Making payments with an implant


IF YOU ARE INTERESTED IN USING A PAYMENT IMPLANT, PLEASE FILL OUT THIS QUESTIONNAIRE!

TL;DR - the only real legit way to make EMV contactless payment work is to comply with EMV requirements and bring all the players to the table. This is actively being worked on at VivoKey.

That said, let me explain…

Payment is a tricky thing… I mean, what is a payment? Transfer of value… well that can mean many things… but what you are probably thinking about is an EMV payment which looks something like this…

EMV Payments or “contactless payment”

EMV stands for EuroPay, Mastercard, Visa, and it is a standard created by those companies for chip & PIN and contactless payment at terminals. This is what your contactless credit and bank cards use, and it is what Apple/Samsung/Google/Fitbit/etc Pay technologies also use. However, EMV is extremely complex in both chip technology used and the multitude of standards, certifications, and corporate partner approvals that must go on in order to get your “payment instrument” to work with EMV. Many companies work for years and spend upwards of a million dollars just to get their otherwise ready-to-go payment products into the EMV market.

At this point in time, the major payment networks that enable global settlement (payment) between your personal bank and the merchant’s bank are not interested in authorizing implantable devices on their network. To be clear, VivoKey has had chip implant technology that can work with payment terminals for years… the problem is that the players involved are not allowing it to happen out of fear that public outcry will damage their brand.

Cloning EMV is not possible

The idea of cloning your payment card into an implant is a common question, but the reality is that’s not going to happen either. The chips used in payment cards are far more sophisticated than those used in simple RFID or NFC devices. Like VivoKey implants, they employ cryptographic processors to enable secure communication between card and payment terminal, and protection of those cryptographic keys is no joke… they require serious high security facilities to even handle the cards when they are programmed with account data (called “personalization”). Regardless of that fact, you can simply use a payment terminal to spit out decrypted payment data from contactless payment cards… but you still don’t have the keys required to encrypt payment data in a way that will allow terminals to read it.

Closed loop payments

Closed loop payments use chips and methods which are far less secure, and so you might see some examples of people “paying with a chip implant” at a vending machine or at a point of sale system… but they may be paying using a closed loop system. A good example of this is when students get an ID card they can use for transit and around campus for food, access, snacks, etc. Those cards typically only work with a limited number of terminals and vending machines in and around the campus. Those types of cards are called “closed loop systems” because of the way they carry a private “balance” (like a credit) either in the card itself (called a “stored value” card) or in a proprietary and closed accounting system (database), and they get “topped up” using a credit card, cash, or other means… but it all typically happens outside the traditional global banking and payment system. These closed loop systems can be used to make various forms of payment around campus and with certain vendors in the outside world, but they are not part of the global payment system. Kinda like CCTV means “closed circuit TV” for private security cameras, closed loop systems are private and operate only within a closed controlled environment. The same goes for many types of loyalty cards, ride share car access, or other types of transit systems that use their own technologies to enable cashless payment. These are all forms of payment, and in some cases those cards can be cloned to an implant, or made implantable directly through conversion (more about this below).

Here is an example of a closed loop (very insecure) payment being made with a NExT chip at a vending machine. This is not a credit card or bank card payment, and as such it is not possible to pay elsewhere outside this closed loop system with the NExT chip implant.


(youtube)

PayPal, Venmo, and other “alt” payment technologies

When it comes to alternative point of sale payment technologies, PayPal is making an effort to plant itself into the payment terminals of various stores, and solutions like Venmo are proposing an “out of band” payment solution which allows customers to pay vendors through a mobile app. In this case, there was a lot of “buzz” (pun!) generated when a Buzzfeed reporter implanted an xNT chip to make payments using Venmo. While it is very interesting, it was a complete hack job that required participation from a former Venmo engineer and the vendor, wherein the end result was a completely insecure method to prove it could be done. The reporter’s Venmo wallet key had to be given to the vendor to make the transfer. Therefore the wallet key had to be stored insecurely on the xNT, and the solution would never work in the real world because everyone you did business with would have a copy of your wallet key. Still, it’s very interesting.


(youtube)

Until Venmo or PayPal or other payment stakeholders become interested in implant technology, these solutions will be edge cases and proofs of concept only.

Bitcoin & Cryptocurrencies

Blockchain technologies like Bitcoin work differently from typical payment schemes in a very significant way. It’s not called out often… in fact, I’ve never heard this comparison explained before, but it is critical to the future of all payment. Blockchain is a mathematical construct wherein all users have “wallets” and those wallets are simply a pair of keys - a public key and a private key. If you don’t know what PKI is, you might want to read up a bit first. The public key is used by everyone (“the public”) to send bitcoin to that wallet “address” (the public key is the wallet’s address on the blockchain network). All private keys are kept private (obviously) because they are the only keys that can be used to send bitcoin from wallets. A transaction that transfers bitcoin from one wallet to another is crafted using the private key of the sending wallet, the public key of the receiving wallet, and the amount to be sent. That transaction is cryptographically signed and sent to the blockchain network for validation (the sending wallet has bitcoin to spend) and processing (addition of the transaction to the blockchain ledger).

The important thing to note here is that the sender crafts the transaction and pushes the money to the receiver. This type of transaction models how cash works. When you buy something with cash, you don’t hand your wallet over to the vendor and trust they only take what is owed. It’s important to understand that cryptocurrencies model how cash works during a transaction… where the receiver asks for an amount and the sender is tasked with transferring the proper amount to the receiver… and the private key used to do that is kept private… the vendor never sees or has access to the one piece of information that would open your entire wallet to them (or anyone else who happened to get that key).

Currently, in just about any other type of digital commercial transaction where banks and/or cards are involved, the exact opposite is true. You expose your one and only “key” (your credit card or bankcard number) to every single vendor you do business with, effectively handing over your entire wallet to them, and hope they only take what is owed, and pray they protect your account data somehow so nobody else can get access to it and empty your bank account or rack up a ton of credit card charges. It’s like leaving a copy of your house key in every door you’ve ever walked through. It’s completely stupid, outrageously expensive to police, and it’s the only way banks and the “card” industry works at the moment.
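The push and pull models contrasted above, as an added example that is not part of the original post. It uses hash-based Lamport one-time signatures from the Python standard library as a stand-in for Bitcoin's real signature scheme; the wallet names, the card number placeholder and all function names are constructed for illustration.

```python
import hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(msg):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. A Lamport key must sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def encode(tx):
    return json.dumps(tx, sort_keys=True).encode()

def push_payment(sk, sender, receiver, amount):
    """Push model: the sender fixes receiver and amount, then signs. sk never leaves."""
    tx = {"from": sender, "to": receiver, "amount": amount}
    return tx, sign(sk, encode(tx))

def network_accepts(pk, tx, sig):
    """Anyone holding only the public key can check the signed transaction."""
    return verify(pk, encode(tx), sig)

def pull_charge_accepted(number_on_file, presented_number, amount):
    """Pull model: a static number is the whole credential; amount is unbound."""
    return presented_number == number_on_file

def demo():
    sk, pk = keygen()
    tx, sig = push_payment(sk, "customer-wallet", "vendor-wallet", 5)  # constructed names
    inflated = dict(tx, amount=500)   # vendor edits the amount after the fact
    card = "CARD-NUMBER-PLACEHOLDER"  # constructed value, not a real card number
    return {
        "signed_tx_valid": network_accepts(pk, tx, sig),
        "edited_tx_valid": network_accepts(pk, inflated, sig),
        "pull_charge_500_valid": pull_charge_accepted(card, card, 500),
    }
```

The edited transaction fails because the signature covers the amount and receiver, while the pull-style check succeeds for any amount once the static number is known.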

Conversion

One of the only viable options at the moment to have an EMV capable payment implant is to convert working contactless “mini payment cards”, key fobs, or certain other contactless payment devices that are able to be converted. Check out this link to see what is possible;

The down side is that these expire and will have to be removed or replaced every 2-4 years.

Walletmor

Finally we have Walletmor, a legitimate attempt at pushing implantable payment forward. This may be an option for you if you are a citizen residing within the EEA or Switzerland.

More reading
