The ECSG point on Internet of Things (IoT) applied to card payments
Image credits : [macrovector]


The ECSG pays special attention to technologies that enable new business models for the deployment of card payments. Internet of Things (IoT) systems are basically networks whose terminal nodes are smart devices. These devices act as a source of data that are transmitted to a central system for further processing. IoT devices are deployed in a certain physical area, which is under the control of a central computing system.

IoT devices are designed to capture information from the physical environment where the device is located, and to process and transmit it to a remote platform. The nature of this information varies depending on its intended application. For instance, it can be biological data or data used in the fields of robotics or logistics. The IoT device may also enable remote access to the card account data needed to initiate a payment. In that case, the IoT device should feature security properties to preserve the integrity and confidentiality of these data, both at rest and in transit. That’s the reason why card technology is used to implement IoT devices.

Moreover, the behaviour of IoT devices is similar to the way cards and terminals interact. For instance, in the well-known smart fridge example, an IoT device has been designed to check for the absence of some food items and generate a purchasing order. In a similar way, a Contactless Terminal detects the presence of a card to initiate a payment transaction. Once the transaction is concluded, and in the absence of another card, the terminal remains in a static state until a new card is detected.

IoT technology paves the way to a much more interconnected world, considering the impressive progress in terms of the volume of processed data that the new generation of Mobile Networks, such as 5G, supports. The flow of data generated by IoT devices can be analysed in real-time through powerful algorithms in central mainstreams. These computing systems may be boosted by Artificial Intelligence software, “educating” the whole IoT system to improve its performance.

Card payment systems are also composed of terminals capturing card data and communicating with central servers for a decision. Those servers also execute complex algorithms, especially for fraud detection purposes. Yet IoT systems were not primarily intended to support payments, and security and data protection were not integrated in the design of most IoT systems. In addition, card payment systems are highly standardised to ensure the interoperability of cards, terminals and processing components.

By contrast, depending on their application, IoT systems show a broad diversity of components and technical configurations. IoT systems are at the beginning of their operational life and proprietary solutions inevitably prevail. Therefore, when connecting IoT devices to card payment systems, it is fundamental that the core features of the card payment system, interoperability and security, are preserved.

This was the starting point for the ECSG investigation of card payments initiated directly or indirectly by IoT devices. ECSG experts identified and discussed a series of IoT use cases as well as the functional requirements for their implementation. A preliminary high-level technical architecture supporting these use cases was agreed. However, in the real world, the multiplicity of IoT solutions being rolled out does not allow the ECSG experts to integrate this technology in the SEPA Cards Standardisation Volume yet.

Another critical aspect that the ECSG needs to evaluate is the impact of the upcoming Cybersecurity European Regulations on IoT systems. Because of their distributed nature and the multiplicity of devices, IoT systems are considered cyber-vulnerable. Specific certifications may have to be mandated, and the ECSG first needs to understand their overlap with the existing certification process that the industry uses for the components of card payment systems.

In the meantime, several ECSG members are testing IoT solutions for different use cases in the card payments domain. It is still too early to draw conclusions on the most appropriate technical architectures and therefore on which key functionalities the ECSG could standardise. Yet the ECSG keeps monitoring the best IoT market developments. We expect the ECSG Volume v11 to include requirements for IoT card payment transactions.

Ghlas Ferguson

Global Lead Product Manager, Payment Services at BP and Ethics and Compliance Lead

2 years

I will follow this with interest
