Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2018
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version 2.0 of 15 February 1996
© Xamax Consultancy Pty Ltd, 1997
Chapter from Clarke R. 'Chip-Based Payment Schemes: Stored-Value Cards and Beyond' Xamax Consultancy Pty Ltd, Canberra, September 1996
This document is at http://www.rogerclarke.com/EC/Mondex.html
Mondex is a technically mature implementation of the value-card concept. It is in large-scale trial in the United Kingdom, and trials have commenced or are in preparation in several other countries. It is promoted as a cash-like replacement for cash transactions. Mondex chip-cards are issued by financial institutions, value is downloaded from linked accounts, and transactions are undertaken at terminals which are (mostly) off-line. Mondex cards can be accepted by all kinds of merchants, at self-serve devices in such locations as car-parks, and in telephones. The scheme supports transfers not only between consumers and merchants, but also directly between consumers.
The security features of the scheme appear to be quite sufficient for it to be viable. The commercial risks appear to be contained, particularly from the perspective of the card-issuer. Many of the primary consumer concerns appear to have been addressed, but a number of aspects remain unclear.
A limited transaction trail is maintained on each card, and on each terminal. This carries the identity of the card, and, depending on the particular implementation, a short, confirmatory identifier for the card-holder. In principle, only the card-issuer is aware of the relationship between the card identifier and the account-holder. The scheme is not 'anonymous', as some of the early promotional material suggested, and as the advertising slogan 'Mondex is Cash' implies. It is technically 'pseudonymous', and it generates a significantly more intensive transaction trail than cash. The substantive privacy-invasiveness of the basic scheme does not appear to be great; but the potential effects are substantial. At least from an Australian perspective, Mondex's privacy strategy has not been well-articulated, and this may result in some difficulties in the scheme gaining acceptance in Australia.
Motivation for, and Structure of, this Report
The Scheme's Functions and Devices
Commercial Interests of the Participants
The Interests of Non-Participants
Personal Data in the Mondex Scheme
The Consumer Privacy Interest
Mondex's Approach to Privacy
This document provides an overview of the Mondex value-card product, and in particular of the version on trial in Swindon in the United Kingdom since mid-1995. The document's purpose is to provide sufficient detail about the scheme that analysis can be undertaken, but in a fairly compressed and readily digestible form.
The sources used in compiling the document included Mondex's own printed materials and web-pages; detailed discussions with three of Mondex's staff between November 1995 and January 1996; a visit to the Mondex shop-front in Swindon; and an inspection of half a dozen retail sites in the main street of Swindon on 5 December 1995. No access has been sought or provided to commercial-in-confidence documents, and no independent interviews have been conducted with any retailers or users.
I acknowledge the willing assistance of Mondex staff, especially Robert Caplehorn, Caroline Hadshar and Garry Ireland. Efforts have been made to keep errors of fact and contentious interpretations to a minimum. In particular, the first version of this document was reviewed by Mondex staff, resulting in a number of clarifications. Evaluative comments are those of Xamax alone.
The purpose of the Mondex scheme is to provide a chip-card based payment mechanism that is sufficiently inexpensive that it can be used for very small purchases and hence function as a substitute for cash. It has been promoted using the slogan "Mondex is cash"; and marketed as being "electronic cash on a card", "developed to truly replicate the core features of cash and to be a real alternative to traditional notes and coins", and able to be used "in the same way as cash, but with some key benefits over traditional cash".
The savings in cash-handling costs are intended to attract retailers, and the convenience is intended to attract consumers. As a result, card-issuers are to make savings in transaction costs, and may also be able to generate revenue. In addition, it is possible that the scheme may support medium- and even high-value payments.
The company Mondex International (MI) functions as developer, owner and marketer of intellectual property, and franchiser of rights to use the technology. It is owned by two of the U.K.'s largest banks, the NatWest and the Midland, but early franchisees are also to be investors in MI, which will result in a gradual dilution of the proportion held by the original shareholders. Franchises are being sold on a regional basis. Sales to date cover the United Kingdom (taken up by the NatWest and Midland), 12 East Asian countries (owned by the Hong Kong and Shanghai Banking Corporation - HSBC), and Canada.
The Mondex value-card scheme comprises:
The cards are only to be available to consumers from card-issuers, and each Mondex card is associated with a particular account with a financial institution. Mondex International states that card-issuance is restricted to banks, at least at this stage.
The devices are manufactured by a variety of companies, including Dai Nippon Printing Co. Ltd/SPOM Japan Co. Ltd, De La Rue Fortronic, General Information Systems Ltd, Hitachi, NCR, Oki and Panasonic/Matsushita. The marketing channels for the devices are to include not only card-issuers but also, at least in the case of wallets (described later), appliance stores.
Mondex was initiated by NatWest in 1990. The Midland Bank joined as an investment partner in 1993. Since 1992, the scheme has been in live test within one of NatWest's major computer centres, Goodman's Fields in London. About 6,000 NatWest staff use 3 ATMs and 12 points of sale in the centre's restaurants, coffee bars and shop, and have conducted over a million transactions.
A field trial was commenced in July 1995 in Swindon, in the Thames Valley 100 km west of London. The city and suburbs involved in the project have an economically-active population in the range 150-200,000, and demographics which replicate those of the U.K. as a whole. After the first three months, there were 700 participating merchants, 8,000 cards and cumulative turnover of a quarter of a million pounds. A small employee pilot was commenced by a U.S. bank, Wells Fargo, in July 1995, and another large-scale trial was announced in November 1995 to be conducted in Guelph, Ontario commencing in 3Q 1996.
During the last decade, a succession of pilot schemes have established the technical feasibility of value-card schemes (see, for example, Clarke 1993 on the Swiss PTT scheme in Biel/Bienne). Whether such schemes are commercially viable, however, depends on acceptance and adoption by card-issuers, merchants and consumers; and avoidance of proscription or life-threatening measures by regulatory authorities. One of the most significant risk factors affecting adoption is privacy, and this assessment accordingly places considerable weight on that aspect of the Mondex scheme.
This Report commences with an outline of the various components of the Mondex scheme, and then describes the process whereby value is transferred. This is followed by assessments of the role that personal data plays in the scheme, and of its security features. The interests are then examined of both the scheme's participants and of other parties, with particular attention paid to privacy aspects. Brief observations are offered about possible future developments. A summary is provided.
All Mondex value-transfer occurs between Mondex chips. At this stage at least, the chip is custom-built, and sole-sourced from Hitachi. It is anticipated that there will be successive generations of chips, and a more advanced chip is to be used for the national roll-out subsequent to the Swindon trial. The chip is installed into a couple of specially-designed and -manufactured devices, and on Mondex cards.
The Mondex card is a chip-card, sometimes called a 'smart card'. It is a normal 'credit-card'-sized plastic card with a small microcomputer chip embedded in it, compliant with the international standard ISO 7816. The Mondex card also carries a magnetic stripe, but this is to provide a migration path from existing to future technology, and plays no role in the Mondex value-transfer scheme. The card bears the Mondex logo, and the visual design is expressly intended to convey the image of English bank-notes.
At this early stage, the Mondex card is a single-purpose card, supporting the value-card application only; and the card is linked with an associated account. There is no theoretical limit to the maximum-value that could be set for Mondex cards, but Mondex International have stated that it was likely to be set at the same level as the largest cash-withdrawal permitted from an ATM (currently £500 in the U.K. and $500 in Australia). Future releases are to support multiple currencies; and may support additional functions such as credit-card, debit-card, identity-card or health data.
By late 1995, about 8,000 Mondex cards had been issued in Swindon, and this was approaching 10,000 by year-end.
Value can be transferred from one card to another using the following devices:
Value can be down-loaded from the account linked to the card. The devices at which this can be performed are:
The devices which support download from the card-holder's account also support upload from a Mondex card to the linked account.
It is also possible to transfer value between any pair of cards, whether they are used by a retailer or a consumer, using:
Card-holders can view the balances on their cards in several ways:
The latest 10 transactions are recorded on the card, and can be displayed:
The card-holder can 'lock' their card with a single keystroke, disabling any transfer of value from the card as well as display of the last 10 transactions. In order to 'unlock' the card, a Personal Code Number (PCN) must be keyed.
Locking can be performed using a wallet or a telephone, both public and private, but not a retailer terminal or a balance-reader. The PCN can only be changed using a wallet or a private Mondex telephone; it cannot be changed at any other device, not even a public Mondex phone.
Cards are linked to a card-holder's account with a participating financial institution. The card-holder initiates a withdrawal of value from their account, and onto the card. This can be done through devices provided by the bank concerned (ATMs) or BT telephones; it cannot be done through retailers' terminals. The transaction requires not only the presentation of the Mondex card, but also the keying of the PCN.
Value-transfer is undertaken between two Mondex chips. In the most common case of use at a staffed sales point, the cashier:
At present, cashiers at most sites have to double-key the amount, once into the electronic cash register (ECR) and once into the Mondex retailer's terminal; and hence transactions commonly produce two receipts. The Sainsbury's supermarket chain has already integrated the retailer's terminal with their existing ECRs, enabling single entry into the ECR, and providing a single receipt from the ECR showing the word 'Mondex' in the payment-type (where 'Cash' or 'Credit Card' would otherwise appear).
There are several different configurations within which two Mondex chips may conduct a transaction:
An additional configuration is planned but not yet implemented: payment over public data networks such as the Internet and perhaps cable TV. This would require both the payer and the payee to have Mondex terminals attached to their PCs/TVs.
The card-holder can at any time initiate a transfer from the card back to the account. This can be done at a Mondex ATM or Mondex phone, public or private. Value from a card cannot be transferred to any bank account other than that with which the card is associated.
It appears that little information is publicly available concerning the scheme's security features. This section is accordingly based on an analysis of security risks, supplemented by a moderate amount of surmise.
The scheme is subject to a range of technical risks, including:
Accidental losses may occur where a valid Mondex chip contains, or has downloaded to it, software which malfunctions under some circumstance or circumstances. This is largely a question of validation of the design and its implementation, and quality control in its modification.
Fraudulent losses may occur where a valid Mondex chip contains, or has downloaded to it, software which has been manipulated to function in some manner other than that intended by the designers. The software embedded in a chip is, however, generally regarded as being incapable of subsequent manipulation, and, if the proper procedures are used, incapable of being examined or copied. It therefore appears that this risk can be largely addressed through conventional organisational controls supplemented by straightforward technical controls relating to copies of the software.
Fraud could also be perpetrated through the use of a bogus chip. This requires that the perpetrator know enough about the internal design that a design can be produced whose behaviour (and especially external behaviour) is sufficiently similar to that of a real Mondex chip in the same circumstances. This might be achieved through access to a copy of the official design, e.g. by acquisition of a hard-copy, magnetic, optical, or electronic copy, or dependence on the memory of someone who is privy to the entire design or at least critical portions of it.
Alternatively, it may be possible to 'reverse-engineer' the design, by examining the responses a valid card provides to a set of stimuli. This would only reveal sufficient about its internal functions if the behaviour were non-variant, or varied in a manner whose pattern could be detected from a practicably small set of tests.
The material provided at the shop-front in Swindon is silent about the security techniques used. The web-pages, however, offer information in two locations, which have been interwoven below:
"IC cards offer a high level of protection against software attack and protection against physical attack or re-engineering. They also offer scope for considerable enhancement as technology advances.
"Each time a Mondex card is used, the chip on the card generates a unique 'digital signature', which can be recognised by the other Mondex card involved in the transaction. This 'digital signature' is the guarantee that the cards involved are genuine Mondex cards and that transaction data is unmodified. This recognition process also identifies the card for which the cash is intended - so funds cannot be intercepted by a third party.
"The security will be frequently changed so that fraudsters or hackers intending to target Mondex will find a fast-moving zig-zagging target that will make their efforts to break it unrewarding. By continually changing and increasing the complexity of the development program, Mondex is designed to stay ahead of increasingly sophisticated criminals. The complexity of this security is so great that we believe it will not be economically viable for even highly organised crime to break it".
In fact the Swindon trial is using a symmetric encryption scheme, in which both chips use the same secret key for encryption and decryption. By the time of rollout of the nationwide scheme, inherently more secure asymmetric encryption techniques will be used. Two technical risks are the possibility that the key-length may be sufficiently short that it can be 'cracked' by brute-force methods; and the feasibility of an intercepted code being re-used ('replayed') by bogus cards in order to give the impression of 'real' Mondex value being transferred.
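As an added illustration (not Mondex's own protocol, whose details the report notes are not public), the following Python models a symmetric-key value transfer between two chips in which a MAC stands in for the 'digital signature', and shows how the replay risk in the preceding paragraph plays out with and without a hypothetical per-transaction challenge nonce and per-payer counter. The key, card identifiers and amounts are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed shared secret standing in for the single symmetric key that the
# report says both chips hold in the Swindon trial; not a real Mondex key.
SHARED_KEY = b"constructed-demo-key-not-a-real-mondex-key"
LOG_DEPTH = 10  # the report says the latest 10 transactions are kept on the card


@dataclass
class Card:
    pid: str                                   # card identifier (the report's "PID")
    balance: int                               # stored value, in pence
    counter: int = 0                           # monotonic count of outgoing transfers
    seen: dict = field(default_factory=dict)   # payer pid -> highest counter accepted
    challenge: Optional[str] = None            # outstanding nonce issued to a payer
    log: list = field(default_factory=list)    # last LOG_DEPTH transactions


def _mac(body: dict) -> str:
    """Symmetric 'digital signature' over a canonical encoding of the message."""
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, canon, hashlib.sha256).hexdigest()


def issue_challenge(payee: Card) -> str:
    """Payee step (hypothetical): a fresh nonce the payer must bind into its message."""
    payee.challenge = secrets.token_hex(8)
    return payee.challenge


def make_transfer(payer: Card, payee_pid: str, amount: int,
                  nonce: Optional[str] = None) -> dict:
    """Payer step: debit the card and emit a MAC-protected value message.
    nonce=None models a design with no per-transaction challenge."""
    if amount <= 0 or amount > payer.balance:
        raise ValueError("insufficient value on card")
    payer.counter += 1
    payer.balance -= amount
    body = {"from": payer.pid, "to": payee_pid, "amount": amount,
            "ctr": payer.counter, "nonce": nonce}
    payer.log = (payer.log + [("out", payee_pid, amount)])[-LOG_DEPTH:]
    return {"body": body, "mac": _mac(body)}


def accept_transfer(payee: Card, msg: dict, check_freshness: bool = True) -> bool:
    """Payee step: verify the MAC and the intended recipient, then (if enabled)
    reject anything not bound to our challenge or already counted, then credit."""
    body, mac = msg["body"], msg["mac"]
    if not hmac.compare_digest(mac, _mac(body)):
        return False                      # forged or modified message
    if body["to"] != payee.pid:
        return False                      # value intended for another card
    if check_freshness:
        if body["nonce"] is None or body["nonce"] != payee.challenge:
            return False                  # not bound to an outstanding challenge
        if body["ctr"] <= payee.seen.get(body["from"], 0):
            return False                  # this payer's counter was already used
        payee.challenge = None            # nonce is single-use
        payee.seen[body["from"]] = body["ctr"]
    payee.balance += body["amount"]
    payee.log = (payee.log + [("in", body["from"], body["amount"])])[-LOG_DEPTH:]
    return True


def demo() -> dict:
    """One honest 2.50 payment, then the same captured message re-sent, under
    both designs.  Returns the accept results and the resulting balances."""
    # Hardened design: the replay fails because the nonce has been consumed.
    consumer, retailer = Card("C-0001", 5000), Card("R-0001", 0)
    msg = make_transfer(consumer, retailer.pid, 250, issue_challenge(retailer))
    hardened = (accept_transfer(retailer, msg), accept_transfer(retailer, msg))
    hardened_balances = (consumer.balance, retailer.balance)

    # Weak design (the report's concern): a valid MAC alone is accepted twice,
    # so the replay credits 2.50 that was never debited from any card.
    consumer2, retailer2 = Card("C-0002", 5000), Card("R-0002", 0)
    msg2 = make_transfer(consumer2, retailer2.pid, 250)
    weak = (accept_transfer(retailer2, msg2, check_freshness=False),
            accept_transfer(retailer2, msg2, check_freshness=False))
    weak_balances = (consumer2.balance, retailer2.balance)
    return {"hardened": hardened, "hardened_balances": hardened_balances,
            "weak": weak, "weak_balances": weak_balances}


if __name__ == "__main__":
    print(demo())
```

The freshness checks address replay only; a key short enough to brute-force would still let a bogus chip compute valid MACs, which is why the report treats key-length as a separate risk.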
Which participants are subject to each of the various risk-exposures is discussed in the following sections.
It does not appear that the terms of contract among Mondex, device-suppliers and card-issuers are publicly available. The terms applying between card-issuers and retailers probably are available, but have not been acquired or analysed as part of this project. The Conditions applying to cardholders are available, however, and have been considered. The apportionment of risk outlined in this section is therefore a mix of information and guesswork.
The fiduciary duties of the directors of the companies which participate in a Mondex scheme require that they take reasonable care to assess and manage risk. It is to be expected that the participants in the Swindon trial have done so. It is also to be expected that the central bank of an economy in which the scheme is implemented would conduct such an assessment. Finally, it is to be expected that competitors and potential collaborators and licensees will also have conducted analyses, including monitoring of the data traffic between Mondex cards. It does not appear that the reports arising from any such analyses are publicly available.
Individual consumers are unlikely to undertake risk assessments in the way that companies are expected to. They are also unlikely to behave with the same degree of planned and self-interested consistency expected from companies. It is not known whether any consumer advocacy body, whether governmental or independent, has performed an assessment on behalf of consumers.
The use of Mondex cards seems likely to replace large numbers of relatively low-value, primarily cash transactions. Cash-handling is expensive for financial institutions, and for some other potential card-issuers such as telephone companies; and hence considerable cost-savings may be possible.
Secondarily, Mondex card transactions may replace cheques (particularly in countries such as the U.K., where a large number of retail transactions are conducted using cheques supported by cheque-guarantee cards). These are also expensive, and cause considerable delays at the point of sale; and hence this displacement would also be welcomed by card-issuers, because it will make their cards more attractive to merchants and consumers alike. Mondex card transactions are likely to be cheaper than debit-card transactions (which involve on-line communications with the card-issuer or its agent), and certainly cheaper than credit-card transactions (which involve substantial data-handling and insurance costs). Any displacement of these that occurs would also be likely to be very welcome.
By offering Mondex cards, card-issuers provide an additional service to their clients. If consumers value that service, or some aspects of it, Mondex card-issuers may accordingly keep a larger proportion of their existing customers, and gain a proportion of customers from competitors who do not offer the same or an equivalent service. If such an advantage eventuates, it may be sustainable for a modest period of time, until the same, an equivalent, or an alternative scheme is implemented by the late adopters. By that time, Mondex card-issuers may have made significant gains in market share at the expense of their direct competitors.
Finally, if consumers perceive the Mondex scheme to offer them significant benefits, card-issuers may be able to charge fees for their customers' use of it, and gain revenue as a result.
The card-issuers appear to have limited their commercial risk-exposure to about the same level as that they face with current payment schemes (Cardholder Conditions 1.4(ii) and 2.1-2.7).
From the retailer's viewpoint, the transaction is almost as quick and as simple as receiving the correct amount of cash. It is quicker, simpler and less error-prone than receiving a larger amount of cash and calculating and counting out change. It is considerably quicker, simpler and less error-prone than cheques supported by cheque-guarantee cards, manual credit-card transactions, pseudo-on-line credit-card transactions, and on-line debit-card transactions.
Additional effects of the Mondex scheme are:
In order to offer Mondex payments, retailers must acquire a modest amount of equipment, and integrate it into their point-of-sales operations. They run the risk that insufficient consumers may use the scheme to make it worth the investment. There is also the possibility that inadequacies in the scheme's design may reflect badly on the retailer, e.g. the inability to download value from the customer's bank account at the point of sale. In the unlikely event that other forms of payment were not carried by the retailer's customers, there would be the risk that some transactions could not be consummated, because of the lack of an acceptable means of payment.
The retailer must trust that the amount displayed on the terminal's screen has actually been credited to the value on the retailer's Mondex card, and must train their staff to check the amount visually. This would appear to be under the control of the Mondex chip in the retailer's card, and hence the risk of a programming error and fraud by Mondex may be borne by the retailer.
Depending on the terms of their contracts with their card-issuer, retailers may also run the risk that value-transfers onto the retailer's Mondex card, which were processed in good faith, may not be honoured by their bank. There is the risk of the retailer's Mondex card being lost, or the functionality damaged beyond repair and recognition, e.g. by an accident such as standing on it, or an electrical malfunction in the terminal. It appears likely that the onus would be on the retailer to prove the value that is contained in a damaged or lost card. This may or may not be feasible, depending on the internal design and data-capacity of the retailer terminals, including the nature of the medium in which the transaction trail is stored.
A risk exists that cashiers may issue unauthorised credits. To counter this risk, Mondex retailer terminals are configured such that they can be set to 'receive-only'. In this mode, Mondex value cannot be paid out of the chip in the terminal without a code being entered, presumably by a supervisor.
From the consumer's viewpoint, purchasing transactions are simplified, because the same item has to be handed over on each occasion a purchase is made; no search for appropriate denominations of notes and coins is necessary.
The consumer needs to invest some concentration at the point of sale, to ensure that the total appearing on the customer-viewable display is accurate (in the case of simple purchases), or credible (in the case of multiple-item purchases). In addition, trust is needed, that the amount debited to the card is the same as that displayed. This is much the same as with purchases using any other form of value except cash (where the consumer retains control through choice of the notes and coins tendered, and the ability to count the change). As an adjunct to the development and maintenance of that trust, readers are being provided capable of displaying the balance and the last ten transactions. These are of some consequence, but they do not add up to a particularly substantial protection.
The card may be locked by the consumer. This denies the benefit of the outstanding value to any would-be thief, but it does not prevent the consumer's loss of that value. Hence the disincentive to the thief is merely the possibility that the victim may have locked the card, and since the majority of card-holders are likely, for reasons of apathy and forgetfulness, to leave their cards unlocked most of the time, thieves are hardly likely to be dissuaded from practising their trade. Unlike cash, Mondex cards will be capable of being returned by an honest finder, via the card-issuer. The incidence of this occurring may, however, be less than dramatic.
The locking of a card creates inconvenience and an additional risk-exposure. The inconvenience arises from having to find a device at which it can be unlocked (most conveniently, but expensively, using one's own wallet; or at a public balance-reader or public payphone). The risk is that the PCN has to be keyed in order to unlock the card, and the act of keying is most probably done in public, increasing the risk of observation of the PCN by a potential thief of the card. This risk is likely to be largely borne by the consumer.
There is the risk of the consumer's Mondex card being lost, or the functionality damaged beyond repair and recognition, e.g. by an accident such as standing on it, or an electrical malfunction in a terminal. The onus appears to be on the consumer to prove the value that is contained in a damaged or lost card (Conditions 1.4(ii) and 2.1-2.7). If the card is lost or unreadable, there appears to be no other record, and the value would be foregone (unless the card-issuer is prepared to accept and credit the card-holder's account for such amount as the card-holder is prepared to estimate in an affidavit).
A possible exception would exist if the card-issuer were to download all data from all merchant Mondex-cards, and maintain a complete record of all transactions against a given card identifier (PID), enabling re-construction of the balance that should have been remaining on the missing card. However there are at least three leakages of transaction information:
Because this is a systematic rather than a random risk, it appears unlikely that the card-issuer would be prepared to accept it.
This analysis is in conflict with a section of text appearing on Mondex's web-pages, which states that "If the damage is so severe that it is impossible to read the balance left on the card the cardholder can claim the value back from the issuing bank". Given that this sentence is internally inconsistent, and that express conditions are likely to be read as over-riding vague marketing 'hype', it may be advisable to assume that the risk of damage beyond repair is in fact borne by the card-holder.
On the other hand, Mondex International stated during discussions that limits on card-holder liability would be set consistently with the banking law or code of banking practice or equivalent in each jurisdiction in which the Mondex card is issued or used, and hence the card-issuer would be expected to generally accept the card-holder's story.
The value that is foregone with a lost or irretrievably damaged card may be limited by downloading relatively small amounts; but this is at the inconvenience of running out of value earlier, and having to go more often to the relatively few devices capable of downloading value from the account.
A further risk is that a lost or stolen card may be used not only for the value stored on it, but also as a means of downloading additional value onto the card. Downloading is a PCN-protected transaction, but PCNs may be captured in several ways, including discovery of the PCN written on the card, or elsewhere in materials stolen or observed during the robbery; and observation of the consumer's use of the PCN at any device requiring its use, including ATMs, public and private phones, wallets, and balance-readers.
The manner of apportionment of this risk depends on the law and practice in each jurisdiction. In the United Kingdom (as in Australia), the risk of an unauthorised withdrawal would be initially carried by the card-holder. Once the loss of the card had been notified to the card-issuer, the liability might thereafter be limited (in the U.K. to £50, and in Australia to $50); if, however, the financial institution deemed the loss or withdrawal to have resulted from fraud or gross negligence, it would be free to force the whole of the risk onto the card-holder.
Other organisations and individuals which are not direct participants may have interests in aspects of the scheme. These are discussed in this section.
In the event that a valid card is manipulated to create value, or a bogus card is devised whose value-content has all the appearance of the value-content of a valid one, it is not entirely clear who runs the risk.
If the forged electronic cash were genuinely undetectable (which depends on the security features of the scheme, which do not appear to be publicly available), then it may be that no participant is at risk - the originator gains money by minting currency, and the currency is subject to implicit deflation because of the unauthorised and undetected increase in the money supply.
Central banks and other agencies with responsibilities for macro-economic management have a considerable interest in this aspect. Design features to address this concern may have a negative impact on other interests, including privacy.
Another class of organisations with interests in this area is law enforcement agencies. They are concerned about the control of existing ways of 'washing' or 'laundering' the proceeds of crime, and about the emergence of new ways. They want all transactions, or at least all transactions of significant value, to be identified as to payer and payee, and hence traceable. Anonymous payment mechanisms are therefore likely to excite their opposition, and pseudonymous schemes are likely to be viewed with less enthusiasm than identified ones.
Taxation agencies have reason to be concerned about the collectability of revenue on behalf of the government. Revenue arising from the flow of value through accounts held with financial institutions has been increasingly important to many governments in recent years.
It is possible that the Mondex scheme's effects on these flows may be neutral. On the other hand, retailers may be successful in conducting an increasing proportion of their business, both inflows and outflows, using Mondex cards. To the extent that they were to net the effect of the two, the apparent cash flow through their accounts would be reduced, and with it government revenues. Retailers do precisely this now with cash transactions, but the scope for doing so might be increased by the Mondex scheme.
Previous sections have considered commercial and other aspects of the scheme. The crucial issue of privacy remains, and is addressed by this and the following two sections.
Mondex cards are designed to be associated with an account. Card-issuers require some amount of information about the account- and card-holders, in order to protect their own commercial interests, and in some jurisdictions perhaps also in order to comply with domestic law. There appears to be only a limited amount of additional personal data which may be needed by card-issuers in order to support a Mondex card (in particular, a list of the PIDs of the cards which are associated with each account). Some card-issuers may choose to seek additional data, e.g. for market research or marketing purposes.
Because the value is transferred reliably and securely at the point of sale, there is no apparent reason why retailers should seek additional information from customers. Indeed, there may be a medium-term impact whereby fewer consumers keep accounts with retailers, and hence there could be an actual decrease in the data kept by retailers about their customers. This, of course, runs counter to the current tendency for more intense retailer-customer 'loyalty' relationships, and any such effect may therefore be swamped.
There is no apparent reason why Mondex itself would have any relationship with a Mondex card-holder. The only circumstance in which it handles personal data is for audit / risk management purposes.
Data is collected by the card-issuer in relation to the download of value onto the card, which is of course also a withdrawal from the associated account. Similarly, data about each upload/deposit is recorded. This is essentially the same as conventional withdrawals and deposits.
The impacts of the scheme on the frequency and scale of withdrawals, and hence the intensity of the transaction trail, are difficult to predict. To the extent that Mondex card-payment replaces identified cheques, credit-card vouchers and on-line debit transactions with pseudonymous Mondex cash, it would reduce the data intensity of the audit trail. On the other hand, frequent small-value downloads to the card could increase the intensity of the trail.
No data is gathered by retailers, because, at least at this stage, there are no value-download or value-upload facilities available at retailer premises, or which otherwise involve retailers. Telephone companies generally, and British Telecom in particular, may however be a special case, because they may in principle be able to accumulate into a database information about value-download and value-upload transactions conducted at public and private telephones.
In general, data is not gathered by Mondex itself, because its business is the provision of licences to use the technology, and it is not involved in the operational aspects of the Mondex scheme. An exception arises in respect of the audit / risk management function, which involves transfer of samples of transaction data.
Value-transfer transactions occur between Mondex chips. Where the chips are located in the same device, there is no need for any network connection, and they are performed 'off-line'. In these circumstances, transaction data is recorded in three locations:
Mondex International claims that the general scheme does not require that any personal identification data be carried on the card or passed to other cards with which it conducts transactions. However, in the Swindon trial, and hence the proposed U.K. implementation, incomplete or confirmatory identification data about the card-holder is included. In the case of the Midland Bank this comprises the card-holder's initials, and in the case of NatWest it is the first 7 characters of the card-holder's surname. Depending on how this feature is used, it may have quite limited implications, or dramatically change each Mondex implementation's privacy profile.
The latest-ten-transactions data recorded on Mondex cards could be used as a means of building up a transactions database, but it would be a labour-intensive and error-prone mechanism, for consumer and retailer alike.
On the other hand, the terminal transaction-trail provides the retailer with the opportunity to download the data into a transaction database. The value of such a database appears to be limited, however, because it contains nothing about the goods or services sold (because it carries the total value only, and no detail of the line-items that make up the complete transaction), and hence is of little use as an inventory-maintenance tool or even as a basis for sales-analysis or market research; and it contains only an incomplete customer identifier (currently initials or first 7 letters of surname). Provided that the precision of the identifier remains very low, it would appear to have limited potential as a marketing tool.
In general, the card-issuer is not involved in an off-line Mondex transaction, and has no direct access to the data flow; and Mondex itself has no part to play in the use of the scheme, and also has no access to the data flow. An exception exists in relation to audit / risk management, which involves occasional samples of transactions.
Where the Mondex chips involved in a transaction are located at distance from one another, a network connection is necessary. Two applications appear to be operational in Swindon:
It does not appear that any information is in the public domain which explains what data is recorded by whom, in these circumstances. It appears that the Mondex chips used by both the payer and the payee would record the data concerning the latest ten transactions. Furthermore, it appears to be technically possible for the telephone company or retailer involved in a transaction to capture the transaction data into a permanent database. Given that there are specifications in existence whereby terminal manufacturers can gain access to the transaction data in order to maintain an audit trail, it seems reasonable to assume that BT's own equipment at exchange-level or at a central location, and the BT-supplied private telephone, may be capable of gathering a transaction-trail.
The Cardholder Conditions refer to an 'Exception Log', which is "a record, inside the Purse [which is in turn defined as "a store of Mondex Cash"], which can be read and printed and which holds particulars of any irregular or incomplete transactions". The term is used in clause 5.2, which enables Mondex or the card-issuer to rely on the log as conclusive evidence.
Mondex International stated that the first 1 million transactions in its Goodman Fields pilot generated about 30 such exception records. Unless the scheme becomes a great deal more error-prone, or the feature is subverted to additional purposes, this aspect does not appear to generate personal data of sufficient intensity to be of any value or threat for other than its original purpose.
This is considered in three sub-sections, dealing respectively with the direct and the substantive privacy-invasiveness of the scheme, and with the potential for additional privacy invasions.
The volume of personal data held by the card-issuer remains much the same as in the case of counter and ATM-based cash operations, in that withdrawals and deposits which were previously in the form of cash and cheques become downloads to and uploads from the card. Secondary effects may cause an increase or decrease in the intensity of the data held.
Retailers would now hold additional data compared to the current circumstances, because previously unidentified cash transactions are being replaced by electronic transactions which generate a transaction trail including the PID of the card and, at least in the case of the U.K. implementation, a partial identifier.
Neither is a precise or direct identifier of the individual, however, nor even of the individual's account. This is because the cross-index between the PID and the account, and hence the individual who owns the account, is held by the card-issuer; and the identification data is not, at this stage at least, sufficiently precise to be used as a key.
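To make the structure of the trail concrete, the following is an added example (my own illustration, not code from Mondex or from the author) that models the records described above: the bounded 'latest ten transactions' log on each chip, the unbounded terminal trail a retailer can download, and the PID-to-account cross-index that only the card-issuer holds. The transactions, the placeholder PIDs and the toy issuer index are all constructed; the record fields (PID, initials or first 7 letters of surname, total value only) follow the page. It measures how identifying the partial identifier is by counting distinct cards per partial identifier, and shows that the trail becomes identified only when joined to the issuer's index.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One value transfer as it appears in the trail (constructed field set,
    following the page: PID, partial identifier, total value, no line items)."""
    pid: str          # pseudonymous card identifier (a 16-digit number in Mondex)
    partial_id: str   # initials (Midland) or first 7 letters of surname (NatWest)
    value_pence: int  # total value of the transaction only
    day: int          # constructed day index, standing in for a timestamp


class CardLog:
    """The 'latest ten transactions' record held on a chip: a bounded window."""

    def __init__(self, keep: int = 10) -> None:
        self._log: deque = deque(maxlen=keep)

    def record(self, t: Transfer) -> None:
        self._log.append(t)

    def entries(self) -> list:
        return list(self._log)


class TerminalTrail:
    """The retailer terminal's trail, which can be downloaded into a database."""

    def __init__(self) -> None:
        self.records: list = []

    def record(self, t: Transfer) -> None:
        self.records.append(t)


def offline_purchase(payer: CardLog, merchant_card: CardLog,
                     terminal: TerminalTrail, t: Transfer) -> None:
    """Off-line chip-to-chip transfer: the same record lands in three places."""
    payer.record(t)
    merchant_card.record(t)
    terminal.record(t)


def link_by_pid(trail: TerminalTrail) -> dict:
    """What the retailer can do with the trail alone: group spend per pseudonymous card."""
    totals: dict = defaultdict(int)
    for t in trail.records:
        totals[t.pid] += t.value_pence
    return dict(totals)


def anonymity_sets(trail: TerminalTrail) -> dict:
    """Distinct cards behind each partial identifier. A set of size 1 means the
    'confirmatory' identifier is acting as a key within this retailer's data."""
    cards: dict = defaultdict(set)
    for t in trail.records:
        cards[t.partial_id].add(t.pid)
    return {k: len(v) for k, v in cards.items()}


def resolve_with_index(trail: TerminalTrail, issuer_index: dict) -> dict:
    """Joining the trail to the PID -> account cross-index (held only by the
    card-issuer) is what turns a pseudonymous trail into an identified one."""
    return {t.pid: issuer_index.get(t.pid) for t in trail.records}


def build_sample() -> dict:
    """Constructed scenario: three cards, two of whose holders share initials 'RC'."""
    p1, p2, p3 = "0000000000000001", "0000000000000002", "0000000000000003"  # placeholder PIDs
    payers = {p1: CardLog(), p2: CardLog(), p3: CardLog()}
    merchant_card, terminal = CardLog(), TerminalTrail()

    for day in range(12):   # a frequent small-value customer: 12 transfers
        offline_purchase(payers[p1], merchant_card, terminal, Transfer(p1, "RC", 150, day))
    for day in (3, 9):
        offline_purchase(payers[p2], merchant_card, terminal, Transfer(p2, "RC", 300, day))
    offline_purchase(payers[p3], merchant_card, terminal, Transfer(p3, "AB", 500, 5))

    # Held by the issuer only; p2 is deliberately absent (e.g. a card from another issuer).
    issuer_index = {p1: "account-of-holder-1", p3: "account-of-holder-3"}

    return {
        "card_window": len(payers[p1].entries()),    # 10, although 12 transfers were made
        "terminal_records": len(terminal.records),   # 15: the terminal forgets nothing
        "per_card_spend": link_by_pid(terminal),
        "anonymity_sets": anonymity_sets(terminal),
        "resolved": resolve_with_index(terminal, issuer_index),
    }


if __name__ == "__main__":
    for key, value in build_sample().items():
        print(key, value)
```

The point the numbers make is the one the page makes in words: the card's own log is a poor basis for a database because it is capped at ten entries, the terminal trail is not capped, the PID links every transaction of one card even though it names nobody, and a partial identifier that maps to a single card in a given data set is behaving as a key regardless of how 'incomplete' it looks.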
A factor which serves to obscure the trail is that the card-holder may not be the same person as the owner of the account. For example, it is feasible, at least in principle, for value on a Mondex card to be given as a gift. The gift-giver would use his PCN to download value onto a new card. The recipient could spend the value on the card, but, provided that the giver did not provide the recipient with the PCN, the recipient would be unable to download any further value onto the card, because it would be associated with the giver's account. It would seem much more practicable for the giver to transfer funds onto the recipient's own card, using a telephone or wallet.
In practice, it appears unlikely that account-holders will arrange for the issue of cards except within closely associated groups (in particular families and companies); and hence the privacy-protection afforded by this aspect is minimal.
In summary, the Mondex scheme appears to have fairly limited direct and substantive negative effects on individual privacy; but this statement must be qualified in a number of respects:
The Mondex scheme embodies significant potentials for substantial privacy impact. A far higher intensity transaction-trail comes into existence, involving of the order of 5-10 cash transactions per day which were previously unidentified. This can be compared with existing trails arising from cheque, credit-card and debit-card transactions, which are more typically in the range 5-10 per week than per day. These transactions are associated with an identified card, the holder of which is recorded on a card-issuer database; and the trail may, depending on the particular implementation, also contain an identifier for the card-holder themselves.
Ways in which the potential could be translated into an actual increase in privacy-invasiveness include:
The basic Mondex scheme appears to be relatively privacy-benign. However, because it involves a substantial additional trail of pseudonymous transactions, it creates the potential for substantial additional privacy invasions.
Mondex International claims to have adopted a very positive approach to privacy. On the other hand, several examples provided below suggest that either the company had a deficient privacy strategy, or the company failed to articulate its privacy strategy, or the company under-invested in its implementation. This comment is made from the perspective of the Australian marketplace. Mondex staff are candid in their assessment that awareness and concerns about privacy aspects of value-card schemes are much higher and better-informed in Australia than in any other marketplace with which they are currently engaged.
One example is that the word 'privacy', and even the concept, appear to be entirely missing from the application form, the Cardholder Conditions, and the brochures available from the shop-front in Swindon; whereas the rights of Mondex and card-issuers to hold and disclose personal data about the card-holder are established in forthright terms (Condition 1.12).
Another example is the claim, made both explicitly and implicitly on Mondex's original web-pages, that "Mondex transactions are anonymous". This was misleading, and materially so, because, as discussed above, Mondex cash is pseudonymous rather than anonymous. Mondex International advised that the initial version of the web-pages was less carefully phrased than other documents: the core precept was 'private', whereas the term 'anonymous' was used in the web-pages. The word 'anonymous' was removed in early 1996. However, the continued use of the expression "Mondex is cash" carries a similar implication.
A brief answer to the 'frequently asked question' "what about privacy?" is provided in Mondex's web-pages, and because it is the only information that appears to be provided, it is reproduced below in full:
"In everyday use Mondex transactions are anonymous, just like cash. However, if the card is lost, a unique 16-digit identity number stored on the chip [the PID], which will have been registered by a card-providing bank against the personal details of the customer, may be used in order to return the card to its rightful owner. Cards also contain a "purse narrative". The customer's narrative would contain the names of the retailers - letting them know where they have used their card [sic - they could be expected to already know where they have used their card]. Only a cardholder will have access to the statement entries on their card which detail transactions. A cardholder will be able to lock their card and prevent unauthorised access".
It appears that neither the brochures nor the web-pages notify the card-holder that transaction data including the PID of the card is stored in the retailer's Mondex card, and in the memory within the retailer's terminal, and, in the case of transactions with the telecommunications company, possibly in that company's records also. Mondex says that there is no requirement that it do so, because, it claims, under the Data Protection Act 1984 the data is technically not 'personal data'.
Further evidence of inadequacies in Mondex's strategic planning in relation to privacy is provided by its clumsy handling of its dealings with a public interest group, Privacy International. The ambiguous use of the term 'audit trail' resulted in a complaint by that organisation to the U.K. Trading Standards Board, on the grounds that Mondex claimed its scheme to be as anonymous as cash when in fact there is an audit trail containing an indirect identifier. Although the complaint has been withdrawn and that particular matter has subsided, the media coverage may prove to have been detrimental to the Mondex scheme's image.
If Mondex's privacy strategy had been fully articulated, the documentation would not have been so deficient in its treatment of matters which are important to some consumers, and which may transpire to be critical to public acceptance of the product; and its staff would have been sensitive to, and aware of the nature of, privacy concerns, and trained to deal appropriately with such issues.
The Mondex scheme is currently being trialled, and gives every impression of functioning successfully, at least in a technical sense. It is to be expected that it will change as it matures and experience is gained. It is also to be expected that the details of its implementation may be significantly different in different marketplaces, to reflect different commercial traditions, different needs, different institutional structures and processes, and different balances of power among private sector organisations and between the private sector and relevant government agencies.
If consumer acceptance is relatively slow, further changes may need to be made to make it more attractive to consumers; whereas if it gains quick and substantial acceptance, the scope for changes to be forced by the consumer movement will be limited. Retailers, to some extent, and card-issuers to a much greater degree, are in a position to bring about further modifications and enhancements.
Large corporations in particular seem likely to be interested in a greater intensity of data, in order to support their consumer market research and consumer marketing efforts. Law enforcement and tax collection agencies are likely to be concerned about any drift away from identified (and therefore traceable and taxable) transactions towards pseudonymous or anonymous transactions. This is likely to be particularly so, given the trends during recent years towards ever-greater intensity of identified transaction-trails, and the considerable enthusiasm elements of the public sector have evidenced for automated surveillance of the population in general.
In many countries, the existing privacy laws were largely motivated by the needs of both the private and the public sectors to legitimate and entrench their uses of personal data. Most 'watchdog' agencies have limited powers and limited resources, and some are constrained by significant amounts of 'red tape'.
Policy agencies and legislators in many countries have sensed a change in the mood of the public relating to privacy, and a new round of privacy law is in the offing. Particularly in view of their inherent mysteriousness, and the credible stories about hidden uses of data, consumer privacy concerns may well focus on chip-card based payment schemes.
If that is the case, anonymous and pseudonymous schemes may prove to be particularly attractive to the public. Mondex may be a big winner if such a movement occurs, provided that it is in fact, and remains, a pseudonymous scheme, and consolidation of the transaction trail, and inter-relationship between the data and the index remain most unusual occurrences and do not become routinised.
The conclusions drawn in this document are necessarily tentative, because of the extent to which it has been necessary to interpolate and surmise. Subject to that qualification, the Mondex value-card scheme has the following features:
Created: 11 July 1997 - Last Amended: 11 July 1997 by Roger Clarke - Site Last Verified: 15 February 2009