Your SlideShare is downloading. ×
Boosting and securing online shopping - making PIN on phone a reality
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Boosting and securing online shopping - making PIN on phone a reality


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. This document is offered compliments of BSP Media Group. All rights reserved.
  • 2. Boosting and securing online shopping - making PIN on phone a reality Africa Com 2013
  • 3. Oltio is a joint venture between the Standard Bank and MTN Groups – formally called MTN Mobile Money Bank • Largest banking group in Africa • Operates in 42 countries worldwide • Significant card issuer and acquirer • Largest Mobile Network Operator in Africa and Middle East • 21 countries • >200m subscribers “Oltio – the secure mobile commerce company” 2
  • 4. Oltio was a GSM-A Global Mobile awards finalist in 2012 with payD and MasterCard Mobile 3
  • 5. What is a mobile payment? What is online shopping? 4
  • 6. payD basics • • • • • • • • • • payD uses the handset as a “personal PIN entry device”; customers enter their ATM/POS PIN into their own phone when making a purchase. payD works across multiple channels – phone, web, POS, kiosk, App etc payD WIG uses SIM and handset based security to do the encryption of the PIN where the network has keys loaded to its SIMs. ORAGS App makes use of a 3DES DUKPT like security protocol for feature and smart phones where the SIM keys cannot be accessed. System constructs and submits to the acquirer an ISO 8583 transaction for debit and credit cards. The transaction is a CNP (card not present) with PIN. The normal four party card acquiring processes apply. In SA liability is shifted to issuer in a similar manner to 3D secure. payD has been live in SA for 4 years MasterCard approved and branded, Visa supported via marketing - in SA 5
  • 7. Case study: South Africa: good debit card with PIN penetration – POS and online usage poor due to limited debit card acceptance $10,000 • High levels of debit card penetration • PIN required due to single message ATM genesis • High GDP per capita - good retail potential • >120% mobile phone penetration • Airtime top-up via cash not card South Africa GDP per capita PPP $8,000 $6,000 $4,000 $2,000 GDP per Capita and Financial Penetration Indonesia Kenya Uganda 20% 40% 60% 80% 100% Financial Penetration 6
  • 8. The m and e-commerce challenge in South Africa Total retail sales in South Africa Online retail sales in South Africa: 0,36% 7
  • 9. The m and e-payments challenge in South Africa All payment types accepted Debit Cards with PIN code didn’t work in m and ecommerce 8
  • 10. There are an estimated 750 000 spaza shops in South Africa – with almost no POS acceptance •POS cost too high for merchants •Not viable to acquirers •VAS services key • • Less than 200 000 POS merchants in SA mostly in formal retail sectors Cost of POS high to merchant – R750pm min if turnover under R20 000 pm 9
  • 11. Flea markets and other informal merchants pose similar challenges New game: spot the POS 10
  • 12. The lack of electronic acceptance is impacting business growth – suppliers wont accept cash – not just an SA issue •Bulk distributors will not accept cash •Lack of electronic acceptance limits float to pay 11
  • 13. Using a phone as the merchant device is a logical leap but does have limitations in emerging markets •mPOS requires certification, distribution logistics and specific phones 12
  • 14. Card payment – traditional four party model needs to be retained…. Request Response A ACQUIRER Card is presented at terminal Tx details captured on POS and sent to acquirer Acquirer attempts authorisation from Issuer Request Response I ISSUER Response sent back to acquirer and to POS 13
  • 15. So…..which way? Converge carefully…. •Mobile Phones are pervasive and key to expanding payments •Phones need to be secure for PIN entry 14
  • 16. payD uses the phone‘s SIM to encrypt the PIN •SIM has encrypt and decrypt functionality •ISO PIN block can be created 15
  • 17. payD uses WIG security embedded into a mobile network operator's system Derived keys loaded onto the SIM card at the point of Manufacture WIG Gateway PIN-block returned HSM SIM Card containing a WIB browser That allows encryption of Data using the keys WIG Push for PIN Customer Enters PIN on Receipt of request Re-encrypted with Application Keys HSM Transaction Application Server System is protected by patents and licensed to operators 16
  • 18. …allowing the phone to become a Personal Key Entry Device - restricted to the identified cardholder = Personal Key Entry Device •Not for general PIN entry use by merchant •Locked to identified cardholder •Phone number is proxy for card number •No device certification required 17
  • 19. …..SIM and PIN = Chip and PIN Card PIN SIM 18
  • 20. payD replaces the card and POS A Request Response I Request Response ACQUIRER ISSUER Enabling Mobile Card Based Transaction - Card-Not-Present + PIN Secure encryption engine to capture and process ATM/POS PIN Auth Engine Customer’s card number linked to mobile number Request payD builds and sends formatted auth request to bank A Card Nr Mobile Nr I Response Response Database Request ACQUIRER ISSUER Mobile Phone number is used to identify cardholder 19
