The Internet of Things - Galitt · Internet of things The IoT represents a combination of devices...

The Internet of ThingsAn innovative approachto the paymentexperience Whitepaper

20151030 - White Paper Galitt - IoT-An innovative approach to the payment experience 2015 10 30

1

ABOUT THIS DOCUMENT

This White Paper gives an overview of how Galitt perceives the potential inputs the Internet of Things (IoT) could bring to the payment experience.

Based on testimonies from Galitt experts but also from key players of the IoT, this document sheds light on this early stage market.

The first version of this document has been released in France on October 2015.

ABOUT GALITT

Being the reference in payment systemsand electronic transactions, Galitt is the leader in France in all its businesses,and a worldwide leader in providing test tools and expertise in payment innovation.

In 2014, Galitt had a turnover of 30 ME and employs 240 people. More infor-mation about Galitt at its website: www.galitt.us

Business Consulting Contact:Mr. Rémi GitzingerDirector - Consulting+33 1 77 70 28 [email protected]


2

Contents

Introduction 4

Context 4

Definitions 5

The IoT ecosystem: a wide range of use cases 8

1. The IoT devices, new promising payment channels 9

1.1. Prerequisites for IoT implantation 9

1.2. New payment form factors through connected devices 11

2. Improving customer experience with connected devices 15

2.1. Authentication advances through wearables 16

2.2. Innovative IoT based payment processes 20

3. The IoT arrival in payment: multidimensional challenges for an early stage market 24

3.1. Technology issues: the absence of unilateral standards 24

3.2. Security issues: uncertainties in an early stage market 26

3.3. Legal issues: potential legal hurdles 27

3.4. Social issues: customer understanding 28

Conclusion 30


3


4

Introduction Context

Seen by many experts as the next revolution of the Internet, the Internet of Things (IoT) arouses a lot of excitements, hopes, but also speculations in the digital-savvy sphere. Indeed, after the dramatic increase of connected mobile computing devices these past few years, the next step seems likely to be the connection of “things”. No matter what it is, all type of devices could possibly be connected to internet, with repercussions in everyday life but also in companies’ business models.

Indeed, for users, the IoT is expected to improve the quality of life (with smart home solutions for instance). For companies this new step represents a huge opportunity to increase productivity and to develop new markets.

IoT worldwide forecasts in few figures


5

On social media, the IoT appears among the trendiest subjects discussed. The high innovation pace this field knows feeds discussions as well as journalists’ articles. Such hit, raising the IoT as a truly buzzword, is due to tremendous forecasts concerning the IoT development and impact on society.

Even if great figures variations between studies stress that the potential of the IoT development is uneasy to assess, since still at its early stage, all the estimations highlight an exponential growth of use in all sectors. In particular, the card and payment sector expects a lot of benefits from it.

Definitions

Internet of thingsThe IoT represents a combination of devices and software systems that

communicates via the internet, capable of sending, receiving and analyzing data, wi-thout human intervention. It refers to the extension of internet to the physical world.

The term, which appeared at the end of twentieth century, is also closely linked to Machine to Machine (M2M).

But M2M communications are more partitioned: it often refers to point to point communications between two devices. Therefore the scope in terms of analysis and data exploitation is a far cry from IoT potential, which benefits from cloud applications and multiple interactions.

In a nutshell, IoT goes beyond M2M communications, in terms of scope and convenience.

Connected devices

Key components of the IoT, connecteddevices are items whose primary purpose does not include web interactions, but whose addition of connectivity gives a way better value, whether in terms of use or convenience. Some connected

devices, especially those dedicated to customers (smart doorbells, fitness trackers,baby monitors…), are closely connected to smartphones. Its calculation and communication capabilities enable the smartphone to be a substitute for traditional steering tools and therefore be used as an interface with multiple


6

connected devices. That is why smartphones are playing a paramount role for IoT devices massive adoption. As the IoT still at its early stage, smartphones will probably continue to bolster its development for a while.

Focus:thewearable,aspecificconnecteddevice

l Wearables or wearable technology refer to technologies incorporatedin accessories or clothes. It aims at being worn or attached to the body and then at providing insights and help for the user thanks to its connectivity. Still highly dependent on smartphone interface, wearables may nonetheless become truly independent in a close future. Indeed,by nature closer to the user than a smartphone could ever be, wearables have great potential in terms of variety of use and convenience.They represent one of the hottest current trends in the IoT, especially in the fitness, healthcare and payment domains.

Wearables, some examples on different body parts


7

Communication technology panorama

The IoT world communicates through different kind of communication technologies that possess their own characteristics, from scope to data rate. Depending on the device purpose, these technologies are more or less relevant. The graph below gives an overview of some communication technologies’ characteristics.


8

The IoT ecosystem: a wide range of use cases From genuine light bulb to smart industrial machine, the wide variety

of connected devices stresses that the potential use cases are limitless.

