Episode 227 – EMVCo: A Textbook Example of Collaboration with Oliver Manahan, EMVCo

Yvette Bohanan

November 29, 2023

POF Podcast

What if every time you went to pay for something at a store, the clerk behind the counter had a different terminal for each card network – one for Visa, another for American Express, and a few others for local domestic networks? That was what much of the world was like decades ago – and it still is a bit like that in some countries today. But in 1999, collaboration entered the picture when Europay, Visa, and Mastercard came together to create a common specification for Chip and PIN so that any chip-enabled card could be read from any chip reader anywhere in the world if both complied with a common EMV specification. That significantly impacted Chip and PIN adoption – for merchants and consumers.

Today, EMVCo supports seven EMV technologies. As a consumer, when you insert your card into a reader, “tap to pay,” or pay using Secure Remote Commerce, or as a merchant, accept payment through a mobile device or a QR code, support a tokenized card credential, or 3D Secure technology, you are benefiting from the work of EMVCo.

In this episode, we talk with Oliver Manahan, Director of Engagement and Operations at EMVCo, to understand how EMVCo fulfills its mission, catch up on its 2023 initiatives, and try to peek over the horizon to see what might be in store next for EMVCo.

Yvette Bohanan:

Welcome to Payments on Fire, a podcast from Glenbrook Partners about the payments industry, how it works, and trends in its evolution.

Hello, I’m Yvette Bohanan, a partner at Glenbrook and your host for Payments on Fire. To make progress as an industry, firms sometimes collaborate for the greater good, and there’s no better example of this than EMVCo. The origin of EMVCo goes back to 1999 when it was formed to develop, manage, maintain, and enhance the EMV chip specifications. Things have changed a lot since then. Today, EMVCo is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa. Stakeholders from across the payments industry participate as EMVCo associates and subscribers contributing their knowledge and expertise to the development of EMV specifications. Its mission is to facilitate the worldwide interoperability of secure payment transactions by developing and publishing the EMV specifications and the related testing processes. That sounds important and begs the question, how does EMVCo do this? Well, that’s what we’re about to find out in this episode, along with what are they up to these days, and maybe taking a peek over the horizon.

Joining me for this conversation is Russ Jones, a partner at Glenbrook who leads our education practice. Russ, welcome to another episode of Payments on Fire.

Russ Jones:

Always great to be on.

Yvette Bohanan:

Russ, we are going to be talking about a topic that we actually talk about a lot, but we’re actually talking with EMVCo today.

Russ Jones:

I know.

Yvette Bohanan:

Exciting.

Russ Jones:

We’re actually talking to the horse themselves.

Yvette Bohanan:

The horse themselves, straight from the horse’s mouth.

Russ Jones:

Straight from the horse’s mouth.

Yvette Bohanan:

So let’s introduce our guest, with apologies here for the analogy. Let’s introduce our guest. We are delighted to have Oliver Manahan, Director of Engagement and Operations with EMVCo joining us on this episode. Oliver, welcome to Payments On Fire.

Oliver Manahan:

Thank you so much and it’s a pleasure to be here. And even if I am, I guess, referred to now as the Horse on Fire.

Yvette Bohanan:

Well, we always like to start our podcast by asking our guests how they landed in the payments industry, and in your case specifically your journey and how did you arrive in this really interesting role with EMVCo?

Oliver Manahan:

Yeah, probably like most people in a somewhat non-direct fashion. So I started off my career, and in fact, have my school work in the computer science field, but more back in the 1980s when COBOL and things like that were the mainstay. And through my work with IT, I worked for companies such as Mercedes-Benz and Pepsi. And there was an individual I worked with at an organization who went to work for Visa Canada on an electronic purse application, Visa Cash. And he called me about six months later and said, “Hey, it’s 1996 and Visa is looking at doing credit and debit cards here in Canada on chip based payments.” So I went in for an interview and fortunately landed that job. Was quite honest that I knew absolutely nothing about smart cards or their application as it pertained to payment, which I guess was the right answer because I don’t think very many people back then knew.

So I spent 10 years at Visa Canada from 1996 to 2006 implementing Chip in Canada. And then I switched over actually to Mastercard Canada for another 10 years. The first four or so years of that was completing the Canadian migration. As we are going through the contact chip migration, contactless came into favor as well. So started that one. I was planning on doing something else, and then around 2010, liability shifts got announced in the US. And so for the next six years or so, I was on an airplane quite regularly and helping with the migration of chip cards and EMV payments in the US market. And at the end of that period, I went to an organization called Infineon, which is a semiconductor company. They actually do about 50% of the payment cards globally. So if you have a payment card, credit, debit with a chip in it, there’s a reasonable chance it’s got an Infineon chip.

They also do chips for automotive, things like that. And towards the mid-part of 2022, I actually was discussing with Brian Byrne, my predecessor in this role, the director of engagement and operations, that he was in fact planning to retire. And it sounded like a very interesting role. I’ve always been involved, at least for the last 27 years, in chip based payments and all of that that surrounds it. So given my experience with both Visa, then MasterCard, and then in the vendor space with a semiconductor manufacturer, it seemed like a fairly natural fit. So about 10 months into the role now, and I haven’t been disappointed. Every day’s been quite interesting, exciting, and always something new.

Yvette Bohanan:

When I think of EMVCo, which we’ll dive in a little bit to what the organization is exactly in a moment here, your title is not a title that would jump to the front of my mind. Well engagement maybe, but engagement and operations. So what do you do in this role that you’ve been in for 10 months?

Oliver Manahan:

It really does, I tell people that it really spans sort of two very opposite sides of the fence. One of which the engagement part, which I’ve been fortunate to do throughout my career, at least the last 20 plus years, which is going to conferences and speaking about what EMVCo does, talking to many of our members and understanding what’s important to them. So the softer side.

