boosting and securing online shopping - making pin on phone a reality

This document is offered compliments of BSP Media Group. www.bspmediagroup.com All rights reserved.

Upload: bsp-media-group

Post on 12-May-2015


Page 1: Boosting and securing online shopping - making PIN on phone a reality


Boosting and securing online shopping - making PIN on phone a reality

Africa Com 2013


• Largest banking group in Africa

• Operates in 42 countries worldwide

• Significant card issuer and acquirer

Bank

• Largest Mobile Network Operator in Africa and Middle East

• 21 countries

• >200m subscribers

Oltio is a joint venture between the Standard Bank and MTN Groups – formerly called MTN Mobile Money

“Oltio – the secure mobile commerce company”


Oltio was a GSM-A Global Mobile awards finalist in 2012 with payD and MasterCard Mobile


What is a mobile payment?

What is online shopping?


payD basics

• payD uses the handset as a “personal PIN entry device”; customers enter their ATM/POS PIN into their own phone when making a purchase.

• payD works across multiple channels – phone, web, POS, kiosk, App, etc.

• payD WIG uses SIM and handset based security to do the encryption of the PIN where the network has keys loaded to its SIMs.

• ORAGS App makes use of a 3DES DUKPT-like security protocol for feature and smart phones where the SIM keys cannot be accessed.

• The system constructs and submits to the acquirer an ISO 8583 transaction for debit and credit cards.

• The transaction is a CNP (card not present) with PIN.

• The normal four-party card acquiring processes apply.

• In SA, liability is shifted to the issuer in a similar manner to 3D Secure.

• payD has been live in SA for 4 years.

• MasterCard approved and branded, Visa supported via marketing - in SA


Case study: South Africa: good debit card with PIN penetration – POS and online usage poor due to limited debit card acceptance

[Chart: GDP per Capita and Financial Penetration. Axes: GDP per capita (PPP) against financial penetration. Countries shown: South Africa, Indonesia, Kenya, Uganda.]

• High levels of debit card penetration

• PIN required due to single message ATM genesis

• High GDP per capita - good retail potential

• >120% mobile phone penetration

• Airtime top-up via cash not card


The m and e-commerce challenge in South Africa

Total retail sales in South Africa

Online retail sales in South Africa: 0,36%


The m and e-payments challenge in South Africa

All payment types accepted

Debit Cards with PIN code didn’t work in m and e-commerce


There are an estimated 750 000 spaza shops in South Africa – with almost no POS acceptance

• Less than 200 000 POS merchants in SA - mostly in formal retail sectors

• Cost of POS high to merchant – R750pm min if turnover under R20 000 pm

• POS cost too high for merchants

• Not viable to acquirers

• VAS services key


Flea markets and other informal merchants pose similar challenges

New game: spot the POS


The lack of electronic acceptance is impacting business growth – suppliers won't accept cash – not just an SA issue

• Bulk distributors will not accept cash

• Lack of electronic acceptance limits float to pay


Using a phone as the merchant device is a logical leap but does have limitations in emerging markets

•mPOS requires certification, distribution logistics and specific phones


Card payment – traditional four party model needs to be retained….

[Diagram: issuer (I) and acquirer (A) exchanging request and response messages]

• Card is presented at terminal

• Tx details captured on POS and sent to acquirer

• Acquirer attempts authorisation from Issuer

• Response sent back to acquirer and to POS


So…..which way? Converge carefully….

•Mobile Phones are pervasive and key to expanding payments

•Phones need to be secure for PIN entry


payD uses the phone's SIM to encrypt the PIN

• ISO PIN block can be created

• SIM has encrypt and decrypt functionality


payD uses WIG security embedded into a mobile network operator's system

Derived keys loaded onto the SIM card at the point of manufacture

SIM card containing a WIB browser that allows encryption of data using the keys

WIG Gateway

WIG Push for PIN

Customer Enters PIN on Receipt of request

PIN-block returned

HSM

Re-encrypted with Application Keys

Transaction Application Server

HSM

System is protected by patents and licensed to operators


…allowing the phone to become a Personal Key Entry Device - restricted to the identified cardholder

• Not for general PIN entry use by merchant

• Locked to identified cardholder

• Phone number is proxy for card number

• No device certification required


…..SIM and PIN = Chip and PIN

SIM Card PIN


payD replaces the card and POS

Enabling Mobile Card Based Transaction - Card-Not-Present + PIN

[Diagram: issuer (I) and acquirer (A) exchanging request and response messages, with an Auth Engine and a Database mapping Card Nr to Mobile Nr]