Here are some areas where the IoT brings meaningful breakthroughs.

IoT application cases

Scale Areas Use cases


1. TheIoTdevices,newpromising payment channels 1.1. PrerequisitesforIoTimplantation

The extension of the payment capability to a growing part of connected devices is due to the incremental adoption of contactless point of sale, which allows payments with contactless cards or mobiles devices equipped with the Near Field Communication (NFC) technology. Despite a disappointing adoption rate during the first years of its roll out, contactless payment is now a widespread practice among the population, especially with millennials (18 – 35 years old). Connected devices payment is expected to accelerate this adoption.

Key components of the connected devices ecosystem related to payments

Hardware: many manufacturers have already stepped in connected devices production activity, which sounds logical since IoT application fields are wide. But fewer have worked to enable these devices with payment compatibility (Apple, LG, Swatch, Xiaomi, Jawbone...).

9

Payments in the connected devices ecosystem

Source:Bealder


10

OperatingSystems(OS): dedicated or tailored OS to new connected devices are the necessary interface between hardware and apps. Next to the giants Android and IOS, new players (Tencent, Huawei) are developing dedicated OS for connected devices which include the possibility to develop mobile payment apps.

Payment apps: the biggest names have already made their moves. PayPal, Apple, Samsung, Google… all these firms have developed payment apps that fit connected devices, especially smartwatches. Moreover, some big retailers, such as Starbuck, have launched payment applications in closed loop.

This ecosystem is characterized by an intense competition between heterogeneous players: tech giants trying to control the whole value chain (Apple), banks struggling face to new competition (Barclays), pure players in hardware (Jawbone, Swatch) making partnerships with famous payment actors (Paypal) to get payment capacity in their devices, and ambitious startups financed by crowdfunding, such as Pebble.

To enhance interactions within the IoT, low cost sensorshave also been developed in specific areas.

Focus: The beacon technology

l Electric beacons are small devices which emit steady radio signals, usingBluetooth Low Energy (BLE). Connected devices, such as smartphones, receive these signals thanks to the OS which scans regularly the transmission of signals. Signals serve to locate devices or to send notifications to users.

l Some retailers (Apple, McDonald’s, Darty…) are already using it in order to transform and enhance their relationship with customers (see retail use case for concrete example).

l Two prerequisites are necessary for an efficient use of beacons:

- On the retailer side, an optimized squaring of the store by beacons, knowing that the scope of these devices does not exceed a few meters;

- On the customer side, a subscription to the retailer’s app. If not, notifications cannot be sent.


11

1.2. New payment form factors through connecteddevices

New payment form factors leveraging on connectivity have appeared in the last few years. This opens new opportunities to enhance consumer experience both for remote and face to face payments.

1.2.1. Remote payment: extension to new devices

Concerning remote payments, tech companies are working on a wide range of new enabled-payments devices. As MasterCard executives repeat, in a near future each device will be a Point of Sale (POS) device. Let’s take two card not present examples.

The Smart TV

Smart TV manufacturers (Samsung, LG, Phillips…) allow henceforth users to make payment in few steps, after initial enrollment. Samsung Pay on TV has partnered with Paypal to provide a pay by PIN solution. During first registration, user has to select a payment method (PayPal, credit or debit card). Then when he wants to buy an item, he has to click on a “pay now” button. To finish his purchase, he has to indicate his PIN code. With this, users can pay for VOD or other items through dedicated apps downloaded on the TV.

The next step for converting this payment capacity into a real enhanced consumer experience should involve commercial offers to users based on movies they are watching. For instance, offering in a few clicks the possibility to get your favorite hero’s jacket looks like a brand new innovative shopping experience.

The connected car

Some exciting payment pilots are taking place on the connected car. Letting pay the user while he is driving is the current project of several companies. Some proof of concepts have already been released: for instance, Visa, in collaboration with Pizza Hut and Accenture, is working on implementing payment process features on cars for ordering in Pizza Hut restaurants. For a more secure experience, Visa Checkout will enable the driver to orally order. Then, whenthe driver comes near the restaurant, the restaurant staff is warned thanks to beacon technology that detects the car. Thus, after the at home and


12

the in-store experience, the user could benefit from the on-the-go payment experience.

In the case of the connected car, relevant use cases could apply for standardized services such as tolls or gas station. When a service implies more complex choices – in a restaurant for instance – experiencing payment through a car will require a truly operating system with convenient apps.

As to payments, this is nonetheless wearables which raise the most enthusiasm.

1.2.2. Face to face payments: the wearable breakthrough

Recent progresses in miniaturization, functionality and pricing have ramped up the sales of wearables, to such a point that it is becoming mainstream.

Retailers are especially relying on these devices to improve the whole customerexperience. In this context, wearable payments look like a key driver for contactless payments.

