2014 sep22 ppi-greenlist-intro-to-x1255-short-version

10/30/2014. INTELLIGENT paymentpathways Intelligent Transactions. Richard O’Brien – President, 8742 W. Higgins Rd. #240, Chicago, IL 60631, +1 312-346-9400, [email protected]. ITU-T Rec. X.1255 (09/2013), Framework for discovery of identity management information. Geneva, September 22, 2014

description

Payment Pathways' recent presentation to the X.1255 "Federated Registries" standards committee

Transcript of 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Page 1: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

paymentpathways: Intelligent Transactions

Richard O’Brien – President, 8742 W. Higgins Rd. #240, Chicago, IL 60631, +1 312-346-9400, [email protected]

ITU-T Rec. X.1255 (09/2013): Framework for discovery of identity management information

Geneva – September 22, 2014

Page 2: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Agenda: Discovery of Trusted Credentials

Framework for discovery | identity-related information and its provenance

• Contribution Scope

• Problem statement

• Illustrative Use Case

• Benefits

• Objective

• Rationale

• Components


Page 3: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Contribution scope: Discovery of Trusted Credentials

Framework for discovery | identity-related information and its provenance

• Information being identified such as services, processes and entities

• Identity-related information attributes, such as visual logos and human-readable site names

• Other attributes and the functionality of applications

• Description of a data model and a protocol to enable meta-level interoperability for representation, access and discovery of the information referenced above in heterogeneous IdM environments.

[Slide side labels: Discovery, Description]

Page 4: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Problem statement: The case for security-by-design

Receiving payments electronically requires divulging bank account or card numbers

• This puts financial account information at risk for unauthorized debits – adding costs of counter-measures to protect data

• 60% to 70% of the world’s population have no Internet access and no bank account

• Diasporas and disadvantaged youth lack full participation in the electronic economy

Wastes human capital. Thwarts economic growth. Perpetuates the digital divide.

• Need cannot be addressed with traditional bank, debit, credit or telco stored value identifiers that expose dual credit/debit functionality

Page 5: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Illustrative Use Case

Federated Registries

Greenlist®

Deposit-only payment addresses

Transaction identifier masking by data minimization & use limitation

Page 6: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Illustrative Use Case: Incentive merit payments in education

[Diagram labels: Teacher; School’s Bank; ACH or EFT Network; Student’s Bank; Student; $ and Notification flows numbered 1 to 5]

1 Payor authenticates and inputs Greenlist® ID/VID to pay

2 Portal SW queries Greenlist, obtains VID to match and LCA identifier

3 Payor verifies payee is correct. Submits amount to pay. Bank pays Linked Credit Account (LCA) identifier

4 Non-repudiable payment routes to payee’s LCA. Payee’s bank notified

5 Payee notified (when and amount) funds to arrive
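The five-step flow on this slide, as an added sketch that is not Payment Pathways' code: a registry resolves a Greenlist ID to a VID and a deposit-only LCA identifier, the payor's VID must match before payment, and any debit against the LCA is refused. All class and function names, the record layout and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    vid: str   # identifier the payor matches against (step 2)
    lca: str   # Linked Credit Account identifier: routes credits only

class Registry:
    """Hypothetical stand-in for the Greenlist lookup service."""
    def __init__(self):
        self._bindings = {}

    def register(self, glid, vid, lca):
        self._bindings[glid] = Binding(vid, lca)

    def resolve(self, glid):
        # Data minimization: the reply carries only VID and LCA,
        # never the payee's underlying account or card number.
        return self._bindings.get(glid)

class PayeeBank:
    """Hypothetical bank that maps LCA identifiers to real accounts."""
    def __init__(self):
        self._accounts = {}   # lca -> [real_account_number, balance_cents]

    def open_lca(self, lca, real_account):
        self._accounts[lca] = [real_account, 0]

    def credit(self, lca, cents):
        if lca not in self._accounts or cents <= 0:
            raise ValueError("unknown LCA or invalid amount")
        self._accounts[lca][1] += cents
        return {"lca": lca, "credited_cents": cents}   # basis for step 5 notice

    def debit(self, lca, cents):
        # Use limitation: an LCA identifier is deposit-only.
        raise PermissionError("LCA identifiers cannot be debited")

def pay(registry, bank, glid, expected_vid, cents):
    binding = registry.resolve(glid)                   # step 2
    if binding is None:
        raise LookupError("unknown Greenlist ID")
    if binding.vid != expected_vid:                    # step 3: payee check
        raise ValueError("VID mismatch: payee not confirmed")
    return bank.credit(binding.lca, cents)             # steps 3 to 5

def demo():
    # Constructed sample values, not real identifiers.
    reg, bank = Registry(), PayeeBank()
    bank.open_lca("LCA-0001", "ACCT-SECRET-42")
    reg.register("student.glid", "Student A, Grade 5", "LCA-0001")
    return reg, bank, pay(reg, bank, "student.glid", "Student A, Grade 5", 500)
```
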

Page 7: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Benefits: Incentive merit payments in education

Privacy
• No personal information given to merchants or any third parties

Risk
• No merchant fraud risk, greatly reduced consumer fraud risk
• No repudiation risk
• No accounting reconciliation risk

Cost
• Significantly more cost efficient

Teacher Empowerment
• Academic rewards
• Behavioral rewards

Human Capital Growth
• Involve local businesses
• Narrow digital divide

Financial Education
• Lifelong skillset for students
• Families learn by osmosis
• Inclusion in electronic economy

Page 8: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Objectives: Incentive merit payments in education

• Teach the value of saving and watching dollars grow
• Parents and Teachers engaged in the learning process
• Financial Education to impact every grade level

Pilot Design Objectives: Financial Education | expected outcomes

Education as THE Critical Success Factor: Financial Education | recognition, skills and inclusion

• Consistently superior user experiences
• Right content at the right time
• Delightful rewards recognize academic achievement

Page 9: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Rationale: Incentive merit payments in education

Banks incented to introduce Youth Savings

Civic Leadership | corporate sponsorships

• Spending may vary widely on technology

• Resources inconsistently applied so access, tools and courseware can lag, especially in impoverished areas.

• Multi-tenant SaaS platform to deliver and track incentive-merit payments for millions of students.

• Entities can govern, fund, configure, operate, measure and assess the virtuous circle of incentive payments. By recognizing achievement at every stage of student life, the authority of the mentor is reinforced.


Page 10: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Components: Federated registries

Digital objects
• Persistently identified
  o Self contained
  o Self described
  o Self aware
• Integral access control
• Extensible

Repositories
• Contain digital objects
• Are themselves digital objects
• Repository Synchronization Protocol (RSP)
• Platform independent

Useful for discovery
• Search engines
• Databases
• Digital information
• Digital objects

Handle system
• Persistent identification
• Distributed architecture
• Registrar provenance

Page 11: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Pilot Proofs: Federated Registries

Past, present and future

Application (Legacy)
• Scale and Governance: Application
• Enabling Technology: Application Specific
• Authorization: Access Control Lists

Enterprise (State of Practice)
• Scale and Governance: Organization
• Enabling Technology: VPN, Virtual Directories, etc.
• Authorization: Role Based Access Control

Federation (State of Technology)
• Scale and Governance: Community of Interest
• Enabling Technology: PKI, SAML, Trust Frameworks, etc.
• Authorization: Attribute Based Access Control

Ecosystem (State of Need)
• Scale and Governance: Cross Sector Marketplace
• Enabling Technology: Trustmark Framework
• Authorization: Policy Based Access Control

Source: Georgia Tech Research Institute

Page 12: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Lifelong attribute bindings

[Diagram labels: Greenlist Attribute Bindings; Instructions; Notifications; Permissions; Authentication]

Page 13: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

© 2014 Payment Pathways, Inc.

[Diagram labels: & Digital Objects!; Business-to-Business; Bill-Pay & Incentive Payments; n-Pilots; P2P & CNP; Mobile Payments; Cloud Services; Authentication; Authorization; Verification; Discovery; Interoperability; Attribute Binding; GLID (“Token” or “Alias”) to ePayment address; Attribute Bindings; Instruction; Notification; PII Permission; Trust in the Core Credential; Attribute Assurance; Use Cases; Applications; Core Attribute Binding Claims; Credentialing]

Page 14: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Sustainability economics

Donor Fund, Year 1
• Tablets and Software: $700,000
• Rewards: $200K
• Adm.: $100,000

Income for SaaS provider including project management and donor funds recruitment costs

Direct benefits to students

Security & Privacy Administration
• Attribute Based Access Control
• Accounting
• Reporting
• SaaS vendor pays all fees on behalf of the School Districts

Attribute Assurance, User Authentication

Income for Bank: $.05 / transaction

Xfer fee @ $.15

Income for Multi-factor Authentication Provider: $.05 / transaction

Income for Attribute Assurance Provider: $.05 / transaction

Greenlist UX (SaaS)

Donor Funds, Years 2 & 3
• HW & SW: $900,000
• Rewards: $900,000
• Adm.: $200,000

Project Management

Page 15: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Greenlist drill-down

Security enhanced by eliminating intermediaries

FICAM1 (in US) | conformance

1 Federal Identity, Credential, and Access Management. Fair Information Practice Principles: Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, Accountability and Auditing.

Public Identifiers

Publicly discoverable, routable, ePayment address(es)

Privacy Protection

Name

Bank or proxy supplies:

UPIC or LCA-ACH Bank Account Number

City PayNet Public PAN Debit or Credit PAN

Mobile Phone Number 1-630-880-0873

071000505 - 1348098709 071000505 - 1344230947

Greenlist ID (unique GLID)

Pseudonym or PII:

"MyGreenlistID" (Unique)

International: Linked Sender GLID [email protected] 123456-123456789012-1 123456-493847605942-4

Relying Parties only receive PII that consumers wish to have divulged about themselves

Page 16: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Functional diagram

[Diagram labels: Core Operations; Recurring Functions; Non-recurring Functions; Entity Registration; Registration; Identity Mapping; Credential Issuance/Association; Credential Provisioning; Credential Presentation; Credential Validation; Authentication; Authentication Decision; Authorization; Authorization Decision; Access Control Policy; Access Request; Attribute Verification; Data Request; Response; Accounting; System Management and Maintenance; Student; Teacher; School; Bank; Registry; ABAC1]

1 ABAC is Attribute-Based Access Control

Page 17: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

International strategies

Leveraging CNRI’s Digital Object Architecture

[World map with country labels. Other labels: Open; LATAM Root Registry (research phase); Greenlist Patents Issued; US; ITU; EU; CN]

Page 18: 2014 sep22 ppi-greenlist-intro-to-x1255-short-version

Richard O’Brien
President – Payment Pathways, Inc.
8745 W. Higgins Rd. #240
Chicago, IL 60631 – 312-346-9400

[email protected]