ValidSoft is uniquely placed to help retailers and banks in the crucial area of fraud prevention, as the way we make purchases and payments increasingly embraces mobile telecoms, and contactless cards and Near Field Communications based on the mobile wallet concept are adopted around the globe.
Part of the Amsterdam-based international telecoms company Elephant Talk, ValidSoft is the only security company in the world that provides certified protection not only for all electronic and phone-based banking channels but also for card-based channels, both card-present and card-not-present. ValidSoft’s stated mission is to make all transaction channels secure, using leading-edge communications, recognising that mobile payments will soon be the centre of the universe in the e-commerce sector.
In our October issue we spoke to Patrick Carroll, Founder and Chief Executive of ValidSoft, about card not present (internet) fraud prevention and the benefits of their offering. Now we talk to Patrick about card present security and look at the fast approaching era of the mobile wallet, the implications for fraud and how VALid-POS®, ValidSoft’s card present product, can help.
GT – Patrick, we last spoke at the end of August. What’s been happening since then?
The marketplace is moving pretty quickly. We’re seeing a lot of interest in the mobile wallet, and the industry is shaping up for its adoption. It brings home the fact that there are both opportunities and threats – new business models, a new landscape and new companies entering the market alongside the traditional players.
The interesting aspect from the security point of view is that the traditional architecture isn’t the right model for the next generation of card transactions. Right now we’ve got card present, not present and other variations, but the future will be about mobile present. We’ll also have mobile-to-mobile and person-to-person payments, which may not go through the traditional players. We see the overall market developing rapidly.
GT – In our previous conversation we looked at your VALid® Card not present offering. This time we’re looking at VALid-POS®, your card present offering for ATM and point-of-sale fraud. Can you talk us through this?
VALid-POS® can determine, in real time, that a physical transaction involving a payment card is occurring in proximity to that cardholder’s mobile phone. It can do this in less than 400 milliseconds (0.4 seconds). If the card and phone aren’t in proximity, there’s a good chance the transaction is fraudulent. VALid-POS® is an evolution of our VALid® multi-factor authentication and transaction verification platform, which provides protection for multiple banking channels, and which financial services organisations and European governments have adopted.
GT – How does ValidSoft fit into mobile payments security?
We provide seamless architecture in the mobile world, for which, as I’ve mentioned, the traditional security methods are not applicable. We believe the right model is telecoms, with both visible and invisible layers of security. It’s user friendly, but also very strong in defence against fraud.
GT – How does security for mobile commerce compare with security for e-commerce?
There are two fallacies doing the rounds, which I’d like to correct. The first is that mobile security is inevitably complex, which simply isn’t true – if anything, it’s less complex. As a mobile solution VALid-POS® is very secure, but also extremely user-friendly. The second fallacy is that in the mobile world, you have to compromise privacy to achieve security, which means that any location-based service is an invasion of privacy. We have thought long and hard about this, and the end result is our Proximity Correlation Logic™, which VALid-POS® is based on. Our PCL™ is fully compliant with EU data privacy regulations.
GT – What problem areas does VALid-POS® address?
VALid-POS® addresses three problem areas. The first is speed. Card payment transactions need to be approved in under 500 milliseconds, but using the signal from a mobile cell to determine the cardholder’s location takes 4-6 seconds or longer. Also, GPS location might fail when people are in buildings. The second point is that conventional geo-positioning systems aren’t very accurate for retail chains. Branch-based transactions are often routed through the head office, which is identified as the place where they happen, rather than the branch’s true location, so you get a very high failure rate. The third point is that location-based systems are relatively expensive, and most importantly, break the privacy rules.
GT – How does VALid-POS® get round all that?
Proximity Correlation Logic uses the other signalling functions within a mobile phone to achieve rapid response times. In just 400 milliseconds, it determines the physical correlation between the transaction and the cardholder through the global mobile network.
GT – What about privacy?
