Solving the challenges with mobile NFC Payments – Part 2

As discussed in Part 1 of this blog post, mobile NFC payments have some challenges. This post will look at how wearable payments work and how they can meet these challenges.

Enter wearables

In October 2015, Mastercard and NXP announced something that might have been the start of the solution: New Program that can Turn any Wearable into a Payment Device. Since then, several announcements have been made on wearable or IoT payment (like this, this, or this). While several of these are quite distant for the average consumer, wearable device payments are already here.

Two major challenges in particular can be met with wearable payments: iOS support and speed at checkout.

Payments using wearables work by provisioning the payment credentials onto the wearable device. This can be done during production, but that only allows for simple, static, pre-paid solutions. However, by connecting the wearable to a mobile app and using the app as a proxy for credential provisioning, there are (almost) no limits to which cards can be added. In addition, this allows for real-time lifecycle management of the credential stored on the device.

What does this mean?

  1. Remove the NFC block on iOS devices. Even if your customer is using an iPhone, she can deploy payment cards on her wearable device through the open Bluetooth channel. During payment, she uses the NFC channel on the wearable, circumventing the close control Apple has put on its devices.
  2. Always at hand - literally. Paying with a wearable device, such as a smart watch, bracelet or even a ring, removes the need to find the device in the first place. Tap your wrist or hand towards the payment terminal, and the purchase is performed within milliseconds. You can’t do it cooler - or faster!

Hype or future?

Obviously, payment through wearables has its advantages. The big question that remains is whether it is only hype, or whether we actually will see people tapping their wrists to get their favorite sub on the way home from work.

Apple Pay through Apple Watch has been around for about three years. Even so, analysts report a slow start. Similarly, Samsung Pay has been available on Samsung Gear devices since 2015. These solutions have had a limited list of supported Issuers, but as that list grows, usage is growing at high speed.

User research conducted by Seqr showed that 61 % of all users wanted to pay with a wearable device. Furthermore, it showed that more than 70 % would have no worries about the security of such a solution.

MeaWallet has seen an increase in OEM vendors – well established as well as small start-ups – reaching out to us to learn more about our offerings for wearable payments.

In summary, we see that wearable payments are coming, and we believe they are coming fast. We might be too far into 2017, but 2018 might prove to be the Year of Wearable Payments.

Do you want to learn more about wearable payments and what they can do for you? Click here to download the fact sheet, or leave us a message to have one of our sales representatives get in touch.

How Does HCE Address the EMV Goals?

Before following up on the last post about wearable payments, we bring you a guest post. It looks into HCE technology and how it relates to the EMV security standard. It was written by Christian Maas at Mea's business partner ti&m; the original blog post can be found here.

Not a day goes by without new mobile payment apps popping up or Original Equipment Manufacturers (OEMs) launching their own mobile wallets (Apple Pay, Samsung Pay, Android Pay) in additional countries. Switzerland in particular plays an interesting role by focusing on the payment solution TWINT to meet local mobile payment needs. However, regardless of the payment app and underlying technology, all solutions need to balance usability and security in order to justify a valid business case.

This article introduces Host Card Emulation (HCE) as the standard technology stack for your Android-based payment app and addresses how it meets the main EMV (Europay International, MasterCard, and VISA) goals to ensure secure payments at the Point of Sale (POS).

Understanding the role of Host Card Emulation

HCE is the term used to describe the entire ecosystem of mobile payment solutions on Android-based devices that do not have access to a Secure Element (SE) or a Trusted Execution Environment (TEE). SE and TEE usually rely on proprietary hardware security to store and access sensitive keys such as the Card Master Key (CMK), whereas HCE solves this by using mobile device software in combination with a remote server.

There are various stakeholders in the HCE ecosystem, each playing an important part in providing a seamless and secure payment experience to the cardholder: a secure payment app that builds the user interface to initiate a mobile payment, a trusted Wallet Service Provider (WSP), and finally a Tokenization Service Provider (TSP) that replaces the PAN with a payment token (DPAN).

Whenever we think of Host Card Emulation, we tend to focus on transaction flows rather than on what “card emulation” actually stands for. The secure payment app is the equivalent of the card program that runs on the plastic card’s contact chip. As a result, the payment app ensures that a valid EMV transaction is sent to the Near Field Communication (read about NFC here) reader at the Point of Sale.

As EMV transactions came to be recognized as the more secure solution compared to magnetic stripe based payments, all HCE participants, such as software and hardware vendors, card issuers and card schemes, have aimed for the same security levels and market acceptance.

Does HCE live up to the EMV standards?

The main goals of EMV are to reduce fraud by the following measures:

  • Validating authentication of payment card (chip),
  • requesting cardholder verification,
  • validating transaction integrity, and
  • using risk management parameters.

Validating authentication of payment card (chip):

This means it should not be possible to copy a payment card or compromise the application programs on the chip. How can HCE solve this issue?

  1. After installing on the mobile device, each payment app has its unique instance ID.
  2. Registering the payment app on the device includes the storage of a device fingerprint at the HCE wallet server.
  3. The provisioning of a payment token to the software/hardware key store of a mobile device results in a unique combination of payment app instance ID, device fingerprint, and DPAN.
  4. Before replenishing limited-use Session Keys (SKs), the HCE wallet server validates the combination of the provisioned payment token, payment app instance ID, and device fingerprint.

In essence, the previously described steps make it difficult for a fraudster to request valid SKs from the HCE wallet server for a payment app that resides on a different device.

Requesting cardholder verification

You should be able to confirm that you are the cardholder by a method that is either dependent on the POS, transaction amount or other attributes. EMV allows several Cardholder Verification Methods (CVMs): Cardholder’s signature comparison by the merchant, validation of the PIN by either the issuer or the POS terminal, or “no CVM” at all, in case of low value/risk transactions. Now, what does cardholder verification look like for HCE?

  1. Card-Like User Experience (CLUE) – the payment app follows the same user experience as a regular contactless payment: tap and pay. Depending on the country, card schemes and POS terminals, Low-Value Transactions (LVTs) sometimes do not require cardholder verification. For a High-Value Transaction (HVT), the cardholder still has to enter his PIN at the POS.
  2. Consumer Device Cardholder Verification Method (CD-CVM) – users can authenticate themselves to the device via a fingerprint scan, password or swipe pattern.
  3. Flexible User Experience (FLUE) – this is a combination of CLUE and CD-CVM, but not solely one or the other.

The listed categories above give issuers and banks a flexible set to build a payment experience, which is in alignment with their standards and risk tolerance.

Validating transaction integrity

It is important to make sure that the transaction is not altered on the way between POS, card network, and the card issuer. Apart from using various sets of encryption keys and transaction identifiers, HCE exchanges a payment cryptogram based on DPAN-derived SKs to validate transaction integrity on the issuer side.

Using risk management parameters

Each stakeholder within the EMV ecosystem should be able to apply risk measures. Which safeguards does HCE put into place?

  1. Fraud systems are able to inspect the frequency of SK replenishment. In case of malicious behavior, the HCE wallet server can suspend the DPAN and stop the renewing of SKs.
  2. The payment app can only hold a small pool of SKs which minimizes the number of offline payments (the device has no internet connection) the fraudster could potentially make.
  3. Only allowing the provisioning of payment tokens on mobile devices that meet certain security standards, e.g. fingerprint reader versions, operating system versions, etc., will reduce risk as well.
  4. Velocity tracking of LVTs without an HVT in between.

This list is not complete, but it gives an idea of options issuers and banks can use to lower the risk of their HCE wallet service.
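As an added example (written for this post, not code from ti&m or MeaWallet), the following Python models the wallet-server side of the card-authentication steps above and of the first two risk-management controls: a DPAN bound to app instance ID and device fingerprint, session keys replenished only for that binding, a capped SK pool, and suspension when replenishment becomes too frequent. The cryptogram is a simplified HMAC stand-in for the DPAN-derived SK cryptogram described under transaction integrity; the class and function names and the thresholds are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
# Constructed model of an HCE wallet server (not any vendor's code). A DPAN is bound to
# the app instance ID and device fingerprint; SKs are replenished only when the binding
# matches. SK_POOL_MAX and MAX_REPLENISH_PER_HOUR are assumed values.
SK_POOL_MAX = 3
MAX_REPLENISH_PER_HOUR = 4
@dataclass
class TokenRecord:
    binding: str                                    # sha256(instance_id|device_fp|dpan)
    issued_sks: list = field(default_factory=list)  # SKs issued and not yet used
    replenish_times: list = field(default_factory=list)
    suspended: bool = False
def binding_hash(instance_id: str, device_fp: str, dpan: str) -> str:
    return hashlib.sha256(f"{instance_id}|{device_fp}|{dpan}".encode()).hexdigest()
def make_cryptogram(sk: bytes, tx_data: bytes) -> bytes:
    """Device side: simplified HMAC over the transaction data, not the EMV cryptogram."""
    return hmac.new(sk, tx_data, "sha256").digest()
class HceWalletServer:
    def __init__(self):
        self.tokens = {}

    def provision(self, instance_id: str, device_fp: str, dpan: str) -> None:
        self.tokens[dpan] = TokenRecord(binding_hash(instance_id, device_fp, dpan))

    def replenish(self, instance_id: str, device_fp: str, dpan: str, now: int) -> list:
        """Return new SKs for this app/device pair, or [] when the request is refused."""
        rec = self.tokens.get(dpan)
        if (rec is None or rec.suspended
                or rec.binding != binding_hash(instance_id, device_fp, dpan)):
            return []  # unknown or suspended DPAN, or request from another device/app
        rec.replenish_times = [t for t in rec.replenish_times if now - t < 3600]
        if len(rec.replenish_times) >= MAX_REPLENISH_PER_HOUR:
            rec.suspended = True  # frequency anomaly: suspend DPAN, stop renewing SKs
            return []
        rec.replenish_times.append(now)
        new = [secrets.token_bytes(16) for _ in range(SK_POOL_MAX - len(rec.issued_sks))]
        rec.issued_sks.extend(new)
        return new

    def verify_cryptogram(self, dpan: str, tx_data: bytes, cryptogram: bytes) -> bool:
        """Issuer side: the cryptogram must match an unused SK, which is then spent."""
        rec = self.tokens[dpan]
        for sk in rec.issued_sks:
            if hmac.compare_digest(make_cryptogram(sk, tx_data), cryptogram):
                rec.issued_sks.remove(sk)  # each limited-use SK covers one transaction
                return True
        return False
```

A replayed cryptogram fails because its SK has already been spent, and a request for the same DPAN from another device fingerprint or app instance gets no keys at all.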

Conclusion

HCE product companies constantly work on security concerns to maintain reliable payment solutions. It is a fast-growing market, which competes with the established OEM pays. However, competition is good, in particular when it comes to security. It keeps the pressure high not to lose the cardholder’s trust.


Solving the challenges with mobile NFC Payments – Part 1

The history of contactless payments

Payments using NFC are nothing new - it is something we have been talking about since 2003/2004. NFC is often referred to as the radio frequency standard that could solve all problems, removing any friction from payments and removing all of the world’s checkout queues.

NFC has slowly grown popular in the form of the plastic card, but when we talk about NFC payments, I bet the average industry veteran’s mind will drift to mobile NFC payments.

Mobile payments using NFC have almost been considered the Garden of Eden or the fountain of youth. And boy, have they been long expected; try searching for “year of mobile payments”, and you will find no less than 35+ million results!

If I had a dollar for every time I heard that this year/next year will be the year of mobile payments, I’d be drinking Piña Coladas on my private beach rather than writing this blog post.

But something has happened. After the launch of HCE in 2013, Apple Pay and Android Pay in 2015, and the avalanche of Issuer-HCE solutions launched in 2016, I think that in 2017 we finally can say that mobile payment based on NFC has reached some sort of maturity and market acceptance. Alas, the offering and acceptance vary from market to market, but the standards are set and the world is moving unified in one direction.

Solving The Challenges of Mobile NFC payments

Mobile contactless payment is in many ways a great answer to several challenges: the user “never” forgets his/her phone at home, you can combine multiple cards in one device, it makes the Issuer look forward-leaning and modern, and it provides a sense of coolness for the one using it. But even as mobile contactless payments spread, they still come with some challenges.

Personally, I’ve met with Issuers countless times over the last five years, and I’ve also had first-hand experience with the eight different wallets I’ve installed and use on a regular basis. In short, the issues and concerns I’ve heard about or experienced are:

  • iOS support - only for the selected few in selected markets that are willing to accept Apple’s terms
  • Merchant acceptance - for the user to trust the solution, he must trust that it is accepted. In most markets, contactless acceptance, albeit growing, is still under par.
  • SWW - “Something went wrong” is unfortunately still a problem. With a myriad of devices, standards, payment terminals and user expectations about the speed of tap & pay, the user will still every so often experience that “something went wrong”.
  • Speed at the checkout counter - some Issuers require the user to unlock their phone, find and open the app, select a card, and type in a PIN before they can tap - it’s not always as easy as just tap-and-pay with your contactless plastic

So how can these challenges be solved? This will be discussed in Part 2 of this blog post about wearable payments. 

Money 20/20 Europe

Money 20/20 - Our thoughts on Europe's biggest FinTech Conference

We’ve reached June, and this is the month of the biggest FinTech event in Europe: Money20/20 Europe. As the interest in FinTech has increased (watch trend below), so has the number of conferences covering the subject. MeaWallet is invited to about 80 conferences this year alone. We attend quite a few, but for MeaWallet, Money 20/20 is definitely a major focus.

Money 20/20 was first arranged at the Aria hotel in Las Vegas, October 2012. Mea was there with several representatives. This was the arena where we were first introduced to the concept of HCE. HCE revolutionized mobile payments when it was launched in Android KitKat a year later. Characteristic of the conference is that the top executives and the brightest heads in the FinTech industry gather there. This is where to go if you want to understand what happens before it happens.

A quick look at the agenda might help understand why. Five separate tracks running in parallel over three days, with 65 % C-level speakers, make the talks worth listening to. The audience includes more or less everyone that’s interesting to talk to if you’re in the business, which makes this one of the most hectic weeks of the year, packed with meetings in between the selected talks.

This year, MeaWallet will be present at booth G2 with our management, sales team and product team. If you are interested in hearing more about how our Token Platform can connect you to MDES and VTS, or just want to discuss mobile payments, drop by, or contact us to set up a meeting.

Only 3 weeks left! Come see us at #M2020EU this month! Register with code EXTRA200 to save on your pass http://bit.ly/22PdDTc