Non-bank payment service providers

From Blindside

What is it

There are two types of non-bank payment service providers: payment services that handle ordinary official currencies, and e-money systems that create their own new currencies. The prime example of the former is the widely used PayPal (now owned by eBay), which makes it possible to send money to anyone anywhere in the world who has an email address. Unsuccessful examples of the latter included such schemes as Cybercash, which was created in the mid-1990s and used cryptography to secure and anonymise payments, and Mondex. A third type is just beginning to emerge: virtual worlds that have their own internal currencies. Second Life's currency, Linden dollars, has an official exchange rate of L$237 to US$1, allowing people who sell goods and services in-world to cash out their earnings and live off them in the physical world.

PayPal, which was set up as early as the mid-1990s, became popular because the service provided a quick, low-cost way for strangers to pay each other for goods and services sold across the net. Over time, as the service's functionality increased, it became a way for ordinary people selling small quantities of items across the Internet to accept payment by credit card, a boon to small businesses and individuals who would find it difficult to get credit card authorisation otherwise. There has been some debate about whether PayPal should be subject to regulation by (for example) the Financial Services Authority, since the service holds payments and account balances on behalf of its users, and can freeze accounts for suspected fraud without warning.

E-money systems have had a much rockier ride. The earliest ones were innovative and clever, but the cryptographic systems that created them were difficult for users to understand and trust; users were therefore understandably reluctant to exchange real money for unfamiliar funds whose existence seemed uncertain. PayPal succeeded by building on familiar currencies and banking/credit card systems.

Nonetheless, attempts to create acceptable e-money systems will continue because there is a common belief that micropayments would enable new forms of e-commerce; the transaction costs of using credit cards, for example, are too high to allow an online music service to charge a quarter-cent to listen to a song. In 2002, the FSA created a framework under which private organisations could issue their own forms of e-money.

Impact & Maturity assessment

There are two issues with a potential impact on information security. One is the reliability of financial service providers, who will inevitably collect large amounts of data on consumers. Should large-scale failure or malpractice cause the release of consumer information, the reputational risk will rub off on all those who maintain large databases with consumer information, including government.

The other issue is the systemic threat posed by the creation of fiat currencies outside the control of the Bank of England or the Treasury Department. Regarding this, the threat is that government fails to extract adequate information from those who use reward points, airmiles, etc. to protect the nation's economy.

We assign an Impact Level of 3 to this, and a Maturity Level of 1. The points systems referred to above are replicas of 'green stamp' programmes of past generations. The next level of commercial offerings will be considerably richer and potentially more dangerous.

Information Assurance issues

Answer: what seem to be the likely information assurance issues of the emerging technology under discussion

Timescale

Is the impact of this emerging technology felt - now (less than 18 months) - in 2-5 years? - in 5-25 years - longer-term than that even

Examples

net.wars: A money of our own, by Wendy M. Grossman (May 10, 2002).

Comments (attributed)

It seems inevitable that as more and more payment services are deployed that are vulnerable to online fraud, the constant factor will be a stream of complaints from honest citizens that ‘I didn't do that’ or ‘I was cheated into doing that – I thought I was paying $2 for a parking meter in Baltimore and here I’m being billed $2000 for casino chips in Macao’. The contentious technologies will also change – the headline issue might be ACH scams this year, and RFID transaction forwarding in five years' time. But there must be robust means of dealing with customer complaints; otherwise not only will confidence be lost, but the incentives needed to track down wrongdoers and to improve systems will be suboptimal. Ultimately, it’s only the providers of payment services who can fight fraud; only they have access to all the data, and the ability to evolve the system. If the banks (and nonbanks) don’t take the pain, they won’t take the strain.
Ross Anderson

Organisations

PayPal UK

eGold

Digicash

Western Union

MTN MobileMoney

Webmoney

Documents & research papers

Closing the Phishing Hole – Fraud, Risk and Nonbanks, by Ross Anderson, Cambridge University Professor of Security Engineering

Achieving Electronic Privacy by David Chaum

Experts (academic, practitioner)

Ross Anderson

David Chaum

Blindside wiki is the place to collect issues and opinions on future technologies that may have implications for information assurance. Opinions are fine, but need to be clearly shown as such, and referenced to the person or people who hold those views.