A smart speaker walks into a bar and orders a cup of coffee:
– Dang, I forgot my wallet!
– Oh wait! I am the wallet.
Jokes aside, IoT payments are a lucrative new battlefield for FinTechs, banks, and OEMs (brands) — the same crowd attacking the mobile payment space.
But may we suggest looking more into the IoT sphere? For one, it’s still not that crowded. Secondly, it’s surging in profitability. According to Matt Good (the senior vice president and general manager of Elan Advisory Services) in an interview with PYMNTS, the volume of wearables payments may top $500 billion this year. Lastly, IoT painfully lacks viable digital wallet solutions to facilitate growth.
Why digital wallets are the key to capitalizing on IoT commerce
One-quarter of European shoppers expect to start using contactless payments with wearables — smartwatches, keyrings, stickers, bracelets or another form of a wearable device.
The Smart Payment Association mirrors that data and anticipates that 72% of new wearable devices shipped will be used in payments this year (though they made this forecast in 2017).
The rising popularity of branded mobile wallet apps also serves as a great proxy for the rising consumer interest in cardless payments. Already, you can choose to store your card in:
- Apple Pay
- Samsung Pay
- Amazon Pay
- Garmin Pay
- Fitbit Pay
- Chase Pay
- Or any other “Pay” you fancy
The mobile wallet market is ripe. Wearable digital wallets are on the rise. But the question remains: Who will dominate the IoT payment landscape as it comes of age — new or existing players?
As we highlighted in our first post about IoT commerce, every connected device can now become a payment enabler, resulting in a multitude of cross-industry use cases.
- Smart Home: Connected food/supply ordering, maintenance payments, consumer credit payments, pay-per-use billing for rented equipment
- Utilities: Smart meters, P2P electricity trading, pay-per-use payments
- Automotive: In-car commerce, in-car entertainment, connected parking payments, pay at the pump, pay-per-use insurance
- Wearables: Smartwatches, fitness trackers, jewelry, and stickers can be used for both retail and P2P payments
- Retail: Contactless cashier-less stores, smart vending machines
- Smart cities: Transportation and mobility payments, tax and government services payments
- Manufacturing: Automated supply ordering, predictive maintenance payments, servitized offerings
Now connect this multitude of use cases with the fact that the financial industry has finally worked out a secure, unified framework for processing remote transactions — the EMVCo Secure Remote Commerce (SRC) framework.
EMVCo is defining a technical framework and specification that enables a merchant to obtain a consistent, secure payload of customer payment information that can be used to facilitate authorization through existing channels.
In essence, this is a new method for securely tokenizing payments that drastically reduces security risks and allows customers to view how their credentials and personal data are used and stored. Mastercard, Visa, American Express, and Discover are jointly supporting this protocol. And here’s what this means for everyone interested in embedding payment functionality: SRC can unify the payment experience across channels and create a “single button in the digital world for consumers to use to check out,” to quote Jess Turner, EVP of Digital Payments and Labs of North America at Mastercard in an interview with PYMNTS.
Even better news? The EMVCo framework was specifically designed to accommodate the emerging payment experiences enabled by IoT and voice-activated devices. So yes, you already have a pretty solid base for launching new IoT wallet solutions.
6 main steps to create a digital wallet for IoT payments
This needs to be said first: the security of IoT devices has been questioned a lot. But after a series of false starts, most device manufacturers are finally on the fast track to success, as the latest cybersecurity trends illustrate.
Combining payments with IoT initially raised some valid security concerns — an issue EMVCo prominently addresses with tokenization. Tokenization is a secure method for protecting a customer’s sensitive information, such as account numbers and card numbers, by replacing it with a unique digital identifier (token). This token is exchanged with another IoT device during an online or NFC payment.
Here are six steps you should take when creating a digital wallet for IoT payments.
1. Understand the new token-enabled payment flow
To illustrate this, let’s use a connected car with an embedded in-dash wallet as an example. To get started, you need to load your card to the car wallet. Once you do, the following data will be automatically dispatched to the card issuer for tokenization:
- Primary account number (PAN)
- Cardholder name
- Cardholder address data for verification
- Device data
- CDCVM from the connected device (optional)
All of the above will be stored as tokens in your car wallet. If someone manages to hack into your car (or any other IoT) wallet, all they’ll get is a useless string of numbers — not your actual credit card details.
Source: Visa — How things pay for things
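The sketch below is an added example, not code from Visa or any token service provider. It shows why a stolen wallet token is useless on its own: the PAN stays inside a vault, and the token is honored only for the device it was provisioned to. The `TokenVault` class, the device IDs and the token format (random digits of the same length as the PAN) are assumptions made for illustration.

```python
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for a token service; the PAN never leaves it."""

    def __init__(self):
        self._by_token = {}                 # token -> (pan, device_id)

    def tokenize(self, pan: str, device_id: str) -> str:
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        while True:
            # Random surrogate with no mathematical relation to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = (pan, device_id)
        return token

    def detokenize(self, token: str, device_id: str) -> str:
        pan, bound_device = self._by_token.get(token, (None, None))
        # A token replayed from any other device is rejected.
        if pan is None or not secrets.compare_digest(bound_device, device_id):
            raise PermissionError("unknown token or wrong device")
        return pan

    def revoke(self, token: str) -> None:
        self._by_token.pop(token, None)     # kill the token, the card stays valid


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known test card number, not a real account.
    t = vault.tokenize("4111111111111111", "car-001")
    print("wallet stores:", t)
```

Revoking the token after a device compromise leaves the underlying card untouched, so the cardholder does not need a new card.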
2. Choose your tokenization integration option
Now you need to figure out how to enable tokenization within your wallet. The most common option is to use an existing Token Service Provider (TSP). These are official entities that can provide surrogate PAN values.
For IoT payments, here are some of the popular TSPs:
- Mastercard Digital Enablement Service
- Visa Token Service
- Gemalto Trusted Services Hub
- Amex Tokenization Service
3. Map out your data storage layer
Authenticating core payment-related data such as tokens, cryptographic keys, and authentication data (for device and cardholder verification) is key to the long-term success of IoT payments.
There are two places you can store this data:
- The IoT device itself. In this case, you can protect critical data at both the hardware level (e.g. using tamper-resistant microcontrollers) and software level (e.g. with code obfuscation).
- In the cloud. A cloud services provider takes on the burden of protecting critical customer data. However, you’ll need to create a secure communication channel between the IoT device and the cloud.
4. Decide on the device authentication process
Every IoT device needs an ID that can be authenticated when it attempts to connect to the payment network or another gateway.
By assigning a unique ID to every device with your wallet installed, you can track these devices individually and effectively address suspicious behavior. For instance, if a smart fridge suddenly starts ordering an extremely high volume of food from an unknown retailer, you can revoke its payment privileges and securely investigate the matter.
Microsoft suggests the following authentication options for IoT devices:
- X.509 certificates
- Trusted Platform Module
- Symmetric keys
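As an added illustration of the symmetric-key option combined with per-device IDs and revocation (this is not Microsoft's code or API), the sketch below derives a separate key for each device ID and authenticates the device with a single-use challenge. The `DeviceRegistry` class, the master key and the device IDs are hypothetical.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Hypothetical wallet backend that authenticates devices by symmetric key."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._revoked = set()
        self._pending = {}                  # device_id -> outstanding nonce

    def device_key(self, device_id: str) -> bytes:
        # One key per unique device ID: extracting a key from one device
        # does not expose the master key or any other device.
        return hmac.new(self._master_key, device_id.encode(), hashlib.sha256).digest()

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)   # single use: blocks replay
        if nonce is None or device_id in self._revoked:
            return False
        expected = hmac.new(self.device_key(device_id), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

    def revoke(self, device_id: str) -> None:
        # Pull payment privileges from one misbehaving device only.
        self._revoked.add(device_id)


def device_respond(device_key: bytes, nonce: bytes) -> bytes:
    """Runs on the device: proves possession of the key without sending it."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    registry = DeviceRegistry(b"constructed-master-key")   # constructed sample key
    key = registry.device_key("fridge-42")                 # provisioned at manufacture
    nonce = registry.challenge("fridge-42")
    print(registry.verify("fridge-42", device_respond(key, nonce)))
```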
5. Create a seamless consumer authentication experience
The user-to-device connection is the weakest link in IoT security. Biometrics is the most likely contender to strengthen it. Here’s why:
Biometric payments already dominate the mobile channel. According to Javelin Research, mobile biometrics will authenticate $2 trillion worth of in-store and remote mobile payment transactions annually by 2023. That’s a pretty strong indicator that most consumers are on board with this authentication method and will welcome it within other mobile and connected devices.
Europe’s Strong Customer Authentication (SCA) requirement (extended to March 2021) mandates that all card-not-present transactions be authenticated with at least two of three methods:
- Something you know (password/PIN)
- Something you own (phone/hardware token)
- Something you are (fingerprint or face/voice recognition)
Considering that most IoT payments will be highly contextual, passwords are neither the smoothest nor the most secure option. Biometrics, on the contrary, offer a foolproof way of identifying individuals.
Lastly, biometrics better support behavioral security. Paired with location-based services, biometrics can tell a lot about where the user is and what they’re doing. Payment services providers can leverage that data to create cross-platform identity checks and custom levels of authentication depending on the transaction type.
For instance, voice-based or finger-based authentication can prevent your kids from ordering a bunch of candy through a smart fridge or a home voice assistant.
6. Give your wallet an attractive UX
Payments are largely invisible. But that doesn’t mean users don’t deserve an attractive mobile payment processing interface that guides them through the transaction. The biggest challenge is designing for the variety of IoT form factors we have:
- Small wearable screens
- Larger smart fridge and vending machine displays
- In-car dashboards, head units, and other types of human-machine interfaces
There are also QR cashless payments, which are gradually replacing point of sale systems in the Asia-Pacific region. These will also need a separate interface within your mobile wallet app.
Ultimately, the screen size and operating system will dictate most of your design choices. So study those specifications in advance and ask your UX design team to create several wireframes for different payment flows.
As IoT payments move from the margins to the mainstream, the key question is who will own the payment experience and all the rich customer data that comes with it.
Already, we have several contenders including OEMs, TechFins, and FinTechs/banks. Every party can capture significant benefits from creating a digital wallet to support both person-to-device and machine-to-machine transactions. With further advances in AI and connectivity, use cases for machine-to-machine payments will surge, creating even more exciting opportunities for payment services providers.