boosting and securing online shopping - making pin on phone a reality

Post on 12-May-2015

Category: Technology

TRANSCRIPT

This document is offered compliments of BSP Media Group. www.bspmediagroup.com

All rights reserved.

Boosting and securing online shopping - making PIN on phone a reality

Africa Com 2013

Standard Bank

• Largest banking group in Africa
• Operates in 42 countries worldwide
• Significant card issuer and acquirer

MTN

• Largest Mobile Network Operator in Africa and the Middle East
• 21 countries
• >200m subscribers

Oltio is a joint venture between the Standard Bank and MTN Groups, formerly called MTN Mobile Money

“Oltio – the secure mobile commerce company”

Oltio was a GSMA Global Mobile Awards finalist in 2012 with payD and MasterCard Mobile

What is a mobile payment?

What is online shopping?


payD basics

• payD uses the handset as a “personal PIN entry device”: customers enter their ATM/POS PIN into their own phone when making a purchase.
• payD works across multiple channels – phone, web, POS, kiosk, App etc.
• payD WIG uses SIM- and handset-based security to encrypt the PIN, where the network has keys loaded on its SIMs.
• The ORAGS App uses a 3DES DUKPT-like security protocol for feature and smart phones where the SIM keys cannot be accessed.
• The system constructs an ISO 8583 transaction for debit and credit cards and submits it to the acquirer.
• The transaction is CNP (card not present) with PIN.
• The normal four party card acquiring processes apply.
• In SA, liability is shifted to the issuer in a similar manner to 3-D Secure.
• payD has been live in SA for 4 years.
• MasterCard approved and branded; Visa supported via marketing - in SA.

Case study: South Africa: good debit card with PIN penetration – POS and online usage poor due to limited debit card acceptance

[Chart: GDP per capita (PPP, $0 to $10,000) against financial penetration (20% to 100%) for South Africa, Indonesia, Kenya and Uganda]

• High levels of debit card penetration
• PIN required due to single-message ATM genesis of the debit cards
• High GDP per capita - good retail potential
• >120% mobile phone penetration
• Airtime top-up via cash, not card

The m- and e-commerce challenge in South Africa

Online retail sales are 0.36% of total retail sales in South Africa.

The m- and e-payments challenge in South Africa

• “All payment types accepted” - yet debit cards with a PIN code didn't work in m- and e-commerce

There are an estimated 750 000 spaza shops in South Africa – with almost no POS acceptance

• Less than 200 000 POS merchants in SA - mostly in formal retail sectors
• Cost of POS is high to the merchant – R750 per month minimum if turnover is under R20 000 per month
• POS cost too high for merchants
• Not viable for acquirers
• VAS (value added services) key

Flea markets and other informal merchants pose similar challenges

New game: spot the POS


The lack of electronic acceptance is impacting business growth – suppliers won't accept cash – not just an SA issue

• Bulk distributors will not accept cash
• Lack of electronic acceptance limits the float available to pay them

Using a phone as the merchant device is a logical leap but does have limitations in emerging markets

• mPOS requires certification, distribution logistics and specific phones

Card payment – traditional four party model needs to be retained….

Issuer (I) <-> Acquirer (A): request / response in each direction

1. Card is presented at the terminal
2. Tx details captured on the POS and sent to the acquirer
3. Acquirer attempts authorisation from the Issuer
4. Response sent back to the acquirer and on to the POS

So…..which way? Converge carefully….

• Mobile phones are pervasive and key to expanding payments
• Phones need to be secure for PIN entry

payD uses the phone‘s SIM to encrypt the PIN

• An ISO PIN block can be created on the SIM
• The SIM has encrypt and decrypt functionality

payD uses WIG security embedded into a mobile network operator's system

1. Derived keys are loaded onto the SIM card at the point of manufacture.
2. The SIM card contains a WIB browser that allows encryption of data using those keys.
3. The WIG gateway pushes a request for the PIN to the handset (WIG push for PIN).
4. The customer enters the PIN on receipt of the request.
5. The encrypted PIN block is returned.
6. An HSM re-encrypts the PIN block under the application keys.
7. The transaction application server, backed by its own HSM, processes the transaction.

System is protected by patents and licensed to operators
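The two security-relevant steps in the slides above (the SIM producing an ISO PIN block, and the HSM translating that block from the SIM-side key to the application key) as an added, illustrative example. This is Go code written for this page, not Oltio's or payD's implementation: it builds an ISO 9564-1 format 0 PIN block, encrypts it with 3DES from the Go standard library, and models the HSM hop as a function that decrypts under one key and re-encrypts under another. The keys, PAN and PIN are constructed sample values; the page says only "ISO PIN block" and does not disclose payD's key derivation, so the key material here is an assumption.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// digits reports whether s is non-empty and ASCII digits only.
func digits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// panField builds the ISO 9564-1 format 0 PAN field: 0000 followed by the
// rightmost 12 digits of the PAN with its Luhn check digit dropped.
func panField(pan string) ([]byte, error) {
	if !digits(pan) || len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// FormatPINBlock returns the 8-byte clear format 0 block: the PIN field
// (control nibble 0, length nibble, PIN digits, F padding) XOR the PAN
// field. Binding the block to the PAN is what stops a captured block from
// being replayed against another card.
func FormatPINBlock(pin, pan string) ([]byte, error) {
	if !digits(pin) || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	p, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	q, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// ExtractPIN reverses FormatPINBlock, rejecting malformed control, length
// or padding nibbles. A block XORed with the wrong PAN does not decode to
// the original PIN (and often fails the padding check).
func ExtractPIN(block []byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("bad PAN or block length")
	}
	p := make([]byte, 8)
	for i := range p {
		p[i] = block[i] ^ q[i]
	}
	h := strings.ToUpper(hex.EncodeToString(p))
	n, perr := strconv.ParseUint(h[1:2], 16, 8)
	if h[0] != '0' || perr != nil || n < 4 || n > 12 {
		return "", errors.New("not a well-formed format 0 block")
	}
	pin, pad := h[2:2+int(n)], h[2+int(n):]
	if !digits(pin) || strings.Trim(pad, "F") != "" {
		return "", errors.New("bad PIN digits or padding")
	}
	return pin, nil
}

// crypt3DES runs one block through 3DES with a 24-byte key. A PIN block is
// exactly one cipher block, so no mode of operation or IV is involved.
func crypt3DES(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(in) != 8 {
		return nil, errors.New("need a 24-byte key and an 8-byte block")
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// TranslatePINBlock models the HSM hop on the slide: in under the SIM-side
// key, out under the application key. The clear block exists only inside
// this function; in the real system that boundary is the HSM itself.
func TranslatePINBlock(simKey, appKey, encUnderSIM []byte) ([]byte, error) {
	clear, err := crypt3DES(simKey, encUnderSIM, true)
	if err != nil {
		return nil, err
	}
	return crypt3DES(appKey, clear, false)
}

func main() {
	// Constructed sample keys and card data (assumptions, not values from the page).
	simKey, _ := hex.DecodeString("0123456789ABCDEFFEDCBA987654321089ABCDEF01234567")
	appKey, _ := hex.DecodeString("111111111111111122222222222222223333333333333333")
	block, _ := FormatPINBlock("1234", "4000001234562")
	fromSIM, _ := crypt3DES(simKey, block, false)
	toApp, _ := TranslatePINBlock(simKey, appKey, fromSIM)
	fmt.Printf("clear %X\nunder SIM key %X\nunder app key %X\n", block, fromSIM, toApp)
}
```

The property to notice is that the application server only ever holds the block under the application key: the clear PIN block appears inside TranslatePINBlock and nowhere else, which is the separation the slide's HSM provides. The PAN binding is the other check worth running on receipt: the same PIN yields a different block for a different card number, so a block captured from one transaction cannot simply be attached to another PAN.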

…allowing the phone to become a Personal Key Entry Device - restricted to the identified cardholder

• Not for general PIN entry use by a merchant
• Locked to the identified cardholder
• Phone number is a proxy for the card number
• No device certification required

Personal Key Entry Device: SIM and PIN = Chip and PIN

payD replaces the card and POS

Enabling Mobile Card Based Transaction - Card-Not-Present + PIN

The issuer and acquirer request/response legs of the four party model are unchanged; payD takes the place of the card and the POS:

• Auth Engine
• Database: the customer's card number is linked to the mobile number (Card Nr <-> Mobile Nr)
• Secure encryption engine to capture and process the ATM/POS PIN
• Mobile phone number is used to identify the cardholder
• payD builds and sends a formatted auth request to the bank
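The "formatted auth request" above and the ISO 8583 transaction mentioned under payD basics, as an added example that is not payD's message format (the page says only "ISO 8583"). This Go code builds a minimal ISO 8583:1987 authorisation request: the MTI, the 64-bit primary bitmap, LLVAR and fixed-length data elements, and where the encrypted PIN block (field 52) and the PIN-capable POS entry mode (field 22) sit in a CNP-plus-PIN message. The field numbers and formats are the standard ones; which fields are populated, the field 22 value 011 (manual key entry, PIN entry capable) and all sample values are assumptions made for this demo.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// fieldDef describes how a data element is encoded: LLVAR (2-digit length
// prefix) or fixed length. Numbers and formats follow ISO 8583:1987; the
// subset of fields used here is an assumption for the demo.
type fieldDef struct {
	name  string
	fixed int  // fixed length in characters (0 when LLVAR)
	llvar bool // variable length with a 2-digit length prefix
}

var fields = map[int]fieldDef{
	2:  {name: "PAN", llvar: true},
	3:  {name: "processing code", fixed: 6},
	4:  {name: "amount, transaction", fixed: 12},
	11: {name: "STAN", fixed: 6},
	22: {name: "POS entry mode", fixed: 3},
	41: {name: "terminal ID", fixed: 8},
	52: {name: "PIN data (hex of the encrypted PIN block)", fixed: 16},
}

// Bitmap returns the 8-byte primary bitmap: bit n (1-based, MSB of byte 0 is
// bit 1) is set when field n is present. Bit 1 would announce a secondary
// bitmap, so fields above 64 are rejected here rather than silently dropped.
func Bitmap(present []int) ([]byte, error) {
	bm := make([]byte, 8)
	for _, f := range present {
		if f < 2 || f > 64 {
			return nil, fmt.Errorf("field %d is outside the primary bitmap", f)
		}
		bm[(f-1)/8] |= byte(0x80) >> uint((f-1)%8)
	}
	return bm, nil
}

// EncodeField renders one data element, enforcing its length rule.
func EncodeField(n int, value string) (string, error) {
	d, ok := fields[n]
	if !ok {
		return "", fmt.Errorf("field %d is not defined", n)
	}
	if d.llvar {
		if value == "" || len(value) > 99 {
			return "", fmt.Errorf("field %d (%s): LLVAR length out of range", n, d.name)
		}
		return fmt.Sprintf("%02d%s", len(value), value), nil
	}
	if len(value) != d.fixed {
		return "", fmt.Errorf("field %d (%s): want %d chars, got %d", n, d.name, d.fixed, len(value))
	}
	return value, nil
}

// BuildAuthRequest assembles MTI 0200, the primary bitmap (as hex) and the
// fields in ascending order, which is the order a receiver walks the bitmap.
func BuildAuthRequest(values map[int]string) (string, error) {
	nums := make([]int, 0, len(values))
	for n := range values {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	bm, err := Bitmap(nums)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	sb.WriteString("0200" + strings.ToUpper(hex.EncodeToString(bm)))
	for _, n := range nums {
		enc, err := EncodeField(n, values[n])
		if err != nil {
			return "", err
		}
		sb.WriteString(enc)
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample (assumed values): POS entry mode 011 = manual key
	// entry with PIN capability, amount 100.00 in minor units, and an
	// already-encrypted PIN block carried in field 52 as 16 hex characters.
	msg, err := BuildAuthRequest(map[int]string{
		2: "4000001234562", 3: "000000", 4: "000000010000", 11: "000123",
		22: "011", 41: "PAYD0001", 52: "A1B2C3D4E5F60718",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(msg)
}
```

The bitmap is the part most often got wrong by hand: with fields 2, 3, 4, 11, 22, 41 and 52 present it is 7020040000801000, and a receiver that walks it in ascending order will find the PAN length prefix, then the fixed-length fields, then the PIN data. Field 52 carries the PIN block only in encrypted form, which is why the HSM translation on the previous slides has to happen before this message is built.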

payD is secure and PCI compliant

• payD is PCI DSS Level 1 compliant
• PCI compliance is not required of the merchant/PSP in a payD transaction, as card details are captured on the customer's phone and never reach the merchant
• payD is a “cloud” POS
• Reduces merchant risk and cost

Authenticated Mobile Transaction (AMT) is a PASA approved Card PCH rule in South Africa

• Card PCH specified and approved
• PIN is captured into the phone in a secure manner
• AMT rule is similar to 3-D Secure and Verified by Visa
• Liability shifts to the issuer
• Issuer opt-in required
• Applies to all card types
• payD conforms to AMT
• Licensed in South Africa to IPSEP

payD is supported by both MasterCard and Visa

• MasterCard Mobile Remote Payment (MMRP) certified
• Supported by Visa
• Issuer opt-in required

MTN uses payD to sell airtime directly to customers - via MTN Eazi Recharge – customers dial a USSD shortcode and enter the PIN in a WIG session

*141*10#

• Customers do on average 8 transactions per month
• Debit card purchase as opposed to cash withdrawal
• 350 000 registered users

As do Vodacom for their Express Recharge offering …

*130*082#


payD also enables e-commerce purchases for PIN-based cards


payD WIG is a complex system and needs all elements to be in place to work - this isn't always the case outside of South Africa

Key learnings from payD WIG

• MNO dependence - requires MNO technical support: the correct SIM, SIM keys and WIG have to be in place
• App is in - customers demand a richer experience; use of USSD is declining and WIG/S@T has not proven successful for MNOs

ORAGS App – works on all networks, with a 3DES DUKPT-like security protocol called ORAGS

• Feature and smart phones
• PIN block returned encrypted under the secure protocol – one-off use only

1. Customer downloads the App
2. Phone sends an SMS to identify itself
3. A subset of keys is sent to the phone
4. A one-off session is created

ORAGS works across multiple channels; in most instances the App or USSD WIG can be used

• WEB: eCommerce - simple API and simulator for merchant integration
• App to App: mCommerce - airtime, ticketing, cinema
• Code Entry: call centre, outbound sales, insurance
• vPOS: low cost POS with no extra hardware required
• Physical POS: can be used on current technology (no EMV compliance required)
• Static: parking, kiosk, ticketing, bill payment, retail F2F

Face-to-face provides the biggest opportunity for payment acceptance expansion and cash reduction


Face-to-face using a phone App - no extra hardware is required - low level phones can be used


POS – non-EMV for example – here using USSD


App to App allows the monetisation of Apps


Payment on web via App


Bill payments


Tickets at a kiosk


Payment using printed code via USSD and WIG


Chargeback experience: a well known former SA low cost airline

• Largest low cost airline in SA – over 200 000 passengers per month
• Linked to payD to allow debit cards to grow its potential customer base

Sample year, commencing July 2011:

• 8 900 tickets sold with a sales value of R11m via payD
• No confirmed chargebacks via payD noted
• 20% of usage was credit card and PIN
• 3-D Secure is not user friendly on mobile

Stakeholder Benefits summary

Card Issuer
• Provides additional value added services to cardholders by allowing mobile remote authentication
• Increased PV (purchase volume) on transactions through expansion of acceptance channels that accept remote authentication
• Enablement of debit cards for mobile authentication on cards that do not allow card-not-present transactions

Card Acquiring
• Expand the acceptance network to include remote authentication solutions; enjoy increased merchant fees from the expanded estate
• Enable new card based payment channels, e.g. B2B mobile payments

Cardholder
• Convenience of using the mobile phone to pay in remote authentication situations, e.g. travel bookings
• No need to share card information with any merchant or payment gateway, which reduces the exposure of card data to compromise

Merchant
• Accept card based transactions in previously unsupported environments, e.g. debit e-commerce transactions
• Cost savings through direct distribution capability of virtual services, e.g. airtime (in this scenario the mobile network operator becomes the merchant)
• Enjoys liability shift rules similar to VbyV/3-D Secure; no need to be PCI compliant

Card company
• Increased security of cardholder information: no card data is shared with a merchant when a transaction is processed
• Out-of-band authentication ensures separation of card-sensitive data; data compromises do not enable fraudsters to replicate transactions or clone cards
• Remote authentication capability increases PV for issuers and can extend the acceptance infrastructure within a market
• Enables the mobile phone as an authentication device and provides a direct communications interface to the cardholder, so promotions and offers can be better articulated and promoted
• Increased security through GIS enablement of transaction info: all transactions carry a location signature

The Future is - CNP plus PIN
