During the Glenbrook Payment Book Camp we make clear that national payments systems are domestic by definition. Each country has its own set of systems to effect payments. We point out that national payment systems differ in many of their details. Regulation, operating rules, governance, ownership, technology, and more are highly variable.

At the same time, we also point out that major components are generally similar. An overnight, batch-based system for low-cost, low-value retail payments and an instant, irrevocable wire system for high-value transfers are typical of most countries.

Across the planet, countries are planning, designing, trialing or enjoying fully deployed immediate funds transfer systems, new ones that instantly transfer lower value payments. The UK’s Faster Payments system and The Clearing House’s Real Time Payments (RTP) are two examples of this system type.

Beside increased speed of payment, a second push for changes to national payment systems is the need for a richer representation of the data surrounding the payment transfer itself. Remittance data, for example, communicates what the payment is for, which invoices a payment may be covering, and what trade terms were taken by the payor. ISO 20022 is the internationally recognized method for representing this information and support for it has become a new priority not just for system operators but for financial institutions and enterprise customers.

Generally, major upgrades, never mind deployment of an entirely new system, are performed in a step-wise manner because of the critical nature of these systems, the cost, and the difficulty of herding system stakeholders through the many stages needed to achieve broad support and usage.

Undeterred by those realities, Canada is taking on a comprehensive upgrade to multiple systems over the next few years, including its overnight settlement and wire systems while simultaneously planning for its own immediate funds transfer system, codenamed Real Time Rails. Significantly, each system upgrade will include support for ISO 20022.

Payments Canada is the non-profit organization mandated by the federal government to manage, operate, and upgrade these systems.

In this Payments on Fire episode Glenbrook’s George Peabody speaks with Justin Ferrabee, Payment Canada’s COO about his organization’s work, how its systems differ from those in the U.S., and what’s ahead. It’s a great conversation between payments geeks.

In this second discussion with First Data execs, George and Scott MacKay, Vice President, Strategic Solutions talk digital commerce in the automative space, both at the fuel pump and in the Connected Car.

The importance of full stack security, whether it’s sole sourced or the result of an integration effort, to successful deployment of mobile commerce is a theme here.

Enabling the mobile experience at the fuel pump is complex. Petro sellers have a lot of legacy gear and the cost of upgrading that equipment is very high, a fact that has, at least, inhibited the pace of the EMV upgrade.

The richness of the mobile device’s data such as device fingerprinting and back end intelligence makes it conceivable that a fuel retailer could skip EMV altogether. Maybe.

Scott also shares a look at payments and the Connected Car through the company’s discussions with automobile manufacturers.

In this, the first of a two-part podcast series with First Data executives, Ajay Guru, VP of Merchant Fraud Solutions at First Data and George discuss the impact of fraud on the merchant, what the merchant has to do to manage it, and the classes of tools and techniques available to mitigate fraud.

Ajay addresses machine learning technology’s remarkable ability to identify anomalies and makes candid remarks on the necessity of human analysis to determine whether these anomalies are indeed fraud.

Other topics discussed include behavioral analysis (how we enter our user ID and password into the browser) as well as the sophistication of today’s manual and automated attacks. There is still a lot of CNP fraud taking place over the phone.

There’s good detail on the technology and what fraudsters are up to. Take a listen.

Online trust requires a context-based understanding of who we transact with. Attributes about us are needed to build that trust, but in many transaction contexts we share more than we need to.

To pick a simple example, the law says you must be 21 to buy alcoholic beverages but our current method of proof is to show our driver’s license, an unnecessary oversharing of personal information. Why show that creepy barkeep where you live when you only need to prove you were born before 1997?

In this wide-ranging Payments on Fire podcast, George and Lockstep Technology CEO Steve Wilson discuss how we share the attributes that, in aggregate, define to the online world who we are.

Steve makes the case that security and identity professionals continue to encourage the oversharing of personal data. Now that we have sophisticated network-based fraud management tools – device fingerprinting, behavioral analytics, machine learning and AI – that generate a crisp profile of our devices and our behavior, the attributes that a user must provide could be limited to just what’s required and no more.

