How will we be paying in 2020 - The 12 Points by SPA's Technical Director, Lorenzo Gaston - Jan2015
The IT revolution has created a technology breakthrough in the way sensitive data is generated, stored, transmitted and verified. Since payment data is a special kind of highly sensitive information, dramatic changes in the way payments are processed are inevitable.
While significant innovations in both retail payment instruments and systems now exist and are being utilized, these don't always benefit from the same degree of adoption by users. Cultural practices, the existence of well-proven and socially accepted payment methods, different regional perceptions in terms of risk, worldwide differences in socio-economic development and the diversity of legal frameworks are all contributory factors that explain the inconsistency in innovation take-up.
The resulting heterogeneous landscape can make predictions an uncertain and somewhat random exercise. Even a trivial security breach can quickly bring about the rejection of a new promising payment technology – or conversely, accelerate the deployment of technologies that are not ‘tried and tested’.
In this piece, the SPA wishes to share with the Retail Payments Industry its vision on the way in which electronic payments will be initiated and processed in the coming years. This vision is based on a profound understanding of market structures, innovative technology drivers and user payment experience.
12 KEY FACTORS SHAPING THE FUTURE OF THE RETAIL PAYMENTS MARKET
1. Card-based technology will still be the dominant form factor for both fixed and mobile retail payment instruments
Mobile devices have fueled new opportunities for retail payments. An increasing number of transactions are now being carried out on iPads, smartphones and other personal mobile devices. Apple, with its Apple Pay product, is the latest player to enter the payments market. The Apple Pay concept is a mobile architecture that supports transactions through an embedded secure element - a card-based tamper resistant component. This use of a card-based approach looks set to trigger further market acceleration in this direction.
Other technologies based on software implementations have been recently announced. And while, at present, we lack evidence that these approaches are proven to be secure, they are now fueling stand-by technologies such as tokenization. These new payment mechanisms may capture a part of the market, especially for low-risk transactions, but will not replace smart card technology for payments. The challenge for these kinds of software solutions is that while the risks remain unproven, issuers will impose payment amount limits. Naturally then these payment forms are unattractive to fraudsters. It remains to be seen if fraud will increase should limits be raised.
Card payment technology will also become available in more form factors. Despite the lack of initial success of Google Glass for example, payment technology will be incorporated in ‘wearables’ in the coming years.
2. Dematerialization of money will continue to progress
Money is essentially a transferable debt by a money issuer. The value of money is therefore directly related to the solvability of its money issuer, and a "solvable" virtual community may issue its own "money". Money will not be kept away from the evolution towards virtualization of any economic valuable asset that can be represented digitally. However, it is not apparent that virtual currencies meet the classical criteria for money unless these are accepted as a payments means.
Other than issuer solvability, there are some fundamental problems relating to virtual money: security and the challenge of defining boundaries for issuance and acceptance in such a way that does not jeopardize the stability of the “real” economy.
Bitcoin was the first serious attempt to create a digital currency adapted to a networked world, but its take-off as a mainstream currency seems to be hazardous. Nevertheless, other virtual currencies will follow, even if the concept of a cashless society remains a utopian ideal.
Virtual currencies are, as yet, largely unregulated. Yet if they succeed in becoming mainstream, they will be kept under scrutiny by financial regulators. Both the US and European Central Bank monetary authorities are already in the process of establishing a limited regulatory framework for virtual currencies, which in itself is a tacit recognition on the part of regulatory authorities that this payment evolution is inevitable and should be monitored early on.
Furthermore, the extent to which these virtual currencies will compete with central bank money for payments makes the intervention of central banks in the supervision of such payment systems inevitable.
3. Policymakers will play a more direct role in retail payment systems supervision
In recent years central banks have paid increasing attention to the way retail electronic payment instruments are issued and operated, and how bank customers are authenticated online. More recently, as a result of serious card data breaches, policymakers have expressed concerns on how well the payments industry as a whole can meet the challenge of protecting sensitive customer information. This direct involvement of regulators in pursuing enhanced security is a reality that will become ever more present in the coming years, both in developed and developing regions.
The pace of new technology innovation and the need to fully understand any potential adverse consequences of this, in terms of fraud and financial crime, means the traditional role of financial regulators in the monitoring of payment instruments is now being extended. New “less regulated” payment processing patterns are more complex (and therefore more vulnerable) and involve more actors - both financial and non-financial parties, who may not share the same security background. Conflicts of interest can arise over the appropriate level of effort needed to improve security, in terms of the certification of payment products or during the transaction. Such conflicts hinder the development of security standards and slow down the adoption of measures that are already tried and tested.