And then the operational side is ensuring that we’re maintaining our financial status, that we’re staying in the black, that we have the right tools in terms of our collaboration platforms, the website, the association management system that we use, things like that. So it’s really very different roles, but part of what I find interesting is that I’m not pigeonholed into ‘this is all you’re doing is engagement’ or ‘this is all you’re doing is the finance and operational side of things.’ I get to do a bit of both, which keeps me on my toes.

Yvette Bohanan:

And it sounds like you’re perfectly suited for that too, which is wonderful. Wonderful.

Oliver Manahan:

Yeah, hopefully. My IT background is now coming to haunt me with some of the platform upgrades we’re going through.

Yvette Bohanan:

So before we jump into all of the technical stuff and what’s going on there, we have a lot of listeners who are either new to payments, who tune into this podcast, or maybe they’ve been in payments, but they’re kind of new to cards and that whole part of the industry, if you will.

So can we start with a little history? Can you share the origin story or the backstory of EMVCo and what happened with Chip and PIN and how did all that collaboration that’s been going on now and advancing, how did it begin?

Oliver Manahan:

Yeah, absolutely. And I guess one of the benefits of age and history is that I was around back then when some of it happened. And as you can imagine, a lot of standards and specifications are based on ISO. And in this case, EMV Contact Chip is actually based on an ISO specification. And in early projects, particularly in Europe and notably, I think France went first with a domestic project and then the UK followed shortly thereafter, there were two separate implementations based on these ISO specifications. The one in France, these are both great marketing terms. The one in France was called B0Prime, the one in the UK was called UCAS. And they worked in their own geographies, but they actually weren’t interoperable. So if you go back to what’s great about a payment card historically, like over the last 50 years, is that you can take your card and hopefully travel anywhere in the world and have that seamless experience of making a payment for goods, services, et cetera, and that card will work.

And conversely, whether you’re a merchant in the US, Canada, Europe, Asia, et cetera, you’ve got consumers coming and they can use their card, and it works. So we were at a point in time in the 90s where we had this new, more secure technology, which is great, but it wasn’t necessarily globally interoperable, which was a core tenet of the payment systems that ultimately got together and said, it’s important that we come up with a standard and a specification that in fact maintains that global interoperability and becomes more secure at the same time.

So that was the formation, and the publication of the first EMV chip specifications was in 1996, and then in 1999, EMVCo was formed to manage, maintain, and enhance the EMV chip specifications.

Russ Jones:

And you guys drew on the same marketing skillset to name the organization EMVCo, right?

Oliver Manahan:

Well, there was some logic there. The E was Europay, the M was MasterCard, and the V was Visa. Of course, in around 2002, I believe, Europay and Mastercard merged. And then in the meanwhile, American Express, Discover, JCB and UnionPay joined the organization as well. But by that point, and I think as you’re aware, since you’ve had podcasts in the past from EMVCo, trying to use those six organizations and come up with a new acronym when EMV and EMVCo was fairly well known in the payments industry didn’t seem like the greatest of ideas. So we now have EMV and EMVCo.

Yvette Bohanan:

And the founders have a little street cred there.

Oliver Manahan:

Exactly.

Yvette Bohanan:

Which is always nice. It’s a nice nod, a tip of the hat. So now sitting here today, you have seven EMV technologies, right? So we have contact chip, contactless chip, EMV mobile, payment tokenization, QR codes, Secure Remote Commerce or SRC as some people refer to it, and 3D Secure. And you create specifications for all of those as part of the charter, if you will, of EMVCo and you’re in this engagement piece of your role.

So when you’re out there speaking with people, what’s the value proposition today for industry stakeholders to adopt EMV standards versus doing something on their own? You mentioned global interoperability, is it that or is it others?

Oliver Manahan:

It’s definitely that. I mean, I think it’s a couple other things as well. So we always strive within the EMV specifications to provide a technical baseline that then enables any party to develop and deploy products and solutions that support the delivery of safe, reliable payments. So it’s really like a toolbox.

And so, if in Canada, where I domicile, the domestic debit network needs to do something specific to the Canadian market and regulations, they can use that toolbox, similarly in the US market, et cetera. But each of those can do their own implementations. But so long as they’re using the baseline specifications, we do ensure global interoperability and global compatibility. So using EMV technologies, organizations can develop payment products that will work everywhere. And there’s also consistency. So organizations can develop payment products that will deliver consistent payment experiences. So people always know to insert your card or to tap your card, or if you see an icon for click to pay, for secure remote commerce, you know that you’ll have a consistent experience. And an underlying goal for us is always security. So when you implement EMV technologies, the organizations can develop payment products that enhance transactional security.

Yvette Bohanan:

How do you interact with… Is it always drawn from the ISO standards and you find out what ISO is doing, the International Standards Organization, and then you move from there? Or are you going to the ISO committee and saying, “Hey, this is going on in the payments industry, we need to work together here.” How does that bridge work between the two groups?

Oliver Manahan:

It varies. I mean, in certain instances, like I mentioned contact chip, and for whatever reason, some of these numbers are just stuck in my mind. But the contact chip specification was based on ISO 7816, contactless was 14443, and even more recently, there’s electric vehicle open payment charging standards that are based on ISO. But then there are other things like the contactless kernel that we did, really have no interplay or association with an ISO specification.

And I would say the same is true with our wallet product, secure remote commerce. There’s really no basis of an ISO specification there. It was in fact something that was developed by payment networks sometimes individually and then ultimately come to a conclusion that we can’t have a number of different specifications that are all trying to achieve the same goal but are built uniquely by payment systems. So then there tends to be a contribution of that property into EMVCo by various members or multiple members that then end up coalescing on a standard and specification that is globally interoperable. So it’s a two-part answer. Sometimes yes and sometimes not.

