Friday, October 31, 2014

Chances for a successful Cashless Society

 There exists a ratio between transactions for legal goods and services and illegal goods and services. Let me represent that ratio for the sake of discussion with a term, the criminality index and represent the term with the following equation:


Where CI equals criminality index and IT equals the value of all illegal transactions and LT equals the value of legal transactions during a given time.

Typically the ratio is less than 1 and approaches equality with 1 as a region increases laws created to prevent goods and services within the population.  Since there will always be a demand for criminal activity unacceptable to the majority of people within the region then the ratio will never equal zero if the period of monitoring is sufficient.

For example there will always be a limited demand for murder for hire; modern societies will always consider it a criminal act, and so the parties to the transaction require cash for the transaction. If actual cash does not exist, then the parties to the transaction barter with goods or services to complete the transaction.

Banning barter only causes the IT/LT ratio to increase and drags people that like to barter for legal goods and services into the region of anonymous activity increasing the camouflage for parties to the original illegal act. The government response actually helps parties to complete illegal transactions by making such transactions less rare.

If a society and its government implement a cashless society then its chance for success rests on the anonymity parties to a transaction experience. Governments that log the parties to a transaction, the amount of a transaction, the location of parties to a transaction, and all other data allowing a forensic transaction analyst to determine if the transaction is a criminal act or not, will cause the cashless currency to fail, and if the government has a high criminality index then the currency will never experience ubiquitous acceptance by a population.

If governments do not log transaction activity then the chance for ubiquitous acceptance of a completely cashless region is much likelier regardless of a regional criminality index.  I say that without proof and make the assumption for two reasons, namely:

1) People recognize that future events shape their future behavior. If government monitors behavior and anonymous behaviors become usual for observers regardless of the criminality of observed activity, then observers cannot notice a change caused by potential future criminal activity.

2)  Non-criminal activity may have consequences for personal reasons such as transponder payment data from a defendant in divorce court that travels on a toll roll to conduct an extra-marital affair.

It does not matter that access to logged data is limited in scope; people react to their perception of potential threats not actual ones; witness the absurd behavior of some US State government officials reacting to health workers returning from countries experiencing Ebola outbreaks.

The chance for ubiquitous acceptance of a cashless society also rests with the criminality index. If laws only exist against assault and theft and there is no monitoring of financial transactions, then people do not care if ultimately prosecutors develop a criminal prosecution by using defendant financial data lawfully obtained with court ordered warrants.

Next Blog: Beyond issued digital currency, beyond push payments, lies a thought payment system

Sunday, October 26, 2014

Why Retailers Can’t Build Payment Systems

What is it about large retailers that make them incompetent at building efficient payment acceptance systems? It is my unsubstantiated belief that IT systems in general and payment system architecture particularly sit quite low on the retailer totem pole. I come by the belief honestly in that I have made recommendations to tweak specific applications to save retailer money and see obvious changes completely ignored resulting in losses of millions of dollars and counting. It also makes sense that organizations built by sales people, managed by sales people, and directed by sales people scorn the beanie wearing pocket protected nerds scuttling around in off-limits dungeons guarded by 3 headed dragons. That is why the latest attempt by retailers to attack transaction fees especially from Apple Pay is so amusing.

CurrentC is payment system architecture under construction by MCX (Merchant Currency Exchange) and under attack by critics near and far (see for example As the reader(s) of this blog know I believe the current payment card infrastructure is not secure, too expensive, monopolistic, and technologically archaic. In short, it is ripe for wholesale replacement, and it is natural for its chief exploited users to replace it by rolling their own. However if the description of this architecture that I read remotely resembles the planned deployment of CurrentC (see ) then once again we will witness millions wasted, angry consumers, and happy payment system providers increasing their fees.

The first mistake is disabling the near field communication (NFC) devices and replacing it with their own proprietary protocol. Payment system infrastructure requires open standard protocols for ubiquitous acceptance by the public. Any move away from an existent standard to a proprietary one is bound to fail. Worse yet, it limits payment choice by customers which sales folks know is not conducive to sales growth.