The database at the centre makes sure your phone is in sync with the network. We never tell the bank where you are – we only confirm or refute the proximity correlation. The EMV chip-based card placed in the ATM or POS device ‘talks’ to the issuing bank, and a correlation is made between the ATM and the nearest phone tower – we do the mapping. With the international model we confirm that, for example, the card and mobile are both in The Netherlands; with the domestic model, we confirm that the ATM or POS unit is in a particular location and the cardholder’s phone is there too.
GT – What happens if someone drops a card and a criminal picks it up? How far can the criminals get with using the card before they are ‘spotted’?
The lowest level of granularity is the cell ID – the reality of card fraud is that it is more likely to happen to you if you go abroad and your card gets skimmed. The fraudsters have centres of expertise, and sell cards on to other criminals that are based in different countries. That said, it therefore takes time to skim an EMV card. Some 39 countries in the world have EMV cards. So a few weeks might elapse before a skimmed card re-appears in a non-EMV country and is then used by fraudsters. The likelihood of your card and mobile phone both being stolen is remote, and our card present fraud prevention solution will always defeat attempts to use skimmed cards. Thanks to Chip and PIN, ‘domestic’ fraud happens less when a card is stolen. Yet, our card present fraud prevention solution can play a key role in stopping fraudsters.
GT – What verification does VALid-POS® give?
VALid-POS® can go from validating transactions at country level or an even larger area to confirming that the cardholder is at a specific individual ATM or POS device.
GT – Does VALid-POS® create a record somewhere ‘outside’ the issuing bank of where the card has been used?
No it doesn’t, it’s totally anonymous. Thanks to this anonymity, we can demonstrate that we fully support the data protection requirements.
GT – You have been awarded the European Privacy Seal. Can you tell us about that?
We have actually received not one but two Privacy Seals, one for VALid-POS®, for Card Present, and one for VALid-4F®, which is also part of our VALid card not present offering. VALid-POS® and VALid-4F® are both completely invisible – the cardholder doesn’t know the check is happening. We own the Intellectual Property for both of these technologies, and have a genuine interest in the privacy of the consumer and in preventing false positives.
GT – Picking up on the ‘Privacy’ element, are there any privacy issues involved with using geo-location of people’s mobile phones to validate transactions? Do cardholders need to confirm their consent beforehand?
Under the European Privacy Seal VALid-POS® does not require explicit customer opt-in. Without such protection, a transaction might be going ahead and the money coming out of the cardholder’s account even though the transaction is fraudulent. It’s too late to stop it. The object is to deter the fraudsters – the consumer wants the goods, and banks have a brutal way of dealing with suspect transactions by rejecting them, which can be very inconvenient and embarrassing.
GT – How often do card transactions get declined incorrectly?
The issuing bank gets it wrong 90% of the time, and as we move to new payment platforms such as mobile and they decline more payments, as much as 98% of future rejections could be incorrect. Card fraud is very high for cross-border transactions, and cards are rejected at the POS terminal or ATM. For example, when I went to Hong Kong on business recently, one of the cards I was using got declined. I couldn’t resolve it, so I had to pay with another card. The bank’s risk engine got it wrong, and the bank lost the interchange fee to the card that I paid with successfully.
GT – It’s probably a daft question, but aren’t card present transactions already reasonably secure, due to Chip & PIN and payment systems such as Secured by Visa?
Under these standards a card in an ATM or POS terminal is strongly secure within the EMV countries, but there are no similar standards yet for mobile, SIM or SD cards which go in the side of a smart phone, and security remains the number one concern. If you lose your card today, it’s not the end of the world, you can tell your bank via a comms link. But in the future if your phone is configured as a mobile wallet and you lose it, you will have lost everything.
GT – What are your recommendations for mobile security?
It needs a dedicated methodology – it can’t just be server-based. There are lots of different models currently being tried out, and while operating standards clearly need to be developed, the security issue must also be addressed. ValidSoft already have the solutions, in the form of our telecommunication-based technologies.
