Steve Mott, BetterBuyDesign

1
FSTC Mobile Payments Technology Project
M-2 Kick-Off Meeting Wednesday 19 November 2008

• Steve Mott, BetterBuyDesign
• Frank Jaffe, PaymentsNation
• Jim Pitts, FSTC Payments Standing Committee
• Dan Schutzer, FSTC Executive Director

2
FSTC Mobile Project Goals Overall
Mobile Financial Services is a moving target
developing rapidly that represents substantial
commercial opportunities, but at yet-unknown
risks and complexities of operation. FSTC
established specific goals for conducting a
multi-phase project aimed at recommending best
practices for risk management and interoperability

• This multi-phase project is infrastructure-focused
  its aim is to identify best practices and
  recommend infrastructure components that enable
  building financial transactions applications that
  are
• User friendly and compelling
• Secure and private
• Resilient
• Efficient to operate and maintain
• Flexible enough to rapidly build new apps
• Capable of minimizing the need to build and
  support still another separate distribution
  processing silo
• A secondary goal is to reuse as much as possible
  globally accepted solutions and to work with such
  international standards bodies as ISO and W3C
  Mobile Web initiative, and GSMA

3
FSTC Mobile Project Phases
Phase Result/Objective

• Phase Zero Extensive discussions with The
  Clearing House (TCH) and other FI industry groups
  to sort out the best way to get a handle on FI
  requirements for participating in Mobile
  Financial Services (MFS)
• Phase One (M-1) Broad assessment of security,
  architecture and application capabilities and
  concerns inventory of market development and MFS
  efforts and standards from wireless industry
• Phase Two (M-2) Assumes minor roles needed for
  mobile banking, but significant role in defining
  suitable architecture and technology for mobile
  payments and transfers
• Phase Three (M-3) TBD, but likely to focus on
  specific infrastructure enhancements and
  practices business rule consistency and
  extensions beyond consumer market to B2B

• TCHs Strategic Payments Forum mobile commerce
  sub-group focused on deriving viable business
  models FSTC focused on interoperability and
  security requirements BITS working on risk
  management issues
• Inventory noted extensive development of best
  practices within wireless industry 21 use cases
  developed realization that focus should be on
  defining whats different and missingnot
  boiling the ocean
• Planned for immediate launch (11/08) with
  Architecture and Security working groups charged
  with identifying gaps in infrastructure, sources
  of transaction and systemic risk, and potential
  solutions and their ramifications
• Expected for mid-2009 with expanded involvement
  of wireless and banking industry organizations to
  support required changes in infrastructure and
  operating environment

4
Supporting Organizations
These projects are by their nature intended to be
collaborative and derivative

• Collaborating Industry Organizations
• ABA
• BITS
• Federal Reserve
• NACHA
• PaymentsNation
• The Clearing House
• SWIFT
• Additional Invitees
• GSM
• CTIA
• Mobey Forum
• NFC Forum
• Smart Card Alliance
• Global Platform
• W3C Mobile WG

4
5
Phase One Structure
M-1 broke into four work groups aimed at getting
a firm handle of the fast-moving target of mobile
financial services

• Four Work Groups / Volunteer Co-chairs
• Applications / Montresa McMillan (BBT), Reetika
  Grewal (ClairMail)
• Security / Jason Rouse (Cigital), Paul Smocer
  (BITS)
• Network-Handsets / Steve Mott (BetterBuyDesign,
  with support from the Boston Fed)
• Architecture / Tom Hissam (IBM), Tina Slankas
  (Wachovia)Project Management
• Project Management
• Janey Place, DigitalThinking
• Jim Pitts /Tim Kormos, FSTC

6
Phase One Deliverables

• M-1s focus on understanding the current mobile
  infrastructure resulted in a collection of useful
  outputs on where the marketplace is now, and
  where its going
• Network Handsets
• top carriers and mobile handset manufactures were
  reviewed and assessed against use cases
• broad review of wireless industry capabilities
• Applications
• 21 use case summaries were documented
• Mobile wallet, person-to-person payment, bill
  pay, POS, OTP, various combinations of network
  mode and payment network scenarios
• Security
• assessed the 21 mobile payment use case summaries
  developed by Applications Group
• general principles of mobile payments security
• Architecture
• assessment of barriers to interoperability
• high level patent review
• Regulatory issues were researched and documented
• Survey and technology profiling

