MasterCard forecasts death of static passwords with 3DS 2.0

MasterCard says a forthcoming wholesale upgrade of the 3DSecure protocol for authenticating online transactions will pave the way for the introduction of more secure biometric and token-based prompts and the ultimate eradication of static passwords.

MasterCard has been working with Visa on the new authentication standard, '3DS 2.0', which will utilise richer cardholder data and result in far fewer password interruptions at the point of sale. In the event that an authentication challenge is needed, cardholders will be able to identify themselves with the likes of one-time passwords or fingerprint biometrics, rather than committing static passwords to memory.
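To make concrete why a one-time password is a stronger challenge than a memorised static one, here is an added example (not code from the MasterCard or Finextra article): an HMAC-based OTP generator per RFC 4226, with the issuer-side verifier that a 3DS access control server would run. The secret is the RFC 4226 test key, not any real credential; the look-ahead window size is an assumption.

```python
"""Added example: HOTP (RFC 4226) generation and issuer-side verification.

A static password is compared against a stored value and stays valid until it
is changed, so a phished copy works indefinitely. An HOTP code is bound to a
moving counter and the verifier never accepts a counter it has already
accepted, so a captured code is useless a second time."""
import hashlib
import hmac
import struct

# Constructed secret: the RFC 4226 Appendix D test key, not a real credential.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226
    'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Issuer / access-control-server side of the challenge.

    A submitted code is accepted only if it matches one of the next `window`
    counters past the last accepted one (window=5 is an assumed policy).
    Accepting a counter invalidates every earlier one, which is what defeats
    replay of a sniffed or phished code."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # resync; earlier counters are dead
                return True
        return False


def replay_demo() -> dict:
    """One challenge exchange: fresh code accepted, same code replayed
    rejected, next code accepted."""
    verifier = OtpVerifier(RFC4226_TEST_SECRET)
    first = hotp(RFC4226_TEST_SECRET, 0)
    return {
        "first_accepted": verifier.verify(first),
        "replay_accepted": verifier.verify(first),
        "next_accepted": verifier.verify(hotp(RFC4226_TEST_SECRET, 1)),
    }


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_TEST_SECRET, c))
    print(replay_demo())
```

The counters 0 to 9 with this key reproduce the RFC 4226 Appendix D vectors (755224, 287082, ...), which is the quickest way to check an implementation before trusting it; a time-based variant (TOTP, RFC 6238) simply derives the counter from the clock.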

Read Full News at – http://www.finextra.com/news/fullstory.aspx?newsitemid=26692

Chip & PIN vs. Chip & Signature

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees who are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than the regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers. The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).
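The following is an added example, not code from the Krebs post, showing in a toy model why the stripe is cloneable and the chip is not. Part 1 parses ISO/IEC 7813 Track 2 data (a constructed sample using the well-known Visa test PAN): every field is static, so a skimmer that captures the string has all a clone needs. Part 2 models a chip card producing a per-transaction cryptogram over an application transaction counter (ATC), the amount and the terminal's unpredictable number, and an issuer host that rejects replays. The cryptogram is an HMAC-SHA256 stand-in for EMV's ARQC (real cards use 3DES or AES session keys derived from a card master key and the ATC); the card key, amounts and unpredictable numbers are constructed.

```python
"""Added example: static Track 2 data versus a per-transaction chip cryptogram."""
import hashlib
import hmac
import os


# --- Part 1: what the magnetic stripe carries (ISO/IEC 7813 Track 2) ---

def luhn_ok(pan: str) -> bool:
    """Luhn check digit over the PAN (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Parse ';PAN=YYMMSSSdiscretionary?'. Every field is static, so a reader
    that captured this string can re-encode a clone the terminal cannot tell
    from the original."""
    if not (track.startswith(";") and track.endswith("?")):
        raise ValueError("missing Track 2 sentinels")
    pan, sep, rest = track[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("bad PAN")
    expiry, service, discretionary = rest[:4], rest[4:7], rest[7:]
    if len(expiry) != 4 or len(service) != 3 or not (expiry + service).isdigit():
        raise ValueError("bad expiry or service code")
    return {
        "pan": pan,
        "expiry_yymm": expiry,
        "service_code": service,
        # First digit 2 or 6 marks an IC (chip) card; a chip-capable terminal is
        # expected to prompt for the chip rather than accept the swipe.
        "chip_present": service[0] in "26",
        "discretionary": discretionary,
    }


# Constructed sample on the Visa test PAN 4111...; not a real card.
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890?"


# --- Part 2: a chip card's per-transaction cryptogram (toy ARQC) ---

def _cryptogram(key: bytes, atc: int, amount_cents: int, un: bytes) -> bytes:
    """HMAC stand-in for the EMV application cryptogram (assumption, not EMV)."""
    data = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + un
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """Card-unique key that never leaves the chip, plus a monotonic ATC."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_ac(self, amount_cents: int, un: bytes):
        self.atc += 1
        return self.atc, _cryptogram(self._key, self.atc, amount_cents, un)


class Issuer:
    """Authorisation host: knows each card's key and the last ATC accepted."""

    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enrol(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key

    def authorise(self, pan, atc, amount_cents, un, cryptogram) -> bool:
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc.get(pan, 0):
            return False  # unknown card, or an ATC already seen: replay
        if not hmac.compare_digest(_cryptogram(key, atc, amount_cents, un), cryptogram):
            return False  # wrong key (counterfeit) or altered amount / UN
        self._last_atc[pan] = atc
        return True


def skimmer_demo() -> dict:
    """Attacker captures one complete chip transaction and tries to reuse it."""
    issuer, key = Issuer(), os.urandom(16)  # constructed card key
    card = ChipCard("4111111111111111", key)
    issuer.enrol(card.pan, key)
    un = os.urandom(4)                      # honest terminal's unpredictable number
    atc, ac = card.generate_ac(1999, un)
    captured = (card.pan, atc, 1999, un, ac)
    return {
        "genuine": issuer.authorise(*captured),
        # rogue terminal replays the exact captured data (same UN): ATC already used
        "replay_same_un": issuer.authorise(*captured),
        # honest terminal picks a fresh UN: cryptogram no longer matches
        "replay_new_un": issuer.authorise(card.pan, atc, 1999, os.urandom(4), ac),
        # counterfeit from stripe data only: no key, so the cryptogram is a guess
        "forged": issuer.authorise(card.pan, atc + 1, 1999, os.urandom(4), os.urandom(8)),
    }
```

Contrast the two halves: a stripe-only terminal has nothing beyond the Track 2 fields to check, so a clone with the same string is indistinguishable, whereas every chip authorisation carries a value the attacker cannot produce without the card key and cannot reuse because of the ATC and the terminal's nonce. This is also why chip-and-signature already removes counterfeit fraud at the terminal; the PIN in chip-and-PIN addresses the separate problem of a lost or stolen genuine card.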

Read Full Story at http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

Visa and MasterCard face scrutiny by new UK watchdog

The UK government is planning to put supervision of MasterCard and Visa alongside the country’s main interbank payment systems into the hands of a new Payment Systems Regulator (PSR), whose chief remit is to inject more competition into the country’s payments industry.

In 2013 the government announced the creation of a new, economic regulator charged with increasing competition and innovation in the payments sector, which has traditionally been dominated by a small number of systems and the big banks.

From April next year, the PSR will have strong new powers to ensure the way the country’s main payment systems are run do not hold back competition in the sector, including requiring competitors such as challenger banks and smaller firms to have access to these systems on fair terms, and if necessary the power to order the owners of the more established systems to break them up or sell them.

To read complete news visit source article: http://www.finextra.com/news/fullstory.aspx?newsitemid=26572

ApplePay in Europe – Will it work?


There is a big issue that Apple have probably faced in their negotiations with the card schemes. They probably had one of those days where they met with MC/Visa and an Apple executive said: “And this will of course apply globally?”, with an answer that introduced Apple to interchange rate differentials, Visa International vs Visa Europe, EMV at 100% in the EU and 0% in the US, NFC issues on mag-stripe vs chip, NFC implementation in the EU, multi-currency issues with exchange-rate setting, etc.

It would seem that the 15 – 25 b.p. that have been negotiated in the US are based upon the VERY HIGH fraud rate that the US is seeing and the rising problem faced there with the abysmal technical architecture. The transfer of a chunk of the infrastructure onto the ApplePay architecture will create a test-bed for a new platform with a leap-frog in the technology, making it something that the issuers in the USA would have ‘jumped at’ with delight, as it solves a problem that they have.

In contrast, the motivation for EU issuers is not there. EMV being 100% rolled out in most places for POS has reduced POS fraud to about €0/£0, which takes away any risk margin that could be conceded. Accordingly, and on the basis that it is a discussion between Apple and issuers on what interchange amount can be conceded to introduce this as a solution, these discussions may stall. So how will the EU address this?

If we exclude the interchange concession being big enough to interest issuers in developing a process, and Apple in generating revenues, then it will need to be ‘sold’ in the EU as customer (and merchant) utility, rather than issuer savings. And we know that merchants feel overcharged, and customers are not prepared to pay (in general).

OPTIONS

1. Apple to buy/create a stake in the currency-conversion part of the infrastructure

2. Apple to start thinking about disintermediating the schemes’ involvement in the EU (test-bed), removing transactions from the interchange regime by negotiating the deals directly with the acquirers. This would then mean that Apple becomes a pseudo-scheme and would need to have ‘skin in the game’ in managing the risks and disputes too.

3. Apple and the schemes to enter a longer-term agreement not to do 2 (above), but to enter negotiations around a part-disintermediation: removal of the scheme elements of interchange and bypassing of the scheme for the transactions, with the transactions then reported into the schemes so that they can stay franchised and set the rules (and see the transactions without taking the risk, which would now be significantly reduced).

These are of course options that would generate more revenues in the USA too, if they are adopted there thereafter.

I would imagine that this whole set-up is a major threat to the schemes, so I would imagine that the ‘heads of terms’ agreements on the current infrastructure design include some ‘in partnership’ / ‘will not destroy’ long-term agreements between these parties for having ‘allowed’ Apple to play in this space, OR some very big threats from Apple to the schemes that they would go for full disintermediation if they did not ‘play the game’.

Only time will tell, but what we do know is that this is going to stir things up and lead to some big legal / courtroom disputes in due course, and all the parties here have BIG muscles and are very prepared to be aggressive in ‘defending their ground’ in the courts.

The author of this press release, Bill Trueman, is director of RiskSkill.com, a global risk review and risk management organisation that specialises in providing risk and compliance solutions to commercial organisations. For more information about RiskSkill visit http://www.riskskill.com/

Source: http://www.prlog.org/12374266-applepay-in-europe-will-it-work.html

Will Apple Pay kill the QR code?


An interesting question – and of course Apple Pay will not kill the QR code per se, because the QR code does a lot of different things – most notably allowing a camera on a ‘connected’ device to quickly access material without the need to type into the device, and to effect various instructions.

However, with Apple having just ‘raised the bar’ significantly in its launch of ApplePay, it will undoubtedly remove the possibility for the QR code to ever gain any ground, or to make any business case again, as a payment enabler. The ApplePay infrastructure is very clear now (well, it is not clear at all, but we can draw together the following parts of the infrastructure):

a) EMV, and its well-practised security model, is adopted.

b) NFC-enabled transactions (whether you like it or not, and whatever the EU or USA adoption rate), which ensures that the NFC standard is adopted and that the EMVCo protocols and encryption are present.

c) Tokenisation, to protect the card details.

d) Two/three-factor authentication, i.e. using the scanned fingerprint (or whatever is scanned to validate the transaction), and then geo-location and/or device profiling too.

e) Reduced costs (interchange fee) and liability protection for pretty much all parties.

So why not do any of this with a QR code? Technically, almost all of it is possible, but technical possibility alone will not make QR codes work. Using a QR code produced by a device (that the consumer has) would look pretty, but would mean that:

- The customer has to enter the transaction details to validate, unless another way of communicating with the merchant was created and standardised globally.

- The protections that are in the chip on a card, and in the secure area in the device where the card details are stored, including floor limits, counts, rules, service codes and resets, would all be bypassed.

- The secure part of the chip used and set up by Apple would have to be accessible by developers to create QR codes, which Apple should never allow (because of the risk of compromising that secure element, and probably not allowed by the banks/schemes either), and because they would probably not want others to use their rails, due to commercial protectionism.

- Retailers would have to create new software and protocols for reading the QR codes at the points of sale, and then create EMVCo protocols to secure the transactions, which of course would preclude retailer validation or a two-way dialogue with the card / secure element.

- And ALL vendors would have to build standards for this, compete with their proprietary protocols, and add massive costs for retailers.

- 3FA or further authentication validation would be impossible/hard to introduce without the EMV / NFC standards backbone.

This creates the underlying problems that:

a) The EMVCo and NFC standards, which require a two-way handshake and communication with the device and the secure element and a decryption process, would be circumvented.

b) The card schemes, who will have required NFC to be adopted as the communication vehicle for the transactions to be permitted in Apple Pay, would be removed.

c) The issuers’ requirement, for the transaction to attract the interchange concession, that it be transacted using the EMVCo / NFC standards and a channel that can be used to validate the transaction and ensure closed security, would be gone.

Accordingly, the security, payment guarantees and standards would all be removed or circumvented. So QR codes for payment transactions can now never be progressed, as Apple has surely killed them off in one single stroke by introducing something far superior, far more future-proofed, and adopting all the latest global ‘industry standards’ to do it, in a way that no one else could have achieved and made happen.

QR codes were only a transient interim technology, with a place only in small ways to bridge the gap that has now been theoretically bridged.

We have heard a LOT about the impact of the ApplePay announcement on who/what will be affected, but one thing is sure: it has killed the QR code as a payment vehicle. Of course it will ‘live on’ as a very good ‘informational application’ tool where it has been used thus far, i.e. to stop people needing to type various things into a device.

Adopting QR code developments with access to secure elements in the device chip is NOT an option, and it is VERY VERY VERY VERY VERY unlikely that access to the secure element (i.e. the underlying security) will be made available to third-party developers in this way either.

Source: https://www.linkedin.com/pulse/article/20140915153149-6227568-will-apple-pay-kill-the-qr-code

Will the PSR changes work?


The Payment Systems Regulator may make major UK infrastructural and legal changes to ‘open up’ the payments industry and access to it in the UK in order to encourage innovation. They have the powers to do many things, but caution is most certainly needed.

a) Only yesterday, I received an email telling me that they are not well staffed and resourced; and from my discussions and the stakeholder meetings so far, it appears that they have very little payments industry experience in the team. The objectives of the PSR need to be clear and not driven by a few disgruntled small banks wanting free access to many established infrastructures that are maintained and paid for by all of us.

b) There seems to be a format for these types of regulators who adopt an ‘economic’ regulator agenda. This format has opened up the telecoms networks to new operators, and the pipe infrastructure in the water business (and gas and electricity), and the PSR CEO comes straight from one of these. But payments are not the same, and without payments industry knowledge there is a danger that the PSR will regulate in the same way. Some creativity is required by the PSR, to ensure it does not simply act in ‘the same way’.

c) The biggest danger is that, because payment systems are global and becoming more so, and as the UK is a leading global payments hub, action by the PSR will make the UK market something different: uncompetitive and isolated. So care must be taken NOT to do this.

d) The main restrictions on the payments ‘gateways’ are not competitive or restrictive as they were with water, electricity, gas and telecoms. The payments infrastructure is open to anyone who wants to ‘play’. The bigger restrictions are quite rightly about the governance and controls over money laundering, which require very tough controls and restrictions to be imposed, managed and governed. Again, the PSR needs to step carefully.

Source: https://www.linkedin.com/pulse/article/20141015091911-6227568-will-the-psr-changes-work

Obama signs chip and PIN executive order


US president Barack Obama has signed an executive order mandating the use of chip and PIN technology at executive departments and agencies for card payments.

With more than 100 million Americans falling victim to data breaches over the past year, thanks in part to massive attacks on the likes of Target, Home Depot and JPMorgan, the Obama administration has moved to get its own house in order.

From 1 January, cards issued by the federal government to distribute benefits will have to be chip and PIN and payment terminals acquired by agencies through the department of the treasury will also be upgraded.

“We know this technology works — when Britain switched to a chip-and-pin system, they cut fraud in stores by 70%,” says the president.

For online transactions, Obama has given a group of agencies 90 days to come up with a plan to ensure that all those making personal data accessible to citizens through digital applications use multiple factors of authentication and an effective identity proofing process.

Obama has also set out plans designed to cut the time victims of identity theft have to wait for remediation, and actions designed to improve credit score transparency.

“There is a need to act, and to move our economy toward stronger, more secure technologies that better secure transactions and safeguard sensitive data,” says the White House in a statement.

The president called on the private sector to up its game, commending those that have taken action, including breach victims Target and Home Depot, who are now rolling out chip and PIN. Earlier today, a trade body set up to push the migration from magstripes, estimated that nearly half of US merchant terminals will accept EMV chip card payments by the end of next year.

In an effort to speed up adoption, there will be a White House Summit on cybersecurity and consumer protection later this year to promote partnership and innovation, with mobile payments a particular focus. Obama is also renewing his call to Congress to enact cybersecurity legislation.

National Retail Federation CEO Matthew Shay, says: “We applaud the administration for taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards, among other things.”

Obama admits his card was rejected

At today’s event, Obama revealed that even the most powerful man on the planet can suffer the indignity of having his payment declined. “My credit card was rejected,” at a restaurant in New York last month, the president said. “Fortunately, Michelle had hers.”

Source: http://www.finextra.com/news/fullstory.aspx?newsitemid=26601
