Invisible Payments, Are They Real?

In short, yes, they WILL be, but like everything worthwhile there is a significant cost involved. The currency will be your identity: the more invisible you want payments, or any transaction for that matter, to become, the more of your identity you will have to spend. Put another way, there is a direct trade-off between the identity you share and the privacy you keep.

First, what is an invisible payment? Seeing as Wikipedia hasn’t even got an entry yet, I’ll take a stab at defining what invisible payments are to me:

“A payment can effectively be called invisible when there is limited to no interaction required by the payment initiator (the consumer) to complete the authorisation and settlement of a transaction.”

Any fan of Star Trek has seen this in play for decades. When was the last time you saw Captain Kirk reach into his pocket for a 10 spot or a credit card? Did he have to use biometrics or a swipe card to get onto the bridge? Maybe, but we saw none of it, and that’s the point.

Imagine this scenario: you walk into Sainsbury’s and pick up a basket, then walk up and down the aisles choosing your items. Once you have finished shopping, you walk out to your car [optionally] without any further interaction whatsoever.

What was the process?

  1. As you walked in, any number of authentication mechanisms were at play, from smartphone proximity (NFC) to facial and/or gait recognition to whatever biometric innovation comes next;
  2. Both the shopping carts and the baskets could easily be fitted with fingerprint, vein or hand-geometry recognition sensors in order to assign the subsequent basket contents to you;
  3. As you place items in the basket, they are scanned and optionally listed on your mobile device for a running total, loyalty benefits, instant coupons and the like;
  4. Walk through a final scanner into a bagging area, or just go straight to your car; either way your final tally is calculated and the funds charged directly to the payment option of your choice. It’s up to you whether you want to authorise the final payment with a PIN and/or a biometric on your smartphone; and
  5. Everything you just purchased is now available in your home database for tracking of ingredients for a meal, expiration dates and so on.

While the majority of the technology behind this transaction is more in the realm of the Internet of Things (IoT), the payments aspect is an extremely simple form of identity management on a smartphone. What’s more, all of this technology is available today; the only thing missing is the demand.

There will be two extreme camps in response to the above scenario: 1) Where do I sign up!? and 2) Never in a million years!

Most of us will be somewhere nearer the middle, and it should be clear that the further you move into the ‘sign-up’ camp, the more of yourself you have had to share. When it comes to invisible payments, and IoT for that matter, the convenience described above comes at a cost to your privacy. And until security catches up with technological innovation, that cost is seen by most to be too high.

That’s the demand I mentioned above, and while scenarios like this will be commonplace one day, we’re not quite there yet.


New Payment Technology: A Race to the Bottom?

In a recent article, 68 PERCENT OF PAYMENTS PROS SAY NEW TECH INCREASES RISK: “68 percent of [payment-systems professionals] say pressure to migrate to new payment systems puts customer data at greater risk instead of making it safer, according to a new survey by Experian and the Ponemon Institute.” This relates to EMV and mobile payments, but it is unclear exactly which technologies they are referring to.

What it does not say is whether the insecurity is due to the pressure of the migration itself (which is implied), or to the inherent insecurity of the underlying technologies. These are two radically different claims, from which the reader will draw wildly different conclusions.

As in any business, the pressure of maintaining a competitive advantage can lead to some very poor decisions, and without a robust governance function insecure systems can easily find their way into production untested. However, if the article is suggesting that it’s the new payment systems themselves that are the issue, we would strongly challenge that argument.

There exist today payment technologies whose security is far in advance of anything possible on the legacy non-chip payment infrastructure. Mobile devices alone support several multi-factor authentication mechanisms in everyday use. Integration of this technology is held up by many factors, but the perceived insecurity of the data should not be one of them. EMV is also far more secure than the magnetic stripe (for example): the stripe carries static data that can be copied once and replayed indefinitely, whereas a chip produces a transaction-specific cryptogram under a key that never leaves the card, so data captured at a terminal cannot be used to manufacture a working counterfeit chip card. The combination of chip and PIN, which adds a cardholder verification step, is more secure still.

It is difficult to see how you could deploy EMV insecurely given its self-contained nature, since the cryptographic checks are defined by the card, the terminal and the issuer rather than by the merchant’s own integration (the obvious exception is allowing fallback to the magnetic stripe whenever the chip read fails, which hands a counterfeiter the old attack back). Mobile payments are something altogether different: their security rests on the device, the wallet application and the provisioning of credentials, and it is addressed by implementing appropriate products and due diligence. This may well be what most concerns those surveyed.
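To make the replay argument above concrete, here is an added illustration. It is my own simplified model, not code from the original post and not the EMV specification: real EMV derives a per-card key from an issuer master key and computes the cryptogram with 3DES/AES MACs over the CDOL data, whereas HMAC-SHA256, the sample PAN, the card key and the terminal nonces below are all constructed stand-ins. A skimmed stripe authorises again unchanged; a chip-style cryptogram bound to a per-transaction counter and the terminal’s own unpredictable number does not.

```python
"""Replay of captured card data: magnetic stripe vs. chip-style cryptogram.

Simplified illustration (not the EMV specification). HMAC-SHA256 stands in
for the card's MAC; all card data and nonces are constructed sample values.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample values (assumptions for the demo, not real card data).
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "2512"
SAMPLE_CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TERMINAL_UN_1 = bytes.fromhex("0a1b2c3d")  # unpredictable number chosen by terminal A
TERMINAL_UN_2 = bytes.fromhex("1e2f3a4b")  # unpredictable number chosen by terminal B

# --- Magnetic stripe: static track data ------------------------------------
STRIPE_ISSUER_DB = {SAMPLE_PAN: SAMPLE_EXPIRY}


def stripe_swipe(pan: str, expiry: str) -> dict:
    """What the terminal reads from the stripe: the same bytes on every swipe,
    so a skimmer that reads it once holds everything the issuer will ever see."""
    return {"pan": pan, "expiry": expiry}


def stripe_issuer_authorise(request: dict) -> bool:
    """Issuer check for a stripe transaction: only static fields exist to check,
    so a copied track is indistinguishable from the original card."""
    return STRIPE_ISSUER_DB.get(request["pan"]) == request["expiry"]


# --- Chip: transaction-specific cryptogram ---------------------------------
def cryptogram_input(pan: str, amount: int, atc: int, un: bytes) -> bytes:
    """Data the MAC covers: PAN, amount, transaction counter and terminal nonce."""
    return f"{pan}|{amount}|{atc}|".encode() + un


@dataclass
class ChipCard:
    pan: str
    key: bytes   # card-unique key; never leaves the chip
    atc: int = 0  # application transaction counter, incremented per transaction

    def generate_arqc(self, amount: int, un: bytes) -> dict:
        self.atc += 1
        mac = hmac.new(self.key, cryptogram_input(self.pan, amount, self.atc, un),
                       hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": un, "arqc": mac}


@dataclass
class ChipIssuer:
    keys: dict = field(default_factory=dict)      # pan -> card key
    last_atc: dict = field(default_factory=dict)  # pan -> highest ATC accepted

    def enrol(self, card: ChipCard) -> None:
        self.keys[card.pan] = card.key

    def authorise(self, request: dict, terminal_un: bytes) -> bool:
        key = self.keys.get(request["pan"])
        if key is None:
            return False
        # The cryptogram must bind the nonce this terminal generated, not one an attacker chose.
        if request["un"] != terminal_un:
            return False
        # A counter at or below the last accepted value is a replay.
        if request["atc"] <= self.last_atc.get(request["pan"], 0):
            return False
        expected = hmac.new(key, cryptogram_input(request["pan"], request["amount"],
                                                  request["atc"], request["un"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, request["arqc"]):
            return False
        self.last_atc[request["pan"]] = request["atc"]
        return True


# --- Scenarios --------------------------------------------------------------
def stripe_clone_authorises() -> bool:
    """A skimmed stripe written onto a blank card is accepted just like the original."""
    captured = stripe_swipe(SAMPLE_PAN, SAMPLE_EXPIRY)  # skimmer reads this once
    genuine = stripe_issuer_authorise(captured)
    clone = dict(captured)                              # written onto a blank card
    return genuine and stripe_issuer_authorise(clone)


def chip_replay_outcomes() -> tuple:
    """Returns (genuine, replay at same terminal, replay at other terminal,
    tampered amount with fresh counter, legitimate second transaction)."""
    card = ChipCard(SAMPLE_PAN, SAMPLE_CARD_KEY)
    issuer = ChipIssuer()
    issuer.enrol(card)
    req = card.generate_arqc(amount=2500, un=TERMINAL_UN_1)
    genuine = issuer.authorise(req, TERMINAL_UN_1)
    replay_same = issuer.authorise(dict(req), TERMINAL_UN_1)   # ATC already used
    replay_other = issuer.authorise(dict(req), TERMINAL_UN_2)  # nonce does not match
    tampered = dict(req, amount=1, atc=req["atc"] + 1)          # passes UN/ATC, MAC fails
    altered = issuer.authorise(tampered, TERMINAL_UN_1)
    second = issuer.authorise(card.generate_arqc(amount=999, un=TERMINAL_UN_2), TERMINAL_UN_2)
    return genuine, replay_same, replay_other, altered, second


if __name__ == "__main__":
    print("stripe clone accepted:", stripe_clone_authorises())
    print("chip outcomes:", chip_replay_outcomes())
```

Run it and the stripe clone is accepted while every replayed or altered chip request is refused and only fresh cryptograms pass. Note the limit of what this buys: the chip protects card-present transactions only; where just the PAN and expiry travel, as in card-not-present payments, nothing here applies, and that is the gap tokenisation is aimed at.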

With regard to technology in general, and retail especially, neither the payment method itself nor its security is a core function. Being paid for the goods is. It’s not surprising that “only 51 percent of the Experian/Ponemon respondents agreed that ‘the security of electronic payments is a top priority issue’ for their organizations.” In fact, we suspect the only reason it’s that HIGH is because Experian/Ponemon were talking to payment-system professionals and not to the CEOs.

EMV roll-out in the US was never going to be completed by this October, and even 2020 is doubtful. The reasons are myriad: the expense (which is significant), investment in technologies that are not future-proofed, analysis paralysis over loyalty and value-add services, and a trend toward seeking competitive edge through customer service alone. All of these play a part in a decision that can quite literally make or break an organisation.

A payment, in its simplest terms, is a transfer of value from one place to another. Moving those payments is a multi-trillion €/£/$ industry which has yet to provide the kind of leadership merchants are looking for. In the end the only thing that matters is that the consumer is able to authenticate themselves securely and make the transfers they want, when, where and however they want, and it’s clear that current technology falls short.

EMV and tokenisation are security patches applied while the payments ecosystem transitions to mobile, and delays in implementing either are a direct result of retail’s inability to double its investment in payment acceptance channels, as well as its inability to know which of the technology horses is going to win the race.

[Ed. Written in collaboration with]

Payments Innovation Should NOT be Disruptive!

By now I think everyone has heard the phrase ‘Disruptive Innovation’, defined as “an innovation that helps create a new market and value network, and eventually disrupts an existing market and value network (over a few years or decades), displacing an earlier technology.” This phrase is especially bandied around in payments.

But how many of you have heard the phrase ‘Sustaining Innovation’, which “does not create new markets or value networks but rather only evolves existing ones with better value, allowing the firms within to compete against each other’s sustaining improvements”?

So if you accept that a payment itself is just a way for you to access your stored value (what we call money) at any time and place of your choosing, why is everyone so interested in disrupting the existing payment ecosystem? And by “everyone” I of course mean those who are trying to break into the market, or those trying to wrest even more control for themselves. Non-cash payments work [for the most part], and you have a large degree of faith in your bank’s ability to protect your monetary assets, so do you really want the whole thing to change? Do you even know what it is that you want that’s different from what you have today?

Do things even need to change? Yes, they do. Are there innovations available NOW that make the payments process easier, cheaper and more secure for the consumer? Yes, there are. Can we expect the entire payment industry to throw out everything it has spent billions on over the last few decades, and that is used BY billions, just to make room for every start-up with a good idea? No, we can’t, and that’s the real issue here.

In the last 10 years there have only been two true disruptors in the payments industry: the mobile phone and blockchains (Bitcoin et al), neither of which has achieved anywhere near its full potential. Yet. Not because the technologies are flawed [necessarily], but because the introduction OF the technologies was done poorly. For mobile devices, the payments challenges included the ‘fight’ between NFC and Bluetooth, the numerous options for securing credentials on the device (Secure Elements, Trusted Execution Environments and so on), and the presumed insecurity of the technology overall. For blockchains it was, and still is, the almost complete lack of understanding of how they even work in the first place. I’ve looked into them and I still find the concept nearly incomprehensible.

But even these disruptors need current context, and they represent a fundamental shift from our overly complicated view of payments back to its basics: I go to work to earn value (money), the value gets stored somewhere (a bank), and I access the value when I want it regardless of time or location (a mobile payment). This would suggest that the only disruption we really need is the disintermediation of some of the players. There are simply too many middle-men whose only contribution to the new world of payments will be value erosion. Thank God the Mobile Network Operators (MNOs) are too busy bickering amongst themselves, or this would be even more complicated!

As a consumer who has a very good idea of what he wants to see change, I know that only those who help the payments industry evolve will have a lasting positive impact, and this will only come through collaboration and fair competition.

The greedy can stay home.


On Disabilities In Payments

Have you ever wondered what it would be like to go through life blind? Or with a learning disability? Or perhaps what it will be like when you’re older and your mental acuity is not what it once was?

What must it be like to be almost totally reliant on loved ones, or worse, the honesty and goodwill of complete strangers?

I readily admit these are not thoughts that I have very often, as any disabilities I have relate to my sparkling personality. However, I am now in a position where I HAVE to think about it, and it’s more than a little humbling to see what those with physical or mental challenges have to go through.

For the purposes of this blog, I will restrict myself to issues related to non-cash payments, as that is my skill-set and the limit of my knowledge on the subject of disabilities, and there is more than enough material to fill several posts, let alone this one.

The issues faced today centre on the fact that the only ubiquitous form of non-cash payment is the branded credit/debit card (Visa, Mastercard et al), and both the cards themselves and the infrastructure necessary to accept them are geared almost entirely to those without any sort of disability. In fact, even if you wanted to make changes to the infrastructure, the cost would be prohibitive given both the limited return on investment and the absence of any legislation requiring it.

For example, according to Action for the Blind there are approximately 360,000 people in the UK with ‘sight loss’ (total population ~64M), yet the number of people who can actually read braille is under 20,000. So even card terminals with braille overlays are more for marketing and image purposes than for actually expanding independence. Terminal manufacturers don’t have to spend more, so why would they?

According to Dr. John Gill, one of the UK’s leading experts in the field, the challenges the disabled face with non-cash payments go well beyond sight. The elderly, for example, not only begin to have challenges with vision, but their declining ability to handle abstract concepts, hand tremors and even an aversion to, or fear of, new technology mean that payment innovations will be largely avoided by this group, especially if their individual needs are not built in from the beginning.

I have posited in previous blogs that mobile devices are far better placed to enable cashless payment for those with disabilities, but it’s clear that this will only be the case if considerable thought is put into the challenges from the outset. ‘Consistency of interface’ (Dr. Gill’s primary interest), simplification of the available technologies, and the ability to set individual preferences once and have them honoured across all payment front-ends will all be required before mobile payment is usable by everyone.

Well, almost everyone.

Too many technologies aimed at disabilities are nothing more than smoke and mirrors, and any effort on the part of manufacturers is aimed at demonstrating that they are good corporate citizens. And while there will never be 100% adoption of mobile technology, it represents a significant advance over current systems, which are now in their sixth decade of use.

Payment systems for those with disabilities must be able to address the following or they will simply not be used:

  1. Consistency of Interface – Terminal manufacturers have some standards they need to apply to their devices, but consistency of interface is not one of them. Even as a sighted person, I sometimes have trouble working out where to put my card, where the OK button is, how to add a tip (or not) and so on. However, I CAN read the total; what are the options for those who can’t?
  2. Swiss Army Knife Approach – I love technology and innovation, yet even I use a fraction of the abilities of my phone. The elderly not only use even less, they want to SEE less. The drive is for more and more functionality, but nowhere is there an option for less, and until there is, adoption among the elderly will be limited.
  3. Non-Reliance on Biometrics – You only have to look at payment innovation to see that biometrics will be a major factor; take this ridiculous concept from MasterCard, for example: MasterCard, Zwipe announce fingerprint-sensor card. But what about those with deformities, injuries or mobility issues? Apparently people who work with concrete or pineapples have fingerprint issues, as do those on various forms of chemotherapy. Who knew? Any biometric needs a non-biometric fallback that the cardholder can actually use.
  4. Size of Keypad – Something as simple as this can result in the avoidance of non-cash payments altogether. Combine a small PIN pad with low-contrast fonts and you have just lost a payment.
  5. Learning Disorders / Mental Acuity Challenges – How do current payment technologies handle dyslexia? Or short-term memory loss? Or the onset of dementia? The PIN is about as ubiquitous as the cards it authenticates, yet even this is out of reach for some. But who says the ‘PIN’ has to be numbers? To the system that checks it, a PIN is just a shared secret; it could just as easily be a sequence of pictures of loved ones, or some other individual preference, provided the range of possible choices stays large enough to resist guessing.

Clearly I am only scratching the surface here, and while there is no solution that will ever make everyone happy, there is a LOT more that can be done to make life easier for those with disabilities. Mobile devices are not perfect, but they represent a considerable advantage over current payment technologies in terms of adapting to an individual’s preferences.

All we need is the attention this deserves.


[Note: A very special thank you to Dr. John Gill who was very generous with his time and his guidance. Please see for more on this subject.]

GUEST BLOG: Thoughts From the PCI Trenches

[Ed: I am very pleased to present a guest blog from a good friend of mine. He and I have spent more time in the PCI trenches than either of us would care to admit:]

“I read your blog somewhat religiously and I find myself thinking about my feelings towards PCI both from an assessor and client perspective and moreover as a security professional.

With breaches now on the rise, it is time to reflect a bit: how did we get here? Why are things this way? Is PCI working?

We got here because of money. The almighty dollar (pick your currency). Greed, my friends, has fueled this issue for years and will continue to do so.

Greed by the card brands has pushed them to promote acceptance so wide that the only way anyone even thinks about non-cash payments is with a card. This push for acceptance came in the early 1990’s and continues today. At that time, very little was thought of PCI other than a little fine print that was quietly overlooked until breaches began to result from this push.

At that point, the card brands felt that the public – being sufficiently hooked on the drug of convenience – was finally ready for enforcement of compliance with standards. Shortly thereafter the PCI SSC was born, and the real greed and corruption was to begin.

Below are a few points that have been smoldering quietly in the back of my head that are now demanding to be shared.

  1. Unless it’s my core business, it will never be my core competency. You cannot make merchants into military. They won’t go, they never will, stop trying to make them. Realize this now and move on.
  2. The card brands have created the problem by pushing their acceptance channels as hard as they have, and then attempted to throw security on top of the pile long after the fact. Security first, acceptance of cards later.
  3. The card brands added insult to injury by creating the PCI SSC. This is a self-serving group that dictates a set of documents and charges fees, then completely and utterly fails to enforce its own assessor quality assurance program.
  4. The SSC has, through their actions and inaction, contributed to the creation of a scandalously corrupt cottage industry of PCI QSACs. These companies are selling assessor services for a flat fee and assigning work at a rate of 35 to 45 PCI assessments a year per QSA. This volume is horrific and does not serve the client, or the card brands. The delivery of an appropriate assessment is simply not possible. You can have two of the three, “cheap”, “fast” and “good”, but only two. Cheap and fast does not make for good, yet the SSC has allowed the QSACs to promote and aggressively sell just that.
  5. The SSC has allowed the same QSAC and QSA to assess the same environments year after year creating complacency and further corruption. If you care about compliance, rotate assessors. Assessors make bad calls, and in order to maintain the client, must live with them year after year. Fresh eyes are critical to maintaining integrity.
  6. The card brands have failed to adopt more secure methods of moving funds. The clear text account number adhered to the back of a piece of plastic via technology that rivals that of the 8-track player in my mother’s 1976 Mercury Cougar. This is criminal.

I could go on and on, but the key point remains the same: the card brands are the cause of the problem, and have made it worse by setting up an unrealistic security program rather than focusing on their own flawed methods.

The reality is this: PCI is a way to shift the burden of securing the otherwise insecure from the card brands to the merchants, banks and service providers. God forbid the card brands pick up the tab?

As long as I am ranting, how is it that Moore’s Law drives down the cost of all technology except when it comes to transaction processing?

Will my rant change anything? No, but I do feel a bit better sharing with you all.


Frustrated Assessor”