Standards must deliver more benefits to the market they serve than they cost to implement, or risk becoming irrelevant

Barry Levett

On the 26th of November 2024, the PCI Security Standards Council (PCI SSC) published Version 1.1 of the PCI Mobile Payments on COTS (MPoC) Standard, designed to support the evolution of mobile payment acceptance solutions. It’s worth taking a closer look at the key changes which Version 1.1 delivers because, from Mypinpad’s perspective at least, it represents some but not all of the much needed rolling back of Version 1.0’s standards requirements. More work is required to make the next version of MPoC (Version 2.0) meet the right balance of cost and benefit, making it commercially competitive for most industry participants.

There are 10 key changes noted in PCI SSC’s accompanying blog post on the Version 1.1 changes. I’m picking just three of these changes because they illustrate the point I’m trying to make here, in my first blog of 2025:

  1. Removal of Secure Software and Kernel functional validation requirements
  2. Updates to self-testing requirements for MPoC SDK integration
  3. Allowance for FIPS 140-2 L2 HSMs (if implemented in controlled environments)

Some changes, such as item #1, correct excessive scoping, which has become somewhat common. Contactless kernels are already approved under EMVCo's own process, and secure software has its own PCI standard, so including them in the MPoC scope was a form of overreach that resulted in duplicated work for industry participants.

Other changes such as #2 and #3 stem from feedback from industry participants explaining the operational and implementation aspects of the requirements. Often, standards are written from the point of view of minimising security risk, but without considering the operational and implementation costs.

My view is that, as a key point of principle, the cost of every requirement in every standard needs to be measured against the actual benefit. If the cost of implementing a requirement is higher than the benefit it delivers, it should be removed, pure and simple. Simply put, these elements of MPoC added unnecessary compliance requirements and costs for technology providers, which only served to stifle innovation. Ultimately, they cost us (and our competitors) far more than the benefits they brought to the market as a whole.

The PCI SSC (and indeed every standards body) needs to remember that, unlike industry regulators, it cannot mandate that its requirements are applied right across the market. If market participants find a requirement costs more to implement than it delivers in benefit to them and their users, the industry will simply navigate around it.

We have seen this over the last 12 years or more with the proliferation of scheme-specific waivers to try to fix problems with excessive standards requirements, especially by PCI. Virtually every deployment of SoftPOS was done using scheme waivers rather than under the excessive CPoC standard. PCI is slowly learning and we hope this learning is not just continuing but accelerating.

Lots of standards body options for software providers

It is also worth remembering that software providers which want to ensure their software is bug-free, highly secure and yet both easy to integrate and scalable have an array of standards bodies to draw on. A quick Google of the bodies that govern the quality of software development reveals several immediately. There is ISO (International Organization for Standardization), and the IEEE (Institute of Electrical and Electronics Engineers), which provides standards for software engineering practices. Then there is CISQ (Consortium for Information & Software Quality), which provides standards for measuring software quality.

There is another set of standards bodies dedicated to building software that is highly secure. Again, ISO has standards for that. There is also the IETF (Internet Engineering Task Force), which develops and promotes voluntary Internet standards, including those related to cybersecurity.

NIST (National Institute of Standards and Technology) offers guidance on managing and reducing cybersecurity risks; and for tech firms wanting to demonstrate their in-house IT capabilities, a SecurityScorecard 'A' rating is highly coveted. Such a rating is an outside-in assessment built from externally observable signals, but it tells the outside world that a firm has strong in-house cybersecurity skills and tight systems to protect the critical data it holds for its clients.

Benefits of ISO 27001 certification

Mypinpad has elected to put itself through ISO 27001 certification. This standard is recognised around the world—well beyond the payments market. It helps us in several ways:

  1. Enhanced Security: ISO 27001 provides a comprehensive framework for managing information security risks, helping software businesses protect sensitive data from cyber threats.
  2. Competitive Advantage: Certification demonstrates a commitment to security, which differentiates our software business from competitors and attracts security-conscious clients.
  3. Regulatory Compliance: It helps ensure compliance with various data protection regulations, reducing the risk of fines and legal issues and speeding up onboarding processes with solution providers.
  4. Improved Processes: Implementing ISO 27001 can streamline and improve information security processes, leading to more efficient operations.
  5. Customer Trust: It builds trust with customers by showing that the business takes security seriously and has robust measures in place.
  6. Market Access: Certification can open up new business opportunities, especially in industries where data security is critical.

We go through standards requirements to show our customers that we make the grade, and ISO 27001 certainly helps in this regard. We find it easier to work with larger players as a result. Reaching and penetrating new payment market opportunities becomes easier and quicker.

Standards bodies must be fleet of foot

Rounding back to where this piece started, it is good news that PCI SSC has rolled back some of its more onerous MPoC requirements published just over two years ago in Version 1.0. However, it is also clear that with so much innovation in the payments space now, they will need to be more ‘fleet of foot’ to keep up, and flexible enough to adjust standards requirements when it is clear that technology players are not applying them, or worse, are looking elsewhere for standards certifications or scheme-specific waivers. All standards bodies must remember that their requirements must deliver more benefit than the cost that they pass onto market participants wishing to be compliant with them.

It is critical for them to listen to the market and have the agility to adjust. Leaving it two years to go to a new version of a key standard does not feel agile enough to me. They need to be constantly reviewing standards take-up. They must listen, then adjust and update their standards requirements and issue new versions much more regularly, much like what a software house or SaaS provider does today. Without this iterative approach, it is difficult for them to remain up to date and, ultimately, relevant in a fast-paced market like digital payments.

Authentication continues to get smarter and more convenient as the line between Card Present and Card Not Present transacting blurs

Barry Levett

This article, the 12th in my current series of thought pieces, explores how innovations in authentication methods and technologies are helping to blur the line between CP and CNP transaction authentication by splitting transaction origination and authentication channels.

The relentless rise in the volume and value of e-commerce transactions is bringing about widespread changes in thinking on how best to authenticate these payments. Going back to the dawn of e-commerce, merchants, card issuers and banks alike saw real value in adding layers of authentication so they could verify that the person using a customer's card details to complete a Card Not Present (CNP) online transaction was indeed the authorised cardholder.

Two-factor authentication (2FA) was put to work in earnest, particularly from the mid-2000s as smartphones began to be used to browse and buy goods and services. The principle was simple: the more independent 'factors' used to authenticate the person transacting online, the more likely they are to be who they claim to be. So, as part of increased digital security in our daily lives, multi-factor Strong Customer Authentication (SCA) came to be mandated in many jurisdictions (in Europe, under PSD2). These 'factors' are classified as:

Something you know, such as a PIN, a password, or the answer to a security question;
Something you have, such as a payment card or a device like a smartphone; and/or
Something you are: a biometric such as a fingerprint, face pattern, voice pattern or gait.

3DS is over 20 years old

Plain 2FA began to be supplemented by 3-D Secure (3DS) from 2001, when 'Verified by Visa', built on the 3DS protocol, went live. One of the big changes which came with 3DS was the liability shift: for transactions authenticated in line with the scheme rules, liability for fraud losses passed from the merchant to the card issuer.

It's no surprise, therefore, that online merchants today increasingly integrate 3DS into their checkout processes. When a customer initiates a payment, the merchant's 3DS component sends an authentication request, via the card scheme's directory server, to the issuer's Access Control Server (ACS).

The cardholder's issuing bank may then require additional action from the cardholder to complete authentication. This is called the 'challenge flow'. It might involve entering a one-time password (normally texted to their mobile device or sent to their email address), or approving a push notification in the customer's banking app.

Once the cardholder successfully authenticates, the issuer returns the authentication result to the merchant (together with an authentication value the merchant includes in the authorisation request) and the payment is processed. Equally, if the authentication fails or the cardholder abandons the cart, the transaction may be declined or flagged for further review.

3DS usage is in rude health: there was 33 per cent growth in merchants globally using 3DS in 2023 compared to 2022, according to Datos Insights. Polaris research confirmed that 3DS-generated revenues have seen a 12 per cent global Compound Annual Growth Rate over the last 10 years.

Authentication innovation accelerating

However, payment authentication innovation has not stopped with wider deployment of 3DS. Online merchants are increasingly overlaying machine learning-driven fraud detection, the address verification service (AVS) and protection against first-party fraud onto their online authentication processes. There is no doubt that, as more intelligence is added into authentication systems, the risk of fraudulent transactions happening online is falling in percentage terms.

The challenge now is to make digital transacting as ‘frictionless’ as possible, while continuing to reduce the risk of fraudulent transactions being allowed through or worse, genuine transactions being blocked. It needs to be easy as well as safe.

These innovations are also spilling over into physical-store CP transacting. In e-commerce, under EMV 3DS 2.x, merchants now send a rich mix of data to issuers to authenticate transactions and prevent fraud.

This data can include:

Transaction Data: Information about the purchase, such as the amount, currency, and merchant details.
Cardholder Data: Details about the card being used, including the primary account number (PAN), cardholder name, and expiration date.
Device Information: Data about the device used for the transaction, such as IP address, device ID, and browser type.
Authentication Data: information related to the authentication process, such as prior 3DS results and the merchant's own risk assessment; any one-time password (OTP) or biometric check happens on the issuer's side during the challenge flow rather than being sent by the merchant.
Additional Data: Other relevant information that can help in the decision-making process, such as shipping address, billing address, and purchase history.

This comprehensive data exchange helps issuers make more accurate decisions—reducing the risk of fraud further and improving the overall security of online transactions. Machine learning is being applied to help crunch these multiple data streams using algorithms to improve fraud detection rates. The result is that consumers are being required to physically slot their bank card into a POS device less and less. Many consumers are leaving their physical wallets at home when they are out and about today. Our personal buying behaviour, location and other data-based insights will increasingly verify that we are the cardholder we say we are.
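As an added example (not Mypinpad's code and not the EMV 3DS message schema), the following Python sketches the exchange described above in the shape of 3DS2: the merchant side supplies the data categories just listed, the issuer side (the ACS) scores them and either answers frictionlessly or demands a challenge, and the challenge is verified with a bounded number of OTP attempts. The field names, weights, threshold, sample requests and the out-of-band store that stands in for SMS delivery are all constructed for illustration.

```python
# Added example: a simplified 3DS2-style risk-based authentication exchange.
# Not the real AReq/ARes/CReq/CRes schema; names and thresholds are assumed.
import hmac
import secrets

CHALLENGE_THRESHOLD = 40   # assumed issuer policy, not a value from any standard
MAX_OTP_ATTEMPTS = 3       # assumed: lock the challenge after this many failures

# Constructed authentication requests, loosely mirroring the data categories.
SAMPLE_HIGH_RISK = {
    "transaction": {"amount": 420.00, "currency": "EUR", "merchant_id": "MERCH-01"},
    "cardholder": {"pan_last4": "4242", "name": "A N Other", "expiry": "12/27"},
    "device": {"ip": "203.0.113.7", "device_id": "dev-9f3a", "browser": "Firefox/120"},
    "additional": {"billing_country": "GB", "shipping_country": "DE", "prior_purchases": 0},
}
SAMPLE_LOW_RISK = {
    "transaction": {"amount": 30.00, "currency": "EUR", "merchant_id": "MERCH-01"},
    "cardholder": {"pan_last4": "4242", "name": "A N Other", "expiry": "12/27"},
    "device": {"ip": "198.51.100.9", "device_id": "dev-9f3a", "browser": "Firefox/120"},
    "additional": {"billing_country": "GB", "shipping_country": "GB", "prior_purchases": 12},
}

PENDING_CHALLENGES = {}   # challenge id -> {"otp": str, "attempts_left": int}
OUT_OF_BAND = {}          # stands in for the SMS / app-push channel to the cardholder


def score_request(areq):
    """Issuer-side risk scoring over the merchant-supplied data.
    Returns (score, reasons); the signals and weights are illustrative."""
    tx, dev, extra = areq["transaction"], areq["device"], areq["additional"]
    score, reasons = 0, []
    if tx["amount"] > 250:
        score += 25; reasons.append("high amount")
    if extra["billing_country"] != extra["shipping_country"]:
        score += 20; reasons.append("billing/shipping country mismatch")
    if extra["prior_purchases"] == 0:
        score += 15; reasons.append("first purchase at this merchant")
    if not dev.get("device_id"):
        score += 20; reasons.append("no device fingerprint")
    return score, reasons


def acs_authenticate(areq):
    """Issuer (ACS) response to the merchant's authentication request:
    'Y' = authenticated without a challenge, 'C' = challenge required."""
    score, reasons = score_request(areq)
    if score < CHALLENGE_THRESHOLD:
        # The authentication value is what the merchant later includes in the
        # authorisation to evidence that 3DS authentication took place.
        return {"transStatus": "Y", "authenticationValue": secrets.token_hex(16),
                "reasons": reasons}
    challenge_id = secrets.token_hex(8)
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_CHALLENGES[challenge_id] = {"otp": otp, "attempts_left": MAX_OTP_ATTEMPTS}
    OUT_OF_BAND[challenge_id] = otp   # delivered to the cardholder, never to the merchant
    return {"transStatus": "C", "challengeId": challenge_id, "reasons": reasons}


def acs_verify_challenge(challenge_id, otp_entered):
    """The cardholder submits the OTP through the challenge window.
    Constant-time comparison, bounded attempts, and each challenge is single-use."""
    record = PENDING_CHALLENGES.get(challenge_id)
    if record is None:
        return {"transStatus": "N", "reason": "unknown, used or expired challenge"}
    record["attempts_left"] -= 1
    if hmac.compare_digest(record["otp"].encode(), otp_entered.encode()):
        del PENDING_CHALLENGES[challenge_id]
        return {"transStatus": "Y", "authenticationValue": secrets.token_hex(16)}
    if record["attempts_left"] <= 0:
        del PENDING_CHALLENGES[challenge_id]
        return {"transStatus": "N", "reason": "OTP attempts exhausted"}
    return {"transStatus": "C", "challengeId": challenge_id,
            "attemptsLeft": record["attempts_left"]}


def merchant_checkout(areq, enter_otp):
    """Merchant-side flow: request authentication, run the challenge if asked,
    and only go to authorisation once an authentication value is held.
    enter_otp(challenge_id) plays the cardholder typing into the challenge window."""
    ares = acs_authenticate(areq)
    while ares["transStatus"] == "C":
        ares = acs_verify_challenge(ares["challengeId"], enter_otp(ares["challengeId"]))
    if ares["transStatus"] != "Y":
        return {"authorised": False, "reason": ares.get("reason", "authentication failed")}
    return {"authorised": True, "authenticationValue": ares["authenticationValue"]}
```

The two points worth noticing are that the OTP never travels back to the merchant (the merchant only ever sees a challenge identifier and a final status), and that a challenge is consumed on success or exhaustion, so a captured OTP cannot be replayed against the same transaction.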

Authentication innovation shift coming

Many of the aforementioned EMV and PCI standards which relate to acquiring, assume at their core that cardholders are transacting using someone else’s device. That might be an ATM under the control of a bank, or a payment terminal under the control of a merchant.  Transaction origination is simple. The merchant keys in the amount and the card is presented. 

Clever cryptography (EMV offline data authentication plus the online cryptogram the card generates for authorisation) is used to authenticate the card in the 'untrusted device' and, if it passes, the customer is sometimes asked to authenticate themselves by entering a PIN. This is how things have worked for decades across the world and how things continue to work for the most part when shopping in physical stores today.

However, e-commerce payments authentication started to chip away at the underlying assumption that the origination of a transaction is always done on an untrusted device. Rather, consumers are generally entering their own card details on their own devices. These Card Not Present transactions were always considered riskier for the banks and in particular merchants but that did little to stem the rise of e-comm transactions.

Innovations such as the card verification value (CVV/CVV2) and 3DS were rushed in to tackle rising fraud risk by allowing customers to authenticate themselves to their banks ('issuers'). The industry, now split between CP and CNP transactions, seemed quite settled for the next 20 years or so.

Significant authentication innovation step change underway

However, that status quo is changing fast. The drivers for this change stem from rapid innovations in acceptance devices such as SoftPOS, the prevalence of online rather than offline transactions, and new methods of authentication. The other big shift is a recognition amongst issuers and merchants that convenience and customer experience are as important (and in many cases more important) than 360-degree security and fraud prevention at all costs.

Contactless transactions, for example, already require no verification of the cardholder for values under the so-called 'CVM limit', balancing the experience of just tapping and going against the risk of the transaction. Amounts above this limit require a cardholder verification method, typically PIN entry at the terminal or verification on the consumer's own device such as a phone wallet, thereby matching that inconvenience with the higher risk.
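As an added example (not Mypinpad's code and not taken from any scheme specification), the following Python shows how a per-tap CVM decision can combine the CVM limit with the issuer-side counters of taps and spend since the cardholder was last verified, which is what produces the 'insert card and enter PIN' step-up after a run of taps. The limit values are assumptions modelled on the PSD2 RTS contactless exemption thresholds (EUR 50 per tap, and EUR 150 or five taps since the last verification); the enum, dataclasses and prompts are constructed for illustration.

```python
# Added example: contactless CVM selection against the CVM limit and the
# issuer's cumulative counters. Limits are assumed (PSD2-style), not scheme rules.
from dataclasses import dataclass
from enum import Enum


class Cvm(Enum):
    NONE = "no cardholder verification"        # tap and go
    CDCVM = "verified on the consumer device"  # wallet unlock counts as the CVM
    ONLINE_PIN = "online PIN at the terminal"  # step up


@dataclass
class Limits:
    cvm_limit: float          # per-tap amount above which a CVM is required
    cumulative_limit: float   # spend allowed since the last cardholder verification
    max_consecutive: int      # taps allowed since the last cardholder verification


@dataclass
class CardCounters:
    # Issuer-side counters, reset each time the cardholder is verified.
    spend_since_cvm: float = 0.0
    taps_since_cvm: int = 0


def select_cvm(amount, limits, counters, cdcvm_performed=False):
    """Return (Cvm, reason) for a single tap. A CDCVM (for example a wallet
    unlocked by biometric) satisfies the verification requirement whatever the
    amount, which is what lets consumer devices pay above the CVM limit."""
    if cdcvm_performed:
        return Cvm.CDCVM, "CDCVM performed on the consumer device"
    if amount > limits.cvm_limit:
        return Cvm.ONLINE_PIN, "amount above the CVM limit"
    if counters.taps_since_cvm + 1 > limits.max_consecutive:
        return Cvm.ONLINE_PIN, "consecutive contactless limit reached"
    if counters.spend_since_cvm + amount > limits.cumulative_limit:
        return Cvm.ONLINE_PIN, "cumulative contactless spend limit reached"
    return Cvm.NONE, "within contactless limits"


def record_outcome(counters, amount, cvm):
    """Update the issuer counters once the tap has been approved."""
    if cvm is Cvm.NONE:
        counters.spend_since_cvm += amount
        counters.taps_since_cvm += 1
    else:
        counters.spend_since_cvm = 0.0
        counters.taps_since_cvm = 0
    return counters


def terminal_prompt(cvm, reason):
    """Merchant-facing message: say why a PIN is being asked for rather than
    leaving the cashier with an unexplained 'card declined'."""
    if cvm is Cvm.ONLINE_PIN:
        return f"Insert card and enter PIN ({reason})"
    return "Approved" if cvm is Cvm.NONE else "Approved, verified on device"


def run_taps(amounts, limits, counters=None, cdcvm_flags=None):
    """Process a sequence of taps on one card; returns a list of (Cvm, reason)."""
    if counters is None:
        counters = CardCounters()
    if cdcvm_flags is None:
        cdcvm_flags = [False] * len(amounts)
    results = []
    for amount, flag in zip(amounts, cdcvm_flags):
        cvm, reason = select_cvm(amount, limits, counters, flag)
        record_outcome(counters, amount, cvm)
        results.append((cvm, reason))
    return results
```

Running five taps of 30 followed by a sixth small tap through run_taps gives five tap-and-go approvals and then a PIN step-up with the reason "consecutive contactless limit reached", which is exactly the message a merchant interface should surface instead of a bare failure.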

CDCVM blurs lines between CNP e-comm and in-person CP transaction authentication

Enter the Consumer Device Cardholder Verification Method (CDCVM)—a relative newcomer to the authentication standards world which uses the security of a device such as a smartphone or watch to authenticate payments whether in an app, using a mobile wallet, or when completing a contactless payment. 

This new authentication channel blurs the line between in-person and e-commerce transacting because the same authentication can now be deployed for both. ‘Under the hood’ the solutions are implemented differently but the experience is increasingly uniform, smooth and natural to most consumers.

Similarly, PIN entry is being used in remote contexts by consumers (with or without tapping their card) to provide increased authentication for CNP transactions, or as part of internet or mobile banking.  Mypinpad already has authentication customers using CDCVM and new use cases, including authenticating keyless entry to hotel rooms and vehicles, are popping up all the time.

CP versus CNP distinction for authentication will disappear

In summary, the CP versus CNP distinction is quickly coming to an end, in my view.  What is more important is whether the transaction’s origination and authentication paths are the same or different. In addition, it’s about the strength of that authentication and whether Step Up Authentication can be integrated to dynamically adjust the level of authentication as the risk associated with a specific transaction is assessed in real-time. It’s about understanding transaction risk and pricing it accordingly. It will be an interesting time for acquirers and issuers alike to navigate this change. 

As for Mypinpad, we continue to provide payment and authentication solutions, bundled or separated, both for merchant and consumer device-based transacting, all on the same underlying SDK and kernels.

Delivering on the promise of AI in Paytech

Barry Levett

AI can and should be a game changer for many paytechs, but the devil is in the detail. In my latest article, I’ve decided to work up some examples of where AI is already beginning to make the difference and also look at a couple of areas where the application of AI models will generate positive results much more slowly.

AI is going to make the difference but not everywhere for everyone

When people talk about major tech ‘leaps forward’, we often think about the creation of the transistor, integrated circuits, personal computers, networking, cloud computing or open source programming. Some of these inventions changed everything in IT, some were gamechangers in terms of the cost of building software.

While AI is not a new thing, the launch of ChatGPT (built on GPT-3.5) in November 2022 put large language models (LLMs) onto the public stage and fuelled widespread expectations of immediate changes to everything. AI, which suddenly became synonymous with LLMs in the minds of the public, was declared the next gamechanger. However, many are already pouring cold water on AI given the inherent limitations of LLMs. The naysayers are not seeing the developments of AI in other spheres being built into tools we use every single day.

Yes – AI will change the world! However, its success depends on the problem you are addressing and the quality of the AI model being used. Let’s look at some areas touching the paytech world where palpable, even transformational, change is possible with the use of AI-enabled tools.

Hype cycle doesn’t apply to AI

The thing about big IT developments is very often they are over-hyped at the beginning, and much of the promise fails to materialise, resulting in the ‘hype cycle’ peaking and pushing the overhyped trend into the inevitable ‘trough of disillusionment’.

However, AI will buck the normal hype cycle rules because much of the hard work and invention was completed during the development of AI’s forerunner – machine learning (ML). So, AI did not reach mainstream use in late 2022, it merely came of age.

An ML system was only ever as good as the applicability to the problem being solved, the size and quality of the data set it was trained on and the amount of computing resources available. As resources increased, ML systems grew in tandem. With the internet solving information challenges and plummeting compute costs, enormous strides forward were made very quickly.

So, today you can get hold of a whole range of different-sized AI models, already pre-trained, for free (e.g. from Ollama.com), or on a low-cost subscription basis from dozens of providers including Microsoft and GitHub.

The action is not in the LLMs but in other AI models solving real world problems. 6 key drivers are at work:

  1. Many real world challenges can be boiled down into classification problems, prediction problems, optimisation, or decision making problems. ML is well placed to handle all of these sorts of problems using well understood models.
  2. The relatively recent explosion of high quality data sets used to train models.
  3. ML tools such as TensorFlow are easy to use, often free, and built into development environments.
  4. Wide availability of compute resources at very low cost to do the model training and to support very large models.
  5. Fast return on investment as the implementation is easy for many companies using free pre-trained models and/or services provided by AI companies.
  6. The ratchet effect: AI will only ever get better, never get worse!

So, while AI research started in the 1950s, the pre-requisites for widespread use and application of it have only recently become widely available and for this core reason – this time it’s different! There is not a one-size-fits-all though. Many AI systems are speeding ahead while others are lagging, depending mostly on the use case. 

AI helping developers to build better code faster

AI can be applied to IT challenges very rapidly and relatively inexpensively. At Mypinpad, we are already seeing the application of AI in software development exploding. Our developers can use tools like GitHub Copilot and its new competitor Cursor, to help them build, review and quality test code much faster than they could even a few years ago.

AI is being used to help write code more quickly, spot likely software code bugs in what’s already been written – flagging problem code and prompting alternative lines of code and then automatically applying them once the engineer has given the AI-generated change suggestions their seal of approval. Engineers can even train this new technology to apply agreed changes across large blocks of code.

It’s helping developers to embrace the Shift-Left movement which integrates quality assurance (QA), security protections and testing much earlier in the development cycle. Just a few years ago, the code was written by a developer and QA tested by someone else. Change requests were then passed back to the original developer, before a second iteration of the code could be developed. Now, much more is done at draft 1 – often by the same engineer. Ultimately, better software will be written faster. This productivity leap for the DevOps world is already beginning to show itself in terms of the speed of the development cycles which Mypinpad is able to push through.

So, which use cases stand out in terms of the use of AI to improve the quality and speed at which it is able to roll out solutions to the market? I decided to look at one area where I predict rapid improvements as a result of application of AI-driven algorithms, and two areas which are more of a ‘slow burn’ in our market. It will be different based on specific market challenges.

Use Case #1: Fraud Protection (Rapid Improvements due to AI)

The key to spotting fraudulent transactions is analysis of data associated with that transaction. Location, value of a transaction, time of day, account balance available, type of items being purchased—are all relevant factors which AI models can check and risk score in the blink of an eye.

I remember hearing a story from an executive working at a well-known scheme that one way to ensure you get your card blocked in the US is to purchase two tanks of gas (i.e. petrol), one for yourself and another for a friend, and then go to a Nike store and try to purchase some trainers.  Whether or not this was a good fraud identifier I have no idea. However, the process of identifying patterns which are hard to spot and implementing this logic into the fraud systems manually is both error prone and inefficient.

AI classification models are designed to track many more variables than any human can. They find patterns which are normally invisible to us. These patterns can be immediately applied without changing existing payment flows. It just plugs in.
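As an added example (not Mypinpad's code or any issuer's fraud engine), the following Python trains a minimal learned classifier, logistic regression written from scratch, on a constructed transaction history using the kinds of features named above (value, time of day, distance from home, merchandise category, share of available balance). It shows what "it just plugs in" looks like: a scoring function that takes a raw transaction and returns a probability, with no hand-written "two tanks of gas then trainers" rule anywhere. The history, feature scaling, category list and training settings are all assumptions for illustration.

```python
# Added example: a from-scratch logistic-regression fraud scorer over
# constructed transactions. Features, data and settings are illustrative.
import math

HIGH_RISK_CATEGORIES = {"electronics", "gift_cards", "crypto"}   # assumed


def features(tx):
    """Turn a raw transaction into a fixed-length feature vector in [0, 1]."""
    hour = tx["hour"]
    return [
        min(tx["amount"] / 1000.0, 1.0),                   # size of the transaction
        1.0 if hour >= 23 or hour < 6 else 0.0,            # unusual time of day
        min(tx["km_from_home"] / 1000.0, 1.0),             # distance from the cardholder's home
        1.0 if tx["category"] in HIGH_RISK_CATEGORIES else 0.0,
        min(tx["amount"] / max(tx["balance"], 1.0), 1.0),  # share of the available balance
    ]


# Constructed history labelled by chargeback outcome (1 = confirmed fraud).
HISTORY = [
    ({"amount": 12.0, "hour": 9, "km_from_home": 2, "category": "grocery", "balance": 900}, 0),
    ({"amount": 45.0, "hour": 13, "km_from_home": 5, "category": "restaurant", "balance": 1200}, 0),
    ({"amount": 380.0, "hour": 11, "km_from_home": 8, "category": "furniture", "balance": 2500}, 0),
    ({"amount": 60.0, "hour": 19, "km_from_home": 30, "category": "fuel", "balance": 700}, 0),
    ({"amount": 120.0, "hour": 15, "km_from_home": 3, "category": "electronics", "balance": 3000}, 0),
    ({"amount": 25.0, "hour": 22, "km_from_home": 1, "category": "grocery", "balance": 400}, 0),
    ({"amount": 950.0, "hour": 2, "km_from_home": 800, "category": "electronics", "balance": 1000}, 1),
    ({"amount": 600.0, "hour": 3, "km_from_home": 1200, "category": "gift_cards", "balance": 650}, 1),
    ({"amount": 480.0, "hour": 1, "km_from_home": 700, "category": "crypto", "balance": 500}, 1),
    ({"amount": 85.0, "hour": 4, "km_from_home": 900, "category": "electronics", "balance": 300}, 1),
    ({"amount": 720.0, "hour": 23, "km_from_home": 650, "category": "gift_cards", "balance": 800}, 1),
    ({"amount": 300.0, "hour": 0, "km_from_home": 1100, "category": "crypto", "balance": 320}, 1),
]


def sigmoid(z):
    z = max(min(z, 35.0), -35.0)   # keep math.exp in range
    return 1.0 / (1.0 + math.exp(-z))


def train(history, lr=0.5, epochs=3000):
    """Batch gradient descent on the logistic loss; returns (weights, bias)."""
    xs = [features(tx) for tx, _ in history]
    ys = [float(y) for _, y in history]
    n, m = len(xs[0]), len(xs)
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(n):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / m for wi, gi in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def score(model, tx):
    """Fraud probability for one raw transaction: this is the plug-in point."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(tx))) + b)


def decide(model, tx, threshold=0.5):
    """Authorisation-side decision; the threshold is where risk is 'priced'."""
    return "review" if score(model, tx) >= threshold else "approve"


def training_accuracy(model, history):
    correct = sum((score(model, tx) >= 0.5) == bool(y) for tx, y in history)
    return correct / len(history)
```

After training, the learned weights carry the pattern (night-time, far from home, risky category, large share of balance) that no one had to write down, and a single call to score() gives the risk in the blink of an eye for any new transaction in the same raw shape.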

Use Case #2: User Behavioural Analysis in Cyber Security (Rapid improvements due to AI)

Similarly, AI is being heavily deployed in cyber security to spot more cyber threats based on multiple parameters which again are often linked to the user behaviour of a specific employee and whether their online activity breaches pre-defined risk parameters. So, a cyber security platform today might spot that a member of staff is using a potentially risky cloud-based file sharing app such as WeTransfer to move documents to an email address outside the organisation.

However, if the platform has historical data on that member of the marketing team’s use of WeTransfer to send branded brochures to an outside designer (and therefore gauges that it is for legitimate purpose and does not compromise any personal data controlled by the company), the app’s usage can be allowed for this person but perhaps not for another member of staff. In other words, it is about marrying user behaviour with other risk-linked parameters to determine if prescribed risk levels have been reached or exceeded.
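As an added example (not Mypinpad's code and not any vendor's product logic), the following Python builds a per-user behavioural baseline from constructed historical upload logs and evaluates new events against it, so that WeTransfer to the design agency is allowed for the marketing user but flagged for a finance user, and an unusually large send is flagged even for the marketing user. The log format, user names, domains, byte counts and the volume multiplier are all assumptions.

```python
# Added example: per-user behavioural baseline over constructed upload logs.
# Log format, users, domains and thresholds are assumed for illustration.
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S+)")
VOLUME_MULTIPLIER = 5   # assumed: alert when a send exceeds 5x the user's previous maximum

# Constructed history: a month of marketing sending brochures to an outside
# designer via WeTransfer, and finance using the corporate SharePoint only.
HISTORY_LOG = """\
2025-01-06T09:12:01Z user=alice dept=marketing app=wetransfer dest=designstudio.example bytes=18400000 result=sent
2025-01-08T14:30:45Z user=alice dept=marketing app=wetransfer dest=designstudio.example bytes=22100000 result=sent
2025-01-13T11:05:10Z user=alice dept=marketing app=wetransfer dest=designstudio.example bytes=15900000 result=sent
2025-01-09T10:20:33Z user=bob dept=finance app=sharepoint dest=corp.example bytes=2400000 result=sent
2025-01-15T16:02:09Z user=bob dept=finance app=sharepoint dest=corp.example bytes=3100000 result=sent
"""

# Constructed new events to evaluate against the baseline.
NEW_EVENTS_LOG = """\
2025-02-03T10:02:11Z user=alice dept=marketing app=wetransfer dest=designstudio.example bytes=19800000 result=sent
2025-02-03T10:41:50Z user=bob dept=finance app=wetransfer dest=mail.example bytes=41000000 result=sent
2025-02-04T17:55:03Z user=alice dept=marketing app=wetransfer dest=designstudio.example bytes=512000000 result=sent
"""


def parse(log):
    """Parse 'timestamp key=value ...' lines into dicts (bytes as int)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(KV.findall(rest))
        ev["ts"] = ts
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def build_baselines(history):
    """Per user: the (app, destination) pairs seen and the largest send per app."""
    base = defaultdict(lambda: {"pairs": set(), "max_bytes": defaultdict(int)})
    for ev in history:
        b = base[ev["user"]]
        b["pairs"].add((ev["app"], ev["dest"]))
        b["max_bytes"][ev["app"]] = max(b["max_bytes"][ev["app"]], ev["bytes"])
    return base


def evaluate(ev, baselines):
    """Return the list of alert reasons for one event (empty = within baseline)."""
    reasons = []
    if ev["result"] != "sent":
        return reasons
    b = baselines.get(ev["user"])
    if b is None:
        return [f"no history for user {ev['user']}"]
    if (ev["app"], ev["dest"]) not in b["pairs"]:
        reasons.append(f"{ev['app']} to {ev['dest']} never seen for {ev['user']}")
    prior_max = b["max_bytes"].get(ev["app"])
    if prior_max and ev["bytes"] > VOLUME_MULTIPLIER * prior_max:
        reasons.append(f"{ev['bytes']} bytes is over {VOLUME_MULTIPLIER}x "
                       f"the user's previous maximum ({prior_max})")
    return reasons


def run(history_log, new_log):
    """Build baselines from history, then score each new event."""
    baselines = build_baselines(parse(history_log))
    return [(ev["ts"], ev["user"], evaluate(ev, baselines)) for ev in parse(new_log)]
```

The point is the marriage of behaviour with the risk parameter: the same app and the same kind of action produce no alert for alice, an "app/destination never seen" alert for bob, and a volume alert for alice only when her send is far outside her own history.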

Use Case #3 – Customer Service (Slower Burn)

It is in this area that AI grabbed much of the mindshare of technology businesses in the first six months after the launch of ChatGPT. There was barely a tech firm anywhere which did not contemplate, prototype, or even go live with a chatbot to support its customer service function, us included.

However, as we have discovered, these generative AI-based chatbots are only ever as good as the documentation that supports them. Chatbots are like an automatic “Frequently Asked Questions” on steroids. You ask the chatbot a question about your pension policy or latest transactions from your current account and hopefully you get the right answer.

The key here is not to knock back the AI systems but rather to focus on the quality and quantity of documentation provided to customers. It’s good old GIGO (garbage in, garbage out)—the better the content, the better the performance of the bot. Once this pre-requisite is in place, excellence in customer service via AI will follow.

Use Case #4 – New Products & Services (Slow Burn)

We have seen new products and services emerge like Google Maps that are highly dependent on AI and some clever algorithms. It has live traffic information, reports of accidents etc, but there will also be opportunities for AI models to be applied to day-to-day financial transactions like extending unsecured loans, motor insurance renewals, based on heuristics—enabling rapid decision-making based on multiple parameters.  These will roll out over time and many will not know to what extent AI powers the decision-making under-the-hood.

Summary

AI is already being widely applied amongst the tech community to improve quality, making code generation cheaper and quicker to test and finalise. The efficiencies gained here are legion. The cost of applying many of these AI models is close to zero: TensorFlow for ML models and Ollama for running pre-trained models are free and open source, and cloud offerings such as Azure AI are pay-as-you-go with no up-front cost. It's about developing these models into particular use cases in specific markets now.

Remember the ratchet mechanism applies to AI i.e. models will only get better, and in some areas they are going to deliver rapid improvements. The developers you retain will be writing more bug-free code and building software solutions faster as long as they have the requisite AI skills, knowledge of algorithms, and ability to work with relevant tools like GitHub Copilot, Cursor and Ollama.

Form and Function: Paytech solutions are often built primarily to deliver a specific function. But we need to go further than that to deliver great UX

Barry Levett

This month, I’m taking a closer look at how good software providers can become great ones by looking more closely at improving the user’s and developer’s experiences of the interfaces they are creating.

Technology delivers functionality

When software engineers begin designing a new product, they first focus on what that piece of software must deliver in terms of functionality. Once the product has been coded and is found to be capable of that functionality, it goes into User Acceptance Testing to make sure it performs that function reliably, at sufficient speed, across numerous platforms and devices (if relevant). Once all these tests have been run, and it has been piloted on a small coterie of ‘alpha’ customers, it goes live.

Many tech firms now regard strong UI (User Interface), UX (User Experience) and CX (Customer Experience) as key elements in software design. However, not many go further than this to ensure they are delivering great Developer Experience and Operations Experience.

Indeed, great Developer Experience is only tackled, it seems, by the most successful fintechs who then dominate their respective spaces, such as Stripe and Adyen who both make the Developer Experience a delightful one.

Delivering great UX for everyone

The more I explore the question of really differentiating your product, the more I realise this is about building experiences for everyone into the product design from Day One.

We produce paytech solutions for three key types of users:

  1. Developers
  2. Operations teams (both internal and those of our customers including banks, payment service providers and ISVs)
  3. Users (typically merchants)

To deliver a superior User Experience for each of the above, it’s important to know precisely what superior, or just good, looks like for each type of user. Their demands are nearly always different. From our own research for a new product which we launched about six months ago – our new mobile acceptance solution called Wattle – we know some of what each of the above want and value in terms of UX.

1. For Developers

Developers want simple tools which are easy to apply. We must offer fully tested, glitch-free code which can be simply cut and pasted to create a new solution. They want us to abstract the complexity and hold that ‘under the hood’ on our side.  What they don’t want is the need to understand all the nuances and assumptions that are inherent in an industry within which they have often never worked.

It’s got to be easy to use our tech to help build and roll out their tools rapidly and reliably, and ideally it should offer developers a seamless user experience regardless of whether they are building a solution for a POS terminal, or for an iOS or Android mobile device.

2. For Operations teams, including those of our customers

We have all seen big control rooms in the movies and on TV run by people in lab coats looking at flashing red and green lights showing the positions of trains in the network, or perhaps illustrating processes ongoing inside a reactor in a nuclear power station; or tracking of a rocket going into space.  This is not just Hollywood but represents a valid need for operational visibility and control in real life by our customers, and by us.

We need to answer key questions like: Is the system working and if so, how well? Are backups and redundancies ready and in place in case something goes wrong? Have we established protocols with our customers to work together to troubleshoot and solve problems? Where should our customers focus their efforts to maximise their profits, geographically or otherwise? What proportion of transactions require a PIN? The questions are endless but can be summarised as follows: the need for real-time knowledge and ideally, visualisation of what is happening within every part of the system.

3. For Users (typically merchants)

Users also want a seamless experience for their customers. Regardless of the card or device which their customers are using to enable the transaction, the interface needs to look the same at each stage of the transaction. We must design the display message accordingly. It must be familiar to the customer regardless of the device and card they are using.

Merchants also want a real-time, information rich User Experience. It’s particularly valuable for merchants to know that transactions have gone through and which customers are buying the most that day, week or month.

That’s why we’ve put badges on our product development roadmap for Wattle. Badges can be used to celebrate a specific size of transaction, a specific milestone for the merchant, and much more. After all, our products should not just be about delivering a solution, but making the UX fun along the way.

Merchants also want an interface that delivers pertinent information when a transaction has failed. For example, it would be good to know that when a customer has been instructed to put his card into the POS terminal and tap in his PIN, it is because that customer or that terminal has hit its limit of back-to-back contactless transactions. Information is key to eliminate that ‘sorry sir, your card failed’ embarrassment.

With the rising use of self-checkouts in major retailers today, it is worth remembering that payment system users are increasingly the consumers themselves. For them, it is valuable, as far as possible, to check out as rapidly as possible, ideally without the need to call an attendant over. Keeping those self-checkout queues running smoothly is key.

Another example is receipting. How many times are we handed a POS terminal receipt and asked whether we want a separate itemised one? We are working on our own flexible receipting system as an extension to Wattle – more on that front in due course.

So UX is all important. But remember, an increasingly accurate understanding of what all users need, including those not normally top of mind like developers, is the key to going to the next level for paytech solution developers.

New European Commission settlement forces Apple to open iPhones to NFC ‘tap and go’ via alternative wallets

Barry Levett

During the second half of last month, I decided to take a closer look at Apple’s 14th August announcement that the IT giant will allow app developers to offer NFC contactless transactions using Secure Elements (SE) from within their own apps.

Starting with iOS 18.1, developers will now be able to access the NFC and SE to offer contactless transactions from within their own apps on iPhone, separate from Apple Pay and Apple Wallet. But the big question remains: ‘Will Apple grant SoftPOS players unfiltered NFC access?’. Let’s take a closer look at the importance for the SoftPOS market.

EU Commission findings

The Commission was concerned that Apple had too much control over which mobile wallet Apple iPhone users could use because it reserved the use of the Near-Field-Communication (NFC) technology on its iPhones for its own mobile wallet solution Apple Pay. Basically, before this ruling iPhone users, who only use Apple’s operating system iOS, had to use Apple Pay for Apple Tap-to-Pay contactless transactions.

Apple controlled every aspect of its ecosystem, including access conditions for mobile wallet developers. The EU found that this behaviour prevented developers from bringing new and competing mobile wallets to iPhone users. Such behaviour was ruled to be in breach of Article 102 of the Treaty on the Functioning of the European Union (TFEU), which prohibits the abuse of a dominant position.

As we know, mobile wallets allow for payments with a mobile device in shops and online. They also integrate with other services, like loyalty cards, contactless tickets for events, boarding passes and digital identity credentials. In the last four years, mobile wallet usage in shops in Europe has tripled.

In Europe, the most widely available technology for mobile payments in stores is NFC. NFC technology was not developed by Apple. It is a standardised technology which is made available for free. Compared to other technologies, like payments using QR codes, it allows for the safest and most seamless mobile payment experience. To develop viable mobile payment apps, access to NFC technology is therefore essential.

Apple iPhone opened up access to other wallets but has not extended it to SoftPOS yet

As part of its agreement with the EU, Apple made 12 key undertakings. However, it is worth beaming in on #6 of this list which I’ve highlighted in bold below:

1. Give access to NFC functionality to third-party mobile wallets. This access will be free of charge. This access will take place in what is called Host Card Emulation (HCE) mode. This is a software solution that allows rival wallets to make secure NFC payments. Apple Pay, on the other hand, relies on access to the hardware ‘Secure Element’ in the iPhone.

2. Enable access to important functionalities available on iPhones. This includes Double-Click and Face ID. iPhone users will be able to double-click the side button of their iPhones to launch their preferred payment application. Competing wallets will also be able to use Face ID, Touch ID and passcode to verify users’ identities.

3. Enable users to make the wallet of their choice the standard option on their iPhones. This is also known as setting the default option.

4. Allow developers to combine NFC payments with other use cases, for instance transit cards, access control, concert tickets and digital identity credentials. Everything that you could have in a wallet.

5. Cooperate with a fast dispute resolution mechanism, which will also allow for an independent review of Apple’s implementation.

6. Extend the possibility to initiate payments with HCE payment apps at other industry-certified terminals, such as merchant phones or devices used as terminal (so called SoftPOS), if this is enabled.

7. Explicitly acknowledge that HCE developers are not prevented from combining the HCE payment function with other NFC functionalities or use cases.

8. Remove the requirement for developers to have a licence as a Payment Service Provider (PSP) or a binding agreement with a PSP to access the NFC input.

9. Allow NFC access for developers to pre-build payment apps for third party mobile wallet providers.

10. Update the HCE architecture to comply with evolving industry standards used by Apple Pay, and to continue to update standards even if they are no longer implemented by Apple Pay, under certain conditions.

11. Enable developers to prompt users to easily set up their default payment app and redirect users to the default NFC settings page, enabling defaulting with only a few clicks.

12. Comply with the same industry standard-specifications as developers of HCE payment apps and to protect confidential information obtained in the context of an audit.

These commitments are applicable to users registered in the European Economic Area, including when they travel abroad, and will remain in place for at least 10 years. iPhone users will now be able to use their preferred mobile wallet for payments in stores. They will be able to do so while enjoying all the iPhone’s functionalities including tap-and-go, Double-Click and FaceID.

However, it’s also interesting to note (see point #6 above) that the possibility to initiate payments with HCE payment apps at other industry-certified terminals, such as merchant phones or devices used as terminal (so called SoftPOS), is not yet enabled.

Unfiltered card-read on iOS is the key for native SoftPOS support

We are seeking clarity from Apple in a few areas relevant to this point right now. For example, it’s currently unclear whether developers will be able to read payment card data without the current payment card filtering that Apple imposes. It’s important to distinguish here between being able to send data (data-send) to a payment terminal like Apple Pay, versus being able to read card data directly (card-read) on an iOS device (Apple Tap-to-Pay). For Mypinpad’s various ‘Tap-to-everything’ products, it’s critical that unfiltered card-reads on payment cards are possible.

Our overarching goal is to offer these products on iOS similar to our existing Android offerings. However, to date Apple has limited our iOS access to that of being an Apple Gateway Service Provider (GSP) certified for provision of SoftPOS services – preventing us from direct development of NFC under iOS. However, if we are granted unfiltered NFC access we will invest to adapt our kernel set for iOS and prepare our products to work on other operating systems over time.

How will our technology work with iOS if unfiltered NFC access is granted by Apple? After a card-read, the payload will be sent to the same backend used by all other Mypinpad solutions allowing us to deliver a device agnostic service to our customers. Functions such as tap-to-add, tap-to-confirm, tap-to-verify and tap-to-own-device (subject to card scheme approvals) will become much more widely available.

If our talks with Apple go well, we’ll be moving ahead to formal registration and securing necessary permissions to advance development of our ‘tap-to-everything’ features for iOS device users as quickly as we can.

Needs to deliver ease of use for acquirers, PSPs and merchants

Apple iOS is a big piece of the contactless payments market – of that there is no doubt. However, in order to have a payment acceptance solution with wide appeal what you really want is software which handles both iOS and Android transactions seamlessly. Sophisticated SoftPOS players, of which we are one, have built this consolidated offering across both mobile operating systems.

There is a lot of integration complexity under the hood, but the power is in being able to consolidate your offering to the point that our customers – the Acquirers and Payment Service Providers (PSPs) serving the merchants – can offer one contract providing a single view of all transactions regardless of which mobile device enabled it.

It ought to be possible to have a single application using a framework which is on both platforms. Both the ‘look and feel’ at the front-end and the integration at the backend need to be similar – and we now know this is what customers really want.

For mobile app developers, it’s also important that the way in which they are able to integrate SDKs to make a solution work, is similar for both Android and iOS. That is why we don’t just stop at the SDK-per-OS level, but rather assist Devs with a Flutter-based SDK so that they can develop a single app for both iOS and Android – providing the most seamless experience for users possible.

In summary, the ability of service providers like us to offer high quality, highly reliable and secure consolidated, multi-device, payment acceptance customer experiences is the key to extending mobile digital payments acceptance. The winners in the paytech market will be the ones that deliver a memorable, seamless, even fun user experience. Indeed, our focus today is already on making our technology easy to access and use for developers, merchants and end-customers alike.

Card issuers explore extending card activation, PIN changes and other EMV script-based card changes via their mobile apps

Barry Levett

According to Barclaycard’s contactless payments trends report 2024, over 93 per cent of sub-£100 transactions completed across the UK last year were contactless. Some markets saw significant double digit growth in contactless payments in the last year. For example, the hotels, resorts and accommodation market saw 14.6 per cent growth in contactless transactions, while public transport contactless transaction volumes rose by 11.4 per cent. Take-aways and fast food transactions saw 14.9 per cent growth in the same 12 month period. The list goes on, and the volume of contactless transactions is only going one way.

Many of these transactions are enabled by the buyer’s smart phone – I’ll call this ‘m-commerce’. Meanwhile, e-commerce penetration of total sales continues to grow rapidly as well. In the UK, 26.9 per cent of total retail sales were completed online in August 2023.

The rise of online spending is changing consumer habits. We are walking into fewer shops on the high street to do our purchasing. We are also not using physical banks or their ATMs nearly as much. Furthermore, particularly in younger age groups, people are not stepping out for the day with card-filled wallets at all! They want to load card details into an e-wallet such as Apple Pay and then use their smart phone or smart watch to pay. However, there are several card-related activities which still demand a trip to a shop or ATM. We think these activities too can be carried out on the smart phone. Indeed, we are creating the technology solution for one issuer to enable this, today.

Let’s examine a couple of key examples of where card issuers are exploring ways to reduce friction still further right now:

Card activation

In the UK, we are all familiar with the card activation process right now. When you order a new debit or credit card, whether that be a replacement of an expired, damaged or compromised card; or after signing up with a new card issuer, you will increasingly receive that new card via the normal postal service.

However, that card then needs to be ‘activated’ by the person assigned to it, before they can use it to buy anything. Normally, that starts with calling or texting the number on the removable sticker placed across the front of the new card. At this point you will be able to use that new card to make an e-commerce payment within minutes.

Most card issuers also demand that to fully activate the card you have to take it to a merchant and buy something by sliding the new card into a payment terminal and putting your assigned PIN number in – thereby verifying you are the owner of that card. The alternative is to put that same card into an ATM, and again put the PIN number in to activate it.

Why is this process required? It’s a security measure: to activate the new card, the issuer must be sure that it has reached the intended recipient. The use of the correct PIN number proves that. Once the issuer is able to verify that the card is in the right hands, they run a software ‘EMV script update’, normally via a payment terminal or ATM today, to fully activate that card for all digital transactions going forward.

Contactless transaction volume limits

Another problem is that some UK card issuers demand that as an additional security precaution, after a certain number of contactless card transactions, the physical card needs to be inserted into an ATM or POS terminal, at which time the card contactless counter is reset using EMV scripts. Normally, the card holder gets a prompt to insert their card into the terminal to complete a transaction – resetting that card’s transaction counter in the process.

This presents a real problem for someone using their card to tap in and out of the London Underground, for example. Most barriers don’t allow you to put the card into them to reset them. The customer is therefore forced to go to the ticket machine to buy a ticket. That’s inconvenient when you are in a hurry. With Mypinpad’s mobile solution, that card could be reset using the issuer’s mobile app rather than buying a physical travel ticket or going to a POS terminal.

EMV scripts in more detail

EMV scripts are stored somewhere accessible to the system where a transaction is to be authorised. Each script has a priority, and scripts must be applied in priority order. The script(s) are added to the authorisation response and returned to the ATM or payment terminal device with that response. The terminal applies these scripts, in order if there are several, and completes the transaction. The scripts can be applied before completion of the transaction or after.

For example, Block Card or Block Application must be applied before completion; most others would be after completion. The result of the script processing and its success or not is then returned in the next transaction sent to the host. This response should be used to update the script management system and allow re-sending of scripts if this is needed.

The main EMV scripts used today are:

  • Application Block and Unblock
  • Card Block
  • PIN Change or Unblock
  • Update data, mainly increasing the LCOL (Lower Consecutive Offline Limit) and/or the UCOL (Upper Consecutive Offline Limit).
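The script flow described in the last few paragraphs (priority ordering, the before/after completion split, the terminal reporting results back in the next transaction so the issuer can re-send, and the offline counter reset mentioned under ‘Contactless transaction volume limits’) modelled in a small Python simulation. This is an added example for illustration, not Mypinpad’s code or any issuer’s script management system; the script kinds are the ones listed above, while the priority field, the card-state dictionary, the result reporting, the MAX_ATTEMPTS retry limit and the sample scenario are assumptions made for the example. The before/after split follows the two EMV issuer script templates (tag 71 before the second GENERATE AC, tag 72 after), which is what the article calls ‘before completion’ and ‘after completion’.

```python
"""Simulation of issuer (EMV) script handling: priority ordering, the
before/after completion split, terminal-side application and the result
feedback that drives re-sending. Added example; names and policy values
(MAX_ATTEMPTS, card_state keys) are assumptions, not a real issuer host."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class ScriptKind(Enum):
    APPLICATION_BLOCK = "Application Block"
    APPLICATION_UNBLOCK = "Application Unblock"
    CARD_BLOCK = "Card Block"
    PIN_CHANGE_UNBLOCK = "PIN Change/Unblock"
    UPDATE_DATA = "Update Data"   # e.g. raising LCOL/UCOL


# The article: Block Card / Block Application must be applied before completion
# (EMV template 71); everything else goes after completion (template 72).
PRE_COMPLETION = {ScriptKind.APPLICATION_BLOCK, ScriptKind.CARD_BLOCK}
MAX_ATTEMPTS = 3   # assumed retry policy for the script management system


@dataclass
class IssuerScript:
    script_id: str
    kind: ScriptKind
    priority: int                        # lower value is applied first
    payload: dict = field(default_factory=dict)
    attempts: int = 0


@dataclass
class ScriptResult:
    script_id: str
    success: bool


class ScriptManager:
    """Issuer-side store of pending scripts, keyed by a card token."""

    def __init__(self) -> None:
        self.pending: Dict[str, List[IssuerScript]] = {}

    def queue(self, card_token: str, script: IssuerScript) -> None:
        self.pending.setdefault(card_token, []).append(script)

    def attach_to_response(self, card_token: str) -> Tuple[List[IssuerScript], List[IssuerScript]]:
        """Pick the card's scripts in priority order and split them into the
        before-completion and after-completion groups for the auth response."""
        ordered = sorted(self.pending.get(card_token, []), key=lambda s: s.priority)
        pre = [s for s in ordered if s.kind in PRE_COMPLETION]
        post = [s for s in ordered if s.kind not in PRE_COMPLETION]
        return pre, post

    def reconcile(self, card_token: str, results: List[ScriptResult]) -> List[IssuerScript]:
        """Apply the results the terminal reports in the next transaction:
        drop successful scripts, keep failed ones for re-sending up to MAX_ATTEMPTS."""
        outcome = {r.script_id: r.success for r in results}
        remaining = [s for s in self.pending.get(card_token, [])
                     if outcome.get(s.script_id) is not True and s.attempts < MAX_ATTEMPTS]
        self.pending[card_token] = remaining
        return remaining


def terminal_apply(scripts: List[IssuerScript], card_state: dict) -> List[ScriptResult]:
    """Simulate the terminal forwarding each script to the chip in the order
    received. Processing stops at the first failed command, as a terminal does
    for an EMV script template; the results are what it reports to the issuer."""
    results = []
    for s in scripts:
        s.attempts += 1
        ok = True
        if s.kind is ScriptKind.UPDATE_DATA:
            card_state.update(s.payload)            # new LCOL/UCOL values
            card_state["consecutive_offline"] = 0   # offline counter reset
        elif s.kind is ScriptKind.PIN_CHANGE_UNBLOCK:
            if "new_pin_block" in s.payload:
                card_state["pin_block"] = s.payload["new_pin_block"]
                card_state["pin_try_counter"] = 3
            else:
                ok = False   # nothing to write: the chip would reject the command
        elif s.kind is ScriptKind.APPLICATION_BLOCK:
            card_state["application_blocked"] = True
        elif s.kind is ScriptKind.APPLICATION_UNBLOCK:
            card_state["application_blocked"] = False
        elif s.kind is ScriptKind.CARD_BLOCK:
            card_state["card_blocked"] = True
        results.append(ScriptResult(s.script_id, ok))
        if not ok:
            break
    return results


def run_online_transaction(manager: ScriptManager, card_token: str, card_state: dict) -> List[ScriptResult]:
    """One authorisation round trip: scripts attached to the response, pre-completion
    scripts applied, transaction completed, post-completion scripts applied, and the
    results reconciled (in reality that happens on the next online transaction)."""
    pre, post = manager.attach_to_response(card_token)
    results = terminal_apply(pre, card_state)
    card_state["transactions"] = card_state.get("transactions", 0) + 1   # completion
    results += terminal_apply(post, card_state)
    manager.reconcile(card_token, results)
    return results


def demo():
    """Constructed activation scenario: unblock the application, raise the offline
    limits (resetting the contactless counter), and a PIN change whose payload is
    deliberately missing so the re-send path is exercised."""
    manager = ScriptManager()
    token = "card-token-demo"   # constructed stand-in for a PAN reference
    manager.queue(token, IssuerScript("s-limits", ScriptKind.UPDATE_DATA, 2, {"lcol": 5, "ucol": 10}))
    manager.queue(token, IssuerScript("s-pin", ScriptKind.PIN_CHANGE_UNBLOCK, 3, {}))
    manager.queue(token, IssuerScript("s-unblock", ScriptKind.APPLICATION_UNBLOCK, 1))
    card_state = {"consecutive_offline": 5, "lcol": 3, "ucol": 5, "application_blocked": True}
    results = run_online_transaction(manager, token, card_state)
    return card_state, results, manager.pending[token]


if __name__ == "__main__":
    state, results, remaining = demo()
    print(state, [(r.script_id, r.success) for r in results], [s.script_id for s in remaining])
```

Running demo() applies the unblock and limit update in priority order, marks the PIN change as failed, and leaves only that script queued for re-sending on the card’s next online transaction; a real host would additionally log any script that exhausts MAX_ATTEMPTS for an operator to investigate.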

PIN number changes

So, if you want to change your PIN number – you really only have one place to go to do that today – your nearest ATM. However, what if you could activate your new card or change your PIN via your bank’s mobile app?

Mypinpad is already working with one issuer to enable both new card activation and PIN number changes via their mobile banking app. We can do it because not only do we have the right security credentials, as certified by a security lab, but we also develop and certify our own kernels. With this capability we can provide issuer scripting over contactless to allow, for example, a card activation or PIN number change.

Why is this likely to be useful now? Essentially, consumer behaviour studies on payments suggest that any barriers to getting live with a new card reduce its usage and therefore transaction volumes. We have all been issued with a new card which we have failed to activate immediately. We’ve just put it in our ‘valuables drawer’ and told ourselves we’ll activate it later…and then simply forgot to do so.

It is becoming increasingly clear that to drive up adoption of e-commerce and m-commerce, card issuers need to reduce the barriers to using their cards as much as possible – while at the same time continually strengthening the ‘card rails’ that I wrote about in my last article. Balancing iterative improvement of the user experience and reducing barriers to transacting, with keeping the consumer safe and their money secure remains just that – a balancing act for card issuers and paytech innovators alike.

Mypinpad has recently started working with one card issuer to implement card issuer ‘EMV script updates’ to enable new card activation and PIN changes to be completed on customers’ own devices via that issuer’s mobile apps. It seems likely that more will follow as barriers to online transacting continue to fall.

Why card rails ensures the continued growth of card issuers despite new non-card digital payments systems gaining ground

Barry Levett

This month I decided to take a look at threats to the card issuers’ dominance of the payments landscape and explore why the numbers of transactions underpinned by card rails still continues to rise.

Global rise of digital wallets

Anyone in the payments world cannot fail to spot the rise of digital wallet-based paying. In the UK alone in 2023 £72.5 billion of leisure, retail and hospitality spending went through digital wallets. E-wallets now account for 17 per cent of UK transactions in these markets and rising. According to Retail Economics by 2033 e-wallets’ share of UK transactions will more than double to 39.7 per cent, or £210 billion.

Transaction volume of M-Pesa – one of the largest mobile money e-wallet services in Africa – has also seen unrelenting growth in recent years and is now responsible for 26 billion transactions (in the year to 31 March 2023). M-Pesa, which is run by Vodafone and Kenyan telecommunications provider Safaricom, provides payment and financial services even if a customer has no access to a bank account or smart phone. Payments can be completed on a feature phone using the messaging protocol USSD (Unstructured Supplementary Service Data).

Perhaps the most successful adoption growth curve for e-wallets has been in China which seemed to skip an evolutionary payments step by moving from cash dominated transacting straight to rapid and enthusiastic e-wallet adoption. In 2023, wallet offerings Alipay and WeChat Pay dominated the Chinese digital payments market – nearly 90 per cent of China’s online payment users used one or other of these platforms in the last 12 months.

Then there is the rise of the ‘super apps’ like Grab which are a strong competitor to Uber throughout South East Asia. Grab offers GrabPay which is its own wallet offering for buying Grab rides, take away food deliveries and more. GrabPay reported revenue of $653 million in the fourth quarter of 2023 as this NASDAQ-listed business continues to grow like topsy. GrabPay is now the most popular e-wallet where I live in Singapore – it has a 35.3 per cent market share here.

Account-to-Account payments also on the rise

Account-to-Account (A2A) payments are another growing area which, on the face of it, seem to threaten the dominance of card-based paying. A2A systems offer to move money directly from a payer’s bank account to a payee’s bank account without the need for intermediaries, such as credit or debit cards.

However, for retail transactions there are currently limited options for using A2A payments. Some providers have started offering A2A payment systems for some online stores. This has been helped by the introduction of open banking, which allows people and businesses to link their accounts with a third party offering payment services. Provided it is secure and cost-effective, open banking can facilitate account-to-account payments for retail transactions and compete with card systems. These A2A offerings are multi-bank and in some cases they identify the bank account for receipt of the money via a mobile phone number rather than the account itself (which often remains hidden from the payer). This feels like an additional layer of security.

However, as of today, if it turns out you have paid the wrong person – perhaps you got one digit wrong in the mobile number or you were scammed – you cannot reverse or nullify an A2A transaction. You can go to your bank and ask them to work with the payee to recover the money. However, if he or she has already spent it then there is no simple protocol for redress.

In A2A, unwinding a transaction cannot be assured, unlike for card rails-based payments which have built in protocols for cancelling or even reversing a transaction before any money moves – either for a technical reason (e.g. the network went down midway through), or by the merchant to correct an error by the merchant, such as mistyping the transaction value.

Closed loop versus open loop payments

Closed loop e-wallets enable you to move money from one e-wallet to another. However, they offer clear limitations when it comes to transacting across country borders (in Europe, Asia and elsewhere). This is because closed loop operators tend to be nationally orientated, rather than global. The standards and communications protocols they use for transacting very often do not work as soon as you cross a border or move to a different mobile operator.

By contrast, GrabPay (like the majority of e-wallet market players today) relies on linkage to your credit or debit card for top ups prior to payments. In the jargon, it is an open loop e-wallet. According to recent market data, open-loop e-wallets account for approximately 60 per cent of the total e-wallet market in terms of both active wallets and volume of transactions. Apple Pay and Google Pay are the largest players in the open-loop e-wallet market, accounting for about 20 per cent and 30 per cent respectively in terms of active wallets and volume of transactions.

So, in fact six out of every 10 digital wallet-initiated transactions are enabled by card rails in the background and use the payments infrastructure that is regulated by the Payment Card Industry Data Security Standard (PCI-DSS) and secured using EMV, the ubiquitous payment method based on a technical standard for smart payment cards, payment terminals and ATMs which can accept them.

Card based transactions and card numbers are also continuing to grow rapidly

Herein lies a clue to the continued inexorable rise in the use of card-based payments even as e-wallet transacting sees major growth. The card issuers enable a big piece of the e-wallet market as well!

It perhaps explains why approximately 5.3 billion active credit cards and over 12 billion debit cards were in circulation worldwide by the end of last year – and these numbers just keep on rising! The monthly total value of transactions on UK-issued debit and credit cards increased by 13 per cent in the last year – rising from £73.9 million in January 2022 to £83.5 billion in January 2023. Globally, some 70 per cent of the $1.3 trillion of transactions in 2023 were still made using credit and debit cards, or cheques.

7 reasons why credit and debit card transacting is still growing strongly

1. Card rails (the technology behind card transactions) are natively open loop

In other words, if you have an AMEX, Discover, Mastercard or VISA debit or credit card you know you have the means to make payments all over the world, regardless of the consumer or merchant’s business or personal bank account and regardless of where that bank is based.

2. Customer experience is uniform

The customer experience, when paying with a debit or credit card, is uniform all over the world. So, even if the POS terminal is giving instructions in German or Chinese, most consumers can navigate pre-authorisation, tap to pay and/or PIN entry payment, often with the additional option to pay in the local currency or your home country’s currency, without even referring back to the merchant. The screens and layouts are extremely familiar, even if the language is not.

3. Card transactions are ubiquitous, versatile and extensible

It is worth remembering that pre-paid cards, as well as Mastercard, AMEX, Discover and VISA debit and credit cards, all run on the same card rails.

Even country-specific cards like Elo in Brazil, EFTPOS in Australia, and Rupay in India are built upon EMV standards developed decades ago. Mypinpad supports and enables transactions using all these cards and many more national players many of you will not have heard of. Card rails are ubiquitous and are in wide use globally.

4. Card rails have proven massive scalability and resilience

I gave you the numbers of debit and credit cards in use around the world. It is anticipated that before the end of this decade this is likely to rise further to more than 20 billion. That’ll be 2.5 bank cards for every man, woman and child on earth today. VISA and Mastercard are processing thousands of transactions every second of every day. The processing of these transactions is naturally distributed. All the issuers are effectively bearing the load together and contributing towards the maintenance of high levels of resilience in the global system. One issuer in one country may go down for a time but it never brings the whole system down.

However, if you have all your travel money stored in your e-wallet and that wallet’s technology platform fails, you have a big problem. By contrast, if your Mastercard debit card fails while you are trying to pay for your hotel bill abroad, you can always pull out a second card, perhaps a VISA credit card, and pay the bill with that.

5. New chip-based cards have tightened security at the hardware level

Chips on bank cards have very secure and widely understood rules which govern the interactions with those chips at a hardware level. Any security system which has a hardware as well as a software element to it is always going to be more secure than a software-only solution.

Cards’ chip technology offers an additional authentication and encryption layer. The biggest security benefit is that the chip lets the issuer verify the card has not been cloned: it proves that this is the original card and that the person using it is authorised to use it, whether authenticated via a PIN or not. Much like a well specified safe, if you attempt to break into that chip (to get at the keys inside it), you will destroy the card – making it impossible to read successfully.

6. Liability is well understood

When doing a card present transaction (i.e. using the physical card), the bearer of the liability and risk of fraud is well understood and agreed between all the parties involved, be they acquiring banks or issuers in various countries or national regulators. If you do a chip-and-PIN transaction, liability passes to the cardholder for example, while in other cases the merchant carries that fraud risk. Knowing who is liable when and where is vital especially with cross-border transactions.

7. Multi-layered payment terminal security

Even Mypinpad, which is a SoftPOS solution, uses the hardware security standards provided by both PCI and EMV for processing payments via terminals. So-called PCI PTS rules govern these terminal security requirements and ensure that this hardware is secure. EMV meanwhile certifies that vendors of all new payment terminals are interacting with all available cards in conformance with strict security standards at the hardware level.

There are three different levels to EMV certification to consider. Level 1 covers interaction with the chip and ensuring the NFC capability is working properly for tap to pay. Level 2 covers certification of the embedded logic kernels. For example, Mypinpad builds contactless kernels which have to pass EMV Level 2 Certification before being offered to our customers. Level 3 covers how the terminals interact with the network and that is done per scheme. Each issuer has slightly different requirements at this level. We build kernels for multiple schemes including the international ones (Visa, Mastercard, Amex etc) as well as local schemes (Rupay, EFTPOS, Elo etc).

Card rails – which is the umbrella term for all this EMV and PCI-regulated security technology – is the pre-requisite. So, all terminals must be set up in a prescribed and highly secure manner. That’s why what we do is so difficult: we have to comply with multiple layers of security and compliance standards whilst also ensuring the customer experience remains familiar and easy wherever you are in the world. The trick is to do the application of card rails security systems very efficiently in order to avoid compromising customer experience.

SoftPOS built on card rails ensures seamless & ubiquitous user experience globally

In summary, the hardware and software-based security standards governed by PCI and, in some cases, certified by EMV – collectively called ‘card rails’ – provide an exceptionally mature, multi-layered security infrastructure designed to protect both customers and merchants alike. That infrastructure enables us all to transact in a seamless and increasingly contactless manner in the blink of an eye, while giving us the peace of mind that if something goes wrong we can get our money back and start again.

Card rails provide the security standards upon which SoftPOS providers like Mypinpad must enable that rapid, familiar and frictionless customer experience when consumers reach a merchant’s card terminal. It is our job to make sure that there is no faffing, no fiddling with your mobile device and no delay in completing every digital transaction. User experience at the terminal, increasingly enabled by a personal mobile device, is at the heart of card schemes’ continued and growing appeal.

We’ve learnt that the world has spoken and open loop payment systems are what consumers want, whether that’s via physical cards, or open-loop e-wallets which still rely on card rails.

Loyalty tokenisation could be the key to turning your occasional customers into loyal regulars

Barry Levett

Loyalty tokenisation is a vital enabler of low cost, frictionless, yet highly secure digital loyalty schemes which could turn many of your occasional customers into loyal regulars.

Loyalty schemes not always driving loyalty in the past

Loyalty schemes have seen quite a lot of change over the last few decades. Before digitisation it was all about paper-based vouchers and swapping spend-based credits, which you normally collected in a book, for prizes.

Many UK readers remember the famous sets of glasses available for loyal Esso fuel customers. Some older readers may remember Green Shield Stamps – a UK nationwide sales promotion scheme (borrowed from the US, as ever) that rewarded shoppers with stamps that could be exchanged for a range of household goods such as toasters, garden furniture and toys once pages of stamps had been collected.

These paper-led schemes demanded the unflinching diligence of the customer to store the stamps, stickers etc and bring them in when sufficient credits had been gathered and they’d worked out what prize they wanted to redeem. It was also administratively intense for the merchant. Whole teams of people looked after these schemes for retailers back in the day.

It’s a little bit different today. If you are a coffee lover, you will have been given numerous bank card-shaped pieces of paper for collecting stamps from various cafés. The idea is generally that your tenth coffee is free. Job done: the coffee shop has encouraged you to stay loyal and you’ve been rewarded with a free coffee after two weeks of daily visits.

This type of café loyalty card scheme is much cheaper for merchants to run than the more complex bulk buying and prize booklets that are gradually being phased out. They are far easier to administer and cheaper to pay out on. Indeed, the loss of revenue from running these loyalty card schemes is more or less invisible to the merchant’s CFO. However, do any of these types of schemes really make your customers more loyal?

Indeed, aren’t they simply rewarding the already loyal customers who are prepared to keep your loyalty card with them and collect your stamps dutifully? Those customers on the margin may end up with three or four forgotten, partially stamped cards in the corners of their wallets. In my view, great loyalty programmes need to be low cost, easy to administer and able to convert occasional customers into loyal believers.

Tokenisation offers route to winning new loyal customers seamlessly

As the world of mobile apps expands and we learn more about what types of people use them, Mypinpad is beginning to see an opportunity for loyalty credit tokenisation as a natural extension to the network token-based payments that I wrote about back in February.

In that earlier piece, I wrote about the merits of using tokenisation to enable seamless ‘multi-matching’ (using different cards to pay the same merchant) for payments: if you decide to hold a business meeting in your favourite café, you can pay for your client’s coffees on your added business credit card (associated with your existing record) instead of the personal current account card that normally handles that payment.

But why does it make sense to extend tokenisation to loyalty credits? From a business perspective it’s sensible to put PCI DSS-level security around these schemes because points have a clear monetary value. Those able to hack into mobile apps could, in theory, steal these credits and resell them. Others might choose to simply boost loyalty accounts so that they suddenly have many full cards providing them with free coffees for weeks.

However, the bigger benefit goes beyond improving customer experience and securing credits better for both parties. Loyalty tokenisation offers a powerful and low cost way of hooking those marginal customers. You know the ones: they have been in once on the way to work but their routine varies and they have not come back for many weeks, even months.

So, if this is powered by a bank grade-certified payments provider such as Mypinpad, the merchant can enable loyalty point giving and redemption right off the bat, even as part of the very first ever payment settlement with a merchant. The experience at the payment terminal might go something like this: You tap your card or phone on the terminal to pay.

The terminal screen offers the option of redeeming any credits on this transaction immediately or going through with the full payment now. If that card is new to the merchant’s system, the terminal could add the question: ‘Do you want to enrol – Yes or No’. This offers the potential for instant onboarding if they press Yes.
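As an added illustration of the terminal flow just described (example code written for this post, not Mypinpad’s product code): a token vault is the only component that ever sees a card number, the loyalty ledger stores only the opaque token, one customer record can own several tokens (the ‘multi-matching’ from the earlier piece), and every credit or debit is an HMAC-authenticated ledger entry, so a balance can only be changed by the service that holds the key. The class and method names, the test card numbers and the amounts are constructed assumptions.

```python
"""Token-keyed loyalty ledger (added example; constructed, not Mypinpad code)."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Assumed to sit inside the PCI DSS boundary: the only place a PAN exists."""

    def __init__(self):
        self._pan_to_token = {}

    def tokenise(self, pan: str) -> str:
        # A returning card must map to the same token, so the vault keeps the
        # mapping; the token itself is random and carries no PAN digits.
        if pan not in self._pan_to_token:
            self._pan_to_token[pan] = "tok_" + secrets.token_hex(8)
        return self._pan_to_token[pan]


class LoyaltyLedger:
    """Holds tokens and an append-only, MAC-protected ledger; never a PAN."""

    def __init__(self, ledger_key: bytes):
        self._key = ledger_key
        self._token_owner = {}   # token -> customer_id (several tokens per customer)
        self._entries = []       # (seq, customer_id, delta_pence, reason, mac)
        self._next_customer = 1

    def _mac(self, seq, customer_id, delta, reason):
        msg = f"{seq}|{customer_id}|{delta}|{reason}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _append(self, customer_id, delta, reason):
        seq = len(self._entries)
        self._entries.append((seq, customer_id, delta, reason,
                              self._mac(seq, customer_id, delta, reason)))

    def enrol(self, token: str) -> str:
        """Instant onboarding at the terminal: create a record for this token."""
        customer_id = f"cust_{self._next_customer:04d}"
        self._next_customer += 1
        self._token_owner[token] = customer_id
        return customer_id

    def link_card(self, customer_id: str, token: str):
        """Multi-matching: attach another card's token to an existing record."""
        self._token_owner[token] = customer_id

    def credit(self, customer_id: str, pence: int, reason: str):
        self._append(customer_id, pence, reason)

    def balance(self, customer_id: str) -> int:
        # Recompute from the ledger and verify every entry's MAC, so an entry
        # written by anything other than this service (a "boosted" account)
        # is detected rather than silently counted.
        total = 0
        for seq, cid, delta, reason, mac in self._entries:
            if not hmac.compare_digest(mac, self._mac(seq, cid, delta, reason)):
                raise ValueError(f"ledger entry {seq} failed integrity check")
            if cid == customer_id:
                total += delta
        return total

    def on_tap(self, token: str, amount_pence: int) -> dict:
        """What the terminal shows after a tap: an enrol prompt or a redeem offer."""
        customer_id = self._token_owner.get(token)
        if customer_id is None:
            return {"action": "offer_enrol"}
        redeemable = min(self.balance(customer_id), amount_pence)
        return {"action": "offer_redeem", "customer_id": customer_id,
                "redeemable_pence": redeemable}

    def redeem(self, token: str, pence: int) -> int:
        """Debit the ledger for a redemption; returns the remaining balance."""
        customer_id = self._token_owner[token]
        if pence > self.balance(customer_id):
            raise ValueError("insufficient loyalty balance")
        self._append(customer_id, -pence, "redeem")
        return self.balance(customer_id)


def demo():
    """First tap -> enrol -> bonus -> second card linked -> redeem on that card."""
    vault = TokenVault()
    ledger = LoyaltyLedger(secrets.token_bytes(32))
    personal = vault.tokenise("4111111111111111")   # constructed test card number
    first = ledger.on_tap(personal, 350)             # £3.50 coffee, card unknown
    customer = ledger.enrol(personal)
    ledger.credit(customer, 200, "birthday_month")   # £2 enrolment bonus
    business = vault.tokenise("5555555555554444")    # constructed second card
    ledger.link_card(customer, business)
    offer = ledger.on_tap(business, 350)             # same record, other card
    remaining = ledger.redeem(business, 200)
    return first["action"], offer["redeemable_pence"], remaining
```

The design point is that the loyalty system never needs cardholder data to recognise a returning customer, and a client app cannot present its own balance: the balance is recomputed server-side from entries only the key holder could have written.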

Inspiring loyalty from the very start

If the new customer volunteers some personal information as they are being enrolled, they might immediately gain access to a loyalty bonus: perhaps because they have provided their date of birth and the transaction is within that same month, they might get £2 off that transaction. They shouldn’t need to download the mobile app to redeem that bonus – it should be possible to do that right there on the terminal in a frictionless manner.

That’s vital. It offers the potential for an occasional customer to become a loyal regular. If they are prepared to provide more information about themselves for your CRM system, who knows what other loyalty incentives they may receive next time they visit? This ‘hook and haul in’ customer acquisition strategy is definitely aided if your mobile app is capable of tokenising both payments and loyalty points.

The key thing here is that tokenisation technology enables smaller merchants to roll out a very low cost loyalty scheme which is still highly secure and highly effective in turning those occasional customers into loyal regulars which could begin raving about your company within days of coming in for the first time. Now that’s the sort of loyalty scheme small merchants are likely to be queuing up for.

Striking the right data balance

Barry Levett

This month I decided to look more closely at what some governments around the world are demanding by way of access to, and in some cases control of, data associated with transactions and the processing of those transactions.

After all, governments need access to financial data for a range of purposes, including stopping tax evasion and money laundering. While most governments have a policy that gives them access to data without stifling innovation or raising costs, not all have done so. Let’s take a closer look.

Expansion of financial regulation

Governments have been expanding their regulatory footprints across the globe. Examples include the relatively new personal data legislation such as GDPR as well as laws designed to prevent money laundering (AML) and check on people’s taxable affairs wherever transactions associated with them take place. A notable example of the latter is the US Foreign Account Tax Compliance Act (FATCA) which went live in the States during June 2014 and, as a result of a wave of Intergovernmental Agreements (IGAs), was extended right around the world.

FATCA demands detailed financial information reporting. It is a prime way that national tax revenue collection authorities can ensure that their citizens are paying the right level of tax, regardless of where their assets are and where their income is being generated. So far, so sensible, given the pressure on governments to increase their tax receipts and the increasingly global nature of doing business.

The need for regulation is understandable, given the risks and amounts involved. However, governments rarely seek to find a balance between the need for information and the costs involved, since they universally pass those costs on to the industry participants and, ultimately, end users.

Payments data protection

Where industry standard creators do have an advantage over governments is their understanding of costs within the industry. The Payment Card Industry Security Standards Council (PCI SSC), founded by American Express, Discover Financial Services, JCB International, MasterCard and Visa back in September 2006, gave the payments industry nearly a 12-year head start in developing and managing its Data Security Standard (PCI DSS) before personal data protection legislation – most notably the EU General Data Protection Regulation (GDPR) – was enacted in various forms around the world during 2018.

As such, PCI SSC has very sophisticated standards and protocols for ensuring cardholder data is appropriately secured and protected during processing and storage. In other words, all these systems are very mature and strike a sensible balance between data protection and innovation.

However, the next stage of evolution is potentially much trickier for global paytech innovators like Mypinpad. It also threatens to stifle steady migration from cash to digital transacting which most countries want to stimulate. Let’s take a closer look:

Level 1 transaction data control

Increasingly, governments want transaction data stored only inside their jurisdictions, since that is much more convenient for them. The issue here is not so much having a copy of the data within a jurisdiction, but rather that it must be the only copy. Having separate databases in each country that a company such as Mypinpad operates in eliminates the economies of scale that come from centralising data processing systems on modern cloud technologies.

The financial service industry has understood and accepted now that the use of well-designed cloud technologies provides great benefits to companies and individuals alike, at low cost.

Mypinpad inevitably processes transactions via one or more cloud providers. The same is true for Mastercard and Visa-based transactions, which are all, by their nature, processed across multiple borders. Most of the payments world can live with Level 1 Transaction Data Control.

Level 2 transaction processing & data storage ‘Total Control’

However, more worrying is the emergence in recent times of a Level 2 Transaction Data Control. Level 2 countries build on the data requirements by also requiring the processing of all transactions within their borders.

This means that if Mypinpad and other payments providers want to process transactions from citizens of some countries, we will need to set up dedicated data processing environments in each of those countries, each of which will require PCI-DSS compliance frameworks to be in place. Our economies of scale collapse if we are having to set up processing and data storage systems and infrastructure in each of these countries. Our only solution if we want to do business in these countries is to try to negotiate often expensive exemptions or not support transactions by people working or resident in those countries.

There is real potential for those requesting Level 2 transaction data control to inadvertently experience adverse economic consequences. The cost of digital transacting is likely to rise substantially. Inevitably, citizens will be driven to transact more in cash, at a time when governments around the world are pushing to increase the percentage of transactions completed electronically so that they are more traceable (and taxable). Paytech innovation is stifled, and inevitably that acts as a brake on economic development as money supply is squeezed.

Transaction data protection and access, not total control

In summary, the framework for securing data collected in the processing of transactions and stored as a record of that transaction is already very strong thanks to very mature international financial regulations and PCI DSS. Transaction data can be shared with relevant government departments for the purposes of preventing the proceeds of crime being laundered to buy legitimate goods and services. FATCA and AML legislation should prevent money getting into the wrong hands and, of course, enables governments to collect optimal tax receipts.

However, governments need to be wary of demanding ‘within country’ processing and storage of that transaction data. It is not necessary, it prevents transaction costs falling, stifles progress towards digital-dominated transacting and will only serve to drive economies backwards longer term. What price total control?

The existing hierarchy and emerging dynamism of payments authentication

Barry Levett

Verification has its place

Mypinpad has been working with a major European transport operator to enable it to verify that all their passengers have valid tickets before travelling. In this system, you pre-buy your train ticket and download it onto the operator’s consumer app, attaching a credit or debit card to your account to complete all ticket purchases.

Then, instead of showing a valid electronic train ticket to a reader at the gate or turnstile, you simply tap the credit or debit card that you bought that e-ticket with. In this way, the operator not only knows you are the person that bought that valid ticket, but also that you have the payment card which paid for it.

If the valid e-ticket has not been purchased in time, it’s still possible to buy a ticket via the operator’s consumer app at the point of travelling, again using that same pre-verified card attached to the consumer app.

Verification is adequate when you are validating relatively small, recurring and often highly repeatable transactions. I call this ‘1.5 factor’ authentication as the operator or merchant is able to establish that the customer has a valid ticket and also holds the card that paid for it.

Multi Factor ‘Strong Customer Authentication’

Readers will know from their own experience of the rapid roll-out of ‘2FA’ (two-factor authentication) and ‘MFA’ (multi-factor authentication) that these are now required to access their bank account and other high-value accounts. The idea behind this is not to rely solely on username and password whenever logging into sensitive accounts. The ‘factors’ can be classified into:

  • Something you know (such as a PIN, a password, or the answer to a security question)
  • Something you have (such as a payment card, or a device such as a smartphone), and/or
  • Something you are (a biometric such as a fingerprint, face pattern, voice pattern or gait)

Quite simply, the more factors involved in an authentication process, the more likely someone is who they claim to be. So, as part of necessary increased digital security in our daily lives, Strong Customer Authentication (SCA) is increasingly demanded.

The 2019 EU Revised Payment Services Directive (PSD2) required that a minimum of two factor authentication be applied for purchases across Europe and the UK. And as of last year, PSD2 was extended to all online card payments within the European Economic Area (EEA). So, even if your business isn’t based in Europe, you’ll still have to comply with PSD2 legislation if you do business with European companies or have a presence in the EEA.

As a quick reminder, some of the specific strategies merchants and card issuers are using to authenticate payments today include:

  • Sending a one-time password (via email or SMS) which the customer must enter to complete the transaction, or issuing a push notification perhaps to the card issuer’s mobile app.
  • Requesting the customer enters the PIN code or password for their mobile banking app or the account they hold with the merchant.
  • Biometric verification: requesting that the customer scans their fingerprint, face, or speaks into their device to authenticate the payment.

Where mistakes are made, though, is when factors may on the surface look independent but in reality are not. If a person is logging into a website on a phone using a standard username and password, an SMS sent to that same phone must be considered quite weak security in the scenario where the attacker has control of that device. Furthermore, when implementing security systems, one has to understand when they are actually authenticating a device rather than the human user.

Those factors which are temporary in nature and change frequently (such as a one-time code that is valid for 30 seconds), are inherently stronger than data that is permanent as well as widely known and stored (such as an address, mother’s maiden name or phone number).

Authentication user journey

So, what does the typical authentication journey look like today? You go to your favourite online retailer. You log into your pre-registered account using your email address and PIN or password (proof of knowledge), before the retailer sends a one-time code via SMS. This arrives on your iPhone (proof of possession) before you go back to the online basket to checkout.

Before the transaction goes through, you are asked to verify your identity through the facial recognition technology on your phone (proof of inherence i.e. proof that is inherent to you). You oblige and the payment goes through.

Typically, merchants and card schemes don’t use all these strategies – or ask for all three factors to be satisfied in a single transaction. However, they’ll use at least one, and – unless they’re SCA-exempt – will be obliged to employ a minimum of two of the above factors in combination. SCA requires you to authenticate your customers using at least two of the three authentication factors we discussed above: knowledge, possession and inherence.
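As an added example, not code from this post or from Mypinpad, the following evaluates a set of presented factors against the SCA minimum described above (at least two of knowledge, possession and inherence) and applies the two caveats from the previous section: a one-time code delivered to the same device the password was typed on is not an independent possession factor, and when every factor is bound to one device you are largely authenticating that device. The factor categories follow the post; the method names, device identifiers and the independence rules are constructed assumptions.

```python
"""SCA factor evaluation (added example, not Mypinpad code).
Categories follow the article; method names, device binding and the
independence rules are constructed assumptions."""
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Assumed mapping of concrete methods onto the three factor categories.
METHOD_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE, "security_question": KNOWLEDGE,
    "sms_otp": POSSESSION, "push_approval": POSSESSION, "card_tap": POSSESSION,
    "fingerprint": INHERENCE, "face": INHERENCE, "voice": INHERENCE,
}
# Possession proofs that are delivered to a device rather than being the device.
DELIVERED_TO_DEVICE = {"sms_otp", "push_approval"}
# Permanent, widely held data: weaker than a 30-second one-time code.
STATIC_KNOWLEDGE = {"security_question"}


@dataclass(frozen=True)
class Factor:
    method: str
    device_id: str   # device the factor was entered on or delivered to


def evaluate_sca(factors, login_device):
    """Return (satisfied, categories_counted, warnings).

    satisfied is True when at least two independent categories are present,
    the SCA minimum the article describes."""
    counted = {}
    devices = set()
    warnings = []
    for f in factors:
        category = METHOD_CATEGORY[f.method]
        # An OTP or push sent to the same phone the password was typed on is
        # not independent: whoever holds that phone has both factors.
        if f.method in DELIVERED_TO_DEVICE and f.device_id == login_device:
            warnings.append(f"{f.method} delivered to login device "
                            f"{login_device}: not counted as possession")
            continue
        if f.method in STATIC_KNOWLEDGE:
            warnings.append(f"{f.method} is permanent, widely held data: weak")
        counted.setdefault(category, []).append(f.method)
        devices.add(f.device_id)
    satisfied = len(counted) >= 2
    # Two categories proven on one device authenticate that device as much as
    # the person (article: know when you are authenticating a device).
    if satisfied and len(devices) == 1:
        warnings.append("all factors bound to a single device")
    return satisfied, counted, warnings


def checkout_journey():
    """The article's journey: password on a laptop, SMS to the phone, face on the phone."""
    return evaluate_sca(
        [Factor("password", "laptop-1"), Factor("sms_otp", "phone-1"),
         Factor("face", "phone-1")],
        login_device="laptop-1")


def same_phone_journey():
    """Password typed on the phone and the OTP sent to that same phone."""
    return evaluate_sca(
        [Factor("password", "phone-1"), Factor("sms_otp", "phone-1")],
        login_device="phone-1")
```

The checkout journey counts all three categories with no warnings; the same-phone journey collapses to knowledge only and fails the SCA minimum, which is the point made above about factors that look independent but are not.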

Protocol landscape

Let’s unpack some of 2024’s most widely used payment authentication protocols in a little more detail. They are 3-D Secure (3DS), Address Verification System (AVS), and Card Verification Value (CVV).

3DS

3DS, or 3-D Secure, is a payment authentication protocol developed by major card networks such as Visa (Verified by Visa) and Mastercard (Mastercard SecureCode). It’s the most common form of SCA. So, it’s a way of complying with PSD2 regulations and verifying your customers in a way that reduces both fraud and friction simultaneously.

AVS

AVS stands for ‘Address Verification System’. It’s a form of payment authentication that verifies whether the billing address the cardholder provided matches the address in the card issuer’s records for that customer.

When you perform an AVS check, you essentially compare the numeric portion of the billing address (the street number and the digits of the post code) the customer entered when attempting to make a purchase with the address associated with that card account.

The AVS check then generates a result code, indicating either an exact match, a partial match, or no match at all (an AVS mismatch). Based on the outcome, you can either pass the transaction as legitimate, or request further authentication from your customer.

AVS is a basic tool in fraud prevention and is not foolproof. AVS checks only verify the numeric portion of the address – not the postal town or street name. What’s more, AVS only applies when the cardholder’s address is in the US, the UK or Canada. So, it’s not as effective a fraud detection tool if you do a lot of your business overseas.
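To make the AVS behaviour above concrete, here is an added example (not Mypinpad code and not a card scheme’s reference implementation) that compares only the digits of the street line and post code, classifies the outcome as exact, partial or no match, and shows the limitation just mentioned: an address with the same house number but a different street name passes. The result labels and the merchant decision policy are constructed, not a real acquirer’s AVS response codes; the country list follows the post.

```python
"""AVS-style address match (added example; constructed labels, not real AVS codes)."""
import re

AVS_COUNTRIES = {"US", "GB", "CA"}   # article: AVS applies to US, UK and Canadian addresses


def digits(text: str) -> str:
    """The only part AVS compares: the digits of the street line or post code."""
    return re.sub(r"\D", "", text or "")


def avs_check(country, entered_street, entered_postcode,
              issuer_street, issuer_postcode) -> str:
    if country not in AVS_COUNTRIES:
        return "UNAVAILABLE"          # no AVS data exists for this address country
    street_match = (digits(entered_street) != ""
                    and digits(entered_street) == digits(issuer_street))
    postcode_match = (digits(entered_postcode) != ""
                      and digits(entered_postcode) == digits(issuer_postcode))
    if street_match and postcode_match:
        return "EXACT"
    if street_match:
        return "PARTIAL_STREET"
    if postcode_match:
        return "PARTIAL_POSTCODE"
    return "NO_MATCH"


def decide(avs_result: str) -> str:
    """Constructed merchant policy: only an exact match passes on AVS alone."""
    if avs_result == "EXACT":
        return "approve"
    if avs_result == "UNAVAILABLE":
        return "use_other_checks"     # AVS says nothing here; rely on 3DS / CVV
    return "request_further_authentication"


def examples():
    """Issuer record (constructed): '12 High Street', 'SW1A 1AA'."""
    on_file = ("12 High Street", "SW1A 1AA")
    return {
        "exact": avs_check("GB", "12 High Street", "SW1A 1AA", *on_file),
        # Same digits, different street name: AVS cannot tell these apart.
        "wrong_street_same_number": avs_check("GB", "12 Low Road", "SW1A 1AA", *on_file),
        "wrong_number": avs_check("GB", "21 High Street", "SW1A 1AA", *on_file),
        "wrong_both": avs_check("GB", "7 Mill Lane", "EC2A 2BB", *on_file),
        "non_avs_country": avs_check("DE", "12 High Street", "SW1A 1AA", *on_file),
    }
```

The `wrong_street_same_number` case returning an exact match is deliberate: it is exactly why AVS should be one signal among several rather than the sole basis for approving a card-not-present payment.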

CVV

CVV stands for ‘Card Verification Value’. CVV is a form of payment authentication that helps verify a transaction’s legitimacy by looking at the three- or four-digit security code located on the back of most credit and debit cards (including Mastercard, Visa, and Discover), or on the front of American Express cards.

CVV checks are particularly important in card-not-present transactions, where – unlike with card-present transactions, such as those made in store – it’s harder to verify that the person making the payment actually has access to the card.

Similarly to AVS checks, asking your customer for the CVV code on their card when they come to make a purchase allows you to cross-reference the code they’ve provided with the one their bank has on file. If there’s a mismatch, it could indicate potential fraud – although the CVV response code provided will give you more information as to the underlying reasons behind the check’s outcome.

Step-up Authentication

However, what is interesting about the way authentication is evolving is the increasing dynamism of authentication systems that we are now configuring for some of our major customers.

Step-up Authentication (SA) is a proven way to strike a balance between security and friction. It ensures users can access some resources with one set of credentials but will prompt them for more credentials (normally requiring a third authentication factor) when personal transaction ‘behaviour’ norms are breached.

So, in most cases where the transaction size looks to be in the ‘normal range’ and it is being completed via a smart device located in the country it is normally in, two-factor authentication (2FA) suffices. However, if you were to request a wire of several thousand dollars to a bank account in North Africa from a device located in a country you are not normally in, that might trigger ‘Step-up Authentication’ (SA), resulting in a request for another factor of authentication to prove you are who you say you are, and that your phone hasn’t been stolen or hacked into. That may include one of the above ‘proof of inherence’ factors, such as a facial, iris or fingerprint scan, or secure PIN entry.

We are seeing increasing demand for SA deployments that dynamically adjust authentication levels according to the degree of risk associated with specific transactions. It’s a relatively new development which makes sense in a world where device theft, combined with digital identity theft, is sadly becoming more commonplace. Transaction history analysis can be run ‘on the fly’ using AI to spot potential anomalies and raise authentication requirements dynamically, countering the increased risk associated with those anomalous transactions.
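The step-up decision described in this section, as an added example that is not Mypinpad’s configuration or code: a customer profile of past spend, known devices, home country and usual destinations is compared with an incoming transaction, and any breach of those ‘behaviour’ norms raises the required level from 2FA to a step-up that asks for a further factor. The profile, the sample transactions and the ‘normal range’ threshold (mean plus three standard deviations of past amounts) are constructed assumptions.

```python
"""Risk-based step-up decision (added example, not Mypinpad's rules).
Profile, history, thresholds and country codes are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    home_country: str
    known_devices: set
    usual_destinations: set
    history_amounts: list     # constructed amounts of past transactions


@dataclass
class Transaction:
    amount: float
    destination_country: str
    device_id: str
    device_country: str


def risk_signals(tx: Transaction, profile: Profile) -> list:
    """Signals that a transaction breaches the customer's behavioural norms."""
    signals = []
    mu = mean(profile.history_amounts)
    sd = pstdev(profile.history_amounts) or 1.0
    # 'Normal range' taken as mean + 3 standard deviations of past amounts (assumption).
    if tx.amount > mu + 3 * sd:
        signals.append("amount_outside_normal_range")
    if tx.device_country != profile.home_country:
        signals.append("device_outside_home_country")
    if tx.device_id not in profile.known_devices:
        signals.append("unrecognised_device")
    if tx.destination_country not in profile.usual_destinations:
        signals.append("new_destination_country")
    return signals


def required_authentication(tx: Transaction, profile: Profile) -> dict:
    """2FA for in-norm transactions; step up to a further factor otherwise."""
    signals = risk_signals(tx, profile)
    if not signals:
        return {"level": "2FA", "signals": []}
    return {"level": "STEP_UP", "signals": signals,
            # Extra factor options named in the article: inherence or secure PIN entry.
            "acceptable_extra_factors": ["face", "iris", "fingerprint", "secure_pin"]}


# Constructed profile: UK customer, one known phone, modest everyday spend.
EXAMPLE_PROFILE = Profile(
    home_country="GB", known_devices={"phone-1"}, usual_destinations={"GB"},
    history_amounts=[20, 35, 42, 28, 55, 31, 40])


def everyday_purchase():
    """In-range amount, usual device, at home: no step-up."""
    return required_authentication(
        Transaction(45, "GB", "phone-1", "GB"), EXAMPLE_PROFILE)


def large_transfer_from_abroad():
    """Large amount, unknown device abroad, unfamiliar destination ('XX' is a placeholder)."""
    return required_authentication(
        Transaction(5000, "XX", "phone-9", "ES"), EXAMPLE_PROFILE)
```

Returning the signals alongside the level matters operationally: the authentication service needs the level, but the fraud team needs to know which norm was breached, and a customer support agent needs something to explain when a legitimate traveller is asked for an extra factor.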