A very dynamic market…

Despite a relative uncertainty about figures, the future trends should involve constant increase of wearable shipments, especially for smartwatches.

Wearable Device Shipment by Device Type, World Markets: 2013-2020


13

…which is turning into payments

Following the growth of wearables sold, projections concerning wearable payment transactions are also very dynamic. Currently, we can distinguish two specific wearables which are driving wearable payments: wristbands and smartwatches.

The wrist-based solutions for payment in closed loop system are meeting a great success, especially for live events. Venues organizers such as music festivals (Coachella, Tomorrow Land, Vieilles Charrues, Garo-rock…), or Recreation Parks (Disney) are more and more choosing these cashless payments solutions based on prepaid accounts. One advantage is that it increases the average spending of users. Indeed, according to RFID wristbands supplier ID&C, wristbands increase from 16% to 35% spending per head during live events.

Some wristbands are also used as a payment solution for everyday life. For instance, Purewrist startup is offering the possibility to tap and go in any retail equipped with a contactless payment terminal, thanks to an embedded chip in a band. The partnership with MasterCard offers the Purewrist users a large acceptance merchant base.

Some banks have initiated their own bands. For instance, Bpay from Barclay offers a solution for everyday life, with a limit of £30 per spending. Three different devices are available: a wristband, a key fob, and a sticker. The band is based on a prepaid account link to a credit or debit card. For Barclay, this is a way to attract new customer since Bpay does not require the subscription to a bank account at Barclay.

Moreover, payment capability is a sales argument used by manufacturers to convince consumers to opt for their item. For instance, fitness trackers manu-facturers are progressively diversifying the functions of their bands towards payment. For jogging-lovers, being able to pay without carrying a wallet isconvenient. Jawbone has launched the UP4, which allows contactless paymentsthanks to a partnership with American Express. Based on the smartphone, Jawboneuses tokenization for securing the payment: card data is neither incorporated in the wristband, nor in the smartphone app. The Chinese manufacturer Xiaomi,


in collaboration with Alipay, has also extended to payments the capability of the Mi wristband. These actors are convinced that including payment capacity in their device is an efficient way to keep them attractive in the long run.

But the item which encounters the greatest growth is the smartwatch. Contrary to previous wristbands, smartwatches get a computing capacity which allows a wider array of apps. That is why a large variety of smartwatches have popped upthe last few years: both tech companies (Apple, Samsung, LG, Google, Sony, Motorola, Alcatel, Pebble…), and watch manufacturers (Swatch, Kairos) are developing or have already commercialized their own device. As fitness trackers, the next move is likely to be the extension of payment capability for these smartwatches. One argument beyond the adoption of smartwatch as payment solution is that it is, contrary to a mobile or a wallet, safer because tied to the wrist. Therefore, as the others wrist wearables mentioned, the pro-bability of losing it is weaker. Perceived for many experts as the app that would boost smartwatches sales, payment solutions already exist for some smartwatches devices.

Focus: mobile wallets extending to new wearables

l What will make wearables such as smartwatches so popular lies in thepossibility to make transactions thanks to wallet apps. According to market research and consulting firm Chadwick Martin, nearly 40 percent of people who are highly likely to buy wearables in the coming years say they want it to come with mobile wallet functionality.

l Making payments by just tapping our wrist seems way more convenientand easier than doing it with a smartphone. That is why some companies have recently extended their mobile pay program to smartwatches. Thus, Apple Pay with the Apple Watch or Samsung Pay with Samsung Galaxy Gear are on race to fulfil consumers’ expectations. Soon new players might enter the market: Google with its brand new Android Pay, LG with G Pay, or the big retailers’ wallet solution CurrentC for instance.

. . .

14


15

. . .

l Answering to security challenges with M-payments, smartphonemanufacturers such as Apple and Samsung have integrated dedicated embedded Secure Element (SE) within the smartphone. This SE, usually a chip, is capable of securely hosting payment applications and their confidential card data. For its part, Google has developed since 2013 the Host Card Emulation (HCE) technology, which basically offers more flexibility concerning the localization of the sensitive data. Among several possibilities, the SE in the cloud option has met large success 1.

l Payments through wearables start to benefit from these improvements:Apple’s smartwatch embeds a SE, allowing the Apple Watch to inde-pendently process contactless payments.

Nonetheless, some other manufacturers are more skeptical about the extension of NFC technology on smartwatch. Guess Watch, for instance, does not believe it will convince watch buyers. According to the manufacturer, a majority of potential buyers is still more focused on fashion and design than on connectivity.

In the next few years, new innovative wearables with payment capacity may emerge under the collaboration between fashion and tech firms. The work between Visa Europe and the art and design school Central Saint Martins on wearables’ concepts clearly highlights this trend.