The second mistake is the interaction (if the cited article correctly describes the interaction) requires too many data transfers presumably to enhance the security posture but actually increasing the risk of data intercepts and therefore the opportunity for a successful attack. In an earlier post (see ) I noted that Apple Pay did not reduce its vulnerability that much although it will take at least two years from the date of its deployment before an attack succeeds. I think the same is true for the CurrentC architecture regardless of the derived unique key per transaction (DUKPT) type of encryption the cited article described. I never will describe an attack method in this blog, but I think it is safe to say that MCX needs to carefully review its risk posture.

MCX exists for good reason but once again we find sales people fielding a technology that they do not understand. Perhaps they should consider using the infrastructure they already have in place and competing against Financial Institutions and their acquirers by issuing digital currency. It will be a lot safer, a lot cheaper, and it has the “gee whiz” feel that modern consumers love. More importantly, cyber currency increases consumer choices for payment and notably does not reduce consumer choice.

Next Blog: Payment tails wagging payment dogs

Friday, October 24, 2014

Movement to a Small Value Gross Real Time Payment System

I read an article in an excellent on-line publication ( ) that reported the US Automated Clearing House (ACH) (presumably under the auspices of the National Clearing House Association (NACHA) although not mentioned in the article) will develop a real time payment system (see The article seemed to indicate that the system would use a push methodology instead of the payment card pull methodology: “It is expected that the new system will route payments based on tokens that cannot be used to debit accounts, so senders and receivers will not need to provide complex, sensitive bank account details”.
This is a sea change in the payment environment in the US and perhaps the world. Questions, however, abound. Will we see connectivity between real time systems in Sweden, Singapore, and eventually Australia?  Will the mobile payment operators especially in Africa offer a real time platform also? Will we see the simultaneous development of tag based data protocol to originate transactions? How will the large payment service providers react? How will banks price the service? Will the system ensure delivery of goods and services by instituting a synchronization of delivery and payment?

Of all the questions, perhaps the most intriguing one is how the big payment services firms will react. If US politics is the same beast that brought us the “Citizens United” Supreme Court decision (stating companies are people and allowing unlimited spending on behalf of political candidates) then lobbying to prevent the development of the modern payment platform already began. I think the lobbying effort will fail and we will see a new approach. Payment services firms will start to offer digital currency and it may have the advantage to some transaction participants by providing anonymity. Sure the gauging of retailers by necessity will vanish, but the circulation of digital money for years after its purchase will allow the payment services firms an endless supply of tax free loans to compete against the registered payments present in the real time payment platform the announcement promises.

I suspect the private label cards will disappear also. The big box retailers and super stores will begin to issue virtual currency with their own corporate electronic signature and it will circulate freely; perhaps consumers will get discounts if they redeem the currency at the company of origin.

The dark side will also get into the game. As long as governments declare certain goods and services illegal then criminal suppliers will meet the demand and if electronic currency becomes the only viable medium of exchange then suppliers will create their own to meet illicit demand.

Fraud will not go away, but the practitioners of thievery will need to become a lot more sophisticated than scraping data off retail payment initiation devices.  

Next Blog: The growing schism between payment systems for the rich, the middle class, and the poor

Tuesday, October 21, 2014

Requirements for International Standards for Bank Issued Digital Currency

Once banks realize that issuing digital currency in local denominations is the same as receiving interest free loans (with surcharges paid by the lenders) for indefinite periods then there will be a rush to issue the stuff.  The major hurdle may be the lack of infrastructure for customers to spend the currency and without standards that hurdle may prove to be an innovation killer.

Issued digital currency requires a defined business object. The object needs required functions such as “Verify Currency”, “Currency Amount Remaining”, ”Currency Denomination”, ”Pay To”, “Receive From”, and “View Transaction Log”. Each function needs defined parameters. Knowing the haphazard development of innovation though and the protection of the status quo from powerful industry players, what the world will likely get is a single (probably small) financial institution (FI) creating a proprietary standard and trying to fly the beast with a small initial base of paying consumers that likely will not gain needed momentum before failure.

