Steve Mott, BetterBuyDesign - PowerPoint PPT Presentation

Provided by: fstc
Slides: 23

Transcript and Presenter's Notes

1
FSTC Mobile Payments Technology Project
M-2 Kick-Off Meeting, Wednesday 19 November 2008
  • Steve Mott, BetterBuyDesign
  • Frank Jaffe, PaymentsNation
  • Jim Pitts, FSTC Payments Standing Committee
  • Dan Schutzer, FSTC Executive Director

2
FSTC Mobile Project Goals: Overall
Mobile Financial Services is a rapidly developing
moving target that represents substantial
commercial opportunities, but at yet-unknown
risks and operational complexities. FSTC has
established specific goals for a multi-phase
project aimed at recommending best practices for
risk management and interoperability.
  • This multi-phase project is infrastructure-focused:
    its aim is to identify best practices and
    recommend infrastructure components that enable
    building financial transaction applications that
    are
    • User friendly and compelling
    • Secure and private
    • Resilient
    • Efficient to operate and maintain
    • Flexible enough to rapidly build new apps
    • Capable of minimizing the need to build and
      support still another separate distribution
      processing silo
  • A secondary goal is to reuse globally accepted
    solutions as much as possible and to work with
    such international standards bodies as ISO, the
    W3C Mobile Web initiative, and GSMA

3
FSTC Mobile Project Phases
Phase / Result-Objective
  • Phase Zero: Extensive discussions with The
    Clearing House (TCH) and other FI industry groups
    to sort out the best way to get a handle on FI
    requirements for participating in Mobile
    Financial Services (MFS)
    Result/Objective: TCH's Strategic Payments Forum
    mobile commerce sub-group focused on deriving
    viable business models; FSTC focused on
    interoperability and security requirements; BITS
    working on risk management issues
  • Phase One (M-1): Broad assessment of security,
    architecture and application capabilities and
    concerns; inventory of market development and
    MFS efforts and standards from the wireless
    industry
    Result/Objective: Inventory noted extensive
    development of best practices within the
    wireless industry; 21 use cases developed;
    realization that the focus should be on defining
    what's different and missing, not boiling the
    ocean
  • Phase Two (M-2): Assumes minor roles needed for
    mobile banking, but a significant role in
    defining suitable architecture and technology
    for mobile payments and transfers
    Result/Objective: Planned for immediate launch
    (11/08) with Architecture and Security working
    groups charged with identifying gaps in
    infrastructure, sources of transaction and
    systemic risk, and potential solutions and their
    ramifications
  • Phase Three (M-3): TBD, but likely to focus on
    specific infrastructure enhancements and
    practices, business rule consistency, and
    extensions beyond the consumer market to B2B
    Result/Objective: Expected for mid-2009 with
    expanded involvement of wireless and banking
    industry organizations to support required
    changes in infrastructure and operating
    environment

4
Supporting Organizations
These projects are by their nature intended to be
collaborative and derivative.
  • Collaborating Industry Organizations
    • ABA
    • BITS
    • Federal Reserve
    • NACHA
    • PaymentsNation
    • The Clearing House
    • SWIFT
  • Additional Invitees
    • GSM
    • CTIA
    • Mobey Forum
    • NFC Forum
    • Smart Card Alliance
    • Global Platform
    • W3C Mobile WG

5
Phase One Structure
M-1 broke into four work groups aimed at getting
a firm handle on the fast-moving target of mobile
financial services
  • Four Work Groups / Volunteer Co-chairs
    • Applications / Montresa McMillan (BB&T),
      Reetika Grewal (ClairMail)
    • Security / Jason Rouse (Cigital), Paul Smocer
      (BITS)
    • Network-Handsets / Steve Mott (BetterBuyDesign,
      with support from the Boston Fed)
    • Architecture / Tom Hissam (IBM), Tina Slankas
      (Wachovia)
  • Project Management
    • Janey Place, DigitalThinking
    • Jim Pitts / Tim Kormos, FSTC

6
Phase One Deliverables
  • M-1's focus on understanding the current mobile
    infrastructure resulted in a collection of useful
    outputs on where the marketplace is now, and
    where it's going
  • Network-Handsets
    • Top carriers and mobile handset manufacturers
      were reviewed and assessed against use cases
    • Broad review of wireless industry capabilities
  • Applications
    • 21 use case summaries were documented
    • Mobile wallet, person-to-person payment, bill
      pay, POS, OTP, and various combinations of
      network mode and payment network scenarios
  • Security
    • Assessed the 21 mobile payment use case
      summaries developed by the Applications Group
    • General principles of mobile payments security
  • Architecture
    • Assessment of barriers to interoperability
    • High-level patent review
    • Regulatory issues were researched and documented
    • Survey and technology profiling

