22 October 2014

Beyond TEDIPAY

Alexander Peschkoff - TEDIPAY


Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

What can kill EMV

16 September 2012  |  4225 views  |  5

For those in a hurry, here is an executive summary: ISO 9798, assisted by the likes of Verayo (as well as femtocells and in-store Wi-Fi).

Anyone remotely familiar with EMV knows that it's a mess. EMV is a global standard that covers interoperation of "chip" bank cards and compatible devices (POS terminals and ATMs). There are 16 (!) variations of EMV implementation when it comes to card authentication, transaction authorization and cardholder verification. EMV is at v4.5 and runs to over 700 pages. It represents the interests of just four companies - I don't count the merchants and the issuers here (a subject for a separate blog post). The main purpose of EMV is to provide secure authentication of transactions.

There is another global standard for secure authentication of remote transactions, used over 10bn times every day. It is concisely spelled out on just seven pages and represents the interests of over 800 companies. Like EMV, it relies on the use of "chip" cards. Unlike EMV, it does not require secure/approved/certified equipment - any mobile phone will do. A secure POS card terminal based on this standard costs less than $10. Including NFC.

I am, of course, talking of GSM - more specifically, ISO 9798 (from which the GSM authentication protocol was derived).
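A minimal sketch of the online challenge-response idea behind ISO 9798 and GSM authentication, added here as an illustration and not taken from this post, TEDIPAY, or either standard's text. HMAC-SHA256 stands in for the card's keyed algorithm, and the `Issuer` class, card id and transaction string are constructed for the example; the terminal only relays messages and holds no secret.

```python
import hashlib
import hmac
import secrets


def card_response(card_key: bytes, challenge: bytes, txn: bytes) -> bytes:
    """Card side: MAC over the issuer's challenge and the transaction data."""
    # The challenge has a fixed length (16 bytes), so concatenation is unambiguous.
    return hmac.new(card_key, challenge + txn, hashlib.sha256).digest()


class Issuer:
    """Online verifier that shares a secret key with each card (constructed example)."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys
        self.pending: dict[str, bytes] = {}  # card id -> outstanding challenge

    def challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh and unpredictable for every attempt
        self.pending[card_id] = nonce
        return nonce

    def verify(self, card_id: str, txn: bytes, response: bytes) -> bool:
        nonce = self.pending.pop(card_id, None)  # single use: a replay finds nothing
        key = self.keys.get(card_id)
        if nonce is None or key is None:
            return False
        expected = card_response(key, nonce, txn)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)  # provisioned in the chip and at the issuer
    issuer = Issuer({"card-001": key})
    txn = b"merchant=42;amount=12.50;currency=GBP"  # constructed sample transaction

    nonce = issuer.challenge("card-001")
    resp = card_response(key, nonce, txn)          # computed inside the chip
    genuine = issuer.verify("card-001", txn, resp)
    replay = issuer.verify("card-001", txn, resp)  # captured response sent again

    nonce2 = issuer.challenge("card-001")
    resp2 = card_response(key, nonce2, txn)
    altered = txn.replace(b"12.50", b"912.50")     # relay changes the amount
    tampered = issuer.verify("card-001", altered, resp2)
    return {"genuine": genuine, "replay": replay, "tampered_amount": tampered}


if __name__ == "__main__":
    print(demo())
```

Because the response is bound to a one-time challenge and to the transaction data, a relaying terminal that records or alters the exchange gains nothing it can reuse.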

EMV is "curated" by Visa and MasterCard - the global, universally accepted, payment channels. They are known within the payment industry as the "schemes" and that is where the problem with EMV lies. A well-intended desire to be universally accepted forced Visa and MasterCard to work with merchants even at remote locations where no means of communication was available. For that purpose, offline authentication was included in the EMV protocol specifications.

That was fine twenty years ago, but the world has since moved on. Telecom and the internet have become omnipresent phenomena. There are very few "unconnected" places left out there, with no fixed or mobile telecom facilities. Hence, there are no longer any strong reasons for not using online-only authentication. Allowing offline authentication for the sake of offering EMV acceptance in a few "off the grid" places drags the whole EMV concept down.

When - not "if" - payment transactions move to online-only authentication, the role and importance of EMV (and, potentially, of Visa and MasterCard) could be greatly diminished. I don't want to oversimplify things here, but one of the key functions of the schemes is to act as a "gateway/router" for channeling the transactions between the parties involved (acquirers, issuers, processors). That is something that Cisco has been doing efficiently and successfully, on a much larger scale, for years. Without charging any, let alone percentage-based (!), "interchange fee".

If the "schemes" do not become a "network", somebody else will take that space. There are several players - big and small, both insiders and outsiders - who are eyeing that opportunity. For example, Mobino's CEO, who worked with Tim Berners-Lee on HTTP and HTML, is planning to bring the same logic to payments.

I am at the NFC World Congress in Nice next week where I am moderating the "Transport and Ticketing" session as well as taking part in the "World's Smart Cities" panel, representing London - will no doubt get some material for more thought-provoking blog posts.

Tags: Mobile & online, Payments

Comments: (6)

Philip Harrison - VocaLink - London | 16 September, 2012, 12:27

Great commentary, Alexander. While Visa and MC do offer far more than just network management (eg. regulation, arbitration, global branding etc), the ice on which they are skating in the world of mobile payments is getting thinner. Philip Harrison

Alexander Peschkoff - TEDIPAY - London | 16 September, 2012, 12:41

@Philip - Absolutely: I only touched the "rails" part of the schemes. As for the regulations etc, surely they play an important role there. At the same time, the payments can be viewed as a "two-party" process that involves the issuing bank and the acquiring bank, and those parties can already interact well without any intermediaries.

John Dring - Intel Network Services - Swindon | 17 September, 2012, 09:06

Great blog and insight. But history shows 2 things (that come to mind) - Betamax did not displace VHS, and Mobile Operators and Banks don't sit easily together!

Matt Scott - Wincor Nixdorf International GmbH - Bracknell | 17 September, 2012, 11:53

I think the Offline component was also intended to reduce the strain of OLTP on Acquirer and Issuer Systems as, at the time, this was projected to sky-rocket well beyond the capabilities of the (then) current systems. As it happens most EMV issuers set their initial chip parameters with very low offline floor limits (often zero) as confidence in the technology was particularly low.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 19 September, 2012, 12:39

I've generally thought of mobile payments to be a solution chasing a problem. By pointing out its "auto authentication" capability, you've highlighted a very different - and valuable - side of mobile payments. Props for doing that!

However, I've a feeling that only the mobile POS use case of mobile payments - a la SQUARE and iZettle - can provide EMV-equivalent authentication. In the mobile wallet use case, 'who you are' (i.e. IMEI #) and 'what you have' (i.e. card details) both reside on a single device (i.e. smartphone). The loss of this device can pose a far bigger security hazard than losing an EMV card where only the cardholder knows the PIN (this assumes that smartphone users generally don't set a lockscreen password). 

Even in the first use case (mobile POS), you've pointed out correctly that EMV only enjoys the support of four companies. But, the problem is, these four companies enjoy the status of judge + jury + executioner when it comes to the card rails. So, as long as mobile POS services use card rails, their providers will forever be at the mercy of these four companies. Haven't we already seen a glimpse of their hegemony when Visa banned iZettle from accepting Visa cards (if I'm not mistaken, for violating EMV device connection rules)?

A Finextra member | 19 September, 2012, 14:48

I am sure Visa's decision was purely down to EMV rules & regs and nothing to do with Visa Inc.'s shareholding in Square... Remember that a Wallet app could enforce passcode security and most phones have a remote kill/wipe function which mitigates the risk somewhat. I think the fact that Apple is launching the Passbook app with QR Barcodes is quite telling of their confidence in NFC. Really it should be driven by the major cardschemes (Visa, MasterCard, China UnionPay) to define a Mobile Wallet standard to help boost adoption rates worldwide.