GT – As an industry expert, in your view how far has security for mobile payments got in terms of being brought to market?
On one hand, we have the traditional payments world, in which the security architecture is fragmented, as we’ve discussed; on the other hand there are the needs of the new, emerging mobile market, in which people are overlooking security as they race for market share. It needs telecommunication to be integrated as part of the security process.
Online traders have a line open to their bank and accept a message back to confirm the transaction. We need something similar for mobile to address the areas of concern – has the SIM card been swapped? Has the retailer ‘seen’ this card before? Do they recognise the transaction? Has it been interfered with in any way? Is there a correlation between where it’s occurring and where we believe the cardholder to be? All these layers need to be brought together in a simple, integrated fashion, which ValidSoft can provide. We can demonstrate quite definitely that a correlation exists between the cardholder’s phone and the card. All of this is done anonymously.
GT – How near are people to adopting ValidSoft’s technologies?
We’re very close to it happening with various major players. The crux of the matter is that under our systems the transaction goes for authorisation to the issuing bank, which makes the correlation with the cell phone. After that it goes back to the issuing bank, so we need to get our solutions integrated with the banks’ systems at issuing level.
GT – Have you been carrying out trials with the major banks?
If you look at any of the top ten banks on a global scale, chances are they’ve conducted trials with us. All the banks are interested in our technology, and we can prove conclusively that we can deliver.
GT – What is the level of ‘false positives’ for card transactions with VALid-POS®?
In a recent trial with one of the top three banks, we confirmed 100% correctly and also refuted 100% without error.
GT – How are you getting on with signing up the retailers and other merchants?
A lot of people in the banks know they have to talk to the retailers and merchants about ValidSoft: we can only educate and inform them. Security is the number one point of concern in card payments, and the banks must lead the way.
GT – What are you doing to spread the word about VALid-POS®?
We’re doing it through industry groupings and events, and getting out there and talking to the banks’ retail and cards teams, who have expressed an extremely high level of interest globally.
GT – Going back to the mobile wallet, how will this be brought into the retail sector?
Adjusting the point of sale environment to accept payment with the mobile wallet will be done externally by the banks. The retailers and merchants will need to acquire new devices to take mobile payments, and Visa and the others will be offering them different options. The merchants will see all this as an extra constraint – the drive will come from the banks, each of whom is now ready to go.
GT – What’s the likely timetable for mobile wallet payments to become widely adopted?
It could take two to five years, depending on how proactive everyone is, namely banks, retailers and mobile operators like our parent company Elephant Talk. However, the recent announcement from the GSMA stating that they aim to set a global standard for SIM-based NFC services amongst mobile operators is a positive step in the right direction.
GT – Will you need to change VALid-POS® for mobile wallet payments?
VALid-POS® doesn’t need to be changed to validate mobile payments – we secure them all.
GT – Talking of other payment methods currently in the news, can VALid-POS® be used to validate Person-to-Person payments?
VALid-POS® is usable for P-to-P solutions, but in my view its adoption for this purpose is likely to come last in priority for the banks and financial institutions.
GT – With PayPal now being widely accepted by airlines as a means of paying for tickets online, is there a place for ValidSoft in providing security for these transactions?
Yes, there is. VALid®, our card not present product, is a suitable security solution for PayPal. The issue there is around authentication, and SMS messages from PayPal. If a mobile is hacked and payments are affected, the way back in is for the payment operator to carry out the account holder’s authentication through voice, and not SMS.
GT – How far do you envisage VALid-POS® and VALid® could reduce the level of false positives for suspected card fraud?
In time they could reduce the level of ‘refutes’ being false positives from the current average of 90% to single digits. The reality is that the banks don’t regard transactions which are wrongly aborted due to suspected fraud as a major problem, but for retailers and other merchants false positives mean dissatisfied consumers and lost sales.