A Cash-Free Society

To use digital payments it is necessary to have a digital infrastructure, point-of-sale terminals, computer networks, and clearing systems for handling transactions between banks, credit card systems, and so on. These are all discussed below.

In a digital economy, all points of sale must be able to take a digital payment. Today we achieve this by having a terminal that may be connected to the cash register. Most terminals can accept cards with a magnetic stripe or cards with a chip. Newer terminals will also be able to handle cards with an embedded RFID¹ chip for tap-to-pay functionality. With NFC² and Bluetooth³ radio communication, the terminal can also connect to smartphones, either for mobile payment or tap-to-pay functionality.

Providers of terminals and payment systems know that retailers will not install systems that can be used by only by a few customers; nor will they want to have many different terminals lined up at the cash register. This forces the providers to cooperate, either by agreeing on a standard or allowing for one terminal to handle different systems. On the other hand, customers want to choose how they pay and will expect that the merchant can handle different credit cards or different electronic payment systems. This requires cooperation between banks, credit card companies, and retailers. However, experience from many countries shows that this is achievable; the customers can get flexibility and the retailers will get a one-size-fits-all system.

Terminals need to have a network connection to be able to verify cards and transaction amounts, and also to transmit the data from the transactions. Some retailers also use this connection to compute discounts—for example, based on the items the customer has bought. While such two-way communication was impractical with low-speed networks, it is now achievable with broadband connections. It is, of course, important that payment does not become a bottleneck.

We traditionally think of a payment terminal as something that is installed at the retailer, but this can just as well be a device that is owned by the customer, such as a smartphone. This opens up many new possibilities, including very simple identification and payment systems. I explore these possibilities below.

1. The customer buys, maintains, and handles the equipment, both hardware and software.

4. The smartphone is always online and can be connected to websites, email, and more.

5. The ID mechanisms of the phone, fingerprint reader, iris scanner, face recognition or passwords, can be used, sometimes avoiding another set of identification.

6. Phones have a display that can be used to select items, to offer additional data, and to provide forms for input.

9. The receipt can be presented in many different formats, including those that can be read digitally.

Companies are eager to develop new apps that utilize these advantages. For example, Ruter, the company handling local area traffic in Oslo, developed a ticket app that turned out to be highly successful and has been downloaded more than one million times. According to Ruter, more than half of Oslo commuters used the app in 2017, giving Ruter one of the highest mobile phone usage percentages in the world.

The app utilized all the advantages mentioned above. The customer maintains the equipment (1), has user experience (2), downloads and installs the software as an app (3). The app can be used everywhere and receipts can now be stored on the phone, on a website, or sent as email (4). After setting up an account, registering the name, credit card, and so on, access is given directly by using the ID mechanism of the phone (5). Tickets can now be bought just by entering the zone or destination in a customized user interface (6). By using the fact that phones can be located, the input part can be simplified by automatically suggesting the from-place (7). After the ticket is bought, the actual ticket is stored on the phone with a countdown mechanism to show validity (8). The ticket is presented as a QR code that can be read digitally when entering a train or a bus, or by a screen that one can show to the bus driver (9).

With smartphone applications such as this one, the payment is an integrated part of the system. This will be an important enforcer of a cash-free society. Digital payments are no longer just a replacement of the previous cash transactions, but offer something very different. Now the actual payment may be just a part of the whole transaction. In the example above, the transaction has many parts: finding a route, retrieving the time of departure, choosing a ticket, and paying. As we have seen, the actual payment is just a small part, often performed just by a button click.

Now smartphones are also being introduced as a way of paying at a terminal—for example, at a retailer. Then the NFC capabilities of the terminal may be used, using the phone as a tap-to-pay card. Other possibilities are that the store offers a QR code or a phone number for identification. In the first case, the customer will use an app to read the code (by taking a picture); in the other one, he or she enters the phone number to identify the receiver. Both systems require no installation on the supplier’s side. This makes these systems convenient for small retailers, such as those selling local goods at a market booth or, for example, paying for parking or tolls in rural areas.

