Almost four YEARS ago I wrote Software PIN, the Rosetta Stone of Future Payments, then just over a year later I wrote Mobile Authentication: Exceeding Card Present Security?
Just this month the SSC finally came out with their Software-Based PIN Entry on COTS Security Requirements v1.0.
[Ed. While I don’t have to wonder why PIN was my primary focus, I can see how pointless it was …almost. It just makes the delay on this standard that much more inexcusable.]
On with the story… Software PIN is more commonly referred to as PIN-on-Mobile (or the catchier PIN-on-Glass), and is the ‘game-changing’ technology that will “enable merchants to accept PIN-based payments with the PIN entered on a commercial off-the-shelf device, such as a consumer-grade mobile phone or tablet.”
What has taken them so long to make what – from my jaded perspective – is the only move that will delay their inevitable demise? It’s not like there was some miraculous innovation in mobile or encryption technology in the last couple of years! Every requirement in the standard was available/achievable long before I even wrote my blogs. As were viable solutions for that matter.
I suspect there are lots of reasons why they were so slow, but chief amongst these has to be their complete inability to adapt to the fast-paced innovation rampant in the FinTech industry, especially given their hopelessly antiquated technology. It’s only their global adoption and sheer ubiquity that keeps them where they are. I blame the banks too; for them, change means acceptance of liability.
Come to think of it, what an amazing coincidence that PSD2 – the biggest nail in the payment card’s coffin since …well ever, came out this month as well. Weird huh?
As far as I am concerned, PIN-on-Mobile was the card brand’s last hold-out, now they’re done. Hopefully between the XYZ-Pays (ApplePay, SamsungPay etc.) and now the entry of cardholder PIN on [almost] any CoTS device, big merchants / retail associations will finally have the balls to stand up for themselves.
How many millions have they spent in the US on EMV terminals just to find out a few years later that it was not only entirely unnecessary, but that they’re now tied into an investment that will leave them lagging behind the competitors who were slower off the EMV block?
I know that’s harsh, and we really have no right to judge. Have any of the following questions ever occurred to you?
- If I can use my phone to pay for something, why do I have to tie that payment to a branded card?
- With all of the security requirements required for the entry of a software PIN, why the Hell do I still have to use one? In other words, if it’s that bloody difficult to secure it, why not use something else?
- Isn’t there a better way!?
If you’re like the majority of the population, these questions are more like:
- Why doesn’t MY bank support this?! (looking at YOU Barclay Business!), or more commonly: why would I use this service when I have a piece of plastic?
- What’s wrong with PIN? and
The fact is that the lion’s share of the cashless transactions globally are performed by those who have never known a time before payment cards. We simply can’t imagine anything else and we don’t even notice their inconvenience. We also don’t see the costs imposed by the middlemen.
But let me ask you this: would you ever go back to using a feature phone? I’ll [almost] guarantee that you had no idea what features you wanted in a phone until you used a smartphone for the first time. And now you can’t live without it. Hell, most of us can’t even put the damned things down!
The same thing WILL happen to payments, but not until consumer indifference is overcome by something shiny and new.
Frankly this blog is boring even to me, and I really have nothing more to say about payment innovation that I have not already said a hundred times. But I simply can’t let anything so patently meaningless as PIN on Mobile go unanswered.
Innovation my arse.
[If you liked this article, please share! Want more like it, subscribe!]
On 12 January 2016, the revised Payment Services Directive (EU) 2015/2366 entered into force in the European Union, and will apply from 13 January 2018.
Anyone know what ‘apply’ means in this context?
On August 12th, the European Banking Authority (EBA) released its Consultation Paper “On the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2”. There have been many articles since then trying to explain what it means; at best these are educated guesses.
All other RTSs and Guidelines entrusted to the EBA won’t be available until January 2018 (the Classification of Major Incidents, for example).
So, given that the FCA is the UK’s ‘competent authority’ for PSD2, it’s surprising – and more than a little disappointing – that it has so far provided zero guidance, and won’t until sometime in 2017.
For example, the most pressing questions are:
- If January 13, 2018 is the date when PSD2 will ‘apply’, does that mean that’s when Account Servicing Payment Service providers (ASPSPs) have to make “at least one communication interface enabling secure communication” available? Or do they have until October 2018 at the very earliest (per the Consultation Paper)?
- What happens to ASPSPs if they aren’t ready? Are there penalties?
- When will the FCA begin the certification process for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs)?
- Do ASPSPs already qualify as AISPs and PISPs if they currently perform these functions?
- Does the FCA have final say in liability?
I was fortunate enough to give a series of PSD2 presentations last week to a large ASPSP, and it was clear that there is significant confusion and frustration surrounding it. I know the legal teams of the larger organisations will already be lobbying the FCA, but I think it’s about time some of these conversations get translated and filtered down to the masses.
