iWave and the Payment System
ELECTRONIC PAYMENT SYSTEMS have been around for decades since the time computers and electronic communications are made available to financial institutions. Traditional monetary instruments such as cash, checks, and letters of credit have been replaced by credit cards and debit cards in modern payment systems.
This white paper tackles iWave’s role in the implementation of electronic payment systems in the Philippines. How did iWave start with this type of system? What are the significant payment system implementations of iWave? Where will iWave go after more than twenty years of implementing payment systems? These are the questions that this white paper would answer.
PHONE BANKING: THE VERY FIRST TASTE
iWave has been fortunate to have had association with Equitable Banking Corporation (EBC), and Equitable Card Network (ECN) in its early years. In supplying these companies with software applications, iWave was inducted in the world of Payment Systems.
EBC was a major bank in the MegaLink switch consortium. Together with the other founding members, the bank pioneered implementations in the realm of Payment Systems. There was the Phone Banking System initiative, where usual transactions done in the Automated Teller Machine (ATM) can be performed over the telephone. This offered convenience to cardholders especially in making funds transfer and (later on) utility payments. iWave at that time was maintaining the MegaLink switch system. The interface to the Integrated Voice Response System (IVRS) and the modifications in the member bank interface in MegaLink, as well as the modifications in the ATM front-end system of EBC acting as the authorization processor of the bank for Phone Banking transactions, were all provided by iWave.
This can be considered as the earliest exposure of iWave in the field of Payment Systems. In this implementation, in a way, iWave has touched several facets of the Payment System – from the delivery channel interface, to the gateway, down to the authorization processor.
PAYLINK: THE MAJOR LEAP
Over the years, the ties with EBC, MegaLink, and ECN proved rewarding. ECN in the early 90’s had the largest network of Point-Of-Sale (POS) terminals. ECN provided merchants with Electronic Funds Transfer (EFT) terminals for credit card payments. With ECN’s vast POS network and MegaLink’s growing number of member banks, the two institutions forged an alliance that gave birth to PayLink – the very first debit card payment system in the country. PayLink enables cardholders of MegaLink member banks to pay for goods and/or services using their ATM cards. For the first time, the use of ATM cards has been extended beyond the ATM itself.
iWave once again has been in the forefront of this implementation. iWave provided the interface between MegaLink’s switch system and ECN’s POS network gateway. Modifications in MegaLink’s switch system of course, has been put into place to route these POS transactions to member banks for authorization. iWave also provided the modifications in EBC’s ATM front-end system that recognized these POS transactions coming from MegaLink, and consequently processed them.
VIRTUAL BANKING: A PEEP INTO THE FUTURE
MegaLink has pioneered several more worthwhile initiatives such as debit bills payment over the ATM and the Phone Banking System. It also expanded its network by joining forces with the other switch consortium, BancNet. In both initiatives, iWave played a major role being the systems provider of MegaLink (and quite a number of MegaLink member banks). It is however, the collaboration of iWave with Urban Bank that paved the way for iWave’s implementation of Internet-based payment systems.
Prior to the establishment of the Virtual Banking Development Laboratory (VBDL), a joint venture between iWave and Urban Bank, most payment system implementations of iWave are Electronic Data Interchange (EDI)-based. EDI systems are more business to business, and peer to peer, requiring bilateral agreements on communication protocol and messaging standards. Although, the Virtual Banking System that iWave developed for VBDL can still be considered as EDI-based, it nonetheless implemented cutting-edge technology at that time – components of Internet-based systems such as the use of Microsoft’s Internet Information Services (IIS), and custom browsers for its user interface.
iWave developed the Corporate Virtual Banking System where corporate account holders of Urban Bank were given PC terminals preloaded with the application that enables the corporation to perform just about all teller transactions including stocks and foreign currency management in the convenience of their offices. With dedicated communication lines running from the corporate client to the bank, transactions were fast, secured, and reliable.
Virtual Banking extended to Urban Bank’s individual account holders. Qualifying account holders were given PC terminals preloaded with the Home Banking System, packaged with communications peripherals (such as dial-up modems). With the system, account holders can perform virtually all teller transactions (except of course for withdrawal).
Because Urban Bank did not use passbooks (i.e., account holders were issued with ATM cards only; they can use the ATM card to transact over the teller as well), the clients (corporations and individuals alike) with the PC terminals, have virtual banks in their premises. The Virtual Banking System can definitely be considered as a predecessor of the currently available banking and payment systems over the Internet.