However, without good Internet coverage, the smartphone will be impotent. While some countries have coverage in all population centers, there may be others with only sporadic coverage. We should expect that this situation will improve. The functionality of the smartphone will in itself generate pressure for better coverage. We will come back to these forms of payments in Chapter 9.

In order to get online updates of accounts, which are important both to give a good overview of transactions and to avoid overdraft, point-of-sale terminals of any type need to be online. This will be most efficient when the terminals are on a broadband computer network. This is becoming the standard today in most modern countries. Telephone lines and coaxial cables are being replaced by fiber-optic cables that offer a significant increase in bandwidth. The advantage for the customer and the store is that digital payments can be performed very quickly, in most cases much faster than cash transactions. As we have seen, high bandwidth also opens the way for new applications, such as those that can compute discounts immediately.

Mobile networks are also moving toward greater bandwidth. Thus, a payment using a smartphone may also be expedient, at least where there is good network coverage.

Transactions that are received from point-of-sale terminals and smartphones must be sent to the correct bank or credit card broker. This is performed by a clearing system. Countries that have a good national system will have a clear advantage in this regard. Then the transaction can be forwarded to any bank or credit card issuer, independent of where it originated. That is, there is no delay in the transaction, even if the customer and store use different banks.

In some countries, such as the United States, an account number is unique only in the bank that created the account. This makes it somewhat more complicated to perform bank-to-bank transactions. The Automated Clearing House in the United States is considered an anachronism by global standards.⁴ In many other countries an account number is unique on a national level, making it unnecessary to add additional information for bank-to-bank transfers. Several countries, such as the Scandinavian, also have a common clearing house for all banks.

As we saw in Chapter 5, early credit cards were used to make an impression on a paper slip. Although they had much in common with checks, an advantage was that the customer did not have to bring a check form, as the retailer had the necessary paper slips. Of course, the cards also offered credit.

The data on the card consisted of the customer’s name and account number and also the expiration date. The amount had to be filled in by hand, the slip had to be signed, and then the transaction had to be verified by calling the credit card issuer. Then the slips had to be transported to the bank and the transactions registered in the various accounts.

All of the data is now formalized, as are the processes. With the high number of transactions, this is a system that is the ideal application for modern computer technology. As we have seen, inexpensive terminals and reliable computer networks enabled this development. The data on the credit card, now with a magnetic stripe or a chip, can be read automatically. The amount can be typed on the terminal or, even better, received directly from the cash register. Verification can be performed online in a transaction between the terminal and a central server, and all the further processes can be performed automatically based on the digital data.

Signatures, which are not easy to incorporate in a digital system, have been replaced by a PIN code. The advantage is that the PIN can be offered using any type of keyboard and the verification is a very simple process. With signatures, special tablets would have had to register the signature and a complex process would have been required to compare this to the signature registered at the bank. In practice, such a process would not work. The alternatives would have been either accepting all signatures that looked somewhat like the original, with the possibility of accepting an illegal signature, or risking that legal signatures were not accepted. If we return to our ideas of formalization, we see that while the PIN code is formalized for an operation such as verification, the signature is only partly so.

In a digital credit card system with online verification, humans can be taken out of the loop. This results in an efficient system that can handle a very high number of transactions, in practice many thousands per second. Transactions can be handled immediately so that, in principle, all accounts can be updated at any time. Digital systems also provide a set of statistical data that will provide valuable information for all stakeholders.

A debit card withdraws the transaction amount from the bank account directly, which means the customer must have the necessary funds available in the account. The advantage for the store is that it gets its money immediately and the transaction fees are much lower than for credit cards.

In some countries the fee on a debit card transaction may be as low as a few cents (see Chapter 14). With broadband terminals and automatic processing, users can take advantage of the speed of modern computer technology. Because there is no credit and usually no other perks, costs are kept to a minimum. In a digital society, the debit card transaction may be the default, with no fees for the customer, while users will have to pay additional fees for the more expensive variants, such as credit cards or cash.