7
Key Findings from Phase One
A number of important insights were gained from
M-1 that now share M-2's agenda
  • Rapid evolution in handset capabilities is
    driving the accessibility and availability of
    data services
  • Higher-margin data services for carriers will, in
    turn, increase the drive for mobile transactions
  • Web 2.0 applications will tax 3G configurations
    further, pushing the industry toward 4G
  • NFC has value beyond the interface to POS
    devices, and could offer high levels of
    interoperable, chip-based security
  • NFC security premises need to be scrutinized
  • Mobile commerce is possible over a number of
    channel technologies, which vary in the level of
    security they provide
  • FI security concerns with handset provisioning
    and operation need to be reflected and addressed
    in tandem with mobile channel technologies
  • Initial priority on mobile web and SMS/text
    messaging delivery channels and application use
    cases is better placed on mobile payments
    primarily (and to a lesser extent on P2P)
  • Initial payment type focus is best placed on
    Credit, ACH and ATM payment networks
  • Carriers are prepared to open up their networks
    to payment and other data-based transactional
    services and to work with FSTC (note: "open"
    doesn't mean "free")
  • Carriers would prefer that banks manage the
    fiduciary risk in Mobile Financial Services
    (MFS), provided that in the ensuing revenue
    models each party is fairly compensated for the
    work and value they provide

8
Why the Rush to Do Phase Two?
  • MasterCard has done nearly two dozen NFC pilots
    at POS, and has enabled a Trusted Service Manager
    (TSM) configuration for Over-the-Air (OTA)
    provisioning
  • GSMA has a Pay Buy Mobile initiative that
    proposes fully configured payment options
    leveraging the POS contactless environment, but
    using SIM chips rather than waiting for NFC chips
  • Visa has a pilot where the member bank owns and
    manages the SIM chip (instead of the carrier
    operator) to effect banking and payment
    applications
  • Citibank customers can use Obopay to make P2P
    transfers worldwide where users can access value
    with MasterCards
  • One of the top U.S. banks recently issued an RFP
    for a comprehensive payments platform
  • Wells Fargo is implementing a growing number of
    mobile services for commercial customers; small
    business demand is soaring

9
Phase Two Structure
M-2 is structured to make rapid progress, mixing
comprehensive assessments with rifle-shot views
and recommendations for stakeholders to consider
  • Two Work Groups
    • Security
    • Architecture
  • Contracted Team Leaders
    • Frank Jaffe (PaymentsNation), Security Team
    • Steve Mott (BetterBuyDesign), Architecture Team
  • Project Management
    • Jim Pitts, Project Manager
    • Tim Kormos, Associate Project Manager
    • PMO
    • Web Site

10
Need for Refinement of FI Participation
Experimentation in the marketplace is
proliferating under several different
formulations that overlap and require consistent
definition
Various Working Definitions for Mobile Financial
Services
  • Mobile Banking: Use of a mobile device to connect
    to a financial institution to conduct customer
    self-service (CSS) financial business, including
    but not limited to viewing account balances,
    transferring funds between accounts, paying bills
    or receiving account alerts.
  • Mobile Person-to-Person (P2P) Transfers: Mobile
    person-to-person/peer-to-peer payments and
    transfers (mobile P2P) offer the first
    income-generating step for financial institutions
    on the pathway to full mobile banking and
    payments. While still a niche product, demand is
    growing and one out of ten consumers currently
    states that he or she would likely use mobile P2P
    if the service were available. Source: Javelin
    Strategy & Research
  • Mobile Payments: Use of a mobile device to make a
    purchase or other payment-related transaction.
    Such payments can be initiated in the physical or
    virtual worlds, and can be conducted in a variety
    of ways including SMS/MMS, mobile Internet,
    downloaded application and contactless chip
    (e.g., NFC technology). Examples of mobile
    payments include ring tone downloads billed to
    the mobile phone bill, purchases/payments via the
    mobile Internet, tap-n-go purchases using a
    contactless chip embedded in the mobile device,
    and P2P transfers. Mobile payments may also
    include the use of many other novel methods under
    development. Source: NACHA
  • Mobile Commerce: "Any transaction, involving the
    transfer of ownership or rights to use goods and
    services, which is initiated and/or completed by
    using mobile access to computer-mediated networks
    with the help of an electronic device" (Tiwari
    and Buse, 2007, p. 33). M-commerce is extending
    e-commerce to a variety of mobile devices (e.g.,
    handheld devices such as cellular phones or
    personal digital assistants) for the purpose of
    buying and selling goods and services.
  • Mobile Financial Services: A broad term
    encompassing a variety of different types of
    services enabled via a mobile device. Edgar Dunn
    and Company has developed a classification system
    in which mobile financial services are broken
    down into 5 key categories: digital or online
    payment, remote payment (mCommerce-enabled
    websites), P2P payments, physical payments
    (customer and mobile device present) and mobile
    banking. Source: http://www.edgardunn.com/uploads/
    100030_english/100195.pdf