PAYMENT GATEWAY: DELVE INTO THE WEB
iWave’s relationship with ECN continued to flourish in the late 90’s. By this time, a lot of merchants worldwide has been actively moving their services and more importantly their payment channels in the World Wide Web. ECN’s merchants were no exception. They were hopping onto the bandwagon. One particular ECN merchant was San Miguel, Inc. The beer company erected a web portal for their distributors where they can take orders. They partnered with ECN so that credit card payment can be performed by the distributors through the web portal. Naturally, ECN sought for iWave’s expertise in bridging the web portal and ECN’s payment processor. This produced iWave’s Payment Gateway.
A set of program codes were given to the beer company. These codes are to be placed in the payment page of the merchant’s web portal. What the codes do is reroute the payment page of the merchant web portal to ECN’s secure payment page. Data keyed-in by the distributor in ECN’s secure payment page are then sent to the Payment Gateway where they are built into an ISO8583 (i.e., financial messaging protocol) request message sent to ECN’s EFT Master (payment processor) for authorization.
Naturally, this first implementation was successful. iWave has successfully stepped into the Internet domain of payment systems. A new and exciting delivery channel, the Internet, has proven to be a massive source of payment transactions. Needless to say, the ECN merchants connected to the Payment Gateway grew to a staggering number.
AEON-SPOT: SPOTLIGHT IN THE NEW MILLENIUM
With the integration of the Internet as a delivery channel for payment transactions to the mission critical applications of financial institutions, we saw a morphing of services. Financial products were rebranded, and new (or morphed) services were introduced.
Aeon Credit Services, Inc. in Hong Kong for instance, one of iWave’s biggest clients introduced Aeon-SPOT. This is a watered-down, more cautious approach in using the Internet in payment systems. The reason for the cautious approach is mostly due to the security issues in the Internet. It’s funny actually because the Philippines has been more bold in exploiting the Internet for payment systems compared to its more financially stable neighboring countries.
Aeon-SPOT works this way. A cardholder can visit a merchant’s website and “order” goods. These orders are logged onto an order server. The cardholder now goes to the nearest ATM. New transactions can be performed in the ATM. The cardholder retrieves his or her orders (the ones made in the merchant’s website earlier). iWave’s ATM front-end system retrieves the orders from the order server and displays them on the ATM screen. The cardholder can opt to cancel or pay for the ordered goods. If payment is chosen, the ATM front-end system requests for authorization from the back-end processor. Once approval is gotten, the order server is notified so that the order is tagged as paid. The cardholder is then prompted to select whether the paid goods are to be picked-up or delivered. Corresponding fees and notifications are then communicated to the order server.
Whether this implementation has been successful or not in the Hong Kong market, iWave was introduced to more approaches (no matter how crude or complicated) in handling payment transactions.
RPS: A DIAMOND IN THE ROUGH
Even though ECN has fully embraced the use of the Internet in their payment systems, it has never set aside the EFT terminals. The growth in the number of merchants came with a growth in the number of recurring payment transactions. This posed a unique problem in ECN. Merchants have to charge a batch of cardholders on a monthly basis, for instance. Let us say the merchant is a fitness gym, and its members are charged monthly for their membership subscription. What ECN did is manually post the transactions from cardholder data sent over by the merchants. To ease and automate the operations, ECN thought of building a system that would accept merchant billing files and automatically post them to their backend processor. ECN sought for iWave’s assistance in building the system.
iWave designed and built the Recurring Payment System (RPS). The system actually emulates an EFT terminal. The system just like an EFT terminal sends POS transactions including reconciliation (i.e., settlement and batch upload) to ECN’s backend processor. It’s more advanced than an EFT terminal in the sense that it processes billing files containing thousands of payment transactions.
Finally, at this juncture iWave has touched the end-point of the delivery channel. iWave for the longest time has been involved with authorization processors, gateways, switches, and interface/drivers to delivery channels. With RPS, iWave has touched all the facets of a payment system.
RPS is a source of pride and inspiration because it was implemented in the year 2000. After 14 years, it is still being used (now) by Banco de Oro (BDO) on a daily basis. BDO acquired ECN together with Euitable-PCI. As such, ECN systems such as the RPS are being utilized by BDO. The simple but effective design of the RPS is the reason why it is still being used.
RPS: KEEPING UP WITH THE TIMES
BDO decided to upgrade their RPS. In 2014, iWave will be upgrading the RPS. In keeping up with the times, iWave drew a new design for RPS. The objectives of the upgrade are to render convenience to the merchants, remove limitations in processing that are existing in the stand-alone system, and incorporate web technology. Of course, the payment system functionality will not be changed.
SECURITY: THE CURRENT SCENARIO
We have not seen any major alteration, or introduction of new schemes in the payment systems after the Internet was integrated in the delivery channels. Enhancements in payment systems are more focused on securing the transactions.
