Observatory on epayment systems

1
Observatory on e-payment systems
e-Payment Systems Observatory (ePSO) Presentation
to 3rd Steering Group Meeting Brussels, October
10, 2001
ePSO team
2
Observatory on e-payment Systems
Innovation and Regulation - The Case of E-Money
Regulation in the EU Presentation to 3rd
Steering Group Meeting Brussels, 10 October 2001
PaySys
Paysys Consultancy GmbH Frankfurt
Malte Krueger (PaySys/ePSO)
3
Factors influencing innovation

• technology (affecting transactions costs)
• the market (demand, competition, prices, costs)
• the institutional framework (regulations)
• entrepreneurial activity

4
The spread of innovation
5
Money and credit
- payment services usually are not a
stand-alone product - money and credit are
closely linked - payment providers usually
perform many tasks - setting credit limits
- monitoring customers - choosing
customers - asset management - etc.
6
Role of technology and non-banks

• Main business of potential payment service
  providers
• bonus points/incentive schemes
• digital rights management
• electronic signatures/security
• payments for own services
• (single purpose payment instruments)

7
What is new about e-money?
- E-money is prepaid and not necessarily tied to
an account. - E-money makes anonymous electronic
payments possible. - Possible use of card-based
e-money in the real and in the virtual world.
- E-money was often introduced by non-banks. -
Software-based e-money can be sent through the
borderless internet.
8
Central features of existing e-money schemes

• E-money is mostly a product issued by banks.
• Software based e-money is basically
  non-existent.
• All schemes are account-based.
• Complete anonymity hardly ever possible.
• No P2P functionality or direct re-spending.
• No cross-border interoperability.

9
Some preliminary lessons
Payments are necessarily combined with
other financial services. Increasingly, payments
are combined with services that have
traditionally been provided by non-banks. Existing
e-money can be seen as an instrument for
anonymous (vis-à-vis the merchant), credit-risk
free offline payments.
10
The implementation of the EMI-Directive

• National regulators seek to preserve existing
  regulatory
• structures.
• National regulators may come up with their own
  definitions
• of e-money.
• Some countries plan to implement very
  restrictive waiver
• conditions or no waiver at all.
• To most regulators (except in Germany) the
  e-loyalty topic is new.
• The implementation of the Directive may lead to
  stricter
• regulation of multi-merchant e-loyalty schemes.
• Regulators still see little or no interest by
  non-banks to become
• an EMI.

11
Apathy towards e-money issuance
Regulation based on the final EMI-Directive may
still be a high hurdle for non-banks because
there is no big difference between an EMI and a
traditional bank. E-money issued by traditional
banks is still flopping in the market (still no
break-through for card-based schemes failures
of software-based schemes). There simply is no
business-case for card-based e-money. The
traditional e-money concept (monetary value
stored on an electronic device) no longer is an
appropriate concept as future means of payment
in e-commerce.
12
Innovation and regulation

• Companies from outside the financial sector may
  be crucial
• for innovation in payments.
• For smaller companies regulation may be a
  hurdle. Indeed, the
• simple fact that a license is required may
  already be a hurdle.
• Restrictions on investments must be seen as a
  strong
• disadvantage vis-à-vis competitors from the
  banking sector.
• No legal certainty exists because the definition
  of e-money is
• difficult to interpret.
• The argument that non-banks can always team up
  with a
• bank to issue e-money is tricky.
• Large players are more likely to buy (or
  imitate) new solutions
• if these have been tested in the market. Thus,
  small players
• must be able to test new systems.

13
Possible measures

• Liberal exemption of pilots from licensing
• requirements.
• Inclusion of limited-purpose schemes under
• the waiver.
• Clarification of the definition of e-money.
• No redeemability requirements.

14
Issues for further discussion

• What is known about the current implementation
  process in member countries?
• What types of electronic payment schemes are
  covered by the EMI Directive?
• Should future regulation include other types of
  electronic payment schemes (currently not covered
  by the Directive)?
• Discussion of the four measures proposed above.

