The payment industry’s responses to ongoing payment security concerns are many. We have procedural approaches and technical ones. For example, we are requiring merchants to attest to their compliance with PCI security standards that themselves include procedural requirements.

Technical solutions are also called out by PCI and are, of course, being applied across the ecosystem. Encryption of payment data in flight is one approach. In the physical POS world, semi-integrated POS terminals connect directly to the acquirer’s front end instead of passing card transaction data back through the merchant’s workstation and enterprise system.

An important technique, and the topic of this discussion, is tokenization.

Tokenization is an ancient security technique. In the broadest sense, a token is just a dummy representation of something of higher value.

In cards, that means the replacement of a PAN with a number or even an alphanumeric value that represents the underlying PAN. The mapping between the two is stored in a vault with the owner restricting access to that vault. If a hacker gets ahold of a token value, it’s useless. It’s a value that, to the payments ecosystem, is gibberish.

Tokenization is used in pull payment systems where payment credentials are given to the payee by the payer so that the payee has the information necessary to go get the money. Think card numbers or the routing and account numbers on a check.

In card payments, there are two forms of tokenization: merchant and issuer tokenization. Merchant tokenization has been around for more than a decade. A response to PCI, merchants generally outsource that token vault to a third party so they no longer store PANs themselves. When the merchant needs to do a lookup or initiate another payment, the merchant sends the token to the upstream service provider who then looks up the PAN and sends it off for authorization by the acquirer.

That’s been around for awhile.

The newer innovation is what we call issuer tokens – token values that are at the heart of Apple Pay, Google Pay, Samsung Pay and more. These token values are real card numbers, issued by your bank, but unlike a PAN that can be used to initiate a payment everywhere, issuer tokens are expected to come, for example, from specific devices or merchants.

Every card in your Apple Pay wallet is represented by an issuer token and whenever that token is presented for authorization, data about where it’s coming from is sent along too. If the token is sent from another device, for example the one the hacker has, authorization will fail.

This approach is totally compatible with the current card payment system. No changes are needed at the merchant or the acquirer and minimal ones at the issuer.

Glenbrook will be conducting an Insight Webinar on December 13 called Tokenization Fundamentals. Russ Jones will conduct that webinar.

In this Payments on Fire podcast, George talks with Russ about issuer tokenization, its role in the Pays (Apple Pay, Google Pay, Samsung Pay), in e-commerce, and the need for new entities in the payments ecosystem to support tokenization. This gets complicated. There’s now the need for token gateways.

Take a listen to the podcast and then sign-up for the webinar. Use the code POF80 to take 10% off the registration price.

In the U.S., there’s the automatic assumption that payment cards and perhaps PayPal are the way to pay online. But if you’re an eCommerce merchant trying to sell in the Netherlands, you’d better support the domestic system known as iDeal.

Connectivity into domestic payment systems is an important and complex issue. There are over 150 such systems across dozens of countries around the world. While not all are important to a given merchant, most are important to the acquirers and payment service providers serving eCommerce merchants.

Join George and Steve Villegas, VP Partner Management and Head of U.S. Office, of London-based PPRO Group, a company that provides white label connectivity to these domestic systems by serving acquirers and PSPs alike.

Knowing who you’re dealing with online is critical if you’re taking transaction risk. Digital identity is tough. To address that challenge – and it is a challenge – relying parties, those who take on risk, employ two broad categories of technology: active tools that require user interaction and passive network-based approaches.

When the user is required to explicitly provide identifying information, we use the interactive approach. The merchant or lender or website owner asks for user IDs, passwords, perhaps data generated by multi-factor authentication techniques such as biometrics, or one time passwords generated by an app or a hardware key.

If you’re an eCommerce merchant or an entity trying to sell something online – lenders included – you don’t want to ask the customer to do more than absolutely necessary to complete a good sale. Transactional friction is deadly to revenues and a main cause of shopping cart abandonment.

So, you use passive approaches that examine whatever data the customer’s device can provide. Device fingerprinting, behavioral analytics, rules engines, machine learning, and the past behavior of card numbers are among the portfolio of decisioning tools that do not interfere with the user experience.

Data is the foundation of the passive approach. In this podcast, George speaks with Ajay Andrews, Senior Director, Product, at Whitepages Pro, a data provider and analytics firm about identity verification and how the linkage of key data items influences decisioning. It turns out that particular pairs are strong indicators of potential fraud.

