When Machines Pay Machines: An Update on IoT and Strong Customer Authentication
A few years ago, I wrote this post on how the Internet of Things (IoT) might impact payments in the future. In the last two years, there have been considerable changes to the payment sphere, from the cryptocurrency bubble to an increased focus on security. In this post, I’ll look a bit closer at what has been happening in the IoT space and speculate on what is needed for IoT payments to become more common.
How SCA Applies to Machine-to-Machine Payments
When we discuss payments in IoT, we’re talking about Machine-to-Machine (M2M) payments. In M2M payments, machines communicate and transact with each other without human intervention. When we talk about payments between merchants and humans, Strong Customer Authentication (SCA) is one of the fundamental mechanisms needed to secure payments. SCA is a process that requires customers to provide two or more forms of authentication, such as a password and a fingerprint, before a payment can be made. This helps to ensure that only authorised users can make payments and that they are not being made fraudulently.
However, applying SCA to M2M payments is difficult because, under regulations such as the Payment Services Directive 2 (PSD2), machines cannot provide the same types of authentication as humans. According to the PSD2, a “payer” is: “a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order.”
In addition, the PSD2 requires that payments are made through secure channels and that the customer’s information is protected from fraud and misuse. This is hard to achieve with M2M payments, as rules written for humans are difficult to apply to machines. So, at least for now, machines have real problems understanding whether a transaction is valid.
So, from a legal point of view, there are clear challenges around the M2M style of payments. From a technical perspective, however, it is much simpler: digital certificates, for example, are an option. Certificates are digital files that contain information about the identity of the machine making the payment. They can be used to authenticate the machine, much like a human would use a password or fingerprint.
How are IoT Payments Made in 2023?
When we look at the headlines over the last couple of years, there are a few trends which stand out:
- There is massive growth in the IoT space, with automation and sensors becoming more prevalent in several verticals, including our homes. From smart lightbulbs to logistics and supply chains, more and more devices are talking to other devices.
- But, looking at payments made between IoT devices, there has been much less progress. Some programs, such as Visa Ready, support tokenisation and payments initiated from the devices. But my impression is that the vast majority of payments are still done with some variant of card-on-file. For example, a device might initiate the payment, but the call goes to a back-end server somewhere that triggers the payment itself.
- On the business model side, the most talked-about use case for IoT payments is still pay-per-use, together with automated payments when prompted, such as when passing a tollbooth.
My primary impression is that while the growth in IoT has been massive, there is still a gap between the automation we’re seeing with the technology and the automation we’re seeing in payments initiated by these devices.
IoT Payments in the Future
From a technical perspective, I believe there is an excellent opportunity for the automation of payments in the IoT space, similar to what we’re seeing with the growth in the underlying technology. But to do this, some technical issues should be addressed first:
- There is a real need for standardisation of payments between devices. While there are payment standards that can help (such as ISO 20022 messages), these are not yet the prevalent way of making payments.
- To fully automate payments, we probably also need some form of programmable payments, similar to smart contracts in ledger-based systems, but preferably without the complexity and overhead that we’re seeing with blockchain-based initiatives today.
- Easier ways of transferring funds and more standardisation of electronic wallet solutions would also be helpful, such as what is being discussed in Central Bank Digital Currencies.
While the technical issues are solvable, from a pragmatic perspective, the primary issue that should be resolved is legal. As I described earlier, current regulation only envisages payments between natural and legal persons. A future PSD3 could then be updated to include the delegation of payments from natural or legal persons to devices, requirements for the mechanisms by which this delegation takes place, and guidelines on the type of payments devices can make. Again, Strong Customer Authentication is the natural choice for enabling this type of delegation.
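As an added example that is not from the original post, the sketch below shows how the certificate-based machine authentication mentioned earlier and the SCA-backed delegation proposed here could fit together: the account holder (after completing SCA) signs a delegation naming the device's key, a spending limit and an expiry; the device signs its own payment orders; and the payment back end checks both signatures and the limits before executing anything. The message formats, field names and the use of raw ed25519 keys in place of X.509 certificates are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Delegation is the account holder's SCA-backed grant to one device key:
// it may initiate payments on the account up to MaxCents until Expires.
type Delegation struct {
	DevicePub ed25519.PublicKey `json:"device_pub"`
	MaxCents  int64             `json:"max_cents"`
	Expires   int64             `json:"expires"` // unix seconds
}

// Order is a payment order the device initiates on its own.
type Order struct{ Payee string; Cents int64 }

// Signed is a JSON payload plus the ed25519 signature of its issuer.
type Signed struct{ Payload, Sig []byte }

// Sign serialises v and signs it with the issuer's private key.
func Sign(priv ed25519.PrivateKey, v any) Signed {
	b, _ := json.Marshal(v)
	return Signed{Payload: b, Sig: ed25519.Sign(priv, b)}
}

// Verify is what a payment back end runs before executing a device-initiated
// order: the delegation is signed by the account holder and unexpired, the
// order is signed by the delegated device key, and the amount is within limit.
func Verify(holderPub ed25519.PublicKey, del, ord Signed, now int64) error {
	if !ed25519.Verify(holderPub, del.Payload, del.Sig) {
		return errors.New("delegation not signed by account holder")
	}
	var d Delegation
	if err := json.Unmarshal(del.Payload, &d); err != nil ||
		len(d.DevicePub) != ed25519.PublicKeySize || now > d.Expires {
		return errors.New("delegation malformed or expired")
	}
	if !ed25519.Verify(d.DevicePub, ord.Payload, ord.Sig) {
		return errors.New("order not signed by the delegated device")
	}
	var o Order
	if err := json.Unmarshal(ord.Payload, &o); err != nil || o.Cents > d.MaxCents {
		return errors.New("order malformed or over the delegated limit")
	}
	return nil
}
```

A real deployment would carry the device's public key inside a certificate issued to that device and would also need replay protection (a nonce or sequence number in each order), which is left out here.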