  • 21. payD is secure and PCI compliant •payD is PCI DSS level 1 compliant •PCI Compliance is not required by merchant/PSP in payD transaction as card details are captured into the customers phone •payD is a “cloud” POS •Reduces merchant risk and cost 20
  • 22. Authenticated Mobile Transaction (AMT) is a PASA approved Card PCH rule in South Africa • Card PCH specified and approved • PIN is captured into phone in secure manner • AMT rule is similar to 3D Secure and V-by-V • Liability shifts to issuer • Issuer opt-in required • Applies to all card types • payD conforms to AMT • Licensed in South Africa to IPSEP 2 1
  • 23. payD is supported by both MasterCard and Visa •MasterCard Mobile Remote Payment (MMRP) certified •Supported by Visa •Issuer opt–in required 22
  • 24. MTN uses payD to sell airtime directly to customers - via MTN Eazi Recharge – customers dial a USSD shortcode and enter the PIN in a WIG session *141*10# •Customers do on average 8 transactions pm • Debit card purchase as opposed to cash withdrawal •350 000 registered users 23
  • 25. As do Vodacom for their Express Recharge offering … *130*082# 24
  • 26. payD also enables e-commerce purchases for PIN-based cards 25
  • 27. payD WIG is a complex system and needs all elements to be in place to work - this isn't always the case outside of South Africa Key learning's from payD WIG • MNO dependence - requires MNO technical support – correct SIM, SIM keys and WIG to be in place • App is in – customers demand a richer experience – use of USSD declining and WIG/S@T has not proven successful to MNO’s 26
  • 28. ORAGS App – works on all networks, with 3DES DUKPT like security protocol - called ORAGS 1. Customer downloads App 2. Phone sends SMS to identify itself 3. Subset of keys sent to phone 4. Creates one off session Feature and smart phones PIN-block returned encrypted under secure protocol – one off use only 27
  • 29. ORAGS works across multiple channels vPos Physical POS App to App Low cost POS with no extra hardware required Can be used on current technology (no EMV compliance required). mCommerce Ticketing Cinema Airtime WEB eCommerce Simple API and simulator for merchant integration Static Parking Ticketing Retail F2F Code Entry Call Centre Outbound Sales Insurance In most instances App or USSD WIG can be used Kiosk Bill Payment 28
  • 30. Face-to-face provides the biggest opportunity for payment acceptance expansion and cash reduction 29
  • 31. Face-to-face using a phone App - no extra hardware is required - low level phones can be used 30
  • 32. POS – non-EMV for example – here using USSD 31
  • 33. App to App allows the monetisation of Apps 32
  • 34. Payment on web via App 33
  • 35. Bill payments 34
  • 36. Tickets at a kiosk 35
  • 37. Payment using printed code via USSD and WIG 36
  • 38. Chargeback experience; well known SA ex- low cost airline • Largest low cost airline in SA – over 200 000 passengers per month • Linked to payD to allow debit cards to grow potential customer base Sample year; commencing July 2011: • 8900 tickets sold with sales values of R11m via payD • No confirmed charge backs via payD noted • 20% of usage was credit card and PIN • 3D not user friendly to mobile 37
  • 39. Stakeholder Benefits summary Stakeholder Card Issuer Card Acquiring Benefit  Provides additional value added services to cardholders by allowing mobile remote authentication  Increased PV on transactions through expansion of acceptance channels that except remote authentication  Enablement of debit cards for mobile authentication on cards that do not allow card not present transactions.  Expand acceptance network to include remote authentication solutions. Enjoy increased merchant fees from expanded estate.  Enable new card based payment channels, e.g. B2B mobile payments. Cardholder   Merchant   Card company         Convenience of using mobile phone to pay in remote authentication situations e.g. travel bookings No need to share card information with any merchant or payment gateway that reduces hacking of data Accept card based transactions in previously unsupported environments, e.g. debit e-commerce transactions. Cost savings through direct distribution capability of virtual services e.g. airtime. (In this scenario the mobile network operator becomes the merchant.) Enjoys liability shift rules similar to VbyV/3D – no need to be PCI Compliant Increased security of cardholder information. No card data is shared with a merchant when a transaction is processed. Out of band authentication ensures separation of card sensitive data. Data compromises do not enable fraudsters to replicate transactions or cloning cards. Remote authentication capability increases PV for issuers. Remote authentication capability can extend acceptance infrastructure within a market. Enables the mobile phone as an authentication device. Provides a direct communications interface to the cardholder. Promotions and offers can be better articulated and promoted. Increased security through GIS enablement of transaction info. All transactions carry a location 38 signature.
  • 40. The Future is - CNP plus PIN 39
  • 41. Show video 4 0