Online Payments Using Information Cards

Transcript of Online Payments Using Information Cards

Page 1: Online Payments Using Information Cards

Your Questions Answered

Sid Sidner, ACI Worldwide

Page 2: Who the heck is ACI?

• 30 years of delivering software to the payment card industry

– Payment engines and back office software

• In 2006, ACI customers processed over 70 billion transactions

  – About half the plastic in the world goes through our software
  – Bank of America did 21.7 million on 23 Dec 2005

• ACI’s customers include the largest banks, retailers, and payment networks in the world

• ACI is one of the world leaders in EMV smartcard products

• ACI also sells wholesale banking software

Page 3: Why is Sid Sidner talking about this?

• During my 9 years at ACI
  – ACI Virtual Wallet (for SET)
  – Mobile Banking
    • National Bank of Greece
    • Movipay in Spain
  – BankPass in Italy
  – 3D-Secure
    • Verified by Visa
    • MasterCard SecureCode
  – Liberty Alliance participant

• My day job is the director of product security

• But I love poking holes in new payment ideas!

• I haven’t been able to find the hole in this one (yet…)

Page 4: What’s in it for ACI?

• More clicks!

• We also have an obligation as a long-time PCI thought leader to move the industry forward

• We will not patent this and in fact published it on a blog to prove it.

• We make money the old fashioned way: we build software and get it to work at our customers
  – “Always strive to lower your talk-to-do ratio.”

Page 5: What are the problems with e-commerce?

• Increasing fraud
  – MasterCard: Card Not Present fraud, up 52%, 2006 vs 2005
  – The PCI Data Security Standard and compliance activities are severely tasking merchants

• Consumer perceptions of insecurity

• Privacy
  – Consumer data is everywhere, including billing addresses and phone numbers

• The hassle of entering payment data
  – The click path for checkout is long
  – Too bad we can’t just swipe a card

Page 6: How do the payment networks work?

[Diagram: Consumer, Merchant, Acquirer, Payment Networks and Issuer, with the authorization flow and the settlement flow running between them]

Page 7: Who are the real players?

[Diagram: the players in the payment network (source: Visa, 2006); asterisks mark the points where ACI provides software]

Page 8: What’s the history of e-commerce?

• Plain old virtual POS terminal
  – Consumer enters data; merchant sends to an Internet gateway provider

• Secure Electronic Transactions (SET)
  – Perfect security
  – PKI for merchants, networks, and consumers
  – Required a SET wallet

• 3D-Secure
  – “Son of SET”
  – Lighter weight
  – Uses browser redirects – no wallet required

Page 9: What did SET look like?

Page 10: How about the 3D-Secure architecture?

Page 11: What’s wrong with 3D-Secure?

• The card brands tried!
  – Lower interchange rate
  – Risk shift to the issuer for fraud

• Poor merchant adoption
  – It made the click path longer

• Poor issuer adoption
  – Implementing an ACS (Access Control Server) was hard if done internally
  – Out-sourcing had data risk
  – Burnt from their SET experience

• Poor consumer adoption
  – Hard to understand
  – Poor merchant & issuer adoption

• Other methods still accepted

Page 12: How do Information Cards work?

[Diagram: the User’s Identity Selector gets a card from the Identity Provider (“Get a Card”) and presents it to the Relying Party (“Use a Card”)]

Page 13: What’s your big idea, ACI?

[Diagram: the same flow with the Bank as Identity Provider and the Merchant as Relying Party: the User’s Identity Selector gets a card from the Bank (“Get a Card”) and uses it at the Merchant (“Use a Card”)]

Page 14: So what?

Page 15: Isn’t this just like authentication?

• Yes, from an architectural standpoint
  – Just a few little tweaks…

• But, the Information Card Issuer is a payment brand, not a specific issuer
  – E.g. the same for all Visa card issuers’ Information Cards
  – E.g. different for Visa and PayPal

• And, the Information Card claims requested by the merchant include variable data
  – The transaction details

• The claims returned from the issuer include
  – a one-time use pseudo card number for privacy
  – and a strong cryptographic token with the transaction details

• There is no impact to the PCI networks – these look just like 3D-Secure transactions

Page 16: What does a Payment Information Card look like?

<Issuer>http://paymentcard.vista.com</Issuer>
<SupportedClaimTypeList>
  <SupportedClaimType Uri="http://paymentcard.vista.com/account">
    <DisplayTag>Account Number</DisplayTag>
  </SupportedClaimType>
  <SupportedClaimType Uri="http://paymentcard.vista.com/VV">
    <DisplayTag>Verification Value</DisplayTag>
  </SupportedClaimType>
  <SupportedClaimType Uri="http://paymentcard.vista.com/expiry">
    <DisplayTag>Expiration Date</DisplayTag>
  </SupportedClaimType>
  <SupportedClaimType Uri="http://paymentcard.vista.com/trandata?">
    <DisplayTag>Transaction Details</DisplayTag>
  </SupportedClaimType>
</SupportedClaimTypeList>

Page 17: What changes are required to the protocol?

• Variable data in claims
  – Identity Selector: match claims only up through the question mark in the claim URL
  – Information Card: http://paymentcard.vista.com/trandata?
  – Merchant: http://paymentcard.vista.com/trandata?COMPRESSED_AND_BASE-64_ENCODED_REQUEST

• Allow multiple issuers in the WS-SecurityPolicy element
  – So that the merchant can indicate which payment types are accepted at their store

• Kim and Mike @ MSFT are aware of this and plan to include it in “version 2”
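The match-up-through-the-question-mark rule and the merchant's variable claim, as an added worked example in Python (this is not code from the deck or from the ACI/Ping Identity demo). It parses the card's SupportedClaimTypeList from page 16 (the fragment is wrapped in a constructed root element so it parses as a document), applies the identity selector's matching rule, and shows the merchant building the trandata claim and the issuer decoding it. The serialisation (JSON), the URL-safe base64 variant and the 4 KB size cap are assumptions; the slide only says the request is compressed and base-64 encoded. The cap matters because the blob is merchant-supplied input that the issuer has to decompress.

```python
import base64
import json
import zlib
import xml.etree.ElementTree as ET

# Constructed sample: the card fragment from page 16, wrapped in a root element.
CARD_XML = """<InformationCard>
  <Issuer>http://paymentcard.vista.com</Issuer>
  <SupportedClaimTypeList>
    <SupportedClaimType Uri="http://paymentcard.vista.com/account">
      <DisplayTag>Account Number</DisplayTag>
    </SupportedClaimType>
    <SupportedClaimType Uri="http://paymentcard.vista.com/VV">
      <DisplayTag>Verification Value</DisplayTag>
    </SupportedClaimType>
    <SupportedClaimType Uri="http://paymentcard.vista.com/expiry">
      <DisplayTag>Expiration Date</DisplayTag>
    </SupportedClaimType>
    <SupportedClaimType Uri="http://paymentcard.vista.com/trandata?">
      <DisplayTag>Transaction Details</DisplayTag>
    </SupportedClaimType>
  </SupportedClaimTypeList>
</InformationCard>"""

TRANDATA = "http://paymentcard.vista.com/trandata?"
MAX_DETAILS = 4096  # assumption: cap on the decompressed request, since it is merchant-supplied


def card_claims(card_xml):
    """Claim URIs a card supports, in document order."""
    root = ET.fromstring(card_xml)
    return [e.get("Uri") for e in root.iter("SupportedClaimType")]


def claim_key(uri):
    """Matching key: everything up to and including the first '?', else the whole URI."""
    q = uri.find("?")
    return uri if q < 0 else uri[: q + 1]


def card_matches(card_xml, requested):
    """Identity-selector check: does the card offer every requested claim,
    ignoring any variable data after the question mark?"""
    supported = {claim_key(u) for u in card_claims(card_xml)}
    return all(claim_key(r) in supported for r in requested)


def merchant_trandata_claim(details):
    """Merchant side: serialise (JSON, an assumption), compress, URL-safe base64, no padding."""
    raw = json.dumps(details, sort_keys=True, separators=(",", ":")).encode()
    blob = base64.urlsafe_b64encode(zlib.compress(raw)).decode().rstrip("=")
    return TRANDATA + blob


def issuer_decode_trandata(uri):
    """Issuer side: recover the details; reject malformed, truncated or oversized blobs."""
    if claim_key(uri) != TRANDATA:
        raise ValueError("not a trandata claim")
    blob = uri[len(TRANDATA):]
    blob += "=" * (-len(blob) % 4)            # restore base64 padding
    try:
        packed = base64.urlsafe_b64decode(blob)
        d = zlib.decompressobj()
        raw = d.decompress(packed, MAX_DETAILS + 1)   # bound the inflated size
        if len(raw) > MAX_DETAILS:
            raise ValueError("transaction details exceed %d bytes" % MAX_DETAILS)
        if not d.eof:
            raise ValueError("truncated or incomplete zlib stream")
        return json.loads(raw)
    except (ValueError, zlib.error) as e:
        raise ValueError("bad trandata claim: %s" % e)
```

The issuer side trusts neither the length nor the framing of the blob: it inflates at most one byte past the cap and then checks the decompressor's eof flag, so a zip-bomb style request and a truncated one are both rejected before any JSON is parsed. A request for http://paymentcard.vista.com/account?x does not match the card's fixed account claim, because the key includes the question mark and the card's account claim has none.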

Page 18: How does this rate, privacy-wise?

• The consumer no longer has to enter billing address and phone number

• The issuer can return a one-time use pseudo card number to the merchant
  – The routing prefix gets it to the issuer
  – This range is not allowed on plastic

• All the consumer has revealed is what issuer they use

• Identity theft is thwarted

• This is a Bob Blakley Identity Oracle
  – Q: Is the customer good for the money?
  – A: Yes, show me this token and you’ll get paid
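The pseudo card number and the oracle's answer ("show me this token and you'll get paid"), as an added example in Python (not the deck's or the demo's code). The reserved routing prefix 999999, the 16-digit length and an HMAC-SHA256 keyed by the issuer as a stand-in for the strong cryptographic token are assumptions; a real deployment would use whatever signed token type the identity provider emits. The issuer keeps the pseudo-to-real account mapping, binds the token to the transaction details, and declines replays, tampered amounts, and numbers outside its reserved range.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a routing prefix reserved for pseudo card numbers, never printed on plastic.
ISSUER_PREFIX = "999999"
PAN_LENGTH = 16  # assumption: same length as an ordinary card number so it routes unchanged


def luhn_check_digit(body):
    """Luhn check digit for a digit string, so the pseudo number passes gateway sanity checks."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right, once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan):
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


class IssuerOracle:
    """Issuer as identity oracle: hands out a one-time pseudo card number plus a token
    bound to the transaction, and later answers 'is this customer good for the money?'."""

    def __init__(self, key, prefix=ISSUER_PREFIX):
        self.key = key            # issuer-only secret; HMAC stands in for the token signature
        self.prefix = prefix
        self.vault = {}           # pseudo number -> real account; never leaves the issuer
        self.used = set()         # pseudo numbers already charged

    def _token(self, pan, details):
        msg = json.dumps({"pan": pan, "tx": details}, sort_keys=True,
                         separators=(",", ":")).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, real_account, details):
        """Claims returned to the merchant through the selector: (pseudo card number, token)."""
        body = self.prefix + "".join(
            secrets.choice("0123456789") for _ in range(PAN_LENGTH - 1 - len(self.prefix)))
        pan = body + luhn_check_digit(body)
        self.vault[pan] = real_account
        return pan, self._token(pan, details)

    def authorize(self, pan, token, details):
        """Authorization as it arrives over the network: the pseudo number, the token,
        and the transaction the merchant is actually charging."""
        if not pan.startswith(self.prefix) or len(pan) != PAN_LENGTH or not luhn_valid(pan):
            return "DECLINE: not a pseudo card number from this issuer"
        if pan not in self.vault:
            return "DECLINE: unknown pseudo card number"
        if not hmac.compare_digest(token, self._token(pan, details)):
            return "DECLINE: token does not match this transaction"
        if pan in self.used:
            return "DECLINE: pseudo card number already used"
        self.used.add(pan)
        # self.vault[pan] is the real account to debit; the merchant never saw it.
        return "APPROVE"
```

The merchant ends up holding a number that is useless outside this one transaction and a token that only the issuer can verify, which is what lets it stay out of PCI DSS 3.4 storage obligations for live card numbers; the issuer, for its part, never has to trust the amount the merchant asserts, because the token was computed over the details the consumer approved in the selector.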

Page 19: Why is this better than 3D-Secure?

– More secure
– Easier

– Lower fees; lower risk
– More transactions!
– Shorter click path
– No storage of live card numbers (PCI DSS 3.4 Data Storage)

– Lower fraud
– Brand awareness
– More transactions!

Page 20: Anything else you’d like to say?

• This would work well in mobile and set-top boxes
  – Information Cards reduce the number of UI gestures
  – Cards should be replicated among devices

• Payment Information Cards for authentication with liability
  – A new transaction type could be defined for the PCI networks
  – Card Verify with a specified risk liability (Best Effort, $50, $5000, $50000)
  – The IdP (the Bank) guarantees the authentication, up to the liability amount
  – The more the risk, the higher the fee
  – This is an idea for another day...

Page 21: Is there an identity metasystem here?

[Diagram: IdP and RP]

Page 22: Can you show me this live?

• ACI partnered with Ping Identity to construct a demo, a proof of concept for the show (see it in booth #404, 5:45 pm & 8 am)
  – Ping Identity did the Information Card parts
  – ACI did the banking part

• We validated Kim’s vision – there is a very clean separation between the application and the mechanics
  – ACI: issuer, claims, token data
  – Ping Identity: endpoints, token types, crypto
  – Neither needs to know anything about the other

• Our big disappointment – it looks too simple! :O)
  – Request a card from ACIBank
  – Shop at Starbuzz Web Coffee and pay with your card

Page 23: What does it take to make this happen?

1. Adoption of Information Cards
  – Will consumers adopt it for authentication?
  – Will it catch on in non-Windows contexts? (Mac, Linux, Mobile, Set-top)

2. Small change to the identity selectors
  – Multiple issuers & variable claims

3. Adoption by the payment providers (PCI, PayPal, BillMeLater, ClickToBuy, NACHA) and issuers (30,000)
  – Standards, branding, contracts, marketing, fees

4. Adoption by merchants (1 million)
  – What is it? What’s in it for me?

5. Adoption by consumers (1 billion)
  – What is it? What’s in it for me?

[Image: Deputy Dawg]

Page 24: How do I find out more?

• See it!
  – Ping Identity, Booth #404

• Read about it!
  – http://tootallsid.blogspot.com/2006/12/infocard-and-e-commerce.html

• Talk to me!
  – [email protected]