Paul Rodgers, Chairman, Vendorcom and regular columnist at The Fintech Times highlights the profound impact PSD2 and payments security will have on the payment industry and to retailers’ and merchants’ business models over the next year
“We’ve broken the Internet”. These bold words seemed shocking at first when one of Vendorcom’s foremost e-commerce merchant members made the pronouncement, at a recent Payment Security & Risk Management Forum. He went on to reveal a catalogue of frankly astounding areas where, from a fintech and payments perspective, we are risking both the integrity of remote commerce and the basis of trust that we need from citizen consumers, if digital transactions are to develop in commerce.
My view of how the fintech world and regulatory environment is serving retailers and the wider merchant community is bleak as we go into 2019 and head for the third decade of this century!
Security, in the merchant-consumer payments ecosystem, where I’ve spent most of my time since setting up Vendorcom in the rollout of chip & PIN in 2003, has advanced considerably in the past 15 years but we’re still, relatively speaking, at an embryonic stage when it comes to providing fit-for-purpose payment systems that can be safely and securely be used by everyone.
Traditional payment methods have evolved from very simple, analogue methods and have been digitised in the same way as early computers simply provided faster adding machines or put a screen where the paper and ribbon were on a typewriter. Computing came a long way in the 50 years from 1955 to 2005, before it really added to true economic productivity. even though we thought we were realising the full benefit at each intermediate stage – PCs in the late 1980s/early 90s and the dotcom boom of 2000.
I am becoming increasingly convinced that unless we move to a distributed, networked, standardised model for digital transactions in general and payment security in particular, as we have for global electricity systems and cloud computing architectures, we will fail to deliver the full benefit of digital identity authenticated transactions to citizen/consumers, service users, and national economies.
Lack of standardisation of payment security processes/protocols and the inconsistency of messaging that goes out to citizen/consumers around payment security, identity and authentication credentials will continue to create confusion and result in low levels of uptake of novel solutions and add risk to the payments sector as a whole.
A collaborative approach is essential to ensure that the challenge of educating citizen/consumers and socialising a ubiquitous digital transaction security message is owned by all and forms part of the basic facts of life in a developed economy.
The payments sector, especially card schemes and banks, have been able to determine payments security and authentication protocols, e.g. chip & PIN, 3D Secure and PCI (payment card industry, in the past two decades. Their role in that regard is coming to an end where, whilst they will continue to have some input, it will be the technology interface providers in telecoms, entertainment, automotive, domestic appliances, public kiosks that will own the route to securing all interactions of the citizen/consumer, including payments. I expect to see organisations like Haier, Electrolux, LG, Samsung, Apple, Lexus, Volkswagen, Mercedes, Sony, Miele and other consumer-preferred brands take the lead in transaction security. The best opportunities for the main protagonists to collaborate globally are presented by the World Wide Web Consortium in their groups on Web Authentication and Web Payments or their workshops on Strong Authentication and Identity.
Coming back from the brink
It might not be the most popular thing to say in a fintech article, that frankly, in the first instance, it’s less about technologies than a need to improve general levels of awareness of risk and an appreciation of the basic steps that the citizen /consumer can take to protect themselves.
There’s also a need to re-examine the complex contract between payers, payees, the providers of payment channels, payment instruments and sources of funds. For a long time, in merchant-consumer payments generally – and in card-based payments particularly – the payer has been absolved of all risk and that has created a flabby, risk prone ecosystem that lacks the motivation of mutual risk.
Probably the most inspiring initiative today is Sir Tim Berners Lee’s ‘Solid’ project which aims to radically change the way web applications work today, resulting in true data ownership as well as improved privacy. I recommend anyone working in the payment security and wider digital transactions field to engage with this. It is encouraging that Mastercard, as an established fintech company, is one of the sponsors of this initiative.
There is a wealth of other small changes that are emerging in the payments ecosystem that have the potential to make their own small contribution to overall security and integrity. I believe that initiating and accepting payments on consumer devices is the mature market model for merchant to consumer payments and will put more control into the hands of the payer. AI, biometrics, and massively-multifactor authentication will also add value, as we see more access to networked authentication models that are now emerging.
It’s all about evolutionary transformation – over a generation (or two)!
Regulatory developments such as Open Banking and PSD2 promise much and, taken together, have the potential to be transformative in banking and payments for businesses, citizen/consumers and the economy as a whole. The real challenge as national economies deploy open banking frameworks is how to release the full potential in a coherent programme of transformation.
We could do well to learn from the work of Economist and Professor Emeritus & Senior Fellow at Stanford University’s Institute for Economic Policy Research, Paul A. David who, in 1990, described the “special difficulties in the commercialisation of novel technologies that need to be overcome before users can benefit…” This echoed the work of Robert Solow, Professor of Economics at MIT who said in 1987, “You can see the computer age everywhere, but in the productivity statistics.”
The current fintech fetish that promotes the dogma of disruption as a primary motivator already rings hollow and discordant with what we know delivers true economic value and productivity at a national scale. Transform by all means, but ’disrupt’ is an ugly and inappropriate word for trusted infrastructures of national economic importance.
As I see the current landscape, my assessment would be, “I can see fintech fever everywhere, but in the productivity statistics.”
There are opportunities for all and it will be those neo-fintech start-ups who collaborate with the traditional fintechs who will ultimately gain market traction and build successful, sustainable businesses. Those who shout loudest on the basis of narrow, short-term, vested interest and have a very limited perspective of needs of the service users who might deploy their solutions and even less empathy with the end users – the citizen/consumers – who might adopt and apply their innovation in their daily lives, provide little more than will-o’-the-wisp distractions to those who are journeying towards a bigger destination on this challenging road.
We are in a state of transition and, in the real world, it will take 10-15 years to reach maturity of deployment by merchants and adoption by citizen consumers. One of the most potent examples of how we are disrupting when we should be transitioning is the imminent enforcement (from 14th September 2019) of the Regulatory Technical Standards for Strong Customer Authentication which will be, for ecommerce, mobile and remote payment acceptors, the biggest single catalyst for change in the payments ecosystem since chip & PIN. The main challenge is that the market and economy is ill-prepared for such a momentous change. Most merchants are unaware that this is even on the horizon despite EBA consultations over the past three years and, together with a lack of authoritative, credible responses from most payment processors, issuers and acquirers, it is brewing into a perfect storm for a GDPR-style free-for-all that will be catastrophic at a national economic level, undermine confidence in payment systems and has the potential to take ecommerce check-out back to the dark ages of the 1990s.
Rather than say we’ve broken the internet, I think it is more accurate to say that we are at risk of breaking commerce on the internet – both through ignorant regulation and unrealistic knee-jerk responses by the fintech and paytech sectors.
If we get it wrong, as we seem to be currently, this time next year we may not only be talking about the death of the high street!
Bio: Paul is Chairman & Founder of European payments community, Vendorcom; Mentor at fintech accelerator, Level 39; and Member of the UK Payments Systems Regulator Panel, provided the secretariat for the All Party Parliamentary Group on Payment Systems in the last session of the UK Parliament and is European Evangelist for the World Wide Web Consortium (W3C).