Tuesday, January 27, 2015

Is a Retailer Revolt from EMV in the Near Future?

Bad group thinking created EMV and now bad group thinking is trying to cram it down the throats of reluctant retailers. Threats of fines, chargebacks, increased fees, and the rest of the arsenal wielded by the major players of the payment services industry do not seem to have yielded the expected results. “Wait until fall”, say the bad group thinkers; but an unexpected reaction may revolutionize the retail payment industry.

Small retailers, such as the bodegas, convenience chain stores, and others making rapid small value sales, may refuse to originate credit card transactions. Patrons will start entering their PINs so these retailers do not have to pay for counterfeit card transactions. This natural evolutionary response creates a remarkable consequence: on-line retailers that accept EMV cards will take the brunt of fraud attacks because EMV has no protection against card not present (CNP) fraud. The EMV boondoggle thus moves the smaller retailers to a more secure solution than EMV at a fraction of the cost. Use of a PIN accompanied by derived unique key per transaction (DUKPT) encryption is the heart of the Chip and PIN solution (the British EMV application). Small US retailers will employ the exact same technique.

The unintended consequence of bad group thinking creates focused attacks against on-line retailers. Amazon and the rest will bear the brunt of new costs based on issuer losses and thus level the costs for on-line and traditional retailers. People will swarm to Main Street in droves.

Maybe the coming small retailer revolt will have other consequences. Since smaller retailers will not bear the costs of upgrading their point of sale (POS) equipment, and will not pay obscene fines for payment industry stupidity, they will become competitive again with the large national chains. If a hammer costs the same at Joe’s as it does in the Humongous, why not buy it at Joe’s? Walking down the street is healthier than a 20-minute car ride anyway.

Payment technology has advanced beyond the plastic solution, and the knee-jerk response to adopt the EMV boondoggle sounds the final death knell for an obsolete solution. Vested interests cannot prevent the Federal Reserve (the US central bank) from creating a modern small value payment solution, much as the lobbyists may try. Maybe if the politicians could stop the Fed as they stopped the single-payer health solution, then EMV would succeed in the US. But the Fed is independent and lobby-proof (although they do seem receptive to new and creative ideas). Internet and phone companies soon will become the infrastructure providers for payments, and the retail world rejoices with lower fees and increased sales.

Next Blog: The new payment system attacks

Sunday, January 25, 2015

8583 is Obsolete; So Why Don’t Payment Networks Replace It?

Using a bit-mapped data protocol in an HTML world is a bit like using candles to light a house. The candles only light parts of the interior; the occupants must carry a candle around from room to room; and wax drips on every surface with the slightest breeze. ISO 8583 similarly requires that data remain in a precise location; requires a maximum length; cannot allow different data attributes; and does not allow the growth of new fields easily. In today’s rapidly evolving payment infrastructure, the use of such a dinosaur as 8583 increases transaction costs, increases the risk of badly formed messages, and slows innovation.

There is a good reason why the payment services industry does not use a tag-based data protocol (such as ISO 20022): it may make many players in the industry obsolete. If a data protocol can be accessed easily and free from anywhere on the net; have fields added by anyone who needs to add one (by use of schema links attached to messages); and use HTML; then payment messages to issuers need not originate from acquirers, forwarders, or gateways. Any personal device has the ability to transmit a payment order using a common tag-based protocol, and it is simple for financial institutions (FI) to write sending and receiving applications using the data protocol.
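To make the bitmap argument concrete, here is a constructed ISO 8583-style encoder and parser, added as an example and not taken from the original post or from any real network's implementation. It assumes ASCII encoding, a 4-character message type indicator (MTI), a single 16-hex-digit primary bitmap, and a small hypothetical field table; it shows that every data element (DE) sits at a position dictated by the bitmap and the table, that lengths are capped, and that a receiver whose table lacks a DE cannot parse past it.

```python
"""Minimal ISO 8583-style bitmap codec (constructed example, not a real
network's implementation). ASCII encoding, 4-char MTI, primary bitmap only
(data elements 1-64), and a small hypothetical field table."""

# DE number -> (kind, length). "fixed" = exact length; "llvar" = 2-digit
# length prefix with the stated maximum. Only a handful of DEs are defined.
FIELD_SPEC = {
    2: ("llvar", 19),   # primary account number
    3: ("fixed", 6),    # processing code
    4: ("fixed", 12),   # transaction amount
    7: ("fixed", 10),   # transmission date/time
    11: ("fixed", 6),   # system trace audit number
    41: ("fixed", 8),   # terminal id
    49: ("fixed", 3),   # currency code
}

def decode_bitmap(hex_bitmap):
    """Bit 1 is the most significant bit; return the DE numbers that are set."""
    bits = int(hex_bitmap, 16)
    return [i + 1 for i in range(64) if (bits >> (63 - i)) & 1]

def build_message(mti, fields):
    """Set bitmap bit n iff DE n is present; body follows in ascending DE order."""
    bits, body = 0, ""
    for de in sorted(fields):
        kind, length = FIELD_SPEC[de]
        if kind == "fixed" and len(fields[de]) != length:
            raise ValueError(f"DE {de} must be exactly {length} chars")
        if len(fields[de]) > length:
            raise ValueError(f"DE {de} exceeds maximum length {length}")
        bits |= 1 << (64 - de)
        body += fields[de] if kind == "fixed" else f"{len(fields[de]):02d}{fields[de]}"
    return mti + f"{bits:016X}" + body

def parse_message(msg):
    """Walk the body strictly in bitmap order; every set DE must be in the table."""
    mti, pos, fields = msg[:4], 20, {}
    for de in decode_bitmap(msg[4:20]):
        if de not in FIELD_SPEC:
            # An un-updated receiver cannot skip an unknown DE: without its
            # length it cannot locate where the next DE starts.
            raise ValueError(f"DE {de} set in bitmap but not in field table")
        kind, length = FIELD_SPEC[de]
        if kind == "llvar":
            length, pos = int(msg[pos:pos + 2]), pos + 2
        fields[de], pos = msg[pos:pos + length], pos + length
    if pos != len(msg):
        raise ValueError("message length does not match bitmap and field table")
    return mti, fields

# Constructed authorization request; 4111... is a well-known test card number.
SAMPLE_FIELDS = {2: "4111111111111111", 3: "000000", 4: "000000001000",
                 7: "0127120000", 11: "000123", 41: "TERM0001", 49: "840"}
SAMPLE_MESSAGE = build_message("0200", SAMPLE_FIELDS)
```

Flipping bit 48 in the sample bitmap to simulate a sender that added a DE the receiver does not know makes `parse_message` fail, which is the "growth of new fields" problem the paragraph describes.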

Enhanced security may cause this shift away from the current status quo. All transactions will need approval in real time, originate from a known device, use a derived encryption key unique to the device, and contain a meaningful origination location. Issuers can create many varied security methods using different logic for validating users. This diversity of approach minimizes the gain from any one successful attack.

There will be no difference in paying a person, a business, or a government. Payers can pay the fees associated with use of such a system, which issuers may waive to encourage the use of their institutions, especially for large value accounts. Issuers also may be able to collect sales taxes depending on the interpretation of the data and immediately move the money to the government entities benefitting from a particular transaction.

Apple Pay and the grousing about interchange fees may also start the move to a better data protocol. How long will it take before the internet industry gets tired of moving payment data through the likes of First Data? When will Google negotiate with the big issuers, create their own links, use their own modern data protocol, and become their own authorizing agents? FIs can stop worrying about courts limiting their interchange fees and make any deals they want until true competitors force fees south. The first step: create the data protocol, place it on an easily accessible site, and see what happens.

Next Blog: What happened to the anticipated data scraping attacks over the holidays, shhhh

Thursday, January 22, 2015

Importance of Anonymity For Accounts Used By Students

Linking nutrition to intellectual growth does little good, however, if access to a needs based nutrition account creates stigma for the users. Stigma prevents poor students from participating in nutrition programs (see for example: Mirtcheva, D. M. and Powell, L. M. (2009), Participation in the National School Lunch Program: Importance of School-Level and Neighborhood Contextual Factors. Journal of School Health, 79: 485–494. doi: 10.1111/j.1746-1561.2009.00438.x; found at http://onlinelibrary.wiley.com/doi/10.1111/j.1746-1561.2009.00438.x/abstract ).

Anonymity prevents stigma, and any payment token masks its funding source, or at least has the capacity to do so. Giving everyone in a community equal access to the necessities required for public education, including access to nutritional foods, books, and transportation, increases the pool of educated people needed to lead and serve their societies in future generations. That makes creating a payment token that masks the origin of its funding source, and making that token the sole medium of exchange for all purchases made while a school system stands in loco parentis, vital for social mobility and a strong middle class.

Each independent school system typically issues a student identification card associating a unique number with a student enrolled in the system. School systems can map that unique number to a payment token in ubiquitous use within the same local area as the school. Diagram 31 depicts the concept.

Diagram 31; Masked Funding for Student Payment Systems

The flow of funds from the student to the points of purchase must be the same for all students, regardless of the funding source. A school payee can only accept one form of payment, which is the token issued by the school system. If (inevitably, when) an ID is lost or stolen, then manual entry of the ID must be available (accompanied by a real-time check for last use).

The standardization of payment for access to all the necessities of education will eliminate the stigma of needs based recipients permanently, and societies will benefit from the growing confidence of the next generation.

Next Blog: Busting Retail Payment Monopolies

Saturday, January 17, 2015

Will the New US Relationship with Cuba Create the First Cashless Society?

Looking at the new rules for US citizens traveling to Cuba prompts questions about what a remittance is or if access to money is the same as money. Can a US traveler to Cuba give a potential local business associate a payment card with an associated large value limit? Can a US traveler create an account on an African phone and fund it with large value and give it to a Cuban national for business development purposes? Do US citizens need to take such steps at all since US banks can now create Cuban correspondent accounts and thus effectively create gross real time payment access (although “real time” may be a bit optimistic in this case)? Will the Cuban tourism industry now accept payment cards issued by US financial institutions (FI)?

The Cuban Government intends to unite its dual currency system and make other reforms. However, requiring Cuban FIs to comply with Basel II, instituting a large value real time payment system or a deferred netting system (regardless of the periodicity of settlement), and generally providing a financial infrastructure allowing Cuban citizens to amass wealth from outside sources will not sit well with revolutionaries in Havana. Perhaps the distrust of the capitalist system that fomented the Castro Government will lead to the development of a new type of fiat currency and a new type of payment system that will resolve several issues at once.

Instead of forcing businesses to exchange foreign currency for Cuban Convertible Pesos, the government may allow their citizens to keep the currency in its original denominations if the government can pool that money into an account and issue digital currency strictly backed with the foreign reserves. Effectively such a system will give Cuba three types of currency, but likely not for long. The limiting factor of such a system is the availability of modern cell phones and other like equipment capable of storing, transmitting, and receiving digital currency securely. If the Cuban government promotes the ubiquitous flow of digital currency backed with hard fiat currency, then the creation of a cashless society may be a step away. The Cuban central bank issues and redeems the digital currency; there is no foreign exchange (since the issuance is in the currency pooled at the central bank); the other two Cuban currencies will quickly fall out of use and be converted to the digital currency as fast as the foreign currency is amassed.

The Cuban central bank's redemption activities will soon dwindle to nothing, and once both versions of pesos move into a digital form there will be no impetus to keep any non-digital currency at all. Certain activities, such as ensuring that all Cuban citizens have access to a personal electronic wallet; making clear, transparent regulations on the audit of foreign currency pools; and severely limiting the power of the government to revoke the certificates embedded in digital currency, will ensure the success of the endeavor and make the Cuban cashless society the envy of modern governments worldwide.

Next Blog: Contraband: the destroyer of a cashless society

Tuesday, January 6, 2015

Is NPR the Latest EMV Boondoggle Shill?

The payment card industry push for EMV has little to do with security and everything to do with increasing profits from retailers and ultimately consumers. The costs to implement EMV far exceed the benefits (see http://paymentnetworks.blogspot.com/2014/05/the-regressive-movement-to-europay.html ) and yet the mainstream media continue to trumpet the industry line without really examining its true motives. The fact that using the current infrastructure and requiring PIN entry fixes the problem of skimming, scraping, and card not present (CNP) fraud does not seem to matter to anyone. Lazy reporting and promoting a corporate agenda are the feed for today’s media, and that is not a surprise to anyone. There are still some jewels in the tarnished media crown that take the time to unearth real news and discover the dialectic pulse that vibrates across all human endeavors. Their numbers dwindle, and recently National Public Radio (NPR) published a puff piece that demonstrates how problematic any reporting from the most venerable of media outlets has become.

The NPR report on EMV conversion naturally discussed the thoroughly discredited fraud-defense motivation, but then almost hit on the truth. In the article (see: http://www.npr.org/blogs/alltechconsidered/2015/01/05/375164839/u-s-credit-cards-tackle-fraud-with-embedded-chips-but-no-pins ) the reporter (Jim Zarroli) came close to the truth but ultimately spouted the corporate line, “PINs would actually turn off U.S. customers”, without so much as a look at the supposed marketing survey that produced such malarkey.

So the listening public gets the false impression that EMV protects against modern day financial data intercept attacks, and that the expense for this needless conversion to an expensive infrastructure that functions exactly the same as the current infrastructure (in key aspects) is due to issuers looking after the public’s well-being. Is this really the same network reporting on the Central Intelligence Agency (CIA) and the National Security Agency (NSA) antics while waging the terrorism war?

The story in the halcyon days might have brought light to the payment services industry's lobbying efforts in Congress, its loss of fees because of Dodd-Frank, and its loss of monopoly due to mobile payments and other innovative approaches to payment. However, now the long suffering public hears a puff piece sounding a lot like the industry’s PR shills. Real reporting does not pay anymore; however, NPR used to have a reputation for good reporting. Let’s hope this report is an aberration and not the coming trend.

Next Blog: Payment Trends in the Coming Year

Friday, January 2, 2015

Needed: Weapons to Attack Payment Card Attackers

Underground bazaars selling payment card data seem to operate with impunity. The financial services industry, law enforcement officials, and issuers seem to relegate the monitoring and discovery of thefts to private researchers such as Brian Krebs and his krebsonsecurity.com web site. When a pawn shop openly sells stolen goods, or an arsonist announces a plan to set a fire, or a mugger attacks a victim in a camera’s view, society reacts and moves to stop the activity. Law enforcement captures the offenders, prosecutors prove violation of unambiguous laws, and judges sentence the offenders. Yet the financial data bazaars operate without fear of justice, sell their stolen data without hindrance, and feed a blossoming market for thieves.

Perhaps there is room for controlled internet vigilantes. If any private entity attacks a rogue web site, they risk arrest and prosecution for violation of a number of federal statutes. Law enforcement officials cannot arrest, victims cannot attack, and countries hosting the sites do not seem to care. The situation generally is not without precedent. Governments winked at the activity of privateers or openly gave them license to attack enemy merchants on the open seas. Perhaps an internet privateer is a concept that works on the electronic open sea.

Governments can grant licenses to private entities to attack a web site. If a would-be internet privateer (or a privateer’s sponsor) presents evidence to a duly constituted court that a web site outside the jurisdiction or reach of the court causes harm to citizens under the jurisdiction of the court, then the court can grant an internet privateer license that gives the holder immunity from prosecution for attacking the specific rogue web site. There may be various levels of licenses. One level may be for simple denial of service attacks, while other licenses may allow the tracing of data, others the deletion of data, and others the destruction of hardware.

If such a privateer license exists, then an industry of attackers may meet the criminal enterprises head-on. The financial services industry may offer large bounties for privateers willing to permanently (or for a specific time) eliminate a financial data bazaar. The methods for attack may become as varied as the original attacks that steal financial data. Privateers will create methods for proving that they, and not their competitors, disabled the site. Governments will create specialized courts to handle the requests and fund them with license fees, ensuring efficient and timely license grants. Card holders and retailers at last will not feel that they are the only ones under a cyber siege.

Of course there are lobbies that will not want internet privateer licenses. Acquirers and others that receive good income from bad traffic (especially when the card is not present in the fraudulent transactions) may argue that vigilantism does not work for a society built on observance of laws, not the wholesale breaking of them for a profit. However, ultimately no politician will want to side with international mobsters, and with just a bit of coddling, cyber vigilantism will become as normal as a tweet on a sporting event.

Next Blog: New Fraud Detection Techniques for Needs Based Payment Systems