7
Key Findings from Phase One
A number of important insights were gained from
M-1 that now share M-2s agenda

• Rapid evolution in handset capabilities is
  driving the accessibility and availability of
  data services
• Higher-margin data services for carriers will, in
  turn, increase the drive for mobile transactions
• Web 2.0 applications will tax 3G configurations
  further, pushing the industry toward 4G
• NFC has value beyond interface to POS devices,
  and could offer high levels of interoperable,
  chip-based security
• NFC security premises need to be scrutinized
• Mobile commerce is possible over a number of
  channel technologies which vary in terms of the
  security
• FI security concerns with handset provision and
  operation need to reflected and addressed in
  tandem with mobile channel technologies
• Initial priority on mobile web and SMS/text
  messaging delivery channels and application use
  cases is better placed on mobile payments
  primarily (and to a lesser extent on P2P)
• Initial payment type focus is best placed on
  Credit, ACH and ATM payment networks
• Carriers are prepared to open up their networks
  to payment and other data-based transactional
  services and work with FSTC (note open doesnt
  mean free)
• Carriers would prefer that banks manage the
  fiduciary risk in Mobile Financial Services
  (MFS), provided that in ensuing revenue models,
  each party is fairly compensated for the work and
  value they provide

8
Why the Rush to Do Phase Two?

• MasterCard has done nearly two dozen NFC pilots
  at POS, and has enabled a Trusted Service Manager
  (TSM) configuration for Over-the-Air (OTA)
  provisioning
• GSMA has a Pay Buy Mobile initiative that
  proposes fully configured payment options
  leveraging the POS contactless environment, but
  using SIM chips rather than waiting for NFC chips
• Visa has a pilot where the member bank owns and
  manages the SIM chip (instead of the carrier
  operator) to effect banking and payment
  applications
• Citibank customers can use Obopay to make P2P
  transfers worldwide where users can access value
  with MasterCards
• One of the top U.S. banks recently issued an RFP
  for a comprehensive payments platform
• Wells Fargo is implementing a growing number of
  mobile services for commercial customers small
  business demand is soaring

9
Phase Two Structure
M-2 is structured to make rapid progress mixing
comprehensive assessments with rifle-shot views
and recommendations for stakeholders to consider

• Two Work Groups
• Security
• Architecture
• Contracted Team Leaders
• Frank Jaffe (PaymentsNation), Security Team
• Steve Mott (BetterBuyDesign), Architecture Team
• Project Management
• Jim Pitts, Project Manager
• Tim Kormos, Associate Project Manager
• PMO
• Web Site

9
10
Experimentation in the marketplace is
proliferating under several different
formulations that overlap and require consistent
definition
Need for Refinement of FI Participation
Various Working Definitions for Mobile Financial
Services

• Mobile Banking Use of mobile device to connect
  to a financial institution to conduct customer
  self-service (CSS) financial business, including
  but not limited to, viewing account balances,
  transferring funds between accounts, paying bills
  or receiving account alerts.
• Mobile Person-to-Person (P2P) Transfers Mobile
  person-to-person/peer-to-peer payments and
  transfers (mobile P2P) offer the first
  income-generating step for financial institutions
  on the pathway to full mobile banking and
  payments. While still a niche product, demand is
  growing and one out of ten consumers currently
  states that he or she would likely use mobile P2P
  if the service were available. Source Javelin
  Strategy Research
• Mobile Payments Use of a mobile device to make a
  purchase or other payment-related transaction.
  Such payments can be initiated in the physical or
  virtual worlds, and can be conducted in a variety
  of ways including SMS/MMS, mobile Internet,
  downloaded application and contactless chip
  (e.g., NFC technology). Examples of mobile
  payments include ring tone downloads billed to
  the mobile phone bill, purchases/payments via the
  mobile Internet, tap-n-go purchases using a
  contactless chip embedded in the mobile device,
  and P2P transfers. Mobile payments may also
  include the use of many other novel methods under
  development. Source NACHA
• Mobile Commerce Any transaction, involving the
  transfer of ownership or rights to use goods and
  services, which is initiated and/or completed by
  using mobile access to computer-mediated networks
  with the help of an electronic device (Tiwari and
  Buse, 2007, p. 33). M-commerce is extending
  ecommerce to a variety of mobile devices (e.g.,
  handheld devices such as cellular phones or
  personal digital assistants) for the purpose of
  buying and selling of goods and services.
• Mobile Financial Services A broad term
  encompassing a variety of different types of
  services enabled via a mobile device. Edgar Dunn
  and Company has developed a classification system
  in which mobile financial services are broken
  down into 5 key categories digital or online
  payment, remote payment (mCommerce enabled
  websites), P2P payments, physical payments
  (customer and mobile device present) and mobile
  banking. Source http//www.edgardunn.com/uploads/
  100030_english/100195.pdf.

