Glossary

Blockchain forks: as explained by Leonhard Weese, Bitcoin Assoc. of H.K.

Who can change the rules of a distributed ledger, and what happens when they try.

When developers attempt to change the rules of a blockchain – such as the value of a new block of mined crypto-currency, or who is allowed to access data, or how a smart contract operates – the fallout can be unpredictable. Extreme cases can, and have, led to ‘forks’, and the act of splitting a blockchain in two can be disruptive.

As more financial institutions explore moving operations, recordkeeping and even trading to blockchains, forks are likely to become events to avoid. Although forks should have minimal to zero impact on a well-governed blockchain, it’s helpful to understand why they occur.

Above all, you want to be sure such events don’t touch the operations and integrity of your business.

Blockchain and other types of distributed-ledger technology (DLT) are decentralized and therefore hard to change. Bugs need fixing, systems need upgrading, conditions need amending. All require consensus: validation by a majority of ‘nodes’ (the computers of block miners, app developers and end users) on the network.

This means that even if a bank develops its own blockchain, the nature of DLT means it gives away control. The network’s consensus mechanism is in charge, and anyone can (and probably will!) propose a change.

The difficulty of consensus
This sort of thing happens all the time, and most changes are designed to avoid disruption, assuming there exists reasonable governance regarding the consensus rules (the voting process, the terms under a private blockchain’s articles of association). Nonetheless, blockchains that exist for enterprises, as opposed to those which simply mint and trade Bitcoin and other crypto-currencies, are subject to the same processes of change.

Under Bitcoin’s consensus system, a block – a history of transactions – is added to the chain every ten minutes, each one referencing the block that immediately preceded it.

New blocks must be validated by the majority of nodes on the network; if the data is confirmed, the block gets added to everyone’s database. Upgrading a network – if, for example, a miner wants the next block to be worth BTC50 instead of the current BTC12.5 – would require changing the rules so that new blocks, operating under new parameters, are accepted.

Therefore adding new players to the blockchain can change the economics, says Leonhard Weese, president of the Bitcoin Association of Hong Kong, from a talk he gave to members. “Whoever gives permission has control over the network and could force new rules.”

Software forks
This is where forks come into play. A software upgrade released by anyone involved in a blockchain – a miner, an app developer, even a user – creates a ‘software fork’. These things happen all the time and most are routine and harmless. Many are compatible and “boring”, says Weese, because it is usually in everyone’s interest to have the same apps running on their system. Ideas that are popular will get adopted; unpopular ones wither, and life goes on.

But sometimes a schism arises because the miners, developers and users of a blockchain fundamentally disagree on a proposed change. In the worst case, the system forks and two new ecosystems emerge.

“In a split, you get two competing blocks both referencing the same preceding block,” Weese said. “You get two chains running in parallel. Every bitcoin in the original chain is now spendable in both new chains. So it means that people can spend their old bitcoins twice.”

Civil war!
This is obviously a problem for the integrity of the system, and a fork therefore sets off civil wars among the community, as players attempt to game the system in their favor. There is no regulator to prevent front-running, spoofing and all other manner of market manipulation.

Changes that reject old formats effectively turn their back on original blocks, and demand the network shift to the new rules or risk a hard fork, in which competing and mutually exclusive chains exist.

This creates problems. Imagine a hot wallet that is holding investors’ tokens. A hard fork ensues, and those existing tokens suddenly can be spent in their original form – as well as in the new form.

This actually happened in 2016 with Ethereum, in which a dispute saw the community split between regular ether and the new Ether Classic.

Weese said: “This was the first time the question arose about custody of Ether…as a custodian, was I obligated to give [investors] back your Ether, or both your Ether and your Classic?”

Hard fork, soft fork
Forks and the turmoil they can unleash are one reason why the value of Bitcoin and other alternative currencies has been so volatile – which is a hindrance to its broader acceptance, and a brake on liquidity.

Not all forks are the same. The Ethereum split was a ‘hard’ fork, meaning the proposed change meant current nodes would no longer recognize the old blocks. This is an example of a change that rejects old formats.

Another way to put it: a hard fork broadens the rules, with proposals that let you do new things – such as increase the value of newly minted blocks, or change permissions, or redefine smart contracts. To enable the new rules means turning your back on how things were done previously.

The alternative is a soft fork, which has a softer ring to it. But soft forks are troublesome too.

Soft forks tighten or restrict the existing rules. Current nodes will accept new blocks, and new nodes (new network players) may recognize both old and new blocks (depending on how the rule change is framed).

This sounds very amicable. But, Weese says, it’s actually “coercive”. Once a change wins consensus under such changes, the minority has no leverage to oppose it. Under a hard fork, the minority can carry on the old rules by sacrificing membership in the broader network.

Under a soft fork, Weese says, the consensus becomes a tyranny, and new blocks created under the old rules are likely to lose some or all of their market value, because no one will validate them: exchanges won’t trade them and investors won’t buy them. Yet the miners are expending a lot in electricity costs to mine new blocks, so real money is at stake.
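The difference between tightening and broadening the rules can be shown with a toy model. This is an added example, not code from the article or from any blockchain project: the block-size limit, the block ids and the coin id are constructed, and the model leaves out mining and chain reorganisation. It also shows the split Weese describes, where two competing blocks reference the same predecessor and the same pre-fork coin ends up spent on both chains.

```python
"""Toy model of a rule change on a chain. All limits and ids are constructed."""
from dataclasses import dataclass, field

OLD_LIMIT = 1000  # constructed block-size limit under the old rules


@dataclass(frozen=True)
class Block:
    block_id: str
    prev_id: str          # the preceding block this one references
    size: int
    spends: tuple = ()    # ids of pre-fork coins spent in this block


GENESIS = Block("genesis", "", 0)


@dataclass
class Node:
    """Each node validates blocks against its own rules and keeps its own chain."""
    name: str
    size_limit: int
    chain: list = field(default_factory=lambda: [GENESIS])
    spent: set = field(default_factory=set)

    def accept(self, block):
        extends_tip = block.prev_id == self.chain[-1].block_id
        within_rules = block.size <= self.size_limit
        double_spend = bool(set(block.spends) & self.spent)
        if extends_tip and within_rules and not double_spend:
            self.chain.append(block)
            self.spent.update(block.spends)
            return True
        return False

    @property
    def tip(self):
        return self.chain[-1].block_id


def classify(old_limit, new_limit):
    """Tightened rules stay valid for old nodes; broadened rules do not."""
    if new_limit == old_limit:
        return "no change"
    return "soft fork" if new_limit < old_limit else "hard fork"


def broadcast(nodes, block):
    return {node.name: node.accept(block) for node in nodes}


def soft_fork_demo():
    old, new = Node("old", OLD_LIMIT), Node("new", OLD_LIMIT // 2)
    # A block built to the tighter limit is valid for everyone.
    upgraded = broadcast([old, new], Block("a1", "genesis", 400))
    # A holdout miner still builds to the old, looser limit: upgraded nodes refuse it.
    holdout = broadcast([old, new], Block("b2", "a1", 900))
    return upgraded, holdout, old.tip, new.tip


def hard_fork_demo():
    old, new = Node("old", OLD_LIMIT), Node("new", 2 * OLD_LIMIT)
    # Two competing blocks reference the same predecessor and spend the same coin.
    big = broadcast([old, new], Block("n1", "genesis", 1500, ("coin-7",)))
    small = broadcast([old, new], Block("o1", "genesis", 800, ("coin-7",)))
    spent_on_both = "coin-7" in old.spent and "coin-7" in new.spent
    return big, small, old.tip, new.tip, spent_on_both


if __name__ == "__main__":
    print(classify(OLD_LIMIT, OLD_LIMIT // 2), soft_fork_demo())
    print(classify(OLD_LIMIT, 2 * OLD_LIMIT), hard_fork_demo())
```

In the soft-fork run only the holdout's block is refused, and only by upgraded nodes; in the hard-fork run each side refuses the other's block and the two chains never rejoin.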

Good citizens vs. malign meddlers
Proposals that lead to forks are often benign, intended by a developer to improve the system, or by a miner to increase the value of what they produce. In theory, users (exchanges, investors, enterprises and anyone with a node) can also propose changes. Thousands of such changes have been made without controversy.

But sometimes a proposal hits a nerve, threatens someone’s economic interest, or challenges political goals. And then the fights, though geeky, get nasty. And then the risk of a fork arises, with civil wars breaking out based on raw financial incentives versus the damage from a split.

The community is learning how to avoid the messiest or least responsible ways to initiate changes to Bitcoin or other alt-currencies. A little bit of care can ensure changes don’t lead to confusion that can cause tokens to disappear from people’s accounts – which has happened in the past, but at a time when the community was small and a bitcoin wasn’t worth a dollar. Today, however, alt-coins’ market cap is $50 billion, with bitcoins trading at over $1,900.

Changes can also be proposed with high thresholds of consensus and conditional new rules, so that soft forks are rendered harmless.

Some people in the community also would prefer new rule changes not only require new blocks be invalid for old nodes (i.e., for holdouts to the change), but also insist that new nodes cannot recognize old blocks. This ensures a safe hard fork: you’re either with the old currency, or you’re with the new one, and your coins cannot be spent twice.

It also protects against the ambiguity of two rival systems that can be accepted by both old and new nodes – in which case, inexorably, the blocks with the longer string of code continue to attract patronage and those blocks with the shorter string of code die off and the coins lose all value.

Does a Bitcoin fork matter?
These esoteric rules in the computer-science world could have real-world spillover: there is a proposed rule change to Bitcoin doing the rounds that would double the size of newly minted blocks. This is meant to increase supply, to accommodate the expanding community of users, and therefore increase liquidity and improve stability. But some developers hate the idea, and a hard fork in Bitcoin looms.

What does that mean for investors – and for blockchain itself?

Forks disrupt blockchain’s decentralized consensus. They create speculative events, which means there are winners and losers – and the result can mean tokens that lose some or all of their value, or which are paralyzed because of double-spending issues that can take time to resolve.

For investors, Weese advises against keeping coins on an exchange. They surrender the ability to deploy their coins during these bouts of turbulence. “A fork can happen any time, and I predict they will happen more,” he said, because a lot of people try to generate crises to game the market. The best defense is to run your own node, so at least you can control your buy and sell decisions, as well as have a say in the consensus process.

Don’t panic, either. Weese said, “It’s easy to design wallet software or nodes that can ignore these events…most of the drama is for the people who like to speculate.” But he does predict more volatility for alternative coins, as some crash and others become established tools.

As for enterprises using blockchain for their own purposes, forks are either a threat or a non-event depending on their proof of work and the algorithms they deploy for consensus, Weese says. For example, what permission rules exist in a financial institution’s blockchain? Who holds the power to propose new rules? What happens to old transactions? What’s the voting process with regards to a blockchain’s articles of incorporation?

“The idea of a Bitcoin fork is scary,” Weese said, “but forks happen, and they are becoming easier to mitigate.”

Federated AI, as explained by WeBank’s Yang Qiang

New ways for financial institutions to analyze big-data sets without breaching privacy and security laws.

You are a bank or an insurer. You need to pool data to, say, build a credit model or develop speech-recognition software. Or maybe you need to update your customer app by pulling everyone’s personal data from their smartphone to the cloud.

If you’re a very large bank or insurer, you have sufficient access to enough data to do all this by yourself (maybe). But mid-sized players don’t. And even the largest firms are finding it harder to access data that is meant to be private, secure, and maybe subject to data-localization laws.

And even if you can harness all of that data, you may lack the sheer bandwidth to move it from one server or device to another and back again.

Google faced this issue with updating app software on all the Android phones out there. Two years ago, its engineers came up with an idea: instead of trying to get their hands on everyone’s data, why not leave the data in place?

Instead, they built a model to measure how the data would respond to a Google algorithm (in this case, an app update). Data points would be analyzed for how they respond to the algo’s parameters, but the data itself would remain private and untouched. To further protect the privacy of the underlying data, encryption was added to the transmission of the parameters back to Google.

Federated learning

Put these together, and you have federated artificial intelligence: insights into data based on federating disparate, protected data points, without disrupting privacy, security, or where the data is held.

Yang Qiang, head of the A.I. team at WeBank in Shenzhen, in an interview with DigFin, says the trick to analyzing data you can’t touch involves two mathematical functions.

The first is the loss function. This is basically measuring errors, or the “cost” associated with a mathematical event. It’s a longstanding statistical tool used by insurers to model benefits versus premiums, or by banks to estimate risks of losing money on a transaction.

Loss functions can be powerful when applied to real-world situations (that is, empirical, measurable experience), but are too often based on academic hunches (as too many banks and investors did in the run-up to 2008).

The second tool is what computer scientists call gradient functions. Gradients are derivatives, measuring the rate of change of a function, in this case, the direction of a movement.

So to put this together in banker-speak: the math geniuses can test far-flung data in a Monte Carlo sequence to figure out which ones have the greatest tracking error against which scenario.
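The two tools described above, a loss function and its gradient, are enough to sketch a federated training round. This is an added example, not Google's or WeBank's code: the three participants and their data are constructed, and pairwise masks that cancel in the sum stand in for the encryption the article mentions, so the server learns the average gradient without seeing any single participant's update. The deterministic "shared secrets" are an assumption for the demo; a deployment would derive them from a key agreement.

```python
"""Federated gradient descent with masked updates (constructed data, toy protocol)."""
import hashlib
import hmac

SCALE = 10**6   # fixed-point scale applied to gradients before masking
MOD = 2**61     # masked values and sums are integers modulo MOD

# Constructed private data sets: each follows y = 2x + 1 and never leaves its owner.
CLIENTS = {
    "bank_a": [(0.0, 1.0), (1.0, 3.0)],
    "bank_b": [(1.0, 3.0), (2.0, 5.0)],
    "insurer_c": [(2.0, 5.0), (3.0, 7.0)],
}


def loss(weights, data):
    """Mean squared error of the model y = w*x + b on one data set."""
    w, b = weights
    return sum((w * x + b - y) ** 2 for x, y in data) / len(data)


def local_gradient(weights, data):
    """Gradient of loss() with respect to (w, b), computed where the data lives."""
    w, b = weights
    n = len(data)
    return [sum(2 * (w * x + b - y) * x for x, y in data) / n,
            sum(2 * (w * x + b - y) for x, y in data) / n]


def encode(value):
    return round(value * SCALE) % MOD


def decode(value):
    value %= MOD
    return (value - MOD if value > MOD // 2 else value) / SCALE


def pairwise_secrets(ids):
    """Stand-in for a key agreement between every pair of clients (demo values)."""
    table = {i: {} for i in ids}
    for a in ids:
        for b in ids:
            if a < b:
                shared = hashlib.sha256(f"demo:{a}:{b}".encode()).digest()
                table[a][b] = table[b][a] = shared
    return table


def pair_mask(secret, round_no, dim):
    """Fresh per-round mask derived from a pair's shared secret with HMAC-SHA256."""
    return [int.from_bytes(hmac.new(secret, f"{round_no}:{k}".encode(),
                                    hashlib.sha256).digest(), "big") % MOD
            for k in range(dim)]


def masked_update(client_id, grad, secrets_for_client, round_no):
    """The only thing a client sends: its gradient plus masks that cancel in the sum."""
    out = [encode(g) for g in grad]
    for other, secret in secrets_for_client.items():
        sign = 1 if client_id < other else -1   # one side adds, the other subtracts
        for k, mask in enumerate(pair_mask(secret, round_no, len(grad))):
            out[k] = (out[k] + sign * mask) % MOD
    return out


def aggregate(updates):
    """Server side: masks cancel, leaving only the mean gradient over all clients."""
    return [decode(sum(col)) / len(updates) for col in zip(*updates)]


def train(clients, secrets, rounds=300, lr=0.1):
    weights = [0.0, 0.0]
    for round_no in range(rounds):
        updates = [masked_update(cid, local_gradient(weights, data),
                                 secrets[cid], round_no)
                   for cid, data in clients.items()]
        weights = [w - lr * g for w, g in zip(weights, aggregate(updates))]
    return weights


SECRETS = pairwise_secrets(list(CLIENTS))

if __name__ == "__main__":
    final = train(CLIENTS, SECRETS)
    print(final, loss(final, CLIENTS["bank_a"]))
```

The masks only hide individual updates while every participant reports in each round; handling a participant that drops out mid-round is outside this sketch.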

What it does

That way they can test an algorithm, like “will this program update everybody’s software”, or “will this program tell me whether this loan product is priced to make the bank money”.

What federated A.I. can’t tell you is anything about the data itself or the people or companies it involves. It can’t tell you that Lucy is a good bet for your new life insurance policy, or that Widgets’R’Us should be declined a loan.

Rather it allows companies to run big-data analytics on data sets that are otherwise out of reach. All data comes with bias. Every institution has some kind of distortions or imbalances in their data sets. Federated A.I. broadens the data pool, which smoothes out a lot of these biases and gives users a more accurate view of “the world”. That helps developers make algorithms – for trades, loans, premiums – that are more accurate than they could make if they just relied on in-house data.

“In the digital economy, data is like money,” Yang said. “When you share data, it’s like a joint investment. Machine learning and data mining let you extract knowledge from the data. Raw data is not useful, but if you have enough of it, you can still extract knowledge.”

Data sets and standards

Google has been testing federated A.I. for the B2C world of phone apps. This year, WeBank, the digital bank under Tencent, has begun backing federated A.I. for the B2B world. Both of these initiatives are open-sourced (WeBank’s uses Linux). Anyone can see the code and contribute to it.

For smaller institutions, federating A.I. makes possible access to data to test algos that would otherwise be only available to the biggest corporations. It also allows them to tap “long-tail” data, from individuals or small businesses that would not be viewed as useful to banks serving a smaller number of large clients.

Because the concept is new, however, it has a long way to go.

The first challenge is how to set standards for exchanging data without breaching privacy and security. Google has designed one model, WeBank has another, but there’s no definition yet for how to measure and exchange data.

Again in banker-speak: the world needs a SWIFT for messaging around data. Otherwise a company that wants to exchange data with WeBank may find itself in an apples-and-oranges dilemma.

The more the merrier

The second challenge, specific to B2B federated A.I., is the need to involve vast amounts of data. In other words, the federation needs lots of members and contributors willing to share their data with the model (that is, let the data be treated, without being revealed or moved).

Yang says it is possible to reap benefits with only a few contributors. But there are different outcomes, depending on what is to be measured.

Think of it as a grid. On one axis is the number of users or customers whose data is being reviewed. Google’s Android work is 100% on this axis: lots of users being tested for tiny amounts of data (so that a mobile phone is enough to participate).

The other axis is features (a banker might call these “factors”): credit histories, income levels, doctor visits.

If a federation includes just one bank and one insurance company or healthcare provider, there will be some overlap. Some might share the same customers. Or they might all be interested in the same factor.

Yang says user data begins to add value with just 2,000 sources, as can just a handful of seemingly unrelated corporations. But WeBank is keen to get as many companies around the world to join, particularly in financial services and healthcare.

Cybersecurity’s new mantra: keep it isolated

Financial institutions quarantine executives’ online lives while using cloud and A.I. tools for flexibility.

Defending companies from cyberattacks is about detecting outside websites, links, malware and phishing expeditions – identifying dangers and training all staff to avoid them.

But malware still gets through. At least 10% of dodgy sites, hyperlinks and attachments go undetected. Although banks, cybersecurity vendors and others are using artificial intelligence to improve their detection and defenses, the bad guys have access to the same tools.

“If I’m a bad guy, I’m going to figure out what the algorithm is doing. I’m not doing the things that A.I. is looking for,” said Amir Ben-Efraim, co-founder and CEO of Menlo Security.

This is leading vendors and some financial institutions to try a more basic, but radical, approach, which they term “zero trust”.

And it means what it says: trust nothing from the outside world, so that nothing can get in.

Zero trust

How on earth is a bank or insurance company supposed to do business if it can’t trust anyone, or anything, from outside its walls?

This is a new challenge for cybersecurity professionals, one that more financial institutions say they want, says Daniel Cheung, chief information security officer at Daiwa Capital Markets.

But zero trust is not new – it’s just new to the financial world. It’s actually a classic position among sensitive government and military departments.

And if you’re wondering why your firm doesn’t let you surf the internet from work, it’s not because of fears over wasting time sharing cat videos: it’s to protect against evil code finding its way into your servers.

It requires each employee to duplicate all of their devices: so two computers per person, two switches: one for surfing the internet, the other isolated for internal corporate and database work.

Kok Tin Gan, partner at PwC covering cybersecurity and privacy, says isolation is the best tool to ensure safety.

Internet separation

SWIFT is one of the first financial institutions that mandated network segregation for member banks.

This follows the 2016 cyber-heist against Bangladesh’s central bank, which is the biggest robbery in history in asset terms: hackers broke into the SWIFT network to send messages that looked to Bangladesh Bank like orders to transfer $1 billion out of its reserve account with the New York Federal Reserve. The fraudsters moved $101 million before Fed officials spotted problems and froze the transfers.

Since then SWIFT has required banks using its network to segregate all connecting software.

“You must separate our messaging interface from the internet, from less critical applications,” said Saqib Sheikh, head of SWIFT’s customer security program in Asia Pacific.

As of last year, 99% of banks have complied, he told DigFin. Sheikh defines segregation as “managed isolation” instead of full isolation: “You only let known traffic come through. The traffic is encrypted and authenticated.”

Virtual isolation

An alternative to physical separation is virtual isolation, which is more productive and costs less, according to Menlo’s Ben-Efraim.

Rather than connect directly to a website, the end user is actually surfing on a visual representation. The real session is run in a virtual machine, created just for this user and isolated from all other virtual machines.

(A virtual machine is an emulation of a computer system, using specialized hardware or software.)

“You can think of it as projecting the website to your native browser. It’s like a hologram,” Ben-Efraim said. What the user sees on her screen is taking place externally to the company.

In case the application is infected or attacked, it gets trashed. A new virtual machine will replace it when the user switches websites – say from Google to YouTube.

“Think of it as a disposable browser,” Ben-Efraim said.

Cloud-based or on-premise?

The user can either install virtual-machine software on his own computer, or use a cloud-based solution.

All the major cloud vendors – AWS, Google, Microsoft – now run virtual clouds for customers. On the other hand, IBM, HP and Red Hat are among the big vendors providing virtualization software on-prem.

For traveling executives and people using mobile devices, a cloud-based solution is global and comprehensive, while on-prem solutions physically tie people to specific machines.

However, some critics say that virtual separation is not as safe as physical separation, whether it runs on one’s own computer or through the cloud. That’s because the local session is still connected to the virtual machine to receive the virtual message. Hackers can therefore attack through this connection.

SWIFT’s Sheikh said that on-prem virtual machines are actually not used for enhancing security. It’s just a solution for cost efficiency.

“I can run many virtual systems on the same physical server,” Sheikh said. “Virtualization is not used as a cyber-security tool.”

Adding A.I.

Jeffery Kok, vice president solution engineer at vendor CyberArk (Asia Pacific and Japan), says that adding A.I. to internet separation makes a good solution.

Even though the local session still has some kind of access to internet, the risk can be mitigated by first allowing only a single point of entry, and then second by directing A.I. tools at that single point of vulnerability.

It’s like using data analytics and self-learning techniques to train all your guns on the one door that a baddie can use to storm inside.

SWIFT has developed tools along this line of thinking. The two features that have greatly enhanced the network’s security after the Bangladesh attack are segregation (described above) and automatic detection of suspicious payments. It can send warnings and block those payments, Sheikh said.

Credential

A virtual session might be a good way to keep out dangerous code. But it can’t solve the biggest problem in cyber security: people inside an organization giving away passwords, usernames and other sensitive information.

People do this all the time, by accident. Sometimes it’s because they fall for a phishing expedition. Sometimes it’s even more mundane, particularly among staff that haven’t been well trained to be aware of basic security measures.

Vendors are therefore coming up with ways to detect when such information is at risk of escape. They have software that can check website URLs that come with email, to see whether or not they are legitimate – and then float a warning on the person’s computer or handheld.

Vendors can also grade outside sites, to separate the obviously dangerous from ones that might be OK if accessed in read-only mode.

Menlo’s Ben-Efraim says such solutions appear to be effective. Fewer than 1% of employees among the vendor’s corporate clients have deliberately ignored such warnings.

QR codes and the control of mobile money

Behind the humble QR code is an epic struggle over payments infrastructure.

Quick question: what does “QR” stand for?

These black-and-white, square codes have exploded in payments channels, becoming ubiquitous almost overnight, especially in Asia. But QR codes have been around for a long time, and their rise is entwined with the ongoing struggle to dominate payments.

“QR” stands for “quick response”, and speed and ease of use are what makes them so useful. QRs are a two-dimensional version of the (one-dimensional) bar code. Bar codes were introduced in the U.S. in 1952 as a way of letting machines read data describing the object on which the code is printed – like the price of a can of soup that gets scanned at a supermarket checkout counter.

China’s “techfin” companies Alibaba and Tencent made QRs relevant to payments. Credit-card companies, having built a gigantic industry on their own technology, now face competitors out to displace their payment infrastructure using humble QRs.

Setting the standard

To understand why QRs have become a big deal, let’s take a quick look at the development of traditional payments. Banks began issuing charge cards in the 1950s and 1960s, forming networks that would become VISA and Mastercard, among others.

These groups in turn formed a standard in 1995, EMV, to foster compatibility among “smart cards” using computer chips to store and transmit information. EMVCo, the association set up to manage these standards, now also includes American Express, China UnionPay, Discover Financial and JCB International.

Guillaume Yribarren, head of marketing for financial institutions at Idemia, a Paris-based maker of card chips and technology, explains how these work.

A traditional card transaction requires the consumer to give the merchant certain details which, together, form the payment credentials, he says. This includes the card’s 16-digit number (or payment account number), expiration date, and three-digit cardholder verification code (CVC).

These are sensitive credentials that allow anyone (including a thief) to execute payments. Therefore the industry developed point-of-sale (PoS) machines to authenticate the cardholder and secure the data before sending it to the merchant’s acquirer bank, which then transmits it to the bank that issued the consumer’s card – all of which takes place on the “rails” of the credit card companies, for a fee (levied on the merchant).

“Enabling this to happen across multiple cards, banks, and rails has required EMVCo to manage standards behind the scenes,” Yribarren said.

Enter the token

Coordinating chips was one thing: now the tussle is over payment tokens.

A token is a line of code that serves as an alias in place of a real PAN. It looks like a 16-digit card number, but it’s generated dynamically (that is, it changes with every transaction).

Apple was the first to introduce a token, with its ApplePay, which incorporates the account number and another number to identify the device where the token information is stored (in this case, an iPhone).

EMVCo helped promote tokens because they provide additional security for payments. Instead of using the “real” card credential, a surrogate value (or “token”) is generated for a specific need and can only be used under certain conditions (specific merchant, max amount, etc.).

A payment token is used during a mobile payment in-store contactless transaction (like Apple Pay, Samsung Pay or Google Pay). A token can also be used for online payment (thanks to a “disposable virtual card” displayed in a smartphone app).

Consumers can simply tap the smartphone on a reader to make a payment, just like using an Oyster card to pay for a ride on the London underground. EMVCo made sure that using Apple Pay in a store or online would seamlessly translate tokens into the real existing payments card numbers issued by the big credit-card companies to process the transaction.

It’s the token that makes e-commerce secure. Yribarren gives the example of buying a Netflix subscription. The movie site doesn’t store your credit card’s PAN. Instead, your payment triggers a request by Netflix to ask VISA or Mastercard for a token that it can store and use instead. Because tokens can be specifically generated for a given retailer, they’re useless to hackers; if someone stole the card details from Netflix, they’d just have a token assigned to its merchant code, and a fraud attempt with this token would be instantly detected and rejected. Tokens can also be assigned attributes (such as a short-term expiration date, or spending limits).
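The conditions attached to a token (specific merchant, maximum amount, expiry) can be made concrete with a small token vault. This is an added example, not EMVCo's specification or any card network's code: the class and method names, the merchant ids and the limits are hypothetical, and the card number is the widely used test number rather than a real account.

```python
"""Toy token vault: merchant-bound, amount-capped, expiring payment tokens."""
import secrets
from dataclasses import dataclass

TEST_PAN = "4111111111111111"  # widely used test card number, not a real account


def luhn_check_digit(partial):
    """Digit that makes partial + digit pass the Luhn test used by card numbers."""
    total = 0
    for index, char in enumerate(reversed(partial)):
        digit = int(char)
        if index % 2 == 0:  # every second digit, starting next to the check digit
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class TokenRecord:
    pan: str
    merchant_id: str
    max_amount_cents: int
    expires_at: int


class TokenVault:
    """Held on the network or issuer side; the merchant only ever stores the token."""

    def __init__(self):
        self._records = {}
        self.alerts = []  # rejected attempts, kept for fraud monitoring

    def issue(self, pan, merchant_id, max_amount_cents, ttl_seconds, now):
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # The token looks like a 16-digit card number but is random.
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, merchant_id, max_amount_cents,
                                           now + ttl_seconds)
        return token

    def authorize(self, token, merchant_id, amount_cents, now):
        """Approve only if every condition bound to the token holds."""
        record = self._records.get(token)
        if record is None:
            reason = "unknown token"
        elif merchant_id != record.merchant_id:
            reason = "merchant mismatch"
        elif now >= record.expires_at:
            reason = "token expired"
        elif amount_cents > record.max_amount_cents:
            reason = "amount over limit"
        else:
            return True, "approved"
        self.alerts.append((token, merchant_id, reason))
        return False, reason


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.issue(TEST_PAN, "STREAMING-DEMO", 2000, 3600, now=1000)
    print(vault.authorize(tok, "STREAMING-DEMO", 1599, now=1100))
    print(vault.authorize(tok, "OTHER-SHOP", 1599, now=1100), vault.alerts)
```

A token copied from the merchant's database fails the merchant check anywhere else, and each failed attempt lands in `alerts`, which is the detection point the paragraph above refers to.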

Disruption: new rails

But then came AliPay and WeChat Pay, networks that developed completely outside the payments infrastructure of banks and credit-card companies. These companies began in e-commerce and mobile gaming, and found payments were a useful tool to generate incredible scale and bolt on new services. They are closed loops.

This is not new: so is Oyster, for example. But AliPay and WeChat Pay emerged in the quasi-vacuum of a huge market, and triggered a consumption boom in China that is still just getting started. Now they are looking to expand their reach overseas.

Meanwhile PayPal’s Venmo became a popular closed-loop consumer-to-consumer payments tool in the U.S., while more recently, some banks in Asia (DBS, CITIC and HSBC) have launched their own closed-loop payment apps.

But unlike Venmo, the Chinese techfins got their start using QR codes, which are easy to display, and read. Even old phones predating iPhones can read them if they have a screen. And it’s simple for a merchant to print them out. No one needs a PoS, and merchants don’t need to pay the 3% fees associated with accepting charge cards. Payments are almost real-time, so there’s no need for managing against fraud. All that is required is for a merchant and a consumer to both use the same system, such as AliPay, which settles the transaction without involving a bank or other payments provider.

Connecting to the closed loop

Of course at some point, these proprietary systems need to touch the outside world and established payment networks. These gateways began as top-ups via credit cards or bank transfers. And that’s where EMVCo comes back into the picture, because the big credit-card companies want to create QRs that are interoperable or that use their existing rails. They are threatened by the advance of systems that otherwise don’t need them.

There are two ways a QR payment can work, depending on who does the scanning: the merchant, or the consumer?

Let’s take a consumer, in this case a Chinese tourist in Paris. Her phone is offline, to avoid roaming charges, but she wants to use AliPay to go shopping at Galeries Lafayette (which, due to the number of Chinese visitors, accepts AliPay and WeChat Pay).

She generates a QR on her phone, which the sales clerk at Galeries Lafayette scans to get the shopper’s token (the store has to be online for this to work). The token contains her name, the name of her bank, her PAN, her expiration date, and her CVC. 

The merchant enters the amount to be paid, scans the customer’s phone for her QR to download a token, and processes that information. This process is basically the same as if the shopper tapped a contactless credit card. 

The second way this works is if the customer scans the merchant’s QR code, which may be printed out at the cashier counter. In this case, the consumer’s mobile must be connected to the internet. When she scans the QR code, Galeries Lafayette generates a token with the amount, the currency, and the store’s information. This token is sent to the shopper’s phone, which passes it on to AliPay’s servers, which confirm the payment back to the merchant.

QR compatibility?

The process for doing this via, say, Apple Pay, is the same – it’s just that Apple Pay will rely on VISA or Mastercard rails, while AliPay uses its own.

EMVCo is trying to push a generic QR standard that allows any merchant or device to read a compliant code. An AliPay or WeChat Pay code is only usable when the consumer and the merchant are on the same platform. VISA, on the other hand, is accepted everywhere.

The battle for EMV-compliant QR codes is just heating up. The traditional payment-tech companies now recognize that QRs are going to spread in emerging markets, where credit-card infrastructure is still new and under-developed. The ease for merchants to print out or display a QR, without needing a PoS machine, makes it the perfect tool for the rapid adoption of mobile and digital payments, replacing cash.

But whose QR? Will QRs remain tied to closed-loop systems like AliPay and WeChat Pay? Will these techfins decide they will generate more international business if they conform to EMVCo standards? Will they want to join EMVCo – and will they be admitted into the club?

And how quickly can these competing standards drill down into local markets, where there are plenty of domestic credit cards based on purely local payments infrastructure, unconnected to international rails?

Going local

The rise of domestic payment networks is alluring to both Chinese techfins as well as to traditional card companies. One way to plug into these emerging sources of business is to work with local authorities to make local payments compatible with international ones. But the faster way is to roll out QR codes.

Will these codes be EMV-compliant? Or will the battle go chain by chain, store by store, as retailers, taxi companies and restaurants have to select among multiple payment networks?

In theory, EMVCo is easier because it means instant compatibility with the global majors, but it requires adopting traditional PoS machines and Western IT infrastructure, which aren’t “QR native” – and don’t cater to most Chinese consumers.

The tip of the spear

EMVCo spent years helping promote contactless payments, particularly in the U.S., where consumers were habituated to swipe cards and security in the form of Personal Identification Numbers. In some developed countries like Australia, contactless is now the dominant technology. While Venmo is popular in America as a C2C service, Apple Pay and other mobile payments have only tiny market share.

AliPay and WeChat Pay, on the other hand, have completely skipped cards altogether; everything’s just done by exchanging tokens via mobile phones (usually for debit cards, rather than credit). Moreover they have used QR codes to make payments so easy that they have become “superapps” paying out employees’ salaries and other daily needs, well beyond discretionary spending. They are so comprehensive in China that they have effectively shut out credit-card companies (which is why even China UnionPay is a promoter of EMV).

As the techfins look to take their proprietary systems abroad, they are putting traditional payment rails at risk. QR codes are the surface technology that makes it easy to use mobile payment rails. EMVCo is campaigning to ensure these rails use the same gauge, making them able to carry anyone’s tokens. But Western standards also mean Western costs, while Chinese QRs do not.

The opening phases of the battle depend on whether merchants rely on Chinese consumers, but long-term prospects are about controlling the future of mobile money. The humble QR code is more than a simple tool to transmit information: it is the tip of a massive, complex spear.

Copyright © 2017 Digital Finance Media Limited. All rights reserved.