The availability of new worldwide payment instruments for business and consumers which use systems that do not offer the same level of protection means that regional collaboration between regulators will become even more necessary to combat fraud. As a result, the SPA considers that the role of institutions such as the World Bank will become increasingly relevant – a move that is being fueled by international government organizations such as the G20.
A key area of collaboration within the payments industry right now is the creation of standards for safe and cheap cross-border mobile remittances - the ITU-T initiative launched last December is a first step in the right direction.
4. Non-bank entrants in the retail payments market will stay and consolidate, provided that access to payment infrastructures is enabled
Outside financial institutions, new entrants are offering payment services and taking over the primary relationship with bank customers and retailers. Sometimes this happens as a result of banks outsourcing part of the transaction processing.
Despite this new reality, nothing has fundamentally changed in terms of payments infrastructures and/or access to customer payment bank accounts by new entrants. Thus, non-financial institutions don't have direct access to clearing and settlement infrastructures. However, this situation creates a problem from a competition perspective because non-financial payment service providers have to use the intermediation of a bank in order to gain access to such infrastructures. That jeopardizes the business model for non-banking institutions and makes it difficult for them to offer real-time payments.
Upcoming law in the EU is intended to regulate access to customer bank accounts by a third party such as a non-financial payment service provider, provided that these entities are properly supervised by their national regulator. As a result, we are likely to see a growth in ‘card not present’ transactions. However SPA considers, and has always advocated, that the best way to have a successful e- and m- commerce payment experience is to expand and promote the use of card technology in the online environment. Apple Pay seems to have the same approach.
In addition, non-bank entrants offer significant advantages in terms of ease of use, liability shift and fast enrollment to gain market share. All of this is challenging from a risk management perspective.
Merchants will be in a pivotal position of being able to offer goods with tailored payment instruments that minimize the risk of financial losses in cases of fraud. Knowledge of customer consumption patterns and solvability will boost new complex personalized services - resulting in a package of commercial offers, merchant-preferred payment instruments and special credit conditions, all of which will be incentivized with loyalty programs. Mobile wallets will be the great enabler of this business revolution.
5. Mobile wallets will constitute the bond between retailers and their customers
Mobile wallets constitute a good example of the way in which innovation is becoming a focal point for payment system development and enhanced competition.
Mobile wallets provide banks and non-banks with a broad range of strategic options to gain market share - for instance, by joining forces to issue co-branded wallets. These proprietary wallets - connected to proprietary platforms - will be made possible by in-house research and development, joint ventures, venture capital investment and alliances to develop a proprietary standard or a public ISO one. Each strategic option will carry, of course, its own costs and benefits, but as technology vendors the SPA is concerned that an emerging “wallet war” will lead to excessive market fragmentation. It’s a scenario that is already taking shape - witness the arrival on the market of Google Wallet, Softcard, Visa's V.me Wallet, MasterCard’s MasterPass, Apple Passbook, PayPal and American Express' Serve.
This diverse set of wallet technology offerings will continue to co-exist until users decide which business model will dominate the market. The SPA is of the opinion that a high-level standard for functional and security requirements for wallets could enable the development of mobile wallet solutions with the potential for convergence in a second step, if so required by the market.
The ability to collect huge amounts of data will be at the core of the war between different wallet implementations, and the ability to extract greater decision-power from big data will be a condition for greater consolidation in the retail payments market. As a general rule today, however, the market will privilege m-wallets that are secure, easy to use and widely accepted.
6. Commercial banks will retain the lead in the provisioning of payment services
Products and transactions managed by banks are, by nature, highly sensitive digital information - but the provision of such financial services does not require large physical facilities.
Despite the apparent substitution effect, financial institutions are still ahead – demonstrating that the virtual evolution of the economy is in line with the way banks have been operating for decades. Today, you no longer have to visit a bank’s premises in order to transact. Instead, banks offer their financial services online, using a variety of communication channels, and benefit from widespread customer acceptance.
Banks are now developing innovative new ways to enable financial transactions. For example, banks are increasingly using electronic signatures to create a complete financial transaction model that is compliant with the applicable legal framework – making it possible for them to offer a full range of online banking services (account opening, a loan application, or a credit transfer order) accessible from personal devices. Electronic signatures, generated by a mobile device using private keys stored in a secure element, will become the accepted norm – but if the secure element is issued by a third party, then a business agreement will be required between the third party (such as a mobile telecom operator) and the financial institution.
