Webinar: The Future Of Mobile Payments – Where Next? Watch On Demand
Trustonic’s David Keating, Sales Director, and Joe Pinder, Product Director Payments, met with Paul Hampton, Senior Product Manager at Thales, to discuss developments and trends in the payments industry. Sign up to watch the on-demand recording of the future of mobile payments below.
Usability, friction and security
Over the last 10 to 15 years, there have been significant changes in the payments industry, with the shift from plastic cards to the use of mobile devices to make payments. The Apple Pay experience, for example, has transformed what customers expect from payment technologies. However, security has been playing catch-up and needs to adapt accordingly.
When chip and PIN replaced signatures on cards, this helped bolster security by removing much of the cardholder-present fraud. However, having to remember a PIN introduced complexity into the experience, and banks were concerned this friction might result in low adoption rates. Although the growth of contactless payments and the removal of minimum spend have reduced friction, there will always be this balance between security and friction, and we will continue to see this as we move forward.
What’s next: consolidation or change?
The payments industry has undergone a period of intense change in recent years, despite the industry tending to be more cautious than technology in general due to regulatory control and issues around consumer acceptance.
Although a period of consolidation to capture and secure these changes is probably needed, it may be that we’re at an inflection point and rapid change will continue, fueled by the SPoC and CPoC standards from the Payment Card Industry (PCI), the body that governs payment card security.
The new CPoC™ plus PIN standard is expected in 2021, and this will revolutionize card payments by enabling PIN entry on smart mobile devices to allow higher value transactions. CPoC plus PIN will democratise card payments by replacing expensive, specialist hardware with a secure, integrated experience on a smartphone. Download the attached PDF to learn more about CPoC plus PIN.
However, there are security challenges and complexities involved in this, and achieving the CPoC plus PIN standard will be no easy feat, as payment providers are discovering. How do you design a secure, future-proof solution that isolates and protects a user’s PIN separately from their account details, on the same device? And how do you do this when you’ve no control over the capabilities of the end-user device? Dealing with these challenges will be the same regardless of whether you’re a large, long-established business in the payments industry or a new player.
“It becomes a level playing field of who is actually going to come up with the best technology, the best methods and processes to provide security in this new arena.” Joe Pinder, Trustonic
CPoC plus PIN also changes the entire onboarding experience, which used to involve issuing physical devices to merchants, with a lead time of 4 or 5 days before they could accept payments. Now, all merchants need to do is download and install an app onto their phone to accept card payments.
There will be new security challenges around operational procedures in this new environment; for example, how do you inject a secure key, on a huge scale, on a monthly basis, and in a cost-effective way? How do you cycle your keys? Ultimately, these processes will be solved by technology, but this is likely to take 12 to 24 months.
These challenges will be especially difficult for organisations that have firmly established and embedded ways of working. Pinder believes there will be many in this space who cannot make the transition and will have to spin off or acquire start-ups to enable them to go to market rapidly. The organizations that will succeed and excel are those that can make the various components work together seamlessly in a smooth and cohesive manner.
How do you future-proof payments provision?
For many businesses, payments and the way you receive them are closely coupled with your current payment provision. However, this traps businesses into doing things in a certain way because they’ve always been done like this, and it then becomes difficult to change your processes. This means you can’t pivot as quickly as competitors who can switch to the latest, greatest, and easiest way of accepting payments.
“As a business operating in this space, you almost need to treat your payment provision as a utility.” Paul Hampton, Senior Product Manager at Thales
The API will be key to this and is expected to become the de facto way of communicating between organisations. The API will also play an important role in the handling of micro transactions.
“API will be king and will take over in the next 24 months.” Paul Hampton, Senior Product Manager at Thales
Hampton’s advice is this: do not couple your business and your business processes tightly to your payment mechanisms. Maintain that flexibility, build on the API technologies and make sure your business is operating via those APIs. This will future-proof you and enable you to pivot quickly, whichever way things go.
Pinder believes that we need to learn the lessons from cloud computing. Amazon disrupted this market by producing a solution that was much easier to consume. So, it’s about considering the wider developer experience and not getting bogged down in the details of encryption standards etc.
For more information, see Trustonic’s Application Security to learn how it can protect your apps with the best security possible on every device and achieve CPoC™ plus PIN certification. See also the attached PDF for more about this.