There is a way to avoid the fail fate but it requires the cooperation of a nation’s FIs, the design and publication of  standards, and the simultaneous launch of a ubiquitous service offering throughout the entire nation. Witnessing the squabbles of the Kenyan mobile payment service providers, does not give great hope that a profitable, popular, and safe digital currency will emerge within an environment of FIs competing for mobile accounts and transaction fees.  If, on the other hand, FI compete by allowing their issued digital currency to freely circulate, and use the cash paid to buy the currency for loans, then the entire economic situation improves for all the FIs within the implementing nation.

For the infrastructure to be complete the payment services community also needs to create a data protocol standard. Earlier reader(s) know of my call for such a standard based on tagged based data protocols such as ISO 20022 for a payment push from a payer account to a payee account. The same data standard developed for payment data originating from a personal electronic device (PED) can double as a data protocol moving digital currency between PEDs.

The one risk for developing financial payment standards is the homogeneous environment provided to attackers. That is why FI must customize the security modules within the digital currencies. For example, some FI may require biometric proof for authentication, while others may leave authentication completely to the PED hosting the digital currency. If the standard provides for multiple security posture it forces attackers to limit their attacks to a single FI. Such a standard naturally leads to increased chance that the issuing FI will discover the attack before an attack succeeds.

FI also mitigate risks also by adding optional insurance modules to the digital currency object. The standard will define a module whereby holders of digital currency have insurance protecting their funds from damage, loss, or theft.   The insurer thus needs access to currency they insure on a real time basis or as soon as possible after a transfer event.

The costs for assembling technical people around a table to hammer out the details of these types of standards with no immediate demand and no proof that the idea will succeed may prove to be too much for an innovative nation, but the alternative, a haphazard launch without government support, seems far riskier.

Next Blog: The poor judgment of the US issuing EMV cards

Friday, October 17, 2014

The Dialectic of Attack and Defense of Payment Systems

Designers of payment systems need to think more than the clearing, settlement, security, and marketing of these systems. Designers need to consider the evolution of attacks once a security posture is in place. The security design of Europay, MasterCard, and Visa (EMV) for example used public key interchange (PKI) and the cryptogram evolved from static data authentication (SDA) to dynamic data authentication (DDA) to combined data authentication (CDA) and yet this evolution did nothing to stop the type of attacks that compromised the cardholder data originating from card accepting devices. The designers of EMV also did not consider how to protect an attack against cardholder not present (CNP) transactions. The payment solutions of the future cannot present a security posture and dare anyone to attack it. Designers must engineer payment solutions to present different defense postures depending on the environment of their deployment and the type of current attacks.

Payment initiation software must include sensors that indicate an attacker is currently present, and shut down depending on the configuration of the payment initiating device. Software deployed in payment initiation devices must know what their environment is. If (as likely) the operating system is interrupt driven then the software must look at all of the interrupt vectors and determine if those are pointers to legitimate drivers signed by legitimate developers. Payment system software must identify every logical port and verify the legitimate uses of those ports. Introduction of new software into the payment initiation environment cannot take place without validation.   These are primitive examples of design considerations taken at the software level that do not rely on hardware to respond to evolving attacks.

As digital currency gradually replaces card base technology, the currency must include software with the payment data that recognizes its environment and responds to attacks. For example the currency will know its payer and intended payee before a transaction takes place. If the currency finds itself in an environment that it did not expect the software within the currency must invalidate the financial data present in the currency. Attackers naturally will respond by mimicking the intended environment so the software imbedded in the currency must continually update the parameters that define a legitimate payee. The logic using those parameters must also contain an ability to change although without giving a vector for an attack. These are not easy architectural problems to solve and mistakes may lead to the compromise of financial data on an unprecedented scale. However, planning a mission to Mars seems more difficult and the world embraces that challenge.