A cash card is a plastic card that can be used in similar ways to debit or credit cards. It can be bought in fixed denominations. The main difference is that it is usually anonymous for the consumer as the card does not represent the owner. There is no connection to any personal banking account, which means the cards can be used by anyone, similar to cash. If a card is lost, the value on the card is also lost, just like cash. However, cash card transactions are not anonymous on the part of the retailer. The amount from the transaction will go into the retailer’s account, similar to payments with debit or credit cards. In this way there will be less possibility of tax evasion on the seller side than if cash had been used.

One advantage of cash cards or any type of stored value cards is that there is no need for any external connection. The value is stored on the card, in many ways similar to cash. These cards are normally used for low-value transactions, such as public transit or phone calls. Some of these cards can hold various currencies. The advantage is that the user gets the exchange rate at the time the card is loaded.

Criminals have seen the advantage of these anonymous cards: they can be bought with cash and offer the same anonymity as cash. Some financial institutions allow customers to transfer large amounts from an account to an anonymous cash or credit card. While it is not impossible to trace the use of these cards, the anonymity makes it much more difficult. There are already examples of criminals using this option to launder money using banks in other countries to perform the transfer.⁵

The anonymity has other drawbacks. When crypto-criminals have hidden all data on a victim’s PC, using a virus that runs a cryptographic algorithm, they may demand ransom money in the form of anonymous money such as cash cards or bit-coin (we shall discuss bitcoin in Chapter 11).

Anonymity for small transactions can be achieved by a “wallet” inside a credit or a debit card, instead of using a separate card. This wallet could be loaded with money from the account and then used as a cash card. The balance would be given at any time, but there would not be any registration of each item used. Cash cards or the “wallet” equivalent can be a way of giving money to children. In many countries, children aged eight or older can receive a debit card on an account, but younger children may get a cash card that can be loaded with limited amounts from the accounts of their parents.

A digital economy must be protected. In some ways this is easier than with cash-based systems. Cards can be protected by chips that make them difficult to copy. Usage can be protected by PIN codes and fingerprint scanners. Online systems where transactions are recorded as they are performed will also make the system more secure (see Chapter 15), and with debit cards and online systems it is not possible to use money that one does not have.

Many modern banking systems use smartphones for additional authentication and increased security. With both phone and PCs we get what is called a two-pass system. For example, a customer may be in the process of paying on a website. She has typed in the credit card number, the month of expiration, and her three-digit credit card verification code (CVC). The next step will be handled by the credit card issuer. A message with a keyword (the same one offered on the website) will be sent to her phone. After she has confirmed that the two keywords are identical, she will be asked to type in the PIN. That is, in order to perform the transaction, she needs her credit card details and access to both the smartphone and the PIN.

By hacking consumers’ PCs and smartphones, criminals have been able to break security systems as complex as these. In fact, it is worryingly easy to fake emails or hack a PC. We still use the SMTP email protocol—the simple mail transfer protocol in which it is quite easy to fake the sender’s address. While the text of a link in an email may appear plausible, the actual link may send the user to a very different address. Also, many users are tricked into opening dangerous attachments.⁶

When even large companies, such as Yahoo and the credit-monitoring firm Equifax,⁷ are vulnerable to hacking and virus attacks, one may wonder whether it is really possible to make a secure computer system. The complexity, many layers of code, and large number of code lines make this difficult. The main problem is that we want these systems to be accessible over the Internet. If such access were not required, we could put the computer in a locked room with no external lines and no wireless. However, we would then not be able to perform many of our daily operations—no email, no Facebook, no Google.

As was the case with cars, security for computers was something of an afterthought. The first cars went on the roads at the end of the nineteenth century. It took seventy years before car manufacturers and authorities took the problem of safety seriously. Similar to the development of cars, the idea for computer and software manufacturers has been to implement more functions rather than allocate resources to security. However, after some spectacular attacks, where personal information from millions of users has been stolen, and some smaller-scale attacks where private individuals and small companies have had all their data made inaccessible, the problem is now being taken seriously.

This book discusses payment systems. Payment always involves money or its corollaries and money has always been under attack from criminals, from armed bank robbers to muggers and counterfeiters. Digital payment systems will also be under attack. In February 2016, hackers tried to steal 951 million US dollars from Bangladesh Bank and managed to get away with more than 60 million dollars. An important final step in all computer fraud is to convert the funds into anonymous cash at one point or another. Without the cash option, criminal activities like these would be more difficult or at least easier to investigate after the crime.

