Whether on a card or a handset, payments will be more secure
Like two trains speeding toward one another in the dead of night, EMV and near field communication seem poised for a collision in the U.S.
Rapid fire NFC announcements occur daily and reports that two major U.S. banks will begin issuing EMV cards to frequent overseas travelers suggest it is only a matter of time before the two technologies meet.
But will it be a collision or a meld? Most likely any type of NFC payment transaction will be as secure, if not more so, than a traditional EMV transaction. “EMV works better on a phone than it does in a card,” said Dave Birch, director at UK-based Consult Hyperion at the Smart Card Alliance Annual Conference held in May.
Mobile phones may also prove to be safer than cards, Birch said. “If someone steals your phone you notice,” he added. Some have said that people typically notice a missing mobile phone in less than an hour versus up to 24-hours to notice a missing payment card.
EMV is the payment security standard of choice in virtually every industrialized country in the world except the U.S. But this is likely changing as forces in the U.S. align for an EMV enabled payment infrastructure.
And NFC may actually be the enabler to bring EMV to the U.S. “NFC is attached to EMV, it’s difficult to talk about one without the other,” says Murat Guzel, COO and general manager of the SmartSoft Group, a Eurasian payment services company that is setting its sites on the North American market.
In the U.S. it may be quicker to enable NFC than EMV, Guzel suggests, because there are more contactless payment terminals deployed than EMV contact terminals. Surveys also show that customers are interested in mobile payment. A MasterCard survey released in May found that 62% of Americans who use a mobile phone would be open to using their device to make purchases.
Where NFC and EMV diverge
It is important to separate a technology like NFC from an implementation such as EMV. A smart card is a technology that can be used for many purposes including access control, single sign-on, loyalty or payment. In the same way, NFC is a technology that can be used for many purposes of which payment is certainly one.
The question centers on the specific payment implementation to be conducted via an NFC handset. It could be a proprietary closed-loop system, a contactless system using U.S. model of magnetic stripe data emulation or it could be a contactless EMV solution.
In the U.S., contactless payments are not based on EMV. Instead, they use a Magnetic Stripe Data (MSD) configuration that is supported in MasterCard’s PayPass and Visa’s PayWave products. For the rest of the world, contactless EMV has been the choice as most countries deploying contactless payment cards have already migrated to contact EMV. MSD would have been a step backward in terms of transaction security for those countries.
So the question for the U.S. market becomes whether to push the older, but deployed, MSD implementation to NFC or join the rest of the world and use EMV for NFC payments.
“Nearly all NFC mobile payments being discussed at present are EMV based,” says David Worthington, principal consultant for payment and chip technology at Bell ID.
But can the deployed infrastructure of point-of-sale terminals and backend systems support contactless EMV on a card or a phone? The simple answer is “Yes,” explains Worthington, “but it would be necessary to update the POS software. This might be a configuration change or replacement terminal application depending on what was originally deployed.”
The responsibility to update the software would fall to the terminal manager. Depending on the environment, this could be the actual merchant, the acquirer, processor or even the terminal supplier if it provides management services.
In its report, Card Payments Roadmap in the U.S., the Smart Card Alliance highlighted that contactless terminals deployed in the U.S. would typically require a firmware upgrade, including an EMV Level 2 software kernel and application upgrades. In some cases this process can be done via remote download, but in many cases it will require the merchant to return the terminal to the manufacturer for upgrade.
With proper software, a contactless terminal can support both magnetic stripe data and EMV. This would be the logical solution for the U.S. as it would provide a migration path from the currently deployed contactless cards to new contactless EMV cards and NFC devices.
Similarly, an NFC device can be configured with multiple payment options. “Initially for the U.S., the NFC phone EMV application can be configured to support full EMV and MSD as well,” says Worthington. “So it will work at legacy devices from the POS terminal deployments of the last decade.” In this way, the NFC device itself becomes the bridge between existing POS devices and upgraded or EMV-ready terminals.
