
“UK Consumer Payment Processing the last 20 years”

“UK Consumer Payment Processing the last 20 years”. And where are we heading ? BCS Dorset Meeting June 2016. Steve Marshall, Technical Advisor. June 2016. Context and “why am I here” ? I previously spoke to BCS Dorset in October 2011 on.


Presentation Transcript


  1. “UK Consumer Payment Processing the last 20 years” And where are we heading ? BCS Dorset Meeting June 2016 Steve Marshall Technical Advisor June 2016

  2. Context and “why am I here” ? • I previously spoke to BCS Dorset in October 2011 on "PCI DSS its impact on UK Credit & Debit processing and where EMV processing fits in. Where have we currently got to ?" • I was a little surprised to receive an email early this year asking me to speak to you again • BUT here I am some 4 ½ years after the first talk, and in that period • I’ve been formally retired (actually semi retired) for four years • Substantial changes have occurred, and are continuing in “Consumer Payment Processing” • Technology (and IT techniques) • Attitudes • Expectations • I’ve had more time than previously to observe, and contemplate, these matters Hence the title of the talk, which I hope will prove interesting

  3. Preamble The views expressed in this discussion are the presenter’s, following over 25 years IT experience and involvement in :- • The development and management of IT systems for a major UK Financial Institution • Technical participation in the UK industry Chip, and subsequently PIN@POS initiatives (for me 1995 to end H1 2012) • All Information Security/ Cyber Security influences and incidents impacting “UK Card Security” over a 15 year period (1997 to end H2 2012)

  4. What I said to BCS Dorset - in Oct 2011 Two of the three main messages I put forward • The consequences of major organisational and control changes in Card Processing in the UK appear to take five years, or more, before the consequences become apparent to all the major participants in the industry. • What challenges and opportunities are the next five years going to pose for Card Processing ? • The growth in Contactless payments • The advent of the use of Mobile Contactless • Increasing global acceptance of EMV • Reducing the actual importance of the PAN, in retailing especially

  5. How much foresight did I have ? • UK Contactless transaction volumes took off in autumn of 2015 • Accelerating very fast now • Mobile payments are here (in the UK) and again growing fast • Are we behind other regions ? • US has gone Chip (well Chip and signature) • Many more people are aware of the term “Tokenisation” these days • PCI has documentation on the subject • “Updated and modified” forms of attack are being used • Examples appear quite regularly in the media

  6. How do UK Consumers pay ? • Barter • Cash • Cheques • Credit Cards • Debit Cards • Mobile Payments/Micro Payments • On line Banking/“Faster Payments” Will concentrate – after some history – on post 1995 Credit, Debit (including Contactless) and Mobile for remainder of this talk

  7. 2016 Business / Consumer Issues – (challenges) Conveyancing Fraud Malicious Card details capture Will high denomination Notes be scrapped ? Card Not Present Social Engineering Who did you Say you are ?

  8. A few recent data points • The 2004 and 2014 UK annual fraud losses similar monetary amount circa £500m ± 5% • BUT Remote purchase (Card Not Present CNP) was 30% of losses in 2004 almost 70% in 2014 • Overall losses reached over £600m in 2008 and reduced to £340m in 2010 • Counterfeit was circa 25% of losses in 2004 and 10% of losses in 2014 – but it’s growing again

  9. The competing business factors Please make my life nice and simple Consumer Convenience Cost Compatibility Complexity Competition

  10. History to set the scene – 50 yrs 4 slides !

  11. And a little more history

  12. Moving on a little more quickly

  13. Last part of the history !

  14. What I also said to BCS Dorset in 2011 Every major change in Card Processing takes years longer to achieve than almost everyone in the card industry expected. • Still true of banks; 2016 topics such as imaging cheques • BUT In the last year or so I’ve started to change my mind • As a consumer I see the pace of change accelerating • Is that just confined to the end point ? • Customers are demanding interoperability – “I want/must use my “XYZ” phone or I will change my account” • The number of new participants in the marketplace • Two other competing factors for us to contemplate Resilience Speed to Market

  15. One of my 2016 experiences • Chip and Pin is already considered old hat by some ! • At a talk in Q1 2016 I put forward my view, “Chip and PIN” has been the most important influence on f2f payment processing in my working life • A member of my audience told me, in no uncertain terms, I was wrong it was Contactless • Here’s what I said to BCS Dorset in Oct 2011 • Biggest and most visible change in UK Face To Face (F2F) Card Payment Security in last twenty years • Many have forgotten Chip Cards were implemented in France in the early 1990’s • Regrettably there was a bit of a difficulty ! • There was a lot more to it than simply placing something gold on the LHS of a plastic card. • It put in place the acceptance infrastructure for other things • What’s happening now with contactless/mobile