2. Improvingcustomerexperience withconnecteddevices

At the 2015 Retail Reinvention (R2) summit organized by PYMTS the 4th and 5th of August, CEOs from various payment industry companies were invited to discuss the future of retail. Answers did not fluctuate much: the key is about improving user experience, leveraging on new connected devices.

This statement goes not only for retail, but for all sectors. Payment is perceived as a paramount stake to reach such expectations.

1 - For more information, read Galitt WP on HCE technology http://www.galitt.com/White-Paper-HCE-Technology_1034.html


16

2.1. AuthenticationadvancesthroughwearablesAn area where new connected devices may bring substantial impro-

vements is authentication, with promising first steps in biometrics.

2.1.1 Authentication progresses led by biometrics

As connectivity spills over new areas, cyber security concerns have been raised as a critical subject of matter. The traditional password systems to authenticate seem to be more and more vulnerable, facing smarter hacking attacks. In this context, biometrics possesses some solid arguments to overcome these threats. On one hand, the IoT development provides opportunity to enhance biometrics solutions convenience. On the other hand, new IoT areas urgently need solid security systems to protect critical data or infrastructure.

In the payment area, several of these solutions have already found a concrete application.

Securityissuesfromtraditionalauthenticationsystems

A password alone, string of letters and figures, does not cater to security requirements (anymore). Actually the main vulnerability of passwords is that it is closely link to people. Password failures are often due to people ignorance or negligence.

First because sophisticated attacks, in order to get confidential data, can easily trick people who are not aware of internet threats. And then because passwords created by people are unlikely to be secure (too basics and used for multiple accounts).

Single factor authentication, especially when based on password, does not reach sufficient security level. That is why more and more security systems integrate two factors authentication systems (2FA).

However, 2FA solutions do not constitute relevant responses to increasing threats. This kind of solutions strengthens protection but remains vulnerable to complex cyber-attacks. Above all, it is the lack of convenience that makes 2FA systems not really popular. 2FA generally combines a password (knowledge factor) with a second kind of protection, either a hardware one or a software solution (ownership factor). Nonetheless, because of adding delays to the process or lack of interoperability, this solution looks flawed.

It remains to be seen whether the third security factor, based on biometrics (inherence factor), handles with expectations in terms of security and convenience.


17

Anefficientpasswordalternative(orcomplement)

Biometrics refers to metric processes that aim at identifying humans through his physical, physiological or behavioral characteristics. It is widely used for granting access to buildings, rooms… and has also been developed for granting access to devices, or to certify actions.

Biometric authentication looks much more secure than passwords; if the enrollment biometrical process is well concocted and based on a high quality sensor, it is harder to replicate or to steal. Moreover, in terms of convenience, the user does not have to worry about reminding a code or carrying a specific device since his or her body acts as the authentication “tool”.

Technology manufacturers are gradually integrating for all their devices biometricssolutions. Smartphones, which once again have served as trailblazers for innovation, are now supplied with biometric authentication, most of the time based on fingerprint.

The Mobile Biometric Authentication System (MBAS) is expected to know a great growth, notably through its extension to wearables: according to Google Intelligence forecasts, 150 million wearables will be delivered in 2015. One fifth will contain biometric technology.

Biometricsolutionspanorama

A large panel of biometric solutions has already found concrete application.

Main biometric solutions


18

Combiningbiometricssolutionstostrengthensecurity

Coupling biometric solutions is a way to strengthen authentication to reduce frauds. By providing multiple biometric authentication choices, manufacturers also handle convenience issues: depending on the context, a biometric solution is not always suitable. For instance, voice recognition in loud places or facial recognition in a shiny day may face some authentication failure.

Biometric enterprises in paymentsAs well as defense or law enforcement, the payment industry sees in

biometrics great opportunity to secure and reduce fraud in payments.

In France, Natural Security promotes a standard based on a biometrical technology (for more details, look at the focus on Natural Security p.28). Galitt played a key role for the development of this standard, by realizing its general description and the specifications for each part of the technology (POS, personal device andBiometric reader). It is now used by several companies to develop safe and convenient products. For instance, in October 2015, Trust Designer, a French firm, has launch a Kickstarter crowdfunding campaign to finance its project Sesame Touch, a biometric connected device using fingerprint to authenticate before payments (it can also be used to grant access to buildings or mail box for example). Once payment card account data registered in the device, it can be used as a contactless payment solution in face-to-face payments. For online purchases, it replaces all the check in steps: putting the finger on the device is the only required step to purchase products the customer has selected online.

Mobile wallet providers such as Apple or Samsung include fingerprint authentica-tion to make a purchase. But most of the time this authentication is not possible with the wearables these manufacturers provides. However, this should evolve very soon: the Samsung Gear should have fingerprint sensor, which would probably allow payment with biometric authentication by using only the smartwatch.

