Smoke and mirrors? Maybe, maybe not...
The vision is there, but it seems that there is a big leap in the delivery and in the realisation of the strategy to deliver this vision.
a) BIOMETRICS - not everyone will have an electronic biometric reader, now or in the future, whether it is a Nymi wristband or an iPhone with its iTouch fingerprint reader (increasingly more common now). In these instances 'someone, somewhere' needs to link the biometric reader with the card number (or the token for the cardholder) at the merchant. This will be the area of challenge. And then when that is done, the challenge is also how to manage/update the registration and links associated with these devices in a way that is controlled and away from fraudsters. Remember also, that this would need EVERYONE who wants to buy something on-line, to be 'set-up' this way.
b) DYNAMIC PASSWORDS - nothing here in the article on where these would come from or how they would be transmitted. So very much a vision without any details and far, far away from a technical specification! Again, everyone paying on-line needs a facility to access / create such passwords - and this leads us (in the first instance) to the mobile device that everyone has and to SMS messaging as the conduit. This would require the mobile number to be then associated with the card number (or token) and a registration somewhere too.
Seems a little way off yet, but whenever we estimate timing of these things they arrive sooner.
Or is this just MasterCard laying down some vision to help evolve the thinking and/or to 'advertise' their work in biometrics trials?
Time will tell.
13 Nov 2014 11:01
This all brings home to me the serious risks involved to the stability of these systems, and the underlying 'governance' of them and governance of 'what goes through them'; when there are 'heavy debates and consultations' that are going on at the FCA and at the new Payment Services Regulator relating to:
a) Breaking up or selling organisations like CHAPS
b) Somehow treating them like water-pipes rather than critical world-winning business solutions.
c) Somehow opening them up to and passing control of them from the BoE and onto new small payment organisations who will surely make this sort of disaster a regular event.
d) Believing that smaller financial organisations should have free access to this architecture, or that they do not have enough access to it today.
It does all need looking at, and hopefully the BoE will make a series of evolutionary strategic plans to evolve the systems - and with greater stability; but at the same time be able to pacify the FCA PSR civil servants that this is too dangerous to start tinkering with.
21 Oct 2014 11:04
Indeed, MasterCard is pushing CHIP & PIN and Visa is in a campaign towards CHIP + Signature. This should change the direction and put people/everyone on the same clear direction towards a sound CVM that works. Going down a CHIP + Signature route that has been abandoned everywhere else in the world (including by Visa everywhere else too) is nonsensical.
20 Oct 2014 10:36
@John Candido - not disappointing at all - quite the contrary. The reason that he is alluding to when he remarks that he has not used the system - is NOT that he uses cash, but that he does not pay for anything himself at all. His personal identity/footprint does not exist whilst he is executing the office of president of the United States. As part of this, I understand that he relinquishes all his cards etc. He does not have a personal life anymore!
20 Oct 2014 10:33
This has to be one of the worst infiltrations and financial crimes ever. And I mean the one committed by Home Depot, not by the criminals.
- PCI DSS has been around for a decade and big merchants think that they can use their muscle to delay and avoid implementing solutions.
- Home Depot are the sort of size of organisation that should have led the way into EMV (Chip and Pin) years ago and not left it to others to drive forward.
- Why did they leave it to discover this on 2nd September? It must have been going on for ages, and known about at Home Depot for months.
- When they saw the Target losses, this should have immediately (at least a year ago) led to action by the people at Home Depot to ensure that they were not exposed.
- Many might say that the company has 'lost the plot', that the executives have either been 'totally incompetent' or focused upon the wrong things - so also incompetent. Which is it? Can you see the incompetence?
- There will be a lot more of these things because others will be doing the same.
- The banks are also culpable too, for having invented EMV 20 years ago and then letting the ENTIRE world excluding the USA implement it to prevent cards that are compromised in this way being used thereafter; with only stupid excuses as to why not to implement in the USA.
Let's be clear: 56 million compromised cards = at a sale price on the dark-web of $50 each, the theft of customer/bank cards of $2.8 billion. If the average loss on a compromised card is $1,000 - then the consequential losses will be $56 billion.
