In 2020, the number of digital payment transactions grew to 779 billion, representing a vast acceleration in the adoption of digital payments around the world. The nature of these digital payments is also changing, as solutions come to market that can automate swift, convenient payments made from IoT devices.
So what are IoT payments?
In simple terms, IoT payments are payments triggered by IoT devices with a high degree of autonomy. IoT devices can include sensors, appliances, robots, drones, or other equipment. They can be triggered by specific 'events' to make automatic or semi-automatic payments.
Imagine, for example, that you have a busy work schedule and you struggle to make time to buy groceries. A smart fridge could take stock of the items inside the fridge using a smart camera, and then trigger the delivery of groceries when the inventory of items falls below a specified level without intervention from you. A company called Wiliot is even building postage-stamp-sized Bluetooth beacons that cost as low as $0.10. These beacons can report the location data of products they are attached to, thereby enabling the fridge use case to extend to the pantry.
This revolution is being driven by the maturity of digital payments and the growth of connected devices, which tripled to 38.5 billion over the five years until 2020. Another major factor that is driving the IoT payment revolution is the improvement of artificial intelligence algorithms for detecting fraudulent payments.
What are the benefits of IoT payments?
IoT payments can provide benefits to several stakeholders.
- For consumers or business users, they represent a truly frictionless experience that makes repetitive or low-value purchases easy, saving time and effort, and reducing the risk of low inventory due to a delayed purchase.
- For merchants and distributors, they are a seamless experience for customers leading to higher conversion rates, increased revenues, and more repeat customers.
- For businesses creating IoT offerings, they provide the ability to embed automated payments into their processes to enable innovative value propositions based on convenience and the direct connection between usage and payment.
Levels of autonomous payments
Level 1 (Informational) - The device has permission to access a user’s bank account. The outcome of such a transaction is only to provide information regarding the permissible data available in this bank account around payments. For example: an Amazon smart speaker at home configured to access a user’s bank account through a voice service to offer information such as their account balance, last month’s main transactions, or how much a specific device has paid in the last month on behalf of the consumer.
Level 2 (Permissioned) - The device must request the explicit consent of the user before triggering a payment. Payment permission must be granted by authentication means (e.g. biometric or non-biometric). For example: at a BP fuel station, the device asks the user for their consent with a push notification to their smartphone before triggering the refueling payment directly from their (bank) account in a system based on reading the vehicle’s licence plate, to ensure that it is the authorized user who is refueling the vehicle.
Level 3 (Conditional) - The device makes a payment automatically (without asking the explicit consent of the user) under pre-defined deterministic conditions set by the user to trigger the payment. For example: a HP smart printer in an office is configured so that when it is low in toner, an order and payment for the toner replacement is automatically triggered.
Level 4 (Fully Autonomous) - The device conducts a payment automatically using a combination of pre-defined deterministic conditions (as per Level 2) and, additionally, uses adaptive behaviors of the device depending on the context. For example: a system in London that manages an annual repair budget initiating prioritized purchases and payments to suppliers based on the elements that need attention or repair in the city at any moment such as streetlights, garbage containers, etc.
Security in IoT payments
One of the issues with IoT payments right now, is that some users are resistant to and fearful of new technologies. IoT payments are susceptible to fraud if the device or platform is hacked. Poorly designed systems could also trigger payments that are technically legal but that do not represent the true interest of the customer. Some consumer advocacy groups are also worried that elderly persons or disenfranchised groups will be excluded from “unmanned services”. Some states in the US have even legislated against cashless businesses for this reason.
It’s imperative that consumers understand and trust devices with their financial assets and trust that the service provider can allow them to roll back malicious or unintended transactions. In systems with a large number and variety of devices exchanging data over the Internet, assuring security is a major challenge. Fraudsters and cybercriminals target these payment ecosystems so the payment ecosystem needs to allow consumers to easily control their devices and payment credentials.
There are three key aspects for this payment ecosystem to evolve: Securing payment credentials, device authentication, and consumer authentication. While regulations such as the EU’s Second Payment Services Directive (PSD2) have been helpful in advancing security around digital payments, they need to evolve to meet the needs of IoT payment systems. Let’s run through each of these three key aspects:
Securing Payment Credentials:
EMVCo19 mandates a user identity and verification step before granting any token request. A similar mechanism can ensure that device owners are aware of token requests from their devices and that such requests are legitimate.
The basic requirements of PSD2 state that strong customer authentication has to be based on the use of two or more possible authentication elements, categorized as:
- Knowledge (i.e. something only the user knows, such as a password)
- Possession (i.e. something only the user has, such as a token)
- Inherence (i.e. something only the user is, such as a fingerprint or face scan)
Many IoT devices are deployed with weak security, for example, an easy to remember password (e.g. 123456789), which may then remain unchanged for extended periods. The lack of a common security framework is a problem for device manufacturers, service providers and consumers.
In addition, some payment authentication methods aren’t suitable for IoT devices due to constraints like low power and limited storage capacity. Increasingly, there is adoption of standard authentication methods such as PKI, OAuth and OIDC to serve IoT use cases of a specific scope and scale.
An IoT device by itself cannot be held accountable. Ultimate accountability rests with the person or organization using it for payment. This necessitates periodic consumer authentication. The key challenge is to apply the most convenient authentication method. When it comes to customer convenience, biometric authentication is becoming increasingly acceptable. For example, voice recognition is a good candidate for in-car payment. Authentication is not necessary before all transactions but can be required periodically, such as when a vehicle is activated.
