19 raisons derrière la domination future des paiements par téléphone cellulaire
AVERTISSEMENT : Les articles reflètent les intérêts et les opinions de leur auteur et ne sauraient constituer des déclarations ou des prises de position officielles de Paiements Canada.
Résumé
Le secteur des paiements est déjà l’épicentre de grands changements dans les services financiers. La cadence s’accélérera dans les prochaines années à mesure que convergeront les avancées en matière d’identité numérique, de sécurité, de données et de protection des renseignements personnels, les nouvelles attentes des utilisateurs et les capacités technologiques émergentes. Malgré son modeste marché à l’heure actuelle, le téléphone cellulaire sera sans doute le point de convergence de tous ces changements et viendra ainsi à dominer le monde des paiements.
La suite de cet article est en anglais seulement.
Analyses of payments trends and predictions tend to throw a flurry of innovations and trends up that conflate a number of technologies. In payments news sources, we are assailed daily with headlines such as: “Contactless continues to surge across the country”,“Growth in remote card payments far outpaces point-of-sale”, “Wallet users set mobile payment trends”. But these trends typically implicate many different technologies. For instance, contactless payments through Near-Field Communication (NFC) can be made by card or phone, remote payments may be made on a laptop or desktop computer, tablet, phone (or even by cheque!). In-store payments may be made at a point-of-service (POS) terminal, NFC reader or even directly to another phone. It is important to analyze these underlying technologies separately to fully appreciate their likely impact on payments in the future.
Whether online or in person, by credit or debit transfer, or using digital cash, a single platform is poised to completely dominate shopping and payments for consumers in the coming years - the smartphone.
Identity and authentication
1. Identity - This is such a critical area with far-reaching consequences that it deserves its own blog piece (stay tuned) but suffice to say that the critical limiting factor for navigating the digital world is the establishment of personal identity. In the analog world, a consumer walks around with biometric authentication and identity proofs - typically his or her face and a plastic government-issued photograph-bearing piece of ID - that are built on foundational documents going back to birth and are increasingly hard to fake. In the digital world the consumer has neither face nor plastic identity documents, which makes opening bank accounts, renewing driver’s licenses, voting and paying more difficult. Because replication of a face in real life is (currently) untenable but digital reproduction is effortless, the real world has a big advantage for establishing identity, but is painfully inefficient, siloed and expensive.
In Canada and all over the world, organizations like the Digital Identity and Authentication Council of Canada (DIACC), 2Keys and SecureKey are hard at work on making digital ID a reality across services. For instance, by establishing a Pan-Canadian Trust Framework (PCTF), using banking authentication (based on KYC identity procedures) and moving towards decentralized blockchain-based networks to offer up unhackable proofs of identity at the right place and time.
The phone will be key to these efforts because it knows who you are. It knows the biometric information that is hard-to-fake in the real world and not worth faking most of the time in the digital world (see un-scalability point below). It knows that your fingerprint, iris, heartbeat, face, gait, voice, patterns of payments behaviour, and “liveness” belong to you, or at least to the person who passed the KYC procedures to activate the phone and who has been using it without issue across all manner of sensitive activities.
The phone is the rosetta stone between the real and digital worlds.
2. Multi-factor authentication - Authentication factors are categorized into buckets (see Figure 1): 1) what you know (knowledge), e.g., a password; 2) who you are (inherence), e.g., unique biometric data like a fingerprint, and 3) what you have (possession),e.g., a card, driver’s license or a phone. Increasingly 4) geo-location (where you are) and 5) “chrono-location” (when you are) are used to verify likelihood of valid activity and detect fraud. The multifactor power of the phone is surprising: If you open your phone (which you possess) - in a place (geo-location) and time (chrono-location) that make sense - with your fingerprint (biometric inherence) and, as an added layer of security, enter a passphrase (knowledge), you can be authorized with five-factor authentication! Compared to a desktop login with a password and security question (multiple but single-factor authentication, which is considered weak) the authentication is much stronger for the same user effort. Authorized environments have recognized this inherent weakness and harness the multi-factor of the security to send a one-time password (OTP) via text message.
Figure 1: Multi-factor authentication
3. Self-sovereign ID - Honeypots of user data, information breaches and infringements of privacy all rely on your personal data being stored in other people’s databases. What if you owned your identity data, proofs and claims and could dole this information out only as much as necessary and rescind it when and where needed? That’s what the self-sovereign identity movement is trying to do, spearheaded by groups like the Sovrin Foundation for whom ATB Financial is a “steward”. Their approach is blockchain-based, but the phone - with its secure encryption hardware or emulation - is as self-sovereign as it gets while still being outside your body.