We discuss where the data linkage approach fits in the overall portfolio, what drives merchants to adopt, and how the tool is integrated into automated decisioning and case management.

Alexa. Siri. Cortana. We’re talking to or at our machines. I walk into my office and say “Hey Google, what’s the weather?” or “Hey Google, when’s my first appointment?” When I’m driving in a strange town, it’s “hey Google, navigate to the [fill in the blank] hotel.”

This kind of hands-free access to information is hugely helpful and hugely popular. But there’s a long way to go toward a general purpose voice interface for every task we want to accomplish.

That said, we’re getting there. In this conversation with Central 1’s Alex Chan, we discuss the process of voice-enabling access to the high volume queries that credit union members make, i.e. balance inquiries, balance transfers, etc.

We cover what it takes to build an Alexa skill, the code that links Alexa’s natural language processing to the underlying application that executes the action.

Voice design, the process of imagining and codifying how the user interaction proceeds, is at the heart of a successful voice-enablement project. Alex takes us through that process. It sounds like fun.

While payments are a tiny fraction of today’s voice-based interactions, they’re coming along, too. Better design and broader participation is needed. As a recent (failed) demo proved, Siri can’t send me money if I’m not an Apple Pay Cash user.

Take a listen and get in touch if you’ve questions or comments. We’d love to hear from you!

During the Glenbrook Payments Boot Camp we make clear that national payments systems are domestic by definition. Each country has its own set of systems to effect payments. We point out that national payment systems differ in many of their details. Regulation, operating rules, governance, ownership, technology, and more are highly variable.

At the same time, we also point out that major components are generally similar. An overnight, batch-based system for low-cost, low-value retail payments and an instant, irrevocable wire system for high-value transfers are typical of most countries.

Across the planet, countries are planning, designing, trialing or enjoying fully deployed immediate funds transfer systems, new ones that instantly transfer lower value payments. The UK’s Faster Payments system and The Clearing House’s Real Time Payments (RTP) are two examples of this system type.

Beside increased speed of payment, a second push for changes to national payment systems is the need for a richer representation of the data surrounding the payment transfer itself. Remittance data, for example, communicates what the payment is for, which invoices a payment may be covering, and what trade terms were taken by the payor. ISO 20022 is the internationally recognized method for representing this information and support for it has become a new priority not just for system operators but for financial institutions and enterprise customers.

Generally, major upgrades, never mind deployment of an entirely new system, are performed in a step-wise manner because of the critical nature of these systems, the cost, and the difficulty of herding system stakeholders through the many stages needed to achieve broad support and usage.

Undeterred by those realities, Canada is taking on a comprehensive upgrade to multiple systems over the next few years, including its overnight settlement and wire systems while simultaneously planning for its own immediate funds transfer system, codenamed Real Time Rails. Significantly, each system upgrade will include support for ISO 20022.

Payments Canada is the non-profit organization mandated by the federal government to manage, operate, and upgrade these systems.

In this Payments on Fire episode Glenbrook’s George Peabody speaks with Justin Ferrabee, Payment Canada’s COO about his organization’s work, how its systems differ from those in the U.S., and what’s ahead. It’s a great conversation between payments geeks.

In this second discussion with First Data execs, George and Scott MacKay, Vice President, Strategic Solutions talk digital commerce in the automative space, both at the fuel pump and in the Connected Car.

The importance of full stack security, whether it’s sole sourced or the result of an integration effort, to successful deployment of mobile commerce is a theme here.

Enabling the mobile experience at the fuel pump is complex. Petro sellers have a lot of legacy gear and the cost of upgrading that equipment is very high, a fact that has, at least, inhibited the pace of the EMV upgrade.

The richness of the mobile device’s data such as device fingerprinting and back end intelligence makes it conceivable that a fuel retailer could skip EMV altogether. Maybe.

Scott also shares a look at payments and the Connected Car through the company’s discussions with automobile manufacturers.

In this, the first of a two-part podcast series with First Data executives, Ajay Guru, VP of Merchant Fraud Solutions at First Data and George discuss the impact of fraud on the merchant, what the merchant has to do to manage it, and the classes of tools and techniques available to mitigate fraud.