An “attribute wallet” under the user’s control – yes, another role for the smartphone – might prove to be a valuable authentication enabler.

This episode concludes with Steve’s report on comments made by some of the deans of modern cryptography on the threat that quantum computing represents. It sounds like good news.

This episode of Payments on Fire covers two topics – payments in Atlanta and the essential challenge of online authentication and identity.

May in Atlanta – FinTech South and the Glenbrook Payments Boot Camp

Everyone in the payments industry knows that Atlanta is a hotbed of activity. Coming shortly to Atlanta are two fintech-focused events that will add to the goings-on.

The FinTech South conference takes place on May 7 and 8. With great speakers – and great sponsors like Glenbrook and the Technology Association of Georgia – the conference describes itself as “FinTech South 2018 is a global exchange of insights, innovations and trends fueling tomorrow’s financial tech industry.”

“Attracting international companies and speakers across multiple industries, FinTech South is an opportunity to engage with 400 FinTech companies employing more than 130K employees globally, generating $72B in revenues, and processing over 118B transactions annually.”

Speakers include:

• Kathryn Petralia, President and Co-founder of Kabbage
• Barry McCarthy, EVP of Network and Security Solutions at First Data
• Nuno Sebastiao, founder and CEO of Feedzai, who is also a past guest on Payments on Fire.
• Right after the conference ends, Glenbrook will host our Payments Boot Camp on May 9 and 10.

Both events draw attendees from all over North America. So if you want to expand your network, hear the latest at the conference and/or get smart about how payments work, come to Atlanta.

Authentication, Biometrics, and Banking

Authentication online remains one of the most challenging aspects of life online. Given the complete availability of personal data, account takeover has never been easier for the hackers. Knowledge-based authentication (KBA) asks softball questions like “what was your father’s middle name?” Easy stuff to find online. User IDs and passwords are even easier to find. We have a problem.

Strengthening the connection between an accountholder’s true identity – perhaps proven by a drivers license or passport – and the credentials that the user presents online is necessary and the topic of this Payments on Fire episode. George speaks with Andrew Gowasack, CEO and co-founder, of TrustStamp, an identity verification company using AI and facial biometrics to create a strong, unique digital credential. For a few use cases, TrustStamp also employs a blockchain-based database.

Andrew knows all about the Technology Association of Atlanta, too. So, take a listen and geek out in this conversation about authentication, biometrics, and how to answer the online conundrums of “who are you?” and “do I trust you?”

The rise of Chinese mobile payment systems is the top global mobile payments story of the last few years. Alipay and WeChat Pay serve hundreds of millions of users with payments, loyalty programs, merchant coupons, and more.

QR codes are used to initiate many of these interactions especially within the point of sale (POS) domain. When there isn’t a legacy payment infrastructure in place, software is easier, and cheaper, to deploy than the hardware-reliant approaches used for card-based transactions.

To serve its millions of accountholders traveling around the world, Alipay is building out its acceptance footprint. In this episode of Payments on Fire, George speaks with payments industry veteran Souheil Badran about his role as president of Alipay Americas and the company’s plans for reaching US merchants in tourist hotspots and beyond.

Mid-market financial institutions have enormously strong relationships with their banking customers. But their size makes home grown IT difficult because it is simply too hard, and too costly, to meet all the B2B finance needs of their enterprise customers.

The answer, of course, is deeper integration to third party software systems like SAP, Oracle, JDA and the growing set of fintech providers bringing point solutions to these institutions.

But that’s no simple task. These FIs often run on legacy systems, generally provided by a large bank processor. Integrating software built before the cloud and APIs and these modern point applications is not easy.

Into that gap is a new company called FI.SPAN. Led by founder and CEO Lisa Shields, the company value proposition is to act as an API orchestration platform for banks. In other words, FI.SPAN proposes to be the glue that connects legacy code or a processor’s banking platform to the growing base of fintech point solutions in the market.

The goal of becoming a one-stop shop for new tools for these B2B-focused banks will take time and focus. Connecting up nextgen software and data to older systems demands clever approaches and a lot of spade work. Maintenance of a growing set of evolving API interfaces is non-trivial, too.

