On Disabilities In Payments

Have you ever wondered what it would be like to go through life blind? Or with a learning disability? Or perhaps what it will be like when you’re older and your mental acuity is not what it once was?

What must it be like to be almost totally reliant on loved ones, or worse, the honesty and goodwill of complete strangers?

I readily admit, these are not thoughts that I have very often, as any disabilities I have relate to my sparkling personality. However, I am now in a position to HAVE to think about it and it’s more than a little humbling to see what those with physical or mental challenges have to go through.

For the purposes of this blog, I will restrict myself to issues related to non-cash payments, as that is my skill-set and the limit of my knowledge on the subject of disabilities, and there is more than enough material there to fill several blogs, let alone this one.

The issues faced today centre on the fact that the only ubiquitous form of non-cash payment is the branded credit / debit card (Visa, Mastercard et al), and both the cards themselves and the infrastructure necessary to accept them are geared almost entirely to those without any sort of disability. In fact, even if you wanted to make changes to the infrastructure, the cost would be entirely prohibitive given both the limited return on investment and the absence of any legislation requiring it.

For example, according to Action for the Blind there are approximately 360,000 people in the UK with ‘sight loss’ (total population ~64M), yet the number of people who can actually read braille is under 20,000. So even card terminals with braille overlays are more for marketing / image purposes than a genuine means of expanding independence. Terminal manufacturers don’t have to spend more, so why would they?

According to Dr. John Gill, one of the UK’s leading experts in the field of disabilities, the challenges for the disabled related to non-cash payments go way beyond issues with sight. The elderly, for example, not only begin to have challenges with vision, but their declining ability to handle abstract concepts, hand tremors and even an aversion to / fear of new technology mean that payment innovations will be largely avoided by this group, especially if their individual needs are not built in from the beginning.

I have posited in previous blogs that mobile devices are far better placed to enable cashless payment for those with disabilities, but it’s clear that this will only be the case if considerable thought is put into the challenges from the outset. ‘Consistency of Interface’ (Dr. Gill’s primary interest), simplification of available technologies, and the setting of individual preferences across all payment front-ends will all be required before mobile payment technologies are usable by everyone.

Well, almost everyone.

Too many technologies aimed at disabilities are nothing more than smoke-and-mirrors, and any effort on the part of manufacturers is aimed at demonstrating that they are good citizens. And while there can never be 100% adoption of mobile technology, it represents a significant advance over current systems, which are now in their 6th decade of use.

Payment systems for those with disabilities must be able to address the following or they will simply not be used:

  1. Consistency of Interface – Terminal manufacturers have some standards they need to apply to their devices, but consistency of interface is not one of them. Even as a sighted person, I sometimes have an issue with where to put my card, where the OK button is, how to apply a tip (or not) and so on. However, I CAN read the total; what are the options for those who can’t?
  2. Swiss Army Knife Approach – I love technology and innovation, yet even I use a fraction of the abilities of my phone. The elderly not only use even less, they want to SEE less available. The drive is for more and more functionality, but nowhere is there an option for less, and until there is, adoption among the elderly will be limited.
  3. Non Reliance on Biometrics – You just have to look at payment innovation to see that biometrics will be a major factor. Take this ridiculous concept from MasterCard, for example: MasterCard, Zwipe announce fingerprint-sensor card. But what about those with deformities, injuries, mobility issues? Apparently people who work with concrete or pineapples have fingerprint issues, as do those on various forms of chemotherapy. Who knew?
  4. Size of Keypad – Something as simple as this can result in the avoidance of non-cash payments. Combine a small PIN pad with low contrast fonts and you have just lost a payment.
  5. Learning Disorders / Mental Acuity Challenges – How do current payment technologies handle dyslexia? Or short-term memory loss? Or the onset of dementia? The use of the PIN is about as ubiquitous as the cards it authenticates, yet even this is out of reach for some. But who says the ‘PIN’ has to be numbers? Couldn’t it just as easily be a picture of loved ones, or some other individual preference?

Clearly I am only scratching the surface here, and while there is no solution that will ever make everyone happy, there is a LOT more that can be done to make life easier for those with disabilities. Mobile devices are not perfect, but they represent a considerable advantage over current payment technologies in terms of adapting preferences to an individual.

All we need is the attention this deserves.


[Note: A very special thank you to Dr. John Gill who was very generous with his time and his guidance. Please see http://www.johngilltech.com for more on this subject.]