4. Device-owner nexus - FIDO (Fast Identity Online) technology allows the biometric authentication of the phone and its unique machine identity - established through device-specific public-private key pairs - to allow fast access to banking and other authorized environments. This is exhibit number one of how the convergence of technology in the phone moves the security/convenience possibility frontier out.
5. Zero-knowledge - Authorization to perform many activities requires satisfaction of some sort of criteria, typically achieved with often-superfluous information about the person in question. The phone provides the platform to satisfy the criteria without divulging unnecessary information, or even any information at all. The classic example: a young person trying to enter a bar who must satisfy the criterion that they are above the age of majority. Typically, this is achieved through squinty-eyed scrutiny of a driver’s licence or passport. In addition to the examiner establishing that the would-be patron is of age, he or she now has access to their full name, address, height, gender and date of birth - all unnecessarily. Compare instead the patron biometrically activating their phone and holding it over an NFC reader: green light means go, red means stop and the bouncer has zero-knowledge about the person entering.
Security
6. Tokenization - Primary Account Numbers (PANs) for credit cards, banking and other services are a primary locus for fraud and counterfeit. Most consumers understandably don’t know or much care that using an NFC-enabled contactless credit card and Apple Pay send two completely different numbers to the issuing processor - hence part of the reason for the slow migration from cards to mobile wallets (in Canada at least). But they should - one is much more secure than the other. The physical card featuring the PAN will work - barring an exceptionally vigilant merchant - no matter where it is being used (and by whom), whereas the tokenized number only works with one phone, owned and authenticated by one person. This is also the case with debit cards - and is of even greater importance as consumer protection is weaker in this space. Ironically, a key reason for relatively slow uptake of mobile contactless payments - beyond a simple novelty effect - is the perception that phone tapping is less secure (see Figure 2, above).1 That is likely to change with broader use and demographics - in 2017 over 2 in 5 Canadians in the 18-34 age group reported using mobile contactless payments.2
Figure 2: Perception of security on contactless credit /debit card payments: % of cardholders
7. Hardware encryption - Apple’s Secure Element (SE) and Android’s cloud-based Host Card Emulation (HCE) provide a physical or emulated almost-unbreakable encryption environment hived off from the operating system with no possibility of a scalable attack. The SE or HCE are what makes tokenized card numbers infinitely more secure than PANs. When the Token Service Provider (TSP) creates the token on behalf of the card issuer, it is stored safely away from prying eyes (and apps) in the SE/HCE vault.
8. Un-scalability - In a world where “scalable” is a mandatory adjective in every solution pitch, the phone offers a welcome refuge. To get at the biometric factor authentication, tokenized card numbers and other sensitive nuggets in a phone requires serious effort. Yes, faces and fingerprints have been hacked - but one at a time and usually at some expense. The cost is not worth it for criminals and fraudsters who have better odds of hitting the jackpot buying databases with stolen card numbers and passwords on the dark web. With multiple biometric authentication and Fort Knox hardware (or emulation thereof) encryption, there will be few conceivable incentives to pry open a phone.
9. Vigilance - Recent studies indicate that typical users touch their phones an average of over 2,600 times per day. This means that a missing phone is noticed very quickly - more quickly than a missing wallet, cash, health card etc. This also means that people respond very quickly when their phone is missing, leaving comparatively little time for malfeasance. And unlike a physical wallet when a phone goes missing there are intuitive and helpful steps that can be taken to find it or minimize risk, including using the onboard location services to find the phone, sign out of sensitive applications or ultimately to wipe it.
The digital portal
10. Portability - It’s the computer that you can carry around. Tablets are fine for POS devices or browsing in a cafe but are cumbersome when paying for a coffee or getting on a bus. Some would argue that the phone is just a stepping stone to biometric payment through face recognition or “smile-to-pay” but the problem is that the face doesn’t have apps, can’t take pictures and interface with digital systems through APIs. A phone can and does (see “convergence” below). And payment-by-face simply shifts the device ownership from the consumer to the merchant, who will inevitably be using a phone for face-to-face payments.
11. Convergence - Phones aggregate your life’s activities into a single platform. Banking, social media, communication, entertainment, navigation, news and weather, photos and more all in one place. It’s hard to imagine that as recently as the early 2000s, this functionality would have required more objects than a person could carry at a single time, sparing few arms for taxi hailing in the pre-Uber era.