Of the 50 people I trained in those 3 days:
- PSD2 knowledge was very low;
- so far they had received little guidance from senior leadership;
- 85% were more scared than optimistic;
- only 10% saw any opportunity for their organisation, the rest saw their jobs threatened;
- almost all saw PSD2 primarily as a force for disintermediation of the card schemes, acquirers and issuers.
Clearly this organisation is not alone, and all the planning in the world will do nothing without a goal in mind. What will PSD2 look like in 2018? What can organisations do NOW without definitive guidance? Is there really enough information out there to warrant investment at this stage?
No organisation wants to invest in business transformation without two things: 1) a clear opportunity for doing so, and 2) clear guidance from the competent authority. Also, no organisation wants to be first while there is so much uncertainty, but no organisation wants to be last either. The advantage in this respect is clearly with the new entrants in the market, not the incumbents.
All that said, wishful thinking is going to get us nowhere. The FCA will jump in only when they are good and ready; it’s up to us to do what we can in the meantime.
Here’s what senior leadership at ASPSPs could be doing:
- Ensure the conversations between the legal teams and the FCA are filtered down to all staff – if you’re not having these conversations with the FCA, you must start;
- Set up a task force to examine opportunities related to Access to Information (XS2A) – you’ll have to give your customers’ information away for free, so don’t you want the same from your customers’ other ASPSPs?;
- Set up a task force to examine opportunities related to innovation in payments – like it or not, existing payment channels will see significant competition. Don’t be Kodak, or Blockbuster, or IBM…;
- Set up training opportunities for as many staff as possible, in-house or 3rd party – uncertainty kills motivation, and you cannot let this turn into fear; and
- Take a long hard look at your mobile apps and APIs; these things will have a very significant impact down the road – you cannot be left behind where customer convenience is concerned.
The time to prepare is now, the time to panic is a long way off. This may sound strange given everything I’ve written up to this point, but look at it this way:
- Innovation in payments will only be relevant when consumers ask for it – just look how little impact Apple Pay and the like have had. Why would they, when they are no more convenient or value-add than the plastic they are trying to replace?
- Regardless of the January 2018 date, you have years before current payment methods begin their inevitable decline – make smart choices, not choices based on perceived deadlines.
- Your customers are yours to lose – YOU have the existing relationship with your customer, and new entrants in the game will be at a significant disadvantage. Unless you do nothing.
PSD2 is a good thing for consumers; it’s really up to ASPSPs whether the benefit is mutual.
In a recent CSO Online article, “The National Retail Federation is dead wrong about PCI”, the author made, in my opinion, one of the most reprehensible defences of PCI I’ve ever seen. Even the SSC have not been so bold as to make these kinds of off-the-mark and clearly self-serving assertions.
After an innocuous two-paragraph preamble, the author(s) state:
“Despite NRF assertions to the contrary, the payment card industry has asserted that their card security standards are voluntary. Merchants have a definite choice if they want to accept credit and debit cards or not. It’s quite safe to say if retail establishments couldn’t accept payment cards; most would see massive sales reductions, and a large number would simply go out of business.”
How can he possibly say that merchants have a choice, when he says it himself that most would see “massive sales reductions”!? Call that a choice!? That’s right up there with ‘face or gut?’!
The fact remains that the card brands STILL have merchants by the short-and-curlies when it comes to non-cash payments. You only have to look at the anti-competition or unfair business practice suits that card brands have had to fight over the years to see how distasteful their business practices are perceived to be.
And quite frankly, this all shows a complete lack of understanding of the NRF’s main issue: they don’t CARE how they receive payment; payments are NOT core to their business. Being paid for their products / services is.
The author goes on to say:
“Given the significance of payment cards, we would have expected the NRF to be at the forefront of PCI advocacy and compliance. Yet the reality is that they have an extremely disdainful view towards PCI.”
Seriously? Ask me to pick up the cost of fixing your crappy service and I’ll be equally ‘disdainful’. Sod that, I’d be thoroughly pissed-off, but I still wouldn’t have a choice, not if I wanted to stay in business.
The NRF have every right to expect the card brands to do something more appropriate: THEY are the ones providing the service, and THEY (and their associated middle-men) are the ones who’ve made billions through merchant transactions over the course of 50+ years.
But it’s the merchants who are paying the interchange rates. And it’s the merchants who have to spend billions on infrastructure that does absolutely NOTHING to help them improve their customers’ shopping experience.
Guess who pays for this in the end? Yep, us, the consumers.