Security standards are created and developed by large card companies such as the EMV (Europay, MasterCard, Visa) – a worldwide standard for the inter-operation of integrated circuit cards (i.e., IC cards, chip cards, or smart cards). Even though the standard was developed by the three credit card companies, other credit card companies have implemented the EMV chip card standards. This included JCB, American Express, and Diners Club International.
The traditional magnetic stripe cards are either replaced or coupled with chip cards. This is to preclude the vulnerabilities of the traditional setup in PIN (Personal Identification Number) entry and processing. In a significant way, the implementation of smart cards with their corresponding EMV-compliant delivery channels reduces card fraud.
We also see the implementation of 3-D Secure. 3-D Secure is an XML-based protocol designed to add a layer of security for credit and debit card payments made over the Internet. Although the protocol was developed by VISA, other credit card companies have adopted the standard. MasterCard, JCB, and American Express followed suit.
There is also the 2-Factor Authentication. Passwords are no longer enough to secure user log-ins to web portals. Some payment systems implemented over the web use One-Time Password (OTP) to authenticate users. This obviously adds another layer of security for payment systems (although not exclusively used by payment systems).
iWave implemented EMV-compliance in the ATM front-end system installed in Aeon Hong Kong and Aeon Bangkok. iWave implemented 2-Factor Authentication in Bank of Commerce’s Internet Banking System through the PortWise Soft Token.
iWave’s Research and Development is currently developing a mobile token-less OTP management system, dubbed as the OTP Master.
WHERE DO WE GO FROM HERE
The chip cards did not fly as expected in the Philippine banking industry simply because of the high cost of the chip cards and hefty investment in the upgrade of the infrastructure as delivery channels (i.e., ATM, EFT terminals) have to accept chip cards. Nonetheless, these financial institutions have no choice but to comply with the Bangko Sentral ng Pilipinas (BSP) circular that orders banks to implement EMV not later than July of 2015.
We have seen recent alteration in the implementation of cards. Both magnetic stripe card and chip cards are inserted into terminals. There has to be physical contact between the card and the device in order to read information from the magnetic strip or IC chip. Becoming more and more prevalent now are the use of contactless cards. These cards use Near Field Communications (NFC) or Radio Frequency ID (RFID) technology. Such alteration in the implementation of card renders convenience for cardholders. There is no possibility for the card to be left or in the case of the ATM, eaten by the device. These RFID cards are also cheaper than chip cards and will last longer than the magnetic stripe cards.
The Octopus Card of Hong Kong is a good implementation example of these contacless cards. The card is mainly used to pay for fares for all modes of land and water transportation in Hong Kong (e.g., MTR, tram, bus, and ferry). The Octopus Card however, can also be used to pay for purchases in selected establishments such as McDonald’s and 7-11. Topping-up of the Octopus Cards aside from the vending machines can also be performed in the POS terminals of those establishments.
In the Philippines, we have been using contactless cards in our MRT. Recently, a unified ticketing system has been approved by the government which when implemented, enables cardholders to use the contactless card not only for payment of fares on public transport but also for the purchase of goods and/or services (in selected establishments) just like the Octopus Card of Hong Kong.
iWave has recognized this development in payment systems. As such, in its designs and proposals whenever applicable, the use of contactless cards are incorporated.
This is not the only aspect in the payment systems that merited iWave’s attention. Data gathering and mining, as well as statistical, and behavioral analysis can very well be married into payment systems.
Nowadays in order to advance the business, companies create strategic promotions to entice new customers and to make sure that current customers would stay. Hence, we see loyalty programs offering premium items for long-time customers, and sign-up gifts for those new customers. These programs can only be effective if built on empirical verifiable data. These data, wealth of knowledge so to speak, can be gathered from business transactions made through payment systems. This follows the concept of KYC – Know Your Customer. By exploring and analyzing detailed business transactions, literally digging through tons of data, viable patterns are unearthed which leads among others a match of demographics and merchandise. Effective promotions and marketing campaigns are based on these data mining schemes that eventually translate to more payment transactions.
Statistical and behavioral analysis not only helps institutions engaged in payment systems identify and consequently curb fraud, but also allows these institutions to streamline their operations. If a cardholder frequents a specific terminal of a particular merchant, the behavior can equate to a probable card fraud, but it can also mean that a certain cardholder of a certain age and sex likes to buy a certain merchandise on a certain frequency. The latter behavioral analysis may lead for instance to establishing a program that can make that certain merchandise a prize if the purchases of related items has reached a predetermined amount, and of course if credit cards are used as payment.
iWave can move into this direction complementing its competency in payment systems.