PIN on Mobile

PCI: Software-Based PIN Entry on COTS (a.k.a. PIN-on-Mobile)

Almost four YEARS ago I wrote Software PIN, the Rosetta Stone of Future Payments, then just over a year later I wrote: Mobile Authentication: Exceeding Card Present Security?

Just this month the SSC finally came out with their Software-Based PIN Entry on COTS Security Requirements v1.0.

[Ed. While I don’t have to wonder why PIN was my primary focus, I can see how pointless it was …almost. It just makes the delay on this standard that much more inexcusable.]

On with the story… Software PIN is more commonly referred to as PIN-on-Mobile (or the catchier PIN-on-Glass), and is the ‘game-changing’ technology that will “enable merchants to accept PIN-based payments with the PIN entered on a commercial off-the-shelf device, such as a consumer-grade mobile phone or tablet.”

What has taken them so long to make what – from my jaded perspective – is the only move that will delay their inevitable demise? It’s not like there was some miraculous innovation in mobile or encryption technology in the last couple of years! Every requirement in the standard was available/achievable long before I even wrote my blogs. As were viable solutions for that matter.

I suspect there are lots of reasons why they were so slow, but chief amongst these has to be their complete inability to adapt to the fast-paced innovation rampant in the FinTech industry. Especially given their hopelessly antiquated technology. It’s only their global adoption and sheer ubiquity that keeps them where they are. I blame the banks too; change for them means acceptance of liability.

Come to think of it, what an amazing coincidence that PSD2 – the biggest nail in the payment card’s coffin since …well ever, came out this month as well. Weird huh?

As far as I am concerned, PIN-on-Mobile was the card brand’s last hold-out, now they’re done. Hopefully between the XYZ-Pays (ApplePay, SamsungPay etc.) and now the entry of cardholder PIN on [almost] any CoTS device, big merchants / retail associations will finally have the balls to stand up for themselves.

How many millions have they spent in the US on EMV terminals just to find out a few years later that it was not only entirely unnecessary, but that they’re now tied into an investment that will leave them lagging behind the competitors who were slower off the EMV block?

I know that’s harsh, and we really have no right to judge. Have any of the following questions ever occurred to you?

  1. If I can use my phone to pay for something, why do I have to tie that payment to a branded card?;
  2. With all of the security requirements required for the entry of a software PIN, why the Hell do I still have to use one? In other words, if it’s that bloody difficult to secure it, why not use something else?; and
  3. Isn’t there a better way!?

If you’re like the majority of the population, these questions are more like:

  1. Why doesn’t MY bank support this?! (looking at YOU Barclay Business!), or more commonly; why would I use this service when I have a piece of plastic?;
  2. What’s wrong with PIN?; and
  3. [nothing]

The fact is that the lion’s share of the cashless transactions globally are performed by those who have never known a time before payment cards. We simply can’t imagine anything else and we don’t even notice their inconvenience. We also don’t see the costs imposed by the middlemen.

But let me ask you this; Would you ever go back to using a feature phone? I’ll [almost] guarantee that you had no idea what features you wanted in a phone until you used a smartphone for the first time. And now you can’t live without it. Hell, most of us can’t even put the damned things down!

The same thing WILL happen to payments, but not until consumer indifference is overcome by something shiny and new.

Frankly this blog is boring even to me, and I really have nothing more to say about payment innovation that I have not already said a hundred times. But I simply can’t let anything so patently meaningless as PIN on Mobile go unanswered.

Innovation my arse.

[If you liked this article, please share! Want more like it, subscribe!]

Disruptive Innovation

Enough With the Disruptive Innovation. Collaborate or Fail.

[This is taken in large part from an earlier blog, but I feel it needs updating to include more than just payments.]

‘Disruptive Innovation’ has become a common cry for anyone wanting to displace the existing players. It is defined as “an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.”

Unfortunately the original concept is now grossly misapplied. But like how ‘irony’ now has several meanings, I guess disruptive innovation will have different meaning based on its context.

However, I’ve never heard anyone using the phrase ‘Sustaining Innovation’, which “does not create new markets or value networks but rather only evolves existing ones with better value, allowing the firms within to compete against each other’s sustaining improvements.”

So why is everyone so interested in disrupting the existing ecosystems? And by “everyone” I of course mean those who are trying to either break into the market, or those trying to wrest even more control for themselves. In payments – to use my example – non-cash payments work [mostly], and you have a large degree of faith in your bank’s ability to protect your monetary assets. Do you really want the whole thing to change? Do you even know what it is that you want that’s different?

But do things even need to change? Well yes, actually, they do. And are there innovations available NOW that make the payments process easier, cheaper, and more secure for the consumer? Yes, there are. However, can we expect the entire payment industry to throw out everything they have spent billions on over the last few decades, and that is used BY billions, just to make room for every start-up with a good idea? No, we can’t, and that’s the real issue here.

In the last 10 years there have only been 2 true [potential] disruptors in the payments industry: the mobile phone, and block chains (Bitcoin et al), neither of which has achieved anywhere near its full potential. Yet. Not because the technologies are flawed [necessarily], but because the introduction OF the technologies was done poorly. For mobile devices, the payments challenges included the ‘fight’ between NFC and BlueTooth, the numerous options for security on the device (Secure Elements, Trusted Execution Environments and so on), and the presumed insecurity of the technology overall. For block chains it was, and still is, the almost complete lack of understanding of how they even work in the first place. I’ve looked into them and I still find the concept nearly incomprehensible.

But even these disruptors need current context, and they represent a fundamental shift from our overly complicated view of payments back to its basics; I go to work to earn value (money), the value gets stored somewhere (a bank), and I access the value when I want it regardless of time or location (mobile payment). This would suggest that the only disruption we really need is the disintermediation of some of the players. There are simply too many middle-men whose only input to the new world of payments will be value erosion. Thank God the Mobile Network Operators (MNOs) are too busy bickering amongst themselves or this would be even more complicated!

As a consumer who has a very good idea of what he wants to see change, I know that only those who help the payments industry evolve will have a lasting positive impact, and this will only be through collaboration and fair competition.

I’ve used payments as an example because that’s what I know best, but the same can be said for almost every other industry sector. The drive to take away what others have, instead of providing a better service for the common good, is capitalism at its worst. And no, I’m not proposing some sort of socialism, it’s just logic: What’s easier? Completely replacing something, or improving what we have in collaboration with multiple players?

It’s not like there isn’t enough to go around.


What Will 2016 Be “The Year Of” In Payments?

I guess it’s quite prophetic that 2016 is the Chinese Year of the Monkey, though I suspect that the Year of the Headless Chicken will be a little more accurate.

Every year, someone either predicts a ‘Year of x‘, or claims that the previous year was ‘The Year of y‘, and usually it’s the very organisations with a direct vested interest in the technology in question. 2015 was the Year of Biometrics, 2014 was the Year of Encryption, and so on.

Thankfully the financial industry at large took a step back and put these, and many other technologies, into an appropriate perspective. Mostly. Especially biometrics, where numerous vendors were dribbling all over themselves when Apple Pay finally hit the mainstream. We heard cries of “The password is dead!” and “Biometrics is the future of authentication!”, all of which was utter nonsense in light of the Payment Services Directive 2 (PSD2).

Yes, many banks have invested significant sums in biometrics (usually to enhance their mobile banking app security), and no, these investments will not be wasted, but from what I’ve seen most of them have missed the point; that authentication is just a temporary means to an end.

The result is that those Hell bent on disruption will fail without collaboration, those with a single authentication technology will fail without partnerships in a multi-factor solution, and those interested only in keeping things the same will be left behind. The only hope of achieving a balance between all of these things is to ask the only stakeholders who have no idea what they want;

The consumer.

Even after a few years of dramatic changes and innovation in payments, what everyone seems to have missed – or at least underestimated – is that payments (or finance in general) is far too complex for the average consumer to understand. In my opinion it’s been made too complex to even be sustainable, especially when you consider that the concept of a payment is actually very simple; I have a value stored here, and I want to transfer it over there in exchange for a product or service. HOW that happens should not be the consumer’s concern, only the security and efficiency of that transaction should.

I have no problem paying my bank to protect my stored value (i.e. money), as long as it’s reasonable. I have no problem paying someone to protect (and accept liability for) the transfer of that money somewhere else, as long as it’s reasonable. What I DO object to is the numerous intermediaries in the current system who not only make the process expensive, but ridiculously slow and inefficient.

But what I really want is for payments to go away entirely, at least from my perspective as a consumer. I want the HOW of the payment to be handled in the background, and the decision made by a trusted third party who found the best all-round deal for the product/service of my choosing. Whether that’s finding a plumber, or shopping for groceries, the only innovations I care about are ones that take care of the things I hate doing; like filling out online payment forms, or lining up in Sainsbury’s to pay for a pint of milk.

So, in truth, 2016 will likely be the Year of Nothing Much Happened. Truly beneficial change will take a long time, and while the pieces necessary for innovation are already available, getting all of the stakeholders to agree on the way forward will extend way beyond this year, and likely next.

I’m hoping that 2016 will actually be the Year of Getting the Future-State Plan Right, but I somehow doubt it.


EMV in the US, I Still Can’t Figure Out Why?

Way back in July 2013 I wrote the blog “Why the US Will Not Adopt EMV (Chip & PIN)”, which, given the current state of EMV adoption in the US, was wayyyy off the mark.

My broken crystal ball aside, – hey, if I was any good at predictions I’d be blogging from my yacht anchored in the Med, not from my kitchen in Barnes – I still can’t figure out why the US would spend billions upon billions of dollars on EMV without demanding that those players with the greatest vested interest in ‘plastic’ build in a more permanent ROI.

Those players are:

  1. The Card Brands: This one is a given, any move away from plastic and towards mobile is one step closer to obsolescence (yes, I am ignoring EMV tokenisation, for many reasons).
  2. Issuers: Also a given, what ELSE are they going to do?
  3. Acquirers / PSPs: They have the best chance of segueing their current position into bringing their merchant-base future-proofed payment innovations and value-add services designed to improve the ‘consumer journey’.
  4. Terminal/PED Manufacturers: Once the US has spent billions replacing their mag stripe PEDs with Chip / Contactless, what is left for PED makers to do? When the whole world finally works out that mobile phones and wearables only need something to read them (e.g. another bloody phone), why buy crappy, massively expensive devices that do next to nothing to improve the customer’s shopping experience?

These players have been around for so long that they are seen as the de facto standard, while all along they have been intermediaries designed only to make non-cash payments safe. To make them trusted. And they did a superb job, so superb in fact that it has taken technology almost SIXTY years to find something better! We went from the first production car to landing on the bloody MOON in the same time!

But it’s here now, and it’s been here since Apple created the iPhone. A device capable of so many modes of every factor of authentication that we can really start calling it Identity Assurance, which is the foundation of the only thing on which a payment is truly based: trust.

A credit card number, regardless of where it’s stored, how it’s stored, or even if it’s tokenised, will never be able to match what my phone can do.

For years now, the functionality of mobile devices has been perfectly placed to provide alternatives to plastic; e-wallets, direct debit, merchant-side tokens, even block chains, but here we are, in 2015, and we are still spending billions on the same technology our parents or even grandparents first used back in the 60’s.

Again, why?

Let me answer that with another question; How do YOU want to pay for things in a store? If whatever you wanted in payment technology could come true tomorrow, what would it look like?

The odds are that unless you’re in the payments innovation line of work, you really have no idea. You just want it to be painless, convenient, and if you’ve had issues in the past, safe. Payment cards are so much part of our lives that we cannot even imagine anything simpler. It’s only when you know what goes on in the background that the true cost of plastic comes to light.

From interchange fees, to PCI compliance, to fraud, to PEDs, to the plastic cards themselves, taking card payments is a massively expensive undertaking, and if you think those costs are not passed down to us, the consumers, then I have a bridge to sell you.

But you really can’t blame the consumer; we are not the ones who live and die at the whim of consumers in general …but retailers do. Would Walmart be as big if they only took cash? Of course not, they NEED non-cash payments, but what if the top TEN retailers in America had told the card brands that the first one to negate the need for EMV got ALL their business? Can you imagine what would have happened?

Top 10 Retailers’ Revenue in 2013

  Rank  Retailer         Rev. (USD Millions)
  1     Wal-Mart             334,302.00
  2     Kroger                93,598.00
  3     Costco                74,740.00
  4     Target                71,279.00
  5     The Home Depot        69,951.00
  6     Walgreen              68,068.00
  7     CVS Caremark          65,618.00
  8     Lowe’s                52,210.00
  9     Amazon.com            43,962.00
  10    Safeway               37,534.00
        Total                911,262.00

That’s close to 1 TRILLION USD, the lion’s share of which was accepted through plastic.

And what could Target have done with the $100M they spent on new PEDs, or the millions they are paying in fines and reparations for their 2013 breach? I point not to their ridiculous back-end processes as the cause of their woes, but their inability to focus on the true cause of their vulnerability; their inability to innovate collaboratively.

I guess, in retrospect, EMV in the US was inevitable, without consumer pressure for alternatives the retail industry just followed along like sheep, perhaps assuming payment cards were some kind of ‘official’ mandate. They are not, and the retail industry in the US missed an incredible opportunity for change. Now all they’ve done is set themselves up to not only pay for the ‘new’ infrastructure (at least up front), but to pay for the fraud as well.

While not entirely appropriate, it’s one of my favourite sayings, and applies to every level in the payment food-chain, including the consumer.

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”

― Harlan Ellison

The Inherent Limitations Of The Contactless Card

This week saw an announcement from the UK Cards Association that the transaction limit on contactless cards had been raised from £20 to £30 to cover the average supermarket spend of £25. This is also in response to the news that the first half of 2015 saw £2.5bn spent on contactless transactions, compared with £2.3bn for the whole of 2014. Apple Pay has followed suit, although some retailers are considering scrapping the limit altogether given the authenticated nature of the transaction.

This remarkable growth is to be welcomed as it demonstrates the willingness of consumers to embrace new payment methods. Contactless is a swift and easy way to make payments and it is clear that consumers are, finally, adopting the technology, albeit mostly with the continued use of ‘plastic’.

Yet, a closer look at the statistics shows that the use of contactless is still limited and far from reaching its full potential. Figures, again from the UK Cards Association, show that the average spend on a contactless transaction is £6.98. Yet, the average debit card purchase in 2014 was £43.45, over SIX times greater!

Contactless is used, by and large, for small purchases. Even before the raising of the transaction limit to £30, the average spend represented just over a third of the transaction limit. Consumers use it to buy their morning coffee and lunchtime sandwich, and while contactless is growing in consumer popularity and merchant acceptance, there are still significant gaps in capability distribution.

A look at a list of the companies that accept contactless payments is an impressive who’s-who of household names, but with the exception of Waitrose and Marks and Spencer, large supermarkets are noticeable in their absence.

In part, this could be due to the fact that supermarkets are focussed more on securing consumers’ higher value weekly shops rather than smaller baskets on grocery essentials, but not all PED/terminal estates are even capable of accepting contactless. Just about all new terminals are Near Field Communication (NFC) capable, but older models are not. Cost of replacement must be in line with infrastructure end-of-life, not desire for new capability.

Mobile Commerce (or m-commerce) has also added significant complexity to the retailer’s decision-making process. Traditional (and most legacy) terminals are built for purpose; the acceptance of branded payment plastic. The enormous flexibility and functionality of the MUCH cheaper mobile payment acceptance devices can significantly improve the entire consumer shopping journey, something that no retailer can afford to ignore.

Contactless cards don’t require any initial authentication to use them with the exception of mandatory PIN entry after a specified number of uses (usually 5 in the UK). This limits their usefulness to brick & mortar retail as the risk of fraud and chargebacks is fairly significant. With the use of contactless via a consumer mobile device, the number of authentication factors and modes can make contactless payments as secure as chip & PIN.

When consumers have the ability to seamlessly authenticate themselves to make a payment, the limits on how, and how much they spend, are removed.
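As an added illustration (not code from the original post or from myPINpad), the following is a deliberately simplified model of the three contactless risk controls the text describes: the per-transaction limit (£30), the forced PIN after a run of consecutive no-CVM taps (the post says usually 5 in the UK), and the consumer-device path where the phone has already authenticated its user so the terminal limit no longer applies. The constant names, the `CardState` class and the outcome strings are my own; real EMV kernels and issuer risk parameters are considerably more involved.

```python
from dataclasses import dataclass

# Values taken from the post; the names are assumptions for this model.
CONTACTLESS_LIMIT_GBP = 30.00   # UK contactless limit after the 2015 rise from £20
MAX_NO_CVM_IN_A_ROW = 5         # taps allowed without a PIN before one is forced


@dataclass
class CardState:
    """Issuer-side counter of consecutive contactless taps made without a PIN."""
    no_cvm_count: int = 0


def decide_cvm(amount: float, state: CardState, device_authenticated: bool = False) -> str:
    """Decide the cardholder verification method (CVM) for one contactless tap.

    Returns one of:
      'CDCVM'  - the consumer device (phone) already authenticated its user,
                 so no terminal limit or PIN applies (the "limits removed" case)
      'NO_CVM' - plain tap-and-go on a plastic card, counted against the run limit
      'PIN'    - the cardholder must enter a PIN (over the £30 limit, or the
                 run of no-CVM taps is exhausted); the run counter resets
    """
    if amount <= 0:
        raise ValueError("amount must be positive")

    if device_authenticated:
        # Consumer device CVM: the authentication happened on the phone, so the
        # card's no-CVM run counter is neither consumed nor reset.
        return "CDCVM"

    if amount > CONTACTLESS_LIMIT_GBP or state.no_cvm_count >= MAX_NO_CVM_IN_A_ROW:
        # Either control trips: force a PIN, and a successful PIN clears the run.
        state.no_cvm_count = 0
        return "PIN"

    state.no_cvm_count += 1
    return "NO_CVM"


def run_sequence(amounts, device_authenticated: bool = False) -> list:
    """Apply decide_cvm to a sequence of taps on one card and return the outcomes."""
    state = CardState()
    return [decide_cvm(a, state, device_authenticated) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: six £6.98 coffee-sized taps (the post's average spend),
    # then the post's average debit purchase of £43.45 on plastic and on a phone.
    print(run_sequence([6.98] * 6))                        # five NO_CVM, then PIN
    print(run_sequence([43.45]))                           # PIN: over the £30 limit
    print(run_sequence([43.45], device_authenticated=True))  # CDCVM: limit removed
```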

So, while it is encouraging to see contactless payments become more popular, it is inevitable they will only reach their true potential via consumer mobile devices, and not plastic cards.

[Ed. Written in collaboration with www.myPINpad.com]