11
Definitional Scope Clarification for Phase Two
M-2 is designed to identify potential gaps and
risks in emerging financial applications
  • The definitions on page 11 cover three
    application areas (and two generic categories:
    commerce and financial services). Of the three
    (or more) applications, the project will focus on
    what's different about the mobile aspect of
    payment services, and what's missing in terms of
    infrastructure and a level of security/privacy
    that FIs can live with. In general, this means:
    • Mobile Banking: Operational issues that affect
      FI-provided mobile banking service will be
      examined with respect to infrastructure and
      security implications only
      • Example (in-scope): Wireless networks blocking
        SMS account alerts
      • Example (out-of-scope): Any attempts to use
        SMS/USSD for transactions other than
        actionable alerts
    • Mobile P2P: FI-provided accounts are used to
      load and unload these transaction flows, but FIs
      have no jurisdiction over the flows themselves
      within private computer networks and
      interactions
      • Example (in-scope): Security procedures for
        accessing accounts at both ends and storage of
        credentials
      • Example (out-of-scope): Requirements for secure
        hosting and transport of account values and
        related information within private networks
        and computing systems
    • Mobile Payments: Purchases of products and
      services via mobile devices over WAP-browser and
      client application configurations using
      FI-provided accounts are a key opportunity (and
      concern) and will be addressed in terms of both
      transaction and systemic risk
      • Example (in-scope): Likely threats and feasible
        options for addressing these threats, and
        emerging infrastructure models (such as NFC)
      • Example (out-of-scope): Specific security
        protocols or infrastructure mandates
  • Note: "out of scope" means not a primary focus.
    It does not mean that a subject will be
    completely ignored.

12
Definitional Scope Clarification for Phase Two
M-2 is designed to identify potential gaps and
risks in emerging financial applications
  • The definitions on the prior page are
    deliberately broad: they include in "mobile" all
    forms of activity which can be performed from
    devices which are not fixed in location,
    including
    • IVR and Customer Service Representative from a
      cell phone
    • Online internet banking from a portable computer
      or remote location/device (e.g., kiosks,
      libraries, etc.)
  • For FSTC M-2, the deliberations will aim at
    purely advanced wireless services
    • Where one of the primary functions of the user
      interface design is to act as a cellular
      telephone
      • Example (in-scope): Smart phones
      • Example (out-of-scope): Laptop computers, basic
        cell phones
    • Where the communication between the mobile
      device and the service involves an exchange of
      data beyond touchtone or speech recognition
      • Example (in-scope): Smart phone web banking,
        USSD2 services
      • Example (out-of-scope): IVR
  • M-2 will examine cross-border implications for
    MFS with U.S.-Canada as a test case
  • Note: "out of scope" means not a primary focus.
    It does not mean that a subject will be
    completely ignored.

13
Possible Phase Two Deliverables
While business models have substantial
ramifications for infrastructure and risk in the
emerging mobile environment, M-2's deliberations
and output will concentrate on the technology
options behind architecture and security.
Specific deliverables will be determined during
the project but may include:
  • Architecture Group
    • Identify needed infrastructure elements and
      dynamics
    • Map infrastructure flows for relevant business
      models
    • Provide supporting detail on technology options
  • Security Group
    • Application and enhancement of General
      Principles to security analysis
    • Identification of logical security use cases
    • Systemic risk analysis and plans of attack,
      possibly via use case summaries
  • Combined
    • Final report

14
Architecture Group: Points of Intersection
  • FI near-term involvement and gaps in operability
    and security
  • Differences from online and telephone
    banking/commerce
  • Exposure to transaction and/or systemic risk
  • Existing and prospective solution set with option
    parameters
15
Security Group
  • Foundations of security
    • Confidentiality (includes privacy)
    • Integrity
    • Availability
  • Implementation models
    • Custom application
    • Generic functionality
  • Levels of risk
    • Transactional
    • Systemic

Security controls need to effectively manage
risks, not seek to eliminate them
16
Security Group: Security Principles
  • Objective: Provide guidance to the industry on
    mobile payments matters to permit reasonable and
    appropriate security design tradeoffs
  • Phase I Security Principles subject areas
    • Authentication
    • Enrollment/registration
    • Transaction validation
    • Data protection (at rest and in transit)
    • Include analysis of aliasing

17
Security Group: Systemic Risk Areas
  • Systemic risk area analysis will focus on the
    differences between mobile and other payments and
    seek to understand the alternatives available to
    mitigate those risks
  • Preliminary identified risks include
    • High volume of dropped calls
    • High device churn (lost/stolen and general
      replacements)
    • Device cloning
    • Limited device control with high levels of
      storage
    • New dependencies on handsets and mobile
      operators
    • Active network operator services (e.g., roaming,
      spam filtering, proxies, device upgrades, etc.)
    • Third-party transaction monitoring/eavesdropping

