RE: Thanks to all and next steps

Agreed – ISO20022 is a standard with which I have a great deal of experience in product and implementations – it is not reasonable to obsess with this for retail payments. The executive order is fundamentally ridiculous based on the fact that ISO 20022 is not inherently more or less secure than 8583 or others! It is the scheme and security around 20022 messages that provides the security. Frankly, this is another example of government attempting to “solve” a problem using the wrong tools with the implication of force which will not solve the problem and only prolong any needed adjustments. This order will be old by the time the ink dries. Completely agree with Adrian – ISO20022 in our case is little more than a larger message standard since it lacks the business objects we need for retail payments and – hence – why the EU isn’t even using it in retail.


+1 – let’s end this ISO20022 discussion and just make reference to standardized message formats required of schemes. Otherwise, we’ll be locked in and changing this constantly and rapidly and attempting to force a model that will create hundreds of exceptions/variants by merchants, processors, banks, and others.


-- 
Oracle (http://www.oracle.com/)
David Jackson | Senior Director Financial Services
Mobile: +1.614.560.1237 | VOIP: +1.614.465.6654
Oracle Industry Solutions Group
New York City | Columbus 



From: Adrian Hope-Bailie [mailto:adrian@hopebailie.com] 
Sent: Friday, June 26, 2015 9:50 AM
To: Erik Anderson
Cc: Web Payments IG
Subject: Re: Thanks to all and next steps


Personally I am weary of this obsession with ISO20022. In practice this standard is predominantly used in interbank and corporate treasury payments. The use cases and pain points we are attempting to address are predominantly in the retail payments space (at least for v1) and yet I see nobody clamoring to have ISO8583 considered despite this being the underpinning of almost all retail payment networks today.

The use of a messaging standard is a scheme and jurisdictional preference. I believe that we are in consensus that for v1 of the work we are doing we are not attempting to find ways to bridge schemes, simply ways to find a common scheme between payer and payee and an architecture that will promote competition between schemes and wallets.

Erik is absolutely right that there is a world of regulatory pressure coming down on the system but my personal view is that this will pressure the schemes themselves to define better ways to deal with security, identity, credentials etc.

To illustrate, VISA may decide tomorrow that they want participants in their network and scheme to communicate using ISO20022 messages and also define mechanisms to secure and sign those communications. If there exists a standard way for payments to be initiated, instruments negotiated and payments data exchanged (as defined by us at the W3C) on the Web then it would follow that they will design their scheme to fit into the standard flow that all schemes use for payments on the Web, will define mechanisms for their payment instruments to be included in wallets that follow the W3C standard and further will design mechanisms for their acquiring institutions to integrate into this architecture.

There will be value in the schemes standardising on how these other things are done (auth, security etc) and there is some value in the W3C defining some of these standards (such as credentials) as it allows more of the payment flow to happen within the Web context, but I personally see it as essential that we define an open standard into which payment schemes can fit themselves with minimal changes but that is open to new and exciting schemes that can leverage the greater competition to get some market share.


On 26 June 2015 at 15:28, Erik Anderson <eanders@pobox.com> wrote:

From my brief exchange with some in the F2F, I interpreted the "reservation" or skepticism as being more along the lines of ISO Standards being made mandatory.


The US hasn't taken a mandatory approach yet. Other countries have, but not the US.

This is true in the financial services world but for security, not for something like ISO 20022 or ISO 12812.

The Obama executive order on cybersecurity issued a recommendation for a "Security Framework" that would be a NIST + ISO standard.

Short term incentive was
1) Firms who implement the Framework, in good faith, will not be punished for weaknesses identified during vulnerability assessments in their programs
2) A shift in liability if fraud/data breaches/personal information was stolen and the Framework was not followed.

The long term was to turn the Framework into a mandatory compliance mechanism that included end-to-end data security, enhanced key management mechanisms, and constant risk assessment of security/vulnerability/penetration scanning.

This will affect the W3C Web Payments. I will be pushing that the Web Payments standards go through this Government/NIST risk assessment, both at the W3C level and IETF level. This is happening and will be the hot topic within the Federal Reserve Security Taskforce.

I covered this on my presentation.

W3C Web Payment standard mandatory? ISO? X9? Not likely. Identity/Credentials = maybe. End-to-end security = absolutely.

Erik Anderson
Bloomberg R&D




Received on Friday, 26 June 2015 14:00:14 UTC