Title: Steve Mott, BetterBuyDesign
1. FSTC Mobile Payments Technology Project
M-2 Kick-Off Meeting, Wednesday 19 November 2008
- Steve Mott, BetterBuyDesign
- Frank Jaffe, PaymentsNation
- Jim Pitts, FSTC Payments Standing Committee
- Dan Schutzer, FSTC Executive Director
2. FSTC Mobile Project Goals: Overall
Mobile Financial Services is a rapidly developing moving target that represents substantial commercial opportunities, but at yet-unknown risks and complexities of operation. FSTC established specific goals for conducting a multi-phase project aimed at recommending best practices for risk management and interoperability.
- This multi-phase project is infrastructure-focused: its aim is to identify best practices and recommend infrastructure components that enable building financial transaction applications that are
  - User friendly and compelling
  - Secure and private
  - Resilient
  - Efficient to operate and maintain
  - Flexible enough to rapidly build new apps
  - Capable of minimizing the need to build and support still another separate distribution processing silo
- A secondary goal is to reuse globally accepted solutions as much as possible and to work with such international standards bodies as ISO, the W3C Mobile Web initiative, and GSMA.
3. FSTC Mobile Project Phases
Phase / Result or Objective
- Phase Zero: Extensive discussions with The Clearing House (TCH) and other FI industry groups to sort out the best way to get a handle on FI requirements for participating in Mobile Financial Services (MFS).
  Result: TCH's Strategic Payments Forum mobile commerce sub-group focused on deriving viable business models; FSTC focused on interoperability and security requirements; BITS working on risk management issues.
- Phase One (M-1): Broad assessment of security, architecture and application capabilities and concerns; inventory of market development and MFS efforts and standards from the wireless industry.
  Result: Inventory noted extensive development of best practices within the wireless industry; 21 use cases developed; realization that focus should be on defining what's different and missing, not "boiling the ocean".
- Phase Two (M-2): Assumes minor roles needed for mobile banking, but a significant role in defining suitable architecture and technology for mobile payments and transfers.
  Result: Planned for immediate launch (11/08) with Architecture and Security working groups charged with identifying gaps in infrastructure, sources of transaction and systemic risk, and potential solutions and their ramifications.
- Phase Three (M-3): TBD, but likely to focus on specific infrastructure enhancements and practices, business rule consistency, and extensions beyond the consumer market to B2B.
  Result: Expected for mid-2009 with expanded involvement of wireless and banking industry organizations to support required changes in infrastructure and operating environment.
4. Supporting Organizations
These projects are by their nature intended to be collaborative and derivative.
- Collaborating Industry Organizations
  - ABA
  - BITS
  - Federal Reserve
  - NACHA
  - PaymentsNation
  - The Clearing House
  - SWIFT
- Additional Invitees
  - GSM
  - CTIA
  - Mobey Forum
  - NFC Forum
  - Smart Card Alliance
  - Global Platform
  - W3C Mobile WG
5. Phase One Structure
M-1 broke into four work groups aimed at getting a firm handle on the fast-moving target of mobile financial services.
- Four Work Groups / Volunteer Co-chairs
  - Applications / Montresa McMillan (BB&T), Reetika Grewal (ClairMail)
  - Security / Jason Rouse (Cigital), Paul Smocer (BITS)
  - Network-Handsets / Steve Mott (BetterBuyDesign, with support from the Boston Fed)
  - Architecture / Tom Hissam (IBM), Tina Slankas (Wachovia)
- Project Management
  - Janey Place, DigitalThinking
  - Jim Pitts / Tim Kormos, FSTC
6. Phase One Deliverables
- M-1's focus on understanding the current mobile infrastructure resulted in a collection of useful outputs on where the marketplace is now, and where it's going
- Network-Handsets
  - Top carriers and mobile handset manufacturers were reviewed and assessed against use cases
  - Broad review of wireless industry capabilities
- Applications
  - 21 use case summaries were documented
  - Mobile wallet, person-to-person payment, bill pay, POS, OTP, and various combinations of network mode and payment network scenarios
- Security
  - Assessed the 21 mobile payment use case summaries developed by the Applications Group
  - General principles of mobile payments security
- Architecture
  - Assessment of barriers to interoperability
  - High-level patent review
  - Regulatory issues were researched and documented
  - Survey and technology profiling
7. Key Findings from Phase One
A number of important insights were gained from M-1 that now shape M-2's agenda.
