Wednesday, July 30, 2014

I bought a Bitcoin and did not mine it! – My experience with CryptoCurrency or Digital currency!

Folks
This has been an interesting month in my journey into the land of mobile payments, where I got to learn about payment systems across the world, their limitations and strengths, and the many innovations attempting to disrupt the value chain and the systems engaged in the exchange of goods and services. Some of these disruptive forces attempt to provide value by lowering the cost of interchange; others claim to speed the flow of money and goods, thereby improving the economy. Many entrepreneurs draw a parallel to the impact of the Internet on the free flow of information and compare it to systems that attempt the same for the flow of capital, with no interchange fees. It has been a fascinating journey, with a lot more to learn and understand, and new business opportunities to devise from these disruptions. In this write-up I would like to focus on cryptocurrency, or digital currency, and my experience with Bitcoin.

What is Bitcoin:
Bitcoin is a digital currency created in 2009 by an unknown person or group using the alias Satoshi Nakamoto. Transactions are made with no financial intermediaries, they are pseudonymous rather than truly anonymous (see point 2), and transaction fees are small and optional (for now; see point 7). Here are a few well-understood and not so well understood characteristics of cryptocurrencies:

  1. Distributed public ledger – Essentially a huge peer-to-peer network, much like BitTorrent, in which every full node keeps a copy of the public ledger that records every movement and exchange of bitcoin (the digital units that represent the currency).
  2. Pseudonymous, not anonymous – No names are recorded; owners are identified only by bitcoin addresses such as 176ixDYhnaqqNcnobBHn3SW6rQuhJtdCyq. Every transaction to and from an address is public, however, so activity can be linked together once an address is tied to a person. This presents an advantage and several challenges, which I discuss in my opinion section.
  3. Elliptic Curve Digital Signature Algorithm (ECDSA) – Each address corresponds to a public/private key pair (ref. 4). Spending coins means signing a transaction with the private key, and every node verifies that signature against the public key before relaying it. There is no key exchange with a central party: keys are generated on the owner's device and the private key never leaves it, which is what preserves the integrity of ownership in the system.
  4. Transaction chain – Each transaction spends the outputs of earlier transactions and assigns them to new addresses, so the history of ownership is a chain of signed transactions, each identifying its owner by bitcoin address. This is how the system keeps track of how ownership changes hands.
  5. Block chain – The transaction chain says who owns what, but not in which order transactions happened. Blocks group transactions and fix their order, and that ordering is what prevents a user from spending the same bitcoin twice by exploiting network delay (the double spend). This is where the system gets complex: nodes in the network compete to find a block whose header hash falls below a difficulty target (proof of work), each block references the hash of the previous block, and nodes accept the longest valid chain. A transaction that conflicts with one already in the chain is rejected. The node that finds a valid block is rewarded with newly created bitcoin plus the fees of the transactions it included; this is called mining, and it is how bitcoins are created in the system.
  6. Bitcoin generation – Bitcoins enter the system only through mining. Mining's core purpose is to verify transactions and safeguard the block chain, addressing the two functions of ownership validation and double-spend prevention; the newly created coins are the reward for doing that work.
  7. Even bitcoin adheres to universal laws of economics – The balance of demand and supply that maintains system stability also applies to cryptocurrency systems. The supply is finite: about 21 million bitcoin can ever be created. As more enter the system, the block reward is cut in half every 210,000 blocks (roughly every four years), so each block earns miners half as many new coins as before. Eventually, when the finite supply is exhausted, mining will be rewarded with transaction fees alone, typically a small fraction of a bitcoin measured in its smallest unit, the "satoshi" (0.00000001 BTC), and it is an open question whether fees alone will keep the incentive to mine strong enough.
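The block chain, double-spend and subsidy mechanics in points 5 to 7 above, as an added example in Python; this is not code from the original post or from the Bitcoin project. It strips the protocol down to a single node's ledger: proof of work over a simplified block header, a set of unspent outputs that rejects a second spend of the same output, and the halving schedule that bounds total supply. Owner names, the difficulty setting and the transactions in demo() are constructed stand-ins; real Bitcoin verifies an ECDSA signature on each input, commits to transactions through a Merkle root and uses a far harder target.

```python
"""Added example, not code from the original post or from Bitcoin itself:
a toy ledger showing proof-of-work blocks, rejection of a double spend
against the unspent-output (UTXO) set, and the halving block subsidy."""
import hashlib
import json
from typing import Optional

SATOSHI = 100_000_000       # 1 BTC in satoshi; 1 satoshi = 0.00000001 BTC
HALVING_INTERVAL = 210_000  # blocks between subsidy halvings (about four years)


def block_subsidy(height: int) -> int:
    """New coins (satoshi) a miner may create at this height: 50 BTC, halved
    every 210,000 blocks with an integer shift, so it eventually rounds to 0."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:          # same guard as the reference client
        return 0
    return (50 * SATOSHI) >> halvings


def total_supply() -> int:
    """Every subsidy that will ever be paid: 20,999,999.9769 BTC, not 21M exactly."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


def sha256d(data: bytes) -> str:
    """Double SHA-256, used by Bitcoin for block headers and transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def txid(tx: dict) -> str:
    return sha256d(json.dumps(tx, sort_keys=True).encode())


class Ledger:
    """One node's copy of the ledger: the chain plus the UTXO set mapping
    (txid, output index) -> (owner, amount). Owners are plain strings here;
    Bitcoin uses addresses and an ECDSA signature per input instead."""

    def __init__(self, difficulty_bits: int = 12):
        self.target = 1 << (256 - difficulty_bits)   # header hash must be below this
        self.chain: list = []
        self.utxo: dict = {}

    def validate_tx(self, tx: dict) -> bool:
        """Every input must be an unspent output owned by the signer, and outputs
        must not exceed inputs. A second spend of the same output fails the
        'unspent' check: that is the double spend the block chain prevents."""
        seen, in_value = set(), 0
        for ref in tx["inputs"]:
            key = tuple(ref)
            if key in seen or key not in self.utxo:
                return False
            owner, amount = self.utxo[key]
            if owner != tx["signer"]:        # stand-in for verifying the signature
                return False
            seen.add(key)
            in_value += amount
        return in_value >= sum(amount for _, amount in tx["outputs"])

    def _apply_tx(self, tx: dict) -> None:
        for ref in tx["inputs"]:
            del self.utxo[tuple(ref)]
        tid = txid(tx)
        for index, (owner, amount) in enumerate(tx["outputs"]):
            self.utxo[(tid, index)] = (owner, amount)

    def mine_block(self, txs: list, miner: str) -> list:
        """Validate txs in order, add the coinbase paying the miner, then search
        for a nonce that puts the block hash under the target (proof of work).
        Returns the transactions that were rejected."""
        height = len(self.chain)
        # Height makes each coinbase unique so two blocks by one miner never
        # share a txid (a real issue Bitcoin fixed in BIP 30/34).
        coinbase = {"signer": None, "height": height, "inputs": [],
                    "outputs": [[miner, block_subsidy(height)]]}
        accepted, rejected = [coinbase], []
        for tx in txs:
            if self.validate_tx(tx):
                self._apply_tx(tx)   # apply now so a later conflicting tx is rejected
                accepted.append(tx)
            else:
                rejected.append(tx)
        self._apply_tx(coinbase)
        prev_hash = self.chain[-1]["hash"] if self.chain else "0" * 64
        body = json.dumps(accepted, sort_keys=True)   # Bitcoin commits to this via a Merkle root
        nonce = 0
        while True:
            block_hash = sha256d(f"{prev_hash}{body}{nonce}".encode())
            if int(block_hash, 16) < self.target:
                break
            nonce += 1
        self.chain.append({"height": height, "prev": prev_hash, "nonce": nonce,
                           "hash": block_hash, "txs": accepted})
        return rejected


def demo() -> dict:
    """Constructed flow: mine a block, then try to spend its coinbase output twice."""
    node = Ledger()
    node.mine_block([], "alice")
    coinbase_id = txid(node.chain[0]["txs"][0])
    pay_bob = {"signer": "alice", "inputs": [[coinbase_id, 0]],
               "outputs": [["bob", 30 * SATOSHI], ["alice", 20 * SATOSHI]]}
    pay_carol = {"signer": "alice", "inputs": [[coinbase_id, 0]],   # same output again
                 "outputs": [["carol", 50 * SATOSHI]]}
    rejected = node.mine_block([pay_bob, pay_carol], "alice")
    return {"blocks": len(node.chain), "rejected": len(rejected),
            "bob_balance": sum(a for o, a in node.utxo.values() if o == "bob")}


if __name__ == "__main__":
    print(demo())
    print(total_supply() / SATOSHI)
```

The integer right shift in block_subsidy is why the cap is slightly under 21 million: each halving discards the fractional satoshi, and summing the schedule gives 2,099,999,997,690,000 satoshi. Raising difficulty_bits makes the nonce search exponentially longer, which is the whole security argument: rewriting history means redoing that work faster than the rest of the network.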

Owning Bitcoins:
People can mine bitcoins, send and receive them, or buy them from marketplaces called "bitcoin exchanges", which allow people to buy or sell bitcoins for different national currencies. Popular exchanges at the time of writing include ANX, Moolah, BTC China, itBit and Bitstamp. Mt. Gox, once the largest, halted withdrawals and filed for bankruptcy protection in early 2014 after reporting the loss of customer bitcoins, a reminder that an exchange account is a counterparty risk, not a wallet you control. As described above, coins enter the system only through mining, which rewards the nodes that verify transactions and safeguard the block chain. The way bitcoin enters the system therefore excludes a large part of the population that has neither access to the technology nor an understanding of the complex system that governs it.

Transacting with Bitcoins:
Bitcoins are "stored" in a bitcoin or digital wallet, which can live on a personal computer, a phone or in the cloud. Strictly, the wallet stores private keys; the coins themselves exist only as entries in the public ledger, and whoever holds the key for an address controls its coins. The wallet acts as a kind of personal account ledger that lets users send and receive bitcoin and pay for goods and services. Unlike bank accounts, bitcoin wallets are not insured by the FDIC, simply because bitcoin is not a fiat currency backed by the full faith of a country's economy and government. When bitcoins are sent and received, the public ledger records the exchange, which implies that both buyer and seller need a bitcoin address and must be part of the bitcoin system.

Adoption Models by Banks, Retailers, Enterprise to accept Bitcoin:
While the popularity of bitcoin grows, many enterprises have stepped forward to claim acceptance of bitcoin as a viable currency in exchange for the goods and services they offer. Retailers that reference 7 lists as accepting bitcoin include Overstock.com, Amazon, Zynga, Sunway and CVS; note that such lists often mix direct acceptance with acceptance through a payment processor or gift-card intermediary, so a merchant's own terms are the authority. It is notable that use of bitcoin in online games is widespread. So what does it mean for an enterprise to accept bitcoins? At a minimum an enterprise needs the following:
  1. A basic understanding of the bitcoin ecosystem
  2. One or more bitcoin addresses, and secure custody of the private keys that control them
  3. A cryptocurrency exchange account, to convert received bitcoin into local currency
  4. Inclusion of bitcoin as a currency in the accounting systems, or a mapping in the front end that converts bitcoin into local currency at the time of sale
  5. Tax disclosures – disclosing exchange costs and total bitcoin held in local-currency equivalent, i.e. accounting and tax reporting modifications
  6. A process that keeps any single individual from controlling the company's bitcoin, to eliminate or minimize theft. Because a transfer is irreversible and the owner is identified only by a bitcoin address, the holder of a private key can walk away with the funds; separation of duties and multi-signature wallets (requiring, say, two of three keys to spend) are the usual controls.

Opinion and Conclusion:
My personal experience with Bitcoin has been interesting, and I have spent some time understanding the technology behind it, the complex mathematical system and the momentum behind it. I did buy a few; here I can claim anything and no one can verify it, and herein lies the problem. Our entire financial system relies on guarantees, measured risk in the form of credit, and traceability. This is important because the financial system that governs the exchange of financial instruments such as currencies, credit and cash needs a set of well-established rules that are well understood and not misused by the few who understand the system. Traceability of money transfers is also important to ensure that fraud, money laundering and tax evasion are detected and that money is not used for nefarious activities. Hence over time our financial system is constantly amended to prevent misuse; in other words, the system of money transfer is maturing. Maturity has its merits and advantages; after all, we have invested a lot more (over the years) in the current system that enables a seamless exchange of money for goods and services. Below are a few of my observations that make me a bitcoin skeptic:

  1. AML – Anti-money laundering (AML) is a term mainly used in the financial and legal industries to describe the legal controls that require financial institutions and other regulated entities to prevent, detect and report money-laundering activity (ref. 6). The bitcoin protocol has no such controls; in practice AML obligations attach at the exchanges where bitcoin is converted to and from fiat currency.
  2. Traceability – Though every bitcoin transaction is recorded in a public log, the names of buyers and sellers are never recorded, only their addresses. That keeps users' identities out of the ledger and lets them buy or sell anything without the transaction being tied to a name. The flip side is that the log is permanent and public: once any address is linked to a person, for example through an exchange that knows its customer, that person's transaction history can be reconstructed.
  3. Absence of economic inclusion – Due to the complexity of the bitcoin generation and distribution system, it is accessible only to the few with the knowledge, computing resources and economic means. As a currency, bitcoin fails to match the inclusiveness and simplicity of exchanging goods and services for an instrument such as cash.
  4. Limited scope of cybercurrency – At the outset there is a predetermined supply of bitcoins (21 million). If the currency goes mainstream, a fixed supply against growing demand puts deflationary pressure on prices, and the system will then face the same challenges of intermediation and interchange that it attempts to combat today. This also compounds the concerns over economic inclusion discussed above.
  5. Lack of governance – Fiat currency is backed by a country's government and economy (unlike the gold standard, which backed currency with collateral), and that backing comes with courts and regulators to resolve disputes. Bitcoin is still in its infancy and lacks that maturity; it has no governance body to resolve disputes or reverse an erroneous transfer. As a technical platform it is robust, but it is only a matter of time until someone gains enough processing power to control a majority of the mining capacity (a 51% attack) or other avenues to disrupt the block chain emerge. The lack of governance can cost not just individual bitcoin users but the entire bitcoin economy.
  6. Lack of safety and volatility – Bitcoin ownership is recorded in the public ledger against a bitcoin address, and control of that address rests entirely on its private key. The key can be stored on a hard drive, in the cloud or even on paper (as a QR code), optionally protected by a wallet password. A lost hard drive, a photographed or copied QR code, or a forgotten password means lost wealth, with no one to call. Separately, the exchange rate of bitcoin is highly volatile, which is problematic for large sums and for pricing transactions.

I am a bitcoin skeptic, but I believe that Bitcoin itself has a lot of potential, not as a currency but as a technology platform to be adopted within the current financial system to improve the speed and security of money transfer.

References:
  1. https://en.bitcoin.it/wiki/Introduction
  2. http://money.cnn.com/infographic/technology/what-is-bitcoin/
  3. https://en.bitcoin.it/wiki/Protocol_specification
  4. http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
  5. http://bitcoincharts.com/markets/
  6. http://www.finra.org/Industry/Issues/AML/#2
  7. http://www.bitcoinvalues.net/who-accepts-bitcoins-payment-companies-stores-take-bitcoins.html

Tuesday, July 29, 2014

Understanding Payment Tokenization - a Must for futures of Mobile Payments



Business Problem:
The long-standing PCI DSS (Payment Card Industry Data Security Standard) aims to address the security of accepting, handling, transmitting and ultimately storing cardholder data, because merchants with lax security practices expose that data to a high risk of theft. The obvious solution is to eliminate cardholder data handling and processing by the merchant. If merchants never see the real card number, the probability of that data being stolen outside secure channels drops drastically, and with it the risk of compromise and fraud. Additionally, PCI compliance and audit costs are exorbitant, on top of the security exposure of storing credit card information.

EMVCo Standard:
EMVCo, the consortium originally formed by Europay, MasterCard and Visa, published a new specification on payment tokenization in 2014. The idea is to provide a specification, built on proven technology, that minimizes fraud by reducing or eliminating the exposures that can compromise a financial transaction. EMVCo introduced it to standardize token solutions and, more importantly, to address fraud exposure (and financial loss) in existing and newly emerging payment systems. Below are the salient features of the Payment Tokenization specification:

a.     Token format – A payment token has the same format as a card number (a numeric value of the same length as the PAN that passes the Luhn check), so it can flow through existing merchant, acquirer and network systems unchanged.
b.     Token to initiate payments – This is the unique requirement that differentiates a payment token from traditional tokens used in the acquiring world, which merely masked stored card data for privacy and could not themselves be used to pay.
c.      Domain restrictions – A token is bound to a domain, for example a specific merchant, a payment channel (NFC, e-commerce) or a device, and is rejected when presented outside that domain. This is what limits the damage if a token is stolen.
d.     Token as a payment object – The PAN (Primary Account Number) is data shared only between the issuer and the end consumer. The rest of the ecosystem handles the payment object, which is the token. The token service provider is the entity that issues tokens and maps them back to the PAN, and domain-specific token service providers may emerge.
e.     Token assurance level – A suggested mechanism to associate risk with a token, reflecting how the cardholder was verified when the token was issued. Risk analysis based on the token issuer, the domain and the assurance level can then drive a higher cost or denial of a transaction.
f.      Token metadata – Additional data elements attached to the payment object that describe the domain, cryptography, payment network data and assurance level. The metadata can further be used for threat analysis and KYC (know your customer) applications.
g.     And more…

Each of these items has ramifications for the payment ecosystem, but needless to say they are designed to work with the current system, to ensure adoption and limit the cost of expensive upgrades to payment and POS systems.

Payment Tokenization Technology:
Tokenization in its simplest form means data substitution. The technique is used in many areas, including enterprise security systems, middleware services, and cloud applications and services. A token is a substitute for some meaningful data item; the idea is to protect the data and to devise a system in which a lost or stolen token does not compromise the data it stands for. This also paved the way for other qualities of service carried in token metadata, such as expiry time and access policies. The concept of a token has found wide application across many industries.
EMVCo Payment Tokenization takes into consideration emerging payment technology and mobile payments. The specification includes PAN privacy, elements of mobile payments, and use cases for both card-present and card-not-present transactions. The standard makes sense because it addresses the technology and privacy implications of Near Field Communication (NFC), Host Card Emulation (HCE), cloud-based secure elements and mobile wallet/mPOS systems.
The payment tokenization standard has the potential to move away from the two variables, card-present and card-not-present, towards several more creative ways to set the base rate for all types of omni-channel transactions, because the traditional risk model is replaced by a new one. Risk in the new model is expressed by the "token assurance level", which reflects how the token's authenticity was established, for example through validation with the token service provider or identification at issuance and at transaction processing time. Base rates could then follow the assurance level: a token with the lowest risk score would incur the lowest rate. This introduces the new roles of token service provider and token requestor, and those roles present new business and service monetization opportunities for new or existing ecosystem players.


Technology Components:
1.     Token and card data vault – Storage for PANs, tokens and the mapping between them, plus personalization data. It can be on the premises of the service provider, off-site or in a secured public cloud. Because this subsystem stores cardholder data it is squarely in PCI DSS scope and must be compliant; the stored PANs must be encrypted at rest and the keys tightly controlled.
2.     Tokenization provider: The service provider, often called the token service provider. It should implement its services with minimal impact on the merchant to encourage ubiquitous adoption. Below are a few services that can be expected from a token service provider.
a.     Data discovery – Assists with data inventory and assesses where sensitive data lives in the merchant's systems. This also helps determine the token assurance level that indicates risk.
b.     Data conversion – Accepts data from the merchant's legacy systems, such as card-on-file records and other PCI data, converts it to tokens and returns the tokenized data to the merchant for back-office applications. This is an important step in onboarding merchants and reduces their PCI compliance scope.
c.      Token composition – Composes tokens as prescribed by the EMVCo specification and provides them to the merchant for processing by the payment ecosystem.
d.     Token format – Formats the token so that it mimics a card number while observing the restrictions of the EMVCo specification: issued from a dedicated token BIN range so that it routes correctly and can never collide with a real card number, and passing the same checks (length, Luhn) as a PAN.
e.     Encryption – The token, its mapped PAN and any other PCI data held by the provider should be protected with strong encryption. The provider's encryption process should fit into the POS without significant modification.

3.     Token generation system – Generates the tokens, the values associated with and used to retrieve cardholder data. There are many standard and custom ways to generate tokens, from random assignment to a non-reversible cryptographic function, but regardless of the method the PAN must not be deducible from its token; the only way back is the mapping held in the vault.

4.     Token mapping system – The token service provider's subsystem for managing the token-to-PAN mapping. It lets authorized systems and personnel retrieve the stored PAN when it is needed, for example for authorization by the issuer or for dispute resolution, and every such lookup should be logged.

5.     Cryptographic key management – Involved at many levels to govern the generation, storage, rotation and use of cryptographic keys in a tokenization solution.


Business Opportunity:
Payment tokenization has already shown itself to be a highly effective data security tool, and with EMVCo and the payment ecosystem players behind the specification it is bound to gain momentum. Many business owners who process credit cards remain in the dark about how the process functions. That leaves a business opportunity to be exploited by existing payment ecosystem players or new entrants.




Thursday, July 3, 2014

Design Imperatives of Mobile Payment Solution


This paper discusses the high-level design imperatives of a mobile payment solution. Most retailers, banks and businesses should treat mobility not as mobile technology for its own sake but as a platform and vehicle for commerce and enterprise transformation, and mobile payment is no different. In this short paper I will attempt to discuss some of the design imperatives of a mobile payment solution. A mobile payment solution may address various industries such as retail (mCommerce), banking (mBanking) and telecommunications (mobile money), to name a few; regardless of the industry, the underlying design ought to focus primarily on a seamless, ephemeral and engaging transaction experience. Mobile payment products may include a diverse set of use cases, including (but not limited to) banking activity, money transfer, charity donations, coupons, loyalty currency, cross-border commerce and fund transfer, receipt management and shopping (and all related commerce activity). While each of these use cases presents deeper industry-specific design challenges, any mobile payment initiative should have a singular focus on "Secure Engagement".
   Secure Engagement implies that the technology should be mostly invisible, with a focus on consumer adoption and on scale for sustained growth and usage. The focus on consumer adoption may manifest in user interface design, better back-end integration with systems of record, optimized performance and the use of contextually relevant mobile services; security should be embedded in every aspect of that design. Security design considerations are particularly important for a mobile payment solution because trust is the single most important currency: it enables rapid adoption and protects and establishes a long-standing consumer relationship.
         Security by design implies that the product or solution has been designed to be secure from the start. A security design is not only aware of mobile-specific threats but also factors in controls around malware, location and user behaviour. It is also important that a secure design does not impede user engagement. While security is important, the user experience around engagement is paramount. Including robust security and a rich, engaging design in one mobile payment solution is a balancing act and a challenge.
         Focusing on the "Engagement" part of the "Secure Engagement" paradigm implies understanding the compelling reason to use a mobile payment solution, which is not simply "mobilizing" the current payment channels; the design should be deliberate. Many solutions provide "a payment" vehicle. Credit and bank cards are an obvious staple, and digitizing or automating that function certainly adds convenience, but it falls short of delivering the promise of an integrated digital payment experience. The same payment vehicle could include banking integration, reward point redemption and bank-based financial controls such as receipt management, bill pay and money transfer as inclusive features, integrating not just the payment function but other aspects of "life transactions". Such a solution would appeal to consumers and act as a strategic differentiator.
Mobile payments is an emerging space that no enterprise engaging in any mobile transaction, from retailers to governments, can ignore. Mobile payments promise an omni-channel experience that incorporates coupons and loyalty programs into the mobile experience; a mobile payment that is not integrated into a complete experience falls short of delivering a holistic digital experience. While the promise of mobile payments is immense, there are many considerations, challenges and possibilities that an enterprise should weigh. What makes mobile payments an interesting space is the emergence of new players on a daily basis. For instance, Facebook has announced its social payment (P2P and MMT patterns) ambitions; if Facebook succeeds it will not only lower the transaction cost of payments and transfers but will once again disrupt a landscape that is in a constant state of flux. The true challenge is to pick a sustainable platform or mobile payment strategy that is cost-effective and yet addresses the diversity of this evolving landscape.
                  With "Secure Engagement" as the singular focus, it makes sense to draw out the characteristics of the design imperatives and, for the sake of granularity, to split the concept into two distinct topics: Engagement and Security.

1. Engaging with Mobile Payments

a.    Enhancing customer engagement – Mobile enables a robust and unprecedented way to establish and strengthen the client relationship; it has changed the parameters of that relationship. This implies that an enterprise should use mobile payment as a channel to extend engagement from transaction to interaction. An enterprise mobile design should focus on this expanded channel with self-service capabilities, which empower customers, strengthen perception, reduce cost and pave the way to cross-sell and up-sell opportunities. Payment is the ultimate form of endorsement, and when consumers buy they can be better understood and marketed to. Hence a design that is inclusive of integrated "life transactions" can be a strategic tool, customized to every individual in every way: payment, coupons and loyalty currency, with integrated value in a single engagement channel.

b.    Shift in competitive dynamics – Many of today's client relationships and engagements come with a pre-built barrier: a system laden with intermediaries and a distribution chain between the service provider and the consumer. This lengthy value chain not only distances the customer but also increases the cost of transactions. An integrated mobile payment solution can not only disintermediate the value chain but also present an opportunity to gain deeper insights, design customized offers, reward loyalty and pass the cost savings of a shortened value chain on to the client. Without a well-designed engagement model an enterprise would have to rely on the existing value chain. A robust mobile payment strategy can shift the competitive dynamic by collapsing the value chain and delivering real value in real time.

c.    Considering "other" digital currency – When we discuss payments the natural conclusion is the transfer of money, be it consumer to business, business to business or person to person. A complete payment solution should also include management of "other" digital currency such as coupons, loyalty rewards, airline and hotel points, and most anything of value to the consumer. Other digital currency may also include cryptocurrency such as Bitcoin.

d.    Contextually relevant transactions – A contextually relevant transaction is personalized and context specific, be the context location, user, mood or even sentiment. The information (logic and decisions) consumed by mobile payments promises to deliver new levels of satisfaction and loyalty, and the insights obtained from such engagements are the very insights that drive this rich system of engagement. This type of service and experience lends itself to an enterprise's ability to "mass customize" mobile payment products.

e.    An ideal digital wallet? – The notion of a digital wallet is confusing. The market for digital wallets is fragmented and changing rapidly. Innovations such as Google Wallet, Square and PayPal, to name a few, have truly disrupted traditional payment schemes such as cash and bank cards. This led to a digital wallet frenzy in which every bank, and payment networks such as Visa and MasterCard, launched their own version of a digital or mobile wallet. So which is the ideal mobile/digital wallet? The answer happens to be in our own wallet. An ideal wallet should be:

a.    Customizable – like our own wallets
b.    Does more than pay (such as person to person, like cash, and has the ability to store other credit or cash instruments)
c.    Works anywhere (open frameworks and technology implied)
d.    Inclusive of rewards management – either links to the apps or drives reward management from the back-end systems
e.    Simple, secure and easy to use – simple and easy to encourage adoption, secure to institute trust

2. Security in Mobile Payments:

a.    On-device security – This area encompasses all security aspects of the device, including device, application and data protection. Several technologies can be employed, including the tools and APIs provided by the mobile OS. It is imperative that the application and solution design ensure that the application, its data and its connection to the enterprise, be it a merchant, an issuer or an acquirer bank, are secure. Other techniques include application containerization, application guard (anti-tampering) technology and so on.

b.    Securing interaction – Securing interaction implies secured mobile acceptance, which leads to higher confidence and trust. It may span multiple participants, including the mPOS or point of interaction and any other third party in the "interaction value chain". The PCI Council has published Point-to-Point Encryption (P2PE) solution guidance to ensure secure acceptance of mobile payments. Secured interaction may, on the surface, be about the device display and the communication channel, but it is really about maintaining data security throughout the payment lifecycle.

c.    Transaction security – Transaction security covers not only the mechanisms of a traditional secure transaction but also emerging technology such as NFC, BLE, iBeacon, HCE (host card emulation) and tokenization backed by a cloud-based secure element. The point of including tokenization in this design imperative is to reduce the scope of PCI DSS compliance by either not storing card information at all or limiting where and how it is stored. PCI DSS requires merchants to protect payment card information in any form, whether printed, processed, transmitted or stored. The transaction security consideration is primarily about reducing risk and, in turn, transaction cost: a design that employs a multi-pronged approach to mitigate fraud risk may increase the cost of the solution but reduces long-term transaction costs.


d.    Data security – Securing data is one of the most fundamental solution design requirements. Many masking algorithms can be employed for static data masking, i.e. allowing customers to mask data as it moves across systems in the payment network (showing only the first six and last four digits of a card number, for example). Transaction security and data security combined are the building blocks of securing the mobile payment engagement. This foundation would typically include the following components:

1. The tokenization/encryption algorithms – to create tokens and to encrypt the sensitive data they stand for
2. A vault – where not only the tokens but also the mapping between token and sensitive data is kept. This component must be PCI DSS compliant.
3. API/SDK – exposed as a service so that the solution can integrate with payment transaction processing
4. Auditing and reporting – for compliance and management
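The four data-security components above, and the token service provider components described in the payment tokenization post earlier on this page, as one added example in Python; it is not code from the original posts or from EMVCo. It issues a PAN-shaped, Luhn-valid token from a dedicated token BIN, keeps the token-to-PAN mapping in a vault, enforces the token's domain (merchant and channel) on every detokenization, masks PANs for back-office output and records an audit trail. The token BIN 999999, the merchant ids, the channel names and the 4111… test card number are constructed values; a production vault would encrypt the stored PAN and serve detokenization only through an authenticated API.

```python
"""Added example, not code from the original posts or from EMVCo: a toy
token service with PAN-shaped tokens, a vault, domain restrictions, PAN
masking and an audit log. All BINs, card numbers and ids are constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional


def luhn_check_digit(payload: str) -> str:
    """Digit that makes payload + digit pass the Luhn (mod 10) test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


def mask_pan(pan: str) -> str:
    """First six and last four, the most a receipt or report should ever show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenRecord:
    pan: str               # in production stored encrypted (PCI DSS requirement 3)
    merchant_id: str       # domain restriction: the token requestor allowed to use it
    channel: str           # domain restriction: e.g. "ecom", "nfc", "pos"
    assurance_level: int   # 0-99, how strongly the cardholder was verified at issuance


class TokenVault:
    """Token service provider: issues tokens and is the only party that can map
    a token back to its PAN, so the merchant never stores the PAN at all."""

    def __init__(self, token_bin: str = "999999"):
        self.token_bin = token_bin   # hypothetical token BIN; real ranges are allocated by the network
        self.records: dict = {}
        self.audit: list = []

    def _new_token(self, length: int) -> str:
        body_len = length - len(self.token_bin) - 1      # leave room for the check digit
        while True:
            payload = self.token_bin + "".join(str(secrets.randbelow(10)) for _ in range(body_len))
            token = payload + luhn_check_digit(payload)
            if token not in self.records:                 # never hand out the same token twice
                return token

    def tokenize(self, pan: str, merchant_id: str, channel: str, assurance_level: int) -> str:
        if not luhn_valid(pan) or pan.startswith(self.token_bin):
            raise ValueError("not a valid PAN")           # refuse garbage and refuse to re-tokenize a token
        token = self._new_token(len(pan))
        self.records[token] = TokenRecord(pan, merchant_id, channel, assurance_level)
        self.audit.append({"event": "tokenize", "token": token, "merchant": merchant_id,
                           "pan": mask_pan(pan)})         # never log the full PAN
        return token

    def detokenize(self, token: str, merchant_id: str, channel: str) -> Optional[str]:
        """Return the PAN only when the token is known and presented in its own
        domain; anything else is treated as a stolen or misrouted token."""
        rec = self.records.get(token)
        ok = rec is not None and rec.merchant_id == merchant_id and rec.channel == channel
        self.audit.append({"event": "detokenize", "token": token, "merchant": merchant_id,
                           "channel": channel, "result": "ok" if ok else "denied"})
        return rec.pan if ok else None

    def assurance(self, token: str) -> Optional[int]:
        rec = self.records.get(token)
        return rec.assurance_level if rec else None


def demo() -> dict:
    """Constructed flow: a card on file is tokenized for one e-commerce merchant,
    then the token is replayed by another merchant and over another channel."""
    vault = TokenVault()
    pan = "4111111111111111"      # well-known test number, not a real card
    token = vault.tokenize(pan, "merchant-42", "ecom", 60)
    return {
        "token_looks_like_pan": len(token) == len(pan) and luhn_valid(token),
        "own_domain": vault.detokenize(token, "merchant-42", "ecom") == pan,
        "other_merchant": vault.detokenize(token, "merchant-99", "ecom"),
        "other_channel": vault.detokenize(token, "merchant-42", "pos"),
        "masked": mask_pan(pan),
        "denied_events": sum(e.get("result") == "denied" for e in vault.audit),
    }


if __name__ == "__main__":
    print(demo())
```

Because the token is random rather than derived from the PAN, nothing about the card can be recovered from a leaked token; the domain check is what makes a token stolen from one merchant's database worthless at another merchant or in another channel, and the audit list is the record a PCI assessor or a dispute investigation would ask for.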

e.    Trust as a currency – Mobile payment in this discussion has been about money transfer, mCommerce, mBanking and generally transacting in things of value. Trust is one currency of tremendous value to any enterprise, whether retailer, bank, payment processor or anyone else involved in "secure engagement". Trust can be viewed as a virtual currency that is earned one interaction at a time. Trust as a design paradigm is central to mobile payment solution design because it is focused on safeguarding things of value, which leads to rapid consumer adoption.

Conclusion:
Mobile payments is an important avenue for any enterprise to consider, as its application and impact go well beyond "a payment" system. Mobile = engagement and payment = security, so I have described the design principle of any mobile payment solution as "Secure Engagement": in the absence of engagement it is nothing but an existing payment vehicle with a mobile front end, and in the absence of security it is not really a meaningful payment system.
         Secure Engagement implies that the technology should be mostly invisible, with a focus on consumer adoption and on scale for sustained growth and usage. Consumer adoption may manifest in user interface design, back-end integration with systems of record, optimized performance and contextually relevant mobile services; security should be embedded in every aspect of that design, because trust is the single most important currency, the one that enables rapid adoption and establishes a long-standing consumer relationship.



References:

4.    McKinsey Report: The Next Phase of  Consumer Mobile Payments