Yvette Bohanan:

Well, there were 25 different kernels for contactless that you had to pull together, right?

Oliver Manahan:

Yeah, exactly. And that was quite an interesting piece of work and actually one that came together quite quickly in terms of how long standards and specifications usually take. It was within a year of the interaction that we had. And a lot of what we do, and my role is the engagement portion, is understanding what the market’s looking for. And in this case, we had a lot of feedback from the market, merchants, acquirers, processors, that it was getting, to a degree, difficult to maintain all of these separate and bespoke kernels for various payment systems.

Not only would you have the ones at the global payment level, but you may in fact have ones for regional markets as well. As is the case I know here in Canada, there’s one specific for Interac, the domestic debit payment network. And so the merchant call and the processor call was, hey, EMVCo, can you actually get us to a point where there is one specific EMV kernel the way you have for contact, and therefore we can then over time hopefully migrate to that one versus… I’m not sure if anybody has all 25 on their point of sale terminal, but they definitely have more than one in most instances.

And so, the goal there was to make the lives easier for constituents out there that wouldn’t have to go through and certify and approve a multitude of contactless kernels end state where there would hopefully be just one.

Russ Jones:

And Oliver, I’m sort of intrigued. I am glad that Yvette was poking at the relationship between ISO and EMVCo. I’m always sort of noting to myself when EMVCo does things that are specific for the card system, like you’re talking about secure remote commerce, as a good example of that, very card-centric, but you also do work that’s picked up by other payment systems that don’t have anything to do with cards.

So I’m fascinated by the uptake of your QR code work in non-card systems. And I’m wondering if you guys follow that, encourage that, and if you ever feed anything back to ISO.

Oliver Manahan:

Well, we have in some instances liaison agreements with ISO. And in one example, the EV charging is one. So the EV charging, the ISO specification, which the number is eluding me, I remember all the older ones, they have done a really good job of specifying the electrical delivery to the car from the charge point. What can happen if the electricity arcs and things like that. What hasn’t happened is any sort of specification related to how to make sure that the car and the charge point can exchange information specific to a secure payment.

So we’re in very early days, literally I think September, that task force within EMVCo was formed. And whether we feed information back to ISO or we develop our own subset specification or how that will look, I’m not sure, but we certainly have these liaison agreements, whether it’s with ISO specific to this specification that they have around EV open payments or whether it’s NFC Forum or FIDO or W3C. We have a multitude of liaison agreements because we certainly can’t and don’t operate in a vacuum when it comes to all the things related to payments because we will define the portion of payments where it’s relevant for our stakeholders, but FIDO does Fast Identity Online in terms of passwordless, things like that that certainly come into play with our secure remote commerce, and we have to make sure we’re as aligned as possible with what they’re doing to make sure that what they’re doing works well with what we’re doing and vice versa.

Yvette Bohanan:

It’s very complicated. I was going to ask you how W3C fits into all of this too. It’s interesting because we’re glossing over a point that you brought up earlier in your comments, that if you don’t have a technical background and if your technical background wasn’t in trying to implement a standard, you may not appreciate the fact that the biggest problem with the word standard is the S that often falls to the end of the word that, there’s always standards of implementation.

Oliver Manahan:

Yes.

Yvette Bohanan:

And so you were saying that some terminals have multiple versions, if you will, of things that have to be maintained, including the EMVCo version that’s typically there, right?

Once you have a specification in place, how do you certify that someone has done this properly for EMVCo? What is the testing certification piece of it? Because the other thing I don’t think people realize is, and you have this chip background, that’s really interesting, how much testing actually and standards go on in just the construction of the chip and how much a manufacturer has to go through to certify that their chip can go on a card. There’s a lot to this stuff and now you’re going into charging stations and self-driving cars in the world of all of this. So how do you ensure it’s done properly and all of these different environments? I mean we’re way beyond just a standard, old-fashioned, if you will, terminal, right?

Oliver Manahan:

Yeah, absolutely. And I was going to answer your question, but you already answered it in the two words I was going to use, which is a lot.

That’s the amount of testing that has to take place. But to peel that onion back a little bit more, we do, in some instances, some of the testing ourselves, but what we tend to do is we will write the test scripts based on the specifications and then we accredit various test laboratories around the world because it would be a very, very difficult job to try to be a singular entity that did all of the testing for secure payments globally. So what we’ve done is we accredit labs in various parts of the world for them to be able to run the tests, whether it’s on a contactless read range or how 3D Secure works or the QR code works, and they will then generate test reports from that, and the test reports tend then to come back to EMVCo specialists, perhaps the chair of the working group as an example, and ultimately, a letter of approval will be issued from EMVCo based on the passing of all the various test cases that are out there for a particular specification.

Yvette Bohanan:

And do they have to recertify periodically, the specs, update and change?

Oliver Manahan:

Yeah, absolutely. And beyond what EMVCo tests for, the payment systems tend to have their own functional tests as well. So yeah, whenever a new product, whether it’s a chip that goes into a card, gets released, then it has to go through the entire test suite. If there’s an upgrade, as an example, of the 3D Secure specification and there are new test cases, then the solution providers for 3D Secure will have to, if they’re going to use those new specifications, the most recent version, then they will, of course, have to take their solutions and run them through the test suite as well for those.

Yvette Bohanan:

How long do you have to stay backwards compatible? Because talking about an enormous global ecosystem here. I mean it is-

Oliver Manahan:

Indeed.

Yvette Bohanan:

It’s a lot of stakeholders, but now you have seven specs, and counting probably, and morphing or advancing. How long do you have to stay backward compatible to let everyone catch up? What’s the normal, before you sunset and say, this is done, we’re not supporting this anymore, this version or whatever?

