Boosting and securing online shopping - making PIN on phone a reality
1. This document is offered compliments of
BSP Media Group. www.bspmediagroup.com
All rights reserved.
2. Boosting and securing online shopping - making PIN on phone a reality
Africa Com 2013
3. Oltio is a joint venture between the Standard Bank and MTN Groups – formerly called MTN Mobile Money
Bank
• Largest banking group in Africa
• Operates in 42 countries worldwide
• Significant card issuer and acquirer
MTN
• Largest Mobile Network Operator in Africa and Middle East
• 21 countries
• >200m subscribers
“Oltio – the secure mobile commerce company”
4. Oltio was a GSM-A Global Mobile awards finalist in 2012 with payD and MasterCard Mobile
5. What is a mobile payment?
What is online shopping?
6. payD basics
• payD uses the handset as a “personal PIN entry device”; customers enter their ATM/POS PIN into their own phone when making a purchase.
• payD works across multiple channels – phone, web, POS, kiosk, App etc.
• payD WIG uses SIM and handset based security to do the encryption of the PIN where the network has keys loaded to its SIMs.
• ORAGS App makes use of a 3DES DUKPT-like security protocol for feature and smart phones where the SIM keys cannot be accessed.
• System constructs and submits to the acquirer an ISO 8583 transaction for debit and credit cards.
• The transaction is a CNP (card not present) with PIN.
• The normal four party card acquiring processes apply.
• In SA liability is shifted to the issuer in a similar manner to 3D Secure.
• payD has been live in SA for 4 years.
• MasterCard approved and branded, Visa supported via marketing - in SA.
7. Case study: South Africa: good debit card with PIN penetration – POS and online usage poor due to limited debit card acceptance
• High levels of debit card penetration
• PIN required due to single message ATM genesis
• High GDP per capita - good retail potential
• >120% mobile phone penetration
• Airtime top-up via cash not card
[Chart: GDP per Capita (PPP, $2,000 to $10,000) and Financial Penetration (20% to 100%) for South Africa, Indonesia, Kenya and Uganda]
8. The m and e-commerce challenge in South Africa
[Chart: Total retail sales in South Africa vs online retail sales in South Africa: 0,36%]
9. The m and e-payments challenge in South Africa
• All payment types accepted
• Debit Cards with PIN code didn’t work in m and ecommerce
10. There are an estimated 750 000 spaza shops in South Africa – with almost no POS acceptance
• POS cost too high for merchants
• Not viable to acquirers
• VAS services key
• Less than 200 000 POS merchants in SA, mostly in formal retail sectors
• Cost of POS high to merchant – R750pm min if turnover under R20 000 pm
11. Flea markets and other informal merchants pose similar challenges
New game: spot the POS
12. The lack of electronic acceptance is impacting business growth – suppliers won't accept cash – not just an SA issue
• Bulk distributors will not accept cash
• Lack of electronic acceptance limits float to pay
13. Using a phone as the merchant device is a logical leap but does have limitations in emerging markets
• mPOS requires certification, distribution logistics and specific phones
14. Card payment – traditional four party model needs to be retained….
• Card is presented at terminal
• Tx details captured on POS and sent to acquirer
• Acquirer attempts authorisation from Issuer
• Response sent back to acquirer and to POS
[Diagram: POS → Acquirer (A) → Issuer (I), with a request and a response flowing at each hop]
16. payD uses the phone‘s SIM to encrypt the PIN
• SIM has encrypt and decrypt functionality
• ISO PIN block can be created
17. payD uses WIG security embedded into a mobile network operator's system
[Diagram flow]
• Derived keys loaded onto the SIM card at the point of manufacture
• SIM card containing a WIB browser that allows encryption of data using the keys
• WIG Gateway: WIG push for PIN; customer enters PIN on receipt of request; PIN-block returned
• HSM: PIN-block re-encrypted with application keys
• Transaction Application Server (with HSM)
System is protected by patents and licensed to operators
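The PIN-block path on slides 16 and 17 (ISO PIN block built on the SIM, encrypted under SIM keys, re-encrypted under application keys at an HSM), as an added Go example that is not Oltio's or payD's code: it builds an ISO 9564 format-0 block (format 0 is an assumption; the slides say only "ISO PIN block"), encrypts it with 3DES under an assumed SIM key, and performs the HSM translation so the clear block never leaves the HSM function. The keys and the PAN/PIN values in the test are constructed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// isoFormat0Block builds an ISO 9564 format-0 PIN block: the PIN field
// (0, PIN length, PIN digits, F padding) XORed with the PAN field (0000 +
// 12 rightmost PAN digits, check digit excluded), binding the block to one card.
func isoFormat0Block(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 ||
		strings.Trim(pin+pan, "0123456789") != "" {
		return nil, fmt.Errorf("PIN must be 4-12 digits, PAN at least 13 digits")
	}
	p, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + "FFFFFFFFFFFFFF"[:14-len(pin)])
	n, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ n[i] // inputs validated above, so decoding cannot fail
	}
	return block, nil
}

// tdes runs a single-block 3DES encrypt (enc=true) or decrypt (enc=false).
func tdes(key, in []byte, enc bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key) // 24-byte key required
	if err != nil {
		return nil, err
	}
	op := c.Encrypt
	if !enc {
		op = c.Decrypt
	}
	out := make([]byte, 8)
	op(out, in)
	return out, nil
}

// hsmTranslate models the HSM step: the block arrives under the SIM key and
// leaves under the application key; the clear block exists only inside here.
func hsmTranslate(simKey, appKey, encBlock []byte) ([]byte, error) {
	clear, err := tdes(simKey, encBlock, false)
	if err != nil {
		return nil, err
	}
	return tdes(appKey, clear, true)
}
```

The issuer side decrypts the translated block under the application key and compares it with the block rebuilt from the PIN on file for that PAN.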
18. …allowing the phone to become a Personal Key Entry Device - restricted to the identified cardholder
• Not for general PIN entry use by merchant
• Locked to identified cardholder
• Phone number is proxy for card number
• No device certification required
20. payD replaces the card and POS
Enabling Mobile Card Based Transaction - Card-Not-Present + PIN
• Secure encryption engine to capture and process ATM/POS PIN
• Auth Engine
• Customer’s card number linked to mobile number (database: Card Nr ↔ Mobile Nr)
• Mobile Phone number is used to identify cardholder
• payD builds and sends formatted auth request to bank
[Diagram: payD → Acquirer (A) → Issuer (I), with a request and a response flowing at each hop]
21. payD is secure and PCI compliant
• payD is PCI DSS level 1 compliant
• PCI Compliance is not required by merchant/PSP in payD transaction as card details are captured into the customer's phone
• payD is a “cloud” POS
• Reduces merchant risk and cost
22. Authenticated Mobile Transaction (AMT) is a PASA approved Card PCH rule in South Africa
• Card PCH specified and approved
• PIN is captured into phone in secure manner
• AMT rule is similar to 3D Secure and V-by-V
• Liability shifts to issuer
• Issuer opt-in required
• Applies to all card types
• payD conforms to AMT
• Licensed in South Africa to IPSEP
23. payD is supported by both MasterCard and Visa
• MasterCard Mobile Remote Payment (MMRP) certified
• Supported by Visa
• Issuer opt–in required
24. MTN uses payD to sell airtime directly to customers - via MTN Eazi Recharge – customers dial a USSD shortcode and enter the PIN in a WIG session
*141*10#
• Customers do on average 8 transactions pm
• Debit card purchase as opposed to cash withdrawal
• 350 000 registered users
25. As do Vodacom for their Express Recharge offering …
*130*082#
27. payD WIG is a complex system and needs all elements to be in place to work - this isn't always the case outside of South Africa
Key learnings from payD WIG
• MNO dependence - requires MNO technical support – correct SIM, SIM keys and WIG to be in place
• App is in – customers demand a richer experience – use of USSD declining and WIG/S@T has not proven successful to MNOs
28. ORAGS App – works on all networks, with 3DES DUKPT-like security protocol - called ORAGS
1. Customer downloads App
2. Phone sends SMS to identify itself
3. Subset of keys sent to phone
4. Creates one off session
Feature and smart phones
PIN-block returned encrypted under secure protocol – one off use only
29. ORAGS works across multiple channels
• vPOS / Physical POS / App to App: low cost POS with no extra hardware required; can be used on current technology (no EMV compliance required).
• mCommerce: Ticketing, Cinema, Airtime
• WEB / eCommerce: simple API and simulator for merchant integration
• Static: Parking, Ticketing, Retail F2F, Code Entry
• Call Centre: Outbound Sales, Insurance
• Kiosk: Bill Payment
In most instances App or USSD WIG can be used
30. Face-to-face provides the biggest opportunity for payment acceptance expansion and cash reduction
31. Face-to-face using a phone App - no extra hardware is required - low level phones can be used
38. Chargeback experience: well known SA low cost airline (example)
• Largest low cost airline in SA – over 200 000 passengers per month
• Linked to payD to allow debit cards to grow potential customer base
Sample year, commencing July 2011:
• 8900 tickets sold with sales values of R11m via payD
• No confirmed charge backs via payD noted
• 20% of usage was credit card and PIN
• 3D not user friendly to mobile
39. Stakeholder Benefits summary
Card Issuer
• Provides additional value added services to cardholders by allowing mobile remote authentication
• Increased PV on transactions through expansion of acceptance channels that accept remote authentication
• Enablement of debit cards for mobile authentication on cards that do not allow card not present transactions.
Card Acquiring
• Expand acceptance network to include remote authentication solutions. Enjoy increased merchant fees from expanded estate.
• Enable new card based payment channels, e.g. B2B mobile payments.
Cardholder
• Convenience of using mobile phone to pay in remote authentication situations e.g. travel bookings
• No need to share card information with any merchant or payment gateway, which reduces hacking of data
Merchant
• Accept card based transactions in previously unsupported environments, e.g. debit e-commerce transactions.
• Cost savings through direct distribution capability of virtual services e.g. airtime. (In this scenario the mobile network operator becomes the merchant.)
• Enjoys liability shift rules similar to VbyV/3D – no need to be PCI Compliant
• Increased security of cardholder information. No card data is shared with a merchant when a transaction is processed.
Card company
• Out of band authentication ensures separation of card sensitive data. Data compromises do not enable fraudsters to replicate transactions or clone cards.
• Remote authentication capability increases PV for issuers.
• Remote authentication capability can extend acceptance infrastructure within a market.
• Enables the mobile phone as an authentication device.
• Provides a direct communications interface to the cardholder. Promotions and offers can be better articulated and promoted.
• Increased security through GIS enablement of transaction info. All transactions carry a location signature.