Money Managers’ (MMs) are the perfect location to begin the buying process.

You want to buy a TV, so you open your MM app which has already gone through the effort to combine feeds from all of the following:

  1. Retailers – If retailers do not provide feeds of stock, deals, locations, terms and so on, these will not be presented to the consumer as an option
  2. Ratings & Reviews – Few people realise what goes into those 5 stars you see on Amazon and the like, but you’d be surprised how much influence they have
  3. Your Finances – No point looking if you can’t afford it

Then, once you have gone through a nice friendly wizard to narrow down what you are looking for, your MM goes out and looks for the best deal, AND offers you the best payment terms from all of your lenders. And the WAY you pay? What do you care, the MM has already determined the best way and taken care of the details!

This may not sound all that radical, but there are two incredibly important facts here; 1) the holder of your money has become far less relevant, so even the banks themselves are losing the Race to the Consumer, and 2) consumers will stop caring HOW they pay in terms of channel, making every other intermediary in the current payment ecosystem irrelevant.

This is what your money is: a stored value. Why SHOULD you care if it’s direct debit, standing order, or branded card, as long as it’s the best deal for you? It all comes back to you anyway.

EMV in the US, I Still Can’t Figure Out Why?

Way back in July 2013 I wrote the blog “Why the US Will Not Adopt EMV (Chip & PIN)”, which, given the current state of EMV adoption in the US, was wayyyy off the mark.

My broken crystal ball aside – hey, if I was any good at predictions I’d be blogging from my yacht anchored in the Med, not from my kitchen in Barnes – I still can’t figure out why the US would spend billions upon billions of dollars on EMV without demanding that those players with the greatest vested interest in ‘plastic’ build in a more permanent ROI.

Those players are:

  1. The Card Brands: This one is a given, any move away from plastic and towards mobile is one step closer to obsolescence (yes, I am ignoring EMV tokenisation, for many reasons).
  2. Issuers: Also a given, what ELSE are they going to do?
  3. Acquirers / PSPs: They have the best chance of segueing their current position into bringing their merchant-base future-proofed payment innovations and value-add services designed to improve the ‘consumer journey’.
  4. Terminal/PED Manufacturers: Once the US has spent billions replacing their mag stripe PEDs with Chip / Contactless, what is left for PED makers to do? When the whole world finally works out that mobile phones and wearables only need something to read them (e.g. another bloody phone), why buy crappy, massively expensive devices that do next to nothing to improve the customer’s shopping experience?

These players have been around for so long that they are seen as the de facto standard, while all along they have been intermediaries designed only to make non-cash payments safe. To make them trusted. And they did a superb job, so superb in fact that it has taken technology almost SIXTY years to find something better! We went from the first production car to landing on the bloody MOON in the same time!

But it’s here now, and it’s been here since Apple created the iPhone. A device capable of so many modes of every factor of authentication that we can really start calling it Identity Assurance, which is the foundation of the only thing on which a payment is truly based; trust.

A credit card number, regardless of where it’s stored, how it’s stored, or even if it’s tokenised, will never be able to match what my phone can do.

For years now, the functionality of mobile devices has been perfectly placed to provide alternatives to plastic; e-wallets, direct debit, merchant-side tokens, even block chains, but here we are, in 2015, and we are still spending billions on the same technology our parents or even grandparents first used back in the 60’s.

Again, why?

Let me answer that with another question; How do YOU want to pay for things in a store? If whatever you wanted in payment technology could come true tomorrow, what would it look like?

The odds are that unless you’re in the payments innovation line of work, you really have no idea. You just want it to be painless, convenient, and if you’ve had issues in the past, safe. Payment cards are so much part of our lives that we cannot even imagine anything simpler. It’s only when you know what goes on in the background that the true cost of plastic comes to light.

From interchange fees, to PCI compliance, to fraud, to PEDs, to the plastic cards themselves, taking card payments is a massively expensive undertaking, and if you think those costs are not passed down to us, the consumers, then I have a bridge to sell you.

But you really can’t blame the consumer, we are not the ones who live and die at the whim of consumers in general …but retailers do. Would Walmart be as big if they only took cash? Of course not, they NEED non-cash payments, but what if the top TEN retailers in America had told the card brands that the first one to negate the need for EMV got ALL their business, can you imagine what would have happened?

Top 10 Retailers’ Revenue in 2013

Rank  Retailer         Rev. (USD Millions)
  1   Wal-Mart              $ 334,302.00
  2   Kroger                $  93,598.00
  3   Costco                $  74,740.00
  4   Target                $  71,279.00
  5   The Home Depot        $  69,951.00
  6   Walgreen              $  68,068.00
  7   CVS Caremark          $  65,618.00
  8   Lowe’s                $  52,210.00
  9   Amazon.com            $  43,962.00
 10   Safeway               $  37,534.00
      Total                 $ 911,262.00

That’s close to 1 TRILLION USD, the lion’s share of which was accepted through plastic.

And what could Target have done with the $100M they spent on new PEDs, or the millions they are paying in fines and reparations for their 2013 breach? I point not to their ridiculous back-end processes as the cause of their woes, but their inability to focus on the true cause of their vulnerability; their inability to innovate collaboratively.

I guess, in retrospect, EMV in the US was inevitable, without consumer pressure for alternatives the retail industry just followed along like sheep, perhaps assuming payment cards were some kind of ‘official’ mandate. They are not, and the retail industry in the US missed an incredible opportunity for change. Now all they’ve done is set themselves up to not only pay for the ‘new’ infrastructure (at least up front), but to pay for the fraud as well.

While not entirely appropriate, it’s one of my favourite sayings, and applies to every level in the payment food-chain, including the consumer.

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”

― Harlan Ellison

Tokenisation – Here We Go Again?

The concept of tokenisation has been around for centuries as a means to “reduce [the] risk in handling high value financial instruments by replacing them with surrogate equivalents.” The concept is simple, sound and proven, yet in today’s digital age, it raises questions that were previously not considered important, or even relevant. For example; if you need to tokenise something – an account number, for example – why do we expose those account numbers during a transaction in the first place?

The short answer is that we do NOT need to expose account details, not with the dramatic advances in mobile phone authentication over the last 10 years. However, the reality is not that simple, in fact, the challenges faced by today’s organisations are enormous in both scale and complexity. From retail merchant, to acquirer, to issuer (especially the issuer!) cleaning up the detritus left by 50 years of card payments is a truly Herculean task.

But for 50+ years the global adoption of payment cards changed the course of payments forever, and did so in the right direction; away from cash. Despite the numerous benefits we have enjoyed from this non-cash pioneer, we now unfortunately see the cost of that success in the numerous and on-going data breaches involving millions of payments cards and BILLIONS of €/£/$ in fraud losses annually.

In the world of payments, even in 2015, the term tokenisation is synonymous with replacing a payment card (Visa, MasterCard, Amex, China UnionPay etc.) Primary Account Number (or PAN), with a token of less – or preferably no – value to an attacker. This is not a new concept, even for payment cards, as vendors have been providing tokenisation solutions for well over a decade, even longer in closed-loop payment environments.

So if solutions were available way back in 2005, why are there still countless billions of PANs floating around? The answer to this isn’t simple either, and it starts with the fact that there are at least three different types of tokenisation related to the surrogation of PANs:

  1. Acquiring / PSP / Merchant Tokens – “This token is created after the cardholder presents their payment credentials. ‘Acquiring Tokens’ may be used as part of the authorisation process, including card-on-file transactions.”

    Note: These tokens were the first to be introduced, and represent a ‘distributed’ model. Providers must only maintain Payment Card Industry Data Security Standard (PCI DSS) compliance and potentially Payment Application (PA) DSS compliance (depending on the implementation).

  2. Issuer Tokenisation – “Also known as virtual card numbers or alternate PANs, issuer tokens are created by issuers to reduce risk in specific use cases (e.g. commercial card applications, and consumer-oriented services).”

    Note: This solution can look almost identical to the Acquiring tokens.

  3. EMV Tokens – “Tokens compliant with the EMV Payment Tokenisation Specification – Technical Framework developed as a multi-scheme initiative by Visa, MasterCard and American Express and first published in March 2014. Ownership has now been transferred to EMVCo, who will take responsibility for further development of the framework going forward.”

    Note: These tokens were made available by the major card schemes beginning late 2014, and represent a ‘centralised’ model based on a specific standard; EMVCo’s ‘EMV Payment Tokenisation Specification’.

These solutions have their own benefits and drawbacks, depending on both your requirements and to whom you speak, but there’s one thing a tokenisation solution should NOT do, and that’s disrupt any legacy process. Loyalty programs, anti-fraud mechanisms, big data analytics and a host of others can all be tied to primary account numbers, and can all be broken if the token-to-PAN relationship is not maintained.

Perhaps the most obvious drawback of the EMV Tokens in particular is a direct result of one of its most significant security measures; a token can be assigned a ‘domain’, and only transactions in that same domain will be processed (an e-commerce token can only be used for e-commerce transactions, for example). While this sounds logical, when you consider that an individual merchant can be a domain (Amazon for example), it’s obvious that just one card can have several or even dozens of assigned tokens. Every token costs the Issuers €0.20 for provisioning, then anywhere between €0.02 and €0.005 for ‘hosting and life-cycle management’. An issuer who has just 5,000,000 tokens will be paying >€1M up-front, then >€600K / annum to the Token Service Providers (currently just the card brands themselves).

It can be assumed that this cost will be off-set by the reduction in card fraud, but this further assumes an almost global adoption of the tokenisation service, and a seamless interface to the consumers. Consumers will simply not accept any additional complexity in the payment process.
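To make the two properties discussed above concrete (a token that is worthless to an attacker yet keeps its link to the PAN so loyalty and anti-fraud processes still work, and an EMV-style ‘domain’ that causes an e-commerce token to be refused at the point of sale), here is an added example that is not from this post or from any scheme’s specification. The in-memory vault, the domain names and the sample PAN are constructed for illustration; a real Token Service Provider would additionally key, encrypt and audit the store.

```python
"""Added illustration: a minimal domain-restricted token vault (not the post's code)."""
import secrets
from typing import Optional


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial` + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when `number` is all digits and its last digit is the correct Luhn check digit."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Constructed in-memory surrogate store: token -> (PAN, domain), plus PAN -> tokens."""

    def __init__(self) -> None:
        self._tokens = {}   # token -> (pan, domain)
        self._by_pan = {}   # pan -> [tokens]  (the link legacy processes rely on)

    def tokenise(self, pan: str, domain: str) -> str:
        """Issue a format-preserving token bound to `domain`: same length, Luhn-valid,
        last four digits kept for receipts, everything else random."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        n = len(pan)
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(n - 5))
            # Exactly one middle digit keeps the whole token Luhn-valid with the real
            # last four in place (the Luhn digit mapping is a bijection on 0..9).
            token = next(t for t in (prefix + d + pan[-4:] for d in "0123456789") if luhn_valid(t))
            if token != pan and token not in self._tokens:
                break
        self._tokens[token] = (pan, domain)
        self._by_pan.setdefault(pan, []).append(token)
        return token

    def detokenise(self, token: str, domain: str) -> Optional[str]:
        """Return the PAN only when the token is presented in its assigned domain."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] != domain:
            return None  # unknown token or domain mismatch: the transaction is declined
        return entry[0]

    def tokens_for_pan(self, pan: str) -> list:
        """All tokens for a PAN, so loyalty or fraud analytics keyed on the PAN keep working."""
        return list(self._by_pan.get(pan, []))


SAMPLE_PAN = "4111111111111111"  # constructed sample number, not a real account


def demo() -> dict:
    """Provision one e-commerce and one POS token for the same card and test the domain check."""
    vault = TokenVault()
    ecom = vault.tokenise(SAMPLE_PAN, "e-commerce")
    pos = vault.tokenise(SAMPLE_PAN, "pos")
    return {
        "ecom_token": ecom,
        "pos_token": pos,
        "ecom_in_ecom": vault.detokenise(ecom, "e-commerce"),  # PAN recovered
        "ecom_at_pos": vault.detokenise(ecom, "pos"),          # None: wrong domain
        "tokens_per_pan": len(vault.tokens_for_pan(SAMPLE_PAN)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each new domain (or each merchant treated as its own domain) adds another token per card, which is exactly the per-token provisioning and life-cycle cost the paragraph above puts on the Issuer.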

So while the concept of tokenisation is a good one, it not only raises the question posed in the first paragraph; “If you need to tokenise something why do we expose [those account numbers] during a transaction in the first place?”, the fact that tokenisation will be most prevalent in mobile transactions (like Apple Pay) raises a concept even more fundamental; why is there anyone in the middle?

A payment is a movement of value from one place to another, so it follows that there are only 4 stakeholders involved; the consumer and their bank, and the merchant and their bank, right? However, for a branded payment card transaction, you can add an Issuer (of the plastic), an acquirer (not necessarily your bank), potentially a Payment Service Provider (PSP) and of course, the card brand itself. All of whom take a piece of the transaction.

The card brands have performed this intermediary function for 5 decades, and their success was entirely justified. They put the trust into non-cash payments when none could possibly exist in a global market. Yes, there is fraud, fraud in the billions, but the volume of traffic across the card brand rails is in the multi-TRILLIONS.

Nothing could match the card brand’s acceptance, security and sheer ubiquity …until now. The smartphone we all take for granted has the capability to match the assurances represented by the card brand logos, all while bringing payments back to its original foundation; a representation of trust.

We are a long way from being able to disintermediate anyone in the current payments ecosystem, but tokenisation [for example] should only be seen as a patch on something broken as opposed to a solution in and of itself.

Anyone looking for solutions needs to learn to ask the right questions or their payment solutions will be out of date before they accept the first transaction.

The Inherent Limitations Of The Contactless Card

This week saw an announcement from the UK Cards Association that the transaction limit on contactless cards had been raised from £20 to £30 to cover the average supermarket spend of £25. This is also in response to the news that the first half of 2015 saw £2.5bn spent on contactless transactions, compared with £2.3bn for the whole of 2014. Apple Pay has followed suit, although some retailers are considering scrapping the limit altogether given the authenticated nature of the transaction.

This remarkable growth is to be welcomed as it demonstrates the willingness of consumers to embrace new payment methods. Contactless is a swift and easy way to make payments and it is clear that consumers are, finally, adopting the technology, albeit mostly with the continued use of ‘plastic’.

Yet, a closer look at the statistics shows that the use of contactless is still limited and far from reaching its full potential. Figures, again from the UK Cards Association, show that the average spend on a contactless transaction is £6.98. Yet, the average debit card purchase in 2014 was £43.45, over SIX times greater!

Contactless is used, by and large, for small purchases. Even before the raising of the transaction limit to £30, the average spend represented just over a third of the transaction limit. Consumers use it to buy their morning coffee and lunchtime sandwich, and while contactless is growing in consumer popularity and merchant acceptance, there are still significant gaps in capability distribution.

A look at a list of the companies that accept contactless payments is an impressive who’s-who of household names, but with the exception of Waitrose and Marks and Spencer, large supermarkets are noticeable in their absence.

In part, this could be due to the fact that supermarkets are focussed more on securing consumers’ higher value weekly shops rather than smaller baskets on grocery essentials, but not all PED/terminal estates are even capable of accepting contactless. Just about all new terminals are Near Field Communication (NFC) capable, but older models are not. Cost of replacement must be in line with infrastructure end-of-life, not desire for new capability.

Mobile Commerce (or m-commerce) has also added significant complexity to the retailer’s decision-making process. Traditional (and most legacy) terminals are built for purpose; the acceptance of branded payment plastic. The enormous flexibility and functionality of the MUCH cheaper mobile payment acceptance devices can significantly improve the entire consumer shopping journey, something that no retailer can afford to ignore.

Contactless cards don’t require any initial authentication to use them with the exception of mandatory PIN entry after a specified number of uses (usually 5 in the UK). This limits their usefulness to brick & mortar retail as the risk of fraud and chargebacks is fairly significant. With the use of contactless via a consumer mobile device, the number of authentication factors and modes can make contactless payments as secure as chip & PIN.

When consumers have the ability to seamlessly authenticate themselves to make a payment, the limits on how, and how much they spend, are removed.

So, while it is encouraging to see contactless payments become more popular, it is inevitable they will only reach their true potential via consumer mobile devices, and not plastic cards.

[Ed. Written in collaboration with www.myPINpad.com]