A Year in Secure Payment – 2013 Review by SPA's Technical Director, Lorenzo Gaston
Here, Lorenzo takes a look at the five big events of 2013, and discussed what we should expect as we move into 2014.
It’s tempting to begin this kind of article by claiming the past year marked a ‘revolution’ or ‘watershed’ in the development of the particular market or service. But to do so here would be disingenuous.
This is no new market. The payment industry (as we know it today) has been around since before the appearance of the mag stripe card, and is one of the most established, highly regulated and secure transaction environments in the world. It’s not the kind of market that experiences massively hyped ‘explosions’.
But that’s not to say that 2013 wasn’t a very interesting year for payment. It was.
EMVCO’s Next Generation programme continued to evolve, to shape payment well into the next decade. Moves from SEPA to harmonize payment systems will likewise continue to have a significant and growing influence on the kinds of technologies and devices we’ll be using to purchase goods and services within the European Union. Similarly, the industry has been discussing new payment mechanisms, models and virtual currencies for sometime – and some began to break through last year.
So let’s take a closer, more pragmatic look at what 2013 meant for payment – and perhaps more interestingly, what should we be expecting from 2014.
We’ll start with the EMVCO Next Generation Taskforce programme. Launched back in 2012, the programme aims to build a series of use cases in an effort to develop next generation technical specifications that are able to address future demand. This work is fundamental to the development of the payments ecosystem and will define the long term evolution of the EMV protocol itself.
As the programme developed throughout 2013 we began to see signs of a shift in emphasis from the terminal to the card. Transaction authentication and encryption is planned to evolve from conventional protocols to elliptic curve technology.
These are just a few examples of the kind of work that Next Generation programme is doing that will have a profound impact on the payments sector – not least by offering more payment application choice and flexibility for merchant and user.
As members of the EMVCo Technical Associates programme, SPA has been instrumental in supporting the development of new generation specifications, contributing heavily to the use case program and working to identify those specific solutions that will secure payment for the next one to two decades.
Similarly, the continued evolution of the Single Euro Payments Area or SEPA was noteworthy in 2013. Already the first organisation to harmonize functional and security requirements for all payment systems in Europe, its importance in defining interoperable and secure payment solutions over the coming years will be crucial – particularly in the areas of proximity and remote (mobile) payments.
As members of the EPC-CSG, SPA has strongly contributed to the development of new SEPA for card specifications. Having been involved in all public consultations on upcoming regulations throughout 2013, and now working to translate the legal requirements into technical solutions, the SPA and its membership will continue to have an important role to play.
Moving into 2014 and SEPA specifications recognizing that mobile and online payments constitute complementary channels to the card is a positive move – and will require an even greater level of regulation and cooperation up and down the payment value chain. SPA will be leading this year the CSG innovation expert team responsible for the drafting of the specification for remote payments.
In 2013 we saw the expansion of EMVCo membership. First to join was China UnionPay in June 2013, followed by Discover Financial Services in September.
Joining existing members Visa, MasterCard, American Express and JCB, all six members will continue to work together to manage and progress both contact and contactless EMV industry specifications and facilitate global interoperability and acceptance of secure chip payments. Read more about the push to biometric technologies in card security here
Last year also saw the arrival of some long awaiting regulations – not least the publication of the draft Payment Services Directive (PSD2) in July of 2013. Aimed at bringing together the various European payment initiatives since the launch of the European Commission's Green Paper on Card, Internet and Mobile Payments (COM (2011) 941) in 2012, the publication of PSD2 reflects the Commission’s attempt to keep pace with technical advances.
It’s a complex debate that offers significant opportunity for innovation as payment schemes and service providers look to enhance the value of the payment card by offering new services to their banking customers. The challenge is now to turn the legal provisions of PSD2 into compliant technical specifications. You can read our position on PSD2 here.
Finally, no review of 2013 would be complete without a quick reference to the new technologies that have been launched, trialed and so on. The emergence of cloud is one technology that has had the industry questioning its models – both now and in the future. The debate is where to store and manage identity in a secure way – in the cloud or on the Secure Element. Here at the SPA we tale a pragmatic view – and you can read it here.
Other technologies made news of course. Mobile wallets continue to offer opportunities for users to bring multiple payment instruments together. So far the vast majority of wallets are local in nature – and almost always lack interoperability.
One reason has been the regulation – or the lack of it in 2013. Added to this, the fact we need a range of Trusted Service Managers (TSMs) to populate the wallets, and we don’t have them, doesn’t help tremendously either. In contrast, it’s also possible to have too much of a good thing. There are a huge number of players within the value chain that makes for a very complex revenue share.
The problems of a lack of regulation, direction and a lack of a single platform are not, of course, limited to the world of the mobile wallet. But they are major challenges. To grow and succeed new payment mechanisms, like mobile payment, must be able to maximize transaction value – which requires the very highest levels of interoperability. This is the very least we need, and the SPA is continuing to work hard to highlight this open and interoperable agenda – and where possible to suggest solutions.
As we move into 2014, we will continue to be fully supportive of the EMVCo Next Generation program, of NFC proximity payments and the growth of interoperable technologies and standards. And we’ll continue to collaborate to improve security provision from all kinds of payment, regardless of form factor.
Technical Director, SPA