SCA in a world of Internet-of-Things payments
First published: 01/12/2020
How people make payments has evolved greatly over the years. From cash we moved to paper cheques, then to credit cards, and now to purely digital payment methods on the Internet. Where do we go from here?
Many people think that the next step is payments through Internet-of-Things (IoT) devices, where the payment is initiated autonomously in the background, almost without human interaction. An interesting paper by the French Association du Paiement, «Adapting payment to the Internet of Things», explores what this means. It made me think about how payments fit with IoT devices, and what the key issues are in making the IoT dream happen.
First, how do most IoT payments work today? In practice they are not that different from other types of payments: you register your payment details on a website or through an app, and when an event occurs (e.g. your car passes a toll) the payment happens. This is much like an online purchase where the payment details are stored in the merchant's back-office database; the merchant, not the device, holds the credentials and makes the charge. It can be argued that this is not a true IoT payment, since only the trigger is different. A payment closer to the true IoT model delegates the right to initiate the payment to the device itself, which then uses something like a payment token stored on the device to initiate the transaction. This is the solution proposed by programs such as the “Visa Ready program for IoT”, where a payment token is provisioned to the device and later used by the device to initiate a payment.
A few years back, we at Okay looked into how security can be improved with IoT devices. The challenge is obvious: an IoT device can be anything from a microcontroller with just a few kilobytes of memory to a system running a full Linux distribution. Such devices rarely have a screen, a keyboard or anything else that could be used to perform Strong Customer Authentication (SCA), which makes doing SCA on the device itself much harder. With tokenization it has now become possible to split the roles: the transaction is initiated from the device, while the SCA is performed on another device, such as the customer's phone.
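The split described above (token-holding device initiates, a second device with a screen performs the SCA) is easiest to reason about as a protocol exchange. The following is an added, self-contained illustration written for this page; it is not Okay's proof of concept, not the Visa Ready protocol, and not a real issuer API. The message format, the `Issuer`/`IoTDevice`/`CustomerPhone` roles, the use of a per-transaction nonce and the HMAC-based authentication code are all assumptions made for the example. What it shows is the property that matters for dynamic linking: the authentication code is computed over the amount and payee the customer actually saw, so a replay or a changed amount is rejected by the issuer.

```python
"""Added example: token-on-device IoT payment with SCA on a second device.
Illustrative only; roles, message format and key handling are assumptions,
not any real scheme's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentRequest:
    """What the issuer records when a device initiates a payment (constructed format)."""
    token: str           # payment token provisioned to the IoT device in place of the card number
    amount_cents: int
    payee: str
    nonce: str           # issuer-chosen, fresh per transaction; makes the code single-use


def dynamic_link_code(sca_key: bytes, req: PaymentRequest) -> str:
    """Authentication code bound to amount, payee and nonce (dynamic linking).
    Any change to amount or payee after approval yields a different code."""
    msg = f"{req.amount_cents}|{req.payee}|{req.nonce}".encode()
    return hmac.new(sca_key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Account-holding bank: provisions tokens, records requests, verifies SCA codes."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}      # token -> account
        self._sca_keys: dict[str, bytes] = {}  # account -> key shared with the customer's SCA device
        self._pending: dict[str, PaymentRequest] = {}

    def provision_token(self, account: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._tokens[token] = account
        return token

    def enrol_sca_device(self, account: str) -> bytes:
        key = secrets.token_bytes(32)
        self._sca_keys[account] = key
        return key

    def initiate(self, token: str, amount_cents: int, payee: str) -> PaymentRequest:
        if token not in self._tokens:
            raise ValueError("unknown token")
        req = PaymentRequest(token, amount_cents, payee, secrets.token_hex(16))
        self._pending[req.nonce] = req
        return req

    def authorise(self, nonce: str, auth_code: str) -> bool:
        req = self._pending.pop(nonce, None)   # one-shot: a replayed nonce is rejected
        if req is None:
            return False
        expected = dynamic_link_code(self._sca_keys[self._tokens[req.token]], req)
        return hmac.compare_digest(expected, auth_code)


class IoTDevice:
    """Screen-less device holding only the token: it can initiate, not authenticate."""

    def __init__(self, issuer: Issuer, token: str) -> None:
        self.issuer, self.token = issuer, token

    def pay(self, amount_cents: int, payee: str) -> PaymentRequest:
        return self.issuer.initiate(self.token, amount_cents, payee)


class CustomerPhone:
    """Second device with a screen: shows amount and payee, then computes the code
    over exactly what the customer saw and approved."""

    def __init__(self, sca_key: bytes) -> None:
        self._sca_key = sca_key

    def approve(self, shown: PaymentRequest) -> str:
        return dynamic_link_code(self._sca_key, shown)


def run_scenario() -> dict[str, bool]:
    """Honest flow, a replay, and a tampered amount; returns the issuer's decisions."""
    issuer = Issuer()
    token = issuer.provision_token("acct-1")
    phone = CustomerPhone(issuer.enrol_sca_device("acct-1"))
    car = IoTDevice(issuer, token)

    # Honest flow: the car initiates, the phone shows 4.20 to "toll-operator", customer approves.
    req = car.pay(420, "toll-operator")
    honest = issuer.authorise(req.nonce, phone.approve(req))

    # Replay: the same nonce and code submitted a second time.
    replay = issuer.authorise(req.nonce, phone.approve(req))

    # Tampering: the relay between device and phone shows the customer 1.00 instead of 4.20.
    # The code is linked to what was shown; the issuer recorded 4.20, so it does not verify.
    req2 = car.pay(420, "toll-operator")
    shown = PaymentRequest(req2.token, 100, req2.payee, req2.nonce)
    tampered = issuer.authorise(req2.nonce, phone.approve(shown))

    return {"honest": honest, "replay": replay, "amount_tampered": tampered}


if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry over to real deployments: the key used for the authentication code lives on the customer's authentication device and never on the IoT device, so a compromised device can initiate but cannot approve; and the nonce is chosen by the issuer, so a device or merchant cannot manufacture an approvable request on its own.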
The discussion around how IoT payments should happen is just one part of a bigger trend in payments. We look set to move away from “authentication is the domain of the issuer, done with 3-D Secure for each transaction” towards a more dynamic situation where the authority to initiate the payment is delegated to merchants or even to IoT devices, with radically different authentication methods. This raises some interesting questions about transaction security. Under PSD2 it is clearly the account-holding banks that are responsible for customer authentication, but who is responsible once the customer has delegated that authority to an IoT device? Must IoT device manufacturers register as payment initiation service providers (PISPs)? The paper mentioned above suggests a new type of payment institution for exactly this: the Object Payment Initiation Service Provider (OPIS), which extends the PISP role to include device management. This is an interesting idea, but it would be a hard area to regulate: most of the IoT devices I use myself cost about 4-5 euro, including shipping.
At Okay we have been working on a proof of concept for how SCA can be used to securely delegate payment instruments to devices, including how to do dynamic linking for screen-less devices as part of the process. But it has become clear to us that more innovation is needed, in both the security and the regulatory domains, before this type of payment becomes prevalent. What do you think? If you are interested in the security around this type of payment, please let us know.