11
Definitional Scope Clarification for Phase Two
M-2 is designed to identify potential gaps and
risks in emerging financial applications

• The definitions on the page 11 cover three
  application areas (and two generic
  categoriescommerce and financial services)
  of the three (or more) applications, the project
  will focus on whats different about the mobile
  aspect of payment services, and whats missing in
  terms of infrastructure and a level of
  security/privacy that FIs can live with in
  general, this means
• Mobile Banking Operational issues that affect
  FI-provided mobile banking service will be
  examined with respect to infrastructure and
  security implications only
• Examplein-scope Wireless networks blocking SMS
  account alerts
• Exampleout -of-scope Any attempts to use
  SMS/USSD for transactions other than actionable
  alerts
• Mobile P2P FI-provided accounts are used to load
  and unload these transaction flows, but FIs have
  no jurisdiction over the flows themselves, within
  private computer networks and interactions
• Examplein-scope Security procedures for
  accessing accounts at both ends and storage of
  credentials
• Exampleout-of-scope Requirements for secure
  hosting and transport of account values and
  related information within private networks and
  computing systems
• Mobile Payments Purchases of products and
  service via mobile devices over WAP-browser and
  client application configurations using
  FI-provided accounts are a key opportunityand
  concernand will be addressed in terms of both
  transaction and systemic risk
• Examplein-scope Likely threats and feasible
  options for addressing these threats, and
  emerging infrastructure models (such as NFC)
• Exampleout-of-scope Specific security protocols
  or infrastructure mandates
• Note out of scope means not a primary focus.
  It does not mean that a subject will be
  completely ignored.

12
Definitional Scope Clarification for Phase Two
M-2 is designed to identify potential gaps and
risks in emerging financial applications

• The definitions on the prior page are
  deliberately broad they include in mobile all
  forms of activity which can be performed from
  devices which are not fixed in location,
  including
• IVR and Customer Service Representative from a
  cell phone
• Online internet banking from a portable computer
  or remote location/device (e.g., kiosks,
  libraries, etc.)
• For FSTC M-2, the deliberations will aim at
  purely advanced wireless services
• Where one of the primary functions of the user
  interface design is to act as a cellular
  telephone
• Examplein-scope Smart Phones
• Exampleout-of-scope Laptop computers, basic
  cell phones
• Where services are provided based on
  communication between the mobile device and the
  service involves an exchange of data beyond
  touchtone or speech recognition
• Examplein-scope Smart phone web banking, USSD2
  services
• Exampleout-of-scope IVR
• M-2 will examine cross-border implications for
  MFS with U.S.-Can as a test case
• Note out of scope means not a primary focus.
  It does not mean that a subject will be
  completely ignored.

13
Possible Phase Two Deliverables
While business models have substantial
ramifications for infrastructure and risk in the
emerging mobile environment, M-2s deliberations
and output will concentrate on the technology
options behind architecture and
security Specific deliverables will be
determined during the project but may include

• Architecture Group
• Identify needed infrastructure elements and
  dynamics
• Map infrastructure flows for relevant business
  models
• Providing supporting detail on technology options
  
• Security Group
• Application and enhancement of General Principles
  to security analysis
• Identification of logical security use cases
• Systemic risk analysis and plans of attack,
  possibly via use case summaries
• Combined
• Final report

14
Architecture GroupPoints of Intersection
FI near-term involvement and gaps in operability
and security
Differences from online and telephone banking
commerce
Exposure to transaction and/or systemic risk
Existing and prospective solution set with option
parameters
15
Security Group

• Foundations of security
• Confidentiality (includes privacy)
• Integrity
• Availability
• Implementation models
• Custom application
• Generic functionality
• Levels of risk
• Transactional
• Systemic

Security controls need to effectively manage
risks, not seek to eliminate them
16
Security Group Security Principles

• Objective Provide guidance to the industry on
  mobile payments matters to permit reasonable and
  appropriate security design tradeoffs
• Phase I Security Principles subject areas
• Authentication
• Enrollment/ registration
• Transaction validation
• Data protection (at rest and in transit)
• Include analysis of aliasing

17
Security Group Systemic Risk Areas

• Systemic risk area analysis will focus on the
  differences between mobile and other payments and
  seek to understand the alternatives available to
  mitigate those risks
• Preliminary identified risks include
• High volume of dropped calls
• High device churn (lost/stolen and general
  replacements)
• Device cloning
• Limited device control with high levels of
  storage
• New dependencies on handsets and mobile operators
• Active network operator services (i.e. roaming,
  spam filtering, proxys, device upgrades, etc.)
• Third party transaction monitoring/eavesdropping

