What Will 2016 Be “The Year Of” In Payments?

I guess it’s quite prophetic that 2016 is the Chinese Year of the Monkey, though I suspect that the Year of the Headless Chicken will be a little more accurate.

Every year, someone either predicts a ‘Year of x’, or claims that the previous year was ‘The Year of y’, and usually it’s the very organisations with a direct vested interest in the technology in question. 2015 was the Year of Biometrics, 2014 was the Year of Encryption, and so on.

Thankfully the financial industry at large took a step back and put these, and many other technologies, into an appropriate perspective. Mostly. Especially biometrics, where numerous vendors were dribbling all over themselves when Apple Pay finally hit the mainstream. We heard cries of “The password is dead!” and “Biometrics is the future of authentication!”, all of which was utter nonsense in light of the Payment Services Directive 2 (PSD2).

Yes, many banks have invested significant sums in biometrics (usually to enhance their mobile banking app security), and no, these investments will not be wasted, but from what I’ve seen most of them have missed the point; that authentication is just a temporary means to an end.

The result is that those hell-bent on disruption will fail without collaboration, those with a single authentication technology will fail without partnerships in a multi-factor solution, and those interested only in keeping things the same will be left behind. The only hope of achieving a balance between all of these things is to ask the only stakeholders who have no idea what they want;

The consumer.

Even after a few years of dramatic changes and innovation in payments, what everyone seems to have missed – or at least underestimated – is that payments (or finance in general) is far too complex for the average consumer to understand. In my opinion it’s been made too complex to even be sustainable, especially when you consider that the concept of a payment is actually very simple; I have a value stored here, and I want to transfer it over there in exchange for a product or service. HOW that happens should not be the consumer’s concern, only the security and efficiency of that transaction should.

I have no problem paying my bank to protect my stored value (i.e. money), as long as it’s reasonable. I have no problem paying someone to protect (and accept liability for) the transfer of that money somewhere else, as long as it’s reasonable. What I DO object to is the numerous intermediaries in the current system who not only make the process expensive, but ridiculously slow and inefficient.

But what I really want is for payments to go away entirely, at least from my perspective as a consumer. I want the HOW of the payment to be handled in the background, and the decision made by a trusted third party who found the best all-round deal for the product/service of my choosing. Whether that’s finding a plumber, or shopping for groceries, the only innovations I care about are ones that take care of the things I hate doing; like filling out online payment forms, or lining up in Sainsbury’s to pay for a pint of milk.

So, in truth, 2016 will likely be the Year of Nothing Much Happened. Truly beneficial change will take a long time, and while the pieces necessary for innovation are already available, getting all of the stakeholders to agree on the way forward will extend way beyond this year, and likely next.

I’m hoping that 2016 will actually be the Year of Getting the Future-State Plan Right, but I somehow doubt it.

Froud on Fraud: Top 5 Predictions for 2016

If I was any good at predicting the future, I would be writing this from my yacht in the Caribbean, and not from my kitchen in Southwest London. That said, I do get to work mostly from home, so maybe I’m doing something right.

While my predictions for 2016 will necessarily be as narrow as my field of expertise, there is a lot going on that will eventually change the way everyone performs many of their daily functions. Probably not this year, and maybe not within the next 5, but once they DO begin to change, there will be no looking back. This is a good thing, and well past its time.

Prediction 1: Identity Management will begin to replace single-factor authentication

ANY single form of authentication is inadequate, and even multi-factor and multi-mode authentication is of limited use. For the Internet of Things, payments, or any other transaction to take place securely and accurately in the future, identities must be seamlessly and mutually introduced. Authentication only provides the what-of-you (and usually only in one direction), not the who-of-you, and the full function of ‘distributed transactions’ (i.e. mobile based) requires both.

Prediction 2: Identity Management will be decentralised onto consumer mobile devices

As a corollary of prediction 1, the control of identities and authentication will decentralise from individual credential stores (user databases) to APIs and/or blockchain-esque distributed ledgers that create authentication and identity mechanisms on-the-fly. The level of information provided will be agreed and controlled by the consumer prior to any transaction taking place, and must be mutually assured, i.e. the receiver of the authentication must themselves authenticate, unlike almost all e-commerce today.

Prediction 3: HOW you pay will become increasingly irrelevant

You have a value in the bank you want to spend, and you should not have to care HOW you get to that value as long as you are getting the best deal to do so. Third Party ‘Money Management’ Services, APIs, and even regulations like the Payment Services Directive 2 (PSD2) here in the EU are forcing traditional financial institutions to open their books. You’ll open ONE application, regardless of which retail store you’re in, comparison shop against price and ratings, and your app will choose not only the best price and rewards, but the best WAY to pay, all behind the scenes. Credit / debit / direct debit will mean little to you, nor should it; the only thing that matters is that we will eventually stop paying the price of plastic.