However all these cards will not be sold-on and used in this way because banks will cancel them and re-issue them at costs far exceeding the costs to Home Depot, and 56 million customers will be inconvenienced at no cost to Home Depot (or their insurers).
Now can you see the incompetence?
19 Sep 2014 13:13
@Hari - Careful -
1. Software MUST differentiate between e-com and POS - it is in the scheme rules, and MUST be treated differently in so many ways. This is not opinion - but clear fact / rules/mandates and very heavily punished by the schemes with penalties for not doing so.
2. The only reason why Apple is going to get concession on the interchange rates, is BECAUSE they are submitting these transactions as POS / CP - and proving the security involved with 2FA / 3FA - Geolocate and Device profiling; tokenisation with encryption key, and adoption of the prevailing NFC and EMV standards.
3. The problem with the QR code thing is that it can transmit or facilitate ANY of the above in (2).
4. AND ABSOLUTELY NOT - the POS transactions will be treated as CP - and the e-commerce as CNP. It is the rules, and each will attract the correct interchange.
I am sure that you understand some of the software issues, but the rules and the scheme engagement is just as important to get right.
16 Sep 2014 15:50
@Hari - but this article was about POS implementation. NOT about e-commerce processors and their implementations. So not about online payment processing. NFC is NOT something that can be used with online payments. So it is not possible because POS is NOT the same as CNP e-commerce.
16 Sep 2014 01:46
Interesting but not convincing at all. Indeed - this cannot happen. Ever. So why not? Technically, this is possible, but of course technical possibility and a good idea like this, won't stop people thinking about this.
The problems rest in:
a) The EMV Co and NFC standards, which require that there is a 2-way handshake and communication with the device and the secure element and a decryption process.
b) The card schemes, who will have required the NFC to be adopted as the communication vehicle for the transactions to be permitted,
c) The issuers to allow the transaction to attract the interchange concession, to be transacted using the EMV Co / NFC standards and a channel that can be used to validate the transaction and ensure closed security.
QR codes were only a transient interim technology, that only had a place in small ways to bridge the gap that has now been theoretically bridged.
We have heard a LOT about the impact of the ApplePay announcement on who/what will be affected, but one thing is sure: It has killed the QR code as a payment vehicle - so it will live on ONLY in the very good informational applications where it has been used thus far - i.e. to stop people needing to type various things into a device.
Adopting QR code developments with access to secure elements is NOT an option, and it is VERY VERY VERY VERY VERY unlikely that the access to the secure element (i.e. the underlying security) will be accessible to TP developers in this way either.
Nice thinking, but a complete non-starter as it breaches the security, card scheme rules and card standards in every way.
There is no way (logically) that the secure element will or can be replaced by
15 Sep 2014 12:50
@Jim - absolutely! Walmart and others have tried to break this in the courts - but this is slow and only leads to a 'Walmart win'. But Apple will hopefully open things up. The danger is that this will only be an 'Apple win' - again because of the size of Apple.
12 Sep 2014 11:54
@Nick - I cannot help agreeing with you too. We do not know which way this will lead. I would say though that the schemes are still run by the issuers in every decision/ruling/new rules/new mandates etc. and in the USA, but the absence of an EMV solution based upon many, many issuer focussed objections. The retailer lobby can be dangerous, I agree, but I do not think that they are getting a big enough voice in these issues at the moment. But I am maybe blinded a little by all the problems that I am seeing working with acquirers, big merchant groups and schemes - where things look this way. Acceptance / Acquiring representation in VE has been all but annihilated in the recent changes there, and scheme rulings and member letters from all schemes favour expressions and talk of protecting the cardholders/issuers rather than protecting the integrity of the payment systems or points of sale.
In the case here, the costs of all these appeals and the underlying case is all about trying to protect the ISSUER revenues from interchange after all - whereas MasterCard 'could' have been accepting this and lowering rates further (reversing them) if they had an eye on the acquirer / retailer community.
Again, it is incredible that the Apple announcements are talking about taking fees from issuers and not charging merchants anything. That will surely ring the changes. And as you say, this will allow market / commercial forces to start to drive change. The problem has been that the presence of the strong and invincible duopolies has prevented the market/commercial forces from being free to act.
12 Sep 2014 11:05