PSD2: The Race to the Consumer

The following things have been clear for a while:

  1. The three- and four-party models represented by the card schemes are in real danger of being disintermediated as mobile technology advances;
  2. The use of plastic will only begin to fade when consumers have a compelling reason to move; mobile payments alone are insufficient;
  3. Retailers are desperate to engage consumers much earlier in the buying process, as well as for a long time after it;
  4. Identity Management and Authentication will take their rightful place in payments and beyond; and
  5. The average consumer has no idea what they want.

What has NOT been clear [to me anyway] is what will be the impetus for things to actually change, and I never thought it would be a regulation.

But that is exactly what is happening here in the EU. Even a cursory examination of the Payment Services Directive 2 (PSD2) makes it clear that the established order is changing. It has already been adopted by the European Parliament, and adoption by the EU Council of Ministers is only a pending formality. Once published, each of the EU countries has just 2 years to write the Directive into their laws.

If you had to distill the PSD2 into its major players, they would be:

  1. Account Servicing Payment Service Provider (ASPSP) – Usually the banks; these guys will need to open up account data once they have received permission to do so from the consumer.
  2. Account Information Service Providers (AISPs) – Aggregators of data received from ASPSPs.
  3. Payment Initiation Service Providers (PISPs) – Can initiate a payment, but can only provide a ‘Yes’ or ‘No’ in terms of funds availability.

It’s the AISPs that are truly the new guys on the block. Imagine it: a non-bank Third Party Provider (TPP) can, once properly vetted / ‘licensed’, request all the information from all of your banks / financial institutions and display it to you in a single location! The possibilities for money management alone are enormous, but it’s retail that will be the big winner. Well, some retailers.

The reason that retail and TPPs alike should be dribbling at the thought of this is that these centralised ‘Money Managers’ (MMs) are the perfect location to begin the buying process.

You want to buy a TV, so you open your MM app which has already gone through the effort to combine feeds from all of the following:

  1. Retailers – If retailers do not provide feeds of stock, deals, locations, terms and so on, they will not be presented to the consumer as an option
  2. Ratings & Reviews – Few people realise what goes into those 5 stars you see on Amazon and the like, but you’d be surprised how much influence they have
  3. Your Finances – No point looking if you can’t afford it

Then, once you have gone through a nice friendly wizard to narrow down what you are looking for, your MM goes out and looks for the best deal, AND offers you the best payment terms from all of your lenders. And the WAY you pay? What do you care? The MM has already determined the best way and taken care of the details!

Those steps may not sound all that radical, but there are two incredibly important facts here:

1) the holder of your money has become far less relevant, so even the banks themselves are losing the Race to the Consumer, and

2) consumers will stop caring HOW they pay in terms of channel, making every other intermediary in the current payment ecosystem irrelevant.

This is what your money is: a stored value. Why SHOULD you care whether it’s direct debit, standing order, or branded card, as long as it’s the best deal for you? It all comes back to you anyway.

[If you liked this article, please share! Want more like it, subscribe!]

The Next Best Thing to Innovation?

…is the appearance of innovation.

Well, it certainly seems that way: can’t sell services over the Internet? Call them The Cloud. Can’t sell Risk Assessments and Vulnerability Management? Call it Operational Resilience. Can’t sell data management and access control on mobile? Call it BYOD.

When it becomes clear that there is nowhere left to go with your existing product or service, the appearance of innovation seems to be the go-to place for institutions staring down the barrel of obsolescence. Instead of working on their customer service, value-adds, or – God forbid – actually improving their offerings, too many organisations resort to smoke and mirrors to stay competitive.

And the worst part? We let them.

The payments sector is the perfect target for this blog, especially given the fact that I know little else. Take these two examples from the last few months: “There’s a New Way to Pay With a Selfie”, and “TD, MasterCard and Nymi Pilot Heartbeat-Authenticated Contactless Payments”.

Where is the innovation here? We’ve had biometrics for years. The only thing new is the ability to actually bring the biometrics to bear, which is an advance in mobile technology, not payments. The payment itself hasn’t changed; we’re still stuck with the same primary account number (PAN) being used by the same intermediaries (Acquirer, Issuer & Card Scheme), over the same systems we’ve had for decades. Even if you build tokenisation into these systems, the tokens are still mapped to a PAN in the back-end somewhere.