ING has developed its own biometric solution, using voice’s user. Services basedon this authentication include access to the account, balance checks, and payment orders. In France, PW Consultants has launched a similar solution. After a 13 months test, La Banque Postale has decided to generalize this solution for its clients within the end of the year.

Other solutions are tested: Amex is experiencing facial recognition for payments, both for smartphones and screens wearables devices, as well asMasterCard. The latter has planned to roll out this solution for 500 users at first.


19

2.1.2 Wearable inputs in authentication

Strengtheningauthenticationviafamiliarpattern

A research field for securing payment without using biometrics is to use devices identity (serial number for instance) and trails’ devices when they are connected. As wearable and other connected devices become closely related to people’s lives, it should be possible to reduce fraud thanks to a body of evidence constituted of connected devices.

In a case of a remote payment, at home, payment after payment, a layout is settling: the customer is always located at the same place, going to internet through the same network, using the same device, which is perhaps connected to other wearables. This pattern proves that no fraud is occurring, since the payment is happening in an ecosystem of known connected devices. Thus, in this familiar case, authenticators such as Pin code may not be necessary.

Specialized in authentication, the Swedish firm Keypasco has developed this idea: it offers a multifactor solution based on geographical location and device authentication.

Persistentbiometricalauthenticationthroughwearables

If wearables open new end point for biometrical opportunities, the most exciting project related to biometric authentication goes a step further by introducing a passive and persistent biometrical wearable authentication usable for payments.

Canadian-based firm Nymi has launched the first biometrical authentication wearable payment with its product Nymi band.

Nymi band is based on electrocardiogram (ECG) sensors, which provide a person’s unique signature through his heartbeat. This authentication technology is potentially usable for a wide range of services, from physical to application access.

The first time the user puts on the band, sensors will scan its ECG during few seconds. Then the Nymi band remains in continuous authentication while worn.


20

For two years, Nymi has worked with MasterCard, the bank TD Canada Trust and the electronic company NXP to develop a secure payment solution with its band. The solution is now experienced in Canada with a hundred TD users. It permits contactless payments thanks to NFC technology within the Nymi band. Unlike other contactless payments, this solution is a step above safer since the user is authenticated when making a purchase.

Thus this passive and persistent authentication offers a great opportunity to enhance convenience in payments - by simply tap the wrist on a NFC POS - whilst maintaining a strong level of security. Here is a concrete example of the inputs wearables will bring to the payment industry sector. A new step has been reached to make payments as invisible as possible.

2.2. InnovativeIoTbasedpaymentprocessesSome innovative payment processes are poised to give a new dimension

to user itinerary. Either implemented or still in test, they use connected devices to provide a seamless customer experience. Here are some of these concepts.

2.2.1. Hands free payment

From automated check in…

Hands free payment goes further in effortless payment experience by removing traditional steps of payment process. A concrete experience is given by PayPal which has implemented Beacon PayPal. PayPal furnishes retailers with specific beacons which will detect PayPal subscribers when they come in the store. At the time of check out, the retailer checks if the client and the PayPal account are matching, thanks to a photograph. Then he only has to orally ask the customer the payment confirmation to ends the payment process. Depending on stores, the PayPal client gets the choice of opting to a manual check-in, a confirmation when he comes in or the automated check in.

…To automated checkout

The next step could be the removal of the interaction between the consumer and the retailer. A complete automated checkout for payments implies first the authentication of a consumer when he comes in the store, such as the previous example. This authentication gives access to personal bank data. During shopping, the consumer scans his items with its wearable which calculatethe total amount. When the consumer walks out of the store, it triggers


21

the payment, thanks to sensors located at the entrance, which also check the correlation between the price and the items the client brings with him.

This time saving system, still in testing phase, combines seamless experience and autonomous way of doing shopping.

Aretailusecase:abettershoppingexperience

l With the payment system previouslyanalyzed, retailers have tools to improveconsumer experience during shopping. First of all, with the IoT the shopping experience can free itself from single channels to become a global one. For instance, when the customer goes on a retailer website with his mobile, the items he has targeted will be registered in order to give the retailer the possibility to make customized offers if this client comes to the brick and mortar shop with the same device.

l Moreover, by detecting customer as soon as they come in the shop,the retailer can address specific offers (thanks to beacons for instance) related to products the client is close to. All the data gathered from its customers as they wander in the store also permit the retailer to understand how to improve the layout of his store in order to increase the average basket price of his customers.

l About payments, consumers and merchants expect to take advantageof these new connected devices. These devices, as well as the user experience processes we have seen in the previous section, are poised to remove the last frictions in payment to make it as simple as possible. In stores, it means time-savings, by avoiding the cue lines and confining the payment checkout to really quick operations if not invisible.

l To sum up, the IoT use for retailers is all about tailoring the service tothe customer, by fitting the offer to his taste and by minimizing all the procedure around shopping.


