FROM PAPERLESS TO PLASTICLESS, EMV CARD SECURITY AND THE FUTURE OF PAYMENTS IN THE USA

by Nikeitha Alleyne

A Capstone Project Submitted to the Faculty of Utica College in Partial Fulfillment of the Requirements for the Degree of Masters of Science in Cybersecurity

May 2016

© Copyright 2016 by Nikeitha Alleyne All Rights Reserved

Abstract

Theft of credit card data has become a significant problem for organizations of all sizes within the USA. Target, Heartland and TJX are seen as organizations which have suffered the most as a result of their customers' data being compromised. However, globally it is estimated that the cost of cybercrime to the global economy was between $400 billion and $575 billion in 2013. Considering the preceding, the purpose of this research was to scrutinize the current security issues facing EMV-based cards. Additionally, this research examined plasticless alternatives such as virtual currencies like bitcoins and evaluated the security concerns relating to digital payment systems such as Android Pay, Apple Pay and Samsung Pay. This research also assessed how biometrics addresses and/or mitigates security concerns when used as a payment method. The research revealed that while EMV helps to reduce the risk of card present fraud, it also results in an increase in card not present fraud. It also discovered that plasticless alternative payment solutions which leverage tokenization provide a superior level of security to that currently provided by physical cards. The research concluded that the plasticless alternative future payment method with the most opportunity for success will be based on mobile devices such as smartphones, and thus recommends that greater efforts be made towards sensitizing society to the convenience and security that mobile payment provides over the present card-based payment methods.

Keywords: CyberSecurity, plasticless alternatives, Europay MasterCard Visa (EMV), Mobile Payments, Virtual Currency, Apple Pay, Android Pay, Samsung Pay, Bitcoins, biometrics, NFC, Christopher Riddell, Host Card Emulation (HCE), Secure Element (SE).

Acknowledgement

Praises be to the Most High God, for without him this journey to achieve my Masters would not have seen this destination. While there is reason for acknowledging all those people who have played a significant role in my life, I would instead like to thank those who contributed to me successfully completing this program. First up, big thanks and lots of respect for Mr. Gord Jamieson, Head of Visa Canada Risk Services and North America Acquirer Risk Services. Your willingness to be my second reader was much appreciated but the additional insight you provided forcing me to do additional research is what I will most cherish. Mr. Ulric Captain for putting the systems in place for me to be able to complete my BSc, ensuring that I got to do both study and work as opposed to having to choose between one or the other. I will always appreciate and remember you for that. To Forsythe Technology for having the systems in place to continually support their employees’ professional and academic development. I would also like to thank my aunt Vashti Greene for teaching me from an early age the importance of education. My two beautiful princesses Nakia and Neysa and apologize to Nakia for those days when she wanted to play but I could not because I needed to research and write. To my wife Saadia for all the love and support provided throughout this process and my mother-in-law Ms. Pam for holding down the fort. My mother Desiree, sister Treniece and nephew Dexter (TQ) for the encouragement they have provided throughout this process and last but not least, Professor Christopher Riddell for helping me tremendously throughout this entire process of producing this paper.

Table of Contents

List of Illustrative Materials
From Paperless to Plasticless, EMV Card Security and the Future of Payments
Literature Review
Dynamic CVV/CVV3/CVC3
Master Card PayPass
Tokenization
End-to-end encryption
Risk Based Authentication
Freeze It
Defense in Depth/Layered Approach
Plasticless Alternative Payment Methods
Digital Payment Systems
    Apple Pay
    Android Pay
    Samsung Pay
    AliPay
    PayPal
    ChasePay
    LG Pay “White Card”
Adoption Rate of Alternative Digital Payment
Security Concerns of Digital Payment Methods
Crypto Currency
Crypto Currencies Security Concerns/Regulations
Adoption Rate of Bitcoins?
Biometrics
    MasterCard Selfie Verification
    Fingerprint Impression + Tokenization
    Heartbeat as an authenticator
    Vascular pattern recognition
    Voice payments
Security Concerns of Biometrics
Implementation Challenges for Biometrics
Discussion of Findings
Future Research and Recommendations
References

List of Illustrative Materials

Figure 1. Percentage of U.S. credit cards with EMV capability
Figure 2. U.S. CNP credit card fraud losses
Figure 3. Dynamic CVV enabled card
Figure 4. High level tokenization process
Figure 5. Mobile device being used to complete payment
Figure 6. Adoption rate of Apple Pay
Figure 7. Mobile operating system market share
Figure 8. LG Pay “White Card”
Figure 9. Image of Bitcoin representation
Figure 10. Bitcoins in circulation as of Q4 2015
Figure 11. Depiction of payment cards being assigned to various fingers and palm
Figure 12. Nymi Band

From Paperless to Plasticless, EMV Card Security and the Future of Payments

Theft of credit card data has become a major concern for organizations of all sizes. According to the Center for Strategic and International Studies (CSIS) and McAfee (2014), the estimated cost to the global economy from cybercrime in 2013 was more than $400 billion, with a conservative low estimate of around $375 billion and a maximum of $575 billion. When organizations are compromised, recovery from these compromises can cost an organization upwards of $100 million, even if the amount the attackers gained from the compromise is much less. It is estimated that in Mexico, banks lose up to (3 million annually from online fraud, while in Japan the estimate is around $110 million. However, while banks have been targeted, retailers are a favorite target for cyber criminals. Some notable organizations which suffered losses as a result of cyber criminals compromising their systems are TJX, Heartland and Target. In 2007, TJX was breached, resulting in the loss of 45 million payment card records. This loss resulted in TJX incurring a pretax expense of $37.8 million for the first half of fiscal 2008. During the second quarter of fiscal 2008, a pre-tax sum of $178.1 million was established as an estimate of the potential losses relating to the intrusion (The TJX Companies, Inc., 2007). As of January 31, 2015 the balance on this reserve stood at $7,616 dollars (The TJX Companies, Inc., 2014).

The preceding paragraph showed that while this intrusion occurred during the latter part of 2006, TJX is still incurring financial expenses as a result of it. In 2009, a breach of Heartland Payment Systems resulted in the loss of as many as 100 million debit and credit cards. This loss resulted in Heartland having to pay out more than $140 million in fines (Lewis, 2015). Similarly, in 2013, Target was breached, with 40 million payment cards being compromised. This loss
resulted in $264 million of cumulative expenses as of August 1, 2015 (Target Corporation, 2015). As a result of the aforementioned, efforts needed to be made to either identify new ways of securing the existing card or evaluate plasticless alternative methods of payment. The payment card industry within the United States of America (USA) recognized this and as a result has started to address the issue by moving towards implementing the Europay, MasterCard, Visa (EMV) technology, better known as “chip-and-pin”, “chip-and-signature” or “chip & choice”.

The purpose of this research was to scrutinize the current security issues facing EMV credit card payments and future payment methods. What are the available plasticless alternatives to EMV credit card payments? What are the security concerns relating to bitcoins, whether real or perceived? What are the security concerns surrounding digital payment systems such as Android Pay, Apple Pay and Samsung Pay? How does biometrics address and/or mitigate security concerns when used as a payment method?

The Barack Obama administration also recognized the importance of moving towards more secure payment methods and thus issued an Executive Order via the Buy Secure initiative, which aims to accelerate the transition to more secure payment technologies and the development of next generation payment security tools (Office of the Press Secretary, 2014). New payment methods such as mobile payment solutions like Tap and Go, Android Pay, Apple Pay and Samsung Pay, virtual currencies such as Bitcoins and Ripple, along with mobile biometrics, present opportunities for further addressing the security issues related to credit cards. Mobile payment technologies attempt to leverage the ubiquitous presence of mobile technologies such as smartphones, Bluetooth Low Energy (BLE), Quick Response (QR) Code,
Magnetic Secure Transmission (MST) and other Near Field Communication (NFC) Technologies. Mobile payment is defined as:

purchases, bill payments, charitable donations, payments to another person, or any other payments made using a mobile phone. The amount of the payment may be applied to your phone bill (for example, Red Cross text message donation), charged to your credit card, deducted from a prepaid card, or withdrawn directly from your bank account. (Board of Governors of the Federal Reserve System, 2015, p. 22)

From a mobile payment perspective, as of 2014, the QR technology, which was developed by Toyota, was the most common method used for payment at Point of Sale (POS) terminals. This was followed by a mobile app which is installed on the smartphone and used by waving the mobile phone at the POS terminal. Funding for these mobile payment systems is typically tied to a debit and/or credit card. Alternatively, non-financial institutions such as PayPal may be used as a source for funding (Board of Governors of the Federal Reserve System, 2015).

As with any new technology, and similar to EMV implementation, there has been slow adoption of mobile payment technologies. The first impediment for mobile payment is having a smartphone and not just any mobile phone. While as of 2014, 87% of the USA adult population had a mobile phone, only 71% of those were considered smartphones. Of this 71%, only 22% reported conducting a mobile payment transaction during 2013 to 2014 (Board of Governors of the Federal Reserve System, 2015).

The main reason cited by the Board of Governors of the Federal Reserve System (2015) for not using mobile payments was basically a preference towards using other means of making payments. Similarly, it is believed that other payment methods are much easier and do not have
the same security concerns as mobile payments. Additionally, there are no real benefits to using mobile payment methods.

The Federal Reserve may see no real benefits to using mobile payment. However, continents like Africa have embraced this method of payment, resulting in increased Person to Person (P2P) transactions as a result of economic growth, lower transaction costs and greatly increased customer convenience, while minimizing the need for expensive physical infrastructure (Kendall, Schiff, & Smadja, 2014). From a Canadian perspective, 74% of contactless payment users found contactless to be quicker (Visa, 2015).

Most importantly, the Federal Reserve System’s view differs from that of the Federal Reserve Bank of Kansas City, which identified that mobile payments were adopted rapidly in Japan as a convenient way of paying for mass transit and ultimately concluded that, in general, greater convenience is likely to encourage consumer adoption of mobile payments for in-store purchases. It also stated that from a portability perspective, mobile payments will likely be more convenient than traditional payment methods, while eliminating the need for coins and currency. Mobile payment is also more flexible and has faster transaction speed for certain types of purchases. A significant obstacle towards mobile payment becoming convenient is that it is difficult for some users to set up and use, since it requires more steps than checks, debit or credit cards, while also requiring time for the end user to learn the application (Hayashi, 2012).

While the reasons identified by the Board of Governors of the Federal Reserve System are all valid, it is significant to note that one of the biggest reasons for low adoption is the low acceptance of contactless payment and its supporting infrastructure within the USA market. The first contactless card was introduced in the USA in 2004. However, various reasons including convenience of magnetic stripe, minimal incremental spend and modest merchant uptake have
led to its sluggish adoption rate. Accepting mobile payment via NFC, for example, requires a compatible Point-of-Sale (POS) terminal, each of which costs hundreds of dollars. At the beginning of 2015, there were millions of NFC payment terminals ready to accept payments globally. However, this number is small when compared to the tens of millions of terminals which are available (Smart Card Alliance, 2015).

According to BNY Mellon (2014), mobile payments in Africa outpaced those from holders of bank accounts, with Kenya emerging as a regional leader. Similarly, China was projected to have a mobile payment market valued at $84 Billion at the end of 2015. This number is up from $7.6 Billion in 2012. The Chinese market is expected to double in size each year (BNY Mellon, 2014).

Virtual currencies present another area which can see the world moving from paperless to plasticless alternatives. Currently, some of the more prominent virtual currencies are BitCoin, Ripple and LiteCoin. However, while these may be the more prominent ones, there are currently over six hundred and ninety providers of virtual currency (coinmarketcap.com, 2015). IRS notice IR-2014-36 defines virtual currency as currency which:

operates like “real” currency -- i.e., the coin and paper money of the United States or of any other country that is designated as legal tender, circulates, and is customarily used and accepted as a medium of exchange in the country of issuance -- but it does not have legal tender status in any jurisdiction. (Internal Revenue Service, 2014)

The newest entrant to the plasticless alternatives payment industry is biometrics. In most cases, companies are trying to leverage the existing ubiquitous nature of mobile phones and payment card infrastructure to speed up the deployment and/or availability of biometric payment technologies. In other cases, the objective is to use biometrics independently of any other tools,
i.e. mobile phones or cards. The biometric modalities currently being leveraged as part of the payment process are facial recognition, heartbeat, fingerprint, palm, vascular patterns, voice, retinas, iris, etc. Overall the global biometrics market is expected to be around $6.9 Billion by 2024. During this growth, fingerprint technology is expected to represent the largest market segment, followed by facial biometrics technology. These will be followed by iris/retinal and signature based solutions respectively (Reuters, 2014).

Literature Review

During 2015, the number of EMV cards issued within the USA exceeded expectations, hitting nearly 600 million units. This quick market penetration means the USA is likely to hit 100% penetration over the next two years. The USA market is expected to peak in 2016, reaching around 617 million units (prnewswire.com, 2016). However, while the number of cards in distribution has significantly increased, the same is not true for the number of card accepting merchants. As of February 17, 2016, four months after the USA’s liability shift, only 37% of merchants were ready to accept payments via EMV cards. This situation is expected to improve by June 2016, by which time at least 50% of USA merchant locations will be ready to accept payments via EMV cards, with a threshold of around 90% being met in 2017. Some of the reasons cited for this delay are payment processor readiness, gateway readiness and resource availability of technical staff (Business Wire, 2016).

According to Morea, Christiansen, Dragt and Randolph (2011), as part of the Single European Payments Area, 38 banks were required to complete their migration to EMV by January 2011. Data from globalpaymentsinc.com (n.d.) show Canada’s domestic liability shift started on March 31, 2011. Similarly, Latin America and other countries made the shift in 2012
(smartacquiring.com). This early start provided Europe, Canada and Latin American countries an almost 5 year lead on the USA.

Additionally, impediments towards ensuring the USA has greater penetration range from a lack of understanding of the capabilities of EMV in reducing fraud, as some consider it an outdated technology which is not secure, to EMV implementations being too complicated and difficult, the cost of implementation being too high (Choudhary, 2012), the Durbin Amendment, the lack of a Common Application ID (Smart Card Alliance, 2012) and ultimately procrastinators who assumed the USA would never actually transition to EMV (Kossman, 2015).

The argument that EMV does not help to reduce fraud cannot be supported when the facts are considered from the perspective of card-present or face-to-face transactions in those jurisdictions that have already implemented the EMV technology. According to the Canadian Bankers Association (2014), there was a decrease of 51% in domestic counterfeit cards during the period December 2009 to December 2014 in Canada. This represented a decline from $159.8 million to $51.3 million for the same period. Similarly, within the United Kingdom (UK), Point of Sale (POS) fraud using counterfeit or lost/stolen cards decreased from $244.1 million Great Britain Pounds (GBP) in 2004 to $102.3 million in 2013 (Aite, 2014).

Additionally, structural issues have been cited as reasons for slow adoption: EMV implementation is considered too complicated and difficult, requiring changes to various parts of the payment infrastructure and its associated processes. Because of the required infrastructure changes, it is also felt that the cost is too prohibitive and thus the amount of fraud against the existing card system cannot be used to justify the migration cost (Choudhary, 2012). According to Figliola (2015), the cost for implementation of EMV ranges between $6 to $8
billion dollars, of which 75% will more than likely be borne by merchants, making the cost for them to shift at least three times more than that of the card issuers. More importantly, business-related issues such as a negative impact on interchange fees which may result in a loss of up to 1.7 billion per year, the absence of any positive business cases, and the fear that the investment already made to become Payment Card Industry Data Security Standard (PCI-DSS) compliant may be wasted have all been cited as reasons why the USA has been slow to adopt the EMV technology (Choudhary, 2012).

Despite the concerns surrounding EMV implementation within the USA, its EMV credit card deployment is expected to be at 98% by 2017 (Aite, 2014) and the liability shift will be one of the primary drivers of this deployment (see Figure 1). Importantly, Target Corp piloted an early generation of chip-enabled cards around 2004 with mixed results and stated that the cards were much more expensive to produce, and also required replacement of their store card readers. Another of Target’s concerns was that since the cards were only usable in their stores, it made for a confusing experience for consumers (Mulligan, 2014).

Figure 1. Percentage of U.S. credit cards with EMV capability (Aite, 2014, p. 26).

The Durbin Amendment required that debit card issuers participate in at least two unaffiliated networks. Specifically, the law “prohibits an issuer or payment card network from restricting the number of payment card networks on which an electronic debit transaction may be processed to fewer than two unaffiliated networks, regardless of the method of authentication”. For cards that used magnetic stripe technology, the rule could be applied without any issue: the merchant would ask whether the payment is being made via debit or credit, depending on the terminal capability, and depending on the choice made, the merchant could then route the transaction to the appropriate network of the card, which verifies the verification method the user specified. This method could be signature or PIN.

In an EMV chip environment, complying with the Durbin requirement is a challenge, as EMV chip cards are proprietary in nature and transactions being routed must go to the network associated with the chip application to be processed correctly and ensure application security. Each of these networks has a specific Application Identification (AID) to which the transaction is routed (Smart Card Alliance, 2012).

In order to ensure EMV transactions are compliant with the Durbin Amendment, a Common Application ID called the Common Debit AID was developed. The US Common Debit AID is stored on the chip of the EMV enabled card. On the chip, each application can have one or more AIDs. A Global AID is an AID which is owned by a payment network such as Discover, American Express, MasterCard or Visa. When transactions are made using a Global AID, they are generally routed directly to the global network whose logo is on the card. This would not be in compliance with the Durbin Amendment, as there is no choice of an alternate route (EMV Migration Forum, 2015).

To preserve the routing choice and ensure compliance, during the early phase of EMV deployment, cards will have two AIDs. One of these is a Global AID and the other the US
Common AID. Each US chip card will typically have one debit application from the global payment network which has two AIDs associated with it. One of these AIDs is the Global AID and the other the US Common Debit AID. By selecting the US Common Debit AID, a transaction can be routed to any network which the issuer has enabled for the card. These networks can be either the associated global payment network or a US debit network which supports this AID, thus complying with the Durbin Amendment (EMV Migration Forum, 2015).

While some of the early impediments towards implementing EMV were major concerns, today that is not necessarily the case. The primary driver for EMV implementation within the USA was the data breaches which targeted major retailers such as Target Corp. As a result of its data breach, Target Corp accelerated its $100 million investment towards putting chip-enabled technology in its stores and on its proprietary REDCards by early 2015, which would have been more than 6 months ahead of schedule (Mulligan, 2014). Procrastination may have also played a part in the delay, as cited by Kossman:

I suspect that there has been some procrastination on the payment processors' part, as they may have been expecting a deadline extension, but clearly that didn't happen. If you are a small- or medium-sized business, you need to keep the pressure on who supplies your software and devices. The longer you wait to go to your equipment supplier the longer it will take for you to get enabled. (2015)

The liability shift addresses the way card-present fraudulent transactions are currently handled. Presently, when fraudulent transactions are identified, the issuer, i.e. the bank or institution providing the card, is ultimately responsible. One of the primary components of the liability shift is that, for transactions occurring as a result of a counterfeit card created from the magnetic stripe of a card which is EMV enabled, the liability will now be shifted from the
issuer to the merchant if the merchant is not EMV enabled (EMV Migration Forum, 2015). This should in turn force and/or encourage merchants to move towards EMV. However, because some merchant segments typically have a low fraud rate, there may not be enough incentive for them to migrate to EMV (Jamieson, 2015).

While EMV helps tremendously in reducing card present (CP) or face-to-face fraud, the same is not true for card not present (CNP) fraud or non face-to-face transactions. During the period 2005 to 2013, the UK saw an increase in CNP fraud from $43 million GBP to $301 million GBP. In Australia, during the period 2008 to 2012, there was an increase from $72.6 million to $183.1 million AU. This trend continued in Canada, which saw an increase from $128.4 million CA in 2008 to $299.4 million in 2013 (Aite, 2014). This trend is expected to continue into the US, with projected CNP fraud losses expected to rise to $6.4 Billion by 2018 from $2.1 Billion in 2011, as illustrated in Figure 2 below.

Figure 2. U.S. CNP credit card fraud losses (Aite, 2014, p. 28)

To address this new threat of fraudsters taking advantage of card not present fraud, along with strengthening card security, credit card vendors have started to implement solutions which are based on Dynamic Card Verification Value (DCVV) along with risk based authentication.

Dynamic CVV/CVV3/CVC3

While EMV has been implemented in over 80 countries, where it has significantly reduced counterfeit card fraud, resulting in savings of hundreds of millions of dollars (mastercard.us, n.d.), its implementation also sees a significant increase in CNP fraud. Considering the USA is projected to have retail e-commerce sales of $491.5 Billion by year 2018 (statista.com, 2016), this would suggest that unless a solution is found to mitigate card not present fraud, this type of fraud will continue to grow. To address this fraud, vendors are now looking at technologies which allow for integrating dynamic security codes into cards to better secure online transactions. One of the first providers of this technology was Oberthur Technologies (OT), of which an illustration is provided in Figure 3 below.

Figure 3. Dynamic CVV enabled card (oberthur.com, n.d.)
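A time-refreshed card code of the kind this section describes, together with the issuer-side validation step, can be sketched as follows. This is an added example, not code from the paper or from any card vendor: the HMAC-SHA-256 construction with HOTP-style truncation is an assumed stand-in for the vendors' algorithms, which the paper does not give, and the key, timestamp, class name, drift tolerance and lockout threshold are all hypothetical.

```python
import hashlib
import hmac
import struct

REFRESH_SECONDS = 3600  # the paper's example refresh interval: one hour
CODE_DIGITS = 3         # same length as a static three-digit CVV


def dynamic_code(card_key, pan, unix_time, interval=REFRESH_SECONDS):
    """Code the card would display during the window containing unix_time.

    Assumed construction (not a vendor algorithm): HMAC-SHA-256 over the PAN
    and the window counter, truncated the way RFC 4226 (HOTP) truncates.
    """
    window = unix_time // interval
    message = pan.encode("ascii") + struct.pack(">Q", window)
    digest = hmac.new(card_key, message, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class ValidationServer:
    """Hypothetical issuer-side check of a presented dynamic code."""

    def __init__(self, card_keys, drift_windows=1, max_failures=3,
                 interval=REFRESH_SECONDS):
        self._keys = dict(card_keys)    # PAN -> per-card secret key
        self._drift = drift_windows     # tolerated clock drift, in windows
        self._max_failures = max_failures
        self._interval = interval
        self._failures = {}             # PAN -> consecutive failed attempts

    def is_locked(self, pan):
        return self._failures.get(pan, 0) >= self._max_failures

    def verify(self, pan, presented, now):
        key = self._keys.get(pan)
        if key is None or self.is_locked(pan):
            return False
        matched = False
        for step in range(-self._drift, self._drift + 1):
            when = now + step * self._interval
            if when < 0:
                continue
            expected = dynamic_code(key, pan, when, self._interval)
            # Constant-time comparison; no early exit on a match.
            if hmac.compare_digest(expected.encode(), presented.encode()):
                matched = True
        if matched:
            self._failures[pan] = 0
        else:
            # Only 1,000 possible codes exist, so guesses must be capped.
            self._failures[pan] = self._failures.get(pan, 0) + 1
        return matched


def demo():
    pan = "2123345656786789"  # the paper's example card number
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    t0 = 1_460_000_000        # constructed timestamp
    code = dynamic_code(key, pan, t0)
    wrong = str((int(code) + 1) % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)
    strict = ValidationServer({pan: key}, drift_windows=0)
    guesses = [strict.verify(pan, wrong, t0) for _ in range(3)]
    return {
        "code": code,
        "accepted_in_window": ValidationServer({pan: key}).verify(pan, code, t0 + 60),
        "wrong_guess_accepted": any(guesses),
        "locked_after_failures": strict.is_locked(pan),
        "good_code_while_locked": strict.verify(pan, code, t0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With only three digits, the expiry window limits how long a stolen code is useful, while the failure cap is what limits guessing.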

Static CVV is a three or four digit number which is part of the card and never changes. This code is typically found next to the signature panel on the back of the credit card. With dynamic CVV, this static number is replaced with a mini screen which displays a code which is dynamically generated and refreshed based on timing specified by the card issuer. An example of this refresh interval can be one hour. If the card information is stolen, this information will have little significance to the person possessing it, since the DCVV value would probably change by the time the card is being used (oberthur.com, 2014). Another provider of dynamic CVV cards is Gemalto, whose solution secures the traditional in-store purchases along with ATM withdrawals and e-commerce payments. It also has a mobile version, and the solution requires a validation server along with its associated services (gemalto.com, 2015).

Master Card PayPass

MasterCard introduced its PayPass technology in 2003 as an additional method to secure the physical card when used for card present or face-to-face purchases. The cards use a “challenge response” mechanism in which the terminal sends a challenge to the card and the card sends its “response”, which is the cryptographically calculated dynamic CVC3 code. When used for payments, each value is unique to a transaction and cannot be reused. More importantly, future values cannot be predicted, which in turn reduces the potential for fraud (MasterCard Worldwide, 2011).

Tokenization

Tokenization is considered to be the most secure method of processing payment data, as it replaces the card number with a randomly generated placeholder called a token. Because the token is randomly generated and does not rely on a specific algorithm, it is extremely difficult to regain the original card number. For example, a card with number 2123 3456 5678 6789 may have its token represented as EGHV234AUD54367. These tokens can be between 13 and 19 alphanumeric characters. In the case of Visa, a 16 character alphanumeric token is used, thus ensuring no changes are needed to the payment processing network (Jamieson, 2015). By itself, this number should be meaningless and have no value to criminals. Tokens come in various forms, of which the more popular ones are durable, transaction, customer facing and merchant, to name a few. Durable tokens are used to replace the customer’s credit card and
remain unchanged overtime, while transaction tokens are only once for the specific purchase (3 Delta Systems, 2016). Figure 4 below provides a high level overview of the tokenization process.

Figure 4. High level tokenization process (PCI Security Standards Council, 2011)
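The following added example (not part of the original paper and not any vendor's implementation) sketches the vault-based process in Python: a random token of 13 to 19 characters replaces the card number, a durable token stays the same over time, a transaction token can be redeemed once, and, as this section goes on to describe, a token is honoured only for the merchant it was issued to. The class and function names and the merchant identifiers are assumptions made for the illustration.

```python
import secrets
import string

TOKEN_ALPHABET = string.ascii_uppercase + string.digits


class TokenError(Exception):
    """A token was unknown, used outside its domain, or already spent."""


class TokenVault:
    """Hypothetical vault mapping random tokens back to card numbers."""

    def __init__(self, token_length=16):
        # The text gives 13 to 19 characters, 16 in Visa's case.
        if not 13 <= token_length <= 19:
            raise ValueError("token length must be between 13 and 19")
        self._length = token_length
        self._records = {}   # token -> {"pan", "merchant", "single_use", "spent"}
        self._durable = {}   # (pan, merchant) -> durable token already issued

    def _fresh_token(self):
        # Drawn from the OS CSPRNG: the token encodes nothing about the PAN,
        # so the only way back to the card number is a vault lookup.
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET)
                            for _ in range(self._length))
            if token not in self._records:
                return token

    def tokenize(self, pan, merchant_id, single_use=False):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        key = (pan, merchant_id)
        if not single_use and key in self._durable:
            return self._durable[key]          # durable tokens stay unchanged
        token = self._fresh_token()
        self._records[token] = {"pan": pan, "merchant": merchant_id,
                                "single_use": single_use, "spent": False}
        if not single_use:
            self._durable[key] = token
        return token

    def detokenize(self, token, merchant_id):
        record = self._records.get(token)
        if record is None:
            raise TokenError("unknown token")
        if record["merchant"] != merchant_id:
            raise TokenError("token presented outside its merchant domain")
        if record["single_use"]:
            if record["spent"]:
                raise TokenError("transaction token already used")
            record["spent"] = True
        return record["pan"]


def try_detokenize(vault, token, merchant_id):
    """Return the PAN, or None when the vault refuses the token."""
    try:
        return vault.detokenize(token, merchant_id)
    except TokenError:
        return None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "2123 3456 5678 6789"            # sample card number from the text
    durable = vault.tokenize(pan, "merchant-A")
    one_time = vault.tokenize(pan, "merchant-A", single_use=True)
    print("durable token:", durable)
    print("same merchant:", try_detokenize(vault, durable, "merchant-A"))
    print("other merchant:", try_detokenize(vault, durable, "merchant-B"))
    print("one-time, first use:", try_detokenize(vault, one_time, "merchant-A"))
    print("one-time, second use:", try_detokenize(vault, one_time, "merchant-A"))
```

A token copied from one merchant's database is refused when presented under another merchant's identifier, which is why a breached token store is worth far less than a breached card database.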

To ensure payment tokens are protected from misuse, a specific token is assigned to, and can only be used with, a specific merchant and/or channel. It is anticipated that these tokens will result in fewer data breaches at merchants and acquirers, as the token databases will be of less importance since the tokens are only relevant to specific domains (EMVCo, 2014). Efforts are also being made to eliminate the database or token vault component of the tokenization process, thus further increasing security and reducing the possible effects of a successful breach of an acquirer and/or merchant. Voltage Security has released its Voltage Secure Stateless Tokenization (SST) technology, which completely eliminates the need for distributed token vaults or traditional databases by creating one multi-use token which is used to replace each credit card number (Voltage Security, Inc.).

End-to-end encryption

End-to-end encryption can be defined as a method of protecting data as it traverses a medium, allowing only the two end points within the transaction to see the data in its unencrypted or clear text state (Williams, 2010). For most of the security solutions identified above, the Personal Account Number (PAN) continues to travel in the “clear” on the network. This means that if an attacker were to compromise a network and place a “sniffer” within the path the data travels, he or she would be able to see the data in its clear text format before it is stored in any database. This is the situation that occurred within the Heartland Payment Systems infrastructure. According to Cheney (2010), attackers broke into the Heartland Payment Systems network via a SQL injection vulnerability and then, rather than attack the data stored in the databases, installed sniffers which captured data for a period of six months as it traversed the network. As a result of this breach, Heartland identified end-to-end encryption as the technology best suited to address the risks to data in transit.

Varying views exist as to where the end-to-end encryption should begin. Some believe that this process should begin at the card itself via the chip or smart card, while others believe it should begin when the card is swiped at the Point of Sale (POS) terminal. As with all solutions, there are potential barriers to adoption. In the case of end-to-end encryption, some of the barriers relate to the cost and design of terminal hardware and the burden imposed by public key management, along with compatibility with legacy systems (MasterCard Worldwide, 2010).

Vendors such as MasterCard (2010) believe that encryption can never truly be end-to-end, since all encrypted data must be decrypted and then re-encrypted as transactions move through the processing system. Further, it is believed that even with end-to-end encryption there will be brief moments in which the points of decryption and the systems handling PANs in the clear would be unprotected from sophisticated attacks. The potential points of compromise introduced via the decryption and re-encryption mean that while this data is in the clear, it can be used for any purpose. In the short term, stop gap solutions such as encrypting data between the point of interaction and the acquiring host system are seen as viable for merchants. This stop gap solution may be the best solution at this time as, from MasterCard’s perspective, “the extension of end-to-end encryption across the entire transaction cycle is not a short-term prospect and probably not a strategically sound alternative to the full implementation of EMV Chip technology in the long term” (MasterCard Worldwide, 2010, p. 4).

Risk Based Authentication

Risk Based Authentication (RBA) is a multifactor authentication solution which strengthens traditional password-based systems by assigning levels of risk to each authentication request. Logins and other activities are evaluated in real time by tracking various risk factors associated with each access request, such as the existing password, the user’s device and recent account activity (RSA, 2013). Risk Based Authentication also allows issuers and cardholders to benefit from improved fraud detection, reduced fraud losses to issuers and quick checkout times, along with the potential elimination of the need for cardholder registration in some applications. MasterCard uses RBA with its SecureCode to give issuers the opportunity to examine every MasterCard SecureCode authentication which is presented and then passed to a decision matrix.

Typically greater than 80% of transactions would be considered as low risk and thus would require no further authentication, allowing the cardholder to proceed with the transaction uninterrupted. Because the issuer may have a transaction history for a cardholder, the issuer may be able to consider the transaction as low risk. Alternatively, about 15 – 18% of transactions would be considered as medium risk, which would force the user to perform additional authentication through methods such as a series of challenges or SMS OTP passwords. Less than two percent of transactions can be categorized as high risk. This would automatically result in a failed transaction for the cardholder (MasterCard Worldwide, 2011). Visa also leverages RBA via its Visa Consumer Authentication Service, allowing for real-time risk-based transaction analysis (pressreleases.visa.com, 2012).

Freeze It

While the above solutions address various methods of securing credit cards, none of them addresses the issue of lost, stolen or misplaced cards. Discover Freeze It was launched on April 15, 2015 and adds an additional layer of security protection, allowing Discover card members the opportunity to “freeze” or “unfreeze” their cards in the event of a card being lost, stolen or misplaced (discoverfinancial.com, 2015). Freeze It operates as an on/off switch for the credit card, allowing its owner to “turn off” the card and prevent it from being used for purchases, cash advances and balance transfers. This can be done via a mobile device, online or over the telephone, and the card owner is notified if a transaction was declined during the time the account was “frozen” (discoverfinancial.com, 2015).
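The two issuer-side controls described above can be combined in one authorization decision. The Python sketch below is an added example, not code from the paper or from any card network: it checks a freeze switch first, then scores a request and maps the score to the three outcomes of the decision matrix (proceed, step-up with a one-time code, fail). The risk weights, the cut-offs and all names are assumptions chosen for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed cut-offs for illustration; real issuers tune their own.
STEP_UP_AT = 30     # score at or above this requires extra authentication
DECLINE_AT = 80     # score at or above this fails the transaction


@dataclass
class Account:
    known_devices: set
    typical_amount: float
    home_country: str
    frozen: bool = False                       # the on/off switch
    notices: list = field(default_factory=list)


@dataclass
class Request:
    amount: float
    device_id: str
    country: str
    recent_failed_logins: int = 0


def risk_score(account, req):
    """Add up risk factors of the kind the text lists: device, activity, history."""
    score = 0
    if req.device_id not in account.known_devices:
        score += 40
    if req.amount > 5 * account.typical_amount:
        score += 30
    elif req.amount > 2 * account.typical_amount:
        score += 15
    if req.country != account.home_country:
        score += 25
    score += 10 * min(req.recent_failed_logins, 3)
    return score


def decide(account, req):
    """Return (action, score). The freeze switch is checked before any scoring."""
    if account.frozen:
        # The owner is told about transactions declined while frozen.
        account.notices.append(
            f"Declined {req.amount:.2f} while account was frozen")
        return "DECLINE_FROZEN", None
    score = risk_score(account, req)
    if score >= DECLINE_AT:
        return "DECLINE", score
    if score >= STEP_UP_AT:
        return "STEP_UP", score
    return "APPROVE", score


class OtpChallenge:
    """Single-attempt one-time code for the medium-risk step-up."""

    def __init__(self):
        self.code = f"{secrets.randbelow(10**6):06d}"
        self._used = False

    def verify(self, submitted):
        if self._used:
            return False
        self._used = True                       # burn the code on first attempt
        return hmac.compare_digest(self.code.encode(), submitted.encode())


if __name__ == "__main__":
    acct = Account(known_devices={"phone-1"}, typical_amount=50.0,
                   home_country="US")
    # Constructed sample requests.
    for req in (Request(40.0, "phone-1", "US"),
                Request(60.0, "laptop-9", "US"),
                Request(400.0, "laptop-9", "FR")):
        print(req, "->", decide(acct, req))
    acct.frozen = True
    print(decide(acct, Request(40.0, "phone-1", "US")), acct.notices)
```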

Consumer Transaction Controls (CTC)

Visa introduced Consumer Transaction Controls (CTC), which allow cardholders to set restrictions such as spending limits, impose channel restrictions such as no e-commerce, prohibit international transactions or temporarily suspend an account if the card is ever misplaced, lost or stolen. CTC helps to reduce fraud by integrating with the issuer’s authorization system to prohibit transactions that the cardholder chooses to block. When authorization is being performed, the issuer validates the transaction against a list of predefined customer spending criteria. Alerts can also be set up to monitor card blocks or used independently to monitor card security and/or account spending. These alerts can contain the transaction amount, time and date, alert type and the type of purchase, thus allowing the cardholder to take immediate action if he/she senses fraud. Another important feature of CTC is the ability to leverage “relationship cards”, which allow dependents, caregivers or other entities to have a secondary copy of the card that the primary cardholder can track and manage (Visa, n.d.).

Defense in Depth/Layered Approach

Defense in depth requires that security be built in at every layer of the transaction process. This can and should include physical security as well as logical security. Ultimately, addressing credit card security will require an approach which leverages a combination of the above identified solutions via defense in depth or layered security. Verifone (2015) recommends a multi-pronged approach which uses EMV, Encryption, Tokenization and a Secure Commerce Architecture as a method for securing the card payment process. This method represents the best alternative for mitigating fraud associated with credit cards, as it addresses the problem at various parts of the transaction. Similarly, First Data focuses on EMV along with Encryption and Tokenization as a method for mitigating card fraud (First Data, 2012).

Plasticless Alternative Payment Methods

Within the USA, for year 2003 the value of cash (banknotes and coin) issued was estimated to be around US$724.17 billion. For 2004, 2005, 2006 and 2007 the numbers were US$754.86, US$793.99, US$820.14, US$828.91 respectively (bis.org, 1999). According to ATM Marketplace (2011), through the period 2015 usage of cash within the USA was expected to decline by three percent, a total of around US $200 billion annually. For person-to-person transactions, it was projected that in 2015 there would be US$101 billion less cash spent than in 2010, a decline from 53 to 41%. A survey conducted by creditcards.com showed that in 2014 only 9 percent of American respondents chose to pay with cash. When compared to the 35% who prefer to pay with credit card and the 43% who choose to pay with debit card (creditcards.com, n.d.), it is clear that the transition from paperless to plasticless alternatives has begun and that “cash” is no longer king. According to the Federal Reserve System (2013), during the period 2009-2012 the number of checks in the USA declined by one billion. The decline reflects consumers’ replacement of checks with alternative payment methods. For the year 2012, there were 2.5 billion annualized bill payment transactions conducted via online banking or mobile banking applications.

From a plasticless alternative payment perspective, digital payment systems such as Android Pay, Apple Pay, Samsung Pay, PayPal, AliPay, BitCoins and Biometrics stand out. While each of these has its own strengths, each also has its weaknesses and barriers to adoption. Most of these plasticless alternative payment methods, however, attempt to leverage the ubiquitous nature of mobile phones and/or other mobile devices. Additionally, these devices leverage technologies ranging from Near Field Communication (NFC) emulation of cards via Secure Element (SE) or Host Card Emulation (HCE) to Bluetooth Low Energy (BLE), Magnetic Secure Transmission (MST) and Quick Response (QR) Codes. These underlying technologies also present different challenges for adoption. These challenges range from the requirement for infrastructure investment to user education and implementation, along with cost.

However, the biggest challenge is the enrollment and ID & verification of the cardholder whose account is being provisioned onto a mobile device (Jamieson, 2015).

Digital Payment Systems

Digital payment methods have been considered the most disruptive force the payment industry has seen in decades, according to Accenture (2015). There are a number of entrants currently vying for this space, with some of the more notable ones being AliPay, which dominates China, ApplePay, AndroidPay, SamsungPay, PayPal and more recent entrants such as CurrentC, which is backed by Wal-Mart, BestBuy and Target. Additionally, Mobile Network Operators (MNO) Verizon, T-Mobile and AT&T’s Softcard (formerly Isis), along with card providers such as ChasePay, MasterCard and Visa, automotive manufacturer Ford with its Ford Pay, and LG Pay via its White Card make for an interesting future with mobile payment technology and plasticless alternatives. As with any new technology, and as with EMV, there has been slow adoption of mobile payment technologies within the USA.

Figure 5. Mobile device being used to complete payment (Pozin, 2015)

The first impediment for mobile payment is having a smartphone and not just any mobile phone. While as of 2014, 87% of the USA adult population had a mobile phone, only 71% of those were considered smartphones. Of this 71% only 22% reported conducting a mobile payment during 2013 to 2014 (Board of Governors of the Federal Reserve System, 2015). Figure 5 above illustrates how a mobile phone is used when performing an in-person payment transaction.

While there is a large and still growing population of smartphone users, it is significant to note that one of the biggest reasons for low adoption is the limited acceptance of contactless payment and its infrastructure within the USA market. The first contactless card was introduced in the USA in 2004. However, various reasons including the convenience of magnetic stripe, minimal incremental spend and modest merchant uptake have led to its sluggish adoption rate (Smart Card Alliance, 2015). Accepting mobile payment via NFC, for example, requires a compatible Point-of-Sale (POS) terminal, and each terminal costs hundreds of dollars. At the beginning of 2015, there were millions of NFC payment terminals ready to accept payments globally. However, this number is small when compared to the 10s of millions of terminals which are available. In the United Kingdom (UK), for example, there were a total of 304,137 terminals which were owned by a bank in November 2015. This is an increase of 45.8% when compared to the previous year. At the same time, there were 127.5 million contactless transactions, a 219.8% increase over the previous year, for a value of $1.24 Billion Pounds Sterling, an increase of 238.3% from the previous year (The UK Cards Association Limited, 2015). From MasterCard’s perspective, the UK leads the way with contactless transactions, with the number of cards in circulation growing by 188% when compared and expenditures growing by 375% from Q4 2014 to Q4, 2015 (paymentscardsandmobile.com, 2016).

In Canada, contactless payment began to gain acceptance on the heels of EMV deployment. At the end of 2014, across categories such as pharmacy, grocery, QSR, etc., there was 80% penetration of contactless terminals across Canada, representing 10 to 20% of total transactions. Overall penetration of contactless terminals was around 30% (BMO, CIBC, RBC, Scotiabank, TD, National Bank of Canada, 2015). In other countries contactless payments have also taken off. In Australia, users have started to ditch traditional payment methods in favor of contactless payments. Additionally, during the period November 2013 to November 2014, contactless payments accounted for 60% of all debit card transactions, while Westpac reported that contactless payments were expected to reach Australian 3 billion by the end of 2015. Japan, with greater than 1 million NFC enabled POS, is the largest deployment in the world. More importantly, Japan had one of the fastest rollouts of technology in this space, with 47 million users in three years.

Poland, another hotbed for digital payment services, is already Visa’s largest market for contactless payments within Europe in terms of transaction volume. Contactless payment at POS already has a very high 75% support (Ray, 2015). However, plans are already in place for all terminals to support contactless payment methods by the end of 2017. In Singapore, it is becoming more common to pay with a wave of a card over a reader as more cards are rolled out and more merchants come onboard. In Taiwan, there are over 900,000 thousand contactless transactions per month, with the top five telecom providers heavily promoting NFC enabled mobile transactions and payments. Across major stores, taxis, restaurants, malls and movie theaters, there are over 24,000 contactless terminals. It is also important to note that Taiwan has strong contactless infrastructure in place and a long record of NFC trials. Turkey also has strong contactless support, with 60,000 POS terminals fitted with contactless readers (Ray, 2015).

While the rest of the world has moved forward with contactless payments and infrastructure, and even with the immediate concern pertaining to the lack of contactless supporting infrastructure within the USA, the number of terminals is expected to grow in the USA as merchants continue to replace their terminals in order to comply with the EMV mandate (Deloitte, 2015). Importantly also, nearly all large US merchants had either begun or completed conversion to chip enabled terminals. Terminal providers also state that nearly all terminals being shipped at present support NFC. This will also contribute towards the speedy growth of the contactless payment ecosystem (aitegroup.com, 2015).

From a comparative perspective, and according to BNY Mellon (2014), mobile payments in Africa outpaced those from holders of bank accounts, with Kenya emerging as a regional leader. Similarly, China was projected to have a mobile payment market valued at $84 Billion at the end of 2015. This number is up from $7.6 Billion in 2012. The Chinese market is expected to double in size each year (BNY Mellon, 2014). The USA mobile payment market is expected to reach $142 Billion by 2019, which is up from $52 Billion in 2014 (Forrester, 2014). Overall, it is estimated that the mobile payment market will total up to $117 Trillion by 2017 (Goliya, 2015). Importantly also, most of the components to enable mobile payments have already been falling into place over the past few years. By purchasing apps, downloading songs or even purchasing cloud storage, users have already been providing this information to a range of vendors (Deloitte, 2015).

Mobile payments typically leverage NFC enabled smartphones, which take advantage of NFC compatible point-of-sale terminals (Consumer Action, 2015). However, some vendors have chosen to use technologies such as MST, Bluetooth and/or QR Code, either in conjunction with NFC or by themselves.

Apple Pay. Launched in October 2014, Apple Pay is Apple’s mobile payment app, which is considered to be a secure, simple, safe and more useful & private way to pay. Your card details are never shared when you use the app and in fact are not even stored on your device when using the Apple Pay app via an iPhone, Apple Watch or iPad. Using Apple’s Touch ID or by double clicking on the screen, and using the NFC antenna in the iPhone 6 and 6s, a user can make a payment without opening an app or waking the display. Credit card numbers are not stored on the device, and when a payment transaction is being performed, card numbers are not sent to merchants; instead a unique number (token) is sent, ensuring purchases are safe and secure. Users can add their existing iTunes credit card to Apple Pay by simply entering the card security code (apple.com, n.d.). Additionally, a user can use the phone’s camera to capture the information on the credit, debit or store card, then fill in any additional information needed (support.apple.com, n.d.).

Apple Pay can be considered very secure, as it does not store the actual card numbers on the phone but instead assigns each card a unique device account number, which is encrypted and securely stored in the phone’s Secure Element (SE), a dedicated chip which can be found in the iPhone, iPad and Apple Watch. When purchases are made, the device account number along with a transaction specific code is used for processing of that payment, so your actual card number is neither shared with the merchant nor transmitted with your payment. Additionally, every transaction on an iPhone or iPad requires the usage of Touch ID or a passcode, while an Apple Watch must be unlocked. This ensures only the owner of the device can make payments. If your device is lost or stolen you can suspend Apple Pay or alternatively wipe your device remotely using Find My iPhone (apple.com, n.d.).
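Both the PayPass “challenge response” code described earlier and the device account number with its transaction specific code rest on the same idea: a value computed per transaction that cannot be reused or predicted. The Python sketch below is an added example, not code from the paper, MasterCard or Apple; it uses HMAC-SHA-256 as a stand-in for the real algorithms, and the class names, message layout and the token value are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def transaction_code(key, token, atc, unpredictable_number, amount_cents):
    """Dynamic code over the terminal's challenge, a counter and the amount.

    HMAC-SHA-256 is a stand-in chosen for this example; it is not the
    algorithm used by CVC3 or by any wallet.
    """
    message = (token.encode() + atc.to_bytes(2, "big")
               + unpredictable_number + amount_cents.to_bytes(6, "big"))
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:16]


class PaymentDevice:
    """Stands in for the chip or secure element; it holds a token, never the PAN."""

    def __init__(self, token, key):
        self.token = token
        self._key = key
        self._atc = 0                     # transaction counter, never reused

    def respond(self, unpredictable_number, amount_cents):
        self._atc += 1
        return {"token": self.token, "atc": self._atc,
                "code": transaction_code(self._key, self.token, self._atc,
                                         unpredictable_number, amount_cents)}


class Issuer:
    """Holds the per-token key and the highest counter accepted so far."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def provision(self, token):
        key = secrets.token_bytes(32)
        self._keys[token] = key
        self._last_atc[token] = 0
        return PaymentDevice(token, key)

    def authorize(self, response, unpredictable_number, amount_cents):
        """Recompute the code from the terminal's own challenge and amount."""
        key = self._keys.get(response["token"])
        if key is None:
            return "rejected: unknown token"
        expected = transaction_code(key, response["token"], response["atc"],
                                    unpredictable_number, amount_cents)
        if not hmac.compare_digest(expected, response["code"]):
            return "rejected: code mismatch"
        if response["atc"] <= self._last_atc[response["token"]]:
            return "rejected: counter replay"
        self._last_atc[response["token"]] = response["atc"]
        return "approved"


def new_challenge():
    """Terminal side: a fresh unpredictable number for each transaction."""
    return secrets.token_bytes(4)


if __name__ == "__main__":
    issuer = Issuer()
    device = issuer.provision("DEVICE-ACCT-0001")   # constructed token value
    challenge = new_challenge()
    response = device.respond(challenge, 1250)
    print("first presentation :", issuer.authorize(response, challenge, 1250))
    print("same message again :", issuer.authorize(response, challenge, 1250))
    print("replayed elsewhere :", issuer.authorize(response, new_challenge(), 1250))
```

The merchant only ever handles the token, the counter and the code; a captured response fails at a terminal that issued a different challenge and fails on the counter check if the same challenge is somehow repeated.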

During the first 72 hours of its launch, a total of 1 million cards were registered (Bailey, 2014). However, as of October 2015, while growth was continuing, it had slowed (Reuters, 2015). Among iPhone 6 and 6 Plus users, the share of persons using their iPhone to leverage Apple Pay as of October 2015 was only 16.6%. This was an increase of only 5.6% when compared to November 2014, which was at nine percent. When asked why they were not using Apple Pay, most persons stated they were comfortable with their current payment method. However, this was closely followed by persons not knowing how Apple Pay works. Persons who do use Apple Pay at checkout felt that, from an ease of use perspective, Apple Pay was about the same as their traditional payment methods (pymnts.com, n.d.) (see Figure 6).

Figure 6. Adoption rate of Apple Pay (pymnts.com, n.d.).

Apple Pay faces some of the same problems as other payment systems, namely malware targeting the OS, lost and/or stolen devices, etc. From a malware perspective, Apple iOS may be more resilient because it is closed source, making it unlikely for malicious software to be introduced into the ecosystem. By leveraging the Touch ID (fingerprint) feature, the risk of authorizing fraudulent transactions will be significantly reduced, especially those associated with phishing. This same level of protection would not be available for “jailbroken” phones, which allow unverified apps that can intercept Apple Pay transactions (trendmicro.com, 2015).

Importantly, inadequate customer identification and verification (ID&V) may result in an increased incidence of account takeover fraud, as was highlighted in March 2015. A vulnerability in the Apple Pay registration process allowed malicious users to register card accounts which were obtained from past retail breaches with the Apple Pay payment system (Broderick, 2015). Finally, while the number of merchants who accept Apple Pay and other contactless payment methods continues to grow, this number is still significantly small when compared to the actual contact based terminals which are deployed. However, this situation is already starting to change, as can be seen with the most recent announcement by ExxonMobil (2016) that it now accepts Apple Pay at more than 6,000 Exxon and Mobil branded retail stores. This number is expected to jump to more than 8,000 by mid-year.

Android Pay. Google rolled out its Android Pay in September 2015 to more than 1 million stores in the USA (officialandroid.blogspot.ca, 2015). The Android Pay app comes preinstalled on Android phones with versions 4.4 or greater and allows for the storage of an unlimited number of gift, credit, loyalty and debit cards in the app. Android Pay leverages NFC’s Secure Element (SE) as well as Host-based Card Emulation technologies as part of its mobile payment solution. Introduced in Android 4.4, Host-based Card Emulation (HCE) is a card emulation method which does not leverage the NFC Secure Element and allows an Android app to emulate a card and talk directly to the NFC reader (developer.android.com, n.d.). Whereas in the SE all card information and credentials are stored in the hardware-based SE, HCE allows this information to be stored anywhere other than the SE. One typical location for this data to be stored is in the “cloud”. Other locations where this data can be stored include either a trusted execution environment or a virtual software-based infrastructure on the mobile device. In the case of Android Pay, it leverages the cloud for storing cards and credential information. One of the challenges involved with leveraging the cloud instead of the SE is that real-time retrieval from the cloud may pose a challenge, as network latency may result in poor network performance (smartcardalliance.org, 2014). Host Card Emulation is currently being supported by card providers such as MasterCard (newsroom.mastercard.com, 2014) and Visa via its payWave-enabled accounts (investor.visa.com, 2014).

While HCE has its advantages, it also has some disadvantages. The primary disadvantage of this emulation method is that your data is being stored in the cloud, thus making it owned and/or controlled by a third party other than yourself or your issuing institution. More importantly, an application which is running on the mobile OS is much more exposed to attacks than an applet which is running within the SE, and the risk associated may be too high for payments. Utilizing cryptography, software tamper proofing and encryption along with device fingerprinting may assist in mitigating the effects of attacks targeting the underlying OS. Ultimately, techniques such as tokenization, geolocation, device fingerprinting, strong user authentication and risk scoring, along with storage of credentials in a TEE or SE, may assist in mitigating any security concerns associated with HCE (smartcardalliance.org, 2014). While Android Pay primarily leverages HCE, it also leverages the device memory in order to complete some offline purchases (Consumer Action, 2015).

Once the user has the Android Pay app installed, he or she can either enter the credit card information needed for verification or in some cases take a picture of the card using the phone’s camera. Android Pay leverages tokenization, in which virtual numbers are assigned to each card (Consumer Action, 2015). This means that during a transaction, the actual card number is not transmitted to the merchant. Additionally, Android Pay encrypts and stores all payment data on Google servers. In order to use Android Pay, a screen lock must be set up on your phone for additional security (Consumer Action, 2015). However, it must be noted that while as of April 3, 2015 less than 1% of Android devices were affected by potentially harmful apps (Constantin, 2015), the number of malicious mobile apps targeting Android stood at 97% as of June 2015 (Millman, 2015). These numbers should obviously be a cause for concern, and as a result mobile phone users need to take extra effort towards ensuring their system is secured by installing, where possible, anti-malware applications such as antivirus, antispyware, etc.

By 2019, it is anticipated that globally Android will have a mobile operating system market share of 82% according to Statista (2016); this consists of vendors such as Samsung, HTC, Sony, etc. (see Figure 7 below). It can be expected that malicious actors will target this OS more, as was previously identified with 97% of malicious mobile apps targeting Android. This challenge becomes greater when one considers that it is much more difficult to upgrade devices running older operating systems, as the Android market is very fragmented (Sawers, 2015).

Figure 7. Mobile operating system market share (statista.com, 2016).

According to Kharif (2015), banks and retailers are expected to take on Apple Pay and Android Pay by competing for a portion of the projected $210 billion dollars which is expected to be spent on transactions made by tapping a phone in 2019. It is also expected that before the end of 2016, each of the top 11 issuers of credit and debit cards will have their own version of Pay. This shift may have already started with the Capital One mobile app, established as the Capital One Mobile Wallet app, which runs on Android & iOS. Capital One’s app also leverages Apple Pay, and the most recent version was actually designed with Apple Pay in mind (Capital One, n.d.). From a security perspective, Capital One uses its SureSwipe technology, which allows users to sign in to the mobile app with a quick custom pattern rather than an alphanumeric password (Capital One, n.d.).

MasterCard also has Mobile PayPass, which leverages the global interoperability and security of EMV along with existing NFC PayPass and can be used at both PayPass M/Chip 4 and PayPass magnetic stripe terminals. Additionally, Mobile PayPass leverages the secure element on the mobile phone to secure the payment credential. Mobile PayPass uses three ways to make fast and secure payments. Low value transactions are completed similarly to those of a regular PayPass enabled card. However, for transactions of a higher value a Personal Identification Number (PIN) is used in combination with the tap as a method to reduce fraud risk (MasterCard Worldwide, 2012). MasterCard’s Mobile PayPass leverages “tags”. These tags are tiny stickers that attach to the back of a mobile phone and provide the same protection as that provided by PayPass cards while being fast and secure (mastercard.ca, n.d.).

Samsung Pay. Launched in September 2015, Samsung Pay is believed to be better than Apple Pay and Android Pay because of its support for older retail terminals. Samsung Pay uses both NFC and Magnetic Secure Transmission (MST) to transmit payment information. By supporting both NFC and MST, Samsung Pay is able to work at almost all retailers who have a terminal, and there is no need for them to invest in technology to upgrade their infrastructure to support this additional payment method (Cipriani, 2015). MST emits a magnetic signal which mimics the magnetic stripe on a traditional credit card. When using Samsung Pay with a terminal that supports MST, the MST technology sends a magnetic signal from the mobile device to the payment terminal’s card reader. This allows it to emulate swiping a physical card at the terminal without having to upgrade the terminal software and/or hardware.

As with the other mobile payment solutions, Samsung Pay also leverages tokenization, which allows it to keep payment information private and secure. MST is considered to be more secure than traditional payment methods while being as secure as paying with NFC (samsung.com, n.d.). However, because this transaction is still considered a magnetic stripe transaction, if there is fraud as a result of this transaction the merchant would still be responsible, as the liability shift has been in effect since October 2015 (Jamieson, 2015). In order to perform a transaction, a user must first register the card by scanning it with the phone, accept the terms of service and then finally enter a verification code to confirm the card ownership. Once this is completed, all that is needed to authorize a transaction is for the user to place their finger on the home button for fingerprint authorization (Cipriani, 2015). A key advantage of MST, similar to NFC, is its reduced risk of identity theft and card fraud. The requirement for MST to be in close proximity to the terminal to complete a payment means that it is also difficult to intercept card information, while lessening the interaction between the cardholder and a second or third party (Pineda, 2015).

The most important difference, and ultimately the advantage, between Samsung Pay and its competitors’ payment methods is that no upgrade is required for existing terminals.

Samsung Pay recently reached a milestone of about 5 million registered users, processing over 500 million dollars within its first 6 months, with its strongest adoption rates within the USA and South Korea. During 2016 Samsung Pay is expected to continue its expansion in China, followed later in the year by Australia, Brazil, Singapore, Spain and the UK. Samsung is also expanding its partnership with major banks and partners in the aforementioned countries, along with major card networks such as American Express, Master Card, Visa and China Union Pay (Samsung, 2016).

AliPay. Founded in 2004, AliPay has grown to become the online payment processing leader in China, processing 80 million transactions per day, which includes processing of 45 million transactions via its AliPay Wallet app (Shih, 2014). With over 300 million users and an average daily transaction rate of 80 million transactions, AliPay commanded 83% of China’s third-party mobile payment market share as of 2014. Its mobile app AliWallet had 190 million active users. Walmart’s acceptance of AliPay mobile payment across its chain of stores in China (Boden, 2015), along with AliPay handling 40 types of social services and public sector transactions, which include paying medical bills, traffic tickets, local security and provident fund queries, booking appointments at marriage registration offices and renewing exit-entry permits for Hong Kong and Macao (Feifei, 2016), bodes well not only for AliPay but also for mobile payment technologies in general. It is believed that AliPay will grow towards becoming a more integral part of people’s lives, as it will be used to access even more government and social public services in the future (Feifei, 2016). For 2015, 65% of online payment transactions in China were done via a mobile device as compared to 49% in 2014 (Waring, 2016).

AliPay’s recent partnership with Uber also further deepens its mobile services, allowing Uber China customers to pay their fare using Uber when they are out of the country (Russell, 2016).

The significance of AliPay’s effect on the mobile payment market can be seen from its AliPay Wallet, which was used to transfer a total of RMB 4 billion in cash, an amount equivalent to US$642 million, within the 24-hour period of the Chinese New Year’s Eve. This number is up significantly when compared to the RMB 200 million or US$32.1 million which was transferred during the 7-day period of the Chinese New Year the year before (Millward, 2015). AliPay allows users to use either QR Code or NFC. However, the QR Code technology is more popular in China. Unlike some of the other payment providers, AliPay goes beyond the typical retail purchases by also allowing payment at some vending machines, subway stations and cabs in addition to some retail stores (McDermott).

While many believe in the potential of Near Field Communication (NFC), in places like Europe it has not yet taken off for face-to-face transactions as the infrastructure is not in place. Using QR Codes for payments relies less on physical infrastructure (A.T. Kearney Korea LLC, 2013). Originally invented to track automotive parts in manufacturing plants, QR Codes have found their way into many different processes and technologies including payments. QR Codes are two-dimensional matrix bar codes which encode information in both the vertical and horizontal directions. To read the data, an image of the code is captured with the smartphone camera and then QR Code reader software decodes the image. When used in mobile payments, the QR Code is referred to as “one-click”, and after scanning the QR Code the user is redirected to an intermediate payment agent (Krombholz, et al.). An example of where mobile is not just the mobile phone is Google Glass’s usage of QR Codes (support.google.com, n.d.).

From a security perspective, QR Codes have been abused as an attack vector by social engineers. Attackers encode malicious links into these codes that may lead to malicious sites
which allow execution of malicious code. Additionally, an attacker can modify selected modules from white to black and vice versa, which will result in an override of the originally encoded content. Of significant importance is that most of the QR Code readers which are available for Android were not able to detect phishing attacks. However, steps such as the usage of digital signatures may contribute to mitigating this risk (Krombholz, et al.).

PayPal. Founded in 1998, PayPal has been at the forefront of plasticless alternative payment methods. For 2015, a total of 28% of PayPal’s 4.9 billion payments were done via a mobile device. With 179 million customers, PayPal’s ecosystem creates a secure system for conducting business either online, in-store or on mobile devices. PayPal is available in over 200 countries, allowing payments in more than 100 currencies (paypal.com, n.d.). PayPal’s acquisition of Paydiant (paydiant.com, 2015), along with its focus on “New Money”, allows it to leverage the ubiquity of the mobile phone to do things faster, easier, more securely and less expensively, while leading transformation across the financial system. Through New Money, PayPal intends to enable faster, simpler and more inclusive ways for managing and moving money with “One Touch”, without having to enter credit card information, shipping and billing address, or typing logins or passwords (Fisher, 2016).

From a security perspective, Paydiant leverages tokenization, saving all data in the cloud, and does not store any account or sensitive information on the mobile device. All communication is encrypted, while the data encoded in the token is in no way tied to the customer. Additionally, by leveraging fingerprint technology, Paydiant ensures only authorized usage of the mobile device. More importantly, in the case of a lost mobile device, users can deactivate their mobile wallet without the need to notify the card issuer, as all data is stored securely on Paydiant’s servers.
Transaction tokens are only valid for one transaction and are never tied to the actual transaction or representative of the transaction. By leveraging multiple levels of consumer authentication, the device and their card information, along with not displaying card data even as a token, security for this transaction has been drastically improved (paydiant.com, n.d.). From a payment technology perspective, Paydiant’s solution leverages QR Code, Bluetooth Low Energy (BLE) and NFC communication. This allows Paydiant to support almost any last-inch physical medium (paydiant.com, n.d.).

ChasePay. ChasePay was launched on October 26, 2015 and was presented as a better payment experience for in-store, in-app and online purchases. Chase started off by partnering with some of the world’s largest merchants, namely Walmart, Target, Best Buy and Shell, which are all members of the Merchants Customer Exchange (MCX). With Chase’s 94 million customer base, it is expected to improve customer experience while driving down cost. Like most other mobile payment methods, Chase Pay leverages tokenization, which makes the process secure, and will work on virtually all smartphones (chasepay.com, 2015). Customers will be able to pay at gas stations or drive-throughs with their smartphone. An interesting feature of Chase Pay is the ability to take a picture of a receipt and pay with Chase Pay. Considering that 50% of US households are Chase customers and that Chase is number 1 in credit and debit card volume within the USA, with $707 billion in sales in 2014, it is expected that Chase will leverage this base to grow its mobile payment service. Chase Pay leverages Quick Response (QR) Code technology (chasepay.com, 2015).

LG Pay “White Card”. LG Pay White Card is shaped similar to a regular credit card, but its aim is to store multiple credit cards within this one card (see Figure 8).
Working with the knowledge that older people may not be as comfortable with mobile payments, LG is targeting this payment solution towards the older population, as they tend to spend more money than others. With LG Pay, card companies can manage everything as the transactions do not go through LG servers (etnews, 2016).

Figure 8. LG Pay “White Card” (etnews, 2016).

Adoption Rate of Alternative Digital Payment

Digital payments as a group are expected to account for up to 60% of total transactions in 2017, which is up from 43% in 2012, with mobile payments expected to take up to 70% of that market share. This growth rate varies by region and within countries, with the USA and UK generally using the more traditional methods of credit or debit card. Alternatively, significant growth is being seen within the Middle East and Africa with 66% and Asia Pacific with 63% (GP Bullhound LLP, 2014). Within the North America market, there were about 18% or about 72 million mobile payment users in 2015. Within Europe this number was around 13.7%, with Asia Pacific, Africa, Latin America and the Middle East coming in at 37.3, 24.8, 4.1 and one percent respectively. This continued growth is expected to be significant, with the majority of this growth coming from the Asia Pacific region but with a far higher percentage coming from the USA and Europe (McDermott).

More importantly, mobile payments tend to be very effective in serving the underdeveloped regions around the world. China’s Tibet region had 83% of its online transactions done via a mobile device. Similarly, Guizhou, Gansu, Shaanxi and Qinghai provinces were at 80% (Shuang, 2016). This transformation is much the same in India and Kenya, where mobile is literally transforming the market. Another example of the potential for mobile payment and how mobile technology serves the underserved is Pakistan, where there are 140 million mobile phone subscribers even though there are only 37 million bank accounts. In the case of Haiti, less than one percent of the population have access to loans, yet greater than 85% of the population have access to mobile phones. In Kenya, 75% of the population have a mobile phone, with 85% of them using it for mobile payments and or banking (McDermott).

It is also very important to understand that, in a world which is moving towards the Internet of Things (IoT), a mobile device will refer not only to mobile phones but also to watches, glasses and or anything that connects to the Internet and or provides the ability to make a payment. However, ultimately the acceptance rate of consumers will depend on mobile payment solutions being able to convince card users to leave their wallets at home while also sharing their card data details with different providers (McDermott).

Security Concerns of Digital Payment Methods

While these systems may have individual security built in, the underlying NFC technology by itself does not guarantee security, and the applications are required to take care of the security concerns. However, NFC does a pretty good job of mitigating and addressing some of the security concerns associated with mobile payments.
First, NFC’s short communication range of less than 4 centimeters ensures that users have knowledge of the person or device they are interacting with, thus reducing the possible effects of any type of eavesdropping or person-in-the-middle attack. Additionally, the close proximity or “tapping” requirement for NFC enabled devices makes it very difficult to “skim” while also reducing the possibility of eavesdropping. Additionally, mobile phone providers should ensure that once the screen is locked, the NFC component is disabled (Cavoukian, 2011).

Of greatest significance is that the transaction is dynamic in nature and can be used one time only and for that specific transaction. Thus, if someone was able to intercept the data while a contactless transaction is being performed, the intercepted data cannot be used for creating a counterfeit card. However, it is important to note that since the Primary Account Number (PAN) and expiry date are still transmitted in the clear, it is possible this data can be used for a CNP transaction (Jamieson, 2015).

The most significant security concern around NFC is not so much an NFC issue but a mobile phone issue. No amount of encryption or application software would be able to protect a consumer from a lost or stolen phone. This is an important factor as, according to Consumer Reports (2015), 5.2 million Americans had their phones stolen or lost in 2014; this number is up from 2013, when 4.5 million phones were lost and or stolen. To mitigate the effects of a lost or stolen phone, users should ensure their phone’s lock screen is password protected. If someone loses a mobile phone that is encrypted and has a password protected lock screen, the chances of someone gaining the owner’s information are far less (nearfieldcommunication.org, n.d.). Ultimately, in some cases using a mobile device may be safer than carrying a card.

Another concern surrounding mobile payments relates to inadequate customer identification and verification, which may result in increased incidence of account takeover fraud. This was best highlighted by the vulnerability identified in March 2015 which exposed Apple Pay to fraud.
The vulnerability allowed malicious users to register card accounts which were obtained from past retail breaches with Apple Pay. From the perspective of the Apple Pay security concern, this vulnerability was really a failure of the bank’s authorization process, which failed to cancel the cards prior to them being used in Apple Pay. This vulnerability has been mitigated at this time (Broderick, 2015).

According to Jamieson (2015), being able to truly confirm a customer’s ID will become a critical component of the entire process, since even though the mobile apps may have the best security, the potential still exists for fraud risk. An example of this is the case of a weak process for user validation in which a stolen card or card number may be used to register a card in the mobile app. Once successful, the stolen card can be used to conduct transactions without any restrictions. This can possibly go on until the legitimate user detects the fraud. A strong identification and verification process is essential to ensuring that these scenarios do not exist and or are mitigated. Additionally, any payment credential request should be sent to the issuer of the credential to review and not to the mobile app provider. Leveraging additional data such as device information, mobile payment application ID, and information relating to the verification method such as passcode or fingerprint would also help to improve the identification and verification process (BMO, CIBC, RBC, Scotiabank, TD, National Bank of Canada, 2015).

Finally, while not so much an issue with NFC, mobile phone app or user identification and verification (ID&V) security, the underlying operating system (OS) which powers the phone should also be considered, as it has the potential of introducing malicious software (i.e. viruses, spyware, etc.) which may be able to retrieve information from the mobile phone and or the apps that may compromise the owner’s information. The amount of mobile malware continues to grow, with a 61% increase in the number of attacks within the period 2014-2015.
These attacks target both Android and iOS device users (Baheri, 2016).
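
The one-time property of contactless transaction data described in this section, as an added example that is not part of the original paper: the card computes a cryptogram over a counter, the amount and a terminal challenge, and the issuer declines anything replayed or forged. HMAC-SHA256 stands in for the real cryptogram algorithm, and the class names, field names and test values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumptions (not from the paper or the EMV specification): HMAC-SHA256
# truncated to 8 bytes stands in for the card's cryptogram algorithm, and all
# names are illustrative. PAN, expiry and challenges are constructed values.


@dataclass(frozen=True)
class TapMessage:
    pan: str           # transmitted in the clear
    expiry: str        # transmitted in the clear
    counter: int       # per-card transaction counter, rises on every tap
    cryptogram: bytes  # MAC binding counter, amount and terminal challenge


def compute_cryptogram(key: bytes, pan: str, counter: int,
                       amount_cents: int, challenge: bytes) -> bytes:
    """MAC over the values that make each tap unique."""
    data = f"{pan}|{counter}|{amount_cents}|{challenge.hex()}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Holds a secret key that never leaves the chip or secure element."""

    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan, self.expiry = pan, expiry
        self._key = key
        self._counter = 0

    def tap(self, amount_cents: int, challenge: bytes) -> TapMessage:
        self._counter += 1
        mac = compute_cryptogram(self._key, self.pan, self._counter,
                                 amount_cents, challenge)
        return TapMessage(self.pan, self.expiry, self._counter, mac)


class Issuer:
    """Shares each card's key and remembers the highest counter accepted."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def issue_card(self, pan: str, expiry: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_counter[pan] = 0
        return Card(pan, expiry, key)

    def authorize(self, msg: TapMessage, amount_cents: int,
                  challenge: bytes) -> str:
        """amount_cents and challenge are the terminal's own values."""
        key = self._keys.get(msg.pan)
        if key is None:
            return "DECLINED: unknown card"
        expected = compute_cryptogram(key, msg.pan, msg.counter,
                                      amount_cents, challenge)
        if not hmac.compare_digest(expected, msg.cryptogram):
            return "DECLINED: cryptogram mismatch"
        if msg.counter <= self._last_counter[msg.pan]:
            return "DECLINED: counter already used"
        self._last_counter[msg.pan] = msg.counter
        return "APPROVED"


def run_scenarios() -> dict:
    issuer = Issuer()
    card = issuer.issue_card("4111111111111111", "12/19")
    c1, c2, c3, c4 = (bytes.fromhex(h) for h in
                      ("a1b2c3d4", "0badf00d", "5eed5eed", "c0ffee00"))

    # 1. Genuine tap; assume an eavesdropper records the whole message.
    captured = card.tap(2500, c1)
    results = {"genuine": issuer.authorize(captured, 2500, c1)}

    # 2. Recorded message offered for a new purchase: the terminal's fresh
    #    challenge differs, so the old cryptogram no longer verifies.
    results["replay_new_challenge"] = issuer.authorize(captured, 2500, c2)

    # 3. Recorded message resubmitted unchanged: the MAC verifies, but the
    #    issuer has already consumed that counter value.
    results["replay_same_message"] = issuer.authorize(captured, 2500, c1)

    # 4. A counterfeit built from the clear-text PAN and expiry has no card
    #    key, so its cryptogram cannot match.
    fake = Card(captured.pan, captured.expiry, secrets.token_bytes(32))
    results["counterfeit"] = issuer.authorize(fake.tap(2500, c3), 2500, c3)

    # 5. The genuine card still works: its counter has moved forward.
    results["next_genuine"] = issuer.authorize(card.tap(990, c4), 990, c4)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22} {outcome}")
```

The PAN and expiry still travel unprotected inside `TapMessage`, which is the residual card-not-present exposure noted above.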

Crypto Currency

Crypto Currency or Virtual Currency are names used for this segment of plasticless alternative payment technology which relies on cryptography. Crypto currency can be considered as a currency which relies on cryptography to generate the currency and validate the transactions. It operates in a decentralized manner via a peer-to-peer network, eliminating the need for a central authority such as banks. These currencies are considered private and anonymous in nature and are stored in digital wallets, while also being a fast, convenient and guaranteed way to transfer funds around the world without going through a financial institution (CryptEX, n.d.). With a market capitalization of over US$5 billion (coinmarketcap.com, 2016) as of February 7, 2016, Bitcoin is by far the largest provider of crypto currency and thus crypto currency is typically associated with Bitcoin. Its next two competitors, Ripple and Ethereum, have market capitalizations of US$283 million and US$227 million respectively.

While currently a niche technology, virtual currency as a plasticless alternative is also an area which can see significant future growth. Mobile payments may have a relatively easier path to becoming an accepted and standard payment method; however, the same may not be true for virtual currencies. Similarly, while almost all (if not all) countries of the world have legislation for dealing with physical currency, most of them currently do not have any for dealing with virtual currency. With this consideration, there are however a small number of countries, notably China and Brazil, which have enacted legislation which specifically addresses virtual currencies. Figure 9 below provides a representation of bitcoin.

Figure 9. Image of Bitcoin representation (cryptocoinsnews.com, n.d.)

In the case of Brazil, it enacted Law No. 12865 which among other things allows for the creation of virtual currencies, including bitcoins (Library of Congress, 2015). In the case of China, the Central Bank along with other government ministries and commissions have issued the Notice on Precautions Against the Risk of Bitcoins (Library of Congress, 2015). While no formal laws have been enacted in Europe, in Skatteverket v David Hedqvist (2015) the court stated that transactions to exchange traditional currencies for units of the ‘bitcoin’ virtual currency (and vice versa) constitute the supply of services and that these transactions are exempted from Value Added Tax (VAT). Russia recently introduced a draft code proposing to introduce criminal and administrative punishment for money surrogates such as crypto currencies (forklog.net, 2015).

The biggest impediment to virtual currency becoming ubiquitous as a plasticless alternative is the risk, whether real or perceived, that is involved with mining such currencies. Mining in this case refers to a network of computers which synchronize transactions to create
hashes which are a variant of data structures called blockchains. These transactions are repeated until one is found with a low enough numerical value (Rosenfeld, 2011). According to the Consumer Financial Protection Bureau (2014) Consumer Advisory, some of these risks include being hacked, fewer protections in comparison to a bank or credit card, along with it being used for scams by fraudsters. Additionally, virtual currency can be more expensive to use than cash or credit card. More importantly, virtual currency can still be considered as experimental, and if you lose your private keys, you basically lose all your funds. There is no resetting of passwords, etc. to help you recover those funds.

This loss of funds can have serious implications, as was seen with the bankruptcy filing of the Mt. Gox bitcoin exchange. Mt. Gox was reported to be the world’s largest bitcoin exchange. Its bankruptcy resulted in the loss of a reported $484.7 million, with an additional 850,000 bitcoins being lost allegedly by hackers (McMillan, 2014). This loss also adds to speculation that Bitcoin is a Ponzi scheme or a pyramid scheme, as perceived by O'Brien (2015). More importantly, given that Bitcoin Foundation board members stated that it is “effective bankrupt” (Farivar, 2016), that the Securities and Exchange Commission (SEC) charged Trendon T. Shavers of Bitcoin Savings and Trust (BTCST) with running a Ponzi scheme which consisted of 700,000 bitcoins at a value of $60 million (SEC, 2013), and that the SEC ultimately issued an investor alert for Ponzi schemes using virtual coins (SEC Office of Investor Education and Advocacy), it is clear that the risks associated with bitcoins may just be too many for some.

As there are negatives with plasticless alternatives like virtual currencies such as Bitcoins, so also are there positives.
Some of the benefits expected from virtual currencies include increased privacy via a pseudo-anonymous system, lower cost per transaction since there are no third-party intermediary, along with less of an impact of inflation on purchasing power
since there is no central government or bank to control the currency (Murphy, Seitzinger, & Murphy). As a sign of confidence, companies such as Microsoft, Dell and Expedia have stated that they accept Bitcoins as a method of payment, which is done via a third party which converts the bitcoin to cash and then provides it to the aforementioned companies (Davidson, 2015). As was mentioned previously, bitcoins are supposed to eliminate the middle persons, but clearly the model used by Dell, Microsoft and Expedia shows that there is still space for the middle person.

While there is Internal Revenue Service (IRS) guidance on how virtual currency will be treated from a tax perspective within the US, there are currently no known rules or regulations which determine the usage of virtual currency at the US Federal level. States such as New York, California and Connecticut are leading the initiatives to enact regulations for how business using virtual currency can and cannot be conducted. The New York State Department of Financial Services “Chapter I. Regulations of the Superintendent of Financial Services Part 200. Virtual Currencies” Section 200.3 states “No Person shall, without a license obtained from the superintendent as provided in this part, engage in any Virtual Currency Business Activity” (New York State Department Of Financial Services). As of September 22, 2015, New York had already issued its first “bit license” to bitcoin company Circle Internet Financial. This adds legal backing for bitcoin operations within New York. Similarly, California Senator Dababneh proposed Bill AB-1326 Virtual Currency, which proposes, similarly to New York, that each person conducting business in virtual currencies should have a license granted by the Commission of Business Oversight (leginfo.legislature.ca.gov, 2015).
The Electronic Frontier Foundation (EFF) believes that the bit license model is bad news for privacy and free speech (act.eff.org, n.d.), while it also is a license
to kill innovation, and the EFF considers it bad for business as it contains significant fees and administrative hurdles (Reitman, 2015). For the Connecticut bill, applicants who intend to transmit virtual currency can have their license denied by the commissioner if the proposed business model poses undue risk to the financial consumer. The commissioner is also allowed to place different requirements such as surety bonds on the potential licensee as part of the application process (Connecticut General Assembly, 2015). While New York, California and Connecticut have decided to or are looking at putting systems in place to regulate virtual currencies, Texas has decided that virtual currencies will not be treated like money. However, Texans can use virtual currencies to purchase goods and services without any regulation (Cooper, 2014).

As of January 2015 there were approximately 13.7 million Bitcoins in circulation. However, even though there are more and more vendors accepting Bitcoins, the total transactions for the year 2014 were between 40 million and 60 million. This represents an average of around 50 to 90 thousand transactions per day (Murphy, Seitzinger, & Murphy), making this a niche market.

Crypto Currencies Security Concerns/Regulations

The security concerns for bitcoins are numerous when looked at from a macroeconomic perspective and the way it impacts countries and their financial systems. While individual persons have a right to be concerned about their personal finances, governments and existing financial institutions have even more cause for concern. The current financial system is highly regulated, with governments playing a major role, having their central banks as the institutions responsible for establishing monetary policy, supervising and regulating the banking system and maintaining stability in the financial system.

With a decentralized system such as that used by Bitcoin, governments are currently unable to manage and or truly regulate this environment. However, as was previously identified above, efforts are being made to add some level of control to it. According to the Financial Action Task Force (FATF) (2014), some of the potential risks of virtual currencies include greater anonymity, as virtual currencies may permit transfers without adequately identifying the sender and or receiver. Another challenge relates to its decentralized nature, in that there are no oversight bodies or anti-money laundering software to monitor and or identify suspicious transaction patterns. More importantly, it may be difficult for law enforcement officers and regulators to access customer transaction records as they are typically held in different jurisdictions (FATF, 2014).

While the preceding may make it seem like there is no opportunity for law enforcement and governments to successfully control, prosecute, regulate and or identify bitcoin transactions, via the use of other tools governments have been successful in charging and in some cases prosecuting persons who use bitcoins to launder money. Working together, the US Secret Service, Internal Revenue Service-Criminal Investigations and the U.S. Immigration and Customs Enforcement’s Homeland Security Investigations were able to successfully prosecute Arthur Budovsky, founder of Liberty Reserve, who pleaded guilty to laundering more than $250 million through his company (Department of Justice, Office of Public Affairs, 2016). Another prominent case of government being able to successfully prosecute criminals who leverage bitcoins for illegal activities is the case of the Silk Road’s Thomas Clark, who was charged with narcotics conspiracy. It is important to note that Mr. Clark was charged while he was residing in Thailand (Department of Justice, 2015).
Silk Road was an online black market which included a Bitcoin based payment system which was used to facilitate the illegal
commerce for illegal drugs and other unlawful goods and services (Department of Justice, 2015). While the two preceding cases were among the more prominent ones, they also show that governments can still prosecute money launderers or persons who are caught using bitcoins for illegal activities. Most important for governments as they attempt to implement policies for this new form of currency is striking a balance between addressing risks and abuses while at the same time avoiding over-regulation that may in turn stifle innovation (IMF Staff Team, 2016). Additionally, governments may also be able to preempt security concerns by implementing their own virtual currency, as proposed by Haldane (2015) for the Bank of England.

Adoption Rate of Bitcoins?

First introduced in November 2008 via the paper titled “Bitcoin: A Peer-to-Peer Electronic Cash System” (Satoshi Nakamoto, 2008), Bitcoin has grown to become the leader in virtual currency. As of February 7, 2016, Bitcoin had a market capitalization of over US$5 billion (coinmarketcap.com, 2016). For the first three months of 2010, the number of Bitcoins in circulation was 2.5 million. This number has seen significant growth from January 1, 2010 to December 2015, with a significant jump to 15.03 million Bitcoins in circulation (statista.com, n.d.) (see Figure 10). Bitcoin has also started to establish its presence in the physical world, with 577 ATM machines being available worldwide as of February 7, 2016. This number has also grown significantly, as at October 31, 2013 there was only one Bitcoin machine deployed (coinatmradar.com, n.d.).

Figure 10. Bitcoins in circulation as of Q4 2015 (statista.com, n.d.)

Bitcoin the technology, i.e. blockchain, is expected to continue to grow tremendously as companies such as Visa, American Express and MasterCard continue to show confidence in the technology by investing in it. Visa, Citigroup and Nasdaq’s recent investment in Chain, American Express’s investment in Abra and MasterCard’s investment in DCG (Roberts, 2015), along with Bitcoin Group being listed on the Australia Stock Exchange (ASX) and bitcoins being traded as a commodity on Nasdaq (McDonald, 2015), are definitely signs that the technology is poised to grow even further.

Biometrics

The newest entrant to the plasticless alternative payment industry is biometrics. In most cases, companies are trying to leverage the existing ubiquitous nature of mobile phones and payment card infrastructure to speed up the deployment and or availability of biometric payment technologies. In other cases, the objective is to use biometrics independently of any other tools, i.e. mobile phones or cards. The biometric modalities currently being leveraged are facial recognition, heartbeat, fingerprint, palm, vascular patterns, voice, retinas, iris, etc., as part of the payment process. Overall the global biometrics market is expected to be around $6.9
billion by 2024. During this growth, fingerprint technology is expected to represent the largest market segment, followed by facial biometrics technology. This is then followed by iris/retinal and signature based solutions respectively (Reuters, 2014). Biometrics is considered to be important for payments since it has the ability to secure transactions which are becoming more varied in type and less physical. Specifically for the payment industry, biometrics has tremendous potential in its ability to facilitate contactless card payments and online transactions (New Science, 2014).

However, while biometrics may seem like the logical choice from a security perspective to protect payments, it faces its own security challenges. Biometrics can be spoofed or directly attacked by submitting a stolen, copied or even synthetically replicated trait, such as a fingerprint or image of a face, to a sensor, allowing it to beat the biometric security system in order to gain unauthorized access by simply using play-doh, silicone or gelatin (Akhtar, 2012). In order for a fingerprint to be successfully spoofed, a representation of the original fingerprint must be obtained (Marasco & Ross, 2014). A more recent example of a fingerprint being spoofed is that of German Defense Minister Ursula von der Leyen, as reported in 2014 by the Guardian newspaper. In this case, using a few high definition photographs which were taken of her at less than three meters away, researchers were able to create a copy of her fingerprint (Hern, 2014). Facial recognition also comes with its share of security issues, which include simply wearing adequate makeup (Galbally, Marcel, & Fierrez, 2015). Ultimately, there can be extreme cases, as was reported by Kent (2005). In this case, members of a violent gang ran down accountant K Kumaran and demanded his Mercedes S-Class keys. In addition to the keys, they also needed his fingerprint to disarm the car’s immobilizer. In order to bypass the immobilizer, they chopped off the end of the car owner’s index finger with a machete.

Some examples of biometric payment systems which have been deployed around the world are the e-ZWICH program in Ghana, the Biometric Smart Card Payment system in India, CitiBank Singapore, South Africa Biometric Grant Cards and Nexus Smart Pay in Rapid City, South Dakota, USA. The biometric payment technology is being pushed by traditional payment providers such as banks and credit card providers as well as new entrants like mobile phone providers Apple, Google and Samsung.

MasterCard Selfie Verification. According to dictionary.reference.com (n.d.), a selfie is a photograph taken with a smartphone or webcam by someone who is also in the photo, and is especially done for posting on social-media websites. On August 18, 2015, MasterCard announced that it was conducting trials in the US and Europe, pioneering the use of selfies and fingerprints for online payment transactions in an effort to make payments not only quicker and easier but also more safe and secure. The objective of using a selfie and or fingerprint is to eventually replace the need to remember passwords when completing purchases, allowing users to blink into their smartphones or use their fingerprints to complete their transactions (Khodos, 2015).

The first user trials were conducted in the Netherlands with 750 card holders during the period August 19 to November 30, 2015. During the trials no passwords, confirmation codes or passcodes were used. Instead, during checkout from the webstores, users saw a pop-up on their mobile phone which allowed them to either scan their finger or take a selfie to authorize the transaction (newsroom.mastercard.com, 2015). The USA trials were started about a month after the program began in the Netherlands, running from September to October with over 200 employees from credit unions. For this trial, rather than purchasing items, the testers were
performing virtual donations via a smartphone app to the Children’s Miracle Network (CMN) Hospitals (newsroom.mastercard.com, 2015).

Fingerprint Impression + Tokenization. While the previous solution addressed fingerprint payments from the perspective of mobile devices, solutions are also being proposed which leverage tokenization along with the impression of a user’s finger. It is anticipated that biometric payment through fingerprint will provide consumers with a seamless, safe and convenient payment system. The objective in this solution is to leverage the hand, i.e. fingers and palm, to assign each finger or palm to one or more credit cards. As an example, your little finger may be assigned to VISA and MasterCard while your index finger is assigned to American Express (see Figure 11). This solution consists of 3 stages (Garg & Garg, 2015).

Figure 11. Depiction of payment cards being assigned to various fingers and palm (Garg & Garg, 2015, p. 3)

First, the bank which will issue the card enrolls the Bank Identification Number (BIN) with the biometric server of the corresponding payment scheme, such as Visa, MasterCard, etc. The user is then expected to enroll with the card issuer through a process which entails the user first swiping the card(s) and then scanning their finger(s). Once this data is received by the
payment server, it checks its directory to determine if the BIN supports biometrics. If it does, then, similar to the tokenization discussed under EMV + tokenization, the card data is sent for tokenization. The information is then stored in a database, which completes the process, thus allowing users to use their fingers to complete their biometric payment at the merchant. The token server would then generate a secure token which is associated with the user’s card. This is then sent back to the payment system biometric server. The final stage of this process is where the user performs a payment authorization at the biometric POS, which ultimately validates whether the credentials submitted are valid or not, thus approving or declining the transaction (Garg & Garg, 2015).

Some of the benefits which are expected from this model are that the use of tokenization technology makes the transaction very secure, since no card data is exposed during the transaction. Additionally, there is no need to carry physical cards or even NFC enabled mobile phones. It is also felt that the enhanced security may result in banks lowering interchange fees while benefiting significantly due to lesser fraud and drawbacks (Garg & Garg, 2015).

Heartbeat as an authenticator. The Nymi Band is a wearable device which authenticates users to the band via their electrocardiogram (ECG), which is considered the heart signature (nymi.com, n.d.) (see Figure 12). Once authenticated, the user can then perform a number of activities, one of which is paying for goods and/or services. Nymi technology leverages the NFC technology which already exists in other available contactless payment options (Hemmadi, 2014), thus relieving it or merchants of the need to invest in the payment infrastructure. The challenge of ensuring proper identification and verification is much the same for this technology as it is with most of the other mobile payment solutions and will ultimately become the hurdle that all vendors need to overcome. Partnering with TD and MasterCard, Nymi
completed its first payment transaction on July 10, 2015 as part of a pilot which consisted of over 100 TD users across Canada, more specifically in Toronto, Ottawa and Regina (finance.yahoo.com, 2015).

Figure 12. Nymi Band (Nymi, n.d.)

Vascular pattern recognition. Companies such as Sthaler leverage the uniqueness of a fingerprint to build a 3D map of the veins within the finger via the use of its FingoPay reader. The probability of two persons having the same vein structure is said to be 1 in 3.4 billion and it is believed that this biometric method has a better recognition rate than iris. Sthaler believes that it has built the most fraud-proof payments system, which is safe, simple and reliable (sthaler.com, 2015). Finger vein technology has no property of latency, the vein pattern locations are consistent and they are in a position where no one can see them. This gives it immediate advantages over iris, retina, etc. The sensors which are used have no issues with finger cuts, moisture, dryness or roughness and are very difficult to spoof while having higher accuracy rates than fingerprint imaging solutions. This technology is also very easy to use, requiring little or no training for the end user (hitachi.co.jp, n.d.). One of the first deployments of this technology was by Barclays during 2015, for which it was initially available to its corporate clients. Importantly, when being
scanned, the finger must be attached to a live body in order for the veins in the transaction to be authenticated (hitachi.com, 2014). The fact that the vein has to be attached to a live body results in an increase in security while also reducing the likelihood that someone may present the finger of a dead person to the sensor. In addition to Barclays, WorldPay and Visa have collaborated with Sthaler and conducted a three-week proof of concept in WorldPay’s cafeteria (Pymnts, 2015). In addition to scanning the veins within one’s finger, the capability also exists to scan the veins within one’s palm. Similar to scanning the veins within the finger, it is believed that this method is also much more difficult to forge (New Science, 2014), since it is not scanning the palm but what is beneath it. Fujitsu’s PalmSecure leverages over five million reference points of the complex vein pattern within the palm of a hand (Fujitsu, 2015).

Voice payments. ING Netherlands uses voice recognition via its mobile app to complete payment transactions. This app currently runs on devices using the Google Android or Apple iOS software, leveraging their voice biometrics technologies (nuance.com, 2015). VoiceKey, another biometric solution which allows for payments, analyzes over 100 parameters of voice while also ensuring no one can complete a transaction on your behalf even if they use a recorded copy of your voice. This is considered an advantage over retina and fingerprint biometrics technologies. This technology is currently deployed by Worldcore, which is the world’s first European Union (EU) regulated institution to provide voice biometrics (worldcore.eu, 2016). SayPay also leverages a mobile app, allowing users to authorize transactions which have been originated from eCommerce checkout, bill payments, etc. SayPay uses a one-time eight-digit code which the user speaks into the phone. The phone is first identified, then the user is
authenticated; once authentication is completed successfully, the transaction is then authorized (saypaytechnologies.com, n.d.).

Security Concerns of Biometrics

Biometrics, like any other payment solution, comes with its own set of security concerns. Typically the focus of biometric security lies in the way persons may be able to replicate fingerprints, etc. However, the bigger concern lies with the digitized version of the captured biometric data. If someone is able to copy the data, it is possible he or she may be able to pose as the person owning the biometric trait. The risk of this data being compromised is real, with the liability arising from an attack on this data being difficult to estimate (New Science, 2014). When Target’s customer credit card data got compromised, it simply reissued new credit cards to its customers. However, if a database consisting of users’ biometric data becomes compromised, then there is no reissuing biometric data. This can pose significant liability for the organization whose biometric data was compromised. One alternative for reducing the risk of a compromise is to provide users with their biometric via a key fob or mobile phone as opposed to having a centralized database (New Science, 2014). The recent cyber theft which targeted the Office for Personnel Management (OPM), resulting in the loss of over 5.6 million fingerprints, shows the challenges which securing biometric data presents. While the potential for misuse of these fingerprints at present may be limited due to the nature of technology, this may change over time as the technology evolves (Peterson, 2015).

Implementation Challenges for Biometrics

There are quite a few challenges which may impede the deployment of biometrics at the POS. These range from infrastructure concerns, accuracy, merchant and card holder education,
security, adoption and payment card management to, most importantly, cost. The infrastructure changes required to implement biometrics can be very significant as merchant infrastructure will need to be upgraded. This may make adopting biometrics an expensive proposition. The concern around the infrastructure may contribute to a lower adoption rate, as it is expected that providers of the payment schemes should have a robust infrastructure in place. One of the larger concerns relates to the secure storage of biometric data, since if this data is stolen or compromised, fraudsters can make counterfeit payments. Another significant issue relates to the users’ management of the cards. Remembering which finger belongs to which card may become a big concern for end users (Garg & Garg, 2015).

Although there are organizations that provide validation for biometric solutions, the lack of standards represents another challenge for biometric implementations, as currently this technology does not go through the same scrutiny as other payment methods. Industry alliances such as the Fast Identity Online (FIDO) Alliance can enable standardization and the use of biometrics in a common and interoperable way. Biometric systems are only as secure as their weakest link, thus the entire process consisting of enrollment, usage, transmission and storing of the biometric trait, as well as the devices involved in the processing, all need to be secured (New Science, 2014).

The biometric systems which are currently available can today economically meet the needs of almost any application. Additionally, as cost continues to decline it is becoming easier to justify the cost of using biometrics (Allegion, 2014). It is projected that by 2018, the silicon-based fingerprint market will reach US$4 billion. This is being powered by the lower cost of production and sensors being used in various platforms, as well as improvements in communication infrastructure, performance, battery life and computing power and a decline in size
and cost (Spenser, 2012). Iris recognition technology, on the other hand, is not seeing its price drop as fast as fingerprint technology and, as cited by Planet Biometrics (2015), the iris modality is anticipated to be the next big thing in biometrics. However, its high associated costs will impede its widespread installation. Via continuous research and development as well as widened application use, it is expected that the cost of iris scan technology will be reduced.

Discussion of Findings

The purpose of this research was to scrutinize the current security issues facing EMV credit card payments and future payment methods. What are the available plasticless alternatives to EMV credit card payments? What are the security concerns relating to bitcoins, whether real or perceived? What are the security concerns surrounding digital payment systems such as Android Pay, Apple Pay and Samsung Pay? How does biometrics address and/or mitigate security concerns, when used as a payment method?

The plasticless alternatives to the EMV credit card as a payment solution, in relation to the future of payments, lie in a number of different technologies: those which leverage the ubiquitous nature of mobile phones, those which take advantage of the features of the human body, software which runs not only on a mobile phone but on almost any mobile or computing device, and virtual currency. Some of these payment services are Apple Pay, Android Pay, Samsung Pay, PayPal, AliPay, BitCoins and biometrics.

The plasticless alternative payment solution technology which has the greatest chance of market domination at this time lies with mobile devices, more so the mobile phone and its ubiquitous nature. The current 71% of deployed smartphones (Board of Governors of the Federal Reserve System, 2015) will eventually get to 100%. While that would be a good step, the challenge still lies in convincing the 88% who did not conduct a mobile payment in 2013-2014 to
do so in the future. More importantly, with a population of 323,075,505 (census.gov, 2016), mobile payment can be considered the area which has the greatest potential for growth as a plasticless alternative payment solution.

While the Board of Governors of the Federal Reserve System (2015) has cited a few reasons for not using mobile payments, the position that other payment methods are much easier and do not have the same security concerns as mobile payments may not be true when compared with the facts. The fact remains that companies such as Target Corp, TJX Inc. and Heartland Payment Systems were all compromised, resulting in losses of 40 million, 45 million and 100 million debit and/or credit card records respectively while using non-mobile payment solutions. These losses also had a financial impact, as Target had a cumulative loss of $264 million as of August 1, 2015, Heartland had to pay more than $140 million in fines, while TJX’s expenses stood at over $215 million as of January 31st, 2015. Leveraging the various mobile solutions such as Secure Element, Host Card Emulation or tokenization could have provided a more secure solution, as the risk associated with compromised credit and/or debit cards could be greatly mitigated.

While Android Pay leverages both HCE and SE emulation methods, Apple Pay only uses the hardware based SE. In SE based emulations, when communication is received from the POS terminal it is rerouted to the tamper-resistant dedicated hardware component, the Secure Element, which is responsible for storing the card emulation application and associated credentials. The SE can reside in a few different places, namely on a smart card chip on the handset, a Subscriber Identity Module (SIM), a Universal Integrated Circuit Card (UICC) or a Secure Digital (SD) card. When credentials are stored in the SE, each issuer is assigned a specific domain which is protected by cryptographic keys that are only accessible by the authorized participants
(smartcardalliance.org, 2014). While Apple Pay and Android Pay leverage the NFC emulations, Samsung Pay uses both NFC and Magnetic Secure Transmission (MST) to transmit payment information. When MST is used, both the merchant and the customer benefit immediately. The merchant does not have to incur additional costs for upgrading any terminals, while the end user can leverage the existing mag strip technology via his/her mobile phone.

Payment technology implementations which leverage tokenization eliminate the need for storing the actual credit card numbers. They instead use a 13-19 digit token whose representation has no association with a physical card. When considering the compromises which occurred at TJX, Heartland and Target as merchants, the credit card data was stored within their sites. If a tokenization solution had been used, then no actual credit card data would have been stored and thus ultimately no card data would have been compromised. This fact immediately differs from the position which was stated by the Board of Governors of the Federal Reserve System (2015) and shows that the security concerns related to other payment methods are in no way superior to those of mobile payments.

While mobile payments as a plasticless alternative may provide for a more secure payment solution than the current set of credit cards, EMV included, the efforts towards securing the physical card and reducing fraud via Dynamic CVV and security solutions such as Discover’s Freeze It and Visa’s Customer Transaction Control (CTL) are excellent features which bring immediate security to holders of physical cards. The most significant benefit of these features is their ability to reduce card not present as well as card present fraud transactions. Additionally, these features make it very difficult for stolen and/or misplaced cards to be used without the owner’s permission.
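
The tokenization argument above and the three-stage fingerprint + tokenization flow of Garg & Garg (2015) described earlier can be traced in code. This is an added example, not code from the paper or from Garg & Garg; the class names, the 6-digit BIN, the one-card-per-finger mapping and the toy 16-byte templates matched by Hamming distance are all assumptions.

```python
import secrets

# Constructed sample data: public test card numbers and toy 16-byte templates.
VISA_PAN = "4111111111111111"
AMEX_PAN = "378282246310005"
LITTLE_FINGER = bytes([0x00] * 16)
INDEX_FINGER = bytes([0xFF] * 16)


def hamming(a: bytes, b: bytes) -> int:
    """Differing bits between two templates; a length mismatch never matches."""
    if len(a) != len(b):
        return 8 * max(len(a), len(b))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class TokenServer:
    """Holds the only token -> PAN mapping; the merchant never sees it."""

    def __init__(self):
        self.vault = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # Random digits of the same length: not derivable from the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self.vault:
                self.vault[token] = pan
                return token

    def detokenize(self, token: str):
        return self.vault.get(token)


class BiometricServer:
    """Payment scheme's biometric server (hypothetical model)."""

    MAX_DISTANCE = 8  # assumed match threshold, in differing bits

    def __init__(self, token_server: TokenServer):
        self.token_server = token_server
        self.biometric_bins = set()
        self.enrolled = []  # (template, token); no PAN is kept here

    def enroll_bin(self, bin_number: str) -> None:
        # Stage 1: the issuer registers its BIN with the scheme.
        self.biometric_bins.add(bin_number)

    def enroll_user(self, pan: str, template: bytes):
        # Stage 2: card swipe plus finger scan; unsupported BINs are refused.
        if pan[:6] not in self.biometric_bins:
            return None
        token = self.token_server.tokenize(pan)
        self.enrolled.append((template, token))
        return token

    def authorize(self, scan: bytes):
        # Stage 3: the POS scan is matched to the closest enrolled template.
        if not self.enrolled:
            return "DECLINED", None
        template, token = min(self.enrolled, key=lambda e: hamming(e[0], scan))
        if hamming(template, scan) > self.MAX_DISTANCE:
            return "DECLINED", None
        return "APPROVED", token


class Merchant:
    """Merchant system: everything it stores is what a breach would expose."""

    def __init__(self, server: BiometricServer):
        self.server = server
        self.records = []

    def checkout(self, scan: bytes, amount_cents: int) -> str:
        status, token = self.server.authorize(scan)
        self.records.append(
            {"token": token, "amount_cents": amount_cents, "status": status}
        )
        return status


def build_demo():
    tokens = TokenServer()
    server = BiometricServer(tokens)
    server.enroll_bin(VISA_PAN[:6])
    server.enroll_bin(AMEX_PAN[:6])
    enrolled = {
        "little": server.enroll_user(VISA_PAN, LITTLE_FINGER),
        "index": server.enroll_user(AMEX_PAN, INDEX_FINGER),
    }
    return tokens, server, Merchant(server), enrolled


if __name__ == "__main__":
    tokens, server, merchant, enrolled = build_demo()
    noisy_little = bytes([0x07]) + bytes(15)   # 3 bits of sensor noise
    print(merchant.checkout(noisy_little, 1250))
    print(merchant.checkout(bytes([0x0F] * 16), 999))  # unenrolled finger
    print(merchant.records)                   # tokens only, never a PAN
```

The stored templates in `BiometricServer.enrolled` are exactly the centralized biometric data whose compromise the section on security concerns warns about; tokenization protects the card number, not the template.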

As it relates to security concerns surrounding plasticless alternatives, for digital payment systems such as Android Pay, Apple Pay and Samsung Pay the biggest challenge lies within the identification and verification (ID&V) of the person(s) registering the card. The fraud perpetrated against Apple Pay could just as easily have been carried out against any of the other payment methods, as this attack targeted the payment process more so than Apple Pay itself. The banks were the weakest link within this chain and thus, since other mobile payment solutions would have to leverage these same processes as Apple Pay, the fraud could just as easily target them. The ability to truly confirm a customer’s ID will become a critical component of the entire process, since even though the mobile apps may have the best security, the potential still exists for fraud. We can see that efforts are already being made to mitigate this risk by using additional data such as device information, mobile payment application ID and information relating to the verification method, such as passcode or fingerprint. For the time being, this additional data will help, but efforts will have to be made to stay ahead of potential attackers because, without a doubt, they will be seeking new ways to circumvent these measures.

As a plasticless alternative, virtual currencies also have tremendous potential but are not as ubiquitous as mobile phones. Thus the challenge for their deployment lies in their ability to reach critical mass within a short time. More importantly, the security and/or regulatory challenges for adaptation are also tremendously more significant than those of mobile phones. The security problem is beyond the immediate users and poses significant concerns for governments, as the unregulated and decentralized nature of virtual currencies reduces the effectiveness of governments to properly monitor and/or regulate this payment method. Monetary policies, financing of terrorism and money laundering are all components which are concerns for
governments and which are very difficult for them to monitor and/or manage. However, the takedown of Silk Road and the successful prosecution of Arthur Budovsky, founder of Liberty Reserve, show that while a challenge exists in identifying and prosecuting criminals who leverage virtual currencies, the challenge can be overcome when law enforcement officials work together.

Biometrics as a payment method can and more than likely will succeed, especially when used in conjunction with the ubiquitous existence of mobile devices. Additionally, its ability to secure payment transactions which are becoming more varied in type and less physical will be critical, as it provides tremendous potential in facilitating contactless card payments and online transactions. When used as a payment method, biometrics addresses and/or mitigates security concerns by taking advantage of various features of the human body. Some of these features can be our voice pattern, heartbeat, fingerprint, vascular pattern, iris, retina, etc. When used as an authentication mechanism in general, biometrics can be considered the most secure method of authentication. However, while biometrics secures the payment method, the biggest concern relates to how this data is stored and secured in its digital form. The hack on the Office for Personnel Management (OPM), resulting in the loss of over 5.6 million fingerprints, shows the challenges which securing biometric data presents. While the potential for misuse of these fingerprints at present may be limited due to the nature of technology, this may change over time as the technology evolves (Peterson, 2015). Also important is the ability for biometric traits to be spoofed through seemingly simple methods such as taking a photograph, usage of Play-Doh or even using makeup. The extreme measures some individuals, namely criminals, may take to acquire the physical properties of a person represent another challenge, one whose ultimate impact is difficult to predict. The example of criminals cutting off a person’s finger so they
could gain access to that person’s car may have seemed farfetched, but these are realities which will become more glaring as biometrics becomes more integrated into our daily lives.

Biometrics which leverages fingerprint impression + tokenization seems like the most secure of the possible biometric payment solutions. By leveraging tokenization along with the fingerprint biometric trait, it is expected to be the most secure, as no card data is ever exposed during a transaction. It is also quite possible that this additional security will not only increase security but also reduce fraud. However, ultimately time will tell how well biometric payment is adopted and how secure the payment process is.

Ultimately the security of payment technologies such as EMV credit or debit cards, mobile payments, biometric payment, etc., will require solutions which provide security at the various layers of the payment process. This can be achieved through defense-in-depth and must cover both physical and logical security. Verifone, Inc (2015) proposes a multi-pronged approach which uses EMV, Encryption, Tokenization and a Secure Commerce Architecture as a method for securing the credit card payment process. This method represents the best alternative for mitigating fraud associated with credit cards, as it addresses the problem through various parts of the transaction. Similarly, First Data focuses on EMV along with Encryption and Tokenization as a method for mitigating card fraud (First Data, 2012). The ability of Risk Based Authentication (RBA) to monitor various risk factors associated with the access request, existing passwords, the user’s device as well as recent activity will continue to play a significant role in securing the payment process, as monitoring a user’s payment patterns and/or habits can prove an important component.

At the time of this writing, no technology or technology solution is 100% secure. Therefore, a compromise has to be made. That compromise comes in the form of the implementation of EMV along with the opportunity to move from paperless to plasticless alternatives. These measures currently represent the best opportunities for mitigating the effects of compromised credit card data at present and in the future.

Future Research and Recommendations

The implementation of EMV cards within the USA presents the USA with the best opportunity for immediately addressing card present fraud while at the same time improving card security. Based on the deployments which have been seen around the world, it is expected that card present fraud will decrease. As a result, future research should be done to compare the effects of EMV implementation within the USA vs that of other parts of the world as it relates to its ability to reduce and/or mitigate card present fraud.

The flip side of EMV’s ability to reduce card present fraud is its inability to reduce card not present fraud. Evidence has shown that card not present fraud has increased significantly wherever the deployment of EMV has been done. Future research should be conducted to determine if this trend has been the same within the USA or whether the USA was able to prevent this based on experiences seen from other deployments around the world.

While biometric payment systems present the best possible option for securing the payment infrastructure, the cost of deploying the infrastructure to support the various biometric traits remains high. Therefore, future research should be conducted to determine the market share of biometric payment systems and their ability to truly increase the security of payment systems.

Leveraging the ubiquitous nature of mobile phones and other mobile devices for payments represents a significant ability to take advantage of digital payment systems. However, similarly to the infrastructure to support biometric payment systems, mobile payment systems have not had the infrastructure support in place. The future however looks bright, as currently the number of terminals being deployed that support mobile payments has been increasing. Future research should be conducted to determine the market share of mobile payments when compared to traditional card payment methods.

Recommendation

It will be futile for anyone to debate the ubiquitous existence of the mobile phone and other mobile devices. Therefore, leveraging these technologies as plasticless alternatives to increase the security of payments makes the most sense. Additionally, vendors who currently only rely on NFC based technologies for payments at the Point of Service (POS) terminals should consider licensing the Magnetic Secure Transmission (MST) technology which is owned by Samsung. By supporting this technology, a greater number of mobile devices would be able to immediately complete mobile payments while new Near Field Communication (NFC) based communication technologies are being deployed.

Of significant importance also is the need to sensitize the public on the benefits of mobile payments as compared to those of credit cards. These benefits, if properly marketed, could see a significant spike in the number of mobile payments being conducted. The benefits range from the greater convenience that mobile phones provide to the very much more secure nature of mobile payments. By far the security which is achieved from leveraging mobile payment technologies such as NFC, MST, Bluetooth Low Energy, QR Codes, etc. via mobile payments outstrips that of the physical card. The fact that credit card data is not actually transmitted and
that a one-time token is used makes it more difficult for a card to be reused. However, extreme vigilance is needed, as sooner rather than later malicious users may find ways to compromise this technology and payment process. Finding ways to reduce the setup time and steps needed for mobile payments should also be an area of focus, as while younger mobile payment users would see these steps as normal, more mature mobile payment users may see these steps as an impediment to adoption.

If the payment industry is unable to move faster to mobile payment solutions which leverage card emulation technologies, then a greater push is needed towards securing the physical card. While EMV addresses the card present fraud situation, it does not overall secure the credit card. Like most of the existing card based technologies, a static Customer Verification Value (CVV) can still be found on these EMV based cards. Moving to dynamic CVV increases the security of the physical card while reducing fraud. Obviously, the number of digits used for the dynamic CVV will determine the probability of generating one of these numbers successfully and still compromising the payment process. For Dynamic CVV, providers of payment cards should consider using numbers greater than the typical 3 digits which are found on the back of the current set of cards. Similarly to Discover's Freeze It and Visa's Consumer Transaction Controls, additional card providers should consider solutions which allow users to have more control of their cards, as these measures not only give users better control over their cards but also help reduce fraud.

While there are a number of solutions which can be used to secure the payment system, ultimately all of this data needs to travel across a network infrastructure. Implementing end-to-end encryption provides the ultimate security for data related to the payment infrastructure.
Heartland Payment's attempt to ensure end-to-end encryption should be a model which is followed by all payment providers.

As it relates to virtual currencies, governments should be proactive, taking the necessary steps to enact laws and/or regulations for how their society should deal with virtual currency. One thing technology has taught us is that it waits on no one. Therefore, if governments simply stand by and allow virtual currency to be used without being regulated, the potential for it being abused could be drastically enhanced. While this may be counter to the way virtual currencies are supposed to operate, the reality is that there is a need for regulatory control, or someone or something which controls how these currencies are used and who is held accountable for issues encountered by owners of these currencies.
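
The recommendation above that dynamic CVV codes use more than 3 digits can be quantified. This is an added example, not code from the paper or from any card scheme; it assumes a TOTP-style HMAC-SHA256 code per time window, and the key, window length, drift allowance, attempt limit and all function names are hypothetical.

```python
import hashlib
import hmac
import struct
from fractions import Fraction

# Constructed sample values (test card number, made-up key and expiry).
SAMPLE_KEY = b"constructed-per-card-key"
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "1228"


def dynamic_cvv(card_key: bytes, pan: str, expiry: str,
                counter: int, digits: int = 3) -> str:
    """Code for one time window (assumed HMAC construction, HOTP-style)."""
    if not 3 <= digits <= 8:
        raise ValueError("digits must be between 3 and 8")
    msg = f"{pan}|{expiry}|".encode() + struct.pack(">Q", counter)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: pick 4 bytes of the MAC
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CvvVerifier:
    """Issuer-side check with clock-drift tolerance and attempt limiting."""

    def __init__(self, card_keys, digits=3, step_seconds=1200,
                 drift_windows=1, max_attempts=3):
        self.card_keys = card_keys
        self.digits = digits
        self.step_seconds = step_seconds
        self.drift_windows = drift_windows
        self.max_attempts = max_attempts
        self.failures = {}  # (pan, window counter) -> failed attempts

    def accepted_codes(self, pan, expiry, now):
        counter = int(now) // self.step_seconds
        first = max(0, counter - self.drift_windows)
        key = self.card_keys[pan]
        return {dynamic_cvv(key, pan, expiry, c, self.digits)
                for c in range(first, counter + 1)}

    def verify(self, pan, expiry, candidate, now) -> bool:
        if pan not in self.card_keys:
            return False
        slot = (pan, int(now) // self.step_seconds)
        if self.failures.get(slot, 0) >= self.max_attempts:
            return False  # locked for the rest of this window
        ok = False
        for code in self.accepted_codes(pan, expiry, now):
            # Constant-time comparison; no early exit on a match.
            ok |= hmac.compare_digest(code.encode(), candidate.encode())
        if not ok:
            self.failures[slot] = self.failures.get(slot, 0) + 1
        return ok


def guess_success_bound(digits: int, attempts: int,
                        accepted_codes: int = 1) -> Fraction:
    """Upper bound on the chance that blind guesses hit an accepted code."""
    return min(Fraction(1), Fraction(attempts * accepted_codes, 10 ** digits))


if __name__ == "__main__":
    # Three guesses per window, two accepted codes (current + one drift).
    for d in (3, 4, 6, 8):
        bound = guess_success_bound(d, attempts=3, accepted_codes=2)
        print(f"{d} digits: at most {float(bound):.6%} per window")
```

Each added digit cuts the per-window guessing bound tenfold, while the attempt limit keeps the numerator small; widening the drift allowance raises it again.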

References

3 Delta Systems. (2016). Understanding Tokenization. In R. Ricker, Understanding Tokenization (p. 5). 3 Delta Systems.
A.T. Kearney Korea LLC. (2013). European Payments Strategy Report: Winning the Growth Challenge in Payments. A.T. Kearney Korea LLC.
Accenture. (2015). 2015 North America Consumer Digital Payments Survey: When it comes to payments today, the customer rules. Accenture.
act.eff.org. (n.d.). Stop the BitLicense. Retrieved from act.eff.org: https://act.eff.org/action/stopthe-bitlicense
Aite. (2014). EMV: Lessons Learned and the U.S. Outlook. Aite.
aitegroup.com. (2015, February 12). More than half of U.S. POS terminals to be EMV chip-enabled by year-end: Merchants who delay in upgrading to EMV chip will be exposed to US$1.1 billion in counterfeit credit card fraud losses. Retrieved from aitegroup.com: http://aitegroup.com/more-half-us-pos-terminals-be-emv-chip-enabled-year-end
Akhtar, Z. (2012). Security of Multimodal Biometric Systems against Spoof Attacks. Ph.D. in Electronic and Computer Engineering Dept. of Electrical and Electronic Engineering University of Cagliari.
Allegion. (2014). Allegion biometric hand readers increase security at University of Central Florida sororities. Allegion.
apple.com. (n.d.). Secure, simple, and even more useful. Retrieved from apple.com: http://www.apple.com/apple-pay/?cid=wwa-us-kwg-features-com
atmmarketplace.com. (2011, January 12). Study: U.S. consumer use of cash expected to decline by nearly $200 billion by 2015. Retrieved from atmmarketplace.com: http://www.atmmarketplace.com/articles/study-us-consumer-use-of-cash-expected-todecline-by-nearly-200-billion-by-2015/
Baheri, A. (2016, January 13). The Dangers of Downloads: Securing Mobile Devices in 2016. Retrieved from fireeye.com: https://www.fireeye.com/blog/threatresearch/2016/01/the_dangers_of_downl.html
Bailey, B. (2014, Tuesday 8). Apple Pay had 1 million activations in first 3 days: Cook. Retrieved from ctvnews.ca: http://www.ctvnews.ca/sci-tech/apple-pay-had-1-millionactivations-in-first-3-days-cook-1.2074580
bis.org. (1999). CPSS – Red Book statistical update. BIS. Retrieved from bis.org: http://www.bis.org/cpmi/paysys/unitedstatescomp.pdf
BMO, CIBC, RBC, Scotiabank, TD, National Bank of Canada. (2015). Payments Security White Paper. BMO, CIBC, RBC, Scotiabank, TD, National Bank of Canada.

BNY Mellon. (2014). Global Payments 2020: Transformation and Convergence. The Bank of New York Mellon Corporation.
Board of Governors of the Federal Reserve System. (2015). Consumers and Mobile Financial Services 2015. Washington, DC 20551: Board of Governors of the Federal Reserve System. Retrieved from http://www.federalreserve.gov/econresdata/consumers-andmobile-financial-services-report-201503.pdf
Boden, R. (2015, May 14). Walmart to accept Alipay mobile payments in China. Retrieved from nfcworld.com: http://www.nfcworld.com/2015/05/14/335234/walmart-to-accept-alipaymobile-payments-in-china/
Broderick, M. (2015, May 28). Apple Comes to Payments. Retrieved from cacm.acm.org: http://cacm.acm.org/news/187597-apple-comes-to-payments/fulltext
Business Wire. (2016, February 17). EMV Merchant Adoption Slower Than Expected: TSG survey estimates 37% of U.S. card-accepting merchants are EMV-ready four months after the liability shift. Retrieved from businesswire.com: http://www.businesswire.com/news/home/20160217005243/en/EMV-MerchantAdoption-Sl...
Canadian Bankers Association. (2014). Credit Card fraud in Canada: High-level fraud trends from Payment Card Partners and Visa Canada internal statistics. Canadian Bankers Association.
Capital One. (n.d.). Capital One - SureSwipe - No More Password Typos. Retrieved from capitalone.com: https://www.capitalone.com/campaigns/sure-swipe/
Capital One. (n.d.). Capital One and Apple Pay - Better Together. Retrieved from capitalone.com: https://www.capitalone.com/online-banking/mobile/apple-pay/
Cavoukian, A. (2011). Mobile Near Field Communications (NFC) - “Tap ‘n Go” Keep it Secure & Private. Toronto, Ontario: Information and Privacy Commissioner of Ontario.
census.gov. (2016, February 28). U.S. and World Population Clock RSS icon. Retrieved from census.gov: http://www.census.gov/popclock/
Center for Strategic and International Studies (CSIS), McAfee. (2014). Net Losses: Estimating the Global Cost of Cybercrime - Economic impact of cybercrime II. Santa Clara, CA 95054: Center for Strategic and International Studies.
CFPB. (2014). Risks to consumers posed by virtual currencies. Consumer Financial Protection Bureau.
chasepay.com. (2015, October 26). Chase Announces CHASE PAY. Retrieved from chasepay.com: https://www.chasepay.com/press/
Cheney, J. S. (2010). Discussion Paper - Payment Card Center. Ten Independence Mall, Philadelphia, PA 19106-1574: Federal Reserve Bank of Philadelphia.

Choudhary, S. K. (2012). EMV Compliance in the U.S. - Now is the time to make the transition to EMV. Capgemini. Cipriani, J. (2015, September 30). Here's why Samsung Pay is way better than Apple Pay and Android Pay. Retrieved from fortune.com: http://fortune.com/2015/09/30/samsung-payreview/ coinatmradar.com. (n.d.). Bitcoin ATM Industry Statistics / Charts. Retrieved from coinatmradar.com: http://coinatmradar.com/charts/ coinmarketcap.com. (2015, September 19). Crypto Currency Market Capitalization. Retrieved from coinmarketcap.com: http://coinmarketcap.com/ coinmarketcap.com. (2016, Feb 7). Crypto-Currency Market Capitalizations. Retrieved from coinmarketcap.com: https://coinmarketcap.com/ Connecticut General Assembly. (2015, January). AN ACT CONCERNING MORTGAGE CORRESPONDENT LENDERS, THE SMALL LOAN ACT, VIRTUAL CURRENCIES AND SECURITY FREEZES ON CONSUMER CREDIT REPORTS. Retrieved from cga.ct.gov: https://www.cga.ct.gov/2015/FC/2015HB-06800-R000177-FC.htm Constantin, L. (2015, April 3). Fewer than 1% of Android devices affected by potentially harmful apps. Retrieved from computerworld.com: http://www.computerworld.com/article/2905973/fewer-than-1-of-android-devicesaffected-by-potentially-harmful-apps.html Consumer Action. (2015). Consumer Action: Educationa and advocacy since 1971 - Mobile Payment Guide 2015. Consumer Action. consumerreports.org. (2015, June 11). Smartphone thefts drop as kill switch usage grows. Retrieved from consumerreports.org: http://www.consumerreports.org/cro/news/2015/06/smartphone-thefts-on-thedecline/index.htm Cooper, C. G. (2014, April 8). SUPERVISORY MEMORANDUM - 1037. Texas Department of Banking. Retrieved from rt.com: https://www.rt.com/business/texas-bitcoin-regulationcurrency-257/ creditcards.com. (n.d.). Payment method statistics: Cash far from king in the payments landscape. Retrieved from creditcards.com: http://www.creditcards.com/credit-cardnews/payment-method-statistics-1276.php CryptEX. (n.d.). What is a Crypto-currency? 
Retrieved from cryptex.ca: http://cryptex.ca/#AboutUs cryptocoinsnews.com. (n.d.). History of Cryptocurrency. Retrieved from cryptocoinsnews.com: https://www.cryptocoinsnews.com/cryptocurrency/

67

Davidson, J. (2015, January 9). No, Big Companies Aren’t Really Accepting Bitcoin. Retrieved from time.com: http://time.com/money/3658361/dell-microsoft-expedia-bitcoin/ Deloitte. (2015). Contactless mobile Contactless mobile momentum. Deloitte. Department of Justice. (2015, December 4). Manhattan U.S. Attorney Announces Arrest And Unsealing Of Charges Against Senior Adviser To The Operator Of The “Silk Road” Website. Retrieved from justice.gov: http://www.justice.gov/usao-sdny/pr/manhattan-usattorney-announces-arrest-and-unsealing-charges-against-senior-adviser Department of Justice, Office of Public Affairs. (2016, January 2). Founder of Liberty Reserve Pleads Guilty to Laundering More Than $250 Million through His Digital Currency Business. Retrieved from justice.gov: http://www.justice.gov/opa/pr/founder-libertyreserve-pleads-guilty-laundering-more-250-million-through-his-digital developer.android.com. (n.d.). Host-based Card Emulation. Retrieved from developer.android.com: https://developer.android.com/guide/topics/connectivity/nfc/hce.html dictionary.reference.com. (n.d.). selfie. Retrieved from dictionary.reference.com: http://dictionary.reference.com/browse/selfie?s=t discoverfinancial.com. (2015, April 15). Press Release - Discover’s New Freeze ItSM Tool Lets Cardmembers Immediately Halt New Purchases from Home or On-the-Go. Retrieved from discoverfinancial.com: http://investorrelations.discoverfinancial.com/phoenix.zhtml?c=204177&p=irolnewsArticle&ID=2035358 EMV Migration Forum. (2015). Implementing EMV® in the U.S.:How the U.S. Common Debit AIDs Facilitate Debit Transaction Routing . Princeton Junction, NJ, 08550: EMV Migration Forum. EMV Migration Forum. (2015). Understanding the 2015 U.S. Fraud Liability Shifts. EMV Migration Forum. EMVCo. (2014). EMV Payment Tokenisation Specification - Technical Framework. In EMVCo, EMV Payment Tokenisation Specification - Technical Framework (p. 9). EMVCo. etnews. (2016, January 28). 
[Exclusive] Introduction of LG Pay ‘ White Card’. Retrieved from english.etnews.com: http://english.etnews.com/20160128200003 ExxonMobil. (2016, March 8). ExxonMobil Launches Speedpass+ Mobile Payment App with Apple Pay . Retrieved from news.exxonmobil.com: http://news.exxonmobil.com/pressrelease/exxonmobil-launches-speedpass-mobile-payment-app-apple-pay Farivar, C. (2016, April 6). Bitcoin Foundation is “effectively bankrupt,” board member says. Retrieved from arstechnica.com: http://arstechnica.com/business/2015/04/bitcoinfoundation-is-effectively-bankrupt-board-member-says/ 68

FATF. (2014). FATF REPORT: Virtual Currencies Key Definitions and Potential AML/CFT Risks. FATF. Federal Reserve System. (2013). The 2013 Federal Reserve Payments Study: Recent and LongTerm Payment Trends in the United States: 2003 - 2012. Federal Reserve System. Feifei, F. (2016, Jaunary 15). Alipay being used by 100 million to access public-sector transactions. Retrieved from chinadaily.com.cn: http://www.chinadaily.com.cn/business/2016-01/15/content_23100380.htm Figliola, P. M. (2015). The EMV Chip Card Transition: Background, Status, and Issues for Congress. Congressional Research Service. finance.yahoo.com. (2015, February 11). Nymi, TD and MasterCard Announce World's First Biometrically Authenticated Wearable Payment Using Your Heartbeat. Retrieved from finance.yahoo.com: http://finance.yahoo.com/news/nymi-td-mastercard-announceworlds-120000526.html First Data. (2012). EMV and Encryption + Tokenization: A Layered Approach to Security. First Data Corporation. Fisher, G. (2016, February 8). Introducing New Money: PayPal’s Vision for The Future of Commerce. Retrieved from paypal.com: https://www.paypal.com/stories/us/introducingnew-money-paypals-vision-for-the-future-of-commerce forklog.net. (2015, December 20). A Draft Bill Implying Bitcoin Legalization Introduced in the Russian Parliament. Retrieved from forklog.net: http://forklog.net/a-draft-bill-implyingbitcoin-legalization-introduced-in-the-russian-parliament/ Forrester. (2014, November 17). US Mobile Payments To Reach $142 Billion By 2019. Retrieved from forrester.com: https://www.forrester.com/US+Mobile+Payments+To+Reach+142+Billion+By+2019//E-PRE7454 Fujitsu. (2015). Fujitsu PalmSecure: The solution for user-friendly and reliable authentication – more secure than the competition: A guideline for biometric authentication. Munich, Germany: Fujitsu Technology Solutions GmbH. Galbally, J., Marcel, S., & Fierrez, J. (2015, January 7). Biometric Antispoofing Methods: A Survey in Face Recognition. 
Retrieved from ieeexplore.ieee.org: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6990726 Garg, R., & Garg, N. (2015). Model, Developing a Secured Biometric Payments. R Systems International Limited. gemalto.com. (2015, October 13). Gemalto protects banks and card issuers against Card-NotPresent fraud with next generation payment security solution. Retrieved from gemalto.com: http://www.gemalto.com/press/Pages/Gemalto-protects-banks-and-card69

issuers-against-Card-Not-Present-fraud-with-next-generation-payment-securitysolution.aspx globalpaymentsinc.com. (n.d.). Chip Liability Shift. Retrieved from globalpaymentsinc.com: https://www.globalpaymentsinc.com/canada/customer-centre/industry-initiatives/chipliability-shift Goliya, K. (2015, September 10). Google pushes into mobile payment with Android Pay launch in U.S. Retrieved from reuters.com: http://www.reuters.com/article/us-google-incandroid-pay-idUSKCN0RA23320150910 GP Bullhound LLP. (2014). The Future of Oline and Mobile Payments: The Credit card is fading as a virtal and physical methods are becoming one click mobile checkouts. GP Bullhound LLP. Haldane, A. (2015, September 18). Given at the Portadown Chamber of Commerce, Northern Ireland. Retrieved from bankofengland.co.uk: http://www.bankofengland.co.uk/publications/Pages/speeches/2015/840.aspx Hayashi, F. (2012). Mobile Payments: What’s in It for Consumers? . Kansas: FEDERAL RESERVE BANK OF KANSAS CITY. Hemmadi, M. (2014, November 3). The future of payments is wearable, and it’s already here. Retrieved from canadianbusiness.com: http://www.canadianbusiness.com/innovation/thefuture-of-payments-is-wearable-and-its-already-here/ Hern, A. (2014, December 30). Hacker fakes German minister's fingerprints using photos of her hands . Retrieved from theguardian.com: http://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministersfingerprints-using-photos-of-her-hands hitachi.co.jp. (n.d.). Finger Vein Authentication Technology. Retrieved from hitachi.co.jp: http://www.hitachi.co.jp/products/it/veinid/global/introduction/fingervein.html hitachi.com. (2014, September 5). Barclays first in UK to launch new Biometric Reader for customers - Hitachi's Finger Vein Authentication technology set to revolutionise account security in UK. Retrieved from hitachi.com: http://www.hitachi.com/New/cnews/month/2014/09/140905.html IMF Staff Team. (2016). 
IMF Staff Discussion Note - Virtual Currencies and Beyond: Initial Considerations. INTERNATIONAL MONETARY FUND. Internal Revenue Service. (2014, March 25). IRS Virtual Currency Guidance : Virtual Currency Is Treated as Property for U.S. Federal Tax Purposes; General Rules for Property Transactions Apply. Retrieved from irs.gov: http://www.irs.gov/uac/Newsroom/IRSVirtual-Currency-Guidance

70

investor.visa.com. (2014, September 02). Visa to Enable Secure, Cloud-Based Mobile Payments. Retrieved from investor.visa.com: http://investor.visa.com/news/news-details/2014/Visato-Enable-Secure-Cloud-Based-Mobile-Payments/default.aspx Jamieson, G. (2015, March 8). Interview for capstone research. (N. Alleyne, Interviewer) Jamieson, G. (2015, February 22). Review of NFC Payment Seurity. (N. Alleyne, Interviewer) Kendall, J., Schiff, R., & Smadja, E. (2014, February). Sub-Saharan Africa: A major potential revenue opportunity for digital payments. Retrieved from mckinsey.com: http://www.mckinsey.com/industries/financial-services/our-insights/sub-saharan-africa-amajor-potential-revenue-opportunity-for-digital-payments Kent, J. (2005, March 31). Malaysia car thieves steal finger. Retrieved from news.bbc.co.uk: http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm Kharif, O. (2015, October 14). Capital One Pushes Into Mobile Payments With Android App . Retrieved from bloomberg.com: http://www.bloomberg.com/news/articles/2015-1014/capital-one-pushes-into-mobile-payments-with-android-app Khodos, J. (2015, August 18). MasterCard Trials Facial and Fingerprint Biometric Payments in Europe and U.S. Retrieved from newsroom.mastercard.com: http://newsroom.mastercard.com/news-briefs/mastercard-trials-facial-and-fingerprintbiometric-payments-in-europe-and-u-s/ Kossman, S. (2015, October 1). 7 merchant tips to understanding EMV fraud liability shift. Retrieved from nasdaq.com: http://www.nasdaq.com/article/7-merchant-tips-tounderstanding-emv-fraud-liability-shift-cm526268 Krombholz, K., Fr•uhwirt, P., Kieseberg, P., Kapsalis, I., Huber, M., & Weippl, E. (n.d.). QR Code Security: A Survey of Attacks and Challenges for Usable Security. Vienna: SBA Research. leginfo.legislature.ca.gov. (2015, February 27). AB-1326 Virtual currency. (2015-2016). Retrieved from leginfo.legislature.ca.gov: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201520160AB1326 Lewis, D. 
(2015, May 31). Heartland Payment Systems Suffers Data Breach. Retrieved from forbes.com: http://www.forbes.com/sites/davelewis/2015/05/31/heartland-paymentsystems-suffers-data-breach/ Library of Congress. (2015, 07 01). Regulation of Bitcoin in Selected Jurisdictions. Retrieved from loc.gov: http://www.loc.gov/law/help/bitcoin-survey/ Marasco, E., & Ross, A. (2014, September). A Survey on Anti-Spoofing Schemes for Fingerprint Recognition Systems. Retrieved from http://wpage.unina.it: http://wpage.unina.it/emanuela.marasco/Marasco_ACM.pdf

71

MasterCard Worldwide. (2010). An Analysis of End-to-end Encryption as a Viable Solution for Securing Payment Card Data . MasterCard Worldwide. MasterCard Worldwide. (2011). ADVANTAGES OF A RISK BASED AUTHENTICATION STRATEGY FOR MASTERCARD SECURECODE. MasterCard Worldwide. MasterCard Worldwide. (2011). Security Matters - Payment Systems Integrity. MasterCard Worldwide. MasterCard Worldwide. (2012). ADVANCING MOBILE PAYMENTS: ADVANCING COMMERCE. MasterCard. mastercard.ca. (n.d.). MasterCard® Mobile Payments: Speed and simplicity - make life a little easier. Retrieved from mastercard.ca: http://www.mastercard.ca/cardholderservices/mobile-payments.html mastercard.us. (n.d.). A new era of payments and security: MasterCard EMV chip technology offers smarter, more secure and more efficient payments. Retrieved from mastercard.us: https://www.mastercard.us/en-us/issuers/products-and-solutions/grow-manage-yourbusiness/payment-innovations/chip-emv.html McDermott, K. (n.d.). The mobile payments revolution: How to be Ready for the Tipping Point. Payvision . McDonald, M. (2015, September 25). Bitcoin Goes Mainstream as an Investment Vehicle. Retrieved from nasdaq.com: http://www.nasdaq.com/article/bitcoin-goes-mainstream-asan-investment-vehicle-cm523775 McMillan, R. (2014, March 3). The Inside Story of Mt. Gox, Bitcoin’s $460 Million Disaster. Retrieved from wired.com: http://www.wired.com/2014/03/bitcoin-exchange/ Millman, R. (2015, June 26). Updated: 97% of malicious mobile malware targets Android . Retrieved from scmagazineuk.com: http://www.scmagazineuk.com/updated-97-ofmalicious-mobile-malware-targets-android/article/422783/ Millward, S. (2015, February 19). Alibaba’s Alipay users gift US$642M in cash to their buddies for Chinese New Year. Retrieved from techinasia.com: https://www.techinasia.com/alibaba-alipay-users-gift-cash-red-envelopes-chinese-newyear Morea, D., Christiansen, P., Dragt, B., & Randolph, G. R. (2011). 
EMV in the U.S.: Putting It into Perspective for Merchants and Financial Institutions. First Data Corporation. Mulligan, J. (2014, February 4). time for smartcards. Retrieved from corporate.target.com: https://corporate.target.com/article/2014/02/time-for-smartcards Murphy, E. V., Seitzinger, M. V., & Murphy, M. M. (n.d.). Bitcoin: Questions, Answers, and Analysis of Legal Issues. Congressional Research Service.

72

nearfieldcommunication.org. (n.d.). Security Concerns with NFC Technology. Retrieved from nearfieldcommunication.org: http://www.nearfieldcommunication.org/nfc-security.html New Science. (2014). New Science: Transaction Security - Biometrics for payments. newscience.ul.com. New York State Department Of Financial Services. (n.d.). NEW YORK CODES, RULES AND REGULATIONS - TITLE 23. DEPARTMENT OF FINANCIAL SERVICES - CHAPTER I. REGULATIONS OF THE SUPERINTENDENT OF FINANCIAL SERVICES - PART 200. VIRTUAL CURRENCIES. New York State Department Of Financial Services. newsroom.mastercard.com. (2014, February 19). MasterCard to Use Host Card Emulation (HCE) for NFC-Based Mobile Payments. Retrieved from newsroom.mastercard.com: http://newsroom.mastercard.com/press-releases/mastercard-to-use-host-card-emulationhce-for-nfc-based-mobile-payments/ newsroom.mastercard.com. (2015, August 18). First Tech Federal Credit Union and MasterCard Announce First U.S. Biometric Payments Pilot. Retrieved from newsroom.mastercard.com: http://newsroom.mastercard.com/press-releases/first-techfederal-credit-union-and-mastercard-announce-first-u-s-biometric-payments-pilot/ newsroom.mastercard.com. (2015, August 18). Netherlands first test country for credit card payments with identity recognition. Retrieved from newsroom.mastercard.com: http://newsroom.mastercard.com/eu/nl/press-releases/netherlands-first-test-country-forcredit-card-payments-with-identity-recognition-2/ nuance.com. (2015, July 28). ING Netherlands Launches Voice Biometrics Payment System in the Mobile Banking App Powered by Nuance. Retrieved from nuance.com: http://www.nuance.com/company/news-room/press-releases/ING-Netherlands-LaunchesNuance-Voice-Biometrics.docx Nymi. (n.d.). Product Specs. Retrieved from nymi.com: https://nymi.com/product_specs nymi.com. (n.d.). Introducing The Nymi Band. Retrieved from nymi.com: https://www.nymi.com/the-nymi-band/ oberthur.com. (2014, 10 9). 
World first: OT announces availability of first payment card integrating dynamic security codes to secure online transactions. Retrieved from oberthur.com: http://www.oberthur.com/world-first-ot-announces-availability-of-firstpayment-card-integrating-dynamic-security-codes-to-secure-online-transactions/ oberthur.com. (n.d.). Fraud is increasingly shifting to “card-not-present” (CNP) transactions carried out mainly online. Retrieved from oberthur.com: http://www.oberthur.com/motioncode/ O'Brien, M. (2015, June 8). Bitcoin isn’t the future of money — it’s either a Ponzi scheme or a pyramid scheme. Retrieved from washingtonpost.com:

73

https://www.washingtonpost.com/news/wonk/wp/2015/06/08/bitcoin-isnt-the-future-ofmoney-its-either-a-ponzi-scheme-or-a-pyramid-scheme/ Office of the Press Secretary. (2014, October 17). FACT SHEET: Safeguarding Consumers’ Financial Security. Retrieved from whitehouse.gov: https://www.whitehouse.gov/thepress-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security officialandroid.blogspot.ca. (2015, September 10). Tap. Pay. Done. Retrieved from officialandroid.blogspot.ca: http://officialandroid.blogspot.ca/2015/09/tap-pay-done.html paydiant.com. (2015, March 5). The Wall Street Journal: PayPal to Buy Mobile-Payments Firm Paydiant . Retrieved from paydiant.com: http://www.paydiant.com/about/news/221-thewall-street-journal-paypal-to-buy-mobile-payments-firm-paydiant.html paydiant.com. (n.d.). Paydiant Security . Retrieved from paydiant.com: http://www.paydiant.com/security.html paymentscardsandmobile.com. (2016, February 19). MasterCard contactless expenditure grew 375% in 2015 . Retrieved from paymentscardsandmobile.com: http://www.paymentscardsandmobile.com/mastercard-contactless-expenditure-grew-375in-2015/ paypal.com. (n.d.). At PayPal, we put people at the center of everything we do. Retrieved from paypal.com: https://www.paypal.com/us/webapps/mpp/about PCI Security Standards Council. (2011). PCI DSS Tokenization Guidelines. Scoping SIG, Tokenization Taskforce PCI Security Standards Counci. Peterson, A. (2015, September 23). OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought. Retrieved from washingtonpost.com: https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-morethan-five-million-fingerprints-compromised-in-breaches/ Pineda, M. E. (2015, November 13). How does magnetic secure transmission or MST payment works? Retrieved from versiondaily.com: http://www.versiondaily.com/how-doesmagnetic-secure-transmission-or-mst-payment-works/ planetbiometrics.com. (2015, November 30). 
Group cites cost as barrier to wider iris adoption. Retrieved from planetbiometrics.com: http://www.planetbiometrics.com/articledetails/i/3766/desc/group-cites-cost-as-barrier-to-wider-iris-adoption/ Pozin, I. (2015, September 10). 3 Trends In Mobile Payments You Need to Know About. Retrieved from forbes.com: http://www.forbes.com/sites/ilyapozin/2015/09/10/3-trendsin-mobile-payments-you-need-to-know-about/#202f32d63619 pressreleases.visa.com. (2012, November 26). New Visa Consumer Authentication Service Combats eCommerce Fraud. Retrieved from pressreleases.visa.com: http://pressreleases.visa.com/phoenix.zhtml?c=215693&p=irolnewsarticlePR&ID=1761624 74

prnewswire.com. (2016, January 25). ABI Research Anticipates U.S. EMV Payment Card Shipments to Peak in 2016 at Approximately 617 Million Units . Retrieved from prnewswire.com: http://www.prnewswire.com/news-releases/abi-research-anticipates-usemv-payment-card-shipments-to-peak-in-2016-at-approximately-617-million-units300209011.html Pymnts. (2015, November 12). Worldpay Testing Biometric Payments. Retrieved from pymnts.com: http://www.pymnts.com/news/2015/worldpay-testing-biometric-payments/ pymnts.com. (n.d.). APPLE PAY ADOPTION. Retrieved from pymnts.com: http://www.pymnts.com/apple-pay-adoption/ Ray. (2015, February 19). 10 Countries Riding The Contactless Payments Wave. Retrieved from letstalkpayments.com: http://letstalkpayments.com/10-countries-riding-contactlesspayments-wave/ Reitman, r. (2015, August 7). A License to Kill Innovation: Why A.B. 1326—California’s Bitcoin License—is Bad for Business, Innovation, and Privacy. Retrieved from eff.org: https://www.eff.org/deeplinks/2015/08/license-kill-innovation-why-ab-1326-californiasbitcoin-license-bad-business Reuters. (2014, Nov 18). Research and Markets: The Global Biometric System Market 20142024 - Market Size and Drivers: Market Profile of the $6.9 Billion Industry. Retrieved from reuters.com: http://www.reuters.com/article/2014/11/18/research-and-marketsidUSnBw186219a+100+BSW20141118 Reuters. (2015, October 26). Apple Pay growth slows a year after launch: research. Retrieved from reuters.com: http://www.reuters.com/article/us-apple-pay-consumersidUSKCN0SK2H020151026?feedType=RSS&feedName=technologyNews Roberts, D. (2015, November 6). What Do MasterCard and Visa Think About Bitcoin? Retrieved from fortune.com: http://fortune.com/2015/11/06/visa-mastercard-bitcoin/ Rosenfeld, M. (2011, December 22). Analysis of Bitcoin Pooled Mining Reward. Retrieved from arxiv.org: http://arxiv.org/pdf/1112.4980v1.pdf RSA. (2013). RSA RISK - BASED AUTHENTICATION: For RSA Authentication Manager 8.0. RSA. Russell, J. 
(2016, January 3). Uber Takes Its Alipay Partnership Global To Tap Into Chinese Travelers. Retrieved from techcrunch.com: http://techcrunch.com/2016/01/31/uber-takesits-alipay-partnership-global-to-tap-into-chinese-travelers/ Samsung. (2016, February 20). Samsung Pay Continues Global Momentum in 2016. Retrieved from news.samsung.com: https://news.samsung.com/global/samsung-pay-continuesglobal-momentum-in-2016 samsung.com. (n.d.). What is MST (Magnetic Secure Transmision)? Retrieved from samsung.com: http://www.samsung.com/us/support/answer/ANS00043865/997410383/ 75

Satoshi Nakamoto. (2008, November 1). Bitcoin P2P e-cash paper . Retrieved from mailarchive.com: http://www.mailarchive.com/[email protected]/msg09959.html Sawers, P. (2015, ugust 5). Android fragmentation report: There are now 24,093 distinct devices, up 28% from last year. Retrieved from venturebeat.com: http://venturebeat.com/2015/08/05/fragmentation-report-there-are-now-24093-distinctandroid-devices-up-78-from-last-year/ saypaytechnologies.com. (n.d.). SayPay Checkout. Retrieved from saypaytechnologies.com: http://saypaytechnologies.com/saypay-checkout/ SEC. (2013). SEC Charges Texas Man With Running Bitcoin-Denominated Ponzi Scheme. Retrieved from sec.gov: http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539730583#.Ue6yZOD mp-I SEC Office of Investor Education and Advocacy. (n.d.). Investor Alert - Ponzi schemes Using virtual Currencies. Washington, DC: SEC Office of Investor Education and Advocacy. Shih, G. (2014, October 16). Alibaba affiliate Alipay rebranded Ant in new financial services push. Retrieved from reuters.com: http://www.reuters.com/article/us-china-alibabaidUSKCN0I50KJ20141016 Shuang, F. (2016, January 13). Alipay study: Smartphones are likely to replace wallets. Retrieved from ecns.cn: http://www.ecns.cn/business/2016/01-13/195616.shtml Skatteverket v David Hedqvist, C-264/14 (Fifth Chamber October 22, 2015). Smart Card Alliance. (2012). Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure? Smart Card Alliance. Smart Card Alliance. (2015). EMV and NFC: Complementary Technologies Enabling Secure Contactless Payments. Princeton Junction, NJ 08550: Smart Card Alliance. smartacquiring.com. (n.d.). The US EMV Migration: What Took So Long? Retrieved from smartacquiring.com: http://smartacquiring.com/us-emv-migration-took-long/ smartcardalliance.org. (2014). Host Card Emulation (HCE) 101. Princeton Junction, NJ 08550: Smart Card Alliance. Spenser, T. (2012, July 25). 
Silicon-based fingerprint sensors market projected to grow. Retrieved from biometricupdate.com: http://www.biometricupdate.com/201207/siliconbased-fingerprint-sensors-market-projected-to-grow statista.com. (n.d.). Number of Bitcoins in circulation worldwide from 1st quarter 2010 to 4th quarter 2015 (in millions) . Retrieved from statista.com: http://www.statista.com/statistics/247280/number-of-bitcoins-in-circulation/

76

statista.com. (2016). Market share worldwide smartphone shipments by operating system from 2014 to 2019 . Retrieved from statista.com: http://www.statista.com/statistics/272307/market-share-forecast-for-smartphoneoperating-systems/ statista.com. (2016). U.S. retail e-commerce sales from 2010 to 2018 (in billion U.S. dollars) . Retrieved from statista.com: http://www.statista.com/statistics/272391/us-retail-ecommerce-sales-forecast/ sthaler.com. (2015). Welcome to Sthaler. Retrieved from sthaler.com: http://www.sthaler.com/ support.apple.com. (n.d.). Set up and use Apple Pay on your iPhone or iPad. Retrieved from support.apple.com: https://support.apple.com/en-au/HT201239 support.google.com. (n.d.). Google Glass Help. Retrieved from support.google.com: https://support.google.com/glass/answer/2725950?hl=en Target Corporation. (2015). Quarterly Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934. Minnesota: Target Corporation. The TJX Companies, Inc. (2007). Quarterly Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934. Framingham, Massachusetts: The TJX Companies, Inc. The TJX Companies, Inc. (2014). 2014 Annual Report. Framingham, MA 01701 : The TJX Companies, Inc. The UK Cards Association Limited. (2015). Contactless Statistics. Retrieved from theukcardsassociation.org.uk: http://www.theukcardsassociation.org.uk/contactless_contactless_statistics/ trendmicro.com. (2015, August 1). Mobile Payment Systems: How Apple Pay Works. Retrieved from trendmicro.com: http://www.trendmicro.com/vinfo/us/security/news/mobilesafety/mobile-payment-systems-apple-pay Verifone, Inc. (2015). A MULTI-PRONGED APPROACH - EMV, ENCRYPTION, TOKENIZATION & SECURE COMMERCE ARCHITECTURE. Verifone, Inc. Visa. (2015, February 19). Canadians prioritize Security over Convenience, Speed when making Payments. Retrieved from visa.ca: http://www.visa.ca/en/aboutcan/mediacentre/news/security-overconvenience.jsp#.Vs5LjtCIdZ8 Visa. (n.d.). 
Visa Consumer Transaction Controls: Empower consumers to control how, when, and where their cards are used. Retrieved from developer.visa.com: https://developer.visa.com/products/vctc Voltage Security, Inc. (n.d.). Voltage Secure Stateless Tokenization: DATA PROTECTION AND PCI SCOPE REDUCTION FOR TODAY’S BUSINESSES. Voltage Security, Inc.

77

Waring, J. (2016, January 15). Mobile accounts for 65% of China’s online payments — Alipay. Retrieved from mobileworldlive.com: http://www.mobileworldlive.com/asia/asianews/mobile-accounts-for-65-of-chinas-online-payments-alipay/ Williams, B. (2010). Will End to End Encryption Save Us All? Braden Williams. worldcore.eu. (2016, February 05). VoiceKey integration completed! Retrieved from worldcore.eu: https://worldcore.eu/News/34/voicekey-integration-completed

78
