The way we handle our money is changing. From NFC cards to contactless wearable payments, we've more ways to spend our hard-earned moolah than ever before in history. And, with digital payments potentially as vulnerable as stuffing your month's wages into a burlap sack under your mattress, there's an ever-increasing need to protect our pay packets in ever-more elaborate ways.
Apple Pay, arguably the most important new name on the increasingly large mobile payments playing field, is already coming under scrutiny in the US where, according to the Guardian, fraud cases relating to it are already costing millions of dollars.
Preparing for the service's eventual UK kick-off is Visa, whose newly launched tokenisation system will be integral in protecting Apple Pay payments. It takes raw account data and turns it into a meaningless identifier to complete a transaction.
“In essence, tokenisation is removing the need for sharing the card number throughout the transaction, and that takes risk out of it,” Jonathan Vaux, director of new payment propositions, explained at MWC 2015.
“In the highly unlikely scenario that someone got hold of that token, it's of no use. It's another layer of added protection in the ecosystem. It's not the only one, but it's an essential layer. In a more connected world, where effectively your card credentials are sitting on a number of different devices, that could in theory expand the risk of the account being compromised. But tokenising data minimises that risk.”
The tokenisation service goes live in April, which fits with rumours that Apple Pay's UK launch will arrive at a similar time, but it will also be implemented in many other payment systems besides Apple's.
However, before tokenisation can occur, authentication methods must be secure too. Apple Pay will leverage the Touch ID fingerprint scanner, but even something as personal as a fingerprint cannot always be relied upon.
“What you're seeing now is an increasingly complex world – if my card details are going to be stored somewhere new, that's probably going to require a new set of controls,” said Vaux.
“People want the convenience of not having to authenticate, or at least making it as unobtrusive as possible. The challenge is making customers comfortable with stepping up and checking that suspicious activity is addressed.”
Visa and its banking partners approach this in many different ways, but a key one is analysing the data on your behaviours (as anyone travelling abroad only to discover their cards have been blocked will no doubt be aware). Whether it's making an unusually large payment or accessing an account from a strange location, the companies in control of your money have reams of data on individual users which, in a world where privacy is an increasing source of paranoia, may be disconcerting to some. The Internet of Things will only exacerbate the concern – banking companies will potentially know what's inside your web-connected, Waitrose-registered fridge freezer. But it's a necessary evil in the face of such a wide array of hacking threats.
“The reality is with the payments industry, every time you build something new, already there's someone trying to hack it,” said Vaux.
“It's a question of managing that risk. The safest way to stop any fraud would be to decline a transaction, but nobody wants that. So how do you get that balance right; in the event of something untoward happening, how do you make sure the damage is minimised?
“It's about using all that data. If it's my web-connected fridge, sitting in my house, you're going to use geolocation to ensure the transaction is taking place where it should. Over time you'll build histories and patterns that tend to indicate your trusted behaviour.
“Privacy is one of those things that different people have different attitudes to. How you use that data is going to be subject to increasing scrutiny, and rightly so. That data is now available because of operating systems, smartphones, search engines. The data is out there, and people will look to leverage that data, hopefully towards services which drive better customer experiences.”
The use of biometrics, such as fingerprint and eye scanners, will become an increasingly important part of the endeavour to protect our information and accounts. But that too will bring with it new threats – biohacks and biohackers, those that find ways to manipulate the most personal of items, our bodies. But Vaux feels there may be undue scrutiny towards these futuristic threats.
“Biometric technologies are now much more commonplace, people are much more comfortable using them and they are now at a tipping point,” said Vaux.
“I'm a real fan of biometrics, and a real fan of Touch ID as it drives a simpler customer experience. Looking at the wider risk assessment, such as how card details were inputted in the first instance, there are many things to consider. And yet the criticism hangs on Touch ID. It's a much more complex world than that.
“Biometric technologies will win out because they are good. There will be challenges along the way. But at Visa we certainly look at how we incorporate biometrics, not as the only form of authentication, but as a part of the form of authentication, alongside your data; I'll know where your phone is, I'll know where your card is, I'll see your fingerprint scanned at the appropriate location, or a designated safe location.
“You'll see loads of different biometrics in a range of mobile devices and wearables. The more you can get a range of data from all these sources, the safer you'll be.”