MasterCard: Security Is Nice, Functionality Is Better

MasterCard sees mobile payment security as crucial, but its power is relevant only to the point that shoppers are actually using it. And with Apple Pay, that is starting to happen meaningfully.

In a talk with analysts on Wednesday (Nov. 19), Ed McLaughlin, the chief emerging payments officer at MasterCard, stressed how the device is merely the temporary transportation mechanism for the payment.

“We’re in the midst of just a global transformation as people are moving from the offline and disconnected to the connected. And what you have to remember is mobile, as compelling it is, it’s just a device. You didn’t throw out your PC when you got a smartphone. I’m positive you bought a tablet two years later and now you’re probably thinking about a wearable and you have a game system and your car is basically a computer on wheels, right?” McLaughlin said. “So what we see is every device that consumers have will become a commerce device. And I think the mistake that’s often made is you look at the device or you look at the interface and you think that’s what makes the payment systems. Rather, it’s the payment systems that make all these devices more useful.”

In other words, it’s the device functionality that drives how people use it and, yes, how they make transactions.

“You see this global transformation of how people educate themselves, entertain themselves, how they interact with each other socially, we see that as driving the transformation of how people transact,” he said. “And our position absolutely is this transformation, this shift to the connected and the digital from the offline and the physical, is the biggest opportunity we’ve had since plastic and electronic transactions were introduced 35 years, 40 years ago.”

He also warned analysts against trying to simply recreate the prior experience.

“People think the job is to recreate precisely what you could do before in a more complex environment. We’ve all been through waves of innovation, it never works. We call it horseless carriage innovation. The only question is: ‘Is this better than what you could do before?’ And the only arbiter of if it’s better is that’s consumers who has to decide whether they’ll stay with their current behavior or adopt the new behavior. So people have asked for a long time around things like contact and why I’m such a strong advocate of it. It’s because we know, we’ve seen in countries around the world. Once people start to tap two or three times, they never go back to their prior behavior, because it is faster, because it is more convenient. This isn’t an abstract argument on interfaces. It screams out of the data that people like this better. So whether it’s the Tube in London or the taxis in Singapore, Tap & Go is a better experience. In-app is a better experience. Being able to order ahead and pay for it right with a touch rather than having to go and queue up to get my sandwich at lunch, that’s a better experience, that’s what drives the adoption.”

McLaughlin also gave a fairly detailed explanation of how he sees tokens working today, at least those with a MasterCard flavor.

“I’ll use Apple Pay as an example, but again it’s abstract, they just happened to be the first users of this. It says I would like to turn my new device into a valid payment instrument to generate genuine MasterCard transactions. That request hits our Digital Enablement System. We look to see if this is a bank that has enabled to do it, so there is a directory of the banks who are participating. We then immediately connect with the bank and we provide information, context information, a score if you will about how certain we are that the consumer is the consumer and this is this. The bank can automatically provision if they want to, if the score is high enough, or they can have a reach out and make sure they’re validating the consumer, but nothing happens without the bank validation,” he said.

What happens then? “When we get the go — and this is happening in some seconds, it’s an amazing system. When we get the go, what we then do is we put a different 16-digit MasterCard PAN number onto the device, we call it the device account number, and we associate an EMV key with it unique to that number which also goes into a secured area in the device. That can be an embedded secure element like with Apple, it could be a SIM, it can work with telcos, can be stored remotely in an HCE environment. But you get a unique device PAN and you get an associated key with that. That’s the enablement side. I always say it’s like peeling the sticker off the digital card. You go through some procedure and we light the instrument up. We’ve lived it in plastic, it’s really emulated in digital.”

McLaughlin also addressed the popular “can the token be somehow stolen and then used fraudulently” issue.

“The transaction is never released, it’s never fired if you will, until you’ve actively authorized it. You’re using a thumb biometric or something else. It’s not transmitting a signal. You release the transaction. So one, you know precisely when it’s there. In a contactless world, the gap is 2 centimeters to 4 centimeters, is the effective range of NFC. So that’s what we’re talking about a tap. You literally are right there on the terminal and you’re saying ‘Yes, I want it to go.’ So I don’t think (a token) being pulled out of the ether is going to be that much of a challenge.”

He then detailed some of the potential threats.

“What if it’s a spoof terminal or something of that nature, where you’ve released it into something and someone tries to pull it out of the street? And that’s why we say it’s so important that you can’t use that data out of context. So one, you get the unique identifier number, so I couldn’t take the number from that device and try them in white plastic or implement it somewhere else. I can’t take that data and create another payment instrument with it because I can only use it on the device, through the iPhone in this case, that it was provisioned to. Secondly, that device identifier is accompanied and this is how EMV works. It’s fully backward compatible with all the systems that are already in place. There’s a one-time cryptology based block that signs the transaction, that’s unique to that transaction. It can never be captured, it can never be replayed, we actually have transaction counters that are maintained so we know where it came from. In other words, even if you had that data, you couldn’t use it to create another transaction. That’s how we’ve put the whole frame around it and that’s why we’re able to say that these are actually more secure than what you’d see before and sort of the mag-stripe physical world.”
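The provisioning and replay protection McLaughlin describes (a device account number with its own key, a per-transaction cryptogram, and a maintained transaction counter) can be modeled in a few lines. This is an added example, not MasterCard's or EMV's actual algorithm: HMAC-SHA256 stands in for the EMV cryptogram, and the class names, message fields and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, device_pan, atc, amount_cents, nonce):
    # HMAC-SHA256 stands in for the EMV cryptogram (assumption, not the real algorithm).
    data = f"{device_pan}|{atc}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Device:
    """Holds the device account number, its key and a transaction counter."""
    def __init__(self, device_pan, key):
        self.device_pan, self._key, self._atc = device_pan, key, 0
    def pay(self, amount_cents, nonce):
        self._atc += 1  # counter advances on every released transaction
        mac = cryptogram(self._key, self.device_pan, self._atc, amount_cents, nonce)
        return {"device_pan": self.device_pan, "atc": self._atc,
                "amount_cents": amount_cents, "nonce": nonce, "cryptogram": mac}

class TokenVault:
    """Issuer/network side: per-token key plus the highest counter seen."""
    def __init__(self):
        self._tokens = {}
    def provision(self, device_pan):
        key = secrets.token_bytes(32)  # unique key tied to this device PAN
        self._tokens[device_pan] = {"key": key, "last_atc": 0}
        return key
    def authorize(self, msg):
        rec = self._tokens.get(msg["device_pan"])
        if rec is None:
            return "unknown_token"
        expected = cryptogram(rec["key"], msg["device_pan"], msg["atc"],
                              msg["amount_cents"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "bad_cryptogram"  # wrong key or altered fields
        if msg["atc"] <= rec["last_atc"]:
            return "replayed_counter"  # captured data presented again
        rec["last_atc"] = msg["atc"]
        return "approved"

def demo():
    vault, pan = TokenVault(), "0000000000000001"  # constructed sample number
    phone = Device(pan, vault.provision(pan))
    first = phone.pay(1250, "a1b2c3d4")
    clone = Device(pan, secrets.token_bytes(32))  # number copied, key not
    return [vault.authorize(first), vault.authorize(first),
            vault.authorize(dict(first, atc=2, amount_cents=99900)),
            vault.authorize(clone.pay(1250, "e5f6a7b8")),
            vault.authorize(phone.pay(300, "0f1e2d3c"))]
```

`demo()` returns one verdict per attempt: the genuine tap, the same message presented again, a captured message with the counter and amount altered, a copy of the number without its key, and the next genuine tap.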

McLaughlin also spoke of the next generations of cryptography. “We are moving from things like factoring primes to what’s called elliptical curve cryptology, which allows for much smaller, much more powerful keys. This is a standard that we are already working on. How do we ensure against theoretical attacks for theoretical quantum computers that don’t even exist yet?”

He also touched on various other payments hot buttons.

 

  • Contactless

“If you look at Canada, which I will say is a remarkably similar market to the U.S. except the people are nicer, in Canada over 20 percent of our transactions are contactless already, the vast majority coming off the card. Australia, Poland, we have markets around the world where that’s already happened. We opened up transit for London for contactless couple of weeks ago and we are getting millions of taps already, again mostly based on the plastic card. So the ability to tap and go particularly for low value transactions we have seen is just a great experience.

Kohl’s in Australia, one of the largest retailers there, says over 70 percent of the transactions are contactless today. It’s the experience we are looking to deliver and there are multiple devices we’ll use to enable it. I just see the mobile as a contactless delivery mechanism, not so much as a mobile transaction.”

  • MCX’s CurrentC and the SKU-level data it is promising to deliver.

 

“The sole question, sole arbiter, is whoever gives the consumer the thing that’s the most compelling is the one who is always going to win. And I think in every one of those merchants, and they’re great customers of ours and we talk to them all the time, is that it is the folks on the merchandising side that drive their business. They say, ‘How do I sell more and how do I get my customers to love me?’ And what we find is consumers are saying over and over and over again ‘I want something that works really well with the stuff that I already have. I want the rights and benefits of a genuine MasterCard transaction, whether it’s zero liability, whether it’s reward points. I don’t want to fragment my life, I don’t want to have to surrender bank account and driver’s license and social security information, I just want to use what I have really well.’”

  • Is Apple Pay Compliant With Durbin?

“I was at a conference out in Las Vegas a couple of weeks ago and a question I kept getting asked is, is Apple Pay Durbin-compliant? And simple answer, that’s the law. Of course it is. Our compliance people have compliance people. We’re MasterCard. We honor the regulatory oversight in 210 countries and jurisdictions. So, absolutely out of the gate, full Durbin-compliance with Apple Pay.”

  • Bitcoin implications?

“From a technology standpoint, the ability to have an irrefutable and unitary digital ownership of something is interesting. I think if you look at a sharing economy, some of the applications like who can unlock the car and things like that, you know it’s there. I think like a lot of really cool technologies, often the initial uses are miscast. It was an odd example, but they just had an anniversary, so bubble wrap was initially designed to be groovy wallpaper. And when no one bought a wallpaper, they just started using it for packaging and found out they had a fabulous packaging material. Some of the initial implications that this is a payment system for anonymity, for regulatory avoidance, for things like that, those wash out of the system. When you start look again at consumer benefits, having zero liability, knowing if there’s a dispute MasterCard and your bank stands behind it, knowing it all works together, I think come down saying okay you got something which has value what the mechanism can be used for, but I don’t necessarily think a payment system is the best application for that. And the way it is being applied for payments are very often accomplished one we don’t want to participate in. Or two, when I look at the services right now that are being offered to merchants around us, it’s usually at a 2 percent or greater discount rate, taxes and asset class, where we can go after DDA for $0.20. So again, it’s more expensive and more awkward. And if the purpose is to avoid — for anonymity or to avoid regulatory scrutiny, those are the types of business I think we want no part of that.”