Global EMV deployment and adoption
|Region||EMV cards||Adoption rate||EMV terminals||Adoption rate|
|Canada, Latin America, and the Caribbean||182,185,043||26.4%||2,000,000||55.6%|
|Africa and the Middle East||16,841,874||13.7%||348,000||62.5%|
|Europe Zone 1||555,688,434||65.4%||9,400,000||84.7%|
|Europe Zone 2||22,817,271||11.5%||457,800||61.2%|
Figures reported in September 2010 and represent the latest statistics from American Express, JCB, MasterCard and Visa.
¹ Figures do not include data from the United States.
Deploying new payment technologies takes a lot of time, said Richard Oliver, executive vice president with the Federal Reserve Bank of Atlanta at the Smart Card Alliance Annual Conference. Canada’s EMV deployment took five years and the move away from checks has been given a seven to eight year timeline in the UK.
Mobile in the U.S. seems on a faster pace but there’s a lack of focus, Oliver said. He called for a central organization, similar to NACHA in the payments industry, to help. Elements of a successful U.S. mobile payments scheme include an open wallet stored on a secure container on the mobile device that uses dynamic authorization. “It needs to simulate chip and PIN,” he added.
In Turkey SmartSoft, TurkCell and PlastKart deployed a model that could accelerate the adoption of NFC in the U.S. The project’s Trusted Service Manager was the first in Europe to be approved by MasterCard. It enables payment and other application to be securely loaded on to a device’s SIM card.
A Trusted Service Manager is the bridge between banks and mobile operators enabling the secure transmission of data to mobile devices. Using a Trusted Service Manager for administration of payment products gives banks more control and enables the consumer to have access to more information.
TurkCell is offering its customers mobile payments with its NFC-enabled Mobile Wallet, NFC Gateway and Over the Air Platform. The service will be available for payments but also transportation, loyalty and other services in the near future. “Our NFC Gateway infrastructure enables multiple applications over one SIM card,” says Ali Salci, head of Mobile Financial Services at TurkCell. “As a result, the mobile phone can be used as a mobile wallet and you can load bank cards onto your SIM from participating banks.”
The Trusted Service Manager model also solves some of the business case issues that have plagued NFC deployments. Both mobile operators and banks have tried to figure out ways to make money via NFC. With the Trusted Service Manager the bank buys space on the mobile device’s SIM from the mobile operator. The bank still makes money off of interchange from merchants when a transaction is conducted.
Using the Trusted Service Manager, the customer downloads an application to the device, explains SmartSoft’s Guzel. Then the official payment card data would be securely loaded from an Over the Air transaction once the cardholder was authenticated.
But how does NFC rank compared to EMV from a security perspective? Contactless payment technology is often the subject of controversy in the mainstream media with claims that someone can walk by and grab your credit card data.
NFC, while using the same protocol as contactless payments, would increase security because the credit card data would only be transmitted after the user enters a PIN to activate it, says Worthington.
“From an EMV point of view the difference between a contact and contactless transaction is how contactless is used for lower-value transactions,” Worthington says. In traditional card-based EMV deployments, small transactions can be conducted without PIN entry. When a threshold amount is reached, for example 50 euros, a PIN becomes mandatory.
In a NFC deployment of EMV, it is likely that a user will enter a PIN on the handset with every transaction. Thus, NFC could enable higher-limit transactions without requiring a PIN at the point of sale device.
NFC can also enable banks to give more information to cardholders enabling greater security, Worthington says. When a cardholder makes a transaction at a point of sale the card is swiped, maybe a PIN is entered or a signature jotted down, but that’s it. With NFC the device can present more information and confirm the transaction with a user. The NFC application can also enable a user to make payments or find out about deals in the area.
Will the card go away?
With the seeming inevitability of NFC the discussion of the wallet on the phone has started again. Guzel, however, says the physical wallet won’t go away anytime soon because the older generation won’t want to give up a plastic card and it will take awhile for ATMs to adapt in order to get cash.