GUEST BLOG: Thoughts From the PCI Trenches

[Ed: I am very pleased to present a guest blog from a good friend of mine. He and I have spent more time in the PCI trenches than either of us would care to admit:]

“I read your blog somewhat religiously and I find myself thinking about my feelings towards PCI both from an assessor and client perspective and moreover as a security professional.

With breaches now on the rise, it is time to reflect a bit on how did we get here? Why are things this way? Is PCI working?

We got here because of money. The almighty dollar (pick your currency). Greed, my friends, has fueled this issue for years, and will continue to do so.

Greed by the card brands has pushed them to promote acceptance so widely that the only way anyone even thinks about non-cash payments is with a card. This push for acceptance came in the early 1990’s and continues today. At that time, very little was thought of PCI other than a little fine print that was quietly overlooked until breaches began to result from this push.

At that point, the card brands felt that the public – being sufficiently hooked on the drug of convenience – was finally ready for enforcement of compliance with standards. Shortly thereafter the PCI SSC was born, and the real greed and corruption was to begin.

Below are a few points that have been smoldering quietly in the back of my head that are now demanding to be shared.

  1. Unless it’s my core business, it will never be my core competency. You cannot make merchants into military. They won’t go, they never will, stop trying to make them. Realize this now and move on.
  2. The card brands have created the problem by pushing their acceptance channels as hard as they have, and then attempted to throw security on top of the pile long after the fact. Security first, acceptance of cards later.
  3. The card brands added insult to injury by creating the PCI SSC. This is a self-serving group that dictates a set of documents and charges fees, then completely and utterly fails to enforce its own assessor quality assurance program.
  4. The SSC has, through their actions and inaction, contributed to the creation of a scandalously corrupt cottage industry of PCI QSACs. These companies are selling assessor services for a flat fee and assigning work at a rate of 35 to 45 PCI assessments a year per QSA. This volume is horrific and does not serve the client, or the card brands. The delivery of an appropriate assessment is simply not possible. You can have two of the three, “cheap”, “fast” and “good”, but only two. Cheap and fast does not make for good, yet the SSC has allowed the QSACs to promote and aggressively sell just that.
  5. The SSC has allowed the same QSAC and QSA to assess the same environments year after year, creating complacency and further corruption. If you care about compliance, rotate assessors. Assessors make bad calls, and in order to maintain the client, must live with them year after year. Fresh eyes are critical to maintaining integrity.
  6. The card brands have failed to adopt more secure methods of moving funds. The clear text account number adhered to the back of a piece of plastic via technology that rivals that of the 8 Track player in my mother’s 1976 Mercury Cougar. This is criminal.

I could go on and on, but the key point remains the same: the card brands are the cause of the problem, and have made it worse by setting up an unrealistic security program rather than focusing on their own flawed methods.

The reality is this; PCI is a way to shift the burden of securing the otherwise insecure from the card brands to the merchants, banks and service providers. God forbid the card brands pick up the tab??

As long as I am ranting, how is it that Moore’s Law drives down the cost of all technology except when it comes to transaction processing?

Will my rant change anything? No, but I do feel a bit better sharing with you all.

Regards,

Frustrated Assessor”

What’s Next For The PCI Security Standards Council?

I don’t think anyone in the payments arena has any doubt that credit/debit cards, in their current form, will die over time in favour of mobile devices. It’s a natural next step to replace something ubiquitous with something even more ubiquitous.

So where does that leave the SSC, and the card schemes themselves for that matter?

You only have to look at Visa Europe’s website Visa Vision to see that they are moving towards mobile (and other innovations), and articles like The Revolution is Here, do not even mention EMV, and the only reference to plastic is in a future past-tense.

It also raises the question of why the card schemes are pushing EMV when they themselves see an end to their reign-of-plastic. But the answer is obvious: the cost of fraud over the next 5 – 10 years far outweighs the cost of the transition. The US alone saw $7.1B in credit card fraud in 2013 (according to Business Insider), and I have estimated that the cost of EMV transition in the US is ‘only’ $12B (Why the US Will Not Adopt EMV (Chip & PIN), EMV in the US, a 12 BILLION Dollar Mistake).

So why am I so anti-EMV? Because there are technologies NOW that can replace it, are in more hands, and more widely distributed than cards ever were. Your mobile phones.