18
Security Group Systemic Risk Areas

• Preliminary identified risk reduction
  opportunities
• Richer information available
• Device identification
• Geolocation
• Device security
• SIM Chip
• NFC
• Potential Infrastructure Services
• Trusted Services Manager (TSM)
• Lost/stolen/replaced device reporting
• Remote device memory wiping

19
Project Deliverables Understanding of Risks
An example of M-2 project deliverables will
include selective assessments of the underlying
risks at-hand with a framework that facilitates
FI choices on options

• Two major risk areas
• Transactional risk (the risk associated with an
  individual transaction)
• Systemic risk (major risks which affect all users
  of a system)
• Areas of Exploration in the Project
• Evaluate major areas of operation to identify and
  document potential systemic risks to Mobile
  Payments
• User enrollment/Registration
• Activation and use of mobile devices and
  applications
• Traversal of carrier networks and third party
  systems
• Lost/Stolen devices and device re-issue
• Malware and other device weaknesses
• Note Cross institution settlement risk is out of
  scope for M-2
• Recognizing that a certain amount of fraud ( 1
  2) is to be expected, evaluate potential
  standards at three levels of security
• As is
• Minimal security baselines
• Upgraded security able to withstand sustained
  attacks
• Attempt to develop a security framework to allow
  an orderly migration from the current security
  state to an appropriately secure cross-company
  end-state the framework will form a basis for
  FIs to use in creating their own risk management
  profiles and policies.
• Example Account aliases vs. account shutdown
  and replacement
• ExampleUse of unique transaction IDs and/or
  cryptograms/digital signatures

20
Project Deliverables Market Road-map
But the moving target of MFS must take into
consideration the rapid consolidation of the
wireless industry, and the ensuing transition to
a more open environment examples of M-2
deliverables include broader technology and
business model trends, such as

• The current state of the marketplace involves a
  wide variety of proprietary software and closed
  networks (walled gardens) but significant
  changes are anticipated in this environment as
  the market begins to mature and progress toward
  open operations (especially with Googles
  Android)
• The project will seek to identify transitional
  needs (e.g. common browser capabilities) and
  platform enhancements (e.g. leveraging SIM chips)
  which will influence this transition these can
  provide a blueprint to financial institutions on
  where to focus their efforts in achieving
  sustainable mobile payments
• M-2 will also seek to handicap the prospects
  for mobile phones enabled with Near-field
  Communications (NFC) NFC chips are theoretically
  more powerful than SIM chips, can be owned and
  managed by banks (rather than carriers), and
  promise to provide a high degree of
  interoperability across many different security
  mechanisms and protocols this project phases
  will assess the transitional market and security
  potential of NFC-enabled phones

21
Future Focus Business Models and Policies
M-2s best practices and technology
recommendations will need a further drill-down in
subsequent phases, in which additional issues
will be deliberated upon

• In M-3, an evaluation is planned for the
  transitioning of mobile payments infrastructure
  and models to identify key points of leverage
  where enhanced services or risk reduction can be
  achieved through services which cross mobile
  operators and financial institutions
• Example Can there be a single point of reporting
  for lost phones that would notify account holding
  institutions as well as mobile network operators
  (while avoiding multiple customer service
  interactions)
• Example Certification (and possible branding)
  for all components of the MFS value chain (i.e.,
  enrollment, device, application, carrier network,
  Internet interface, third-party hosts, and FI
  systems)
• Example Pros and cons of a uniform, monolithic
  enrollment and credential maintenance host for
  the mobile payments industry
• In addition, M-3 will begin to address whats
  different about mobile capabilities for B2B
  interactions, as some FIs are already
  aggressively entering that market segment today
• M-3 will drill down to very specific
  infrastructure and technology fixes that might be
  deemed necessary

22
Phase 3 Goals/Deliverables
Preliminarily, Phase-3 outcomes could cover a
workable set of participant desires and concerns

• Desired mobile infrastructure end state
  includes optimal technology infrastructure and
  options as business models proliferate and evolve
• Provide details on implementation of best
  practices
• Submit any generic standards recommendations to
  appropriate deliberative bodies
• Document and communicate recommendations to
  Financial Services Industry
• Pilot/proof-of-concept monitoring and evaluation
• Broader global compatibility ramifications
• Implications for B2B services

23
FSTC Mobile Payment Technology Project

• For information on how to become a member of the
  project team email jim.pitts_at_fstc.org

QA