In a recent episode of the Cybersecurity Institute podcast, host Ken Kadet chatted with Entrust experts Simon Horswell and Andy Cease about resolving the trust paradox in payments: closing the gap between how much customers use digital payments and how confident they are in their security.

Ken Kadet: So, let us start off by maybe taking us behind the scenes on this a little bit. What is the thinking at banks and other places that are taking care of our money about this balance, this paradox about trust and security?

Simon Horswell: We're actually starting to see it shift. What we've seen certainly up until this point with many banks is this idea of let's try and get people in first and then as the risk increases, let's try and build on the trust. So, trying to add layers on top that previously weren't there. That's OK because you're not doing anything particularly dangerous. But your first high-risk transaction now will start to ask more from you. And I think there's quite a few banks or quite a few parts of the financial services that have turned this on its head. You can look at someone's transaction history and get a gauge for them, but you haven't really established that you know who they are. You just know what they're doing. It's much more robust if you actually build that trust from the beginning. You want me to trust you. And I want to know who you are. Show me who you are and tell me who you are. Let's have that upfront. Now I've got a record, I've got a baseline, and I can compare you to that at various stages. And I think that's what we're starting to see more now is, when you're onboarding, that's when I feel most of that KYC should be happening. And then I've got a frame of reference. For example, if we start by confirming your identity with an identity document, a government-issued document, something verifiable, something that we can actually look at and authenticate. And then we bond that to your identity through your biometrics, right? We all have a face, and your face appears on the document. We can use it to tie it so that we know who you are from the outset.

And then I've also got a frame of reference for later on. If we start looking at things like re-authentication, once I've established who you are, then I can start trusting your device so when you send your fingerprint token on there that confirms it, you've established who you are on there. Or maybe as part of the setup once you've been onboarded, you have voice recognition. All of these need to come from that basis, that foundation of trust at the beginning.

Andy Cease: I would wholeheartedly agree with that, especially coming at it as the issuer, as the bank, or as the network supporting that transaction. But I think everything Simon just called out is also hugely important and not lost on the consumer. First impressions are everything. And if you're starting what you know to be a significant financial relationship of some kind, you're grading that provider as you're going through that onboarding process, as much as they're trying to get a feel for who you are. And right by using some of this best-in-class technology it becomes very apparent to that end-user that they're doing business with someone who's not only compliant and above the line, but, you know, typically, you know, setting the next line, leading innovation that not only makes that experience immensely easier as compared to sort of the traditional ways of doing KYC, but it's also immensely more secure. I think the consumer comes out much more confident when they go through something that's robust upfront, as opposed to the kind of breadcrumbing their way throughout the journey.

Ken Kadet: Maybe take a step back for me for a second because, you talk about that ease of use and that balance of ease and security and what's behind it. But let's say the experience in the UK and in Europe and experience in the U.S. is built on a completely different foundation. Tell us about that a little bit. How is that experience different?

Simon Horswell: What we found when we entered into identity verification, we started off in the UK and Europe and the attitude was very much about knowing your customer at the beginning, establishing all of your bona fides in a way that you can trust from the beginning as a way to ensure that you were protecting yourself against fraud as a banking company.

What we found in America was that the process was much more about being quick. So trying to make it as convenient as possible with checks and balances of course, but trying to make it as convenient as possible for the consumer and you'd get as many of them in and then you'd start trying to layer it up further down the line and ask for more credentials and ask for more proof as opposed to starting off because it was kind of felt as well if it's too inconvenient or too slow, then people will drop and then we've lost them as a client. So we try to get them in as quickly as possible. Now that we've got them in, we'll try and build up that trust. But the European model is much more about, no, actually I've got something you want. And everybody else around me is doing the same thing. All of the European financial organizations are going to be asking you the same questions. Prove your identity, now we've got somewhere that we can set off from as opposed to, hey, can you give me a Social Security number, great, then let's crack on and we'll establish it's yours later down the line. It's a different kind of approach.

Andy Cease: And I think a lot of that, especially as a resident of the United States. I think the way we arrived at how we do credit, for instance, is fundamentally different as you alluded to Ken, but one of the nice things about the arrival of things like biometric identity verification is these really robust signals that can be derived from the mobile device itself, from these additional databases, both private and public.

Maybe some of the decisions that were made in the U.S. prior to this technology's arrival have put us in a situation where we do have more fraud on the credit side than other countries, though that calculus can change. Even though we are still a very geographically dispersed populace, the fact that we all have mobile phones now and those cameras can do something like biometric identity verification means that we can really quickly shift this calculus that was we're so concerned about speed at the cost of security, that equation has changed now and speed and security are on the same side of the equation and can actually compound one another in a way that they really couldn't even just five years ago. The market is at a point where I think we're going to evolve into something that is not any less easy, but is also much more secure in the next few years.

Ken Kadet: Maybe just to take an aside, tell me more about that. What does that mean? Is this sort of the contrast between, you know, Mr. Johnson at the bank and Mr. Johnson knows you versus something more digital where your personal relationship doesn't matter as much, it's more being able to identify yourself?

Andy Cease: I think it's a couple of things and one of them being mobility. Just the ability, I mean, as Simon said, back when he first started in the banking industry, he had to physically show up somewhere and had to have a formalized document and present in person. So that whether the physical movement to the location is a challenge or they're finding the time is a challenge because you have other obligations to dependents or a job. All of these things, just the time it takes to do them, is dramatically shrunk. And that's just when we're talking about a standard demand deposit account. When we extend that out to things like EBT and some of these other ways of paying electronically, they can be disbursed much faster and more effectively and with more confidence to the right people when you're operating in this ecosystem of trust. So even the disbursement of public benefits, right, can be greatly improved and made more efficient through the use of this technology. This is where I think we get beyond just the realm of credit and debit and consumer payments and into kind of how does money move and how do we trust the individuals that it moves between.