15
Observatory on e-payment systems
Securing Internet Payments The Potential of
Public Key Cryptography, Public Key
Infrastructure and Digital Signatures
3rd ePSO Steering Group Meeting, Brussels 10 Oct
2001
Clara Centeno
16
Outline
1. Background 2. Securing Internet
Payments 3. Potential of PKC, PKI and DS for
I-payments 4. Actual use of PKC, PKI and DS 5.
Implementation barriers encountered 6.
Discussion Concerns identified related to the
use of PKI for authentication and non-repudiation
in Internet Payments
17
1. Background
WEB servers browsers
GOVERNMENTS
SSL
e-government
SET
Legal framework
EC DIRECTIVE ON DIG SIG
I-banking
PKI for DS
BANKS
EESSI
USE OF PKC / PKI / DS
Smart cards for DS
EMV Smart Cards
MOBILE PHONES
eEurope Smart Cards
Smart cards as access key
chip reader
ENABLING INFRASTRUCTURE
?
SECURE ENVIRONMENT FOR E-COMMERCE
18
2. Securing Internet Payments
Internet communication networks are insecure and
security breaches continue to increase1
Consumers and merchants face risks 1.1 of
credit card transactions are fraudulent,
merchants are liable for 902

• Security requirements
• Confidentiality and
• integrity of data
• Mutual authentication
• Non-repudiation
• Limited or no liability
• 1Computer Security Institute 2001 2CommerceNet
  May 2001

• Other requirements
• Consumer trust building
• Secure design
• User friendliness
• Costs
• Interoperability

19
3. Potential of PKC / PKI / DS

• PKI could fulfil security requirements of
• data confidentiality and integrity
• cardholder / merchant mutual authentication
• non-repudiation
• DS could replace current use of hand-written
  signatures (direct debit, credit transfer, credit
  cards)
• Legally recognized DS could be used for
  I-payment authentication and non-repudiation
• ? potential synergies with other sectors

20
4. Current use of PKC / PKI / DS

• Service Status Comments
• SSL credit card 921 No authentication, no
  non-repud.
• SET credit / debit card Pilot(97) Lack of
  massive adoption
• Alternative solutions Virtual card,
  Pseudo/Random number
• 3D-SET, 3D-SSL, Verified by VISA
• Maestro, MasterCard UCAFSPA
• authen. techniques CVC2/CVV2, address
  validation
• PIN, password other
• Payment Service Providers Pilot/start Cartio,
  Jalda, MoverCard
• Alternatives PIN, password
• Mobile Payments Pilot EMPS, Mobitrust,
  RadioLinja
• Alternatives PIN
• B2C Internet banking Starting Irl Ulster, Fin
  Oko , Ger Spark-Fin
• Insurance Starting Fin Sampo-Fennia
• Mobile banking Starting PostBank
• G2C e-government Starting FINEID (Dec 99)

PAYMENTS
OTHER
1 Gartner 2001 estimates 93 of internet payments
are with credit cards SSL use estimated to 99
21
4. Current use of PKC / PKI / DS (contd)

• PKC broadly used (SSL) for data confidentiality
  and integrity
• PKI still in its infancy for authentication and
  non-repudiation in B2C and G2C sectors
• Alternative authentication and non-repudiation
  techniques gaining ground
• However, emerging use of PKI for
• i-payment by (non-banking) Payment Service
  Providers
• mobile payments
• on-line and mobile B2C financial insurance
  services
• e-government services

22
5. Implementation barriers

• Common barriers
• Lack of consumer incentives vs. costs effort
• Complexity and cost of solutions
• Technical interoperability across vendors
• Specific barriers in e-government
• Lack of standards
• Technical interoperability across CAs
• Legal and procedural aspects to build mutual
  trust recognition across CAs and across countries