12. Integration - Beyond just a portable location to store your life, the phone offers an integration environment to connect the various parts of life in meaningful and helpful ways. WeChat Pay and AliPay aren’t just closed-loop commerce platforms, they are integrated life platforms for the user offering a single interface to shop, buy, rent a bike, do banking, invest in money markets, schedule and budget towards a savings goal. Similarly, popular African payment app mPesa turns the phone into a banking service but also allows payment of electricity, water and even satellite TV services. Visitors to Canada from Europe, Asia and Africa may find it charming that we open one banking portal to send money to another person and click on a separate apps to hail a ride. With the rise of lifestyle platforms on social media and increased access through open banking and APIs, that is likely to change.
13. Interoperability - Carriers and Original Equipment Manufacturers (OEMs - e.g. Apple, Samsung) differ between people and places, but their phones can access the same information and can communicate with each other. As commerce becomes borderless and open and closed-loop systems provide frictionless consumer and person-to-person payment choices, phones will become the international passport for shopping and transferring money without the need to move through domestic banks and correspondent international arrangements, likely through digital cash, international remittance or credit card push payments.
14. Ubiquity - Not everyone has a credit card, out of choice or accessibility. Cash comes and goes and may not be there (for nefarious and other reasons) when you need it, but almost 90% of Canadians aged 18 and over own a smartphone and about the same proportion are subscribed to a wireless device. That figure is only likely to increase. Already it is a priority even for people who struggle to get by. In the coming years, it will become an indispensable pseudo-right - a passport to digital life and this ubiquity will form a virtuous circle (or vicious, depending on your techno-wariness) with the other factors listed here.
15. Substitution - The phone has replaced all manner of gear in the consumer’s life and it is poised to do the same for merchants. The phone not only emits an NFC signal, which can be picked up by readers, it is a reader itself. This means that it is feasible that merchant readers, typically furnished by processors and acquirers, can theoretically be bypassed and transactions can occur directly between an NFC-enabled card or phone and another smartphone. Canada’s Mobeewave, has put theory into practice and done just that. Mobeewave has introduced technology that allows NFC-enabled Android smartphones to directly accept credit card payment by card or phone tap. National Bank has launched EasyPay as a white-label implementation of the Mobeewave technology and Samsung has announced that it will enable the Mobeewave POS on its OEM devices.
The User’s Best Friend
16. Sensation & perception - The phone can see the world through the camera. It can see QR codes (which are destined to return in force), NFC fields, bar codes, faces, environments and objects that can be overlaid with augmented reality. This opens untold possibilities for browsing (the real-world old-fashioned kind), self-checkout, payment authorization and authentication. The phone can also hear. Not only hear but only be awakened when it should be. This puts the phone firmly in the pantheon of voice-activated internet of things. However, unlike the smart fridge or toaster, the phone moves with you and can explore the environment with you. This allows it to be the input for a digital coding of the physical environment, which can be aggregated into augmented reality and AI systems to help the user identify opportunities and navigate the real world.
17. User Experience - Banking and payments regulation and systems are likely to change in Canada. With the possibilities inherent in open banking, payments modernization and the Retail Payments Oversight Framework, new players are chomping at the bit to enter the space between the end user and their deposit and credit accounts. These overlay and user experience (UX) services will provide a tailored, integrated and intuitive experience for the right user at the right time in a way that generic portals, interfaces and stand-alone platforms never can. Owning the platform but not creating the content has been the key to the explosive success of the iPhone and Android devices. Financial institutions (FIs) are realizing that they can never hope to create the multi-varied content and experience that will appeal to tomorrow’s (and today’s) end users and are shifting, first through a “partnering” phase with fintechs, and eventually towards a “platform” phase where they own the universe and the plumbing and others come to play in their API space.
18. Data, for better or worse - There is a gold rush for commercializable consumer and business data. Some businesses do a good job of capturing consumer behaviour in their silo but still can’t see the complete picture of their current or potential customer. Platforms that can see across the silos (e.g. search engines, e-Commerce ecosystems and, increasingly, acquirers and card brands) have a real advantage. As consumers and their algorithms become increasingly sophisticated, they can also benefit from offerings that meet their needs. To find evidence for this point, one need not look any further than Amazon, which generates up to 35% of sales from predictive suggestions. Almost half of customers make a purchase decision based on recommendation. Almost everyone nowadays is walking around with a silo-busting platform in their pocket that not only increasingly sees their every purchase but knows when, where and - thanks to biometric authentication - who they are. Regulation, advocacy and personal awareness will dictate whether this rich-data omni-presence will be used for empowerment or exploitation but regardless there are strong demand- and supply-side pressures turning the phone into the golden chalice.
