If you left the payment industry five or 10 years ago, and came back after this hiatus, you may feel like the prehistoric man brought back to life after 40,000 years frozen in a cave. Everything looks different and moves way faster.
Technology has obviously advanced, with a mixed bag of successes and failures. Additionally, several new trends are evolving: changing consumer expectations, increased regulation, and new platform-based business models. Taken together, these forces are combining to create a fundamental shift in the way we pay.
QR codes are a good example of how times have changed. Initially designed for low-tech environments (merchant closed-loop, tags), QR codes combine simplicity and ubiquity in a mobile environment. However, the “one-way” aspect of the transaction (one party generates the tag and the other party reads it) fundamentally limits the security of this solution. “One-way” transactions rule out the back-and-forth mechanism, known in information security as a challenge-response, that is required to establish trust between two parties sharing confidential data: a static tag carries nothing that binds it to this particular transaction, so whoever can read it can present it again.
When looking at in-store transactions, we find ourselves in an interesting situation. The payments industry undertook considerable investment and effort to phase out static, one-way solutions such as mag stripe (deemed not secure enough to prevent fraud) and mandated EMV implementation, based on strong authentication and dynamic, challenge-response protocols.
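To make the contrast between the static “one-way” tag and a dynamic challenge-response concrete, here is an added toy example (not code from the original article or from any payment scheme): a verifier that accepts a fixed token will accept the same captured token twice, whereas a verifier that issues a fresh nonce and checks an HMAC over nonce and amount rejects both a replayed response and a response computed for a different amount. The shared key, account identifier, and amounts are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption for the demo: a key pre-shared between issuer and the paying device.
SHARED_KEY = b"constructed-demo-key"


class StaticTokenVerifier:
    """Models the one-way tag: the same string is presented every time."""

    def __init__(self, expected_token: str) -> None:
        self.expected_token = expected_token

    def verify(self, token: str) -> bool:
        # Nothing ties the token to a transaction, so a copy is indistinguishable.
        return hmac.compare_digest(token, self.expected_token)


class ChallengeResponseVerifier:
    """Models the dynamic exchange: verifier sends a nonce, prover answers with an HMAC."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding: set[str] = set()   # nonces issued but not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)        # fresh, unpredictable per transaction
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: str, amount: str, response: str) -> bool:
        if nonce not in self.outstanding:    # unknown nonce or already consumed: replay
            return False
        self.outstanding.discard(nonce)      # each challenge is single-use
        expected = respond(self.key, nonce, amount)
        return hmac.compare_digest(expected, response)


def respond(key: bytes, nonce: str, amount: str) -> str:
    # The prover binds its answer to both the challenge and the transaction amount.
    return hmac.new(key, f"{nonce}|{amount}".encode(), hashlib.sha256).hexdigest()


def demo() -> tuple:
    static = StaticTokenVerifier("acct-1234")
    static_twice = (static.verify("acct-1234"), static.verify("acct-1234"))
    cr = ChallengeResponseVerifier(SHARED_KEY)
    nonce = cr.challenge()
    answer = respond(SHARED_KEY, nonce, "12.50")
    first_use = cr.verify(nonce, "12.50", answer)     # genuine transaction
    replayed = cr.verify(nonce, "12.50", answer)      # same response presented again
    nonce2 = cr.challenge()
    altered = cr.verify(nonce2, "99.00", respond(SHARED_KEY, nonce2, "12.50"))
    return static_twice, first_use, replayed, altered
```

`demo()` returns `((True, True), True, False, False)`: the static token is accepted on both presentations, while the challenge-response verifier accepts only the first, fresh answer.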
In a similar fashion, mobile payment systems, which were restricted to the same chip-based technical solutions, finally moved to pure software emulation solutions. So, what changed? What created this sudden shift in payments? While fraud declined, it did not disappear overnight.
In practice, we have seen a flurry of new ways to transact, distinctly different from the traditional in-store and “card not present” methods. From mobile ordering to P-to-P, or “invisible payments” (e.g., Uber), users have shown an appetite for convenient, value-creating methods rather than technical increments (case in point: the deployment of contactless in the U.S., which has met with limited success).
The method used to transact, whether the dip of a chip card or the tap of a phone, becomes less relevant in the grand scheme of things. As long as we can create enough trust between the parties involved in a payment transaction, the system works.
We can then imagine a future where authentication becomes more important than the payment form factor. We might even be able to retire the venerable primary account number. Come to think of it, this future does not look so distant: it’s Friday evening, I’m tired and the kids are hungry; I call Alexa or Google Home to the rescue and order a pizza. My voice-activated device knows my usual order, authenticates my voice securely (authorized against my stored payment credentials) and completes the transaction. From a technology standpoint, we are already very close to that.
The barrier to adoption is then no longer technical; it has become a scaling consideration. The next Gordian knot to solve will be: how to provide a global, interoperable and safe authentication framework? In traditional payment schemes, the interconnectivity issue has been handled by the networks (Visa, Mastercard, CUP, etc.), while managing authentication/authorization factors remained the responsibility of the issuers.
It is, however, less clear who has the legitimacy to manage more sensitive authentication credentials such as biometrics. Many private contenders are positioning themselves as the repository for this Id&Auth information (Apple, Google, Facebook, Amazon, etc.), while governments and regulators start to take notice of the creation of these large data pools of population information. There are obvious privacy and data security issues.
Although still fragmented, competitive new ways to pay such as QR codes or P2P are now offering credible alternatives to traditional payment methods. Will standardization efforts such as FIDO or the W3C be enough to propel them to the front stage?