Simon Horswell: I think Andy's hit on something really solid there in terms of it's finding the time as well. And then the time that's convenient for you might be oversubscribed right now, but that's not an obstacle anymore. And then at the same time, I think coming back to the idea of security, you've now got greater consistency in the level of these checks. Now every check is done at a top premium level, right? If I turned up at the bank before, I'm expecting the cashier behind the counter to have 25 years' worth of experience examining every single document. That's not realistic. They might have maybe a little bit of an idea or maybe you've got them a cheat sheet, but now you're talking about applying other people's experience and knowledge in a consistent manner, uniformly across hundreds, thousands of different document types and ending up with a very reliable, solid response at the end of it. So, it's improved the quality of what you can actually rely on as well as making it more convenient and removing some of those geographical obstacles that we were talking about.

Ken Kadet: That makes sense. As a financial consumer yourself, what are you looking for? What level of security are you demanding from your institutions, or what would be the experience that you'd be looking for?

Andy Cease: I think if I just take a step back to what I was thinking about maybe before I was immersed in this space, it comes down to how easy would this be for someone who isn't me to do? And that's the rubric by which I'm grading anyone who I'm trying to set up a somewhat sensitive relationship with, whether it be a social network or a merchant or a financial institution. And how many steps in the workflow early on are difficult for someone who isn't me to complete? That to me is sort of my first impression of the security of this service. I think that's when I'm establishing a relationship with a financial institution, for instance, is how quickly can they ascertain that I am uniquely me and that someone who is pretending to be me somewhere else who doesn't look like me could accomplish those same steps. When I'm at the point of payment, it's about can I complete the transaction, and will that information be stored with the merchant in any way? And I think we can all recall back to the advent of embossed credit cards and the fact that they would take an impressor and take a carbon copy of the 16-digit PAN on your card and the CVV and the expiration. And then after the shift was done, that taxi driver, whoever it was, would then transact on it. Well, that's immensely insecure and magstripe was a little bit better than that. And chip greatly improved on magstripe. And so that's where consumers are beginning to see that even if I'm making a transaction at a food truck and I don't know if they're going to get hacked tomorrow, I can still be confident that the payment I made today is the only money that's going to be taken from me by that merchant or someone who's compromised it. So to me, it's really basic of initially setting up the relationship. Could someone who isn't me complete this process? And biometric IDV instantly breaks that if it's done correctly.

And then at that point of sale, if I'm using something like a tap payment, either through a physical card or a mobile phone or something like Apple Pay, or PayPal button on an e-commerce website, right? Those are also tokenized. And I think that's where your standard consumer is sort of setting the line to say, is this a secure transaction? And the threshold there is, am I turning over PII that can be abused for nefarious purposes by bad actors without my knowledge after I've made this transaction today?

And it also opens a door for an opportunity to personalize that experience in a way that just hasn't been possible. Is doing this type of upfront KYC, the identity provider, right? The financial institution, in this case on the other side of it, has a much better idea of what would be most valuable to this person and can begin to present those things in a really smart and easy to consume way.

Simon Horswell: I think you're quite right. It's that onboarding process that sets out the stall of the company you're dealing with. You want to feel, even if it's made convenient for you, that it is discriminating insofar as it's ensuring that you are who you say you are, and it isn't allowing someone else in there. And that's your first time dealing with that company. So that tells you how they're going to protect your money or your investments. No one wants to find out that their stuff has been the result of the latest hack. You get that email from a company that says, we're really sorry, but that's a nightmare scenario because now it's out there. And it's not stuff you can get back. It just means you need to be far more guarded. So when you can feel that sense of security on the way in, that something has been considered and thought out and isn't just like a swinging door, it feels like you are actually having something unlocked for you to allow you to enter. That then sets up this whole experience and the impression of the company that you're dealing with and how they're going to handle your valuables essentially.

Ken Kadet: So, are you thinking, Andy, that this is kind of where we talked about the U.S. not really adopting some of the biometric technologies immediately, but that there are opportunities here? Is this kind of where U.S. banks and financial institutions and others are going to start to see the opportunity that they can maybe provide a different kind of offering?

Andy Cease: Yes, and I think they've really been on that road since the migration to chipped cards, right? So the migration to the EMV chip was sort of the first big step away from using the magstripe and the inherent insecurity there. And then pulling through to the mobile device and the pay, the tap and pay there, that still leaves the physical card with a personal account number on it, primary account number on it, your PAN, your 16-digit card to the consumer, we're actually going to see that begin to phase out. And so this idea of a single 16-digit number that defines my ability to access credit, right? That's going away. It's now going to be tied to the identity. So whether I'm tapping my phone at a point of sale, whether I'm clicking a button on e-commerce, whether I'm tapping my card, again, at a food truck onto someone's iPhone, there's not going to be this concept of there's a 16-digit PAN that I can type in and begin transacting and storing, you know, card on file is something that's really going to be a relic of the past because that card on file is just an inherent insecurity sitting on the database of however many merchants you store that card with.

We do that for the ease of use and simplicity of it. But that same use case can be fulfilled much more securely through the use of something like tokenization. So, I'd say a vast majority of the U.S. consumers are primarily using tokenized payments today, but even those small, fringe use cases of there's not an Apple Pay button on my e-commerce, so I'm going to type in my 16-digit PAN. That's something the sun will set on. In a matter of years we're going to be in a much more secure payment ecosystem whether you're transacting online or in person physically with a card or digitally through a mobile phone.

Join us for part 2 of this episode – coming soon!