19. Queue jumping - Don’t feel like waiting in line to pay for something? You’re not alone: a Payments Canada survey in 2018 revealed that over half of would-be customers have walked out of a store or abandoned an online purchase when faced with a long line-up or inconvenience at checkout. More and more, customers will have the option of paying with a proprietary store app or an open loop app like that developed by Digital Retail Apps leaving queues shorter for consumers that prefer the personal interaction. Some stores like Amazon Go leave no choice but to use the phone as a conduit for payment. Order ahead services for everything from coffee to take-out to groceries to gourmet pick-up offer the triple-threat of less waiting, pre-payment and tantalizing customer data and loyalty for the merchant.
So what is the current status of phones in the payment process in Canada? The short answer is that - notwithstanding the arguments presented above - where we measure phone penetration in payments, it is not very high. A 2017 Ipsos study found that only 7% of respondents had used their phone to make a contactless transaction, an underwhelming increase from 5% the year before (see Figure 3). Data from Visa doesn’t paint a much rosier picture - suggesting in 2017 that only 12% of consumers had used the phone to make a contactless payment. However a few factors should be considered here: first, contactless phone payments are still in the early going and facing a more familiar and seemingly equivalent competitor in the NFC-enabled credit and debit card. Watch this space for more recent data that may show strong growth as consumers realize they can leave their wallets at home or get by with their phone and ever-fewer plastic cards. Second, NFC-capable phones and readers are not ubiquitous in Canada and the card can still be used via chip and PIN when necessary - that gap will close over time. Third, most contactless transactions face a $100 limit. However, spending limits are likely to rise with integration of trusted biometric authentication, allowing the contactless methods to pay for ever-pricier items.
In fact, stirrings in data are starting to paint a picture of mobile payments taking off. A 2018 Payments Canada consumer payments study3 showed that more than half of the debit transactions in the previous week were contactless and almost two-thirds of these were made over a mobile device. Similar trends are observed for credit card use.
Also, contactless retail payments only tell a portion of the mobile payment story. Is there any other way to pay for an Uber or Lyft than via phone? Google estimated in 2017 that one-third of Canadians had paid for something with a smartphone, though not necessarily in the retail contactless space. There are also strong suggestions that a high proportion of INTERAC e-Transfer payments are initiated via phone.4 Again, as new data are accumulated, a very different story may emerge from the rather flat tale thus far.
Concluding remarks
To be sure there are drawbacks to the phone as the primary portal to the world of digital consumption and digital life in general. Even before smartphones have achieved full ubiquity and without the advent of digital ID, an integrated app environment or open banking, losing one’s phone feels akin to being tossed out of the walled garden. Loss of signal or WiFi can induce similar feelings. In the future, it could be cataclysmic to be without a connected phone. So there will always be the need for redundancy, probably in the analog world. The phone has its limitations as well. Small displays and pinpoint-accurate dexterity will never make it the primary candidate for high-quality viewing, typing or manipulation.
Much of the promise of the phone detailed above has not arrived yet. We still need plastic cards to drive, buy alcohol, vote and go to the doctor. And there is no magic life app that has your banking and Netflix wishlist on the same interface. For all the talk of data sharing and accompanying manipulation, strong predictive and integrated data is still in its infancy and will rightly revert even further until privacy and consent - and the subsequent tyranny of consent - get sorted. Mobile payment still faces misplaced pricing hurdles5 and the regulatory playing field is almost impossible to predict. However, it seems self-evident that most or all of these things will be settled. And settled soon. There’s too much at stake for all of the players involved - the consumer, processor, payments networks, payments account providers and even financial market infrastructures. When the dust settles, the phone will almost certainly emerge supreme and indispensable.
The Author
Jeffrey Stewart
As a Business Analyst at Payments Canada, Jeff is responsible for analyzing and developing educational material for the Canadian payments ecosystem and conducting research in support of payments modernization initiatives. His research interests include data in payments, closed-loop ecosystems, monetary policy and decentralized currency. Prior to joining Payments Canada, Jeff worked in the private and public sectors as a policy analyst, researcher and programmer, and as an independent business owner. Jeff holds Master's Degrees in Cognitive Science and Public Administration from Queen’s University.
12017 Personal Cardholder Syndicated Survey (PCS), Ipsos 2018.
2Ibid.
3Payments Canada/Leger Marketing. 2018 Canadian Consumer Payments and Transactions Survey
4Over half of our survey respondents indicated that they use their mobile phones to send INTERAC e-Transfers. Payments Canada/Leger Marketing. 2018 Canadian Consumer Payments and Transactions Survey
5E.g. mobile in-store app purchases being charged a higher Card-Not-Present processing and interchange fee.