Monthly Archives: September 2009

Contactless Payments: American and European Way

When it comes to the card business, almost everything is different between the US and Europe. The US market is huge and very mature. The US never migrated to EMV, while Europe has almost completed the migration. (Well, mostly.)

EMV is the defining point between these two markets. Europe has chosen to make the card the safest element and made a huge investment. Now European cards have the ability to process an offline PIN, validate themselves to the POS terminal prior to online authorization, generate a dynamic signature of each transaction (cryptogram), validate the host system, etc. In the US, POS terminals just read out the mag stripe data and send the transaction to the issuing host for authorization.

In this context, contactless transactions work in the same way. US contactless cards just send the mag stripe data over the RF interface instead of through the mag stripe reader, and everything else is almost the same. However, there’s one slight security enhancement which may change things. Each contactless transaction is sent to the host with a unique transaction counter, which cannot be done in the mag stripe world. Big step.
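A host-side sketch of what the transaction counter makes possible, as an added example that is not part of the original post. The field names, the gap threshold and the decision labels are assumptions of this example, not values from any card scheme specification.

```python
# Host-side check of the per-transaction counter carried in contactless
# authorisation requests. A mag stripe swipe carries only static data, so
# the host has nothing to compare; a contactless request carries a counter.

MAX_GAP = 20  # assumed policy: a larger jump is referred instead of approved

def check_counters(requests, max_gap=MAX_GAP):
    """Return one decision label per request, in arrival order."""
    last_seen = {}   # card id -> highest counter approved so far
    decisions = []
    for req in requests:
        card, counter = req["card"], req["counter"]
        previous = last_seen.get(card)
        if counter is None:
            decision = "NO_COUNTER"        # static data: a replay looks identical
        elif previous is not None and counter <= previous:
            decision = "DECLINE_REPLAY"    # counter already used by this card
        elif previous is not None and counter - previous > max_gap:
            decision = "REFER_GAP"         # many transactions never reached the host
        else:
            decision = "APPROVE"
            last_seen[card] = counter      # only approved counters move the baseline
        decisions.append(decision)
    return decisions

# Constructed sample requests (hypothetical card ids and counters).
REQUESTS = [
    {"card": "CARD-A", "counter": 41},
    {"card": "CARD-A", "counter": 42},
    {"card": "CARD-B", "counter": None},   # mag stripe swipe
    {"card": "CARD-A", "counter": 42},     # same data presented again
    {"card": "CARD-A", "counter": 90},     # jump of 48 from the last approved value
    {"card": "CARD-B", "counter": None},   # second swipe, indistinguishable from the first
    {"card": "CARD-A", "counter": 43},
]

if __name__ == "__main__":
    for req, decision in zip(REQUESTS, check_counters(REQUESTS)):
        print(req["card"], req["counter"], decision)
```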

In Europe, contactless transactions are offline. Visa and MasterCard released specifications for online too, but this was just for compliance with the US network. Offline means the card application needs to authorize the transaction without asking any central host. To be able to do this, you just need to have a smart application inside the chip which can store some smart decision-making data. This is the main difference between Europe and the US.

In the US, contactless-only chips can be used without any interaction with the mag stripe. But in Europe, this is simply not possible. The chip needs to be dual interface, meaning that it should work from both the contact and the contactless interface.

With the introduction of contactless payments, the US market began developing into another era, while for Europe it was a natural extension of the contact applications. Once again Europe chooses the expensive and safest way while the US takes the opportunistic path.

Practical barriers of NFC

NFC is the most popular issue among payment system providers, mobile network operators, banks, transport authorities, and the list continues. It offers so much for all parties involved. The most common understanding is to use the mobile phone as a contactless payment device or a contactless tag. In this scenario:
-Customer uses a great device for everything
-Mobile network operator has a great product that ensures customer loyalty and more data transfer
-Application provider extends its application to one more medium and is making plans for adding more functionality to the application running on the phone.

Well everyone seems happy; but up to now, this scenario has never been realized in Europe in the commercial world other than pilot programmes. There are some big barriers waiting on the road:

First of all, the technology is not mature enough. Well, actually not the technology: the party who controls the power has not been decided yet. I am referring to the infamous SWP protocol. There are two possible positions of the NFC controller on the phone. It’s either in the handset or in the SIM card. This practically determines whether the mobile network operator or the customer him/herself is going to decide what to install/use on the phone. If the secure element resides on the SIM card, that means no one can do anything without the authorization of the mobile network operator. With the introduction of SWP (Single Wire Protocol), the SIM card can host an application that uses the contactless interface provided by the handset. This opens a whole new world of opportunities to the mobile network operators. (I am planning to have a separate post for this.) But on the other hand it forces the application owners to work closely with mobile network operators; moreover, they cannot do anything that the mobile network operator does not approve.

Secondly, a killer application like transportation is quite complex and has many different players involved. There are already complex scenarios for owning, using and renewing a transportation scheme contactless card, and when a handset comes into the picture things get more complicated.

Another issue is personal taste. Research indicates that people change their phones every two years, and the question is what is going to happen to the balance on the previous phone. How will the balance be transferred to the next phone?

I believe NFC will create a great deal of changes in our daily life and payment habits, however it will take some time.

Contactless card market in Turkey

As a Turkish professional who has already spent 14 years in the card business in Turkey, I’d like to summarize the current situation of the contactless card market in Turkey.

Turkey has a highly active card business in terms of figures and technology. It is in the top 3 countries in Europe according to Visa EU and MasterCard Europe. Detailed figures for the Turkish market are accessible through BKM’s web site.

EMV migration started in Turkey in 1999 and it’s one of the most mature countries in terms of EMV compatible POS/ATM terminals and cards. (Excluding debit cards which are all online PIN based)

So, under these circumstances, the next thing for Turkey was of course contactless business. Almost all major banks already have contactless cards and POS terminals, most of the other banks have projects or plans for contactless.

Contactless reader penetration is also quite impressive. For example, when you go for a coffee in a Starbucks, you will see a contactless card reader attached to the POS terminal. If your bill is less than 35 TL (20 EUR) you have the chance to pay it via your contactless credit card without PIN or signature. Total transaction lasts no more than 30 seconds.

Unlike many other countries, banks own the POS terminals, so the migration was smooth. The current infrastructure did not change; only the external contactless readers have been deployed. OTI and Verifone (Vivotech) cover almost all of the market, but Sagem (now Ingenico) has built-in contactless readers as well.

Gemalto is the major player in the card vendor market. AustriaCard, E-Kart (G&D) and Oberthur are the followers.

There are a few card personalization offices in Turkey. Plastkart is the exclusive partner of Gemalto, Provus and Bilesim are the other players. Oberthur is also working on its own personalization bureau.

There are also NFC pilot projects from Turkcell with Garanti Bank and Akbank. Turkish Interbank Card Association (BKM) is working on handling the TSM role for NFC.

I think this is a general outline of the Turkish contactless card market. There’s a whole other story for the transportation market, which I’ll cover in another post.

Introduction to ISO 14443

ISO 14443 is a collection of rules regulating contactless smart cards and readers working at 13.56 MHz. The main idea is to create interoperability between contactless smart cards and contactless card readers.

There are 4 parts of ISO 14443:

Part 1 – Physical characteristics

With the introduction of contactless chips in different forms like watches, stickers, keyrings, etc., this part has become obsolete in recent years. Originally it defined the dimensions of contactless cards based on ISO 7810. In general, the card and the reader are referred to as PICC and PCD. PICC stands for Proximity Integrated Circuit Card and PCD stands for Proximity Coupling Device.

Part 2 – RF interface

Part 2 defines the characteristics of the power transferred to the card for enabling contactless transactions. Power is transferred by the reader to the card using a frequency modulation of 13.56 MHz. (+/- 7 kHz is accepted)

There are 2 famous types of communication signal interfaces: Type A and Type B. Although many people think that Type A is equal to Mifare and Type B is Calypso, it’s simply not true.

Part 3 – Initialization and anti-collision

In the contact card world, only one card is possible in the reader slot, but in the contactless world this is not always the case. Part 3 deals with selecting a card in the RF field. Anti-collision is basically selecting one card at a time and holding the other cards in the field idle for the next transaction.
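The selection described above, sketched as a simplified model of the Type A bit-oriented anti-collision loop (an added example, not part of the original post). It assumes 32-bit UIDs written as bit strings in transmission order, a single cascade level, no checksum byte, ideal collision detection, and a reader that always follows the "1" branch; the UIDs are constructed.

```python
UID_BITS = 32

def answers(cards, prefix):
    """Superimposed reply of every active card whose UID starts with prefix.

    One symbol per remaining bit: '0' or '1' where all responders agree,
    'X' where they differ (the reader detects a collision at that bit).
    """
    responders = [uid for uid in cards if uid.startswith(prefix)]
    reply = []
    for pos in range(len(prefix), UID_BITS):
        seen = {uid[pos] for uid in responders}
        reply.append(seen.pop() if len(seen) == 1 else "X")
    return "".join(reply)

def select_one(cards):
    """Resolve a single UID; returns (uid, number of reader requests)."""
    if not cards:
        return None, 0
    prefix, rounds = "", 0
    while len(prefix) < UID_BITS:
        rounds += 1
        reply = answers(cards, prefix)
        prefix += reply.split("X", 1)[0]   # bits received before the first collision
        if len(prefix) < UID_BITS:
            prefix += "1"                  # collision: narrow to cards with a 1 here
    return prefix, rounds

def inventory(uids):
    """Select cards one at a time; each selected card is halted afterwards."""
    active, order = set(uids), []
    while active:
        uid, rounds = select_one(active)
        order.append((uid, rounds))
        active.discard(uid)                # the others stayed idle and answer next time
    return order

# Constructed sample UIDs (not from any real card).
FIELD = [format(v, "032b") for v in (0x04A1B2C3, 0x04A1B2F0, 0x9C000001)]

if __name__ == "__main__":
    for uid, rounds in inventory(FIELD):
        print(f"selected {int(uid, 2):08X} after {rounds} request(s)")
```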

Part 4 – Transmission protocols

Part 4 defines the high level data transmission protocol between the card and the reader.

ISO 14443 does not define any operating system of a card or reader or any application running on each end.

Gemalto acquires Trusted Logic

Trusted Logic, a worldwide software solution developer for smartcards, terminals and consumer devices, has been acquired by Gemalto. See the press release for details.

Gemalto had already acquired Multos and Mifare4mobile, and now the company holds a unique position among the card vendors.