• Customer’s card number linked to mobile number

• Secure encryption engine to capture and process ATM/POS PIN

• Mobile Phone number is used to identify cardholder

• payD builds and sends formatted auth request to bank


payD is secure and PCI compliant

•payD is PCI DSS level 1 compliant

•PCI compliance is not required of the merchant/PSP in a payD transaction, as card details are captured into the customer's phone

•payD is a “cloud” POS

•Reduces merchant risk and cost


Authenticated Mobile Transaction (AMT) is a PASA approved Card PCH rule in South Africa

• Card PCH specified and approved

• PIN is captured into phone in secure manner

• AMT rule is similar to 3D Secure and V-by-V

• Liability shifts to issuer

• Issuer opt-in required

• Applies to all card types

• payD conforms to AMT

• Licensed in South Africa to IPSEP


payD is supported by both MasterCard and Visa

•MasterCard Mobile Remote Payment (MMRP) certified

•Supported by Visa

•Issuer opt-in required


MTN uses payD to sell airtime directly to customers - via MTN Eazi Recharge – customers dial a USSD shortcode and enter the PIN in a WIG session

*141*10#

• Customers do on average 8 transactions pm

• Debit card purchase as opposed to cash withdrawal

• 350 000 registered users


As do Vodacom for their Express Recharge offering …

*130*082#


payD also enables e-commerce purchases for PIN-based cards


payD WIG is a complex system and needs all elements to be in place to work - this isn't always the case outside of South Africa

Key learnings from payD WIG

• MNO dependence - requires MNO technical support – correct SIM, SIM keys and WIG to be in place

• App is in – customers demand a richer experience – use of USSD declining and WIG/S@T has not proven successful to MNOs


ORAGS App – works on all networks, with a 3DES DUKPT-like security protocol - called ORAGS

Feature and smart phones

PIN-block returned encrypted under secure protocol – one-off use only

1. Customer downloads App

2. Phone sends SMS to identify itself

3. Subset of keys sent to phone

4. Creates one-off session


ORAGS works across multiple channels

In most instances App or USSD WIG can be used

• eCommerce / WEB: Simple API and simulator for merchant integration

• App to App: mCommerce, Airtime, Ticketing, Cinema

• Code Entry: Call Centre, Outbound Sales, Insurance

• vPos: Low cost POS with no extra hardware required

• Physical POS: Can be used on current technology (no EMV compliance required).

• Static: Parking, Kiosk, Ticketing, Bill Payment, Retail F2F


Face-to-face provides the biggest opportunity for payment acceptance expansion and cash reduction


Face-to-face using a phone App - no extra hardware is required - low level phones can be used


POS – non-EMV for example – here using USSD


App to App allows the monetisation of Apps


Payment on web via App


Bill payments


Tickets at a kiosk


Payment using printed code via USSD and WIG


Chargeback experience: well-known SA ex-low-cost airline

• Largest low cost airline in SA – over 200 000 passengers per month

• Linked to payD to allow debit cards to grow potential customer base

Sample year; commencing July 2011:

• 8900 tickets sold with sales values of R11m via payD

• No confirmed chargebacks via payD noted

• 20% of usage was credit card and PIN

• 3D not user friendly to mobile


Stakeholder Benefits summary

Card Issuer

• Provides additional value added services to cardholders by allowing mobile remote authentication

• Increased PV on transactions through expansion of acceptance channels that accept remote authentication

• Enablement of debit cards for mobile authentication on cards that do not allow card not present transactions.

Card Acquiring

• Expand acceptance network to include remote authentication solutions.

• Enjoy increased merchant fees from expanded estate.

• Enable new card based payment channels, e.g. B2B mobile payments.

Cardholder

• Convenience of using mobile phone to pay in remote authentication situations, e.g. travel bookings

• No need to share card information with any merchant or payment gateway, which reduces hacking of data

Merchant

• Accept card based transactions in previously unsupported environments, e.g. debit e-commerce transactions.

• Cost savings through direct distribution capability of virtual services, e.g. airtime. (In this scenario the mobile network operator becomes the merchant.)

• Enjoys liability shift rules similar to VbyV/3D – no need to be PCI Compliant

Card company

• Increased security of cardholder information. No card data is shared with a merchant when a transaction is processed.

• Out of band authentication ensures separation of card sensitive data. Data compromises do not enable fraudsters to replicate transactions or clone cards.

• Remote authentication capability increases PV for issuers.

• Remote authentication capability can extend acceptance infrastructure within a market.

• Enables the mobile phone as an authentication device.

• Provides a direct communications interface to the cardholder. Promotions and offers can be better articulated and promoted.

• Increased security through GIS enablement of transaction info. All transactions carry a location signature.


The Future is - CNP plus PIN


Show video