Authorizing payments is a risky exercise and the banks’ core expertise is risk management. At the end of the day, consumer behavior when it comes to payment is conservative: given a choice, consumers will tend to select the payment option that minimizes risk.
7. Central and commercial banks will lead financial inclusion policies and drive this market growth
The provision of inclusive mobile financial services requires the close collaboration between governments and private undertakings, especially mobile telecom operators. Indeed, governments hold the ultimate responsibility for the regulatory framework for mobile payments. Furthermore, governments are often the source of funds that finance the purchase of basic goods and services, and also have the authority to negotiate with other governments in relation to specific provisions for the efficient cross-border transfer of funds.
Several African governments have now mandated their central bank to assume the responsibility of monitoring the operation of mobile payment systems; this includes Kenya, where m-PESA is the reference model for mobile financial inclusion – a model that, in our opinion, will spread.
The classic bank financing model remains highly relevant for emerging and developing markets, where micro and very small businesses constitute the core of the economic activity. This classic model successfully accommodates the financial profile of such populations: large numbers of small customer deposits which are individually quite variable in their balances and characterized by the need for the immediate availability of deposit balances in cash (volatility of funds) - but with an aggregated value that may remain stable. This gives access to quality financial services at affordable prices.
Facilitating financial inclusion, mobile payments will continue to change the lives of the people in the developing world.
8. Fraud patterns will be a moving target and banks are likely to undergo "stress testing" to prove resistance to cyberattacks
Statistics prove two basic facts: first, where smart card technology is adopted, fraud for card present transactions falls to almost zero; second, fraud is moving to online acceptance payment contexts. At the present time there is a wide diversity in the level of security offered by payment solutions for e-commerce and m-commerce. Yet, as the recent data breaches proved, card payment databases offer different levels of protection, despite the fact that PCI-DSS in theory applies.
Payment service providers and retailers are in the process of implementing two technologies for the protection of card payment data using cryptographic mechanisms: (1) the end-to-end encryption of data over the communication channel between the terminal and the card issuer, and (2) the tokenization of card data so that the database only contains payments tokens which are useful to keep track of transactions, but useless for fraudsters.
Because the adoption of these mechanisms will take time and will depend on the region of the world considered, fraud will move towards those infrastructures identified as vulnerable. Fraudsters have a strong incentive to commit payment fraud and will test security access controls in a bid to bypass these. As a result, where a fully protected payment chain exists, attacks will tend to be concentrated on the retailers’ facilities – for instance, within the vault of a token service provider or even in the payment service providers involved in the transaction.
Last month, the New York State Department of Financial Services (DFS) announced that regulated banks would be examined on a regular basis; areas to be checked include protocols for the detection of cyber breaches, penetration testing, and defenses against breaches, including multi-factor authentication.
The SPA would like to point out that at the present time no successful attack has been published proving the ability to introduce a worm or virus in a smart card or secure element to disclose secrets useful for fraud purposes. SPA members offer mobile device technology that combines Secure Elements (SE) and a Trusted Execution Environment (TEE) to protect payment credentials – and the integrity of the mobile device user interface - during a transaction.
9. The shared economy will drive mobile person-to-person payments
The sharing economy is developing at a pace and is expected to grow to hundreds of billions of dollars by 2025. Enabled by smartphones with GPS chips and internet connections, new intermediation businesses are looking to use this technology to connect a vast market that’s willing to pay for convenient interactions with small businesses or people seeking flexible work. Today’s mobile technology makes sharing a localized peer-to-peer experience possible enabling, for instance, the discovery of locally-based items to rent or services. In this way, persons with shareable assets and access to a significant level of demand may become small business owners.
At present, the shared economy is largely funded by online payments (for example, by connecting to a financial institution and providing a credit transfer order). But new P2P mobile platforms, accessed through resident payment applications in the mobile device, are going to be proposed. Classic viral uptake of the mobile P2P service may facilitate growth, but this growth may be limited depending on the nature of the shared service. A "gardening tool" rental service, for example, would be physically constrained within a geographical area – and "closed-loop" communities may also be created.
