You may be revealing more information than needed whenever you disclose your personal identity, such as a driver’s license. And that information may be misused by the party from which you buy a product or service. Consumers are not in control of their data today, and there is a need for evolved standards and technology like homomorphic encryption to protect digital identities. These were some of the concerns expressed by Robert Schukai, Executive Vice President, New Digital Infrastructure and Fintech at Mastercard, when he delivered the keynote address at the Secure and Private Compute Summit (Virtual) on July 6. Schukai also outlined some of the initiatives undertaken by the New Digital Infrastructure Group at Mastercard – backed by Mastercard’s data principles. Its digital identity service aims to counter consumer data privacy challenges for financial transactions.
By Brian Pereira, Editor-in-Chief, CISO MAG
The New Digital Infrastructure Group at Mastercard is focused on developer outreach, engaging with the Fintech community and with its cryptocurrency work. It is also regarded as Mastercard’s open banking organization. The Group wants to bring about change in how digital identities are exchanged during financial transactions. And it has achieved some success with its digital identity service called “ID” in markets like the U.S., Europe, and Australia. This has also opened up new opportunities and exciting applications that were not possible earlier due to concerns about consumer data privacy.
“Today, we are at a critical juncture at how data is used. We see a real need for consumers to be in control of their data — for consumers to feel like they had a say in how it was used,” said Schukai. “At Mastercard, we took this seriously, and we established our data principles in 2019… these were principles that every single employee at Mastercard buys into today.”
Mastercard Data Principles
According to Schukai, Mastercard believes that four things should take place when it comes to treating personal data with “decency.”
- You own the data. You produce data every day, so it belongs to you.
- You control your data. You have the right to understand and control how your data is shared and used.
- You as a consumer should benefit from the use of data.
- Mastercard will protect that data. Your data will be kept secure and used responsibly.
“It is important to set up those data principles today because digital identity and open banking are highly complementary businesses,” said Schukai. “We believe users should only have to share the data that is absolutely necessary at the time of the transaction, and this is our focus for any company that we work with or any use case that is out there.”
Enabling Open Banking
Open Banking, which was introduced in January 2018, has been a topic of many conversations as it gives consumers and third-party financial institutions flexibility for financial transactions. According to Investopedia, open banking is a banking practice that provides third-party financial service providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions, through the use of application programming interfaces (APIs).
Mastercard already operates an open banking solution in Europe, and in 2019, it acquired Finicity, a leader in the open banking space in North America.
Open banking got a major boost after regulatory rules were established for it in the U.S., EU, and Australia. For instance, in Europe, it is known as PSD2 (Second Payment Services Directive), and it is forcing the biggest banks to open up and share their data. This is enabled by standardized API access to information in bank accounts. While open banking has been around since 2018, there are still some major creases to be ironed out before it really takes off. However, the opportunities and benefits have been a big draw for both consumers and financial services organizations.
“This gives you tremendous leverage and opportunity — to create services and offerings for new account opening, for lending or credit decisioning. That was one of the things we found most compelling from a Mastercard perspective,” said Schukai.
He alluded to certain applications like controlling credit scores, which are possible due to open banking.
“People could upload their data in a product like the Experian Boost to raise their credit score, so that they can then turn around and secure a mortgage to a company like Rocket Mortgage. This is powered by the Finicity open banking solution, and it lets you get a mortgage very quickly. That ability to move data and use your data for lending and credit decisioning all require a combination of knowing who the person is, to be able to ….to successfully unlock that data. To secure and use it responsibly.”
Enabling Technologies and Techniques
To enable these open banking applications, organizations need to adopt certain privacy-enhancing technologies. There are techniques such as differential privacy, trusted execution environment, secure multi-party computing, and homomorphic encryption. And each of these has its range of complexity, capability, and security requirements. Companies must do their due diligence when choosing a technology.
Schukai said that Mastercard is invested in homomorphic encryption. It also introduced a program to engage with tech companies that specialize in payments and security.
“Personally, I think homomorphic encryption is a phenomenally exciting technology. We see great value in querying data where it lives. It’s about performing computation in the ciphertext space and returning results of those queries, all this without decrypting. For us at Mastercard homomorphic encryption is an ideal technology when you are dealing with sensitive data that you do not want to sling around but would prefer to leave in its location.”
Data is encrypted at rest and in transit. But it has to be decrypted for processing, and that presents security and privacy challenges. This is now solved by homomorphic encryption, which enables ciphertext data to be processed without the need to decrypt it.
Homomorphic encryption is already coming into the mainstream, though it makes huge demands on computing resources.
Legislative Compliance Challenges
Schukai said Mastercard is also working to help companies cope with legislation challenges at the local, regional, and international level.
“When you layer data principles with legislative compliance, you see the problems that we face in using data and using data safely. We need to think about multiple layers of security including tokenization and encryption that protect information. We need to think about regulations like GDPR — and Mastercard has launched a My Data portal so that individuals everywhere can see and manage their personal information that Mastercard holds. It gives you the opportunity to remove that data if you do not want it to be stored there any longer,” he said.
Schukai also feels the need for world-class anonymization solutions that protect data while enabling analytics under the GDPR. This will be exceptionally critical for data usage for consumers.
“As a company, we are embedding data responsibility principles into our product development process. We even provide controls over the use of data, including opt-outs for marketing data. We want to be able to unlock the power of data, but we need to unlock that data sensibly and responsibly. And for us at the highest level of security, when we are combining assets like user identity and banking information, we are very proud to be using technologies like homomorphic encryption as a way of leaving data where it sits, complying with national regulation, performing queries against data sets without moving the data and overturning the results of those queries in a safe, effective, and proper way, to unlock the types of solutions that consumers want.”
While Mastercard is doing its bit to secure consumer data, the Government of India thinks it should be more transparent by storing a copy of consumer transactional data on servers on Indian soil. On Wednesday, the Reserve Bank of India banned Mastercard from issuing new credit and debit cards to consumers, and this is a major setback to the U.S. company.
In a notification, the RBI said Mastercard had not complied with data storage rules from 2018 that require foreign card networks to store Indian payments data “only in India” so the regulator can have “unfettered supervisory access”.
Digital Identity Service
Mastercard is taking its digital identity service (called “ID”) to other markets such as Australia. In November 2020, it did a beta launch for its reusable digital identity solution with Optus, a major Australian telecom company. This will provide Optus’ customers a simpler and more secure way to prove their identity online and in-store. To quote from a press release: In using ID, Optus will strengthen its identity verification and authentication process while retaining its “best-in-class, digital-first customer experience.”
About the Author
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).