Prediction 4: Value-Add Services and Customer Service will be the only differentiators

With the enormous competition available to the global economy, price and quality will have little impact on the purchase decisions you make; they will be much the same. Brand loyalty (even if this exists in the future) will instead be driven by the services provided around the products you want; from instant coupons, to ratings and reviews, to reward and loyalty choices, to availability and payment terms, these will be made available instantly in a multi-function app (much like, or even the same as, prediction 3) for consumers to make an educated choice of vendor. But the Customer Service provided throughout the entire consumer journey will be the ultimate differentiator, and any vendor not treating their customer like royalty will be out of the game, regardless of everything they may do well.

Incidentally, this is also why mobile payments have yet to reach anything like their true potential; they are no better than the plastic they will replace.

Prediction 5: Loyalty Programs will begin to centralise

I think we can all agree that there are simply too many loyalty and reward programs out there. Every coffee shop, retailer, airline and hotel has its own points scheme, few of which are interchangeable. How many points would you say you have floating around out there that you will likely never use? It just makes sense that the single app provider (per predictions 3 and 4) will begin centralising and normalising any point scheme available. This will be very difficult, but will be the differentiator in which app provider consumers choose.

While these may seem very narrow in focus, perhaps even of little relevance to the ‘masses’, the payments industry alone is a multi-TRILLION £/$/€ industry and the opportunities for innovation and/or investment almost limitless. We already have the device upon which all of these future trends will rely; all we need now are the APIs and Third Party Providers to bring it all together.

Unfortunately we still equate our value with money, and have done for millennia. Money itself is irrelevant; you work in order to obtain the things you need to survive / be happy, so HOW that transaction is effected should be irrelevant. The above predictions should get us back on track.

Technology and even regulation are pushing simplification down to the consumer, and this can only be a good thing.

Done correctly…

The Investigatory Power Bill, Why Are We So Nervous?

This will be my first blog where I am going to a) plead ignorance; b) ask for your input, and c) actually listen to someone else’s opinion (potentially).

I have just spent all day today going over parts of The Investigatory Powers Bill (IPB), the Regulation of Investigatory Powers Act (RIPA) of 2000, as well as listening to Theresa May’s statement on Parliamentlive.tv, all in an effort to find SOME evidence that it could “…allow Government to ban end-to-end encryption, technology powering iMessage and WhatsApp“.

OK, so that’s just according to The Independent, but The Guardian has their “Investigatory powers bill: snooper’s charter to remain firmly in place”, The Telegraph has their “Internet firms to be banned from offering unbreakable encryption under new laws” and so on.

All I could find in the IPB was this;

189 – Maintenance of technical capability

(4) The obligations that may be imposed by regulations under this section include, among other things—

(c) obligations relating to the removal of electronic protection applied by a relevant operator to any communications or data;

(e) obligations relating to the handling or disclosure of any material or data.

…as well as a reference to encryption as it related to RIPA, which states;

21 – Lawful acquisition and disclosure of communications data.

(4) In this Chapter “communications data” means any of the following—

(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

So, first my ignorance; I do not speak Governmental legalese, so I have no idea if the vagueness of this is just a way of saying ‘we can do anything we want’, or an established-by-precedent way of saying ‘this is all we can do’.

I have also not read the whole thing; it’s 300 pages long and makes the PCI DSS look like the last Harry Potter book.

Which brings me to the second part; your input. There will be those who have read not only the IPB, but the RIPA, the Communications Data Bill of 2012, as well as the Data Retention and Investigatory Powers Act of 2014. You also are likely to fall [mostly] into one of only two categories; for, and against.

I would love to hear reasoned thoughts from both, or at least point me to an unbiased Cliff Note version of each!

Finally, listening to someone else’s opinion; anyone who has been nice / bored enough to read my blogs over the last 2.5 years will not have read even one where I was in any way unsure of my opinion / stance. Even when it comes to security (what’s the font for sarcasm?).

In this case, I am 100% on the fence (mostly because of a) above), but partially because any talk of ‘investigatory powers’ or ‘interception of communications’ will have significant impact on privacy, and on the implementation of my real interest; Identity Management.

While my thoughts on privacy itself are public record, the impact these Governmental powers will have on putting true Identity Management into effect is far from clear to me. There will be no secure mobile payments, no Internet of Things, and no hiding from your wife if there is something in the middle capable of ‘reading’ my communications. Not because I don’t trust the Government, but because anything THEY have access to will eventually be available to the bad guys.

We work within established rules of decency, they don’t (the bad guys that is).

Basically, please help, all comments / thoughts welcomed.