18
Security Group: Systemic Risk Areas
  • Preliminary identified risk reduction
    opportunities
    • Richer information available
      • Device identification
      • Geolocation
    • Device security
      • SIM chip
      • NFC
    • Potential infrastructure services
      • Trusted Services Manager (TSM)
      • Lost/stolen/replaced device reporting
      • Remote device memory wiping

19
Project Deliverables: Understanding of Risks
An example of M-2 project deliverables will
include selective assessments of the underlying
risks at hand, with a framework that facilitates
FI choices on options
  • Two major risk areas
    • Transactional risk (the risk associated with an
      individual transaction)
    • Systemic risk (major risks which affect all
      users of a system)
  • Areas of Exploration in the Project
    • Evaluate major areas of operation to identify
      and document potential systemic risks to Mobile
      Payments
      • User enrollment/registration
      • Activation and use of mobile devices and
        applications
      • Traversal of carrier networks and third-party
        systems
      • Lost/stolen devices and device re-issue
      • Malware and other device weaknesses
      • Note: Cross-institution settlement risk is out
        of scope for M-2
    • Recognizing that a certain amount of fraud (1-2)
      is to be expected, evaluate potential standards
      at three levels of security
      • As is
      • Minimal security baselines
      • Upgraded security able to withstand sustained
        attacks
    • Attempt to develop a security framework to allow
      an orderly migration from the current security
      state to an appropriately secure cross-company
      end-state; the framework will form a basis for
      FIs to use in creating their own risk management
      profiles and policies.
      • Example: Account aliases vs. account shutdown
        and replacement
      • Example: Use of unique transaction IDs and/or
        cryptograms/digital signatures

20
Project Deliverables: Market Road-map
But the moving target of MFS must take into
consideration the rapid consolidation of the
wireless industry, and the ensuing transition to
a more open environment; examples of M-2
deliverables include broader technology and
business model trends, such as
  • The current state of the marketplace involves a
    wide variety of proprietary software and closed
    networks ("walled gardens"), but significant
    changes are anticipated in this environment as
    the market begins to mature and progress toward
    open operations (especially with Google's
    Android)
  • The project will seek to identify transitional
    needs (e.g., common browser capabilities) and
    platform enhancements (e.g., leveraging SIM
    chips) which will influence this transition;
    these can provide a blueprint to financial
    institutions on where to focus their efforts in
    achieving sustainable mobile payments
  • M-2 will also seek to handicap the prospects
    for mobile phones enabled with Near-field
    Communications (NFC): NFC chips are theoretically
    more powerful than SIM chips, can be owned and
    managed by banks (rather than carriers), and
    promise to provide a high degree of
    interoperability across many different security
    mechanisms and protocols; this project phase
    will assess the transitional market and security
    potential of NFC-enabled phones

21
Future Focus: Business Models and Policies
M-2's best practices and technology
recommendations will need a further drill-down in
subsequent phases, in which additional issues
will be deliberated upon
  • In M-3, an evaluation is planned for the
    transitioning of mobile payments infrastructure
    and models to identify key points of leverage
    where enhanced services or risk reduction can be
    achieved through services which cross mobile
    operators and financial institutions
    • Example: Can there be a single point of
      reporting for lost phones that would notify
      account-holding institutions as well as mobile
      network operators (while avoiding multiple
      customer service interactions)?
    • Example: Certification (and possible branding)
      for all components of the MFS value chain (i.e.,
      enrollment, device, application, carrier
      network, Internet interface, third-party hosts,
      and FI systems)
    • Example: Pros and cons of a uniform, monolithic
      enrollment and credential maintenance host for
      the mobile payments industry
  • In addition, M-3 will begin to address what's
    different about mobile capabilities for B2B
    interactions, as some FIs are already
    aggressively entering that market segment today
  • M-3 will drill down to very specific
    infrastructure and technology fixes that might be
    deemed necessary

22
Phase 3 Goals/Deliverables
Preliminarily, Phase 3 outcomes could cover a
workable set of participant desires and concerns
  • Desired mobile infrastructure end state:
    includes optimal technology infrastructure and
    options as business models proliferate and evolve
  • Provide details on implementation of best
    practices
  • Submit any generic standards recommendations to
    appropriate deliberative bodies
  • Document and communicate recommendations to the
    Financial Services Industry
  • Pilot/proof-of-concept monitoring and evaluation
  • Broader global compatibility ramifications
  • Implications for B2B services

23
FSTC Mobile Payment Technology Project
  • For information on how to become a member of the
    project team, email jim.pitts_at_fstc.org

Q&A