Mobile P2P payments feature properties that are adapted to the context of the social inequality characteristics of a shared economy - meaning low or no transaction cost, immediate availability of funds for the payee, along with payer control, security and "universal" acceptance. Three distinct models for mobile P2P payments have so far emerged: a non-bank-centric model (which may be convenient to unbanked persons), a bank-centric model and a card-centric model where the overall processing takes place through a card payment system.
Naturally close to the peer-to-peer nature of the shareable economy, a standard mobile P2P solution may generate a sufficiently high number of transactions to make a mobile P2P service profitable (or rather a person-to-small business mobile payment service). ISO 12812 part 4 is a first attempt to establish an interoperable framework for the provision of mobile P2P payments.
10. Interoperable real-time payment infrastructures will be the rule, not the exception
But this migration will take time and will again be largely dependent on the region of the world considered. The UK has pioneered implementation of an almost instantaneous settlement of a payment order service. The US meanwhile, with its chronic problem of slow payment systems, is now in the process of speeding up its retail payment systems by studying alternative architectures for more effective payment infrastructures. Australia is at a similar stage, while within the EU SEPA framework, an initial study period of business requirements for real-time payments has been launched.
Beyond these initiatives, the "be paid right now is better than later" principle is no doubt appealing. The millennium generation has grown up in an interconnected real-time world and social networking, and payments - especially person-to-person payments - should not constitute the exception to this rule.
However, there are problems to overcome: (1) significant investment is required to upgrade existing payment infrastructures, but how to incentivize such evolution, (2) how will the different payment instruments accommodate and benefit from this evolution, and (3) how to address the wide diversity of user need for real-time payments?
Despite the difficulty of identifying the business case, it is more than likely that future payment systems will increasingly provide a real-time experience for end users and will act as a driver for new payment instruments and financial services, both in a fixed and mobile context. Shortening the time required to execute a transaction will constitute a driver for innovation as a positive side-effect. Because completion of the payment is a desirable objective, this major evolution towards instantaneous settlement will have a direct impact on the way payment risk management is conducted.
11. Mastering effective e-payment risk management will be a key strategic advantage
Effective and comprehensive real-time risk management integrates covenant tracking, counterparty management, financial spreading, probability of default, loss given default, limits checking, product proposals and pricing, back office activities, and guidelines such as the “Principles for effective risk data aggregation and risk reporting” issued by the Basel Committee on Banking Supervision.
Real-time risk management in particular will represent a challenge for non-financial payment service providers and those entities involved in payments transactions that may represent a high level of risk (financial, operational, legal) for cross-border money transfers over a certain amount.
Added to this, real time fraud monitoring is likely to concentrate payments in huge digital companies, and will disturb the competitive environment within secure element-based payments that we see today. Smaller and mid-sized entities will simply be unable to afford to invest in real-time monitoring.
Those that succeed in addressing this challenge will take an increasingly dominant position in the retail payments market; in Money 2020, PayPal claimed to have the most efficient payment risk management system of the industry.
In this area we will be witnessing a more interventionist policy by the regulators, both in terms of the mandatory processes to apply and the direct monitoring that these requirements are effectively applied. The ability to anticipate these legal requirements will constitute a strategic differentiator for payment service providers.
12. EMV next generation protocols will overcome their present drawbacks
EMV cards were never designed to be connected to customer PCs, even if smartcard readers were available to conduct internet transactions that emulate a cardholder present payment. As a result, attackers moved to the online world when EMV cards were rolled out and 3DS was the first serious attempt by EMVCo to stop card not present fraud.
Being aware of the need to strengthen collaboration between schemes in the context of aggressive competition, EMVCo will be leveraging its role for the development of common specifications in the area of big innovation (tokenization, e-commerce, m-commerce, and software emulation of payment instruments). This policy will help to quickly resolve the inevitable technical and operational problems intrinsic to new protocols and payment technologies.
Given this context, it is not surprising that EMVCo – which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa – recently announced that it will now be responsible for further developing the EMV 3DS 2.0 specification and associated certification programme.
A world of change
As we have outlined, the traditional payment system will be turned on its head. The entry of new players, and new ways to pay, may trigger greater adoption of alternate payment types, but the market impact and indeed the potential challenges are yet to be truly seen.
That payment card technology will continue to remain relevant, and will drive innovation and the alternative market forward, is not in doubt.
Similarly, whatever the models, relationships and technologies, the consistent need to bullet-proof technologies against the threat of fraud or information leakage remains critical. Here strict oversight will be key - with government, regulators and central banks playing an ever greater interventionist role in new ways to pay.