
Boosting and securing online shopping - making PIN on phone a reality



  1. This document is offered compliments of BSP Media Group. All rights reserved.
  2. Boosting and securing online shopping - making PIN on phone a reality. Africa Com 2013
  3. Oltio is a joint venture between the Standard Bank and MTN Groups – formerly called MTN Mobile Money Bank. “Oltio – the secure mobile commerce company”
     Standard Bank:
     • Largest banking group in Africa
     • Operates in 42 countries worldwide
     • Significant card issuer and acquirer
     MTN:
     • Largest Mobile Network Operator in Africa and Middle East
     • 21 countries
     • >200m subscribers
  4. Oltio was a GSMA Global Mobile Awards finalist in 2012 with payD and MasterCard Mobile
  5. What is a mobile payment? What is online shopping?
  6. payD basics
     • payD uses the handset as a “personal PIN entry device”; customers enter their ATM/POS PIN into their own phone when making a purchase.
     • payD works across multiple channels – phone, web, POS, kiosk, App etc.
     • payD WIG uses SIM and handset based security to do the encryption of the PIN where the network has keys loaded to its SIMs.
     • ORAGS App makes use of a 3DES DUKPT-like security protocol for feature and smart phones where the SIM keys cannot be accessed.
     • System constructs and submits to the acquirer an ISO 8583 transaction for debit and credit cards.
     • The transaction is a CNP (card not present) with PIN.
     • The normal four party card acquiring processes apply.
     • In SA liability is shifted to issuer in a similar manner to 3D Secure.
     • payD has been live in SA for 4 years.
     • MasterCard approved and branded, Visa supported via marketing - in SA.
  7. Case study: South Africa: good debit card with PIN penetration – POS and online usage poor due to limited debit card acceptance
     • High levels of debit card penetration
     • PIN required due to single message ATM genesis
     • High GDP per capita - good retail potential
     • >120% mobile phone penetration
     • Airtime top-up via cash not card
     [Chart: GDP per capita (PPP, $2,000 to $10,000) against financial penetration (20% to 100%) for South Africa, Indonesia, Kenya and Uganda]
  8. The m- and e-commerce challenge in South Africa. [Chart: total retail sales in South Africa against online retail sales in South Africa: 0,36%]
  9. The m- and e-payments challenge in South Africa: all payment types accepted, but debit cards with PIN code didn’t work in m- and e-commerce.
  10. There are an estimated 750 000 spaza shops in South Africa – with almost no POS acceptance
     • POS cost too high for merchants
     • Not viable to acquirers
     • VAS services key
     • Less than 200 000 POS merchants in SA, mostly in formal retail sectors
     • Cost of POS high to merchant – R750pm min if turnover under R20 000 pm
  11. Flea markets and other informal merchants pose similar challenges. New game: spot the POS
  12. The lack of electronic acceptance is impacting business growth – suppliers won't accept cash – not just an SA issue
     • Bulk distributors will not accept cash
     • Lack of electronic acceptance limits float to pay
  13. Using a phone as the merchant device is a logical leap but does have limitations in emerging markets
     • mPOS requires certification, distribution logistics and specific phones
  14. Card payment – traditional four party model needs to be retained….
     [Diagram: Acquirer (A) and Issuer (I) exchanging Request / Response]
     • Card is presented at terminal
     • Tx details captured on POS and sent to acquirer
     • Acquirer attempts authorisation from Issuer
     • Response sent back to acquirer and to POS
  15. So…..which way? Converge carefully….
     • Mobile phones are pervasive and key to expanding payments
     • Phones need to be secure for PIN entry
  16. payD uses the phone‘s SIM to encrypt the PIN
     • SIM has encrypt and decrypt functionality
     • ISO PIN block can be created
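The slide says the SIM can create an ISO PIN block. The Python below is an added illustration, not code from the deck or from Oltio/payD: it builds and unpacks an ISO 9564-1 format 0 PIN block, in which the PIN field is XORed with the rightmost twelve digits of the PAN (excluding the check digit), so the same PIN produces a different block for every card and a block cannot be decoded under another card's PAN. The sample PIN and PAN are constructed test values, and the block shown is the clear PIN block; in the real flow that block is immediately 3DES-encrypted by the SIM or HSM, a step not shown here.

```python
"""ISO 9564-1 format 0 ("ISO-0") PIN block: build and unpack.

Added example, not part of the payD deck. The clear PIN block produced here is
what the SIM/HSM would encrypt under 3DES; the encryption step is out of scope.
"""

HEX = "0123456789ABCDEF"


def _pin_field(pin: str) -> str:
    """Control nibble 0, PIN length nibble, PIN digits, then F padding (16 hex chars)."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def _pan_field(pan: str) -> str:
    """0000 followed by the rightmost 12 PAN digits, excluding the check digit.

    PANs with fewer than 13 digits are left-padded with zeros.
    """
    if not pan.isdigit() or len(pan) < 2:
        raise ValueError("PAN must be decimal digits")
    return "0000" + pan[:-1][-12:].rjust(12, "0")


def _xor_hex(a: str, b: str) -> str:
    return f"{int(a, 16) ^ int(b, 16):016X}"


def encode_pin_block(pin: str, pan: str) -> str:
    """Return the clear ISO-0 PIN block as 16 uppercase hex characters."""
    return _xor_hex(_pin_field(pin), _pan_field(pan))


def decode_pin_block(block: str, pan: str) -> str:
    """Recover the PIN from a clear ISO-0 block; raises if the block was built for another PAN."""
    if len(block) != 16 or any(c not in HEX for c in block.upper()):
        raise ValueError("block must be 16 hex characters")
    field = _xor_hex(block.upper(), _pan_field(pan))
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("block does not match this PAN")
    return pin


# Constructed test values, not real card data
SAMPLE_PIN = "1234"
SAMPLE_PAN = "43219876543210987"

if __name__ == "__main__":
    block = encode_pin_block(SAMPLE_PIN, SAMPLE_PAN)
    print(block)                                # 0412AC89ABCDEF67
    print(decode_pin_block(block, SAMPLE_PAN))  # 1234
    # Same PIN on a different (constructed) card gives a different block
    print(encode_pin_block(SAMPLE_PIN, "5432109876543210"))
```

The PAN binding is the point worth noticing: the block alone reveals nothing about the PIN without the PAN, and a block captured for one card is useless for another, which is the property the "phone number is proxy for card number" design relies on once the block is encrypted.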
  17. payD uses WIG security embedded into a mobile network operator's system
     [Diagram: SIM card containing a WIB browser that allows encryption of data using the keys; WIG Gateway; HSM; Transaction Application Server]
     • Derived keys loaded onto the SIM card at the point of manufacture
     • WIG push for PIN; customer enters PIN on receipt of request
     • PIN-block returned to the WIG gateway
     • Re-encrypted with application keys in the HSM and passed to the transaction application server
     • System is protected by patents and licensed to operators
  18. …allowing the phone to become a Personal Key Entry Device - restricted to the identified cardholder
     • Not for general PIN entry use by merchant
     • Locked to identified cardholder
     • Phone number is proxy for card number
     • No device certification required
  19. …..SIM and PIN = Chip and PIN [Diagram: Card + PIN, SIM + PIN]
  20. payD replaces the card and POS
     [Diagram: Acquirer (A) and Issuer (I) exchanging Request / Response, with payD in place of the card and POS and a database linking Card Nr to Mobile Nr]
     • Enabling mobile card-based transaction - Card-Not-Present + PIN
     • Secure encryption engine to capture and process ATM/POS PIN
     • Auth engine: customer’s card number linked to mobile number
     • payD builds and sends formatted auth request to bank
     • Mobile phone number is used to identify cardholder
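Slide 6 states that the system constructs an ISO 8583 transaction for the acquirer, and this slide that payD builds the formatted auth request. The Python below is an added illustration, not payD's code: a minimal ISO 8583 (1987-style, ASCII-encoded) 0100 authorization request builder and parser, showing how the primary bitmap announces which data elements are present and how the encrypted PIN block is carried in DE52 alongside the PAN, amount and currency. The data-element formats are a simplified assumption for the example (real scheme specifications and ISO 8583 versions differ), and every sample value, including the hex in DE52 standing in for an encrypted PIN block, is constructed.

```python
"""Minimal ISO 8583 authorization request: build and parse.

Added example, not payD's code. Assumes a 1987-style ASCII encoding with the
simplified data-element formats below; real scheme specifications differ.
"""

# Data elements used here: number -> (name, kind, length)
#   "n"  fixed-length numeric, "LL" variable-length numeric with a 2-digit length prefix,
#   "b"  binary carried as hex text (DE52 is 8 bytes = 16 hex characters)
FIELD_SPEC = {
    2: ("pan", "LL", 19),
    3: ("processing_code", "n", 6),
    4: ("amount", "n", 12),
    7: ("transmission_datetime", "n", 10),
    11: ("stan", "n", 6),
    22: ("pos_entry_mode", "n", 3),
    49: ("currency_code", "n", 3),
    52: ("pin_data", "b", 16),
}


def build_bitmap(fields) -> str:
    """Primary bitmap: bit i (counted from the left) is set when DE i is present."""
    bits = 0
    for f in fields:
        if not 2 <= f <= 64:
            raise ValueError("only DE2..DE64 supported (no secondary bitmap)")
        bits |= 1 << (64 - f)
    return f"{bits:016X}"


def parse_bitmap(hexmap: str):
    """Return the list of data elements announced by a 16-hex-character primary bitmap."""
    bits = int(hexmap, 16)
    present = [f for f in range(1, 65) if (bits >> (64 - f)) & 1]
    if 1 in present:
        raise ValueError("secondary bitmap not supported in this example")
    return present


def encode_field(num: int, value: str) -> str:
    """Validate a value against FIELD_SPEC and return its wire form."""
    name, kind, length = FIELD_SPEC[num]
    if kind == "n":
        if not (value.isdigit() and len(value) == length):
            raise ValueError(f"DE{num} {name}: expected {length} digits")
        return value
    if kind == "LL":
        if not (value.isdigit() and 1 <= len(value) <= length):
            raise ValueError(f"DE{num} {name}: expected 1..{length} digits")
        return f"{len(value):02d}{value}"
    if not (len(value) == length and all(c in "0123456789ABCDEF" for c in value)):
        raise ValueError(f"DE{num} {name}: expected {length} hex characters")
    return value


def build_message(mti: str, fields: dict) -> str:
    """MTI + primary bitmap + data elements in ascending order."""
    nums = sorted(fields)
    unknown = [n for n in nums if n not in FIELD_SPEC]
    if unknown:
        raise ValueError(f"no spec for DE {unknown}")
    return mti + build_bitmap(nums) + "".join(encode_field(n, fields[n]) for n in nums)


def parse_message(msg: str):
    """Split a message back into (MTI, {DE: value}); raises if length and bitmap disagree."""
    mti, bitmap, body = msg[:4], msg[4:20], msg[20:]
    fields, pos = {}, 0
    for n in parse_bitmap(bitmap):
        if n not in FIELD_SPEC:
            raise ValueError(f"DE{n} present but no spec")
        _, kind, length = FIELD_SPEC[n]
        if kind == "LL":
            length = int(body[pos:pos + 2])
            pos += 2
        fields[n] = body[pos:pos + length]
        pos += length
    if pos != len(body):
        raise ValueError("message length does not match bitmap")
    return mti, fields


# Constructed sample: an 0100 authorization for R125.00 (ISO 4217 ZAR = 710)
SAMPLE_FIELDS = {
    2: "43219876543210987",
    3: "000000",
    4: "000000012500",
    7: "1107093015",
    11: "000123",
    22: "011",                 # assumed value for the example; codes are scheme-specific
    49: "710",
    52: "A1B2C3D4E5F60718",    # placeholder standing in for the encrypted ISO PIN block
}

if __name__ == "__main__":
    msg = build_message("0100", SAMPLE_FIELDS)
    print(msg)
    print(parse_message(msg))
```

Two checks matter for a receiver: the bitmap must be trusted only as far as the message length confirms it (hence the final length comparison), and DE52 is only ever an encrypted block, so nothing in this layer should need to know the PIN.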
  21. payD is secure and PCI compliant
     • payD is PCI DSS level 1 compliant
     • PCI compliance is not required by merchant/PSP in a payD transaction as card details are captured into the customer’s phone
     • payD is a “cloud” POS
     • Reduces merchant risk and cost
  22. Authenticated Mobile Transaction (AMT) is a PASA approved Card PCH rule in South Africa
     • Card PCH specified and approved
     • PIN is captured into phone in secure manner
     • AMT rule is similar to 3D Secure and V-by-V
     • Liability shifts to issuer
     • Issuer opt-in required
     • Applies to all card types
     • payD conforms to AMT
     • Licensed in South Africa to IPSEP
  23. payD is supported by both MasterCard and Visa
     • MasterCard Mobile Remote Payment (MMRP) certified
     • Supported by Visa
     • Issuer opt-in required
  24. MTN uses payD to sell airtime directly to customers - via MTN Eazi Recharge – customers dial a USSD shortcode and enter the PIN in a WIG session: *141*10#
     • Customers do on average 8 transactions pm
     • Debit card purchase as opposed to cash withdrawal
     • 350 000 registered users
  25. As do Vodacom for their Express Recharge offering … *130*082#
  26. payD also enables e-commerce purchases for PIN-based cards
  27. payD WIG is a complex system and needs all elements to be in place to work - this isn't always the case outside of South Africa. Key learnings from payD WIG:
     • MNO dependence - requires MNO technical support – correct SIM, SIM keys and WIG to be in place
     • App is in – customers demand a richer experience – use of USSD is declining and WIG/S@T has not proven successful to MNOs
  28. ORAGS App – works on all networks, with a 3DES DUKPT-like security protocol - called ORAGS
     1. Customer downloads App
     2. Phone sends SMS to identify itself
     3. Subset of keys sent to phone
     4. Creates one-off session
     Feature and smart phones. PIN-block returned encrypted under secure protocol – one-off use only.
  29. ORAGS works across multiple channels
     [Diagram of channels: vPOS, Physical POS, App to App (low cost POS with no extra hardware required; can be used on current technology, no EMV compliance required); mCommerce (ticketing, cinema, airtime); WEB eCommerce (simple API and simulator for merchant integration); Static (parking, ticketing, retail); F2F code entry; Call centre (outbound sales, insurance; in most instances App or USSD WIG can be used); Kiosk (bill payment)]
  30. Face-to-face provides the biggest opportunity for payment acceptance expansion and cash reduction
  31. Face-to-face using a phone App - no extra hardware is required - low level phones can be used
  32. POS – non-EMV for example – here using USSD
  33. App to App allows the monetisation of Apps
  34. Payment on web via App
  35. Bill payments
  36. Tickets at a kiosk
  37. Payment using printed code via USSD and WIG
  38. Chargeback experience: well known former SA low cost airline
     • Largest low cost airline in SA – over 200 000 passengers per month
     • Linked to payD to allow debit cards to grow potential customer base
     Sample year, commencing July 2011:
     • 8900 tickets sold with sales values of R11m via payD
     • No confirmed chargebacks via payD noted
     • 20% of usage was credit card and PIN
     • 3D not user friendly to mobile
  39. Stakeholder benefits summary
     Card issuer:
     • Provides additional value added services to cardholders by allowing mobile remote authentication
     • Increased PV on transactions through expansion of acceptance channels that accept remote authentication
     • Enablement of debit cards for mobile authentication on cards that do not allow card not present transactions
     Card acquiring:
     • Expand acceptance network to include remote authentication solutions; enjoy increased merchant fees from expanded estate
     • Enable new card based payment channels, e.g. B2B mobile payments
     Cardholder:
     • Convenience of using mobile phone to pay in remote authentication situations, e.g. travel bookings
     • No need to share card information with any merchant or payment gateway, which reduces hacking of data
     Merchant:
     • Accept card based transactions in previously unsupported environments, e.g. debit e-commerce transactions
     • Cost savings through direct distribution capability of virtual services, e.g. airtime (in this scenario the mobile network operator becomes the merchant)
     • Enjoys liability shift rules similar to VbyV/3D – no need to be PCI compliant
     Card company:
     • Increased security of cardholder information: no card data is shared with a merchant when a transaction is processed
     • Out of band authentication ensures separation of card sensitive data; data compromises do not enable fraudsters to replicate transactions or clone cards
     • Remote authentication capability increases PV for issuers
     • Remote authentication capability can extend acceptance infrastructure within a market
     • Enables the mobile phone as an authentication device
     • Provides a direct communications interface to the cardholder; promotions and offers can be better articulated and promoted
     • Increased security through GIS enablement of transaction info: all transactions carry a location signature
  40. The future is - CNP plus PIN
  41. Show video