Oliver Manahan:

Yeah, interestingly, I mean we may, and there are instances where we will say, as an example with 3D Secure, that we’re moving to a new and we won’t be testing something that was done a few years ago. But otherwise, any sort of market implementation type of work and the timelines around that would fall to a payment system who would say, hey, we’ve got our branded card out into the market and for a certain amount of time it will support a certain level of technology, but we will then put out a policy, and again, this, EMVCo does not do policy. This will be the payment system to say as of some future date, be it 2030 or what have you, our payment system will no longer support this functionality.

So from a standards and specs perspective, we tend to just keep moving forward and we’ll have those same specifications, the most recent versions, which is what we test against, but we don’t say things are typically pulled out of market. That would fall to the payment system.

Yvette Bohanan:

The complexity of the ecosystem of payments, the number of specs, all create challenges. I am trying to think of the right word, complications, challenges, opportunities. We want to be really positive about it and how you’re working through things, but what other sort of constraints or headwinds do you face in doing this work?

Oliver Manahan:

I would say there’s probably a couple of things in this regard. We always want the need to evolve the specifications. I would say that payments technology, as it continues to advance and innovation in payments is of course critical, then we need to evolve accordingly and time becomes the biggest factor.

I mean, the world and payments in general, the change is accelerating, but to get a good specification out there requires the right amount of attention to detail. Making sure that all of the input that we get from a multitude of stakeholders is incorporated, that as best as possible we get it right the first time. And so can’t just, ‘Hey, we want a new specification in two weeks’ is something that is not typically feasible. And particularly, after you get the specification out, if you’re going to do a testing regime around that, that takes some time as well. And then getting the labs accredited, et cetera, to do those tests. So I would say the biggest headwind is trying to keep pace and doing things as quickly as possible while still ensuring the quality and ensuring that we’re doing it right.

Yvette Bohanan:

The contactless kernel you said came together pretty quickly in about a year, but what is the typical timeframe from sort of, ‘Hey, we need a spec’ to ‘Here’s the first spec out in the wild.’

Russ Jones:

From a crazy idea to a job well done.

Oliver Manahan:

I think probably one of the benefits of what we do is it doesn’t, hopefully doesn’t too often tend to be a crazy idea. Because of the payment systems that constitute EMVCo, we tend to work on things, and I’ll use another example like biometric payment cards. They have been in market for a number of years now, typically in pilot projects and things like that, but it seems now where there is potentially an inflection point where could go beyond pilots and perhaps into some larger rollouts and things like that. And so there’s already been experience with getting pilot projects up to speed and things like that. So we’re not taking usually from a blank sheet of paper to a fully done spec and testing in isolation. We tend to already have experience from the payment systems in working on pilot projects where we know that we’ve got a reasonable start at a specification, which is the contactless kernel, why it went fairly quickly. There was already some development in that regard.

And what needed to happen at that point was the industry engagement, the collaboration, the understanding with the six payment systems that comprise EMVCo to get it to a point that everybody agreed, yes, this is the right way. We want to have the specification and standard out there, and this is the way we’re going to test it. And that tends, we think that’ll be the same way in biometrics, biometric cards. So we don’t have a set answer, it’s X years, whether it’s one year or less is relatively quickly. Perhaps on the early days of EMV, the specification got released in 1996 and EMVCo was formed in 1999. That one I would guess was in the two to three year range, but that was also the very early days of EMV and we were working relatively in a new space back then.

Yvette Bohanan:

And all these pilot programs, you’re making me remember, there were a lot of pilots around contactless, I think it was, and with transit systems and things like that, trying to figure out, will this stuff work? Will it work underground? Will it work in this environment? That takes a lot of coordination because you have to have a lot of stakeholders engaged just to do the pilot, just to do a limited test for so many months to figure it out, right?

Oliver Manahan:

Yeah, absolutely. And there were, I think in my memory anyway, there’s at least three different types of contactless in very early days. One which was North American based and based on magnetic stripe data, and one in Europe that was based purely on chip data, and then one in Asia Pacific that was a little bit of a hybrid between the two.

But it’s certainly one of those areas. And you touched on it, transit and things like that, where we really draw on the associates that we have. And we’ve got about eighty-five of them that span the payment ecosystem, and they provide invaluable information to us when we have multiple meetings per year with them where they’re providing both strategic direction and technical input into what we’re working on. So it’s not payment systems by any means working in isolation, but quite the opposite. We try to engage as much as possible with the broader payments ecosystem. So the associates play a vital role in that regard.

Yvette Bohanan:

When we think about EMVCo and some of these foundation specifications that we’re talking about, a lot of that focus, as you mentioned, is on security and privacy. It’s a big value proposition of implementing the EMVCo spec and the chip is a bedrock framework. And one of the recent updates to that was the elliptical curve cryptography or ECC portion of the spec. Can you discuss why that was really important as an addition to the EMV chip spec itself?

Oliver Manahan:

Yeah, absolutely. And you actually provided a nice segue with the mention of transit in the prior question on this one, because elliptic curve cryptography is a version or an algorithm of what’s known as asymmetric cryptography. So there’s a public and a private key. And historically, EMV specifications have been based on asymmetric cryptography called RSA, and I think it’s three gentlemen, Rivest, Shamir and Adleman, if my memory serves correctly, that originally did those specifications. What’s happened over time is that the key length for that algorithm has grown, and it’s now over 2,000 bits for the key of that. And apologies if I get a little bit technical, but what this means in the real world is to actually do the cryptographic calculation within the chip. Once you get beyond a certain key length, the transaction time frankly just starts taking a little bit longer, and that fraction of a second becomes a half a second, becomes closer to a second, which, if you’re just buying something at a restaurant or jewelry, that’s not a big deal.