- Rapid evolution in handset capabilities is driving the accessibility and availability of data services
- Higher-margin data services for carriers will, in turn, increase the drive for mobile transactions
- Web 2.0 applications will tax 3G configurations further, pushing the industry toward 4G
- NFC has value beyond an interface to POS devices, and could offer high levels of interoperable, chip-based security
- NFC security premises need to be scrutinized
- Mobile commerce is possible over a number of channel technologies, which vary in terms of the security they provide
- FI security concerns with handset provision and operation need to be reflected and addressed in tandem with mobile channel technologies
- Initial priority on mobile web and SMS/text messaging delivery channels and application use cases is better placed on mobile payments primarily (and to a lesser extent on P2P)
- Initial payment type focus is best placed on Credit, ACH and ATM payment networks
- Carriers are prepared to open up their networks to payment and other data-based transactional services and work with FSTC (note: "open" doesn't mean "free")
- Carriers would prefer that banks manage the fiduciary risk in Mobile Financial Services (MFS), provided that in the ensuing revenue models each party is fairly compensated for the work and value they provide
8. Why the Rush to Do Phase Two?
- MasterCard has done nearly two dozen NFC pilots at POS, and has enabled a Trusted Service Manager (TSM) configuration for Over-the-Air (OTA) provisioning
- GSMA has a Pay-Buy-Mobile initiative that proposes fully configured payment options leveraging the POS contactless environment, but using SIM chips rather than waiting for NFC chips
- Visa has a pilot where the member bank owns and manages the SIM chip (instead of the carrier operator) to effect banking and payment applications
- Citibank customers can use Obopay to make P2P transfers worldwide, where users can access value with MasterCards
- One of the top U.S. banks recently issued an RFP for a comprehensive payments platform
- Wells Fargo is implementing a growing number of mobile services for commercial customers; small business demand is soaring
9. Phase Two Structure
M-2 is structured to make rapid progress, mixing comprehensive assessments with rifle-shot views and recommendations for stakeholders to consider.
- Two Work Groups
  - Security
  - Architecture
- Contracted Team Leaders
  - Frank Jaffe (PaymentsNation), Security Team
  - Steve Mott (BetterBuyDesign), Architecture Team
- Project Management
  - Jim Pitts, Project Manager
  - Tim Kormos, Associate Project Manager
  - PMO
  - Web Site
10. Need for Refinement of FI Participation
Experimentation in the marketplace is proliferating under several different formulations that overlap and require consistent definition.
Various Working Definitions for Mobile Financial Services
- Mobile Banking: Use of a mobile device to connect to a financial institution to conduct customer self-service (CSS) financial business, including but not limited to viewing account balances, transferring funds between accounts, paying bills or receiving account alerts.
- Mobile Person-to-Person (P2P) Transfers: Mobile person-to-person/peer-to-peer payments and transfers (mobile P2P) offer the first income-generating step for financial institutions on the pathway to full mobile banking and payments. While still a niche product, demand is growing, and one out of ten consumers currently states that he or she would likely use mobile P2P if the service were available. (Source: Javelin Strategy & Research)
- Mobile Payments: Use of a mobile device to make a purchase or other payment-related transaction. Such payments can be initiated in the physical or virtual worlds, and can be conducted in a variety of ways including SMS/MMS, mobile Internet, downloaded application and contactless chip (e.g., NFC technology). Examples of mobile payments include ring tone downloads billed to the mobile phone bill, purchases/payments via the mobile Internet, tap-n-go purchases using a contactless chip embedded in the mobile device, and P2P transfers. Mobile payments may also include the use of many other novel methods under development. (Source: NACHA)
- Mobile Commerce: "Any transaction, involving the transfer of ownership or rights to use goods and services, which is initiated and/or completed by using mobile access to computer-mediated networks with the help of an electronic device" (Tiwari and Buse, 2007, p. 33). M-commerce is extending e-commerce to a variety of mobile devices (e.g., handheld devices such as cellular phones or personal digital assistants) for the purpose of buying and selling goods and services.
- Mobile Financial Services: A broad term encompassing a variety of different types of services enabled via a mobile device. Edgar Dunn and Company has developed a classification system in which mobile financial services are broken down into 5 key categories: digital or online payment, remote payment (mCommerce-enabled websites), P2P payments, physical payments (customer and mobile device present) and mobile banking. (Source: http://www.edgardunn.com/uploads/100030_english/100195.pdf)
11. Definitional Scope Clarification for Phase Two
M-2 is designed to identify potential gaps and risks in emerging financial applications.