  16. Why talk about UK Chip and PIN • My suggestion to you is that “Chip Infrastructure” has only become an enabling technology, in the last three years • Other parts of the world haven’t even got to Chip and Pin, • USA is getting there now • Other countries have “different implementations” compared to the UK • At least twenty years have passed to get to where we are now with the UK’s f2f “EMV” payment infrastructure • Biometric authentication is around the corner but is it at scale ? • Well now we are going to see with HSBC’s late 2015/16 announcements • What if biometric details become compromised, then what ?

  17. Business Context for Chip and PIN • UK Fraud losses in early 1990’s • The UK had relatively high floor limits then compared to now • The percentage of transactions authorised pretty much doubled in 1993. (Telecoms was an expensive cost then) • There was a long term desire for using Chip Cards as an enabling technology • That was secondary to dealing with actual and anticipated fraud challenges • My “IT” involvement started in H2 1995 • Business activities had already been in train for a significant period • The target in H2 1995 was UK Chip trials starting in Jan 1997 • The UK Chip Programme was led by Apacs

  18. Quick recap of the UK Chip timeline • 1997 October UK Chip Card trial started • 2002 decision to proceed with Chip and Pin in the UK • 2003 Chip and PIN trials commenced in Northampton • 2004 July start of significant rate of increase in Chip transaction volumes • 2004 Nov/Dec “1st Chip & PIN retailer Christmas in UK” • 2006 14th Feb Chip and PIN or P day • 2007 One Pulse in London – Contactless • 2007 Mobile Contactless trialled • 2011 Mobile Contactless payments launched (1st in EU) • 2012 Paytags launched • 2014 Apple Pay announced 20th October • 2015 Apple Pay launched in the UK – not all Banks ready to go ! • 2016 Android Pay launches/follows in UK

  19. How did my Exec see Chip and PIN It’s just a collection of small changes Yes, That’s the Problem

  20. Influences on the timeline • 1998-2002 getting the commercial and technology matters to work and be comfortable with everything as a UK industry • Making the next step to include the PIN; resulting in incremental technical changes • Did everyone design production strength ? • Interchange and liability mattered • 2002-2004 the magnitude of the implementation challenge • Up to 1.5m retail assistants needed to be trained • 50,000+ ATM’s; 900,000 POS devices to be deployed • 10’s of millions of Cards to be issued/reissued • There was a recession/slowdown on then • 2005-2008 Operational challenges for major players • Drive to on-line authorisation of transactions in the UK • Increasing peak acquiring transaction rates of 10-15% year on year

  21. Current UK Chip and Pin status The UK is now a mature Chip and Pin marketplace • All cards issued have to be at least DDA or CDA (rather than SDA) • Over 90% of transactions are on-line authorised (not anticipated) • 2011 UK Fraud losses credit and debit were £341m (£610m 2008) • 2011 f2f Fraud losses in UK were £43m (£98m 2008) “Today f2f fraud isn’t the main issue for UK industry” • It is however if it happens to be your card (especially debit) • f2f fraud now less than “Lost and Stolen” • CNP (Telephone, Internet and Mail Order) fraud is 4 times F2F 2011 it was roughly 3 times in 2008 (£221m 2011) • Counterfeit fraud down from £170m 2008 to £36m 2011 “No room for complacency in any channel”

  22. My observations on Chip and Pin • Chip and PIN in the UK successful at the macro level. • Implementation approach unlikely to be repeated. • The overall security and technology model has to be robust, resilient and secure, yet mindful of commercial realities. • Transaction times have to be acceptable • So what is the US up to in 2016 ? • The malicious activity against Chip and PIN 2005-2010 did not unduly surprise myself and other members of CSG (Card Security Group) • The level of industrialisation and sophistication sometimes did • There will always be errors in implementation of any framework – on this scale. • The UK’s Card Payment eco-system is now simply taken for granted – it shouldn’t be !

