Sebastien Taveau
Before adopting a hybrid “chip/cloud” approach to mobile payments, providers need to figure out how to tie account owners to their devices. A former architect of PayPal’s hybrid model explains why—and how to do it.
It seems clear that mobile is changing a lot of things. The telco industry has been massively impacted by the rise of the smart phone. The users of smart phones have been exposed to new behaviors (the coolest apps quest, social media oversharing, instant comparative shopping in stores or showrooming, etc.).
So it is reasonable to expect the financial world to also be impacted by smart phones beyond the changes we are seeing today.
For the past four years, I led the Mobile Ecosystems and Technology Integration unit at PayPal. Mostly, it was reading the trends and inflection points within various industries and finding which technology could support our strategy and product roadmap.
Somehow, some of the mix worked well, boosting PayPal Mobile to $4 billion in total payment volume for 2011, well on track to achieve the announced $7 billion projection in 2012 when I left (this projection has since been revised upward to $10 billion).
Looking at the trends and future needs and threats, it became clear that the payment-wallet war was showing two clear camps: the cloud-based one and the in-the-device one. However, from multiple testing and reviews, I and others as well arrived at the conclusion that a hybrid solution was the only viable solution.
Smart Hacker
Granted, most of the payment instruments should be in the cloud for ease of access from multiple devices (no one carries just a phone today, you also have a laptop, a tablet if just one) but a presence on the device is necessary to create an “anchor” or secure validation that the conduit for the transaction (the phone) can be a trusted point of entry to the cloud or to a retailer’s network (including the classic acquiring rails but also the retailer’s own CRM system).
The theory behind the wallet-in-the-device argument is that payment instruments are also stored on the phone, hence, for proximity payment, the presence of a physical element can be verified. This invariably leads to a debate about card present/card not present within the mobile-payment ecosystem. It should be asked, however, if this is a viable debate at a time when the boundaries between online and offline are blurring faster than the city of San Francisco on a summer day.
It’s my contention that mobile payment should not simply be a way to port a payment card into the phone or a method of adding a screen to a card. This would limit the user experience and limit portability across devices of a payment instrument. The experience and the wallet must provide true value and differentiation to consumers to entice usage.
And mobile payment should not be cloud-only, as in some instances (transit, for example), the consumer may not have the luxury to ping the infrastructure to validate a transaction.
A reasonable approach is to create a strong source of trust in the device and to validate it from the cloud when a connection is possible. The concept of such a hybrid solution is not far-fetched when you consider the Amazon Silk browser, which is able to run on the device or from the cloud.
However, before going down the trail of a hybrid solution, the payments industry needs to take a hard look at its legacy infrastructure and decide if it’s time to unplug its life support.
For many years, payment has been summarized from a risk-management point of view by combining what you have (a plastic card, an e-mail) with what you know (a PIN, a password, a card-verification value). Extending that concept to mobile payment and near-field communication (NFC), it could be said that the mobile phone with its secure element is what you have and the PIN (entered on the device or at the point of sale) is what you know.
This may be sufficient until some smart hacker figures out how to clone a device with proper credentials (and a secure element may not be sufficiently secure, especially for low-power transactions). This may not be as far down the road as you think since the black-hat world has been learning and hacking on smart phones faster than on any other device.
Broken Model
So the existing system creates a source of trust that is actually only partially reliable. The only way to truly manage risk on mobile—especially when moving to the hybrid approach I outlined above—is to create a strong bond between the user/owner of the account and the device itself.
This realization came to me when I was working at PayPal and found that the need for this bond extended way beyond payment. It was also the answer to the challenges of a personal cloud and the ownership of multiple devices.
This idea brings into a completely different perspective how the ecosystem players should cooperate. Arguing about who controls the secure element or who owns the consumer relationship or how to split the transaction fees was not constructive and had limited the speed of adoption of NFC for years.
Cooperation is needed around risk management, and everyone has something to bring to the table. Carriers have a strong asset in the device itself. They can provide data that proves not just what you have but also, with location services, where you are. Financial networks can provide a strong what-you-know validation with an unbeatable risk-management understanding at the transaction level.
And the last piece is the user self. Natural ID (fingerprint, voice, kinetics, etc.) can be achieved easily on a mobile device and can bring the presence of the user into the fold of risk management. This solves the who-you-are aspect of the root of trust. And it can be done on-chip, in the device, or in the cloud.
Fingerprint sensors also allow the consumer to short circuit the necessary log-in process with password or PIN, which can be cumbersome. This is especially true when navigating from one application to another, as is often the case, for example, when moving from a merchant application to a payment application, and being asked at least twice for log-in information, leading most of the time to the consumer abandoning the cart.
This solution seems even more relevant after the massive hack of LinkedIn, another high-profile company. By putting the burden to fix the problem on the consumer by requesting a regular change of passwords, LinkedIn just provides another example of a model that is totally broken and needs a complete overhaul.
The Most Pressing Issue
And before going into new business models and methods of revenue generation, it is important to address these security issues around compromised log-ins, exposed financial data, and cross-contamination of applications on plural devices. Leveraging assets on the device and in the cloud will address most of the security concerns and offer more alternatives in case of problems (and there will be problems).
We must also keep the user concerns about privacy and security front and center. For this approach to work, an opt-in/opt-out process needs to be in place. This is what Isis has created with their coupons/offers model and it is the right approach.
It also allows retailers to have stronger confidence in the transaction by making sure the verified user is doing the transaction, solving the non-repudiation issue. With a fingerprint sensor, the user provides a conscious input into the transaction by touching a specific area. This consent cannot be truly achieved with other forms of natural ID in the consumer world.
By creating a strong bond between the user and the device, a user profile and a device profile can be created, enabling the delivery of premium risk services or standard services. There is a possibility to monetize valuable data and it can benefit almost everyone in the ecosystem: Users, carriers, banks, retailers.
At PayPal, with this approach in mind, I co-authored the SSOCCADD method, a security methodology designed to cope with mobile risk.
This methodology views mobile payment as a completely different beast, with real threats and with new approaches needed to protect consumers, retailers, and payment providers. The most efficient environment to control these threats was centralized around the chip-to-cloud concept, which is a distributed form of credential validation.
So the new risk-management paradigm is pushing the card present/card not present debate to a consumer present/consumer not present debate. And it also adds a new element, the who you are/where you are pair, to the what you have/what you know risk model.
By associating the chip-to-cloud proposition with the new approach from payment networks around chip and choice (beyond chip and PIN), the user can finally have access to the true and complete content of the wallet and decide his level of comfort on authenticating himself. And the risk associated with the user and the transaction can be mitigated by multiple-factor correlation, even if these vary over the lifetime of the wallet.
Chip-to-cloud also helps solve the most pressing issue raised by the problem of multiple digital IDs: Who is the true owner?
Having left PayPal Inc. earlier this year, Sebastien Taveau is chief technology officer at Validity Inc., San Jose, Calif.