If you accept that a payment is just a transfer of value from one place to another, true innovation must involve the complete disintermediation of almost every player in the current ecosystem except the banks. Sure, there can be service provider intermediaries, but they will be providing true benefits to consumers and banks alike in the fields of identity management / authentication, anti-fraud, customer service, loyalty and reward programs, ratings and reviews, big data analytics and a host of other services of which I can barely conceive.

To be worthy of the term ‘innovative’, any service or product offering must have the following attributes:

  1. Be of practical use, and not just theoretical
  2. Provide long-lasting benefit to all stakeholders
  3. Cannot knowingly stifle or exclude competition

For payments, there are a few more:

  1. Be available to the largest portion of the population possible (including those with disabilities)
  2. Be frictionless to the average consumer, or better yet, invisible
  3. Maintain appropriate confidentiality, integrity and availability of all underlying sensitive data, to meet – or exceed – all current legislation, regulation and best practices

Not one of these things, or even ALL of them at once, should be too much to ask, but it’s never that simple. There will always be those existing players whose power and position can make some of these requirements all but impossible for newcomers. And the newcomers rarely do themselves any favours; disruptive innovation, competitive advantage, and blatant greed all prevent true innovation from reaching the mainstream.

In payments, like most industry sectors, collaboration is the key to significant and beneficial change, and in a market worth tens of TRILLIONS of £/€/$, I would have thought there was enough to go around.


Invisible Payments, Are They Real?

In short, yes, they WILL be, but like everything worthwhile there is a significant cost involved. In this case, the currency will be your identity, and the more invisible you want payments – or any transaction for that matter – to become, the more of your identity you will have to spend. Here, there is a direct correlation between your identity and your privacy.

First, what is an invisible payment? Seeing as Wikipedia hasn’t even got a listing yet, I’ll take a stab at defining what invisible payments are to me:

“A payment can effectively be called invisible when there is limited to no interaction required by the payment initiator (consumer) to complete the authorisation and settlement of a transaction.”

Any fan of Star Trek has seen this in play for decades. When was the last time you saw Captain Kirk reach into his pocket for a 10 spot or a credit card? Did he have to use biometrics or a swipe card to get onto the bridge? Maybe, but we saw none of it, and that’s the point.

Imagine this scenario: you walk into Sainsbury’s and pick up a basket, then walk up and down the aisles choosing your items. Once you have finished shopping, you walk out to your car [optionally] without any further interaction whatsoever.

What was the process?

  1. As you walked in, any number of authentication mechanisms were at play: from smartphone proximity (NFC), to facial and/or gait recognition, to whatever biometric innovation comes next;
  2. Both the shopping carts and the baskets could easily be fitted with fingerprint, vein or hand geometry recognition sensors in order to assign the subsequent basket contents to you;
  3. As you place items in the basket, they are scanned and optionally listed on your mobile device for a running total / loyalty benefits / instant coupons and the like;
  4. Walk through a final scanner into a bagging area, or just go straight to your car; either way your final tally is calculated and the funds directly charged to the payment option of your choice. It’s up to you if you want to authorise the final payment with a PIN and/or biometric on your smartphone; and
  5. Everything you just purchased is now available on your home database for tracking of ingredients for a meal, expiration dates and so on.

While the majority of the technology behind this transaction is more in the realm of the Internet of Things (IoT), the payments aspect is an extremely simple form of Identity Management on smartphones. What’s more, all of this technology is available today; the only thing missing is the demand.

There will be 2 extreme camps on the above scenario: 1) “Where do I sign up!?” and 2) “Never in a million years!”

Most of us will be somewhere nearer the middle, and it should be clear that the further you get into the ‘sign-up’ camp, the more of yourself you have had to share. When it comes to invisible payments – and IoT for that matter – the convenience described above comes at a cost to your privacy. And until security catches up with technological innovation, that cost is seen by most to be too high.

That’s the demand I mentioned above, and while scenarios like this will be commonplace one day, we’re not quite there yet.


No, Passwords are NOT Dead, and No, Biometrics is NOT the Answer!

The title is already too long, but what it should have said was; “No, [all] Passwords are NOT Dead, and No, Biometrics [by itself] is NOT the Answer!”

Passwords represent one of only 3 factors in authentication (the something you know), and to get rid of them, when they are already so established, in favour of another single factor (the something you are, represented by biometrics) is wrong to the point of being irresponsible.

