PyramID – PSD2 payments solution

Due to the onerous security requirements in the new European Payment Directive (PSD2) there has never been a better time for new disruptive technologies to change the face of the global Payments and Identity industries.

From November 2017, today’s payment providers will not be able to use their current technology to make payments within Europe, because it falls foul of two key components of PSD2: all transaction data has to be anonymous and, if breached, must not be reusable. This means that within every payment transaction, no customer data or card data can be held or transferred by the merchant. It removes the merchant as a target for card-data theft: with no customer data or card details on the merchant’s systems, a breach there yields nothing reusable for an attacker to steal.

Facebanx’s PyramID payment solution is the only one on the market today that solves these two security components of PSD2. It uses only the 16 digit card number of a transaction: a banking app generates a randomised 16 digit number that passes through the existing EMV rails and ends up back at the issuing bank (the number keeps the issuer’s own BIN prefix, since that is what the rails route on). Only when the issuing bank has matched the number received over the EMV rails with the one received from its own app is the payment accepted.

Because no card data is ever held by the merchant, a breach of the merchant yields nothing an attacker can reuse. If the number is intercepted it can only be used once, so it cannot be resold on the dark web.

Bimodality as a Security Tool

Traditional methods of protecting payments are based on PINs and passwords. This approach does not guarantee security, as both PINs and passwords can easily be stolen. For payments within Europe, the introduction of PSD2 calls for a different level of protection. To authenticate the customer and create a one-time card number, Facebanx’s PyramID uses the user’s biometric data for both face and voice. These characteristics are unique to each person and, unlike a PIN, cannot simply be copied from a form; how well they resist spoofing depends on the liveness detection at capture and on keeping the stored templates protected. Through the use of Facebanx’s technologies, customers can be assured that their payments are protected.

What is PyramID

The fundamental principle of PYRAMID is that, when a transaction is conducted online or in-store, the issuing bank expects to receive a one time card number generated on a mobile device, delivered over two independent channels.

PYRAMID requires that every issuing bank use its own mobile app, not an independent wallet, for the customer to make a payment. The customer accesses the issuing bank’s app to choose the card they want to pay with. To access the app the customer must use a biometric of the issuing bank’s choice.

The PYRAMID solution requires that the app generate a one time card number as soon as the customer has accessed their banking app and chosen a preferred payment card. As soon as the transaction is started, the app sends the card number directly to the issuing bank’s server. Then, depending on the type of transaction, a second copy of the one time card number is copied over to a PC, entered into a mobile checkout page, or presented to a POS terminal in-store.

The bank therefore receives two copies of the same one time card number from two independent sources. It releases payment only once both matching copies have been received.

As additional checks, the bank also receives biometric data from the mobile device via the app, and can use device recognition and geolocation.

With PYRAMID, a one time card number stolen from either channel is useless, because it is a one-off number: it cannot be resold or reused by anyone else. Not only is the data useless if stolen, it is also anonymous: nothing in the data that passes through the merchant associates the customer with the one time card number, which satisfies a major requirement of PSD2.

As the bank only needs to receive a matching pair of numbers, data such as the name and expiry date are not used to confirm the payment. The customer could, if they chose, make up a name and expiry date on the checkout form and the payment would still be processed, as long as the form’s own validation accepts them.

PYRAMID is the only process that currently provides anonymity and independent delivery via multiple sources.

An example of a customer journey using a PYRAMID based solution.

The customer’s journey is the same as paying via a mobile wallet; there is nothing additional they need to do. During login to their bank’s wallet (the app) they use their preferred biometric, which could be face recognition, fingerprint, voice recognition or iris recognition. Each issuing bank can offer its customers the choice of biometric.

Depending on the customer’s preferred choice of payment method there are three different payment scenarios:

  1. PC and mobile device
  2. Mobile only
  3. POS and mobile for in-store purchases

PC and Mobile

An example of a customer journey of a purchase from a PC is as follows:

The customer chooses goods to purchase on a PC and ends up at the checkout page of a merchant’s website. The checkout page asks the customer to enter the standard credit card details: name, card type, card number, expiry date and CVV.

To obtain the necessary information the customer opens their phone and accesses their issuing bank’s app. The app is opened with a PIN or password and a biometric as the second factor. Once the app is open the customer chooses the card they want to pay from.

The phone screen then shows a card-like image carrying everything the customer needs to fill in the merchant’s checkout page: a one time 16 digit card number, a CVV and an expiry date. The CVV and expiry date are not needed for the transaction; they are shown only so the customer has something to enter on the website. All the bank needs to secure the process is the 16 digit one time card number, but telling customers at the outset that they can make up the expiry date, CVV and even their name, rather than copying them from the phone, would be too much of an education exercise initially.

Once the 16 digit one time card number has been entered into the website the customer clicks enter and the payment goes through in the same way as normal, with no additional delay.

The bank receives the first copy of the one time card number as soon as the customer chooses the card to pay from on their mobile device; the number is dispatched to the bank over mobile data or Wi-Fi as soon as it is generated. While the customer transfers the details to their PC, the bank waits to receive the second copy via the EMV rails. Only once the bank has received the two matching one time card numbers via two independent channels does it release the funds to the merchant’s bank for the amount requested.
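The two-channel match described in the What is PyramID section and in this PC and mobile journey, as an added example that is not Facebanx’s or PyramID’s own code. It assumes a hypothetical issuer BIN of 400000 (the number keeps the issuer’s BIN because the card rails route on it), an assumed five-minute window between the app’s copy and the rails copy, and simple string return codes; the rails leg is modelled as a direct call to the issuer, leaving out the acquirer and scheme hops. Besides the happy path it exercises the failure modes the text implies: a replay of an already-used number, a well-formed number the app never announced, a stale number from an abandoned checkout, and a failed biometric login.

```python
# Added example (not Facebanx/PyramID code): issuing-bank side of the two-channel
# one-time card number (OTCN) match. ISSUER_BIN, TTL_SECONDS and the return codes
# are assumptions for illustration.
import secrets
import time

ISSUER_BIN = "400000"   # hypothetical issuer BIN; rails route on the BIN, so the OTCN keeps it
TTL_SECONDS = 300       # assumed window between the app copy and the rails copy


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a 15-digit payload, so the OTCN passes checkout and rail format checks."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting right of the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) == 16 and luhn_check_digit(number[:-1]) == number[-1]


def generate_otcn(bin_prefix: str = ISSUER_BIN) -> str:
    """Mint a 16-digit OTCN: issuer BIN + random digits + Luhn digit (done on the phone in PyramID)."""
    body = bin_prefix + "".join(str(secrets.randbelow(10)) for _ in range(15 - len(bin_prefix)))
    return body + luhn_check_digit(body)


class IssuerServer:
    """Stores OTCNs announced by the bank's app and matches them against the rails copy."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}   # otcn -> (customer_id, card_ref, issued_at)
        self._used = set()   # every OTCN ever authorised, so a replay is always declined
        self.approvals = []  # (otcn, card_ref, amount_cents, merchant_id)

    def register_from_app(self, otcn, customer_id, card_ref, *, biometric_ok, device_known):
        """Channel 1: the bank's own app, after biometric login and device recognition."""
        if not (biometric_ok and device_known):
            return "app_rejected"
        if not (luhn_valid(otcn) and otcn.startswith(ISSUER_BIN)):
            return "bad_format"
        if otcn in self._used or otcn in self._pending:
            return "duplicate"
        self._pending[otcn] = (customer_id, card_ref, self.clock())
        return "registered"

    def authorize_from_rails(self, otcn, amount_cents, merchant_id):
        """Channel 2: the merchant's copy, arriving via acquirer and EMV rails.
        Only the 16 digits are consulted; name, expiry date and CVV are ignored."""
        if otcn in self._used:
            return "declined_replay"
        record = self._pending.pop(otcn, None)   # one shot: success or failure, it is gone
        if record is None:
            return "declined_unknown"            # well-formed number the app never announced
        _customer, card_ref, issued_at = record
        if self.clock() - issued_at > TTL_SECONDS:
            return "declined_expired"
        self._used.add(otcn)
        self.approvals.append((otcn, card_ref, amount_cents, merchant_id))
        return "approved"


class FakeClock:
    def __init__(self):
        self.now = 1_500_000_000.0   # deterministic clock so the expiry path runs offline
    def __call__(self):
        return self.now


def run_demo():
    """Walk the PC-and-mobile journey plus the failure modes; returns a dict of outcomes."""
    clock = FakeClock()
    bank = IssuerServer(clock=clock)
    out = {}
    otcn = generate_otcn()                              # phone mints the number after biometric login
    out["app"] = bank.register_from_app(otcn, "cust-42", "card-ref-1", biometric_ok=True, device_known=True)
    clock.now += 20                                     # customer copies the digits into the checkout
    out["rails"] = bank.authorize_from_rails(otcn, 1999, "merchant-7")
    out["replay"] = bank.authorize_from_rails(otcn, 1999, "merchant-7")   # intercepted and reused
    out["unregistered"] = bank.authorize_from_rails(generate_otcn(), 500, "merchant-9")
    stale = generate_otcn()                             # registered, then checkout abandoned
    bank.register_from_app(stale, "cust-42", "card-ref-1", biometric_ok=True, device_known=True)
    clock.now += TTL_SECONDS + 1
    out["expired"] = bank.authorize_from_rails(stale, 500, "merchant-7")
    out["bad_biometric"] = bank.register_from_app(
        generate_otcn(), "cust-42", "card-ref-1", biometric_ok=False, device_known=True)
    return out


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:>14}: {outcome}")
```

The design choice worth noting is that the rails handler pops the pending entry before deciding the outcome: whether the authorisation succeeds, expires or is declined, the number can never be matched a second time, which is what makes an intercepted copy worthless. The approvals list stands in for the debit of the real card, which the merchant never sees.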

Mobile only

When checking out on a mobile device the customer must enter their card details into the merchant’s checkout page. To do so, they tap a link within the payment area of the checkout that opens their banking app. The customer enters their password or PIN and a biometric of their choice, then chooses which card to pay with, and the one time card number, CVV and expiry date are generated and auto-filled into the website’s checkout area. The customer is returned to the checkout page and clicks enter to make the purchase.

The bank receives the one time card number from its own mobile app and receives the same number from the merchant’s side via the EMV rails. The number is generated once, on the mobile device, and reaches the issuing bank by two routes: the mobile app, and the EMV rails from the merchant’s website or app.

POS and mobile for in store purchases

This is the same as the PC and mobile journey except that the customer pays by NFC at the merchant’s POS terminal. The customer opens their mobile app, chooses the card to pay from, and taps their mobile device on the POS terminal to pay.

Flow chart of payment process

  1. Customer chooses goods
  2. Customer presents goods to pay
  3. Customer chooses mobile wallet and opens the PayPal/bank app to select a card; the customer is asked to confirm their identity using face recognition. The customer’s device creates a one time card number.
    3a. Face recognition matched on the device, and/or
    3b. Face recognition matched at the issuing bank’s server
  4. Customer presents the mobile device to the in-store POS terminal using NFC. If online, the customer enters the one time card number details into the checkout area.
  5. Merchant terminal communicates with the merchant’s bank
  6. Merchant’s bank seeks authorisation from the issuing bank
  7. Issuing bank checks the customer’s face recognition and one time card number and compares them with the one time card number plus data received from the merchant. If they match then…
  8. Issuing bank authorises the transaction
  9. Merchant processes the payment