While the incentive for attacking a bank or a payment system is clear, criminals also attack personal PCs and the computer systems of organizations. A common form of attack is getting users to open an attachment with malware. When executed, this may run a cryptographic algorithm on all data that is accessible to the virus program, including data on the main disks, disks that are connected to the PC, or disks that are accessible over the local network. The criminals will then ask for payment in order to provide the victim with the key they need to decrypt the data. Payment may be demanded as anonymous cash cards, but today asking for payment in a currency such as bitcoin is common. The best remedy against this form of attack is to have updated systems and offline backup, and to offer clear warnings to users to be careful when opening attachments.

However, many of these emails look genuine. They are the bait in this “phishing” attack, where the idea is to get confidential information such as user names and passwords, or to lure the user into performing transactions that benefit the criminals. This is often achieved by directing the user to fake websites that look and feel genuine.

The email notifying you of the agenda for an upcoming meeting may have an attachment. If the criminals are smart, and use time to prepare an attack on your company, there may be little difference between a genuine email and a fake.

Of course, most of these fake emails are mass-produced and sent to millions of email addresses with the hope that some will open the attachment. A common strategy is to make these phishing emails look genuine; for example, as a note on a parcel delivery from Amazon, or asking to reactivate or confirm a PayPal account, hoping that the receiver is expecting such an email. Another strategy is to offer phishing messages that most users will detect immediately as a fake, such as “click here to receive your $1000 bonus.” The idea may then be to reach those willing to follow up, in the end to pay the $100 transaction fee that is required to clear the bonus.

It is a pathetic commentary on our computer professionals that email systems fail to protect users from such simple-minded attacks. For example, if there is a difference between the displayed link and the actual link, color coding could be used as a warning. Similarly, dangerous attachments such as zip files could be displayed in red. Further, any attachment that looks suspect should be opened in a secure “sandbox”—that is, in a program that displays the contents without invoking any code. Many “ordinary” people, including elderly people, are now amateur computer users and need to be protected.

Digital payment systems can go down. Terminals may stop functioning and may lose access to the network. Problems in a power grid will have dramatic effects. Without power, many other functions will be unavailable.

A modern society is dependent on a robust and stable power supply. The only way to achieve this is to build redundancy into the system—that is, several power stations and several transmission lines. If one fails, there should be another for backup. It is problematic if many power networks are at full capacity and the business model in many countries does not encourage companies to invest in redundancy or a high level of maintenance. Therefore, there is little room for handling unexpected situations. The remedy is to invest more, but this probably needs government interference as the power companies may not be willing to pay extra for redundancy.

New battery technology may offer an excellent local power backup, since this can operate independent of other systems. Again, however, the technology is expensive and companies may not be willing to prioritize this.

Similar issues are apparent with computer networks and payment systems. They can also be made more robust by redundancy. Security can be achieved by having complete backup systems. While this may be an expensive solution, backup can often be established by agreements between the competitors in a market. For example, if one operator has problems with its mobile network, customers may be allowed to use the competitor’s networks, perhaps with a limit on the data and telephone usage to avoid congestion.

As with the power networks, the operators cannot be expected to be willing to accept the costs of good backup systems. One possibility is that the authorities fine companies for disruption in their service. With heavy fines, the companies may find it more economical to invest in reciprocal agreements with competitors or install backup systems.

In the transition from one technology to another, we often find hybrid systems that simplify the transition. Fax machines are a good example. These were widely used 30 years ago and were based on a sheet of paper. Then the only requirement was that both parties had a fax machine connected to the telephone network. While the quality would be poor and the transmission fairly slow, an advantage was that the method relied on the paper standard. Anything that was on a sheet of paper could be transmitted: printed or handwritten text, diagrams, drawings, pictures, and so on. As long as a document could be printed, it did not matter what kind of word processor, if at all, was used.