In one of my previous articles related to biometrics hype, subtly titled “Anyone Else Getting Sick of Biometrics Hype?”, I made it clear that I am actually a fan of biometrics. I went as far as to say: “…they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management…”. But what I cannot accept, and will rail against until I’m blue in the face, is those shamelessly trying to make biometrics the only player in town.

Somehow my enormous blog following of 99 (including family) has so far been unable to effect the changes the industry so desperately needs. But this is not the first time blatant self-interest has made matters worse for everyone: the battle over NFC delayed its useful implementation for years, the on-going battle for loyalty / reward programs means there are tens of thousands of them (most of little use to the end consumer), and having a different adaptor for almost every device we own (even if you only have Apple!) annoys me endlessly.

Biometrics vendors are now firmly in this illustrious group, and it’s all so unnecessary.

However, there are a lot of organisations out there trying to do the right thing, those whose mission is to ease the transition of the payments space from cash / paper / plastic to digital, and who recognise that no ONE organisation has all the answers. Passwords are not the answer, biometrics are not the answer, hardware devices are not the answer; it’s a combination of ALL of these things, and all the things to come, that will get us to where we need to be. Those prepared to collaborate, to be part of the solution instead of being the problem, will all get a piece of a much larger pie. If they can prove their merit.

The worst part of it is that the ‘problem’ biometrics vendors are trying to solve has been created mostly by them! Yes, a lot of people want digital payments to be easy, or ‘frictionless’ (as the current buzz-phrase goes), but the vast majority of people are not concerned about passwords, they just change them; nor are they concerned about cashless payments: what’s wrong with their credit cards? While there is no question that payments will transition from plastic to mobile, it will be a long transition, and there is no room for disruptive innovation in this space.

I of course blame Apple for this; Apple Pay has driven an increase in interest in biometrics that has every vendor clamouring to monetise before the interest dries up. And dry up it will, IF they continue along the current course. Biometrics by itself does not solve the security challenges, but if vendors embraced collaboration with all the other forms of authentication (including passwords), they would cement their future in a far more positive place.


Vision Statement, and Guiding Principles

First, an admission: this is NOT all about Fraud, it’s about data security in general …very general. I chose ‘Fraud’ because every spell check I’ve ever used autocorrects my name to it, people even pronounce my name as it, and it’s considerably more catchy than ‘Froud on Data Loss Risk Mitigation in Line With Business Goals’, which is actually more accurate.

My vision for this blog is: “To translate security concepts into a language usable by the business.” In other words, to simplify its application to help businesses grow responsibly.

The security industry is fast becoming as complex and specialised as the law, making the business-saving techniques it can provide inaccessible to the people and organisations who need them the most. While this is good for the security professional, and the bad guys, it’s not good for the businesses struggling to keep everyone’s data safe.

The best analogy I’ve heard is [paraphrased]: “Why do cars have brakes?” The answer: “So you can go faster.”

While paradoxical, it’s absolutely true, and the perfect analogy for how security is perceived. The security professional is not there to stop the business from doing something; they are there to help the business do something properly. Too often security is compared to buying insurance: you don’t want to spend the money, but you know you have to. The true benefits of security are then lost.

This blog will attempt to bring to light as many of the latest security misconceptions and hot topics as possible, and put them into a manageable perspective. This will include PCI, the EU Data Privacy Directive, BYOD, Cloud, Big Data and so on.

While I am an inch deep and a mile wide in my approach, I will bring to bear others’ far more profound knowledge on these and other subjects, so that the end consensus is not driven by my own [far from] humble opinions. I will moderate, and translate; I will not dictate.

The forum will only be as successful as the input from you, the audience, so I will also be posting ‘Guest Blogs’ to keep things interesting, and to delay the day when you all realise I have no idea what I’m talking about.

I am composing a Glossary of Terms so that we can all speak the same language. Security professionals all seem to derive tremendous pleasure from coining a new phrase, or the next ubiquitous acronym, but all this does is confuse. We all need to start dealing with concepts, not labels, or our message will either be lost, or worse, misinterpreted.

And finally, in words attributed to Aristotle, “Those who can, do. Those who understand, teach.” It is our duty as security professionals to show our clients HOW we do what we do, and not to just do it for them; only then can we ever truly call ourselves trusted advisors.

I welcome any and all feedback, comments and suggestions, so please be as active as your time allows.