MeaWallet signs Merchant Tokenization agreement with Axepta BNP Paribas

30 January 2019 – MeaWallet and Axepta BNP Paribas have entered into an agreement to deliver Multi-Scheme EMV® Merchant Tokenization to the Italian market.

Axepta BNP Paribas is one of the leading payment service providers (PSP) in Italy. As one of the most innovative PSPs in Italy, Axepta BNP Paribas will enable Merchant Tokenization as a new offering to their customers. After a thorough process considering multiple vendors, the Company selected MeaWallet with their Merchant Tokenization Platform as their partner to provide this innovative service to Italian merchants.

Mea Merchant Tokenization connects merchants, PSPs and acquirers to the Mastercard Digital Enablement Service (MDES), the Visa Token Service (VTS) and the American Express Tokenization Service. This way they can benefit from each of the globally interoperable and scalable tokenization platforms through one easy integration.

What is Merchant Tokenization?

The way we pay is changing. Consumers are now using their PCs, smartphones, wearable devices and even cars to buy goods and services. To reduce fraud and to enable faster and more secure checkout, the EMV® schemes (Mastercard, Visa, Amex, Discover, JCB & Union Pay) have launched Merchant EMV Tokenization.

Digital payment solutions provider MeaWallet last year launched a new payment tokenization solution for merchants that delivers Mastercard, Visa and American Express tokenization services through a single connection.

Until now, merchants and PSPs have stored the primary account number (PAN) in a PCI DSS certified solution. With tokenization, the PAN is disconnected from the merchant and replaced with a unique identifier called a payment token. The ‘mapping’ between the real PAN and the payment tokens is safely stored in the token vault. Each merchant’s payment tokens carry a specific Merchant ID, so a token can only be used by the right merchant. The tokens use the same transaction flow as the original PAN. In the end, this gives better security, less fraud and an improved buying experience for consumers.

Mea Merchant Tokenization

A key benefit of Mea Merchant Tokenization is that it enables merchants to ensure their customers’ stored card payment details remain valid throughout the card expiry and reissuance process, without the customer needing to update them manually. This guards against the loss in sales that results from out-of-date card transactions being automatically declined. In a token-on-file model, the issuer ensures that new cards are automatically mapped to the merchant’s payment token. This removes the need for the customer to update their credentials and thus enhances their buying experience.
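A simplified model of the vault mapping and the token-on-file update described above, as an added example that is not MeaWallet's code or any scheme's API. `TokenVault`, its methods, the `990000` token range and the test card numbers are assumptions made for illustration.

```python
import secrets


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit for a digit string that lacks one."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class MerchantMismatch(Exception):
    """A token was presented by a merchant it was not issued to."""


class TokenVault:
    TOKEN_PREFIX = "990000"  # constructed token range, not a real BIN

    def __init__(self):
        self._accounts = {}   # account ref -> (current PAN, expiry)
        self._pan_index = {}  # current PAN -> account ref
        self._tokens = {}     # token -> (merchant ID, account ref)

    def tokenize(self, pan, expiry, merchant_id):
        """Issue a PAN-shaped token that only merchant_id may use."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails the Luhn check")
        ref = self._pan_index.get(pan)
        if ref is None:
            ref = secrets.token_hex(8)
            self._pan_index[pan] = ref
            self._accounts[ref] = (pan, expiry)
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(9))
            body = self.TOKEN_PREFIX + digits
            token = body + luhn_check_digit(body)
            if token not in self._tokens:
                break
        self._tokens[token] = (merchant_id, ref)
        return token

    def detokenize(self, token, merchant_id):
        """Resolve a token to the current card, enforcing the merchant binding."""
        bound_merchant, ref = self._tokens[token]  # KeyError for an unknown token
        if bound_merchant != merchant_id:
            raise MerchantMismatch(token)
        return self._accounts[ref]

    def reissue(self, old_pan, new_pan, new_expiry):
        """Issuer replaces a card: every token on the account keeps working."""
        if not luhn_valid(new_pan):
            raise ValueError("new PAN fails the Luhn check")
        ref = self._pan_index.pop(old_pan)
        self._pan_index[new_pan] = ref
        self._accounts[ref] = (new_pan, new_expiry)
```

The merchant stores only the token; after `reissue` the same token resolves to the new card without the customer re-entering anything.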

“Since 2013, MeaWallet has worked with the major payment schemes to deliver their payments technologies to financial institutions,” comments Jan Ivar Ljosland, CEO of MeaWallet. “We are very proud to be selected as the partner of Axepta BNP Paribas to deliver this innovative service to the Italian market. We see Merchant Tokenization as a natural next step for EMV tokenization and a proof that this technology will truly change the way we pay.”

Mea Merchant Tokenization complies with the specifications and requirements of each payment scheme and is delivered as a fully hosted service from MeaWallet’s secure PCI-DSS certified data center.

“Tokenization has become a cornerstone of secure digital payments and is the core focus for MeaWallet,” adds Ljosland. “We support card issuers, payment service providers and other financial institutions with both the knowledge and the technology solutions needed to simplify their implementation of tokenization services, so they can focus on delivering value added services and other digital features that differentiate them in the marketplace.”

Tokenization replaces sensitive card credentials, typically stored as card-on-file, with a merchant-specific token. In October 2018, Mastercard announced that it will enable token services on all cards by 2020 to make online transactions simple, seamless and secure.

Mastercard, American Express and Visa have, through their proprietary digital platforms, built tokenization and digitization solutions to support eCommerce merchant transactions. These platforms comply with EMV® Payment Tokenization, which utilizes tokens coupled with transaction cryptograms in order to bring EMV security to card-on-file transactions.

For more information on the evolution of tokenization, go to www.meawallet.com/products/ to download our lightweight eBook and MeaWallet’s Merchant Tokenization fact sheet, or contact us to set up a call!

 

 


Why Overhauling their Card UX is a Quick Win for Banks


The flood of new digital technologies, business models and stakeholders entering the payments industry is challenging banks’ capacity to retain customers. Making quick strides to dramatically improve their payment card user experience is an easy win, says Lars Sandtorv, CEO MeaWallet.

The payments industry is on the move. As new regulations come into force, a flow of new digitised payment technologies, business models and stakeholders is gaining serious traction in the market. This new school of payments is threatening to beat conventional banks at their own game. Few anticipate a wholesale demise of the banking industry as we know it, however; huge customer volumes shield most banks from serious threat. Nonetheless, it’s fair to say that banks’ grip on the market, and on their previously uncontested relationships with customers, is loosening fast.

Central to the problem is that, compared to their fintech counterparts, banks lack the required agility to keep pace with digitalisation; something that is now demonstrably impacting their customer retention. Blaming what it dubs the ‘friction endemic in almost every legacy payment system’, a recent report from Deloitte reveals quite how quickly users are moving away from traditional payment rails.  PayPal already has 250 million users. The rising popularity of the OEM Pays (including Android Pay, Apple Pay, and Samsung Pay) provides yet further evidence. Apple Pay alone is on track to reach 200 million users by 2020.  And by then, the global transaction value of mobile payment apps is expected to reach $14 trillion. 

 

The Challenge

The challenges facing banks are particularly acute in Europe, where the fintech scene is flourishing following a boost from supportive regulations like the second Payment Services Directive (PSD2). In a recent keynote speech, European Central Bank vice-president Luis de Guindos suggested that in parallel with meeting structural challenges, Europe’s banks must also face down increased competition from the fintech sector: “increased competition in lending, investments and payments is bound to increase pressure on retail banking revenues.”

With open banking and ‘bank direct’ payments arriving courtesy of PSD2, the ways that banks generate income are set for yet more disruption. All of this signals that banks need to find quick wins: enhancements that make the most of their current strengths, maximising revenues and offsetting rising customer attrition. This is particularly apparent for smaller banks, which lack the resources to develop their own proprietary digital payment systems.

 

The Solution

Overhauling their payment card infrastructure is one such opportunity. By collaborating with a specialist card payment platform provider, banks can make dramatic enhancements to their customers’ card payment experience, making their services and their brand more attractive as a result.

By combining support for the OEM Pays with additional services like EMV® Secure Remote Commerce (SRC), tokenization and token management facilities, banks can provide customers with greater flexibility and convenience, encouraging greater usage. 

So, what individual benefits do these capabilities bring to the table?

  • Payment-enabled bank apps
    By enabling a mobile banking app with wallet functionalities, customers can make in-store payments. This provides the flexibility to not only manage finances in the app, but also to make payments from the same environment.
  • Issued card to OEM Pays
    Connecting a banking app to the OEM Pays gives banks the potential to grow the customer base by providing a broader, more flexible solution, allowing consumers to select which wallet they’d prefer to use.
  • SRC enabled payments
    SRC is the next step in eCommerce that will enhance both security and user experience in online shopping. Customer benefits include a frictionless shopping experience via a reduced need for entering card and shipping information.
  • Greater customer control with a tokenized app
    Tokenization has become the new and modern standard to secure, provision and store card data to mobile, IoT devices and online merchants. With it, customers have the ability to enable push provisioning and manage tokens across multiple card schemes directly from the app.

 

 

Banks as brands

By improving functionality and increasing app usage, banks additionally stand to benefit from improved customer loyalty. This can lead to improved cross-selling opportunities: improved usability keeps the bank’s brand front and centre in the mind of its customers, leading to additional, more profitable revenue streams.

Our mission at MeaWallet is to help our clients simplify mobile payments and support implementation. Our team is passionate about the subject and continually looking at the evolution and trends in the mobile payments space. We welcome your comments or invite you to get in touch directly with us at contact@meawallet.com 



Get ready for the b.yond consortium launch

MeaWallet is a proud partner of the b.yond consortium, and we are excited to announce the launch of b.yond today. The user-friendly and innovative solutions will revolutionise the way banks innovate and banking technology, and simplify the processes for banks.

B.yond is a consortium of financial services, all synonymous with innovation and quality, who have come together to deliver the best in cutting edge banking technology. The technological solution delivers a digital banking platform across all devices. You can shape your customer experience with the knowledge that your design will be received as intended, and that your users will have access to LaunchPad on their computer, smart phone or tablet.

The digital banking solution is readily deployable with the agility and speed required in today’s digital world. LaunchPad is designed to keep you in touch with features such as: account load, physical and virtual cards, card control, payments and transfers, tokenization, savings pots and many more features.

It allows you to launch your mobile payment solution with speed to market within 4-8 weeks with a set of out-of-the-box core features and an option to further enhance with specialized vertical add-ons. The system ensures that the customer receives the rich experience you intended them to have, using intuitive interfaces and native design.

In an ever changing and complex environment b.yond is an engine room of innovation with one simple objective... make the complex simple.


MeaWallet contributes with security solutions

As one of Europe’s leading companies within digital payments, MeaWallet provides banks with high-quality products with a short time to market, such as the Mea Token Platform, which is built for enabling OEM Pays, Secure Remote Commerce and Token Management.

"MeaWallet has since the beginning in 2013 focused on EMV payment tokenization. Tokenization within EMV is the new standard, and includes issuers, PSPs, Gateways, Acquirers and Merchants. In December 2018 MeaWallet became the number 1 on Mastercard Digital vendor in the world. b.yond's focus is to combine the best services from the best vendors, into a combined offer. As one of the best EMV tokenization specialists, MeaWallet is a natural part of b.yond," says Lars Sandtorv, CEO and Head of MeaWallet.

Want to learn more? Contact Lars Sandtorv at lars@meawallet.com


Webinar video: The Evolution of Payment Cards Tokenization

In this video MeaWallet and Global Processing Services explore the evolution of payment cards tokenization.

The introduction of tokenization technology has started a revolution in how we pay and interact with our payment cards. This video will enable you to learn more about how tokenization has evolved and what it will mean for the future of card payments.

You will also get a better understanding of how card issuers can leverage tokenization to:

  • Increase transactions and improve approval rates
  • Drive traffic to their apps through new innovative service
  • Increase customer loyalty and cross-selling potential

Further, it will share how you can convert these new opportunities to services for your consumers, easily using modular SDKs and services.


How tokenization is changing the way we pay

Recent years have shown an increasing shift from traditional card payments to digital payments. A continually growing number of people use mobile phones, wearables, online and in-app payments daily to pay for goods and services. With the huge growth in digital payments, it is essential to have a secure and seamless user experience across devices, channels and solutions. At the same time, new opportunities for consumers, banks and merchants are introduced and new business models and capabilities enter.

Click here to download MeaWallet's eBook on tokenization, describing how tokenization is moving from v1.0 to v3.0 and what implications this brings to card issuers, merchants and consumers.


MeaWallet announces VC financing

Capital investment positions Nordic digital payments platform for continued growth

March 22, 2019 – Digital payment solutions provider, MeaWallet, today announces the completion of its transition into a refinanced independent entity, following a management buyout enabled by a substantial capital injection from venture capital firm Idekapital Fund 1.

The refinancing enables MeaWallet to further develop its digital payment solutions for issuers, processors and payment-service-providers, and continue to provide uninterrupted service for its customers.

“The management buyout and backing of Idekapital has given us the freedom and resources to reposition the business for growth in 2019,” says Lars Sandtorv, CEO, MeaWallet. “Our digital payments platform is already known for its great user experience, ease of integration and powerful tokenization features. We are now focused on extending these points of difference through further development, which will benefit our existing customer base and also enable other European payments firms to capitalize on our feature-rich digital services quickly and easily.”

Idekapital strategically invests in rapidly growing Norwegian technology companies. The fund currently has a portfolio of ten companies, comprising Software-as-a-Service firms and other specialist tech businesses.

“Idekapital has observed with interest the ongoing changes within the payment industry and sees the products of MeaWallet as strategically positioned in this landscape. Therefore, we are enthusiastic to become a significant investor in this company,” says Managing Partner, Anders Brandt, Idekapital Fund 1.

MeaWallet develops globally recognized proprietary, platform-agnostic tokenization technologies for banks and card issuers. The company is a Mastercard Engage Platinum Partner, part of the Visa Token Service Ready Program and an American Express GNS partner for Amex Pay.


The importance of a digital strategy

"Do you have a digital strategy?"

I often ask my customers this question and they all say yes! Based on today’s standard, the reality is that the definition of what a digital strategy encompasses is unclear, and the definition depends on the type of institution we are talking with.

In this day and age, the number one device used to access the internet is the mobile phone, and a digital strategy should be more than just launching an app. It is true that in some sectors, you can get away with just an app, but in reality, the success of these apps is related to the problem that they solve and to the way this is communicated to the customer.

When we talk about payments, there are a few more challenges to consider, since the action of paying is not, and never was, a problem, as long as you have cash or a plastic card. So, it is more important to have a digital strategy for the organization, not only to bring value to the customer but also to align all the processes inside the organization to support this strategy, in a digital manner.

So, what is a digital strategy?

I can start with what is not a digital strategy: the pure digitization of the card (in an Issuer app or OEMPay), issuing the card instantly in the app, offering instant credit in the app or enabling the card into wearables. Alone, these features will not generate the ROI. It is important to leverage these investments and adapt the organization to support the strategy, in a digital way.

Digital strategy really comes alive when the organization, in addition to becoming customer-centric, adapts all internal processes, including channel and sales strategy to support this new touch-point with the customer. This means that it is necessary to understand customers’ patterns of behavior and adapt the communication and sales channels accordingly. The goal is ultimately to create value for the customer, whilst promoting the adoption of mobile payments. The app has to be perceived as a new communication channel, and not as a tool for payments/access to the bank. It is important to leverage this touch point, and allow not only to cross-sell relevant services to the customer in the context of where the app is being used, but also to provide them with the flexibility that they do not currently have by using the traditional methods of interacting with their financial institutions.

In this way, a digital strategy becomes more a matter of processes and communication than technology. Communication is key to the success of the strategy, since this new channel, besides enabling payments, has to be seen as a marketing one-to-one tool, so should not be handled by traditional business areas such as IT, Cards or Payments, but instead by Innovation / Marketing departments since the challenge is to generate a call to action in the app, and make it relevant for the user, while paying and using the bank services.

This is the stepping stone, and a good start, for a digital strategy which will enable the realization of an ROI within this digital era.

At MeaWallet, we have built a platform that enables banks to deploy digital services, including mobile payments, into the bank’s digital strategy. We would be pleased to discuss these topics and share our experience, insight and passion for the subject with you.



Mobile payments and trends in the UK

Mobile payments in the UK

Mobile payments have, in recent years, infiltrated the mainstream business propositions of some of the well-known technology companies that design, develop, and sell consumer electronics, computer software, and online services. Apple, Google and Samsung all provide mobile payments services under the names of Apple Pay, Google Pay and Samsung Pay, commonly referred to in the payments industry as the OEM Pays. These technology giants have arguably played a significant part in raising the collective consumer consciousness around NFC mobile payments in the last couple of years. A number of questions remain. How far will they take their payments proposition? What is their end game? Are they out to disrupt and compete directly with the banks? For the moment, the answers are closely guarded and while speculation is rife, only time will tell what the outcomes will be.

In the UK, banks are facing continuing uncertainty surrounding Brexit and how this will affect their
future business, resources are stretched as a result of competing priorities to meet regulatory
deadlines such as MiFID II, PSD2 and GDPR, and to cap it off, budgets are shrinking, and spending is
being more closely scrutinized. Considering these and other challenges, the majority of banks are
nevertheless showing signs of continuous and growing investment in technology, to address not only
regulatory issues, but also in recognition that their existing legacy systems are too inflexible and
limiting to address the needs of the bank of the future.

Challenger banks, increasingly present in the UK market, are gaining traction along with the moniker of “disrupter”. Some challenger banks now offer services going beyond traditional current accounts and are actively targeting specific segments such as SMEs and Corporates. Their clear advantage is in their ability to develop their technology stacks by eschewing models of bespoke development in favor of off the shelf solutions and strategic partnerships with FinTech companies. They are not bound by the legacy constraints of the traditional banks.

One common feature of the tech giants, banks and challenger banks is their burgeoning interest in mobile payments.

The mobile payments landscape in the UK is dominated by the OEM Pays. It is not really surprising that, with all the pressures outlined above, banks and, to a lesser degree, challenger banks have adopted Apple, Google and Samsung as the lynchpin of their consumer mobile payments strategy. By rolling out the OEM Pays, they are arguably taking the path of least resistance. There is, some would argue, value in the relative ease of rolling out a mobile payments service backed by a trusted name in technology.

For the end customer, NFC enabled mobile phones are the norm, as is the brand association. The
OEM Pay platforms on offer are ready and enabled straight out of the box. Add a funding source –
credit or debit card – and the service “just works”.

One very successful use case in the UK is around transport. TfL (Transport for London), in addition
to their Oyster Card program, has enabled all their terminals for contactless and NFC payments.
Commuters are increasingly using their phones to pay for public transport. In 2017, one in 10
journeys were made with mobile devices, equating to more than 31 million journeys.

 

With the proliferation of contactless POS terminals in retail locations and the fact that most POS terminals will be NFC enabled in Europe by 2020, we can already see momentum building. Forrester predicts that the European mobile payments market will vault to €148 billion by 2021. Mobile in-person payments will grow the fastest, increasing almost fivefold between 2016 and 2021, from €4.6 billion in 2016 to €22.8 billion in 2021; they will account for nearly 16% of all mobile payments in the EU-7.

Mobile payments are gaining traction and given the fast pace of change are likely to evolve in the
coming years. But are the banks missing a trick? Could they be leveraging mobile payments as a
conduit to promote their own bank apps and value-added services? Arguably, yes. In the current
environment, OEM Pays are co-existing alongside the bank apps. By choosing to pay through an
OEM Pay, customers are disintermediated from their bank as they can “fund” their mobile payment
purchases with any card issued by any institution. While the banks are paying out a small
percentage to Apple for the Apple Pay service, Google does not charge for the service but rather
collects payment transaction data. This was also showcased in the short clip attached from a BBC documentary entitled Billion Dollar Deals and How They Changed the World.

At a time when banks are competing to retain their customers, it seems counter-intuitive to be giving away a valuable commodity which they possess. This is data that can be analyzed and used to upsell customers relevant products such as personal loans, mortgages and other revenue generating products and services. It is the glue that can create sticky customer relationships and retain their custom over the course of changing life events. By combining the mobile payment functionality (be it as Issuer Pay and/or OEM Pay) into the single bank app, both parties benefit. The bank gains greater visibility on the habits and ensuing trends of their customers, together with the added value of being able to target products and services tailored to their needs. For consumers, it gives them a choice of payment options all the while using a single trusted app for all their payment and banking needs.

At MeaWallet, we have built our platform to turn banks’ mobile payment aspirations into reality and
support the evolution of their mobile strategy. We would be pleased to discuss and share our
experience, insight and passion for the subject with you. Leave a message to have Regional Sales Director of the UK, Ness Diwan, get in touch.

 

 

 


Solving the challenges with mobile NFC Payments – Part 2

As discussed in Part 1 of this blog post, mobile NFC payments have some challenges. This post will look at how wearable payments work and how they can meet these challenges.

Enter wearables

In October 2015, Mastercard and NXP announced something that might have been the start of the solution: New Program that can Turn any Wearable into a Payment Device. Following this, several announcements have been made on wearable or IoT payments. While several of these are quite distant for the average consumer, wearable device payments are already here.

Two major challenges in particular can be met with wearable payments: iOS support and speed at checkout.

Payments using wearables basically work by provisioning the payment credentials onto the wearable device. This can be done during production, but that only allows for simple, static, pre-paid solutions. However, by connecting the wearable to a mobile app and using the app as a proxy for credential provisioning, there are (almost) no limits to which cards can be added. In addition, this allows for real-time lifecycle management of the credential stored on the device.

What does this mean?

  1. Remove the NFC block on iOS devices. Even if your customer is using an iPhone, they can deploy payment cards on their wearable device through the open Bluetooth channel. During payment, they will use the NFC channel on the wearable, circumventing the close control Apple has put on their devices.
  2. Always at hand - literally. Paying using a wearable device, such as a smart watch, bracelet or even a ring, removes the need of finding the device in the first place. Tap your wrist or hand towards the payment terminal, and the purchase is performed within milliseconds. You can’t do it cooler - or faster!

Hype or future?

Obviously, payment through wearables has its advantages. The big question that remains is whether it is only hype, or if we actually will see people tapping their wrists to get their favorite sub on their way home from work.

Apple Pay through Apple Watch has been around for about three years. Even so, analytics report a slow start. Similarly, Samsung Pay has been available on Samsung Gear devices since 2015. These solutions have had a limited list of supported Issuers, but as the list of supported Issuers is growing, the use is growing at high speed.

User research conducted by Seqr showed that 61% of all users wanted to pay with a wearable device. Furthermore, it showed that more than 70% would have no worries about the security of such a solution.

MeaWallet has seen an increase in OEM vendors – well established as well as small start-ups – that reach out to us to learn more about our offerings for wearable payments.

In summary, we see that wearable payments are coming, and we believe they are coming fast. We might be too far into 2017, but 2018 might prove to be the Year of Wearable Payments.

Do you want to learn more about wearable payments and what it can do for you? Click here to download a factsheet.



How Does HCE Address the EMV Goals?

Before following up the last post about wearable payments, we serve you a guest post. This post will look into the HCE technology and how it relates to the EMV security standard. Written by Christian Maas at Mea's business partner ti&m, the original blog post can be found here.

Not a day goes by without new mobile payment apps popping up or the Original Equipment Manufacturers, also called OEMs, launching their own mobile wallets (Apple Pay, Samsung Pay, Android Pay) in additional countries. Especially Switzerland plays an interesting role by focusing on the payment solution TWINT to solve the local mobile payment needs. However, regardless of the payment app and underlying technology, all solutions need to balance usability and security in order to justify a valid business case.

This article introduces Host Card Emulation (HCE) as the standard technology stack for your Android-based payment app and addresses how it meets the main EMV (Europay International, MasterCard, and VISA) goals to ensure secure payments at the Point of Sale (POS).

Understanding the role of Host Card Emulation

HCE is the term used to describe the entire ecosystem of mobile payment solutions on Android-based devices that do not have access to a Secure Element (SE) or a Trusted Execution Environment (TEE). Usually, SE and TEE rely on proprietary hardware security to store and access sensitive keys such as the Card Master Key (CMK), whereas HCE solves this by using mobile device software in combination with a remote server.

There are various stakeholders in the HCE ecosystem, which play an important part in providing a seamless and secure payment experience to the cardholder. These range from a secure payment app that builds the user interface to initiate a mobile payment, to a trusted Wallet Service Provider (WSP), and finally, a Tokenization Service Provider (TSP) that replaces the PAN with a payment token (DPAN).

Whenever we think of Host Card Emulation, we tend to focus on transaction flows rather than on what “card emulation” actually stands for. The secure payment app is the equivalent to the card program that runs on the plastic card’s contact chip. As a result, the payment app ensures that a valid EMV transaction is sent to the Near Field Communication (NFC) reader at the Point of Sale.

As EMV transactions evolved towards being recognized as the more secure solution compared to magnetic stripe based payments, all HCE participants, such as software and hardware vendors, card issuers and card schemes, have aimed for the same security levels and market acceptance.

Does HCE live up to the EMV standards?

The main goals of EMV are to reduce fraud by the following measures:

  • Validating authentication of payment card (chip),
  • requesting cardholder verification,
  • validating transaction integrity, and
  • using risk management parameters.

Validating authentication of payment card (chip)

This means it should not be possible to copy a payment card or compromise the application programs on the chip. How can HCE solve this issue?

  1. After installing on the mobile device, each payment app has its unique instance ID.
  2. Registering the payment app on the device includes the storage of a device fingerprint at the HCE wallet server.
  3. The provisioning of a payment token to the software/hardware key store of a mobile device results in a unique combination of payment app instance ID, device fingerprint, and DPAN.
  4. Before replenishing limited-use Session Keys (SKs), the HCE wallet server validates the combination of the provisioned payment token, payment app instance ID, and device fingerprint.

In essence, the previously described steps make it difficult for a fraudster to request valid SKs from the HCE wallet server for a payment app that resides on a different device.

Requesting cardholder verification

You should be able to confirm that you are the cardholder by a method that is either dependent on the POS, transaction amount or other attributes. EMV allows several Cardholder Verification Methods (CVMs): Cardholder’s signature comparison by the merchant, validation of the PIN by either the issuer or the POS terminal, or “no CVM” at all, in case of low value/risk transactions. Now, what does cardholder verification look like for HCE?

  1. Card-Like User Experience (CLUE) – the payment app follows the same user experience as a regular contactless payment: tap and pay. Depending on the country, card schemes and POS terminals, Low-Value Transactions (LVTs) sometimes do not require cardholder verification. For a High-Value Transaction (HVT), the cardholder still has to enter his PIN at the POS.
  2. Consumer Device Cardholder Verification Method (CD-CVM) – users can authenticate themselves to the device via a fingerprint scan, password or swipe pattern.
  3. Flexible User Experience (FLUE) – this is a combination of CLUE and CD-CVM, but not solely one or the other.

The listed categories above give issuers and banks a flexible set to build a payment experience, which is in alignment with their standards and risk tolerance.

Validating transaction integrity

It is important to make sure that the transaction is not altered on the way between POS, card network, and the card issuer. Apart from using various sets of encryption keys and transaction identifiers, HCE exchanges a payment cryptogram based on DPAN-derived SKs to validate transaction integrity on the issuer side.

Using risk management parameters

Each stakeholder within the EMV ecosystem should be able to apply risk measures. Which safeguards does HCE put into place?

  1. Fraud systems are able to inspect the frequency of SK replenishment. In case of malicious behavior, the HCE wallet server can suspend the DPAN and stop the renewing of SKs.
  2. The payment app can only hold a small pool of SKs which minimizes the number of offline payments (the device has no internet connection) the fraudster could potentially make.
  3. Only allowing the provisioning of payment tokens on mobile devices that provide certain security standards, e.g. version of fingerprint readers, operating versions, etc., will reduce risk as well.
  4. Velocity tracking of LVTs without HVT in between.

This list is not complete, but it gives an idea of options issuers and banks can use to lower the risk of their HCE wallet service.
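The replenishment check from step 4 of the card-authentication list, the first two risk controls above and the issuer-side cryptogram check, combined in one added example (not code from ti&m or MeaWallet). The class and function names, the pool and frequency limits, and the HMAC-SHA256 derivation are assumptions; card schemes specify their own key derivation and cryptogram formats, and here the wallet server and issuer are merged into one object.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_POOL = 5           # assumed cap on unused session keys per token
MAX_REPLENISH = 3      # assumed replenishments allowed per window
WINDOW_SECONDS = 3600  # assumed sliding-window length


class Denied(Exception):
    """Raised when the wallet server refuses a request."""


@dataclass
class TokenRecord:
    instance_id: bytes
    fingerprint: bytes
    master_key: bytes
    next_counter: int = 0
    suspended: bool = False
    unused: set = field(default_factory=set)  # counters issued, not yet spent
    replenish_times: list = field(default_factory=list)


def make_cryptogram(session_key, dpan, counter, amount_minor):
    """Device side: MAC the transaction data with a limited-use session key."""
    msg = f"{dpan}|{counter}|{amount_minor}".encode()
    return hmac.new(session_key, msg, hashlib.sha256).digest()


class WalletServer:
    def __init__(self):
        self._tokens = {}  # DPAN -> TokenRecord

    def provision(self, dpan, instance_id, fingerprint):
        """Bind the DPAN to one payment app instance on one device."""
        self._tokens[dpan] = TokenRecord(
            instance_id.encode(), fingerprint.encode(), secrets.token_bytes(32))

    def _session_key(self, rec, dpan, counter):
        # Stand-in derivation (HMAC-SHA256), not a card scheme's algorithm.
        msg = dpan.encode() + counter.to_bytes(4, "big")
        return hmac.new(rec.master_key, msg, hashlib.sha256).digest()

    def _active(self, dpan):
        rec = self._tokens.get(dpan)
        if rec is None or rec.suspended:
            raise Denied("unknown or suspended token")
        return rec

    def replenish(self, dpan, instance_id, fingerprint, now):
        rec = self._active(dpan)
        # The token, app instance ID and device fingerprint must all match.
        if not (hmac.compare_digest(rec.instance_id, instance_id.encode())
                and hmac.compare_digest(rec.fingerprint, fingerprint.encode())):
            raise Denied("token is not bound to this app instance and device")
        # Risk control 1: replenishment frequency; suspend the DPAN on abuse.
        recent = [t for t in rec.replenish_times if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REPLENISH:
            rec.suspended = True
            raise Denied("replenishment too frequent, token suspended")
        rec.replenish_times = recent + [now]
        # Risk control 2: top up only to the small pool size.
        grant = MAX_POOL - len(rec.unused)
        keys = []
        for counter in range(rec.next_counter, rec.next_counter + grant):
            rec.unused.add(counter)
            keys.append((counter, self._session_key(rec, dpan, counter)))
        rec.next_counter += grant
        return keys

    def verify(self, dpan, counter, amount_minor, cryptogram):
        """Issuer side: recompute the cryptogram; each key is accepted once."""
        rec = self._active(dpan)
        if counter not in rec.unused:
            return False
        expected = make_cryptogram(
            self._session_key(rec, dpan, counter), dpan, counter, amount_minor)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        rec.unused.discard(counter)
        return True
```

Because the pool is topped up rather than refilled blindly, an offline device can never hold more than `MAX_POOL` spendable keys, and a replayed or altered transaction fails `verify`.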

Conclusion

HCE product companies constantly work on security concerns to maintain reliable payment solutions. It is a fast-growing market, which competes with the established OEM pays. However, competition is good, and in particular when it comes to security. It keeps the pressure high to not lose the cardholder’s trust.