22

2.2.2. Usage based payment

The IoT could also be used to tailor the amount due by the clientaccording to his activity. The fees would depend on what item a client uses, how and how long he uses it. With sensors embedded in items which authenticate the client wearables, the retailer would be able to proceed to an exact usage based payment. This system is already implemented in the car insurance sector in some countries which offer tailored fees based on multiple factors such as distance covered, speed, historic riskiness of the road, or part of day in which the car is used…

Unlike this previous example, usage based payment might constitute an even more relevant use case for activities which drive the customer to switch from a product to another, like in gym centers or recreation parks.

Avenueusecase:acustomerdayinarecreationpark

l Live events are more and more using closed looppayment systems to enhance the consumer experience. Indeed, by doing so, organizers arefree to fit the payment experience to their activity. In practice it means providing a prepaidaccount for each venue comer, who fills it as hewishes. Then organizers can issue a specific formfactor, such as a wristband, linked to this prepaidaccount. Sparing consumers from carrying a wallet is particularly convenient for recreation parks, within some activities are a bit jolting.

l More than being a convenient form factor, these wristbands could alsobring usage based payment capacity. If the wristband embeds a RFID chip, the customer can be authenticated when approaching to a specific attraction. After being authenticated, the customer is charged accordingto the time spent in the attraction: when he leaves, he taps his wrist-band on a reader, which takes the due amount. We even can imagine an automated checkout system when leaving the attraction.

l For the park, these wristbands offer also a precious communicationtools: detected thanks to beacon technology, organizers are able to send customized messages (if the wristband is connected to the smartphone’s customers) depending on customers’ location.


23

2.2.3. Invisible payment 2.0

All the payments processes described so far imply a human action: scanning an item, entering a store, tapping its wrist... Finally they only partially leverage on the IoT. Truly benefit from the IoT would imply a total automated payment process handle from A to Z by our connected devices. This concept raises a lot of speculation from the media sphere, which has recently become more than a concept, since Amazon’s roll out of the Dash Replenishment Service (DRS) in October. With DRS, automatized reorder of consumables is now possible with no more than 10 lines of code into the hardware. For instance, when ink is low or water filter is worn, reorder is sent to Amazon. The custo-mer is warned by text message and can eventually cancel the order. For now, a dozen of brands are compatible with DRS (Brother, GE, Samsung, Whirlpool…). Some interesting use cases emerge from this innovation.

Alogisticusecase:theautomatizedrefueling,a bartender dream which becomes true

l Automatized ordering and paymentprocesses might have interesting opportunities for a logistic use case. A bartender, for instance, has much to win by automatizing its refueling with his brewer and his distributor.

How could it work? Sensors located on barrels measure in real time the remai-ning beer volume. When volumes goes be-low a preset volume amount, an alert, which indicates what type of beer and what volumeis needed, is sent to the brewer by a hub device whose purpose is to collect the data from the different barrels.

l Once the brewer has sent the delivery, he confirms to the hub devicethat will initiate the payment in return. This system would allow a just in time stock management reducing the risk of waste or stock shortage.


24

3. TheIoTarrivalinpayment: multidimensionalchallenges foranearlystagemarket

The compelling opportunity the IoT is creating for payments raises numerous questions: market standards, security matters, legal issues and societal acceptance.

3.1. Technology issues: the absence of unilateral standards

The IoT fast shifting ecosystem is primarily characterized by the heterogeneous cohabitation of standards. At the end of the day, this context might daunt actors such as merchants or users to really believe in the IoT inputs in payment.

3.1.1. IoT platforms

Today’s projects for implementing IoT standards are flourishing, driven by communication consortiums. These consortiums gather IoT platform builders: AllSeen Alliance (Qualcomm, Microsoft, Panasonic, LG…), The Open Interconnect Consortium (IBM, Cisco, Intel, Samsung), and off course Google with its own protocol, called Weave. Companies who joined that kind of initiatives want to promote interoperability between their platforms. But still, multiple projects are appearing, which relativizes the likelihood of a global standard emergence. Thus, without an open collaboration between IoT giants, interoperability at a global level is threatened. Yet, IoT needs interoperability, at least for connected devices that are likely to exchange data, such as smart home solutions.

This opacity as to the future of IoT standards might discourage potential clients to implement it. Waiting for a standard that wins the race seems a wiser decision than investing today in a machine using a standard that could be irrelevant or limited aftermath. For the final user, benefit from the IoT goes through a convenient experience with a unique interface. Standards bring stability, a key word for market development.


25

3.1.2. IoT communication technologies

Uncertainty about dominant wireless system for the IoT is also slowing massive adoption of smart solutions.

The lucrative market of connected devices has brought several players to compete for a global technology standard for connected devices. In France, new players have appeared in the last few months, all using low frequency band commu-nication technology: next to the trailblazer Sigfox, LoRa, a consortium, gathers big industrials and Telecoms Operators (Bouygues Télécom, Orange) who joined the alliance in order to roll out this network on the French territory.