  23. My observations on Chip and Pin (2) • The UK hasn’t experienced a major Chip and PIN incident • The Chips in the Cards have got better and cheaper. • Pin Entry Devices (PED’s) / terminals have also improved. • Operational processes have evolved and developed. • There will continue to be attempts to show up weaknesses in Chip and PIN implementations • These will continue to increase in sophistication and move to Contactless and Mobile • UK needs to consider whether it has an appropriate Chip and PIN posture for the next ten years

  24. Why Chip and PIN has its place • Realistically UK is in only its third (possibly fourth) Chip and PIN card cycle • a cycle being typically based on a three card life • Short to medium term no practical alternative, but longer term ? • Behaviour changes now with £30 Contactless limit • TfL not accepted cash on buses for almost two years • The interoperability has been proven • “Card and Consumer Payments” have become ubiquitous / indispensable in the last decade • Acceptance infrastructure is out there (refreshes and updates are & will be needed) • I’m fairly certain there are no short term alternates - this decade • “The Card(s)” (physical or logical) is now a multi delivery channel payment device

  25. Card Payment processing is CCNI Card Payment processing to be viewed as Commercially Critical National Infrastructure (CCNI) • Stakeholder expectations have changed in the last five years • Particularly when something is considered an avoidable incident • It’s no longer what you are contracted to supply; it’s the perception of what should have been supplied • Number of Cards in issue in UK over 140m • Number of UK ATM’s now 60,000 + • Number of UK POS devices now circa 1.3m • Contactless terminals target circa 150k end 2012 • Oct 2015 1 in 10 card transactions now contactless (120.5m in Oct 15) Apr 2016 it’s now 1 in 7 • Circa 300k Contactless terminals and 76m cards in issue (circa 52m debit 24m credit/charge Oct 15) • Contactless terminals possibly now 450k Spring 2016

  26. Was last slide title valid/accurate ? • Valid as far as it went, in its scope, but should it be amended to Consumer Payment mechanisms and systems must be viewed as Commercially Critical National Infrastructure (CCNI) • Most UK consumers accept “all this stuff” as a utility service • On-line service “glitches” they become national news within minutes • If “glitch” lasts two or three days then “responsible Executives” more than likely invited to see an MP’s Select Committee

  27. More recent UK market moves Contactless Mobile Payment mechanisms such as Pingit PAYM ApplePay Android Pay Mobile Banking • Limit now £30 • Massive growth in transaction volumes in last nine months • Applicable to Credit & Debit • Not all cards issued (80m +) • Contactless enabled vending machines are here • Spring 2016 - a Big Issue seller now accepts this mechanism Blockchain Technology

  28. So where are we heading ? Recent data points/news April/May 2016 • VISA Inc in US announces Quick Chip for EMV to make secure chip card transactions faster and even more convenient • European Bank to stop issuing the 500 Euro note • UK silver surfers embracing contactless payments • 600 UK Bank branches closed in last 12 months • SWIFT payment system has been attacked/hacked • UK Cyber crime reporting is understated • Major financial implications for companies subject to data breaches

  29. Those competing factors again Resilience Speed to Market Consumer Convenience Cost Compatibility Complexity Competition

  30. Important to Whom – (my suggestions) Consumers/Customers Finance Industry (& others now) Cost Compatibility Competition Complexity Convenience Speed to market Resilience • Convenience • Cost • Resilience (implicit) • Compatibility • Competition

  31. A Quick test • What do you consider a micropayment to be ? From 1990’s $12 so is something less than £10 valid ? • What would you consider a UK consumer high value payment to be ? Don’t think there is consensus on this but The average salary in UK to April 2015 was £27,600 • What is the average value of a UK cheque ? In 2015 it was £1125 and in 2014 it was £1074 There were 13% less cheques 404m compared to 464m • What is the current Faster Payments maximum value transaction ? From Nov 2015 £250,000

  32. Concluding Remarks • UK consumers expect whatever choice of chosen payment mechanism, they make, in whatever channel, “it” will work in accordance with all their wishes. • This implied or implicit trust/expectations are likely to be increasingly put to the test in coming years. Do consumers need to have their expectations managed or reset ? • “Chip and PIN” continues to develop globally. It’s now well into the life cycle management and exploitation phase. In UK in f2f channel it has been successful.

  33. Concluding Remarks cont • Pace of change and innovation in consumer payment processing will continue. • I won’t be placing any bets on the mechanisms and offerings which will flourish and those which will flounder • I am concerned as to whether there might be a systemic incident in the years ahead, then what ? • I still want to hope there is sufficient proactive and timely real oversight of Payment Processing infrastructure and systems, nationally and globally, so that consumers’ implicit expectations are being properly served. You may be wondering where does fit into this subject area. For over 25 years they have supplied behind the scenes technical products that make a lot of the essential Security functions operate.

  34. Q&A Discussion – to follow Hopefully some things from the last 20, or more, years now gel or mesh a little better ! Thank you all for your attention