23
6.1 Discussion Concerns

• PKI and DS may not be the adequate solution for
  authentication and non-repudiation
• Challenges or, may be too early?
• - Cost - Lack of smart card base
• - Competing solutions - Lack of smart card
  readers
• - Legal, procedural and - Lack of legal
  framework
• technical interoperability and solutions for
  DS
• - Current business model

24
6.2 Discussion Concerns

• In spite of the potential synergies, banks and
  governments may not co-operate more in the
  definition and implementation of PKI and DS
• Challenges Potential synergies
• - Different case (benefits, - e-gov payment
  services
• legal vs. contract DS, - Role of governments
  in
• requirements) infrastructure deployment
• - Decision process - Development of PKI market
• - Data protection risks - Leverage banks
  capabilities
• - Need multiple digital IDs - Accelerate consumer
• - Co-operation model adoption

25
6.3 Discussion Concerns

• Lack of consumer adoption could remain a major
  barrier
• Lack of incentives vs. impact
• - Lack of technical competency and
  understanding
• - Cumbersome procedures
• - Legal consequences may not be acceptable
• - Costs
• Feasibility of non-repudiation
• - Preservation of distance selling consumer
  rights
• - Need for digital evidence supporting tools
• - Difficulties to ensure the right person
  signed
• (server wallets, security breaches, consumer
  awareness,
• consumer errors)

26
Observatory on e-payment systems
Building Trust Security in Internet
Payments The potential of soft measures -
Preparing Background Paper -
3rd ePSO Steering Group Meeting, Brussels 10 Oct
2001
Clara Centeno
27
Outline
1. Background 2. Topics to be analyzed 3.
Validation of approach
28
1. Background

• The Strategic and Technical Issues identified
  in BP1 include consumer protection, risk
  perception and understanding fraud
• Trust is a psychological factor and building
  trust requires many ingredients
• Security is a process, not a product (B.
  Schneider), requiring human intervention
• Role of the paper
• Analyze the potential role of soft measures as
  tools for building trust and security

29
2. Topics to be analyzed

• 1. Fraud risk analysis in current I-payment
  solutions
• Current fraud
• Consumer liabilities and risks
• Consumers risk perception
• 2. Building security
• The role of hard (technology based) measures
• The role of soft (human processes) measures
• Responsibilities in building security

30
2. Topics to be analyzed (contd)

• 3. Building consumer trust
• Role of psychological factors
• Data privacy and data protection
• Liabilities
• Merchant trust marks and codes of conduct
• Dispute resolution systems
• Intermediary organizations
• 4. Questions (to be defined)

31
Observatory on e-payment systems
ePayment Systems Observatory (ePSO) Brief
Outline of Analysis of Inventory Salient
Data at 3rd Steering Group Meeting Brussels,
October 10, 2001
ePSO-team
32
Outline
1. What the database covers (criteria) 2. What
ePSO wants to find out (topics) 3. First
Findings 4. Discussion
33
What the database covers

• Systems that
• can be used for B2C and/or P2P payments on
  Internet,
• have at least one merchant,
• are present in Europe,
• are visible to the consumer.

34
What the database covers 73 systems

• Bank access products used DIRECTLY 35
• Virtual wallet/account 16
• Prepaid e-purses 16 prepaid dedicated
  accounts 11
• Money surrogates 10
• Mobile 16

35
What ePSO wants to find out
1. Cooperation vs. competition 2. State of
development 3. Trends in mobile
payments 4. Trends of specific payment methods,
eg e-money, micro payment, virtual wallets,
loyalty schemes, access products 5.
Cross-border capability 6. Security measures
7. Consumer aspects (costs, convenience...)
36
First findings Cooperation vs. competition
37
First findings M-payments
38
Observatory on e-payment systems
e-Payment Systems Observatory (ePSO) Brief
Presentation of project Status to 3rd Steering
Group Meeting Brussels, October 10, 2001
Ioannis MaghirosePSO project leader
39
ePSO Concept
40
ePSO project Status