- The definitions on page 11 cover three application areas (and two generic categories: commerce and financial services). Of the three (or more) applications, the project will focus on what's different about the mobile aspect of payment services, and what's missing in terms of infrastructure and a level of security/privacy that FIs can live with. In general, this means:
  - Mobile Banking: Operational issues that affect FI-provided mobile banking service will be examined with respect to infrastructure and security implications only
    - Example (in scope): Wireless networks blocking SMS account alerts
    - Example (out of scope): Any attempts to use SMS/USSD for transactions other than actionable alerts
  - Mobile P2P: FI-provided accounts are used to load and unload these transaction flows, but FIs have no jurisdiction over the flows themselves within private computer networks and interactions
    - Example (in scope): Security procedures for accessing accounts at both ends and storage of credentials
    - Example (out of scope): Requirements for secure hosting and transport of account values and related information within private networks and computing systems
  - Mobile Payments: Purchases of products and services via mobile devices over WAP-browser and client application configurations using FI-provided accounts are a key opportunity (and concern) and will be addressed in terms of both transaction and systemic risk
    - Example (in scope): Likely threats and feasible options for addressing these threats, and emerging infrastructure models (such as NFC)
    - Example (out of scope): Specific security protocols or infrastructure mandates
- Note: "out of scope" means not a primary focus. It does not mean that a subject will be completely ignored.
12. Definitional Scope Clarification for Phase Two
M-2 is designed to identify potential gaps and risks in emerging financial applications.
- The definitions on the prior page are deliberately broad: they include in "mobile" all forms of activity which can be performed from devices which are not fixed in location, including
  - IVR and Customer Service Representative from a cell phone
  - Online internet banking from a portable computer or remote location/device (e.g., kiosks, libraries, etc.)
- For FSTC M-2, the deliberations will aim at purely advanced wireless services:
  - Where one of the primary functions of the user interface design is to act as a cellular telephone
    - Example (in scope): Smart phones
    - Example (out of scope): Laptop computers, basic cell phones
  - Where services are provided based on communication between the mobile device and the service that involves an exchange of data beyond touchtone or speech recognition
    - Example (in scope): Smart phone web banking, USSD2 services
    - Example (out of scope): IVR
- M-2 will examine cross-border implications for MFS with U.S.-Canada as a test case
- Note: "out of scope" means not a primary focus. It does not mean that a subject will be completely ignored.
13. Possible Phase Two Deliverables
While business models have substantial ramifications for infrastructure and risk in the emerging mobile environment, M-2's deliberations and output will concentrate on the technology options behind architecture and security. Specific deliverables will be determined during the project but may include:
- Architecture Group
  - Identify needed infrastructure elements and dynamics
  - Map infrastructure flows for relevant business models
  - Provide supporting detail on technology options
- Security Group
  - Application and enhancement of General Principles to security analysis
  - Identification of logical security use cases
  - Systemic risk analysis and plans of attack, possibly via use case summaries
- Combined
  - Final report
14. Architecture Group: Points of Intersection
- FI near-term involvement and gaps in operability and security
- Differences from online and telephone banking/commerce
- Exposure to transaction and/or systemic risk
- Existing and prospective solution set with option parameters
15. Security Group
- Foundations of security
  - Confidentiality (includes privacy)
  - Integrity
  - Availability
- Implementation models
  - Custom application
  - Generic functionality
- Levels of risk
  - Transactional
  - Systemic
Security controls need to effectively manage risks, not seek to eliminate them.
16. Security Group: Security Principles
- Objective: Provide guidance to the industry on mobile payments matters to permit reasonable and appropriate security design tradeoffs
- Phase I Security Principles subject areas
  - Authentication
  - Enrollment/registration
  - Transaction validation
  - Data protection (at rest and in transit)
  - Include analysis of aliasing
17. Security Group: Systemic Risk Areas
- Systemic risk area analysis will focus on the differences between mobile and other payments, and seek to understand the alternatives available to mitigate those risks
- Preliminary identified risks include
  - High volume of dropped calls
  - High device churn (lost/stolen and general replacements)
  - Device cloning
  - Limited device control with high levels of storage
  - New dependencies on handsets and mobile operators
  - Active network operator services (i.e. roaming, spam filtering, proxies, device upgrades, etc.)