So back to my point; what WILL the card brands and the SSC do once the plastic dies? Clearly the brands have an enormous leg-up on any new player in the cashless game, and have massive amounts of capital to invest in meeting every aspect of this [so-called] disruptive innovation: research on innovation, testing proofs-of-concept, garnering adoption within the finance community, and of course, rolling it out to end users.

Mobile phone companies made a small play, and missed; banks could have done it, and didn’t; and large retail could have had a huge impact, and hasn’t. Probably because in all three cases – even banks – payments is not a core function. Being PAID is core, making the payment is not, so only the card schemes have payments as their entire reason-to-be, and therefore the most motivation.

OK, so if we assume that the card schemes are going to make a huge play in every cashless payment innovation from this point forward, where does that leave the SSC? Probably in exactly the same place, with only one change in title; From Payment Card Industry Security Standards Council, to Payment Industry Security Standards Council.

Regardless of the form of payment there HAS to be a security standard around the protection of the data. Not that the current standards are anywhere near adequate, even for cardholder data, but the SSC has significant experience adopting and implementing standards globally. From mobile apps, to software PINs, to identity management (for KYC, AML etc.) to crypto-currencies, everyone developing technologies must adhere to a minimum set of protective baselines.

So am I really proposing, after so many less-than-positive blogs related to the PCI DSS and the SSC, that they be a standards body for every form of payment globally? Well, no, I’m not, but I think that if they don’t TRY to be just that (with the card brand’s backing), there is no-where else for them to go.

Despite my voluble criticisms of the card brands and the SSC alike, they ARE well placed to do good. I hope they take the opportunity now, because it won’t come again.

[If you liked this article, please share! Want more like it, subscribe!]

Digital Anarchy? Not Without Identity Management

I read a rather long but very interesting article the other day (thank you nephew) titled ‘The Coming Digital Anarchy‘ by Matthew Sparkes (Telegraph). Despite the rather dramatic title (I have done this egregiously myself from time to time), the concept regarding the future of ‘blockchains’ is sound, and is a far better researched and a far more encompassing version of my earlier article ‘On The Irrelevance of Money‘.

However, with the exception of one fairly cryptic phrase, “In [his] version of the future, identity and reputation will be the new currency.”, the means by which this new order will be usable has not been addressed. Nor have I seen it addressed in any other articles of its ilk.

Regardless of the manner in which our data is stored, either the current file/database method, or the de-centralised / distributed method of blockchains (devised for the cryptocurrency Bitcoin, but with much wider implications), we, the owners of the data, need to access its function securely, and put it to use in any scenario we choose.

If you assume, for the sake of argument, that the concept of the block chain is a valid method of storing and securing data, how can we access the data’s benefits in a manner that’s equally secure? Your computer, mobile phone, static knowledge (username / password etc.) and physical tokens (credit cards, RSA Tokens) are what we use now, and, being based on current methods of authentication, they inherit their flaws. It is a hard enough stretch to get people to accept that their entire ‘Internet Worth’ (trying to coin this phrase) is not maintained by any institution, but to grant access to this without ensuring your identity is protected in the same way goes too far, even for me.

Your identity is all you have that’s truly yours, everything else is a universally agreed representation of value (money for example), so until such times as we can bring our full identity to bear we are reliant on small, and very specific elements of it. Elements that are relatively easy to steal, and duplicate.

It follows therefore, that the more of our identity we can securely distribute, the harder it will be for anyone to pretend they are us. Even in a scenario like Invasion of the Body Snatchers where they completely take over our physical bodies, unless the entirety of my life was instantly at the impostor’s disposal, AND they were able to duplicate my personality precisely, my family and friends would know there was something wrong. And if I’m honest, they might actually prefer the new me.

Which brings me to the true value of your identity: Trust. You would not lend a stranger £1,000 without significant rules in place, but you would think nothing of lending it to a family member (assuming they’re not a douche-bag). Why? Because you have a lifetime of trust built up behind you.

How then do we duplicate a lifetime of trust in an electronic form, between two complete strangers? Well, if you’re reading this YOU can’t; it’s probably too late for most of us, but it’s NOT too late for those young enough to begin the process. All we need is the technology.

Oddly enough, I think that block chains provide the answer here too, but I am making a huge assumption based on limited knowledge of how they work. However, from what I know already, they are an ideal medium as their very nature is to record everything that ever happens from the beginning. It just needs to be worked out how to accept the input from everyone with whom the individual comes into contact, and how to represent that in terms of levels of trust. Much like a credit rating, but infinitely more difficult to explain.