Next Blog: The consequences of diverging payment methodologies

Thursday, October 16, 2014

Use of Government ID cards for Emergency Payments

What good is disaster funding if the people targeted for the funds cannot get it? Government ID cards can serve as emergency cash during disasters regardless of the state of the infrastructure supporting payment systems.

A natural disaster may destroy checkbooks, cash, and payment cards. However, people generally tend to hold on to their government issued ID cards from habit. When governments declare an emergency, it is possible to give a value for payments originating from a government ID.

The cost of adding a magnetic stripe to an ID is miniscule compared to the potential suffering alleviated by the action. Additionally the ID might contain a punch-out token for cases when loss of power or communications prevents the initiation of payment from card accepting devices. The value of the tokens will be set during the declaration of the emergency. Each token will contain the unique identifier that ties the token back to the citizen using it.

Governments can configure the emergency payment system differently so it meets the requirements of differing policy makers. For example, some governments may invalidate the tokens if not redeemed within a specific time. Other governments may forbid the purchase of specific goods or services (although enforcement of such bans may prove to be quite difficult). 

After the disaster the government can recoup the payments through various methods such as sending a bill to the user, or (if the address no longer exists) charge the citizen when they come to renew their ID. In some cases government will never recover the emergency payment but their citizens will have food, shelter, or clothing. The alternative, looting, rioting, and general mayhem cost governments far more.  It also prevents payees from gouging people by limiting the price charge for specific items (although in practice enforcing a not-to-exceed price will be difficult at best).  

Governments may be tempted to charge for the potential use of emergency cash before issuing the ID. This practice quite likely will cause the political failure of the government ID emergency solution because it will seem like a new tax without cause.

Preparing for emergencies before they occur is a critical government function. Preventing hunger and the other ill effects of natural disasters also falls under the authority of government. Using a non-emergency function such as id issuance seems a reasonable approach to mitigate the suffering caused by nature’s wrath.

Next Blog: A review of current innovations in payment systems

Friday, October 10, 2014

Concept of a Large Value, Non-Fiat, Digital Currency

So far in this blog I discussed digital currency as values stored in a personal electronic device (PED) denominated in local fiat currency. Conceptually the architecture depicts walking around money; it is cash for use for purchase of goods and services and not for investments such as a ship’s cargo or a factory or a business. In this post, I want to design a different type of digital currency, one that primarily transfers large values and denominated in a non-fiat currency although still issued by financial institutions (FI).

The purpose of creating non-fiat currency is to eliminate the perils of foreign exchange (although the currency will float in value against different world currencies). It does not need conversion to a fiat currency for deposit to an account. There are other advantages to such a currency, (call it the Wampum) such as it does not need to use a gross real time payment system to safely transfer it instantaneously because interception of the data by unauthorized recipients renders it worthless.
Both the payer and payee devices form the electronic signature and so another device receiving it automatically invalidates the signature. If an attacker knows both device values forming the signature a counterfeit Wampum is still worthless because the attacker will never know the other elements of the signature that only occur once for any given transaction and automatically form part of the encryption used during transfer. Finally insurance for each transfer will cost less than fees charged by operators of large value transfer systems. The insurance will be less because if an attacker does manage to counterfeit a Wampum transaction, no entity will accept it without first validating it with their insurance company, which will determine quickly that its history is suspect.

Wampum allows corporate treasuries to store large sums outside of banks within the confines of a tamper resistant storage device in the presence of more than 1 person at all times. Although no interest accrues on a Wampum stored outside a FI, conversion of Wampum to a fiat currency at any specific instant almost guarantees a successful bet. For example if a company buys 1 Wampum for $100,000 and at that instant a dollar was worth .8 Euros, .62 Pounds, and 108 Yen, and later the company wishes to convert the Wampum to a fiat currency, then conversion to any of those currencies worth more at that later time will constitute a winning bet.   In some cases conversions will create more profit than any interest payment.

So why have no banks tried this concept? Is there vulnerability or laws that make such a scheme unworkable? I encourage comments from knowledgeable readers so many may understand the impracticality of the Wampum.  