Ajay addresses machine learning technology’s remarkable ability to identify anomalies and makes candid remarks on the necessity of human analysis to determine whether these anomalies are indeed fraud.

Other topics discussed include behavioral analysis (how we enter our user ID and password into the browser) as well as the sophistication of today’s manual and automated attacks. There is still a lot of CNP fraud taking place over the phone.

There’s good detail on the technology and what fraudsters are up to. Take a listen.

Online trust requires a context-based understanding of who we transact with. Attributes about us are needed to build that trust, but in many transaction contexts we share more than we need to.

To pick a simple example, the law says you must be 21 to buy alcoholic beverages but our current method of proof is to show our driver’s license, an unnecessary oversharing of personal information. Why show that creepy barkeep where you live when you only need to prove you were born before 1997?

In this wide-ranging Payments on Fire podcast, George and Lockstep Technology CEO Steve Wilson discuss how we share the attributes that, in aggregate, define to the online world who we are.

Steve makes the case that security and identity professionals continue to encourage the oversharing of personal data. Now that we have sophisticated network-based fraud management tools – device fingerprinting, behavioral analytics, machine learning and AI – that generate a crisp profile of our devices and our behavior, the attributes that a user must provide could be limited to just what’s required and no more.

An “attribute wallet” under the user’s control – yes, another role for the smartphone – might prove to be a valuable authentication enabler.

This episode concludes with Steve’s report on comments made by some of the deans of modern cryptography on the threat that quantum computing represents. It sounds like good news.

This episode of Payments on Fire covers two topics – payments in Atlanta and the essential challenge of online authentication and identity.

May in Atlanta – FinTech South and the Glenbrook Payments Boot Camp

Everyone in the payments industry knows that Atlanta is a hotbed of activity. Coming shortly to Atlanta are two fintech-focused events that will add to the goings-on.

The FinTech South conference takes place on May 7 and 8. With great speakers – and great sponsors like Glenbrook and the Technology Association of Georgia – the conference describes itself as “FinTech South 2018 is a global exchange of insights, innovations and trends fueling tomorrow’s financial tech industry.”

“Attracting international companies and speakers across multiple industries, FinTech South is an opportunity to engage with 400 FinTech companies employing more than 130K employees globally, generating $72B in revenues, and processing over 118B transactions annually.”

Speakers include:

• Kathryn Petralia, President and Co-founder of Kabbage
• Barry McCarthy, EVP of Network and Security Solutions at First Data
• Nuno Sebastiao, founder and CEO of Feedzai, who is also a past guest on Payments on Fire.
• Right after the conference ends, Glenbrook will host our Payments Boot Camp on May 9 and 10.

Both events draw attendees from all over North America. So if you want to expand your network, hear the latest at the conference and/or get smart about how payments work, come to Atlanta.

Authentication, Biometrics, and Banking

Authentication online remains one of the most challenging aspects of life online. Given the complete availability of personal data, account takeover has never been easier for the hackers. Knowledge-based authentication (KBA) asks softball questions like “what was your father’s middle name?” Easy stuff to find online. User IDs and passwords are even easier to find. We have a problem.

Strengthening the connection between an accountholder’s true identity – perhaps proven by a drivers license or passport – and the credentials that the user presents online is necessary and the topic of this Payments on Fire episode. George speaks with Andrew Gowasack, CEO and co-founder, of TrustStamp, an identity verification company using AI and facial biometrics to create a strong, unique digital credential. For a few use cases, TrustStamp also employs a blockchain-based database.

Andrew knows all about the Technology Association of Atlanta, too. So, take a listen and geek out in this conversation about authentication, biometrics, and how to answer the online conundrums of “who are you?” and “do I trust you?”

The rise of Chinese mobile payment systems is the top global mobile payments story of the last few years. Alipay and WeChat Pay serve hundreds of millions of users with payments, loyalty programs, merchant coupons, and more.

QR codes are used to initiate many of these interactions especially within the point of sale (POS) domain. When there isn’t a legacy payment infrastructure in place, software is easier, and cheaper, to deploy than the hardware-reliant approaches used for card-based transactions.

To serve its millions of accountholders traveling around the world, Alipay is building out its acceptance footprint. In this episode of Payments on Fire, George speaks with payments industry veteran Souheil Badran about his role as president of Alipay Americas and the company’s plans for reaching US merchants in tourist hotspots and beyond.