But if you’re in a turnstile going through the MTA in New York or TFL in London, those transactions need to be extremely quick, usually faster than a third of a second. So if you’re getting key lengths that are now making those transaction times longer, you have to look for what’s the next algorithm that we can use that will either be faster or can use a smaller key length, but have the same amount of security. And that’s where ECC or elliptic curve cryptography came in, is that you can achieve the same level of security, but with a smaller key length and therefore keep the transaction time very quick, in which case you can open and close that turnstile and mass transit in situations like that where speed is still important. So yeah, an interesting and fairly significant piece of work that delves very quickly into the technical, but it does have a very real world impact.

Yvette Bohanan:

We’re always talking in education in our workshops about fintechs and innovation in the payments industry in general by everybody, not just the fintechs. And I think this is a great example of how a foundation technology, almost a general purpose technology is being used to improve security in the payments industry. Presumably ECC can be used for a lot of things, right?

Oliver Manahan:

Yes, absolutely. And is, I’m pretty sure, in other markets as well.

Yvette Bohanan:

Right. But here we are figuring out how to keep things secure in payments with it, which is pretty cool.

Oliver Manahan:

Absolutely.

Yvette Bohanan:

3D Secure is another thing I wanted to just touch on a little bit with you in this episode. And we talked about sunsetting earlier. 3DS version 2.1 is sunsetting and new features, new capabilities are coming in with 2.3.

And when we were preparing for today’s recording, you mentioned some really interesting examples of the evolution of 3D Secure, things like smart speakers for authentication. If you think about Alexa or all these different smart home technologies that are used out there, and some of the work you’re doing with different companies like Sony and Microsoft on using 3DS authentication for in-game payments that might have implication to the Metaverse and things that are really more old school. Some of the work that you’re doing with the International Airline Transportation Association, which happened to be, I think, the first issuer of a card, if I’m not mistaken, I heard that piece of trivia from somewhere at one point, and the work you’re doing with them to handle some issues with fraud in airline sales. So how is this arc of evolution of 3DS maturing for you? And as we talk about new, new stuff like the Metaverse and the internet of things and all the stuff that’s happening, where do you see it going?

Oliver Manahan:

It’ll probably go to places that frankly I haven’t thought of yet. If I did, I’d probably make some investments in the stock market and make some money, help my portfolio grow, but-

Yvette Bohanan:

It’ll be our next podcast series, prognostications and payments.

Oliver Manahan:

Yeah, I’m not sure anybody will want to hear my prognostications on that.

Russ Jones:

I’ll give you a tip right now. You should put some money in elliptical curve cryptography code.

Yvette Bohanan:

Yeah, ECCCo. Were you on that naming committee for that Prime B…

Oliver Manahan:

I was not. I’m not even sure what b-zero was, but they made a prime version of it.

Yvette Bohanan:

I know, I love that. I love that. It is so nerdy math, it’s wonderful.

Oliver Manahan:

Do we need a disclaimer at this point? This podcast is not meant to provide investment advice or something like that?

Yvette Bohanan:

Yeah, exactly.

Russ Jones:

Nor marketing advice.

Yvette Bohanan:

Exactly. Precisely. Definitely not that.

Oliver Manahan:

But yeah, getting back to 3D Secure, it really has evolved over time to provide more implementation flexibility for a broader range of use cases. So in addition to the expanded support for recurring payment authentication, which was kind of the initial use case, it also provides added support for various operating system and platform providers and a split software development kit specification now, in fact, with multiple variants that make it easier to implement EMV 3DS across both traditional and non-traditional e-commerce payment channels and devices, some of which you mentioned, smart speakers, other IoT devices. And I think the Metaverse and the work we did with Sony and Microsoft, sadly it predated my time. I would’ve loved to have been playing on a gaming console, testing out some of this stuff, but I’m of the age where I don’t play this stuff as much. Luckily I’ve got a couple of kids that keep me somewhat in this realm of first-time player games and things like that.

And the simple use case I think of, is you’re playing a role-playing game and a dragon’s attacking you, and you need to buy a sword to fend off the dragon. Now, in prior versions, that may have in fact caused a one-time passcode to be sent to your phone, the game needs to be interrupted, you enter into one-time passcode, and then you buy your sword. Unfortunately, that type of interaction doesn’t really work well in these fast-paced games. And in fact, the dragon may in fact have gotten the better of you by the time you complete that sword purchase, unless it’s like the dragon in Shrek or Game of Thrones where it’s actually a friendly dragon-

Yvette Bohanan:

A friendly dragon.

Oliver Manahan:

But let’s assume it’s not a friendly dragon and it got the better of you. So there’s various data that is held within a gaming console, that this is what Sony and Microsoft fed to us, whether it’s the actual controller, the gaming unit itself, there are specific pieces of data that can go along with the credential. It’s on file, a payment card credential.

So that when the issuer gets this information in, they say, hey, this was actually Oliver, more likely one of his kids playing the game. We know that he’s already done purchases or she’s already done purchases from this gaming console, from this handset controller that they’ve got, and therefore you’re getting numerous pieces of additional data that helps that issuer and risk scoring. So they don’t have to do a step-up authentication and send you an out-of-band one-time passcode. They can in fact say, yeah, we know it’s Oliver’s kid’s Xbox or PlayStation and approve the transaction right away. The transaction may only be for $5, but if it’s from a console that was never used before and some other things geographically perhaps looked different about the transaction, there may in fact be a decline. So those sorts of things, kind of the cool, new world.