Next Blog: Comments on Comments

Thursday, October 9, 2014

Adding Details to FI Issued Digital Currency

Adding a bank signature to bundled financial data does not make digital currency immune from counterfeiters. Nothing prevents the recipient from receiving issuance from a financial institution (FI), duplicating the data, and spending it multiple times. Trusted software must receive and dispense electronic currency from a personal electronic device (PED) and invalidate the data and revoke the signature in the case of a data breach outside the confines of trusted software.

 A certificate authority (CA) or some other trusted entity signs software running on the PED.  The issuing FI validates the software with access to the digital currency using any of a number of methods including a challenge with a cryptogram and a legitimate response. If satisfied the trusted software challenges the FI and only receives an issuance of currency after validating the response to the challenge. This double challenge and response (or other verification methodology) then is replicated (preferably using an industry standard) between payer and payee for as long as the currency circulates.

There are still multiple vulnerabilities presented by the storage of digital currency on a PED regardless of the care used to store and move value from PED to PED. Ingenious attackers will ply their trade. Issuing FI may cease to exist. Theft (along with the user access codes), loss, or destruction of the PED threatens the currency. In short, issued digital currency will not gain acceptance without users having confidence that they will not lose their money.

There must be insurance for the digital currency with fees based on real risk. A regulation E (protects cardholder accounts in the US) approach does not work with a circulating digital currency because FI will not control access to the currency after issuance. Can risk have a price based on aggregate value stored on the PED? Is the risk linear? Is the cost for a small value stored on a PED the same as a large value stored on a PED? My hope is that companies think about insuring digital currency so when there is a rush to the exits of card technology the infrastructure supporting digital currency exists.

Governments also will address certain aspects of digital currency. Will users with PEDs containing large values need to declare such at border crossings or will the movement be the same as a check book moving across borders? Equally important to users is anonymity of purchases (not really possible with signed values), so acceptance will depend on limited government interference of value transfers and the preservation of the illusion of anonymity, Governments need warrants before review of stored payment activity logs. Current laws seem to offer adequate protection for users of digital currency, however, knowing the predilection of governments to know of large value transfers, some new laws are almost inevitable.  I only hope that excessive lawmaking zeal will not nip the bud before it blooms.

Next Blog: Digital currency in war zones

Tuesday, October 7, 2014

Building an Altruistic Payment Architecture

Occasionally when I purchase groceries at the supermarket the card accepting device asks if I want to give some money to various causes. I usually decline for several reasons but the overwhelming one is that if I organize my charitable contributions I receive a tax deduction whereas if I impulse give, I do not get that tax write-off.

If the design of payment systems allowed payers to automatically give an amount to the charity or charities of their choice with values of their choice then I suspect that the amount of charitable gifts will increase significantly. If we look at the data protocol standards such as ISO 8583 we see there is room for various amounts and for various fees (not to mention superfluous data that have nothing to do with a financial transaction) but only one payee. By creating payment data protocols with multiple payees and specific amounts for each payee then it is possible to designate charities as co payees. It is also possible to designate sales tax recipients, which may relieve payees of the administrative burden of collecting and paying sales tax.

It is possible to automatically give to charity with the current cumbersome protocols but it too expensive to utilize unless the payment networks allowed a charitable transaction to trail a regular purchase with no extra charge. If they did so then they no doubt would receive a tax deduction and payment service providers could gain good will because they facilitate charitable giving. However, if we could convince the various players involved in a single transaction not to charge for a trailing charitable message, the probability of agreeing to more than one charitable is next to nil.

If buyers used an e-check application (see ) then it would be possible to cut as many checks to charities as the buyer wanted with no extra overhead unless the financial institution charged a fee for each check or for too many checks. However, as the reader(s) of this blog know, I have frequently advocated for the creation of a data protocol specifically for movement of financial data from a personal electronic device (PED) to a point of presence (POP) and from there to a FI with no translation needed.  If that protocol allowed for multiple payees then it would be common practice for payment applications to allow users to configure payments to go to the charities of their choice without needing to do so for each transaction or by planning each contribution. The payment applications keep track of payment so end of the year accounting becomes a simple matter of importing the charitable amounts to the tax preparation process.