While the fax machine was a godsend in the early 1980s, it has fallen out of use in most places today. By sending documents as attachments to emails, or submitting them to websites, material can be transmitted immediately in high-quality form. This option requires that the relevant standards are in place and that the receiver has the software to read the documents in the right format, such as a PDF or a Microsoft Word file. There is no longer a need for fax machines in most settings; this was an intermediate system, a link in the evolution from letters to digital transmissions.

The fax machine can be compared to another intermediate machine in the automatic teller machine (ATM). ATMs are useful when cash is the norm and where retailers are still cash-based. That is, the ATM is a connection from the digital back to cash. Some advanced ATMs are also able to receive cash. However, once every store starts accepting cards, the ATM will lose its purpose. It seems foolish to move cash from the ATM to the store when the card can just as easily be used in the store. The only need for cash will then be person-to-person transactions, but as we shall see, several new digital systems are also offered to handle these operations.

Therefore, ATMs are disappearing in countries with a digital economy. It was an intermediate technology that is being replaced by further advances in digital payment systems. Also, ATMs are expensive to run and maintain. Quite sophisticated mechanics are required in order to offer the right amount of bills. The machine needs to be loaded regularly, and all procedures need to be foolproof, since money is involved. There is also a need for protection, both to protect the customer’s card from criminals who try to capture the information on the card by installing readers on top of the card slot in the machines, and the ATM itself. There have been several spectacular attacks on ATMs where the criminals have used explosives or heavy equipment to get at the cash. We shall study the decline of the ATM in Chapter 14, where we present the case of a country that has moved far in the direction of a digital economy.

There has been an interesting development in many African countries, which may lack a good banking infrastructure but have a good infrastructure for mobile networking. This is used for deposits, withdrawals, transfers, and for payment of goods, all the functions that we require of a banking system. An example is M-Pesa, a mobile phone-based money transfer system in which customers can deposit and withdraw cash from a network of agents, often the shops that sell airtime. Here the shops perform the same function as an advanced ATM, both supplying and receiving cash. Amounts are transferred to other persons,; also sellers of goods, by using a menu on the phone. In Kenya, M-Pesa is used by more than 17 million Kenyans, two-thirds of the adult population.⁸

The system has been extended to offer loans and saving accounts. Salaries can also conveniently be paid through M-Pesa. Offering a good and inexpensive payment and “bank system” to a developing country where the traditional banking systems were missing seems to have positive side effects. More money is now run through the open economy, and start-ups now have a base on which to build their business.

Something similar is happening in Myanmar, where fewer than one in ten people have a bank account, but close to 90 percent have a mobile phone; many people in that country use Wave Money, a service that processes 100,000 transactions a month.⁹

In this chapter I have presented the infrastructure for digital payments. In most developed countries this is already in place, augmented by the fact that smartphones also may be used for making payments. This implies that one can perform a digital payment at any place, perhaps as long as there is a network connection. A smartphone also provides backup—for example, if the terminal at a store does not accept your credit card. It seems that the phone also will be the basis for a digital economy in developing countries.

¹ Radio-frequency identification (RFID). Cards with an RFID chip can be read just by holding the card close to the reader.

² Near-field communication (NFC). A set of communication protocols using radio transmission between two devices, such as a point-of-sale terminal and a smartphone.

³ Bluetooth is a wireless technology for exchanging data over short distances.

⁴ Rogoff, Kennet (2016) Curse of cash, Princeton University Press.

⁵ Nasjonalt Tverretatlig Analyse- og Etterretningssenter (NTAES), Nyere Betalingstjenester, 2017 (in Norwegian).

⁶ Even some banks have not understood how vulnerable email is. I have received emails from banks with a “log-in here” link. This is highly vulnerable as it enables others to copy the email, change the link and the send it as spam, hoping to cheat some customers. Banks should always ask customers to use the standard means of accessing their web systems, by typing the URL, searching on Google, or by inserting a shortcut icon.

⁷ Learning the lessons of Equihack, The Economist, September 16, 2017.

⁸ The Economist, May 2, 2015.

⁹ The Economist, October 14, 2017.

Chapter 8 Infrastructure for Digital Payments