But absolutely like IATA, the International Airline Transportation Association, you mentioned very similarly, they have specific data within their world. And we worked with Amadeus extensively and other key travel industry experts to provide their input. And there was particularly, whether it’s a ticket number, other things within your profile that could say, yes, this is an airline transaction coming in, we’ve got a bunch of extra data. Because typically, the authorization data that would come in is it’s your card number, it’s got the various cryptogram coming in from your card, but if it’s a remote transaction done online or something like that, you may not have as many pieces of information. So 3D Secure was really all around taking more data and taking it in specific verticals. So I think 3D Secure spec now at 2.3 has in around 150 new data elements that can be used for the merchant to pass to the issuer, for the issuer to make a more informed risk scoring decision.

And of course, 150 is, I don’t think anybody would use that in any one transaction, but there may be a handful, a half dozen, a dozen that get used by IATA, similarly for a smart speaker, similarly for a gaming controller, et cetera. So the more worthwhile data you can put into an authorization stream, the better risk decision you can make. And that’s what 3D Secure is ultimately all about is, A, reducing fraud, and B, making the consumer be able to have a more seamless and secure payment transaction. Because as a consumer, none of us frankly, like to do a transaction that we know is legitimate, but it gets rejected or declined because there wasn’t enough information for the issuer to make a good informed risk decision.

Yvette Bohanan:

I don’t play a lot of games either, Russ, you’re on your console all day long, so this is very relevant to your world. But what I do do is a lot of shopping, it’s a lot of online shopping. And the other thing that’s come out is the secure remote commerce spec, right?

Oliver Manahan:

Yep.

Yvette Bohanan:

The whole evolution there. And obviously, secure’s in the name, in the brand, in the branding of it. But it’s not just about security, it’s also about speeding things up and frictionless checkout, what you’re alluding to here with 3D Secure. How did the evolution of SRC happen in all of this and how are people deploying it successfully right now?

Oliver Manahan:

Yeah, it’s a good question. I’m actually heartened to see every once in a while, I’ll go online here in Canada and I’ll see the click to pay icon, which is the-

Yvette Bohanan:

The consumer facing brand.

Oliver Manahan:

The consumer-facing brand, exactly. And it’s like, Hey, secure remote commerce is great. I’ve actually enrolled a couple of my cards in the wallet and I know it’s going to work and I know it’s going to be secure. So it’s nice to see that it’s actually being implemented and done well by many of our constituents. And so yeah, EMVCo published version 1.3 of the SRC specs to support a more flexible online checkout option for merchants and consumers. So over time, again, we get feedback, and one of our key partners is the Merchant Advisory Group, or the MAG, and they said they’d love to have a merchant orchestrated checkout model where the payment experience and interaction are actually developed by the merchant or their payment service provider, which then enables the merchant to integrate the user experience and manage customer recognition. Because obviously, big merchants already have a lot of sophistication in this, so they didn’t want some third party coming along saying, “Hey, we’ve got a wallet and it’s secure, but it’s going to disrupt what you’ve already done.”

So we took a lot of that feedback and tried to make that work for those constituency groups. And obviously, it’s a significant technical achievement, which enables the merchants to deliver the seamless payment experience and again, supports global, regional and domestic payment systems through the integration of a single solution. And I think one of the most important things that we’ve done in this year, particularly the year that I’ve been on board here with EMV, is the consumer experience guidelines. And so, even though we’ve got the merchant orchestrated checkout model, we went through a lot of time and effort to understand the flow, and you’d be surprised, or maybe you wouldn’t be surprised, maybe I’m surprised because I don’t do the bulk of the shopping in my house, but there are so many different paths that a checkout can potentially take. And what we wanted to do is publish guidelines.

So what we typically do, the technical specifications, this is a bit of a deviation for us to do consumer experience guidelines, but what we wanted to do is, even if it’s an experienced merchant that knows exactly what they’re doing, we wanted to say, listen, here are the guidelines that we’ve gone through and taken a year and engaged with you and engaged with small merchants, mid-sized merchants all along the gambit to understand how the flows can work best and what our recommendations are in terms of this. So there won’t be testing and approval around this because it purely is guidelines, but we’ve taken a great deal of time and it’s actually going through public review right now for the public to provide input on, ‘Hey, EMVCo, you guys got this right,’ or ‘Did you consider tweaking this or tweaking that?’ So aside from going through the associates, which I mentioned earlier and getting all of that input, we ultimately will take all of our work product and put it through a public review period as well.

Yvette Bohanan:

Well, that’s cool. What other things, I mean, I guess to wrap up here before we thank you, because we’re coming up on time, unfortunately. I could talk to you for about another three hours. What should people be on the lookout for? I know, I’ve heard there’s maybe a white paper coming out on wireless. If people want to get involved, how do they get involved? Where do they go to read all this stuff to maybe see if they qualify to participate more actively in the organization as an associate or whatever, and just to keep up and provide commentary as an industry member, how do they engage and what should they be on the lookout for?

Oliver Manahan:

Yeah, I guess first and foremost, as with so many organizations, we in fact have a website, and luckily it’s emvco.com, so pretty easy to find, and you can literally, anybody can download our specifications royalty free and have a look at them. We have educational materials on there as well, whether podcasts, white papers you just mentioned. We will in fact be releasing a wireless white paper hopefully in the next few weeks, if not couple months. Also ways to engage are on there. So we’ll list out all of the associates that participate in EMVCo now. There’s also another level called subscriber. It’s not as direct input as what the associates get, but there is a yearly meeting with subscribers called our user meeting where we engage with an even wider stakeholder group. And of course, there is the ability, as I noted, for the public to provide review in our specification development process.