Biometrics vs. Passwords: A Fight No-One Can Win

Thanks to Apple Pay, then Samsung Pay, biometrics companies have seen a tremendous surge in consumer interest, to the point where they are now falling over themselves trying to be seen as the authentication standard that replaces the password.

No doubt the numerous breaches that were apparently the result of weak password authentication will have these same companies in a feeding-frenzy of finger-pointing and I-told-you-sos. This is more than a little inappropriate, as biometrics not only has some of the same weaknesses, it adds layers of complexity and risk far above those to which passwords are exposed: at least you can change a password.

If you take 1800s transportation as an analogy, the answer was not to breed faster and stronger horses. You repurposed what you had (including the horses), coordinated a huge array of other industries and innovations, and worked TOGETHER to build something exponentially better.

Authentication now finds itself at a crossroads, and like most things in the Digital Age, there is no one right answer. The only certainty is that it will be the mobile devices that will be at the center of taking payments and authentication innovations to the mainstream. If you can’t put your authentication mechanism on a smartphone it simply won’t be adopted.

One answer which is simple, and brings the benefit of using both passwords (in the form of customer PIN) AND biometrics (in all its forms) is now available. No single factor of authentication is enough, and each one has its strengths and weaknesses. By combining multiple factors, you not only negate the limitations of each, you ensure that security is significantly more robust. The whole, in this case, is much greater than the sum of the parts.

The longer the password is, and the more of them you have, the more difficult it becomes to keep track. But the simpler the password, the easier it is to crack. Biometrics is relatively more convenient, but is prone to false positives, and once known from a physical perspective, can never be changed. So each factor is not ideal by itself, but combining a simple password, like a PIN, with biometrics, device registration and geo-location, presents a much more resilient hurdle.

We believe that poor design can lead to overly complicated solutions, and authentication mechanisms are no exception. Making a payment should actually be simple, as it’s just a transfer of value from one place to another; it’s the fact that we have MADE them complicated that makes them insecure.

The average consumer is used to entering a PIN or a password and their smartphones should now be able to take care of the rest in a way that they hardly even notice it happening. Only in this way can we achieve the security we need, with the convenience required to make implementation practical.

For the payments sector to build the next generation of consumer solutions, individual vendors need to stop focusing on themselves and be more collaborative.

[Ed. Written in collaboration with www.myPINpad.com]

Invisible Payments, Are They Real?

In short, yes, they WILL be, but like everything worthwhile there is a significant cost involved. In this case, the currency will be your identity, and the more invisible you want payments – or any transaction for that matter – to become, the more of your identity you will have to spend. In this case, there is a direct correlation between your identity, and your privacy.

First, what is an invisible payment? Seeing as Wikipedia hasn’t even got a listing yet, I’ll take a stab at defining what invisible payments are to me;

“A payment can effectively be called invisible when there is limited to no interaction required by the payment initiator (consumer) to complete the authorisation and settlement of a transaction.”

Any fan of Star Trek has seen this in play for decades. When was the last time you saw Captain Kirk reach into his pocket for a 10 spot or a credit card? Did he have to use biometrics or a swipe card to get onto the bridge? Maybe, but we saw none of it, and that’s the point.

Imagine this scenario: You walk into Sainsbury’s and pick up a basket, then walk up and down the aisles choosing your items. Once you have finished shopping, you walk out to your car [optionally] without any further interaction whatsoever.

What was the process?

  1. As you walked in, any number of authentication mechanisms were at play; from smartphone proximity (NFC), to facial and/or gait recognition, to whatever biometric innovation comes next;
  2. Both the shopping carts and the baskets could easily be fitted with fingerprint, vein, or hand geometry recognition sensors in order to assign the subsequent basket contents to you;
  3. As you place items in the basket, they are scanned and optionally listed on your mobile device for a running total / loyalty benefits / instant coupons and the like;
  4. Walk through a final scanner into a bagging area, or just go straight to your car, either way your final tally is calculated and the funds directly charged to the payment option of choice. It’s up to you if you want to authorise the final payment with a PIN number and/or biometric on your smartphone; and
  5. Everything you just purchased is now available on your home database for tracking of ingredients for a meal, expiration dates and so on.

While the majority of the technology behind this transaction is more in the realm of the Internet of Things (IoT), the payments aspect is an extremely simple form of Identity Management on smartphones. What’s more, all of this technology is available today, the only thing missing is the demand.

There will be 2 extreme camps to the above scenario; 1) Where do I sign-up!? and 2) Never in a million years!

Most of us will be somewhere nearer the middle, and it should be clear that the further you get into the ‘sign-up’ camp the more of yourself you have had to share. When it comes to invisible payments – and IoT for that matter – the convenience described above came at a cost to your privacy. And until security catches up with technological innovation, that cost is seen by most to be too high.

That’s the demand I mentioned above, and while scenarios like this will be commonplace one day, we’re not quite there yet.