  - Third party transaction monitoring/eavesdropping
18. Security Group: Systemic Risk Areas
- Preliminary identified risk reduction opportunities
  - Richer information available
    - Device identification
    - Geolocation
  - Device security
    - SIM chip
    - NFC
  - Potential Infrastructure Services
    - Trusted Services Manager (TSM)
    - Lost/stolen/replaced device reporting
    - Remote device memory wiping
19. Project Deliverables: Understanding of Risks
An example of M-2 project deliverables will include selective assessments of the underlying risks at hand, with a framework that facilitates FI choices on options.
- Two major risk areas
  - Transactional risk (the risk associated with an individual transaction)
  - Systemic risk (major risks which affect all users of a system)
- Areas of Exploration in the Project
  - Evaluate major areas of operation to identify and document potential systemic risks to Mobile Payments
    - User enrollment/registration
    - Activation and use of mobile devices and applications
    - Traversal of carrier networks and third party systems
    - Lost/stolen devices and device re-issue
    - Malware and other device weaknesses
  - Note: Cross-institution settlement risk is out of scope for M-2
  - Recognizing that a certain amount of fraud (1-2) is to be expected, evaluate potential standards at three levels of security:
    - As is
    - Minimal security baselines
    - Upgraded security able to withstand sustained attacks
  - Attempt to develop a security framework to allow an orderly migration from the current security state to an appropriately secure cross-company end-state; the framework will form a basis for FIs to use in creating their own risk management profiles and policies.
    - Example: Account aliases vs. account shutdown and replacement
    - Example: Use of unique transaction IDs and/or cryptograms/digital signatures
20. Project Deliverables: Market Road-map
But the moving target of MFS must take into consideration the rapid consolidation of the wireless industry, and the ensuing transition to a more open environment. Examples of M-2 deliverables include broader technology and business model trends, such as:
- The current state of the marketplace involves a wide variety of proprietary software and closed networks ("walled gardens"), but significant changes are anticipated in this environment as the market begins to mature and progress toward open operations (especially with Google's Android)
- The project will seek to identify transitional needs (e.g. common browser capabilities) and platform enhancements (e.g. leveraging SIM chips) which will influence this transition; these can provide a blueprint to financial institutions on where to focus their efforts in achieving sustainable mobile payments
- M-2 will also seek to "handicap" the prospects for mobile phones enabled with Near-field Communications (NFC). NFC chips are theoretically more powerful than SIM chips, can be owned and managed by banks (rather than carriers), and promise to provide a high degree of interoperability across many different security mechanisms and protocols; this project phase will assess the transitional market and security potential of NFC-enabled phones
21. Future Focus: Business Models and Policies
M-2's best practices and technology recommendations will need a further drill-down in subsequent phases, in which additional issues will be deliberated upon.
- In M-3, an evaluation is planned for the transitioning of mobile payments infrastructure and models to identify key points of leverage where enhanced services or risk reduction can be achieved through services which cross mobile operators and financial institutions
  - Example: Can there be a single point of reporting for lost phones that would notify account-holding institutions as well as mobile network operators (while avoiding multiple customer service interactions)?
  - Example: Certification (and possible branding) for all components of the MFS value chain (i.e., enrollment, device, application, carrier network, Internet interface, third-party hosts, and FI systems)
  - Example: Pros and cons of a uniform, monolithic enrollment and credential maintenance host for the mobile payments industry
- In addition, M-3 will begin to address what's different about mobile capabilities for B2B interactions, as some FIs are already aggressively entering that market segment today
- M-3 will drill down to very specific infrastructure and technology fixes that might be deemed necessary
22. Phase 3 Goals/Deliverables
Preliminarily, Phase-3 outcomes could cover a workable set of participant desires and concerns:
- Desired mobile infrastructure end state, including optimal technology infrastructure and options as business models proliferate and evolve
- Provide details on implementation of best practices
- Submit any generic standards recommendations to appropriate deliberative bodies
- Document and communicate recommendations to the Financial Services Industry
- Pilot/proof-of-concept monitoring and evaluation
- Broader global compatibility ramifications
- Implications for B2B services
23. FSTC Mobile Payment Technology Project
- For information on how to become a member of the project team, email jim.pitts_at_fstc.org
Q&A