So yeah, a couple of the new things that are coming up are tap to mobile. So probably a lot of people have seen recently the ability for payments to be made on a smartphone, whether Android, Samsung, Apple. There are both consumer-level devices and commercial-level devices that can now not only make payments, as probably a lot of us, at least listening to this podcast, are aware that you can pay with your phone, pay with your watch. Merchants are now more and more accepting payments on mobile devices, and we’re doing some specifications around there because, particularly the consumer devices were not in their first instance meant to be payment acceptance devices. They’re meant to text and surf the web and make phone calls and do things like that, but they do have-

Yvette Bohanan:

Wait, wait. Make phone calls? I don’t do that on my phone anymore.

Oliver Manahan:

No, I don’t either, but my mother told me that she still does.

Yvette Bohanan:

Oh, okay.

Oliver Manahan:

Yeah, I’m going by that data point. But yeah, it’s true. Sometimes that’s the last use case people think of with a smartphone, is the actual phone call. But yeah, I mean because it’s got an NFC controller in it that can make a payment, it can equally accept a payment. But we are finding all sorts of interesting, where to tap, how close you need to actually tap. Do you have to actually touch card or touch phone to the other person’s phone? So we’re trying to make some requirements around that so that it may in fact be that we’ll have a reduced range of one centimeter or two centimeters so that we can let people know that there’s at least consistency in the handset market. And what we hope to do is ultimately take that one centimeter and say that’s no longer the lowest read range, two centimeters is now the lowest read range, and we want to get up to four centimeters, which is really the EMVCo standard for the more traditional point of sale device.

And I think we mentioned earlier on biometric cards, that’s something that we’re getting into now in terms of looking at doing a standard and specification around how those cards will work. There’s certain terms like false acceptance rates, false rejection rates, things like that where your biometric isn’t captured properly and to what the metrics are around that. And again, we have some pilot project work that’s already been done in that area and we have in two weeks’ time our first special interest meeting or dedicated technical meeting on biometric cards where most of the biometric card ecosystem will be taking part in that so we get their firsthand input. So yeah, never a dull moment. Lots of exciting things. And of course, EV Open Payments is another one that we touched on earlier that we’ve just started off with as well.

So EV Open charging, the problem statement is pretty easy there. You go to a charge point, and again, I’m in Canada, I’ve got 10 different mobile apps from charge point operators, most of which require me to download their app and then preload funds onto a store value card before I can start a charge. And that’s just not a particularly good consumer experience when you’re used to going to a petrol station and tapping your card or tapping your phone or inserting your card and tanking up with gas, that’s pretty straightforward. People understand it. You go to charge an EV and you’ve got a plethora of different ways that the payment can actually happen. What we’d like to see happen is you plug your car in and within that plug you’ve actually got a communication channel built in.

So what we want to do is take that communication channel and take the EMV type of security within payment and have the car and the charge point communicate with one another and take that same level of cryptographic data and have the payment lists where you may just, in fact, on your infotainment unit within the car press, “yes, I’m okay with this payment” and that’s the end of it, as opposed to downloading the app and doing all those other things that seem to be the requirement these days.

Yvette Bohanan:

Well, you’re really getting into, from streamlining the checkout process and mobile and online and in app, to cars, planes, trains, and automobiles. We always say it’s an exciting time to be in payments and I think everything you have shared here not only sheds light on some of the inner workings of the industry that people don’t really think about on a day-to-day basis, even when you’re in the industry and how dynamic it is.

Oliver Manahan:

Yep. I tell people every day it gets more interesting in payments, and I think every day that still holds true.

Yvette Bohanan:

Yep, absolutely. Oliver, thank you so much for joining us for this episode. Clearly, you’re a very busy person these days, so we really appreciate you taking the time. And Russ, as always, lovely to have you joining me.

Oliver Manahan:

It was interesting for sure.

Yvette Bohanan:

Yeah, it really is. It’s a fascinating world out there.

Oliver Manahan:

Yeah, absolute pleasure on my side and thank you both so much for having me.

Yvette Bohanan:

So Russ, that was a fun interview with Oliver. We covered so much ground.

Russ Jones:

We did. We did. I, as well as you, I’ve been in the payments industry a long time, 25 plus years, and I’m learning things in this Payments On Fire episode that I didn’t know.

Yvette Bohanan:

What didn’t you know that you learned? One thing.

Russ Jones:

I didn’t really understand the interaction between ISO and EMVCo. I really didn’t appreciate the degree that some of their specifications are drawn on ISO specifications. That was surprising to me. Yeah, that was interesting.

And the other thing that struck me is, Oliver, he was great. He could speak articulately about all the things they’re doing and the process and why it’s hard, basically. I’m not sure he appreciates how important and impactful what they do really is. The reason I say that is we talk in our workshops about the card system, and he’s clearly working at the level where he’s thinking about payment systems, networks as payment systems, which is a fine way to think about the payments industry.

But the point we always make in our workshops is you can talk about the card system as the card system, even though there’s 90 plus card networks in the world, you can talk about the card system holistically because there’s a common thread that runs through all those systems, all those networks, in that they all use the same technical standards. And in that sense, it’s an amazing system. And the reason they have the same technical standards is because of EMVCo. EMVCo is really the glue that turns a bunch of card networks into the card system holistically. And it is what makes me and you able to just use our cards anywhere in the world, to pay for anything anywhere we are. As we like to say, “Pay for lunch in Singapore.” It’s really because of EMVCo that we can do that.

Yvette Bohanan:

And the other thing that I was reminded of when he was chatting with us is that it’s new, ’96 is not that long ago. I mean it’s long ago, but it’s not that long ago in the history of, say, cards, as the card system, which goes back to the 1950s. And so for 40-ish years, give or take, there wasn’t that common thread and everything was different and people had different terminals for everything behind the merchant’s lane when you were checking out.