In the payment area, merchants in the United States remain hesitant about adopting contactless NFC technology. Multiple existing solutions (NFC, QR codes, Bluetooth…) do not encourage players in the US to make a move.

3.1.3. Authentication processes

As seen on Part II, several authentication processes currently exist. This trend is also true for payments. Most of the time 2FA is used. But neither the kind of factor (between knowledge, ownership or inherence) nor the concrete methods within these factors (what form factor, what kind of enrollment…) toconstitute this 2FA are based on a unique standard. Thus different combinations exist. It is especially true within the new field of biometric authentication. Numerous biometric solutions are tested as well as different authentication schemes (use of a data base, location of the personal data…) are experienced.

The spread of biometric solutions in payment will probably be related to the capacity of main actors to find an agreement around a common standard. Working on a certification scheme may constitute an answer.

Focus:Certifyingbiometricaltechnologiestosettlelargescalebiometricsdeployment

l In 2012, a heterogeneous group of players decided to create the BiometricsAlliance Initiative (BAI) to cater for non-governmental biometrical applications with recognized certifications. Gathering banks (Banque Accord…), labs, schools (Ensicaen…), and some major actors from the payment industry (Paycert, Monext, Wincor-Nixdorf…), . . .


26

. . .the BAI aims at building a certification process to test and grant biometricalcertification. Contrary to the governmental sphere, the private sphere lacks of certifications, which certainly plays a role in user’s distrust and hesitation towards biometrical applications. To change biometrics’ image, the BAI is working on different evaluation models (depending on final use), and certifications in case of successful evaluation. To build a relevant evaluation model, the BAI collects users’ needs and establishes recommendations for certification’s appliers.

3.2 Securityissues:uncertainties inanearlystagemarket

The introduction of new payment channels we have seen so far is raising some hot issues about security, especially since these devices are connected.This connectivity multiplies the potential security drawbacks. Moreover, a part of wearables or connected devices manufacturers has no experience in cybersecurity, which is worrisome. Serious efforts have to be done to bring these new paymentexperiences at the same security level we know with chip card face to face payments. A lead to follow would be to expand the adoption of secure elements for each device containing sensitive data. Some experts in this field, as UL, are working on a baseline of certifications to guide these manufacturers.

In the authentication process more particularly, biometrics has been raised as a suitable solution. But more than only relying on biometrics, payment players must get the big picture in order to build solid authentication processes. The last few months, several testimonies stated that some new biometrics solutions had serious security breaches. The potential consequence of a stolen fingerprint is more worrisome than a password thief since it is unreplaceable (unless you take another finger).

Behind the biometric sensor, the enrollment process has to be complex in orderto avoid intrusions in the system. It means making the authentication as dynamicas possible: repeat a one-time sentence, or blink an eye during the facial recognition (as MasterCard is testing it) for instance. In this context, the lack of standards previously seen aggravates security uncertainties. Therefore, succeeding in implementing standards and certification processes may be a way to reduce security issues.


27

3.3 Legalissues:potentiallegalhurdlesDespite the IoT’s huge opportunities, companies first have to keep

in mind that these opportunities, to be converted in concrete assets, require a prior reflection on specific issues, especially concerning legal framework and customer acceptance.

3.3.1. The act of purchase

A few years back, at the introduction of contactless payments, some legal matters have been raised. Since the NFC technology avoids the necessity of typing a code, some argued that the act of purchase became such effortless that no proof of willing payment could be established. But even in a contactless payment transaction, the customer has to bring his device close to NFC reader. In the case of potential innovative customer payment itinerary such as automated checkout, the willingness is even harder to establish since the payment is realized by the only action of leaving the store.

3.3.2. About biometrics

Legal landscape about biometrics use differs from one national legal framework to another.

In the EU, a reflection was launched in 2012 to reform the data protection rules of 1995. Still in discussion between the Commission, the Parliament and the Council, the reform aims at granting more rights for individuals to control their data, through a mandatory prior consent.

In France, the legislation closely regulates the use of biometrics. La Commission Nationale de l’Informatique et des Libertés (CNIL) is in charge to control each new biometric system requests and grant prior authorization to implement it. To earn this authorization, future implementers have to prove that the proposed biometrical respects proportionality between the loss of privacy and the potential benefits, necessity of implementation (for efficiently realizingthe action submitted to biometrical authentication) and data minimization (in terms of retention period and security).

Usually, the CNIL grants experimentation in a limited area during a defined period. Then, if the experimentation is a success, the user is enabled to roll out its solution. For now, only experimentations have been granted concerning


28

biometrics authentication methods in payment (Talk to Pay, Natural Security’s technology…). In payments, other players monitor the implementation of new payment processes, such as the payment networks. In France for instance, the Economic Interest Group (GIE) Cartes Bancaires delivers certifications for each level of the payment ecosystem from issuing to acceptance. Authentication is part of the scope of GIE CB, which has granted certification for a biometric solution using Natural Security standard a few months ago.