As I have written (or at least alluded to) many times in the past, the very technology behind payment cards is past its usefulness. Anyone trying to prolong this ancient, inherently insecure, and zero-value-add technology clearly has a vested interest in doing so. Card Brands, Issuers, Acquirers, Payment Service Providers (PSPs), and Terminal Manufacturers are obvious stakeholders. However, QSA companies also exist to a large degree on the budgets that PCI compliance extorts. Call them PCI War Profiteers if you wish; I’ve heard worse, and I have also benefited.
In the card brands’ defence, they have done a truly astonishing job over the course of 5 decades in bringing trust into non-cash payments. That’s what their logos are: a symbol of trust. The next generation of payment providers owe them an enormous debt of gratitude. That said, we didn’t keep horses around because we felt sorry for the farriers; we jumped head first into the automobile.
Mobile phones are now more ubiquitous, and can be infinitely more secure and ‘value-add’ than branded plastic (even while tokenised in ‘[X] Pay’ services). All we need now is for the banks to get their acts together and provide the trust, and there will be little need for the innumerable middle-men.
Which brings me to my final point on the article: yes, the NRF and all other retail associations have the right to be angry, but they have done next to nothing to help themselves. They played a game whose rules were set by the card brands and used none of their extraordinary power and influence to tip the balance in their favour.
For example, I have estimated that the Top 10 retailers in the US alone account for almost 1 TRILLION USD in branded transactions. If we assume an average of 1.75% interchange, that’s 1.75 BILLION in fees the retailers have paid to ‘middle-men’. How much influence would you exert over those middle-men if it was your business?
So in summary:
QSA Companies: keep your opinions of retail to yourselves; your self-serving diatribes are inappropriate. Serve your clients, don’t brown-nose the brands.
Card Schemes/Issuers/Acquirers: use your incredible knowledge and combined talent-pool to lead the way in the removal of plastic, and therefore the need for PCI. It’s time to move on.
Retailers: put aside your differences, stop bitching to the wrong people in the wrong way, and do something useful with your power. Focus on what you WANT, not what you DON’T want.
All of this boils down to one thing; what do consumers want? Most have no idea, but I do, as do thousands of others like me. Ask us.
…and it had better not involve yet another piece of plastic.
I guess it’s quite prophetic that 2016 is the Chinese Year of the Monkey, though I suspect that the Year of the Headless Chicken will be a little more accurate.
Every year, someone either predicts a ‘Year of x‘, or claims that the previous year was ‘The Year of y‘, and usually it’s the very organisations with a direct vested interest in the technology in question. 2015 was the Year of Biometrics, 2014 was the Year of Encryption, and so on.
Thankfully the financial industry at large took a step back and put these, and many other technologies, into an appropriate perspective. Mostly. Especially biometrics, where numerous vendors were dribbling all over themselves when Apple Pay finally hit the mainstream. We heard cries of “The password is dead!” and “Biometrics is the future of authentication!”, all of which was utter nonsense in light of the Payment Services Directive 2 (PSD2).
Yes, many banks have invested significant sums in biometrics (usually to enhance their mobile banking app security), and no, these investments will not be wasted, but from what I’ve seen most of them have missed the point: authentication is just a temporary means to an end.
The result is that those Hell bent on disruption will fail without collaboration, those with a single authentication technology will fail without partnerships in a multi-factor solution, and those interested only in keeping things the same will be left behind. The only hope of achieving a balance between all of these things is to ask the only stakeholders who have no idea what they want;
Even after a few years of dramatic changes and innovation in payments, what everyone seems to have missed – or at least underestimated – is that payments (or finance in general) are far too complex for the average consumer to understand. In my opinion they’ve been made too complex to even be sustainable, especially when you consider that the concept of a payment is actually very simple: I have a value stored here, and I want to transfer it over there in exchange for a product or service. HOW that happens should not be the consumer’s concern; only the security and efficiency of that transaction should be.
I have no problem paying my bank to protect my stored value (i.e. money), as long as it’s reasonable. I have no problem paying someone to protect (and accept liability for) the transfer of that money somewhere else, as long as it’s reasonable. What I DO object to is the numerous intermediaries in the current system who not only make the process expensive, but ridiculously slow and inefficient.
But what I really want is for payments to go away entirely, at least from my perspective as a consumer. I want the HOW of the payment to be handled in the background, and the decision made by a trusted third party who has found the best all-round deal for the product/service of my choosing. Whether that’s finding a plumber or shopping for groceries, the only innovations I care about are the ones that take care of the things I hate doing, like filling out online payment forms or lining up in Sainsbury’s to pay for a pint of milk.
So, in truth, 2016 will likely be the Year of Nothing Much Happened. Truly beneficial change will take a long time, and while the pieces necessary for innovation are already available, getting all of the stakeholders to agree on the way forward will extend way beyond this year, and likely next.
I’m hoping that 2016 will actually be the Year of Getting the Future-State Plan Right, but I somehow doubt it.