Russ Jones:

Yeah, people don’t give the card system enough credit for global interoperability. And EMVCo is behind that, but it didn’t have to turn out the way it did.

Yvette Bohanan:

That’s true.

Russ Jones:

If you think about one of our favorite topics, electricity.

Yvette Bohanan:

Wait, where’s the episode of, we just can’t stop talking about electricity?

Russ Jones:

About electricity. It’s had a big impact on my life, but think about the different electrical plug standards around the world and how hard it is to take a device and go country to country to country without having a universal adapter and all that type of stuff. And it’s-

Yvette Bohanan:

Right. And then you still can’t use your hairdryer. I know you don’t have this problem, but you still can’t use your hairdryer, even if you have an adapter because it’s going to blow up because it’s set at the same voltage or whatever.

Russ Jones:

Right. So it’s so common to find different technical standards in different markets around the world. And the card systems should really, the participants in there should pat themselves on the back that there is huge global interoperability in the world of cards.

Yvette Bohanan:

Well in this collaboration notion to get to interoperability, you can get to interoperability a lot of ways. You can have your third party bridging things for you and doing translations. There’s a lot of models of interoperability. We should probably do a podcast on that, but this is an elegant level of interoperability because there has been this collaboration, and you’re bringing up a great point. I think that’s really true. I think the other thing that’s funny, and he added some interesting commentary about piloting that ties into this, 25 or 20 whatever it was, contactless kernels flying around for a while. I get that you have to pilot it, and I was really glad we touched on that with our favorite pilot case study, the transit system stuff.

But when you know interoperability works and you have a system that’s as complicated like the card system, and then a new technology comes up and you still end up with oodles of implementations of that standard, and then they have to pull it back together – 25 kernels is what it was – back together. I also thought it was interesting, A, that happened, after having so many proof points that you don’t want to do it that way, but B, that it only took a year to get everyone back on the same page, pretty much.

Russ Jones:

The thing about standards I’ll observe is really, yes, there are multiple standards oftentimes, but they’re often tied up in market dynamics and momentum and whatnot. And I think we’ve seen a great example of that. Oliver was talking about EV charging, and what he described in Canada is a painful experience.

That experience is also painful in the United States. It’s not unique to Canada, but we’ve seen basically the whole automotive industry in the US in the last 12 months deciding to standardize on Tesla’s charging standard, and that’s the North American charging standard. The so-called North America charging standard is what Tesla calls it. And there are plenty of ISO standards in that area, and Tesla had so much momentum in the marketplace. It’s like, are you going to wait five years for some other neutral standard to get a foothold, is not happening in Canada, or are you just going to throw your lot in with the market leader? And most of the major manufacturers have said the timing is such that we just need to go where the market’s going, which is a good example of letting the market decide, which is a very US-centric approach to things.

Yvette Bohanan:

And there’s a lot of examples of how market decisions evolve into an industry standard out there in all sorts of areas. So it happens lots of different ways, a lot of collaboration, I think, that’s why they have the governance structure and the associates and subscribers trying to get all of that feedback from all of those perspectives. And going beyond the specification too. They have the core specs, and obviously, it’s a very technical organization. I mean, we could have really gone into the tech here in a big way, but coming out with guidelines on design, customer experience.

Russ Jones:

On usability, customer experience guidelines, that’s very different for them, but-

Yvette Bohanan:

Important.

Russ Jones:

It’s very important, super important. And that’s one of the things that has made Apple so successful, is here’s an SDK, here’s a bunch of APIs, and here are a bunch of usage guidelines. And that’s what makes the uniformity of the experience so magical with those products. And it’s heartening to see EMVCo realize that, because you take something like SRC, and I can only imagine there’s a dozen ways you could implement the experience, and you lose the impact if you don’t have the uniformity of experience. And the market wants simplicity and they know.

Yvette Bohanan:

Well, you don’t solve that classic poultry problem of adoption if you lack simplicity. It’s a key ingredient to getting people to do something.

Russ Jones:

And the poultry problem in payments, just so everyone’s on the same page here, is a reference to who came first, the chicken or the egg. And that’s a pervasive problem in payments because all transactions are two-sided. So in the world that we live in, it’s who comes first, the buyer or the seller.

Yvette Bohanan:

And you need both of them to get any volume.

Russ Jones:

That’s exactly right.

Yvette Bohanan:

Adoption.

Russ Jones:

If you bifurcate experiences, it’s like you have 12 incompatible chickens and one egg.

Yvette Bohanan:

At some point, Russ, an analogy just breaks down.

Russ Jones:

No, I’m saying that this one works.

Yvette Bohanan:

12 incompatible chickens.

Russ Jones:

Right.

Yvette Bohanan:

Okay. We got to work on this. Anyway, I’m hoping we get EMVCo back to talk with us some more because they’re doing some very, very exciting stuff right now.

Russ Jones:

Absolutely.

Yvette Bohanan:

So thanks so much. Thanks for the extra time here and breaking it down with me and reflecting. We’re looking forward to some more podcasts coming up, all our industry friends out there who are leaders in this space. Until then-

Russ Jones:

Thank you.

Yvette Bohanan:

Take care.

Russ Jones:

Thank you, Yvette.

Yvette Bohanan:

Thank you, Russ. Bye-Bye.

If you enjoy Payments On Fire, someone else might too. So please feel free to share this podcast on your favorite social media outlet. Payments On Fire is a production of Glenbrook Partners. Glenbrook is a leading global consulting and education firm to the payments industry. Learn more and connect with us by visiting our website at glenbrook.com. All opinions expressed on our podcast are those of our hosts and guests. While companies featured or mentioned on our show may be clients of Glenbrook, Glenbrook receives no compensation for podcasts. No mention of any company or specific offering should be construed as an endorsement of that company’s products or services.