A fintech startup serving fintech startups, incumbent bank processors, and mid-tier banks has a lot of work to do. Lisa is no stranger to the start-up world; she also founded Hyperwallet. Take a listen to this conversation about the technical challenges, the business model, and the goals Lisa has for her customers and for her company.

“Digital cash” has been a dream of the internet age for, well, almost the entire internet age. That goal requires instant payment settlement. It’s more than just sending a message that a payment has happened; it means the money has actually moved.

In this wide ranging conversation with Laurence Cooke, founder and CEO of nanopay, he discusses the platform his firm has built to move value between parties in both real-time and, when necessary, offline modes. More distributed than blockchain systems, nanopay is designed for multiple uses cases including B2B payments using ISO 20022 representation of the payment data.

If you’re at all curious about payment security, blockchains, distributed ledgers, or the instant payment systems now being deployed, take a listen to this conversation between Laurence and Glenbrook’s George Peabody. It’s quite a story and we touch a lot of bases.

Episode 69 is all about how the PCI Security Standards Council is responding to changes in security technology and how it is expanding its role and technology coverage across important new geographies. If payment security is on your screen, join Glenbrook’s George Peabody, partner and host of Payments on Fire, and Troy Leach, CTO for the PCI Security Standards Council as they discuss standards under development like PIN Entry on COTS, other new tools to mitigate data breach risk, and the Council’s work in Latin America, Asia, and India.

A little background…

We don’t need any more evidence for how difficult data security is. In payments alone the number of system components is so high that hardening them all has been functionally impossible. But we’re are making progress. There’s EMV. Data devaluation through encryption and two forms of tokenization – security tokens and payment tokens – reduces the amount of hack-worthy information available.

Guiding, steering, nudging, and corralling the payment card ecosystem toward stronger security is the PCI Security Standards Council. The PCI SSC has developed a 12 step standards program for the secure treatment of payment card data that goes well beyond data devaluation. Various enterprises looking to protect their own data assets, not just card data, use PCI DSS to guide their security program.

The Council’s activity is expanding along with the threats we face. As technologies emerge that benefit security, the Council considers how to employ and deploy them. For example, the Council has a certification program for the token service provider function that handles payment token vaulting and other life cycle management tasks.

Another example is its soon to be released PIN Entry on COTS standard. Commercial Off the Shelf (COTS) devices include the smartphone that’s by your elbow or in your hand right now. The standard makes clear that, with the right card acceptance hardware, PIN entry via a software-driven screen, rather than a physical encrypting PIN pad, is secure.

As you’ll hear on the podcast, this is an exciting time in payments security development. Broad deployment of many important tools will take many years. That’s the real news. As they come online, however, there’s already reason for optimism. We just have to use what we have and get others to do the same.

Digital identity is a crisp sounding term that belies a complex layer of concepts. There is identity proofing, identify verification, identity assurance. Each addresses one element of the many questions raised by digital identity.

• How does a bank really know the digital presence at its banking portal is associated with the accountholder?
• How can you, as an individual, release only the amount of data necessary to satisfy the parties to the transaction? We share more than we need to. I still get carded at a bar to prove I’m over 21 (what a waste of time!). When I show my license, the barkeep also sees my address, license number, and more. Definitely a case of oversharing.
• If parties such as utilities, government, and financial institutions vouch for that digital presence, should any of them be responsible for proving that digital presence is right and true?
• Simplifying complex problems for multiple stakeholders should be a formula for success. SecureKey is a long time player in the identity ecosystem, having built a federated identity platform linking Canadian citizens to government resources using bank-issued credentials.

SecureKey has evolved its system to make use of a mobile app as well as a blockchain-based database that securely points to data stored by banks, utilities, and government entities, all in a zero liability arrangement.

This conversation between Glenbrook’s George Peabody and SecureKey’s chief identity officer Andre Boysen dives into identity concepts, how SecureKey’s Verified Me system works, and its use of blockchain.

For more on digital identity concepts, look at NIST’s excellent set of Digital Identity Guidelines.