Future payment architecture no doubt will allow for multiple payees; however that does not prevent the current payment system providers from allowing the free donation of funds to charities. With a little imagination payment system providers could use the additional amounts field in the ISO 8583 message to accomplish the same goal seamlessly, no trailing transaction needed.

Next Blog: A small equity distribution architecture

Saturday, October 4, 2014

The Promissory Note in an Electronic Age

Is there demand and supply for an instant loan system based on unregistered promissory notes? Does the Uber model work with loans? Consider a broker that sets up a clearinghouse that allows borrowers and lenders to get together and complete transactions. A reasonable design certainly is possible, so I thought I might make a back of the napkin sketch.

Lenders in such a system must be gamblers; they must be willing to risk complete loss of the bet. However, if the value of the loan is small, and the potential payoff large, then the concept might sell.

Lenders push any amount they want to risk to the clearinghouse and specify the terms. The clearinghouse aggregates the various loans and notifies the loaners when a borrower accepted their terms. Lenders may specify the total aggregate value of their loan coupled with others that the loan cannot exceed. Lenders may request a payoff instantly and the clearinghouse can try to replace the loan amount with another lender and in lieu of that call the loan and immediately pay off all the lenders if the call succeeds. If the call does not succeed then debt collectors or court are the only option and the clearing house not the lenders may take those options.

The borrowers may request specific terms such as timing of payments and no call options during an initial period. As always the greater the risk, the greater the reward, and lenders plunking down hundred dollar chips on the outcome of the roll of dice might not care if the potential reward is great enough. The real draw for borrowers is there is no credit check, although borrowers may have a past unpaid debt with the clearinghouse, which would disqualify them for any future loan. Competing clearinghouses may wish to share their list of deadbeats.

The clearinghouses profit from the float before the loan and collecting loans that failed. For example suppose a borrower could not pay off a called loan. The clearinghouse sells the debt to a debt collector and keeps the payment; the actual lenders get nothing. Clearinghouses may operate differently, some may want to register the promissory notes (especially large value ones) or have them notarized (if such an action is possible electronically otherwise clearinghouses need to invent the electronic equivalent).

That is the rough sketch, the only question remaining does the activity violate gambling laws?

Next Blog: The Promissory note as an electronic bearer bond

Wednesday, October 1, 2014

A Real E-Check Application

What prevents a payer from creating an e-check within a personal electronic device (PED), electronically signing it, and transmitting it to a payee? As far as I can tell the check is valid as long as it contains the routing number, account number, date, and had the signature placed last on the payment data. Why then have we not seen an abandonment of card technology, which is expensive for the payee, vulnerable to attacks, and requires expensive processing equipment? There are a lot of reasons why the world does not adopt this superior method for payment but the primary reason (with absolutely no evidence for this statement) is bankers do not understand that an electronic signature makes the e-check impossible to repudiate later.

The implications of a real e-check are profound. A good design for the routing and clearing of an e-check will allow merchants to receive funds in their accounts the next business day (just like a payment card transaction) without an interchange fee. Merchants do not need acquirer services to deposit the e-check in their account. Financial Institutions (FI) can easily build portals to receive and process e-checks and payees that have an account with an FI should be able to cut deals based on volume that makes alternatives seem like the payment stone ages.

Merchants are not the only ones that benefit from a common e-check infrastructure. Any class of payee can have access to an application hosted by a PED that allows receipt, validation, and deposit of an e-check in real time if there is a network connection or a delayed deposit if a network is not present.

Why stop at checks? People can transmit, receive, store, and redeem all types of financial instruments, without undue processing charges. Will we see the elimination of paper and plastic in the next few years? We will if FI find their collective backbones.

Next Blog: A payment infrastructure without network access