Focus:NaturalSecurity,analliancetopromoteanauthenticationstandard

l Natural Security gathers different players of the payment value chain (CB, Visa, Inge-nico, Elitt, BNP Paribas, Pay Cert…) whose main aim is to promote a standard based on a specific technology that insures safe and privacy friendly authen-tication for payments. The standard combines the use of a SE (located on a multiform factor personal device) that contains personal data, a biometrical reader for the merchant and a communication technology in order to establish communication between the two devices. This standard, which has received agreement for experimentation from the CNIL, has already found concrete application fields, notably in retail with Auchan.

3.4 Socialissues:customerunderstanding

3.4.1. Privacy concerns

More and more concerns due to the IoT tremendous development are coming from public opinion. The new connectivity of daily life devices raises some questions about respect of privacy. Where does the data collected from personal devices go? Are big tech players exchanging data for commercial purposes? Is the data I store on my wearable safe?

These concerns are particularly perceivable when it comes to payment: personal financial data is a very sensitive matter. Reassuring public view on privacy probably constitute one of the main stakes for companies willing to embrace the IoT.


29

3.4.2. Consumer maturity towards new technologies in payments

Given the current and future potential innovations in payments the IoT brings, the question of the maturity of the market should be posed. Are consumers ready to commit with new payment experiences? That is the underlying question Sam Shrauger, Senior Vice President of Digital Solutions at Visa, asked at the last R2 summit: “There’s a part of me that looks at what’s going on in the industry and thinks, ‘We are inventing so much new technology so quickly on a historical time scale, but human behavior hasn’t really changed that much in a million years.’”

The last few years, tech and payment industry companies have been focused on making the payment experience more and more convenient. Supported by IoT innovations, these players aimed at making the payment less and less visible. But they should find the good balance between innovation and customer’s approval. The latter remains the key for a successful innovative implementation.

Recently Uber stepped back by reintroducing a button to confirm the customer willingness to pay surge pricing during peak hours. Uber wanted to reach anew step in payment experience. Instead, by removing information, it haddisconnected customer from reality. Same issues are likely to emerge with automated payments (see third use case). ddChanging consumers’ habits requires education and good communication, what’s more in the payment domain.

About biometrics in payments, a 2013 study from the CNIL showed that Frenchconsumers felt uncomfortable using it. Only 27% of the respondents would accept biometrics in payments. It does not mean that biometrics is in a dead endin France. It means that it will take more time and efforts to be truly accepted.


30

ABOUT THE AUTHORS

Gwendal Boëdec

Gwendal is graduated from Sciences Po Rennes and the School of Economic Warfare (EGE). Currently business ana-lyst at Galitt, he is a digital innovations enthusiast.

Several collaborators from Galitt contri-buted to this document, bringing theirexperience in the field of payments:

Marc Adam (Consultant)

Armel Aubert (Senior Consultant)

Corinne Becker (Sales Manager)

Stéphane Dubois (Senior Consultant)

Jérémie Fave (Consultant)

Bruno Kovacs (Consulting Manager)

Jean-Michel Mamann (ExecutiveDirector)

Alexandre Martin (Senior Consultant)

Anne-Sophie Mouraud (Consultant)

Pierre Poughon (Senior Manager)

Diane Walch (Business Development Director).

ConclusionBetween daily enthusiastic speeches and figures always more impressive,

speculations around the IoT encourages adopting a cautious approach: what if the IoT was just a passing fad? Nonetheless, Galitt, with this White Paper, stresses that in the payment area, the inputs the IoT brings lead to very interesting use cases.

On the business side, new connected devices constitute huge opportunities, especially through wearables. This context brings new players that strengthen competition within the market. This more and more competitive market will probably lead players to fully exploit the IoT in order to launch new innovations, accelerating market changes.

On the customer side, significant progresses are expected in terms of convenience. From extension to new devices to simpler and safer authentication, the whole payment experience is changing. A remaining key issue to address is privacy, which lays on businesses capacity to reassure people.

It remains to be seen how deep these changes will transform the payment. Here multiple factors could intervene: legal landscape, regulation rules, state of the competition… and of course the customer approval.

Galitt17 route de la Reine - 92100 Boulogne - FranceTél. : +33 177 702 800Fax : +33 177 702 [email protected]

www.galitt.com

Gra

phi

c de

sign

: Je

an-C

harl

es D

art

-

j.c.d

art@

sfr.

fr

The Internet of Things - Galitt · Internet of things The IoT represents a combination of devices...

Documents

Transcript of The Internet of Things - Galitt · Internet of things The IoT represents a combination of devices...