Mobile Payments. SDP Global Summit, Rome, 12. 9. 2012. Martin Prosek, VAS Platform Development Manager, Telefónica Czech Republic

SDP Global Summit 2012

Page 1: SDP Global Summit 2012

Mobile Payments

SDP Global Summit

Rome

12. 9. 2012

Martin Prosek, VAS Platform Development Manager, Telefónica Czech Republic

Page 2: SDP Global Summit 2012

About Telefónica Czech Republic

▪ Fixed and mobile voice and data, IPTV

▪ Operated under commercial brand O2

Page 3: SDP Global Summit 2012

Telefónica Globally

Page 4: SDP Global Summit 2012

BlueVia – Global APIs

https://bluevia.com/

Page 5: SDP Global Summit 2012

Introduction

01 Mobile Payments Quick Review

02 Telefónica Czech Republic Experience

03 Opportunities

04 Technical Solutions

05 Risks and their Mitigations

06 Summary/Recommendations

▪ Disclaimer: The opinions of the author expressed in this document do not necessarily state or reflect those of Telefónica company

Page 6: SDP Global Summit 2012

Mobile Payments

▪ Most popular service

• Users use it – it is a convenient way to make purchases

• Developers need it – it provides monetization

• Operators like it – it gives them a place in the value chain and another revenue stream

▪ Let us do a quick review…

[Diagram: Consumer, Mobile Network Operator, Content Provider]

Page 7: SDP Global Summit 2012

What are Mobile Payments?

▪ Many definitions exist…

• It generally refers to payment services performed from or via a mobile device.

▪ Focus on Mobile Network Operator service

• Not mobile banking

• Not payments using credit/debit card

• Not payment through online payment provider

• Not NFC

▪ Direct to bill (D2B)

Page 8: SDP Global Summit 2012

Experience in Telefonica CZ

▪ Today is the 10th anniversary of the service Juice m-Platby

• USSD based, used for cinema ticket purchases

▪ Premium SMS – 7 years old service

▪ Mobile web payments m-platba – 3 years old

▪ All these payment solutions are pre-SDP

Page 9: SDP Global Summit 2012

Mobile Payment Methods

▪ Premium SMS – oldest one

▪ Mobile web – already established

▪ In-app payments – great for freemium

▪ One-off payments

▪ Subscriptions/direct debit

[Chart: smartphone penetration, 2008-02 to 2011-06, series Google Android and Apple iOS. Caption: Smartphones penetration still grows…]

Page 10: SDP Global Summit 2012

Limitations

▪ Transaction fees are high and will remain high

▪ Limited use for intangible goods, mostly consumable on the mobile device

Page 11: SDP Global Summit 2012

Opportunity

▪ The situation is very positive

• Smartphone penetration is high

• Users have already learned to pay for apps

• Operators are perceived as trusted parties and have a good track record in mobile content

• User experience is better than with payment cards

▪ Mobile Payments can substitute the declining content revenues

▪ Mobile Payments can help operators to return to the value chain and stop being a dumb pipe

Page 12: SDP Global Summit 2012

Technical Solutions

▪ SDPs – standard means to expose

▪ API standards

[Diagram: Operator, Payment API]

Page 13: SDP Global Summit 2012

Business Risks

▪ Repudiation

• When the operator cannot prove the user's consent, the user can later reject the payment

• Closely connected to subscriber identification

▪ Provider charging without providing service

• By mistake or technical failure

• Biggest problem can be fraudulent use

▪ Unclear relation to the provider

• Not possible to establish clear responsibility

Page 14: SDP Global Summit 2012

Technical Risks

▪ Communication is not direct anymore

▪ Man-in-the-middle (M-I-M) attacks are possible

▪ Even the app itself can compromise the payment security – App-in-the-middle (A-I-M)*

* Known examples: fraudulent Premium SMS sending…

[Diagram: three communication paths: Operator; Provider, Operator; App, Provider, Operator]

Page 15: SDP Global Summit 2012

Possible Risk Mitigations

▪ Payment transactions and/or spend limits (per day, month…)

▪ Different security levels for different payment amounts

• E.g. for purchases under 2 € lower security

▪ Security-influenced design of payment authorization

• User giving consent as directly as possible (no M-I-M)

• Verification of human interaction (login by username/password, PIN, captcha, mouse movements/gestures…)

• Alternative communication channels (SMS, USSD…), use of one-time password

Page 16: SDP Global Summit 2012

Possible Risk Mitigations

▪ Payment notifications (by SMS and/or e-mails)

• User is informed about every payment transaction

▪ Offering opt-in model

• User must confirm the intention to have payments enabled

▪ The best solution would be the use of SIM-based transaction signing
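The mitigations from the two slides above (opt-in, spend limits, a lower tier under 2 €, a one-time password over SMS, payment notifications) combined into one authorization flow, as an added example that is not part of the presentation. The limit values, the `Subscriber` record and the function names are assumptions, and `send_sms` stands in for the operator's own out-of-band channel.

```python
import hmac
import secrets
from dataclasses import dataclass, field

LOW_VALUE_CENTS = 200          # "under 2 €" tier from the slide
DAILY_LIMIT_CENTS = 2_000      # assumed limit, not from the slides
MONTHLY_LIMIT_CENTS = 10_000   # assumed limit, not from the slides

@dataclass
class Subscriber:              # hypothetical per-subscriber state
    opted_in: bool = False
    spent_today: int = 0
    spent_month: int = 0
    pending: dict = field(default_factory=dict)   # tx_id -> (otp, cents)

def _denial(sub, cents):       # returns the refusal reason, or None if allowed
    if not sub.opted_in:
        return "denied:not_opted_in"
    if cents <= 0:
        return "denied:bad_amount"
    if sub.spent_today + cents > DAILY_LIMIT_CENTS:
        return "denied:daily_limit"
    if sub.spent_month + cents > MONTHLY_LIMIT_CENTS:
        return "denied:monthly_limit"

def _charge(sub, cents, send_sms):
    if (reason := _denial(sub, cents)):   # re-check: several codes may be pending
        return reason
    sub.spent_today += cents
    sub.spent_month += cents
    send_sms(f"{cents / 100:.2f} EUR was charged to your bill")  # notification
    return "charged"

def request_payment(sub, tx_id, cents, send_sms):
    if (reason := _denial(sub, cents)):
        return reason
    if cents < LOW_VALUE_CENTS:           # low tier: no extra confirmation step
        return _charge(sub, cents, send_sms)
    otp = f"{secrets.randbelow(10**6):06d}"
    sub.pending[tx_id] = (otp, cents)     # code is bound to this tx and amount
    send_sms(f"Code {otp} confirms a payment of {cents / 100:.2f} EUR")
    return "otp_required"

def confirm_payment(sub, tx_id, code, send_sms):
    otp, cents = sub.pending.pop(tx_id, (None, 0))   # one attempt per code
    if otp is None or not hmac.compare_digest(otp.encode(), code.encode()):
        return "denied:bad_or_used_code"
    return _charge(sub, cents, send_sms)
```

Because the SMS names the amount and the code is tied to one transaction, an app or provider in the middle cannot reuse a confirmation for a different charge.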

Page 17: SDP Global Summit 2012

Good Balance of Security and Convenience

▪ One click payments

▪ No authorization

▪ Opt-out

▪ Authorized payments

▪ Opt-in

▪ SIM-Toolkit based security

Convenience

Security

Page 18: SDP Global Summit 2012

Recommendations

▪ Let the user be in control of the service security settings – provide good web selfcare

▪ Give the user access to full history of the payments – on the web selfcare

▪ Do your best to have direct access to user (no M-I-M or A-I-M)

▪ Have clear contracts with providers stating responsibility for all cases

Page 19: SDP Global Summit 2012

Last Days of the Roman Empire…

▪ Mobile Network Operators had created "empires"

▪ Huge revenues were funding their development

▪ But now the "empires" are under attack by "barbarians" from outside (the Internet…)

▪ If operators do not act now, their position in the value chain might be lost – the "fall of the empire"

Page 20: SDP Global Summit 2012

Questions?

Page 21: SDP Global Summit 2012

Thank you.