• ePSO-Forum Active since Feb.01 (550
  subscribers)
• ePSO-Newsletter Issue N10 will be soon
  distributed
• Background Papers (draft final)
• m-payment systems, I-payment systems, Payment
  Culture matters
• Innovation Regulation, Security in Internet
  payments,
• Steering Group Calendar
• 10/10/01 SG3, analysis of remaining background
  papers
• SG4 options related to its possible content
  (coincides)
• ePSO Conference February 2002 consensus
  conference
• ePSO web site and e-discussion Forum Statistics

41
ePSO-Forum statistics (1)
42
ePSO-Forum statistics (2)
43
ePSO Newsletter

• Issue Number Focus Subject
• Jul.00, N01 Mobile phone payment systems I
• Oct.00, N02 Mobile phone payment systems II
• Nov.00, N03 E-purses
• Jan.01, N04 Interchange Fees
• Feb.01, N05 Internet Payment Systems I
• Mar.01, N06 Internet Payment Systems II
• May.01, N07 EMI-Directive
• Jul.01, N08 Security in Internet Payments
• Sep.01, N09 Security and the Consumer
• ePSO-N issue N10 October 2001 (to be distributed)
• - Focus area Security in the Online Environment
  -

44
ePSO team Background Papers
BP Number and Title ( Status ) BP1 Electronic
Payments systems - Strategic and Technical Issues
(T SG F) BP2 The Future of M-payments - Business
Options and Policy Issues (T SG F) BP3 The
Potential of Server-based Internet Payment
Systems (T SG F) BP4 Payment-Culture Matters - a
comparative EU-US perspective on Internet
payments (T SG F) BP5 Innovation Regulation -
the case of e-money regulation in the EU (T
SG) BP6 Securing Internet payments - the
Potential of Public Key Cryptography, Public Key
Infrastructure and Digital Signatures (T SG) BP7
Building Trust Security in I- Payments - the
potential of soft measures BP8 Integrating
e-Payments into the whole e-Commerce Transaction
Process
45
ePSO Web Site statistics (1)
46
ePSO Web Site statistics (2)
47
ePSO Web Site statistics (3)
48
Steering Group Calendar

• ePSO Deliverables
• Background papers (8), Newsletter reference
  archive (2), Conference Proceedings, Observatory
  Sustainable Future Study, ePSO Final Report
• Inventory Analysis, IPTS Report Special Issue on
  e-payments
• Steering Group Calendar
• SG3, discussion on background papers 5, 6 ePSO
  status
• SG4 (before 23/1, together 18 or 20/2 or after
  Conference 9/4)
• to discuss deliverables
• wrap up project
• argue future plans
• ePSO Conference 19 February 2002

49
ePSO Final Conference (1)

• Title
• Retail Payments for (1) The Online World (2)
  e-Commerce Report
• Online Consumer Payments in/for (1) electronic
  (2) Information Europe
• Future Policy Challenges ( for Europe )

• Organisation
• Call for Speakers (open or restricted), session
  plenary rapporteurs
• Round-table participants, question to debate

• Content
• Innovation and Regulation, Standards
  Interoperability, Security Infrastructure
  (Technology is present in all three sessions)
• Industry Guest Digital Markets, Digital Goods
  Round Table Debate

• Participants (market actors, for free, by
  invitation only)

50
ePSO Final Conference (2)

• Proposed Speakers ( draft preliminary )
• Need for 15 speakers 1 moderator, 4-5 round
  table debate personalities as well as 3-4
  rapporteurs
• for example
• Interesting market players, Active ePSO-F
  supporters, Others (emphasis on
  consumer/standards needs for debate, Public
  sector), Consultants (probably not as session
  speakers)

Please help by indicating by 10/11 possible
speakers and themes by advertising the
conference event to the public