In just the last few days Ghash has thrown a huge spanner in the works by controlling the magic ‘51%’ of Bitcoin’s mining (hashing) power, thus completely ruining the whole concept of de-centralisation. They have said that we should not worry, and to trust them, but so do the banks. There is clearly a lot of work left to be done.

Until people MUCH smarter than me can work out these issues, and we completely redefine the concept of Privacy (that’s the easy part, right?), this is all theory and speculation, but I cannot see any safer way to get where we are headed. Things change, whether we are ready or not.

Your identity as a baseline is both irrefutable and impossible to duplicate, but it DOES mean you have to be a decent citizen your whole life or be ostracised. Is that such a bad thing if we have a global consensus on right and wrong?


On The Irrelevance of Money

OK, so money isn’t irrelevant …yet, but it will be. Like so many things still in existence, it is only still used because it has achieved global ubiquity, or because there is nothing better to replace it, or both.

Money, in all its forms, is probably the definitive example of this, but I can actually see a time in the not too distant future when it will be replaced with what it has always represented; Value.

Let me take a step back here and say that this subject is wayyy too complex for me to do true justice, and I have no intention of reading any books on economics to ensure it’s factually accurate, but by its very nature, money is a limit on the continuation of globalisation. Like it or not, the world is getting smaller and less unique across traditional borders, both physical and political. People are starting to want the same things, and while not all of the things they want are good, the common ground between them is once again driven by value.

Money simply cannot keep up with the changes, and the massive complexity of producing cash, providing debit and credit services, exchange rates, inflation, and a plethora of other things I have made it my goal to never understand, will eventually drive a requirement for something new:

I’m calling it ‘Digital Identity and Virtual Value Management’.

Errr, what?

Another step back; In the past, if you were a wheat farmer and needed meat, you would exchange wheat for meat at a ratio you agreed directly with the person standing right in front of you. You would then each go on your way happy that you have received fair value for your goods. However, if you wanted dairy products, carpentry skills, metal working skills or a whole host of services, you had to repeat this process, and of course, the representative values would always change depending on your immediate needs.

Now, in a massive over-simplification of history and probably fact, it was decided in the year [mumble-mumble] that it would make sense to replace the bartering system with a universally agreed (i.e. by the ‘government’) meaningless object (money), which would represent the VALUE of every commodity, so that the holder of this meaningless object was owed the value of it in any commodity they chose.

Great, so now instead of carrying around huge quantities of wheat, our farmer can now walk up to any provider of goods and exchange their meaningless objects for whatever they want.

Eventually these meaningless objects became paper-based, then plastic, and now it’s digital, but it’s still meaningless. Only the VALUE of what it represents means anything, and you SHOULD be able to spend that any time, any place, anywhere, without the need for a meaningless object.

Your identity should replace the meaningless object, and your value should replace money in all its forms.

But who sets your value? Who is to say that the services of a lawyer are more valuable than those of a plumber?

You do.

Currently, if you accept £50,000 / year for your employment, YOU are the one who set that value, not your employer. If you think you’re worth more, go somewhere else, or, what you should do is increase your value by improving yourself in some way (education, experience, work harder, you name it). And herein lies one of the biggest mistakes people make their whole lives; focussing on money when what they SHOULD be focusing on is improving their own worth, their VALUE to others.

So, what is Digital Identity? It’s the unequivocal ability for you to prove that you are you, to anyone, anywhere. If everyone in the world KNEW that you were you, then you would not need money, passports, or any physical form of identity. Whether this is effected by biometrics and knowledge verification or [more likely] a combination of these and other yet-to-be invented factors is unclear, but the digitalisation of everything will continue until this form of Identity Management is commonplace.

And Virtual Value? This you can see happening already with Bitcoin and its brethren. What’s missing is the input of non-monetary value, or in other words, I have no way of entering my self-determined worth into a virtual environment, then have others validate it for my actual work in a way that I can spend on something else. But this is coming too, it almost has to.

I can imagine a time when I perform a piece of work for someone, am immediately ‘credited’ with the agreed virtual value, and am then able to walk into a store, pick up what I want and walk out again without performing any manual payment transaction whatsoever. My Digital Identity will be confirmed the second I walk into the store, the value of the goods will be automatically calculated based on my choices, and the value of those goods will be deducted from my virtual net-worth (or Internet-worth! :)) as soon as I step back out into the street.

Seems rather ridiculous that we still use credit cards, doesn’t it?