Evolution of the Mobile Payment Market
NYTECH Council Event, October 15, 2015, New York City
Robert Tibbs, Founder and CEO, Kayden
Andy Lorentz, Partner, Davis Wright Tremaine
Paul Miller, CEO, mSIGNIA
2
Andy Lorentz, Partner, Davis Wright Tremaine
Robert Tibbs, Founder and CEO, Kayden
Paul Miller, CEO, mSIGNIA
Moore’s Law*
The number of transistors on a chip doubles every year for a doubling of the computing power at roughly the same cost
Updated in 1975 to forecast a doubling of computing power every two years
*From Gordon Moore, head of research at Fairchild Semiconductor, later co-founder and CEO of Intel
Intel 4004 (1971) vs. Intel Core i5 (current model):
3,500 times the performance
90,000 times more energy efficient
60,000 times lower cost
Source: NY Times (5/13/2015)
3
Moore’s Law and the Volkswagen Beetle
Volkswagen Beetle (1971) vs. Volkswagen Beetle (current model – IF Moore’s Law applied to VWs)
Top speed of 300,000 miles per hour
2,000,000 miles per gallon of fuel
Cost of 4 cents
Source: NY Times (5/13/2015)
4
What if we apply Moore’s Law to financial services? “FinTech” – worlds colliding or connecting?
5
What Divides “Fin” from “Tech”…
Banks Product Development:
– Bank grade product / technology before it hits the market
– Invest on the front end
– Slow to market
– Don’t fail (or even better, be “too big to fail”), don’t run out of other people’s money
– Ask permission
Outsourcing means Due Diligence, Contract, Monitoring:
– Protracted and detailed
APPs Product Development:
– Philosophy of “Lean Startup” by Eric Ries: only “Minimum Viable Product” before it hits the market
– Invest on the back-end
– Rush to market
– Fail fast, iterate product, don’t run out of money
– Beg forgiveness
Outsourcing means “take out” food:
– Handshakes instead of contracts
…Leads to Culture Clash
7
Growth in “Alternative Payment Providers”
Growth of P2P Market, APPs for online transactions, e-wallets, mobile payments, “Buy” Buttons
In January 2014, it was estimated that APPs will account for 59% of online transactions and that e-wallets will equal cards in terms of market share in 2017
Peer-to-peer payment market expected to reach $17 billion in 2019
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
8
Who (and what) are these guys?
9
The Clearing House Diagnosis: An Uneven Playing Field in Data Privacy and Security
“Financial Institutions” are subject to extensive regulatory, supervisory and enforcement scrutiny by their prudential regulators
GLBA Interagency Guidelines
More stringent implementing regulations and consequences
Safety and soundness
Banks ultimately bear customer service and fraud costs
Alternative Payment Providers (APPs) provide products and services utilizing “backbone of existing payment systems” and avoid the reach of prudential regulators
GLBA FTC Safeguards Rule
Not subject to regular examinations, enforcement actions or oversight
– Lighter substantive requirements
– Lower odds of facing enforcement actions or sanctions
“Banks and APPs engaging in functionally similar activities should be subject to similar regulatory regimes.” – The Clearing House
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
10
The Clearing House Prescription: Level the Playing Field
Enhance substantive regulatory requirements imposed on APPs
Use available examination authority to examine APPs
– CFPB should designate “larger participants” in payments market
– CFPB and others – use authority over “service providers”
Enforce existing requirements for APPs
– FTC GLBA Safeguards Rule
– FinCEN (money services businesses)
Legislate additional data security requirements for APPs, resource FTC further, give FTC or CFPB exam authority over APPs
“REGULATORY FAILURE”
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
11
“Gaps” in The Clearing House Paper
12
Premise is wrong regarding sources of risk to data
– Encryption, tokenization and biometrics are APP staples
Treats “banks” as a monolith and “APPs” as a monolith – ignores tremendous variation within both groups, except that:
– All banks enjoy exclusive powers in the “business of banking” including certain network access
– Banks can borrow at the Fed window and are FDIC insured
– Nationally chartered depository institutions benefit from preemption
Ignores possibility that cacophony* of legislatures and regulators and fractured regulatory regime are the root causes of disparities in regulation, supervision, and enforcement
Soft-pedals bank obligations to oversee service providers
*jarring, discordant sound; dissonance. The Free Dictionary.
(More) “Gaps” in The Clearing House Paper
13
Fails to ask whether particular regulation is sensible – why should we “level” to inappropriate standards?
– Ignores policy preferences for regulation based on performance rather than design standards
• BUT beware UDAP/UDAAP combined with excessive authority
Ignores considerations of consumer choice and reaching underserved markets for financial services
Is one-dimensional – data privacy and security only – when the need for (sensible) regulatory policy changes is much broader
– Data-driven risk-based approach informed by behavioral economics?
Fails to ask why bank partners of APPs agree to participate in platforms that so disadvantage them
The banking lawyer’s world… (word cloud):
Business of banking / Deposit-Taking
Truth in Lending Act / Reg Z
Regulation B
Bank Secrecy Act
OFAC
Reg D
Truth in Savings Act
Regulation II
Gramm-Leach-Bliley Act
Fair Credit Reporting Act
Data breach/security
FDIC Deposit Insurance
E-SIGN Act
Unfair, Deceptive or Abusive Acts and Practices Laws
State Money Transmitter Laws
State Privacy and Security Statutes
Card brand rules
Gift card
Anti-Money Laundering Compliance
TISA/Reg DD
Reg CC
Escheat
Durbin Amendment
Identity-Theft Red Flags
Check 21
Truth in Billing
Electronic Fund Transfer Act / Regulation E
Regulation DD
14
Reflection
American Bankers Association: “Lets Innovate. Not Mandate.”
U.S. Chamber of Commerce: “[T]he Chamber believes that industry self-regulation and technology-neutral best business practices are the most effective way to enhance innovation, investment, competition, and privacy.”
Building a 21st-Century Regulator’s Toolkit by Daniel Gorfine and Chris Brummer of the Milken Institute
21st Century Regulation: Putting Innovation at the Heart of Payments Regulation by Ebay/PayPal’s Public Policy Lab
The Regulator of Tomorrow by Shrupti Shah, Rachel Brody, & Nick Olson of Deloitte
15
Mobile Payments Overview
16
17
Who’s Leading Mobile Payment Innovation?
Copyright ©, Confidential 2015
The ‘Usual Suspects’ ??? A New Leader ??? A Disruption???
Visa, MasterCard, Amex, Discover, Banks
Apple, Google, Operators, Samsung, Merchant, PayPal, Bitcoin
18
CP Payment: EMV (online)
Diagram – columns: Consumer / Issuer | Network / Interoperability | Merchant/Acquirer
Parties: SE (on the consumer device), Issuing Bank, Card Network (w/Tokenization Service), Acquiring Bank, Merchant, Merchant website
Consumer verification at the device: PIN / Bio / Sign
Messages: Payment Token + Verification from SE to Merchant; Transaction Data & Payment Token from Merchant through Acquiring Bank to Card Network; Transaction Data & Card # from Card Network to Issuing Bank; Payment Verification returned along the same path … Transaction Approved
Global Security HW Availability (chart; category labels not recoverable): 89% of the 3B Smart Devices Worldwide have NO Secur…
NO NATIVE HARDWARE SECURITY … NO MASS MARKET
19
US Security HW Availability (chart; category labels not recoverable): Android FP 0%; 81% of the 365M Smart Devices in the US have NO …
How do Merchants and Web Services Reach the Majority of their Customers?
20
CP Payment: Host Card Emulation (HCE)
Diagram – same columns and parties as the EMV slide: Consumer / Issuer | Network / Interoperability | Merchant/Acquirer; Issuing Bank, Card Network (w/Tokenization Service), Acquiring Bank, Merchant, Merchant website
Consumer device labels: Wallet Authentication (PIN / Bio / Sign); SE Payment Verification
Messages: Payment Token from the device to Merchant; Transaction Data & Payment Token from Merchant through Acquiring Bank to Card Network; Transaction Data & Card # from Card Network to Issuing Bank; Payment Verification returned along the same path … Transaction Approved
21
CNP Payment: 3-Domain Security (3DS)
Diagram – same columns and parties as the EMV slide: Consumer / Issuer | Network / Interoperability | Merchant/Acquirer; Issuing Bank, Card Network (w/Tokenization Service), Acquiring Bank, Merchant, Merchant website
Consumer device labels: Wallet Authentication (PIN / Bio / Sign); Payment Verification
Messages: Payment Token from the device to Merchant; Transaction Data & Payment Token from Merchant through Acquiring Bank to Card Network; Transaction Data & Card # from Card Network to Issuing Bank; Payment Verification returned along the same path … Transaction Approved
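The token flow on the CP and CNP slides above, as an added simulation that is not part of the deck and not mSIGNIA's or EMVCo's code: the device-side credential store presents a payment token plus a per-transaction verification value, the merchant and acquirer forward only the token, and the card network's tokenization service swaps it for the card number before the issuer sees it. Party names, the token format and the HMAC-based verification are constructed stand-ins for the real EMV cryptogram.

```python
import hashlib
import hmac
import secrets

PAN = "4111111111111111"  # constructed test card number; only the issuer and token vault know it


class TokenService:
    """Card network tokenization service: the only party holding the token -> PAN mapping."""

    def __init__(self):
        self._vault = {}  # payment token -> (PAN, per-token key shared with the device)

    def provision(self, pan):
        # Constructed surrogate format: 16 digits starting with 9, so it cannot equal the PAN here.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = (pan, key)
        return token, key

    def detokenize(self, token, txn_data, verification):
        """Return the PAN only if the per-transaction verification matches token and data."""
        if token not in self._vault:
            return None
        pan, key = self._vault[token]
        expected = hmac.new(key, txn_data.encode(), hashlib.sha256).hexdigest()
        return pan if hmac.compare_digest(expected, verification) else None


class SecureElement:
    """Device-side credential store (SE, or wallet software under HCE): holds token and key, never the PAN."""

    def __init__(self, token, key):
        self._token, self._key = token, key

    def pay(self, txn_data):
        # The verification value binds the token to this transaction's data (merchant, amount, time).
        return self._token, hmac.new(self._key, txn_data.encode(), hashlib.sha256).hexdigest()


def authorize(token_service, issuer_pan, merchant_log, token, txn_data, verification):
    """Merchant -> acquirer -> network -> issuer leg. merchant_log is what a merchant breach exposes."""
    merchant_log.append((txn_data, token))
    pan = token_service.detokenize(token, txn_data, verification)
    return pan is not None and pan == issuer_pan  # constructed issuer rule: approve its own card


def run_purchase():
    """One honest purchase, then the captured token reused with the amount altered (must be refused)."""
    ts = TokenService()
    se = SecureElement(*ts.provision(PAN))
    log = []
    txn = "merchant=ACME;amount=42.00;ts=1444924800"
    token, verification = se.pay(txn)
    approved = authorize(ts, PAN, log, token, txn, verification)
    replayed = authorize(ts, PAN, log, token, txn.replace("42.00", "4200.00"), verification)
    merchant_saw_pan = any(PAN in data or tok == PAN for data, tok in log)
    return {"approved": approved, "replay_approved": replayed, "merchant_saw_pan": merchant_saw_pan}
```

The merchant log shows why a breach on the merchant or acquirer side yields only tokens, and the refused second authorization shows why the verification value must cover the transaction data rather than just the token.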
22
Who Are You?
23
COMPARING AUTH METHODS FOR HARDWARE AND USER
45 Auth Methods Mapped by Security, Friction, and Cost
Scatter chart – Hardware Auth Methods (26) and User Auth Methods (19)
Axes: Zero User Effort (Frictionless / Passive) versus Friction, User Action Required; High Security versus Low Security (both panels)
Legend – ID Cost: Free, Low (<$1/yr), High (>$1/yr) (Assumes 50 auths/year)
Plotted method labels, as extracted: Ctxt Key Crypto, SIMaaS, Smartcard / USB Key, OOB eMail, ID Pict, Custom OTP Token, Card/RFID, Signature, BioRetina, PIN/Swipe, Choose Image, BioHeart, Dev Geo, KBA preset, BioVoice, Bio3DFace, BioFP, SE/Token, MNO Acct, SMS Link, SMS OTP Up, Contextual DevID, Push Alert, BioFacial, Passive Voice, Social Validation, SiteNav, Codebook, UI Tracking, Password, Cache PW, KBA Real-time, Soft Token, Device FP, QR code 2 PC, OOB call, Push OTP, Soft OTP, Geo Proximity, OS TEE, SMS OTP, Contextual Auth, Net Geo, Dynamic Tag
ACTIVE VS PASSIVE BIOMETRICS
Active Biometrics
• Requires discrete user action
• Examples
  • Fingerprint
  • Facial (static, proof-of-life, 3D)
  • Cardio
  • Retina
  • Voice (scripted)
• Static validation
• Actual bio should stay local
• Perfect for Perimeter Auth where sensor high quality + trusted
  • Border control
Passive Biometrics
• ‘Learned’ behavior
• Frictionless
• Examples
  • Geolocation
  • User Data Analytics
  • Voice (sampling)
  • User Interface (kinesiology)
    • Typing, mouse/pinch
  • Site navigation
• Scoring threshold
24
25
CONTINUOUS CONTEXTUAL IDENTITY
Attributes (> 500 in total) | Select Examples | General Rate of Change (varies by user)
User Added Personalization | Music Count, Calendar Count | Volatile, behavior-based change rates
User Behavior | Location, UI Gestures | User-defined repeating patterns
User Secrets and Biometrics | PIN, Fingerprint | No change
Apps & OS | App binary, Jail broken | ISV and OS driven change
Connections | Cellular, Wifi, Bluetooth | Repeating, network related context
Hardware | Serial #, IMEI # | No change
PII hashed at device to respect privacy
Data consistent across new & secondary user devices; defends against account takeover when adding a device
Diagram layers: Device HW, Connections, Apps/OS, User Added Data, Behavior, Secrets + Bio, App (permission-based data used by app)
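The attribute table and the "PII hashed at device" / "new & secondary device" points above, together with the scoring threshold from the passive-biometrics slide, as an added illustration that is not mSIGNIA's algorithm or code: each category is weighted by its expected rate of change, attributes are hashed on the device before they are sent, and a weighted match score against the enrolled baseline is compared with a threshold. Weights, threshold, the per-account salt and every attribute value are constructed.

```python
import copy
import hashlib

# Category weights tied to the slide's "general rate of change": the categories that should
# never change (hardware, secrets/bio) weigh most; volatile ones weigh least, so normal
# drift in music count or a new Wi-Fi network does not lock the user out. Constructed values.
WEIGHTS = {"hardware": 0.30, "secrets_bio": 0.25, "connections": 0.15,
           "apps_os": 0.10, "user_added": 0.10, "behavior": 0.10}
THRESHOLD = 0.60  # constructed scoring threshold


def hash_attributes(account_salt, attributes):
    """Device-side step: only salted SHA-256 hashes of each attribute leave the device.
    The salt is per account (an assumption), so a second device of the same user hashes
    its carried-over data to the same values and can be matched when it is added."""
    return {cat: {k: hashlib.sha256(f"{account_salt}:{cat}:{k}:{v}".encode()).hexdigest()
                  for k, v in vals.items()} for cat, vals in attributes.items()}


def score(baseline, observed):
    """Weighted fraction of enrolled attribute hashes that the new observation reproduces."""
    total = 0.0
    for cat, weight in WEIGHTS.items():
        base, seen = baseline.get(cat, {}), observed.get(cat, {})
        if base:
            matched = sum(1 for k, h in base.items() if seen.get(k) == h)
            total += weight * matched / len(base)
    return round(total, 3)


def evaluate(baseline, observed):
    """Return (score, accepted) for one observation against the enrolled baseline."""
    s = score(baseline, observed)
    return s, s >= THRESHOLD


ENROLLED_RAW = {  # constructed attribute values for one user's primary device at enrolment
    "hardware": {"serial": "SN-0001", "imei": "350000000000001"},
    "secrets_bio": {"pin": "1234", "fingerprint_id": "fp-7"},
    "connections": {"cellular": "carrier-a", "wifi": "home-ssid", "bluetooth": "car-kit"},
    "apps_os": {"app_binary": "sha-of-app-v1", "jailbroken": "no"},
    "user_added": {"music_count": "412", "calendar_count": "87"},
    "behavior": {"location": "nyc-midtown", "ui_gesture": "left-thumb-swipe"},
}
SALT = "per-account-salt-constructed"


def demo():
    """Three observations: same device with normal drift, the user's new secondary device,
    and an unknown device presenting only the correct PIN and a copied location."""
    baseline = hash_attributes(SALT, ENROLLED_RAW)
    drifted = copy.deepcopy(ENROLLED_RAW)
    drifted["user_added"]["music_count"] = "450"
    drifted["connections"]["wifi"] = "cafe-ssid"
    new_device = copy.deepcopy(ENROLLED_RAW)
    new_device["hardware"] = {"serial": "SN-0002", "imei": "350000000000002"}
    unknown = {"secrets_bio": {"pin": "1234"}, "behavior": {"location": "nyc-midtown"}}
    return {name: evaluate(baseline, hash_attributes(SALT, obs))
            for name, obs in [("drift", drifted), ("new_device", new_device), ("unknown", unknown)]}
```

The new secondary device passes on the strength of the carried-over user data, behaviour and secrets even though every hardware attribute differs, while a device that knows only the PIN and location stays far below the threshold.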
Definitely My Prediction?
26
So… Who’s Leading Mobile Payment Innovation?
Apple Google MasterCard
EMVCo
THANK YOU!
27
Robert Tibbs, Chairman and CEO, Forbes Digital Commerce – [email protected] – 415.244.2055
Andy Lorentz, Partner, Davis Wright Tremaine – [email protected] – 202.973.4232
Paul Miller, CEO, mSIGNIA – [email protected] – 310.945.7744