The Mondex Value-Card Scheme
A Mid-Term Report
Roger Clarke
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version 2.0 of 15 February 1996
© Xamax Consultancy Pty Ltd, 1997
Chapter from Clarke R. 'Chip-Based Payment Schemes: Stored-Value Cards and Beyond' Xamax Consultancy Pty
Ltd, Canberra, September 1996
This document is at http://www.anu.edu.au/people/Roger.Clarke/EC/Mondex.html
Abstract
Mondex is a technically mature implementation of the value-card concept. It is in large-scale trial in the United
Kingdom, and trials have commenced or are in preparation in several other countries. It is promoted as a cash-like
replacement for cash transactions. Mondex chip-cards are issued by financial institutions, value is downloaded from
linked accounts, and transactions are undertaken at terminals which are (mostly) off-line. Mondex cards can be
accepted by all kinds of merchants, at self-serve devices in such locations as car-parks, and in telephones. The
scheme supports transfers not only between consumers and merchants, but also directly between consumers.
The security features of the scheme appear to be quite sufficient for it to be viable. The commercial risks appear to
be contained, particularly from the perspective of the card-issuer. Many of the primary consumer concerns appear to
have been addressed, but a number of aspects remain unclear.
A limited transaction trail is maintained on each card, and on each terminal. This carries the identity of the card, and,
depending on the particular implementation, a short, confirmatory identifier for the card-holder. In principle, only
the card-issuer is aware of the relationship between the card identifier and the account-holder. The scheme is not
'anonymous', as some of the early promotional material suggested, and as the advertising slogan 'Mondex is Cash' implies.
It is technically 'pseudonymous', and it generates a significantly more intensive transaction trail than cash. The
substantive privacy-invasiveness of the basic scheme does not appear to be great; but the potential effects are
substantial. At least from an Australian perspective, Mondex's privacy strategy has not been well-articulated, and
this may result in some difficulties in the scheme gaining acceptance in Australia.
Contents
Introduction
General Overview
Motivation for, and Structure of, this Report
The Scheme's Functions and Devices
The Process
Security Design
Commercial Interests of the Participants
The Interests of Non-Participants
Personal Data in the Mondex Scheme
The Consumer Privacy Interest
Mondex's Approach to Privacy
Future Developments
Summary
1. Introduction
This document provides an overview of the Mondex value-card product, and in particular of the version on trial in
Swindon in the United Kingdom since mid-1995. The document's purpose is to provide sufficient detail about the
scheme that analysis can be undertaken, but in a fairly compressed and readily digestible form.
The sources used in compiling the document included Mondex's own printed materials and web-pages; detailed
discussions with three of Mondex's staff between November 1995 and January 1996; a visit to the Mondex shopfront in Swindon; and an inspection of half a dozen retail sites in the main street of Swindon on 5 December 1995.
No access has been sought or provided to commercial-in-confidence documents, and no independent interviews
have been conducted with any retailers or users.
I acknowledge the willing assistance of Mondex staff, especially Robert Caplehorn, Caroline Hadshar and Garry
Ireland. Efforts have been made to keep errors of fact and contentious interpretations to a minimum. In particular,
the first version of this document was reviewed by Mondex staff, resulting in a number of clarifications. Evaluative
comments are those of Xamax alone.
2. General Overview
The purpose of the Mondex scheme is to provide a chip-card based payment mechanism that is sufficiently
inexpensive that it can be used for very small purchases and hence function as a substitute for cash. It has been
promoted using the slogan "Mondex is cash"; and marketed as being "electronic cash on a card", "developed to truly
replicate the core features of cash and to be a real alternative to traditional notes and coins", and able to be used "in
the same way as cash, but with some key benefits over traditional cash".
The savings in cash-handling costs are intended to attract retailers, and the convenience is intended to attract
consumers. As a result, card-issuers are to make savings in transaction costs, and may also be able to generate
revenue. In addition, it is possible that the scheme may support medium- and even high-value payments.
The company Mondex International (MI) functions as developer, owner and marketer of intellectual property, and
franchiser of rights to use the technology. It is owned by two of the U.K.'s largest banks, the NatWest and the
Midland, but early franchisees are also to be investors in MI, which will result in a gradual dilution of the proportion
held by the original shareholders. Franchises are being sold on a regional basis. Sales to date cover the United
Kingdom (taken up by the NatWest and Midland), 12 East Asian countries (owned by the Hong Kong and Shanghai
Banking Corporation - HSBC), and Canada.
The Mondex value-card scheme comprises:
• chip-cards programmed to receive, store and issue value;
• cash-issuing devices capable of uploading value onto the card;
• cash-receiving devices capable of receiving value transferred off the card; and
• ancillary devices which can perform restricted functions.
The cards are only to be available to consumers from card-issuers, and each Mondex card is associated with a
particular account with a financial institution. Mondex International states that card-issuance is restricted to banks, at
least at this stage.
The devices are manufactured by a variety of companies, including Dai Nippon Printing Co. Ltd/SPOM Japan Co.
Ltd, De La Rue Fortronic, General Information Systems Ltd, Hitachi, NCR, Oki and Panasonic/Matsushita. The
marketing channels for the devices are to include not only card-issuers but also, at least in the case of wallets
(described later), appliance stores.
Mondex was initiated by NatWest in 1990. The Midland Bank joined as an investment partner in 1993. Since 1992,
the scheme has been in live test within one of NatWest's major computer centres, Goodman's Fields in London.
About 6,000 NatWest staff use 3 ATMs and 12 points of sale in the centre's restaurants, coffee bars and shop, and
have conducted over a million transactions.
A field trial was commenced in July 1995 in Swindon, in the Thames Valley 100 km west of London. The city and
suburbs involved in the project have an economically-active population in the range 150-200,000, and demographics
which replicate those of the U.K. as a whole. After the first three months, there were 700 participating merchants,
8,000 cards and cumulative turnover of a quarter of a million pounds. A small employee pilot was commenced by a
U.S. bank, Wells Fargo, in July 1995, and another large-scale trial was announced in November 1995 to be
conducted in Guelph, Ontario commencing in 3Q 1996.
3. Motivation for, and Structure of, this Report
During the last decade, a succession of pilot schemes have established the technical feasibility of value-card
schemes (see, for example, Clarke 1993 on the Swiss PTT scheme in Biel/Bienne). Whether such schemes are
commercially viable, however, depends on acceptance and adoption by card-issuers, merchants and consumers; and
avoidance of proscription or life-threatening measures by regulatory authorities. One of the most significant risk
factors affecting adoption is privacy, and this assessment accordingly places considerable weight on that aspect of
the Mondex scheme.
This Report commences with an outline of the various components of the Mondex scheme, and then describes the
process whereby value is transferred. This is followed by assessments of the role that personal data plays in the
scheme, and of its security features. The interests are then examined of both the scheme's participants and of other
parties, with particular attention paid to privacy aspects. Brief observations are offered about possible future
developments. A summary is provided.
4. The Scheme's Functions and Devices
(a) The Mondex Chip and Card
All Mondex value-transfer occurs between Mondex chips. At this stage at least, the chip is custom-built, and sole-sourced from Hitachi. It is anticipated that there will be successive generations of chips, and a more advanced chip is
to be used for the national roll-out subsequent to the Swindon trial. The chip is installed into a couple of specially-designed and -manufactured devices, and on Mondex cards.
The Mondex card is a chip-card, sometimes called a 'smart card'. It is a normal 'credit-card'-sized plastic card with a
small microcomputer chip embedded in it, compliant with the international standard ISO 7816. The Mondex card
also carries a magnetic stripe, but this is to provide a migration path from existing to future technology, and plays no
role in the Mondex value-transfer scheme. The card bears the Mondex logo, and the visual design is expressly
intended to convey the image of English bank-notes.
At this early stage, the Mondex card is a single-purpose card, supporting the value-card application only; and the
card is linked with an associated account. There is no theoretical limit to the maximum-value that could be set for
Mondex cards, but Mondex International have stated that it was likely to be set at the same level as the largest cash-withdrawal permitted from an ATM (currently £500 in the U.K. and $500 in Australia). Future releases are
to support multiple currencies; and may support additional functions such as credit-card, debit-card, identity-card or
health data.
By late 1995, about 8,000 Mondex cards had been issued in Swindon, and this was approaching 10,000 by year-end.
(b) Value-Transfer from Consumer to Merchant
Value can be transferred from one card to another using the following devices:
• 'Mondex Retailer Terminals'. In excess of 750 merchants are participating in the Swindon scheme, most
with a single terminal, but some (primarily supermarkets and department stores) with a significant number.
Hence there are of the order of 1,000 in operation. The terminal is a compact device containing:
    • the retailer's Mondex card;
    • a socket to receive the customer's card;
    • a numeric key-pad supplemented by a small number of special-purpose function keys;
    • a one-line display oriented to the cashier;
    • a port to which a one-line display oriented toward the customer can be connected;
    • sufficient additional persistent memory for an audit trail of the most recent 300 transactions,
comprising, for each transaction, the PID of the card, the value and the date-time stamp;
    • a clock; and
    • a power-board;
• special-purpose retailer terminals. These are devices designed for situations other than the conventional
retail point of sale. An example currently in use is for parking stations, whose payment points are
unattended, and which must therefore be operated by the customers themselves;
• British Telecom (BT) public payphones. The 300 payphones in the trial area have been converted to
accept the Mondex card. They also accept cash and/or conventional telephone cards and, in a few cases,
credit cards;
• BT business or personal telephones. These are available in limited quantities at present (c. 400 devices),
and are intended primarily for retailers who wish to upload value from their retailer's card to their bank
accounts without leaving their own premises;
• 'Mondex wallets'. These are hand-held, calculator-style devices, containing a similar set of capabilities to
the retailer terminal, but in a form suitable for both individuals and mobile sales staff. The wallet is
available in two forms at present, manufactured by Oki and GIS respectively. One has space for two
Mondex cards; whereas the other has a single bay for a Mondex card, and has the circuitry for the owner's
card built into the device. There are few in use at present. They are to be sold as a consumer and small
business appliance in, for example, electrical goods stores.
(c) Value-Download onto Mondex Cards
Value can be down-loaded from the account linked to the card. The devices at which this can be performed are:
• ATMs which have been adapted to cater for the card. In Swindon at present, there are 3 or 4 of these for
each of the NatWest and Midland Banks;
• BT public payphones. At present only the 300 within Swindon have been adapted; and
• BT business and personal telephones, primarily on retailer's premises.
(d) Value-Upload from Mondex Cards
The devices which support download from the card-holder's account also support upload from a Mondex card to the
linked account.
(e) Value-Transfer between Mondex Cards
It is also possible to transfer value between any pair of cards, whether they are used by a retailer or a consumer,
using:
• BT public payphones. At present only the 300 within Swindon have been adapted;
• BT business and personal telephones, primarily on retailer's premises; and
• Mondex wallets.
(f) The Checking of Card-Balances
Card-holders can view the balances on their cards in several ways:
• every card-holder is being issued with a personal balance-reader, which is a small, battery-operated,
throwaway device attached to a key-ring (or 'key-fob');
• some retailers (e.g. the Sainsbury's supermarket chain) have installed retailer-premises balance-readers
near the entrances to and exits from their stores, to enable customers to check their balances as they enter
the store and/or as they approach the checkout counter;
• Mondex telephones, both public and private, display the balance on the card; and
• Mondex wallets display the balance on the card.
(g) The Checking of the Latest 10 Transactions
The latest 10 transactions are recorded on the card, and can be displayed:
• on Mondex telephones, both public and private; and
• using a Mondex wallet.
(h) Locking and Unlocking the Card
The card-holder can 'lock' their card with a single keystroke, disabling any transfer of value from the card as well as
display of the last 10 transactions. In order to 'unlock' the card, a Personal Code Number (PCN) must be keyed.
Locking can be performed using a wallet or a telephone, both public and private, but not a retailer terminal or a
balance-reader. The PCN can only be changed using a wallet or a private Mondex telephone; and cannot be
performed at any other devices, not even public Mondex phones.
5. The Process
(a) The Issuing of Mondex Cash From a Bank Account
Cards are linked to a card-holder's account with a participating financial institution. The card-holder initiates a
withdrawal of value from their account, and onto the card. This can be done through devices provided by the bank
concerned (ATMs) or BT telephones; it cannot be done through retailers' terminals. The transaction requires not
only the presentation of the Mondex card, but also the keying of the PCN.
(b) The Mondex Cash-Payment Process
Value-transfer is undertaken between two Mondex chips. In the most common case of use at a staffed sales point,
the cashier:
• takes the card from the customer;
• places it in the retailer's terminal;
• keys the value (which is displayed for both the cashier and the customer);
• strikes a key to commit the transaction;
• removes the card from the terminal;
• tears off the receipt; and
• gives the card and the receipt to the customer.
At present, cashiers at most sites have to double-key the amount, once into the electronic cash register (ECR) and
once into the Mondex retailer's terminal; and hence transactions commonly produce two receipts. The Sainsbury's
supermarket chain has already integrated the retailer's terminal with their existing ECRs, enabling single entry into
the ECR, and providing a single receipt from the ECR showing the word 'Mondex' in the payment-type (where
'Cash' or 'Credit Card' would otherwise appear).
There are several different configurations within which two Mondex chips may conduct a transaction:
• in the most common scenario of retail sales in a shop, described above, the active elements are a chip on
a Mondex card used by a consumer, and a chip on the retailer's Mondex card inside a Mondex Retailer
Terminal;
• in the case of retail sales where the salesperson is on the move (e.g. in a marketplace, or in door-to-door
sales), the chip in the customer's Mondex Card transfers value to a chip in the salesperson's Mondex
Wallet. In the Oki-manufactured wallet, the chip is built into the wallet itself; whereas in the GIS-manufactured wallet, the wallet is essentially inert, and has two docks, one for the customer's card and one
for the salesperson's;
• for transactions between consumers, and between two cards in the same set, e.g. belonging to a single
household, the wallet can be used in the same manner as that used by a mobile salesperson;
• for telephone calls, the value is transferred from the caller's Mondex card to a Mondex chip held by the
telephone company (presumably at exchange level, but possibly at one or more central locations).
An additional configuration is planned but not yet implemented: payment over public data networks such as the
Internet and perhaps cable TV. This would require both the payer and the payee to have Mondex terminals
attached to their PCs/TVs.
(c) The Recovery of Value Into the Bank Account
The card-holder can at any time initiate a transfer from the card back to the account. This can be done at a Mondex
ATM or Mondex phone, public or private. Value from a card cannot be transferred to any bank account other than
that with which the card is associated.
6. Security Design
It appears that little information is publicly available concerning the scheme's security features. This section is
accordingly based on an analysis of security risks, supplemented by a moderate amount of surmise.
The scheme is subject to a range of technical risks, including:
• a valid chip falsely adding to the value in a card;
• a valid chip falsely failing to deduct from the value in a card;
• a bogus chip falsely adding to the value in a card;
• a bogus chip falsely failing to deduct from the value in a card; and
• a bogus chip falsely representing itself to contain value.
Accidental losses may occur where a valid Mondex chip contains, or has downloaded to it, software which
malfunctions under some circumstance or circumstances. This is largely a question of validation of the design and
its implementation, and quality control in its modification.
Fraudulent losses may occur where a valid Mondex chip contains, or has downloaded to it, software which has been
manipulated to function in some manner other than that intended by the designers. The software embedded in a chip
is, however, generally regarded as being incapable of subsequent manipulation, and, if the proper procedures are
used, incapable of being examined or copied. It therefore appears that this risk can be largely addressed through
conventional organisational controls supplemented by straightforward technical controls relating to copies of the
software.
Fraud could also be perpetrated through the use of a bogus chip. This requires that the perpetrator know sufficient
about the internal design that a design can be produced whose behaviour (and especially external behaviour) is
sufficiently similar to a real Mondex chip in the same circumstances. This might be achieved through access to a
copy of the official design, e.g. by acquisition of hard-copy, magnetic, optical, or electronic copy, or dependence on
the memory of someone who is privy to the entire design or at least critical portions of it.
Alternatively, it may be possible to 'reverse-engineer' the design, by examining the responses a valid card provides
to a set of stimuli. This would only reveal sufficient about its internal functions if the behaviour were non-variant, or
varied in a manner whose pattern could be detected from a practicably small set of tests.
The material provided at the shop-front in Swindon is silent about the security techniques used. The web-pages,
however, offer information in two locations, which have been interwoven below:
"IC cards offer a high level of protection against software attack and protection against
physical attack or re-engineering. They also offer scope for considerable enhancement as
technology advances. "Each time a Mondex card is used, the chip on the card generates a
unique 'digital signature', which can be recognised by the other Mondex card involved in
the transaction. This 'digital signature' is the guarantee that the cards involved are
genuine Mondex cards and that transaction data is unmodified. This recognition process
also identifies the card for which the cash is intended - so funds cannot be intercepted by
a third party. "The security will be frequently changed so that fraudsters or hackers
intending to target Mondex will find a fast-moving zig-zagging target that will make their
efforts to break it unrewarding. By continually changing and increasing the complexity of
the development program, Mondex is designed to stay ahead of increasingly
sophisticated criminals. The complexity of this security is so great that we believe it will
not be economically viable for even highly organised crime to break it".
In fact the Swindon trial is using a symmetric encryption scheme, which involves both chips using the same secret
key for encryption and decryption. By the time of rollout of the nationwide scheme, inherently more secure
asymmetric encryption techniques will be used. Two technical risks are the possibility that the key-length may be
sufficiently short that it may be able to be 'cracked' by brute force methods; and the feasibility of an intercepted code
being re-used by bogus cards in order to give the impression of 'real' Mondex value being transferred.
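The mechanism the quoted material calls a 'digital signature', together with the re-use risk just noted, as an added illustrative model written for this report (it is not Mondex's own protocol, which is not public): both chips hold one secret key, as the Swindon trial is said to, and the payee credits nothing unless a keyed MAC over payer, addressee, amount and a fresh nonce checks out. The card identifiers, amounts, PCN and key are constructed.

```python
"""Constructed model of an off-line chip-to-chip value transfer.

Illustrative code, not Mondex's protocol. It models the symmetric-key
design the Swindon trial is described as using: both chips share one
secret key, and each transfer carries a keyed MAC (HMAC-SHA256 stands
in for the chip's 'digital signature') that covers the payer, the
intended payee, the amount and a fresh nonce. The payee checks all of
these before crediting, which is what stops modified data, misdirected
value and replayed messages from creating value out of nothing.
"""
import hashlib
import hmac
import json
import os
from collections import deque

SHARED_KEY = b"constructed-demo-key"  # assumption: one scheme-wide secret key


class Chip:
    """One Mondex-style chip: a balance, a short log and the shared key."""

    def __init__(self, pid: str, balance: int, pcn: str = "0000") -> None:
        self.pid = pid                  # card identifier (PID)
        self.balance = balance          # value in pence
        self.log = deque(maxlen=10)     # card keeps only the latest 10 transactions
        self.seen_nonces = set()        # nonces already credited (replay check)
        self.locked = False
        self._pcn_hash = hashlib.sha256(pcn.encode()).digest()

    def _mac(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()

    # Locking: one keystroke to lock, the PCN to unlock (Section 4(h)).
    def lock(self) -> None:
        self.locked = True

    def unlock(self, pcn: str) -> bool:
        digest = hashlib.sha256(pcn.encode()).digest()
        if hmac.compare_digest(digest, self._pcn_hash):
            self.locked = False
        return not self.locked

    # Payer side: deduct first, then emit the authenticated message.
    def pay(self, payee_pid: str, amount: int) -> dict:
        if self.locked:
            raise PermissionError("card is locked")
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient value on card")
        self.balance -= amount
        body = {"from": self.pid, "to": payee_pid, "amount": amount,
                "nonce": os.urandom(8).hex()}
        self.log.append(("out", payee_pid, amount))
        return {**body, "mac": self._mac(body)}

    # Payee side: credit only if MAC, addressee and nonce all check out.
    def receive(self, msg: dict) -> bool:
        body = {k: v for k, v in msg.items() if k != "mac"}
        if not hmac.compare_digest(self._mac(body), msg.get("mac", "")):
            return False            # bogus chip, or data modified in transit
        if body["to"] != self.pid:
            return False            # message was meant for another card
        if body["nonce"] in self.seen_nonces:
            return False            # replay of a transfer already credited
        self.seen_nonces.add(body["nonce"])
        self.balance += body["amount"]
        self.log.append(("in", body["from"], body["amount"]))
        return True


def demo() -> dict:
    """One honest payment plus the failure cases Section 6 is concerned with."""
    consumer = Chip("CARD-0001", 2000, pcn="4321")   # constructed PIDs and values
    retailer = Chip("RETAILER-0042", 0)
    bystander = Chip("CARD-0002", 0)
    total_before = consumer.balance + retailer.balance + bystander.balance

    msg = consumer.pay("RETAILER-0042", 350)
    misdirected = bystander.receive(msg)                  # False: not the addressee
    honest = retailer.receive(msg)                        # True
    replayed = retailer.receive(msg)                      # False: nonce already seen
    tampered = retailer.receive({**msg, "amount": 9999})  # False: MAC mismatch

    consumer.lock()
    try:
        consumer.pay("RETAILER-0042", 1)
        paid_while_locked = True
    except PermissionError:
        paid_while_locked = False
    wrong_pcn = consumer.unlock("0000")                   # False: still locked
    right_pcn = consumer.unlock("4321")                   # True

    total_after = consumer.balance + retailer.balance + bystander.balance
    return {
        "misdirected": misdirected, "honest": honest, "replayed": replayed,
        "tampered": tampered, "paid_while_locked": paid_while_locked,
        "wrong_pcn": wrong_pcn, "right_pcn": right_pcn,
        "value_conserved": total_before == total_after,   # no value created or lost
        "retailer_balance": retailer.balance,
        "consumer_log_len": len(consumer.log),
    }
```

The brute-force key-length risk noted above is outside this model: a scheme-wide shared key, as modelled here, means one recovered key forges every card, which is why the text expects asymmetric techniques for the national roll-out.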
Which participants are subject to each of the various risk-exposures is discussed in the following sections.
7. Commercial Interests of the Participants
It does not appear that the terms of contract among Mondex, device-suppliers and card-issuers are publicly
available. The terms applying between card-issuers and retailers probably are available, but have not been acquired
or analysed as part of this project. The Conditions applying to cardholders are available, however, and have been
considered. The apportionment of risk outlined in this section is therefore a mix of information and guesswork.
The fiduciary duties of the directors of the companies which participate in a Mondex scheme require that they take
reasonable care to assess and manage risk. It is to be expected that the participants in the Swindon trial have done so.
It is also to be expected that the central bank of an economy in which the scheme is implemented would conduct
such an assessment. Finally, it is to be expected that competitors and potential collaborators and licensees will also
have conducted analyses, including monitoring of the data traffic between Mondex cards. It does not appear that the
reports arising from any such analyses are publicly available.
Individual consumers are unlikely to undertake risk assessments in the way that companies are expected to. They are
also unlikely to behave with the same degree of planned and self-interested consistency expected from companies. It
is not known whether any consumer advocacy body, whether governmental or independent, has performed an
assessment on behalf of consumers.
(a) Card-Issuers
The use of Mondex cards seems likely to replace large numbers of relatively low-value, primarily cash transactions.
Cash-handling is expensive for financial institutions, and for some other potential card-issuers such as telephone
companies; and hence considerable cost-savings may be possible.
Secondarily, Mondex card transactions may replace cheques (particularly in countries such as the U.K., where a
large number of retail transactions are conducted using cheques supported by cheque-guarantee cards). These are
also expensive, and cause considerable delays at the point of sale; and hence this displacement would also be
welcomed by card-issuers, because it will make their cards more attractive to merchants and consumers alike.
Mondex card transactions are likely to be cheaper than debit-card transactions (which involve on-line
communications with the card-issuer or its agent), and certainly cheaper than credit-card transactions (which involve
substantial data-handling and insurance costs). Any displacement of these that occurs would also be likely to be very
welcome.
By offering Mondex cards, card-issuers provide an additional service to their clients. If consumers value that
service, or some aspects of it, Mondex card-issuers may accordingly keep a larger proportion of their existing
customers, and gain a proportion of customers from competitors who do not offer the same or an equivalent service.
If such an advantage eventuates, it may be sustainable for a modest period of time, until the same, an equivalent, or
an alternative scheme is implemented by the late adopters. By that time, Mondex card-issuers may have made
significant gains in market share at the expense of their direct competitors.
Finally, if consumers perceive the Mondex scheme to offer them significant benefits, card-issuers may be able to
charge fees for their customers' use of it, and gain revenue as a result.
The card-issuers appear to have limited their commercial risk-exposure to about the same level as that they face with
current payment schemes (Cardholder Conditions 1.4(ii) and 2.1-2.7).
(b) Retailers
From the retailer's viewpoint, the transaction is almost as quick and as simple as receiving the correct amount of
cash. It is quicker, simpler and less error-prone than receiving a larger amount of cash and calculating and counting
out change. It is considerably quicker, simpler and less error-prone than cheques supported by cheque-guarantee
cards, manual credit-card transactions, pseudo-on-line credit-card transactions, and on-line debit-card transactions.
Additional effects of the Mondex scheme are:
• it provides an additional, alternative form of payment, and thereby increases customer service;
• it enables a reduction in the cash balance carried, which reduces the risk of robbery, and possibly insurance
costs; and
• it simplifies reconciliation at the end of the cashier's shift, which has indirect benefits in terms of labour
costs and/or customer service levels.
In order to offer Mondex payments, retailers must acquire a modest amount of equipment, and integrate it into their
point-of-sales operations. They run the risk that insufficient consumers may use the scheme to make it worth the
investment. There is also the possibility that inadequacies in the scheme's design may reflect badly on the retailer,
e.g. the inability to download value from the customer's bank account at the point of sale. In the unlikely event that
other forms of payment were not carried by the retailer's customers, there would be the risk that some transactions
could not be consummated, because of the lack of an acceptable means of payment.
The retailer must trust that the amount displayed on the terminal's screen has actually been credited to the value on
the retailer's Mondex card, and must train their staff to check the amount visually. This would appear to be under the
control of the Mondex chip in the retailer's card, and hence the risk of a programming error and fraud by Mondex
may be borne by the retailer.
Depending on the terms of their contracts with their card-issuer, retailers may also run the risk that value-transfers
onto the retailer's Mondex card, which were processed in good faith, may not be honoured by their bank. There is
the risk of the retailer's Mondex card being lost, or the functionality damaged beyond repair and recognition, e.g. by
an accident such as standing on it, or an electrical malfunction in the terminal. It appears likely that the onus would
be on the retailer to prove the value that is contained in a damaged or lost card. This may or may not be feasible,
depending on the internal design and data-capacity of the retailer terminals, including the nature of the medium in
which the transaction trail is stored.
A risk exists that cashiers may issue unauthorised credits. To counter this risk, Mondex retailer terminals are
configured such that they can be set to 'receive-only'. In this mode, Mondex value cannot be paid out of the chip in
the terminal without a code being entered, presumably by a supervisor.
5. The Process
(a) The Issuing of Mondex Cash From a Bank Account
Cards are linked to a card-holder's account with a participating financial institution. The card-holder initiates a
withdrawal of value from their account, and onto the card. This can be done through devices provided by the bank
concerned (ATMs) or BT telephones; it cannot be done through retailers' terminals. The transaction requires not
only the presentation of the Mondex card, but also the keying of the PCN.
(b) The Mondex Cash-Payment Process
Value-transfer is undertaken between two Mondex chips. In the most common case of use at a staffed sales point,
the cashier:
 takes the card from the customer;
 places it in the retailer's terminal;
 keys the value (which is displayed for both the cashier and the customer);
 strikes a key to commit the transaction;
 removes the card from the terminal;
 tears off the receipt; and
 gives the card and the receipt to the customer.
At present, cashiers at most sites have to double-key the amount, once into the electronic cash register (ECR) and
once into the Mondex retailer's terminal; and hence transactions commonly produce two receipts. The Sainsbury's
supermarket chain has already integrated the retailer's terminal with their existing ECRs, enabling single entry into
the ECR, and providing a single receipt from the ECR showing the word 'Mondex' in the payment-type (where
'Cash' or 'Credit Card' would otherwise appear).
There are several different configurations within which two Mondex chips may conduct a transaction:
 in the most common scenario of retail sales in a shop, described above, the active elements are a chip on
a Mondex card used by a consumer, and a chip on the retailer's Mondex card inside a Mondex Retailer
Terminal;
 in the case of retail sales where the salesperson is on the move (e.g. in a marketplace, or in door-to-door
sales), the chip in the customer's Mondex Card transfers value to a chip in the salesperson's Mondex
Wallet. In the Oki-manufactured wallet, the chip is built into the wallet itself; whereas in the GISmanufactured wallet, the wallet is essentially inert, and has two docks, one for the customer's card and one
for the salesperson's;
 for transactions between consumers, and between two cards in the same set, e.g. belonging to a single
household, the wallet can be used in the same manner as that used by a mobile salesperson;
 for telephone calls, the value is transferred from the caller's Mondex card to a Mondex chip held by the
telephone company (presumably at exchange level, but possibly at one or more central locations).
An additional configuration is planned but not yet implemented: payment over public data networks such as the
Internet and perhaps cable TV. This would require both the payer and the payee to have Mondex terminals
attached to their PCs/TVs.
(c) The Recovery of Value Into the Bank Account
The card-holder can at any time initiate a transfer from the card back to the account. This can be done at a Mondex
ATM or Mondex phone, public or private. Value from a card cannot be transferred to any bank account other than
that with which the card is associated.
6. Security Design
It appears that little information is publicly available concerning the scheme's security features. This section is
accordingly based on an analysis of security risks, supplemented by a moderate amount of surmise.
The scheme is subject to a range of technical risks, including:
 a valid chip falsely adding to the value in a card;
 a valid chip falsely failing to deduct from the value in a card;
 a bogus chip falsely adding to the value in a card;
 a bogus chip falsely failing to deduct from the value in a card; and
 a bogus chip falsely representing itself to contain value.
Accidental losses may occur where a valid Mondex chip contains, or has downloaded to it, software which
malfunctions under some circumstance or circumstances. This is largely a question of validation of the design and
its implementation, and quality control in its modification.
Fraudulent losses may occur where a valid Mondex chip contains, or has downloaded to it, software which has been
manipulated to function in some manner other than that intended by the designers. The software embedded in a chip
is, however, generally regarded as being incapable of subsequent manipulation, and, if the proper procedures are
used, incapable of being examined or copied; this is an assumption about the tamper-resistance of the chip rather
than a demonstrated property. On that assumption, it appears that this risk can be largely addressed through
conventional organisational controls supplemented by straightforward technical controls relating to copies of the
software.
Fraud could also be perpetrated through the use of a bogus chip. This requires that the perpetrator know sufficient
about the internal design that a design can be produced whose behaviour (and especially external behaviour) is
sufficiently similar to a real Mondex chip in the same circumstances. This might be achieved through access to a
copy of the official design, e.g. by acquisition of hard-copy, magnetic, optical, or electronic copy, or dependence on
the memory of someone who is privy to the entire design or at least critical portions of it.
Alternatively, it may be possible to 'reverse-engineer' the design, by examining the responses a valid card provides
to a set of stimuli. This would reveal sufficient about its internal functions only if the behaviour were invariant, or
varied in a manner whose pattern could be detected from a practicably small set of tests.
The material provided at the shop-front in Swindon is silent about the security techniques used. The web-pages,
however, offer information in two locations, which have been interwoven below:
"IC cards offer a high level of protection against software attack and protection against
physical attack or re-engineering. They also offer scope for considerable enhancement as
technology advances. "Each time a Mondex card is used, the chip on the card generates a
unique 'digital signature', which can be recognised by the other Mondex card involved in
the transaction. This 'digital signature' is the guarantee that the cards involved are
genuine Mondex cards and that transaction data is unmodified. This recognition process
also identifies the card for which the cash is intended - so funds cannot be intercepted by
a third party. "The security will be frequently changed so that fraudsters or hackers
intending to target Mondex will find a fast-moving zig-zagging target that will make their
efforts to break it unrewarding. By continually changing and increasing the complexity of
the development program, Mondex is designed to stay ahead of increasingly
sophisticated criminals. The complexity of this security is so great that we believe it will
not be economically viable for even highly organised crime to break it".
In fact the Swindon trial is using a symmetric encryption scheme, in which both chips use the same secret key for
encryption and decryption. On that basis the 'digital signature' referred to above would be a message authentication
code rather than a signature in the asymmetric sense, and extraction of the key from any one chip would compromise
every other chip that shares it. By the time of rollout of the nationwide scheme, asymmetric techniques, under which
each chip can hold a private key of its own, are to be used. Two technical risks are that the key-length may be
short enough to be 'cracked' by brute-force methods; and that an intercepted transfer message may be replayed by a
bogus card, in order to give the impression that 'real' Mondex value is being transferred.
Which participants are subject to each of the various risk-exposures is discussed in the following sections.
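To make the replay and bogus-chip risks discussed in this section concrete, the following added example models a value transfer between two purses that share one symmetric key, as the Swindon trial is said to. It is not Mondex's protocol, which is not public: the message layout, the use of HMAC-SHA256 as the 'digital signature', the 8-byte payee nonce, the PIDs, the key and the balances are all assumptions constructed for the example. It shows a genuine transfer; a replayed packet being rejected; a chip without the key, and a packet with its amount altered, being rejected; a packet addressed to one purse being useless to another; and what happens when the payee omits the freshness check.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical shared key (constructed for this example). The text says the
# Swindon trial used one symmetric key on every chip, so a single extracted
# key would let an attacker mint value that every purse accepts.
SHARED_KEY = bytes(range(16))
FMT = ">16s16s8sI"          # payer PID, payee PID, nonce, amount in pence
TAG_LEN = 32                # HMAC-SHA256 output length


def pid(name):
    """Hypothetical 16-byte purse identifier (PID) built from a short label."""
    return name.encode().ljust(16, b"\0")


class Purse:
    def __init__(self, my_pid, balance, key=SHARED_KEY, check_freshness=True):
        self.pid = my_pid
        self.balance = balance
        self.key = key
        # False models a payee that omits the replay check, to show the consequence.
        self.check_freshness = check_freshness
        self.pending_challenge = None

    def challenge(self):
        """Payee step: issue a fresh nonce that the payer must bind into its message."""
        self.pending_challenge = os.urandom(8)
        return self.pid, self.pending_challenge

    def pay(self, payee_pid, nonce, amount):
        """Payer step: debit first, then emit an authenticated transfer message."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient value on purse")
        msg = struct.pack(FMT, self.pid, payee_pid, nonce, amount)
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        self.balance -= amount
        return msg + tag

    def receive(self, packet):
        """Payee step: credit only if the tag, the addressee and the nonce all check out."""
        msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                        # bogus chip, or tampered amount
        _payer, payee_pid, nonce, amount = struct.unpack(FMT, msg)
        if payee_pid != self.pid:
            return False                        # addressed to some other purse
        if self.check_freshness:
            if nonce != self.pending_challenge:
                return False                    # replayed, or no challenge outstanding
            self.pending_challenge = None       # each challenge is usable once
        self.balance += amount
        return True


def demo_transfer():
    """Genuine payment succeeds; replaying the captured packet does not."""
    payer, payee = Purse(pid("consumer"), 5000), Purse(pid("retailer"), 0)
    who, nonce = payee.challenge()
    packet = payer.pay(who, nonce, 250)
    first = payee.receive(packet)
    replay = payee.receive(packet)
    return first, replay, payer.balance, payee.balance   # (True, False, 4750, 250)


def demo_bogus_and_tampered():
    """A chip without the key, and a packet with the amount altered, are both rejected."""
    payee = Purse(pid("retailer"), 0)
    bogus = Purse(pid("consumer"), 10**9, key=b"\xff" * 16)
    who, nonce = payee.challenge()
    forged_ok = payee.receive(bogus.pay(who, nonce, 250))
    genuine = Purse(pid("consumer"), 5000)
    who, nonce = payee.challenge()
    packet = genuine.pay(who, nonce, 250)
    tampered = packet[:40] + struct.pack(">I", 250000) + packet[44:]   # amount field at bytes 40..43
    tampered_ok = payee.receive(tampered)
    return forged_ok, tampered_ok, payee.balance          # (False, False, 0)


def demo_misdirected():
    """A packet bound to one payee PID is useless to any other purse."""
    payer = Purse(pid("consumer"), 5000)
    intended, other = Purse(pid("retailer"), 0), Purse(pid("third-party"), 0)
    who, nonce = intended.challenge()
    packet = payer.pay(who, nonce, 250)
    other.pending_challenge = nonce          # even knowing the nonce does not help
    return other.receive(packet), intended.receive(packet)   # (False, True)


def demo_without_freshness_check():
    """Omit the nonce check and a replayed packet creates value from nothing."""
    payer = Purse(pid("consumer"), 5000)
    payee = Purse(pid("retailer"), 0, check_freshness=False)
    who, nonce = payee.challenge()
    packet = payer.pay(who, nonce, 250)
    for _ in range(3):
        payee.receive(packet)
    return payer.balance, payee.balance      # (4750, 750): 500 pence minted
```

The last function is the replay risk in its simplest form: the payer was debited once, the payee credited three times, and the scheme as a whole now contains value that no card-issuer downloaded. The nonce-per-challenge check is what closes it. Note also that every purse in this model holds the same key, so the brute-force risk mentioned above is a single point of failure for the whole population of cards, which is the motivation for the move to per-chip asymmetric keys.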
7. Commercial Interests of the Participants
It does not appear that the terms of contract among Mondex, device-suppliers and card-issuers are publicly
available. The terms applying between card-issuers and retailers probably are available, but have not been acquired
or analysed as part of this project. The Conditions applying to cardholders are available, however, and have been
considered. The apportionment of risk outlined in this section is therefore a mix of information and guesswork.
The fiduciary duties of the directors of the companies which participate in a Mondex scheme require that they take
reasonable care to assess and manage risk. It is to be expected that the participants in the Swindon trial have done so.
It is also to be expected that the central bank of an economy in which the scheme is implemented would conduct
such an assessment. Finally, it is to be expected that competitors and potential collaborators and licensees will also
have conducted analyses, including monitoring of the data traffic between Mondex cards. It does not appear that the
reports arising from any such analyses are publicly available.
Individual consumers are unlikely to undertake risk assessments in the way that companies are expected to. They are
also unlikely to behave with the same degree of planned and self-interested consistency expected from companies. It
is not known whether any consumer advocacy body, whether governmental or independent, has performed an
assessment on behalf of consumers.
(a) Card-Issuers
The use of Mondex cards seems likely to replace large numbers of relatively low-value, primarily cash transactions.
Cash-handling is expensive for financial institutions, and for some other potential card-issuers such as telephone
companies; and hence considerable cost-savings may be possible.
Secondarily, Mondex card transactions may replace cheques (particularly in countries such as the U.K., where a
large number of retail transactions are conducted using cheques supported by cheque-guarantee cards). These are
also expensive, and cause considerable delays at the point of sale; and hence this displacement would also be
welcomed by card-issuers, because it will make their cards more attractive to merchants and consumers alike.
Mondex card transactions are likely to be cheaper than debit-card transactions (which involve on-line
communications with the card-issuer or its agent), and certainly cheaper than credit-card transactions (which involve
substantial data-handling and insurance costs). Any displacement of these that occurs would also be likely to be very
welcome.
By offering Mondex cards, card-issuers provide an additional service to their clients. If consumers value that
service, or some aspects of it, Mondex card-issuers may accordingly keep a larger proportion of their existing
customers, and gain a proportion of customers from competitors who do not offer the same or an equivalent service.
If such an advantage eventuates, it may be sustainable for a modest period of time, until the same, an equivalent, or
an alternative scheme is implemented by the late adopters. By that time, Mondex card-issuers may have made
significant gains in market share at the expense of their direct competitors.
Finally, if consumers perceive the Mondex scheme to offer them significant benefits, card-issuers may be able to
charge fees for their customers' use of it, and gain revenue as a result.
The card-issuers appear to have limited their commercial risk-exposure to about the same level as that they face with
current payment schemes (Cardholder Conditions 1.4(ii) and 2.1-2.7).
(b) Retailers
From the retailer's viewpoint, the transaction is almost as quick and as simple as receiving the correct amount of
cash. It is quicker, simpler and less error-prone than receiving a larger amount of cash and calculating and counting
out change. It is considerably quicker, simpler and less error-prone than cheques supported by cheque-guarantee
cards, manual credit-card transactions, pseudo-on-line credit-card transactions, and on-line debit-card transactions.
Additional effects of the Mondex scheme are:
 it provides an additional, alternative form of payment, and thereby increases customer service;
 it enables a reduction in the cash balance carried, which reduces the risk of robbery, and possibly insurance
costs; and
 it simplifies reconciliation at the end of the cashier's shift, which has indirect benefits in terms of labour
costs and/or customer service levels.
In order to offer Mondex payments, retailers must acquire a modest amount of equipment, and integrate it into their
point-of-sales operations. They run the risk that insufficient consumers may use the scheme to make it worth the
investment. There is also the possibility that inadequacies in the scheme's design may reflect badly on the retailer,
e.g. the inability to download value from the customer's bank account at the point of sale. In the unlikely event that
other forms of payment were not carried by the retailer's customers, there would be the risk that some transactions
could not be consummated, because of the lack of an acceptable means of payment.
The retailer must trust that the amount displayed on the terminal's screen has actually been credited to the value on
the retailer's Mondex card, and must train their staff to check the amount visually. This would appear to be under the
control of the Mondex chip in the retailer's card, and hence the risk of a programming error and fraud by Mondex
may be borne by the retailer.
Depending on the terms of their contracts with their card-issuer, retailers may also run the risk that value-transfers
onto the retailer's Mondex card, which were processed in good faith, may not be honoured by their bank. There is
the risk of the retailer's Mondex card being lost, or the functionality damaged beyond repair and recognition, e.g. by
an accident such as standing on it, or an electrical malfunction in the terminal. It appears likely that the onus would
be on the retailer to prove the value that is contained in a damaged or lost card. This may or may not be feasible,
depending on the internal design and data-capacity of the retailer terminals, including the nature of the medium in
which the transaction trail is stored.
A risk exists that cashiers may issue unauthorised credits. To counter this risk, Mondex retailer terminals are
configured such that they can be set to 'receive-only'. In this mode, Mondex value cannot be paid out of the chip in
the terminal without a code being entered, presumably by a supervisor.
(c) Consumers
From the consumer's viewpoint, purchasing transactions are simplified, because the same item has to be handed over
on each occasion a purchase is made; no search for appropriate denominations of notes and coins is necessary.
The consumer needs to invest some concentration at the point of sale, to ensure that the total appearing on the
customer-viewable display is accurate (in the case of simple purchases), or credible (in the case of multiple-item
purchases). In addition, trust is needed, that the amount debited to the card is the same as that displayed. This is
much the same as with purchases using any other form of value except cash (where the consumer retains control
through choice of the notes and coins tendered, and the ability to count the change). As an adjunct to the
development and maintenance of that trust, readers are being provided capable of displaying the balance and the last
ten transactions. These are of some consequence, but they do not add up to a particularly substantial protection.
The card may be locked by the consumer. This denies the benefit of the outstanding value to any would-be thief, but
it does not save the loss of the value by the consumer. Hence the disincentive to the thief is merely the possibility
that the victim may have locked the card, and since the majority of card-holders are likely, for reasons of apathy and
forgetfulness, to leave their cards unlocked most of the time, thieves are hardly likely to be dissuaded from
practising their trade. Unlike cash, Mondex cards will be capable of being returned by an honest finder, via the card-issuer. The incidence of this occurring may, however, be less than dramatic.
The locking of a card creates inconvenience and an additional risk-exposure. The inconvenience arises from having
to find a device at which it can be unlocked (most conveniently, but expensively, using one's own wallet; or at a
public balance-reader or public payphone). The risk is that the PCN has to be keyed in order to unlock the card, and
the act of keying is most probably done in public, increasing the risk of observation of the PCN by a potential thief
of the card. This risk is likely to be largely borne by the consumer.
There is the risk of the consumer's Mondex card being lost, or the functionality damaged beyond repair and
recognition, e.g. by an accident such as standing on it, or an electrical malfunction in a terminal. The onus appears to
be on the consumer to prove the value that is contained in a damaged or lost card (Condition 1.4(ii) and 2.1-2.7). If
the card is lost or unreadable, there appears to be no other record, and the value would be foregone (unless the card-issuer is prepared to accept and credit the card-holder's account for such amount as the card-holder is prepared to
estimate in an affidavit).
A possible exception would exist if the card-issuer were to download all data from all merchant Mondex-cards, and
maintain a complete record of all transactions against a given PID, enabling re-construction of the balance that
should have been remaining on the missing card. However there are at least three leakages of transaction
information:
 from merchants' cards which are submitted late for value-downloading to the merchant's bank-account;
 from merchants' cards which overflow the maximum storage limit (which is currently 300 transactions);
and
 from payments onto Mondex cards in wallets, some of which will be consumers' cards with only a 10-transaction limit, and others of which will be merchants' cards which are used in a 'Mondex-cash economy',
and seldom presented for down-loading to a bank account.
Because this is a systematic rather than a random risk, it appears unlikely that the card-issuer would be prepared to
accept it.
This analysis is in conflict with a section of text appearing on Mondex's web-pages, which states that "If the damage
is so severe that it is impossible to read the balance left on the card the cardholder can claim the value back from the
issuing bank". Given that this sentence is internally inconsistent, and that express conditions are likely to be read as
over-riding vague marketing 'hype', it may be advisable to assume that the risk of damage beyond repair is in fact
borne by the card-holder.
On the other hand, Mondex International stated during discussions that limits on card-holder liability would be set
consistently with the banking law or code of banking practice or equivalent in each jurisdiction in which the
Mondex card is issued or used, and hence the card-issuer would be expected to generally accept the card-holder's
story.
The value that is foregone with a lost or irretrievably damaged card may be limited by downloading relatively small
amounts; but this is at the inconvenience of running out of value earlier, and having to go more often to the
relatively few devices capable of downloading value from the account.
A further risk is that a lost or stolen card may be used not only for the value stored on it, but also as a means of
downloading additional value onto the card. Downloading is a PCN-protected transaction, but PCNs may be
captured in several ways, including discovery of the PCN written on the card, or elsewhere in materials stolen or
observed during the robbery; and observation of the consumer's use of the PCN at any device requiring its use,
including ATMs, public and private phones, wallets, and balance-readers.
The manner of apportionment of this risk depends on the law and practice in each jurisdiction. In the United
Kingdom (as in Australia), the risk of an unauthorised withdrawal would be initially carried by the card-holder.
Once the loss of the card had been notified to the card-issuer, the liability might thereafter be limited (in the U.K. to
£50, and in Australia to $50); if, however, the financial institution deemed the loss or withdrawal to have
resulted from fraud or gross negligence, it would be free to force the whole of the risk onto the card-holder.
8. The Interests of Non-Participants
Other organisations and individuals which are not direct participants may have interests in aspects of the scheme.
These are discussed in this section.
(a) Residual Risks
In the event that a valid card is manipulated to create value, or a bogus card is devised whose value-content has all
the appearance of the value-content of a valid one, it is not entirely clear who runs the risk.
If the forged electronic cash were genuinely undetectable (which depends on the security features of the scheme,
which do not appear to be publicly available), then it may be that no participant is at risk - the originator gains
money by minting currency, and the currency is subject to implicit deflation because of the unauthorised and
undetected increase in the money supply.
Central banks and other agencies with responsibilities for macro-economic management have a considerable interest
in this aspect. Design features to address this concern may have a negative impact on other interests, including
privacy.
(b) Law Enforcement Agencies
Another class of organisations with interests in this area is law enforcement agencies. They are concerned about the
control of existing ways of 'washing' or 'laundering' the proceeds of crime, and about the emergence of new ways.
They want all transactions, or at least all transactions of significant value, to be identified as to the payer and
payee, and hence traceable. Anonymous payment mechanisms are therefore likely to excite their opposition, and
pseudonymous schemes are likely to be viewed with less enthusiasm than identified ones.
(c) Taxation Agencies
Taxation agencies have reason to be concerned about the collectability of revenue on behalf of the government.
Revenue arising from the flow of value through accounts held with financial institutions has been increasingly
important to many governments in recent years.
It is possible that the Mondex scheme's effects on these flows may be neutral. On the other hand, retailers may be
successful in conducting an increasing proportion of their business, both inflows and outflows, using Mondex cards.
To the extent that they were to net the effect of the two, the apparent cash flow through their accounts would be
reduced, and with it government revenues. Retailers do precisely this now with cash transactions, but the scope for
doing so might be increased by the Mondex scheme.
9. Personal Data in the Mondex Scheme
Previous sections have considered commercial and other aspects of the scheme. The crucial issue of privacy
remains, and is addressed by this and the following two sections.
(a) Standing Data
Mondex cards are designed to be associated with an account. Card-issuers require some amount of information
about the account- and card-holders, in order to protect their own commercial interests, and in some jurisdictions
perhaps also in order to comply with domestic law. There appears to be only a limited amount of additional personal
data which may be needed by card-issuers in order to support a Mondex card (in particular, a list of the PIDs of the
cards which are associated with each account). Some card-issuers may choose to seek additional data, e.g. for
market research or marketing purposes.
Because the value is transferred reliably and securely at the point of sale, there is no apparent reason why retailers
should seek additional information from customers. Indeed, there may be a medium-term impact whereby fewer
consumers keep accounts with retailers, and hence there could be an actual decrease in the data kept by retailers
about their customers. This, of course, runs counter to the current tendency for more intense retailer-customer
'loyalty' relationships, and any such effect may therefore be swamped.
There is no apparent reason why Mondex itself would have any relationship with a Mondex card-holder. The only
circumstance in which it handles personal data is for audit / risk management purposes.
(b) Data About Value-Downloads and Value-Uploads
Data is collected by the card-issuer in relation to the download of value onto the card, which is of course also a
withdrawal from the associated account. Similarly, data about each upload/deposit is recorded. This is essentially the
same as conventional withdrawals and deposits.
The impacts of the scheme on the frequency and scale of withdrawals, and hence the intensity of the transaction
trail, are difficult to predict. To the extent that Mondex card-payment replaces identified cheques, credit-card
vouchers and on-line debit transactions with pseudonymous Mondex cash, it would reduce the data intensity of the
audit trail. On the other hand, frequent small-value downloads to the card could increase the intensity of the trail.
No data is gathered by retailers, because, at least at this stage, there are no value-download or upload-facilities
available at retailer premises, or which otherwise involve retailers. Telephone companies generally, and British
Telecom in particular, may however be a special case, because they may in principle be able to accumulate into a
database information about value-download and value-upload transactions conducted at public and private
telephones.
In general, data is not gathered by Mondex itself, because its business is the provision of licences to use the
technology, and it is not involved in the operational aspects of the Mondex scheme. An exception arises in respect of
the audit / risk management function, which involves transfer of samples of transaction data.
(c) Value-Transfer Data - Off-Line
Value-transfer transactions occur between Mondex chips. Where the chips are located in the same device, there is no
need for any network connection, and they are performed 'off-line'. In these circumstances, transaction data is
recorded in three locations:
 on the payer's card, which retains the following data about the latest ten transactions:
 the date and time as provided by the terminal;
 whether the transaction is a debit or a credit to the card-balance;
 the value;
 data which identifies the other party, as provided by the payee's chip; and
 the PID of the other Mondex chip with which the transaction was performed;
 on the payee's card (including a retailer's card, which may be in a retailer's terminal, a special-purpose
terminal or a wallet; or another consumer's card, using a wallet to effect the transaction). The payee's card
records the same information as is recorded on the payer's card about the latest ten transactions it is
involved in; and
 in the case of retailers' terminals and special-purpose terminals (but not wallets), in non-volatile memory
in the terminal. The terminal retains the same data as is retained by the payee's card, for a period or in a
cycle determined by the manufacturer of the terminal and/or the retailer. This is currently limited by the
card's capacity to the most recent 300 transactions.
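The trail data structure just listed, and the argument in section 7(c) that a card-issuer could not reliably reconstruct a lost card's balance from merchants' trails because of the three leakages, can be made concrete with the following added example. It is illustrative code, not Mondex's own design: the PIDs, the partial identifiers, the 10,000-pence download, the 150- and 300-pence purchases and the day's worth of other customers are all constructed for the example, and the field names are assumptions. The fixed-capacity trail is modelled with a deque that discards its oldest entry once full, which is the overflow behaviour described for the 300-transaction limit.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TrailEntry:
    """One record in a purse's transaction trail (fields as listed in the text)."""
    when: datetime
    credit: bool        # True if this purse received the value
    value: int          # pence
    other_pid: str      # PID of the counterpart chip
    other_ident: str    # partial holder identifier passed by the counterpart


class Purse:
    def __init__(self, pid, ident, balance, trail_capacity):
        self.pid, self.ident, self.balance = pid, ident, balance
        # deque(maxlen=n) silently discards the oldest entry once n is reached.
        self.trail = deque(maxlen=trail_capacity)


def transfer(payer, payee, value, when):
    """Off-line value transfer: both chips record the same facts from their own side."""
    if value > payer.balance:
        raise ValueError("insufficient value")
    payer.balance -= value
    payee.balance += value
    payer.trail.append(TrailEntry(when, False, value, payee.pid, payee.ident))
    payee.trail.append(TrailEntry(when, True, value, payer.pid, payer.ident))


def reconstruct_balance(pid, downloaded, submitted_trails):
    """Issuer's view of a lost card: value downloaded, less payments seen in the
    trails submitted by payees, plus any value those trails show paid back to it."""
    paid_out = sum(e.value for t in submitted_trails for e in t
                   if e.credit and e.other_pid == pid)
    paid_in = sum(e.value for t in submitted_trails for e in t
                  if not e.credit and e.other_pid == pid)
    return downloaded - paid_out + paid_in


def scenario(terminal_capacity=300, wallet_submitted=False):
    """Returns (true balance of the lost card, issuer's reconstruction,
    entries remaining on the shop's trail)."""
    downloaded = 10000
    consumer = Purse("C-0001", "RC", downloaded, 10)               # 10-entry card trail
    shop = Purse("M-0001", "SHOP", 0, terminal_capacity)           # retailer terminal
    stall = Purse("M-0002", "STALL", 0, 10)                        # wallet-based trader
    t0 = datetime(1996, 2, 15, 9, 0)
    transfer(consumer, shop, 150, t0)                              # early purchase at the shop
    for i in range(310):                                           # a busy day of other customers
        other = Purse(f"C-{i + 2:04d}", "XX", 1000, 10)
        transfer(other, shop, 100, t0 + timedelta(minutes=i + 1))
    transfer(consumer, stall, 300, t0 + timedelta(hours=6))        # payment into a wallet
    trails = [shop.trail] + ([stall.trail] if wallet_submitted else [])
    return (consumer.balance,
            reconstruct_balance(consumer.pid, downloaded, trails),
            len(shop.trail))
```

With the defaults, the shop's 300-entry trail has already overwritten the consumer's morning purchase and the stall's wallet is never submitted, so the issuer reconstructs 10,000 pence against a true balance of 9,550: an over-credit of exactly the two leaked payments. Only with an unbounded terminal trail and every wallet submitted does the reconstruction agree with the card, which is the condition the text argues is not met in practice.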
Mondex International claims that the general scheme does not require that any personal identification data be carried
on the card or passed to other cards with which it conducts transactions. However, in the Swindon trial, and hence
the proposed U.K. implementation, incomplete or confirmatory identification data about the card-holder is
included. In the case of the Midland Bank this comprises the card-holder's initials, and in the case of NatWest it is
the first 7 characters of the card-holder's surname. Depending on how this feature is used, it may have quite limited
implications, or dramatically change each Mondex implementation's privacy profile.
The latest-ten-transactions data recorded on Mondex cards could be used as a means of building up a transactions
database, but it would be a labour-intensive and error-prone mechanism, for consumer and retailer alike.
On the other hand, the terminal transaction-trail provides the retailer with the opportunity to download the
data into a transaction database. The value of such a database appears to be limited, however, because it contains
nothing about the goods or services sold (because it carries the total value only, and no detail of the line-items that
make up the complete transaction), and hence is of little use as an inventory-maintenance tool or even as a basis for
sales-analysis or market research; and it contains only an incomplete customer identifier (currently initials or first 7
letters of surname). Provided that the precision of the identifier remains very low, it would appear to have limited
potential as a marketing tool.
In general, the card-issuer is not involved in an off-line Mondex transaction, and has no direct access to the data
flow; and Mondex itself has no part to play in the use of the scheme, and also has no access to the data flow. An
exception exists in relation to audit / risk management, which involves occasional samples of transactions.
(d) Value-Transfer Data - On-Line
Where the Mondex chips involved in a transaction are located at distance from one another, a network connection is
necessary. Two applications appear to be operational in Swindon:
 at Mondex-enabled public payphones, calls can be paid for using a Mondex card. It appears that the
payment involves transfer across the telephone network to a Mondex chip in an exchange or at a BT central
site;
 at Mondex-enabled phones, both public and private, it is possible to conduct a payment
transaction with another party who inserts their Mondex card into another Mondex-enabled public
payphone or private phone. This can be used for a variety of purposes, including secure payments under
tele-marketing and telephone-ordering scenarios; and for download of value onto the card of another
member of a family or employee of a company.
It does not appear that any information is in the public domain which explains what data is recorded by whom, in
these circumstances. It appears that the Mondex chips used by both the payer and the payee would record the data
concerning the latest ten transactions. Furthermore, it appears to be technically possible for the telephone
company or retailer involved in a transaction to capture the transaction data into a permanent database.
Given that there are specifications in existence whereby terminal manufacturers can gain access to the transaction
data in order to maintain an audit trail, it seems reasonable to assume that BT's own equipment at exchange-level or
at a central location, and the BT-supplied private telephone, may be capable of gathering a transaction-trail.
(e) Exception Data
The Cardholder Conditions refer to an 'Exception Log', which is "a record, inside the Purse [which is in turn defined
as "a store of Mondex Cash"], which can be read and printed and which holds particulars of any irregular or
incomplete transactions". The term is used in clause 5.2, which enables Mondex or the card-issuer to rely on the log
as conclusive evidence.
Mondex International stated that the first 1 million transactions in its Goodman Fields pilot generated about 30 such
exception records. Unless the scheme becomes a great deal more error-prone, or the feature is subverted to
additional purposes, this aspect does not appear to generate personal data of sufficient intensity to be of any value or
threat for other than its original purpose.
10. The Consumer Privacy Interest
This is considered in three sub-sections, dealing respectively with the direct and substantive privacy-invasiveness of
the scheme, and with the potential for additional privacy invasions.
(a) The Mondex Scheme's Substantive Privacy-Invasiveness
The volume of personal data held by the card-issuer remains much the same as in the case of counter- and ATM-based cash operations, in that withdrawals and deposits which were previously in the form of cash and cheques
become downloads to and uploads from the card. Secondary effects may cause an increase or decrease in the
intensity of the data held.
Retailers would now hold additional data compared to the current circumstances, because previously unidentified
cash transactions are being replaced by electronic transactions which generate a transaction trail including the PID
of the card and, at least in the case of the U.K. implementation, a partial identifier.
Neither is a precise or direct identifier of the individual, however, nor even of the individual's account. This is
because the cross-index between the PID and the account, and hence the individual who owns the account, is held by
the card-issuer; and the identification data is not, at this stage at least, sufficiently precise to be used as a key.
A factor which serves to obscure the trail is that the card-holder may not be the same person as the owner of the
account. For example, it is feasible, at least in principle, for value on a Mondex card to be given as a gift. The gift-giver would use his PCN to download value onto a new card. The recipient could spend the value on the card, but,
provided that the giver did not provide the recipient with the PCN, the recipient would be unable to download any
further value onto the card, because it would be associated with the giver's account. It would seem much more
practicable for the giver to transfer funds onto the recipient's own card, using a telephone or wallet.
In practice, it appears unlikely that account-holders will arrange for the issue of cards except within closely
associated groups (in particular families and companies); and hence the privacy-protection afforded by this aspect is
minimal.
In summary, the Mondex scheme appears to have fairly limited direct and substantive negative effects on
individual privacy; but this statement must be qualified in a number of respects:
 the scope for retailers, telecommunications companies and tele-marketing organisations to collect
transaction data into a database;
 the existence, definition and precision of the card-holder identification data held on the card and passed to
other cards with which transactions are undertaken;
 any material inaccuracies in the information on which the analysis is based; and
 any material changes to the specifications or implementation details.
(b) The Mondex Scheme's Potential Privacy-Invasiveness
The Mondex scheme embodies significant potential for substantial privacy impact. A far more intensive transaction-trail comes into existence, covering of the order of 5-10 cash transactions per day which were previously unidentified. This can be compared with existing trails arising from cheque, credit-card and debit-card transactions, which are more typically in the range of 5-10 per week than per day. These transactions are associated with an identified card, whose holder is recorded on a card-issuer database, and which may, depending on the particular implementation, itself contain an identifier for the card-holder.
Ways in which the potential could be translated into an actual increase in privacy-invasiveness include:
• the retailer may link the PID with the customer. Possible ways in which this may occur are:
  - personal knowledge by the cashier of the card-holder, noted at the time of the transaction;
  - provision by the card-holder of their PID (e.g. by joining a 'loyalty scheme' which requires or requests that information);
  - provision by the card-holder of identifying information at the time of the transaction (e.g. by filling out a warranty card); and
  - capture by the retailer of additional data scanned from the card (e.g. by optical character recognition of printed or embossed data, or from the magnetic-stripe);
• the retailer may gain access to at least some of the card-issuer's data. Scenarios under which this could arise include merger, alliance and contract between the two organisations. Where the card-issuer is a financial institution, this would appear to be a breach of banker-client confidentiality; but firstly the law of confidence is a highly qualified and unreliable privacy protection, and secondly it seems unlikely that all card-issuers will be banks;
• the card-issuer may gain access to at least some of the retailer's data. This may arise from the formation of a merger or alliance between a card-issuer and one or more retailers, or could be a condition of contract between the card-issuer and retailers, possibly in return for consideration. There are many jurisdictions in which such an arrangement would be legally permissible, irrespective of the views of consumer lobbies or of individual consumers; and
• some third party may gain access to both the transaction trail gathered by one or more retailers and a card-issuer's index. This may be:
  - a private sector corporation (e.g. by way of contract, or by corporate sale, takeover or alliance); or
  - a government agency (e.g. by exercise of its demand powers under some statute). The most obvious agencies which might be expected to exercise such powers, either exceptionally or perhaps even routinely, would appear to be taxation agencies, benefit-paying agencies, law enforcement bodies and the emergent specialist surveillance agencies which exist or are being formed to undertake such programs as data matching and the monitoring of large cash transactions.
The basic Mondex scheme appears to be relatively privacy-benign. However, because it involves a substantial
additional trail of pseudonymous transactions, it creates the potential for substantial additional privacy invasions.
11. Mondex's Approach to Privacy
Mondex International claims to have adopted a very positive approach to privacy. On the other hand, several
examples provided below suggest that either the company had a deficient privacy strategy, or the company failed to
articulate its privacy strategy, or the company under-invested in its implementation. This comment is made from the
perspective of the Australian marketplace. Mondex staff are candid in their assessment that awareness and concerns
about privacy aspects of value-card schemes are much higher and better-informed in Australia than in any other
marketplace with which they are currently engaged.
One example is that the word 'privacy', and even the concept, appear to be entirely missing from the application
form, the Cardholder Conditions, and the brochures available from the shop-front in Swindon; whereas the rights of
Mondex and card-issuers to hold and disclose personal data about the card-holder are established in forthright terms
(Condition 1.12).
Another example is the claim, made both explicitly and implicitly on Mondex's original web-pages, that "Mondex
transactions are anonymous". This was misleading, and materially so, because, as discussed above, Mondex cash is
pseudonymous rather than anonymous. Mondex International advised that the initial version of the web-pages was
less carefully phrased than other documents: the core precept was 'private', whereas the term 'anonymous' was used
in the web-pages. The word 'anonymous' was removed in early 1996. However, the continued use of the expression "Mondex is cash" carries a similar implication.
A brief answer to the 'frequently asked question' "what about privacy?" is provided in Mondex's web-pages, and
because it is the only information that appears to be provided, it is reproduced below in full:
"In everyday use Mondex transactions are anonymous, just like cash. However, if the
card is lost, a unique 16-digit identity number stored on the chip [the PID], which will
have been registered by a card-providing bank against the personal details of the
customer, may be used in order to return the card to its rightful owner. Cards also
contain a "purse narrative". The customer's narrative would contain the names of the
retailers - letting them know where they have used their card [sic - they could be
expected to already know where they have used their card]. Only a cardholder will have
access to the statement entries on their card which detail transactions. A cardholder will
be able to lock their card and prevent unauthorised access".
It appears that neither the brochures nor the web-pages notify the card-holder that transaction data including the PID
of the card is stored in the retailer's Mondex card, and in the memory within the retailer's terminal, and, in the case
of transactions with the telecommunications company, possibly in that company's records also. Mondex says that there is no requirement that it do so, because, it claims, the data is technically not 'personal data' under the Data Protection Act 1984.
Further evidence of inadequacies in Mondex's strategic planning in relation to privacy is provided by its clumsy
handling of its dealings with a public interest group, Privacy International. The ambiguous use of the term 'audit
trail' resulted in a complaint by that organisation to the U.K. Trading Standards Board, on the grounds that Mondex
claimed its scheme to be as anonymous as cash when in fact there is an audit trail containing an indirect identifier.
Although the complaint has been withdrawn and that particular matter has subsided, the media coverage may prove
to have been detrimental to the Mondex scheme's image.
If Mondex's privacy strategy had been fully articulated, the documentation would not have been so deficient in its
treatment of matters which are important to some consumers, and which may transpire to be critical to public
acceptance of the product; and its staff would have been sensitive to, and aware of the nature of, privacy concerns,
and trained to deal appropriately with such issues.
12. Future Developments
The Mondex scheme is currently being trialled, and gives every impression of functioning successfully, at least in a
technical sense. It is to be expected that it will change as it matures and experience is gained. It is also to be
expected that the details of its implementation may be significantly different in different marketplaces, to reflect
different commercial traditions, different needs, different institutional structures and processes, and different
balances of power among private sector organisations and between the private sector and relevant government
agencies.
If consumer acceptance is relatively slow, further changes may need to be made to make it more attractive to
consumers; whereas if it gains quick and substantial acceptance, the scope for changes to be forced by the consumer
movement will be limited. Retailers, to some extent, and card-issuers to a much greater degree, are in a position to
bring about further modifications and enhancements.
Large corporations in particular seem likely to be interested in a greater intensity of data, in order to support their
consumer market research and consumer marketing efforts. Law enforcement and tax collection agencies are likely
to be concerned about any drift away from identified (and therefore traceable and taxable) transactions towards
pseudonymous or anonymous transactions. This is likely to be particularly so, given the trends during recent years
towards ever-greater intensity of identified transaction-trails, and the considerable enthusiasm elements of the public
sector have evidenced for automated surveillance of the population in general.
In many countries, the existing privacy laws were largely motivated by the needs of both the private and the public
sectors to legitimate and entrench their uses of personal data. Most 'watchdog' agencies have limited powers and
limited resources, and some are constrained by significant amounts of 'red tape'.
Policy agencies and legislators in many countries have sensed a change in the mood of the public relating to privacy,
and a new round of privacy law is in the offing. Particularly in view of their inherent mysteriousness, and the
credible stories about hidden uses of data, consumer privacy concerns may well focus on chip-card based payment
schemes.
If that is the case, anonymous and pseudonymous schemes may prove to be particularly attractive to the public.
Mondex may be a big winner if such a movement occurs, provided that it is in fact, and remains, a pseudonymous
scheme, and consolidation of the transaction trail, and inter-relationship between the data and the index remain most
unusual occurrences and do not become routinised.
13. Summary
The conclusions drawn in this document are necessarily tentative, because of the extent to which it has been
necessary to interpolate and surmise. Subject to that qualification, the Mondex value-card scheme has the following
features:
• in use, it is in many respects fairly closely analogous to cash payment, and offers the prospect of considerable savings of cost and time, to card-issuers, to retailers and possibly also to consumers;
• the scheme is technically and commercially mature and well-articulated, in the sense that a significant proportion of the strategically important factors appear to have been effectively addressed;
• the entry cost for all participants appears to be relatively low;
• it meshes in a straightforward manner with existing bank procedures, in that the download of value onto a card is simply a withdrawal resulting in a secure exchange with a remote chip rather than the delivery of notes;
• there is no ability to download value to the card from retailers' premises, because download to the card requires an on-line connection between the bank and the card, and retailers' terminals are not on-line (or at least are not at this stage);
• depending on the terms and conditions that are applied, consumers may carry considerable risk exposure;
• unlike conventional cash payments, which are genuinely anonymous, Mondex transactions with retailers are pseudonymous: the retailer retains a record of the PID number of the card with which business was transacted, and the PID number is an indirect identifier of the account-holder and payer;
• the Mondex scheme's substantive privacy implications appear to be limited, provided that transaction data is not consolidated and the protections of the consumer's identity are not overcome;
• the Mondex scheme's potential privacy implications are considerable;
• there is little evidence that Mondex International appreciates the strategic importance of the privacy issue, and, at least in marketplaces which are sensitive to privacy issues, this may hamper the scheme's success; and
• the Mondex scheme has considerable implications for several aspects of government.