IoT payments adoption data
Today, consumers and merchants expect payments to be increasingly frictionless, or even invisible. An example of frictionless payments are in-app purchases authorized by facial recognition. Invisible payments take this one step further, as the customer doesn’t need to take additional action to trigger and complete the payment.
The attitudes of Gen-Z are driving this expectation. Gen-Z is the first “digitally native” generation. They expect a smooth digital customer experience, including that payments become increasingly frictionless and invisible.
At the same time, merchants are looking for ways to increase conversion rates in their stores, whether brick-and-mortar, online or omnichannel. Merchants are increasingly accepting payment via mobile apps such as Apple Pay, AliPay, PayPal, Samsung Pay and WeChat Pay.
Moving from frictionless to invisible payments often requires IoT payments. In physical stores, we see merchants exploring the “walk-in/walk-out” concept, where shoppers simply enter a store, pick up goods, and leave. The payment is automatically processed in the background using data such as facial recognition to determine who to charge for purchases.
By 2023, the rapidly growing market of IoT payments is expected to reach $27.6 billion. The markets that will benefit from this development include retail, automotive, smart city and smart housing, to name just a few.
For consumers, three alternative payment models that can potentially be used for IoT payments are described below.
- Major international card schemes have been successfully deploying non-card payment through payment tokenization. Today, one of the most common uses of debit and credit card tokenization is to emulate a payment card with a mobile phone, using Near Field Communication (NFC) to initiate a transaction, where the tokenization replaces the Primary Account Number (PAN).
- With Instant Payments, banks are able to execute money transfers in near-real-time. This means that, if a payer wants to pay someone in Europe, the beneficiary is able to receive the money within seconds, assuming that both the payer and the beneficiary are customers of banks participating in the SCTinst (SEPA Instant Credit Transfer) scheme.
- One of the most discussed technologies for IoT payments today are cryptocurrencies, based on a distributed ledger, which bring attractive technical features to an IoT environment. Since the ledger is distributed, it allows IoT devices to perform peer-to-peer transactions with or without the involvement of a trusted third party.
Implementation of IoT payments for consumers and organizations
Let’s talk about how IoT payments will be implemented for consumers and organizations. There are a variety of key technologies that businesses will be required to master.
|Perhaps the most important step is ensuring trusted IoT devices. This means that IoT devices need to have embedded cryptographic hardware, with enough computing power to ensure the integrity of data before it is transmitted. This can be achieved with different levels of security: secure elements, trusted execution environments (TEE) or white boxes. The identity of an IoT device can also be provided by a Physically Unclonable Function (PUF) enclosed in trust zones or secure elements. These functions provide a unique identity to each specific device. |
In order to process payments on behalf of the device owner, there is a need for authentication. These could include authentication protocols like FIDO Universal Authentication Framework, which provides strong authentication through public key cryptography.
An IoT payment device must ensure that all communications and processes are secured end-to-end in the device lifecycle, from the device’s own security component to the payment issuer back-end system. Key considerations include changes of ownership, expiration of payment credentials, application end-of-life and device end-of-life.
The diversity of IoT platforms and network protocols complicates interoperability between IoT applications, preventing IoT from reaching its full potential. To address IoT interoperability it is necessary to allow IoT services to communicate in a common language and assure security levels for the connectivity and exchange of data across different platforms.
Most IoT devices rely on wireless communication technology. The two major categories that we see are LPWAN (Low-power Wide-area Network) and 5G. LPWAN can operate on both the licensed and unlicensed radio spectrum. On the other hand, 5G operates only in the licensed radio spectrum. Depending on the use case, and the corresponding business case, one technology will be more suitable than the other. Therefore, it is likely that LPWAN and 5G will co-exist.
The main advantage of LPWAN is its low power consumption, enabling the battery life of sensors to last 10+ years depending on data transmission frequency. The first implementations of 5G are providing better bandwidth and lower latency and enabling the connection of a very high number of IoT devices.
IoT devices collect large amounts of data that can fuel machine learning algorithms and neural networks to predict consumer behavior. Extensive training on user behavior and the transactional context is needed to effectively implement the capability to execute truly autonomous payments (at level 3) on behalf of and with the full confidence of a human user.
Additionally, Blockchain technology is a cryptography-driven solution with the potential to use a distributed decision model to replace existing centralized architectures. As it is based on peer-to-peer technology, distributed ledger technology stacks can perfectly fit a highly distributed IoT ecosystem.
POV: Asia Digital Landscape - IoT Payments in China
Hema is one of the best-known stories related to China’s recent payments renaissance. The country has been a massively successful adapter of digital payments, through apps like WeChat Pay and Alipay. Hema, an offline-online retail store by Alibaba, took the comfort that regular people have with digital payments in China and ran with it.
The store is similar to Amazon Go, but has expanded much quicker, with Hema opening 100 stores in the time that Amazon opened eight Amazon Go stores.
Hema customers download the store’s app, and can then scan a QR code on each item so that it is added to their shopping cart. By scanning these QR codes, customers can also find nutritional information, customer reviews, recipes and more. The Hema app also remembers customers' prior purchases, so that your shopping experience can become highly personalized.
Your Hema app is linked to your Alipay wallet, and you can simply do a quick facial recognition scan to pay for your items and leave the store.
To sum this all up, IoT payments are the future of payments. Already, in countries where IoT infrastructures have flourished and internet access is high, these forms of payment are beginning to grow. While the security and trust of systems need to improve before a large-scale change towards IoT payments truly happens, there are already suitable use cases available that are widely adopted today.