
Guitar with a contactless reader

One thing I really love, other than contactless systems of course, is music. Although I can't play as much as I did in the past, I’ve been playing guitar for years. When I bumped into the article on Mobile Money Exchange, I was really excited: the guitar of the street band has a contactless reader attached to the headstock, and it accepts contactless cards. What an innovative idea!

When you see a street band in a metro or on the street, the main motivation for giving a few bucks is to support the musicians. But these guys have an even better idea: they are supporting a charity, and the contactless reader ensures this, simply because there’s no cash involved! When you wave your Barclays contactless card against the headstock of the guitar, you simply donate a fixed amount of money to a charity. (Help a London Child, in this case, for 5 pounds.)

I love the idea, and I now hope it will be implemented by transport operators, banks and loyalty system providers that are actively using contactless cards.

PayPal moves into contactless space

PayPal is definitely the most important online payment system provider in the online world. Yet it seems they are quite enthusiastic about the real world too. And of course, the leading online payment service provider goes for the coolest method: the contactless interface! Near Field Communications World refers to the interview with PayPal President Scott Thompson in The Wall Street Journal.

Transactions are processed by Bling Nation, so merchants need to obtain a BlingBox to accept PayPal contactless stickers. PayPal customers must get the contactless sticker from a Bling merchant prior to making a transaction. The sticker is supposed to be attached to the back of the handset.

The big picture suggests that PayPal customers will be able to access their accounts at real merchant locations via the contactless stickers attached to their phones. According to Bling Nation, the sticker is compliant with NFC, so it will be available to customers without a sticker once the secure element dilemma is resolved and ordinary people have NFC-enabled phones.

There are no technical details on the payment application itself, so I assume it is secure enough to hit the streets. I think the issues below are very critical and must be addressed, if they have not been already:

– The authenticity check of the card and the POS terminal
– The verification of the card holder
– Interoperability with the existing POS network with contactless readers

Anyway, it’s an interesting move for the contactless world from a strong player!

First MicroSD based contactless payment launch in Europe

Visa Europe and Akbank, one of the big five in Turkey, announced the first MicroSD-based contactless payment application in Turkey. Akbank, Visa Europe and DeviceFidelity attended the press conference.

As I already mentioned in a previous post, DeviceFidelity’s MicroSD product is a solid solution, especially for Turkey, where contactless reader penetration is almost 2% of total POS terminals (around 32,000 contactless readers are already installed). The projected target figure is 5% of the total number of 1,800,000 terminals. More than 2,200,000 Visa and MasterCard contactless credit cards have been issued in Turkey by 10 different banks. Contactless usage is steadily increasing, but not as much as anticipated.

I was unofficially informed that only Blackberry is supported for the time being, but I was unable to confirm it.

It’s a great success for Akbank to commercially launch a handset-based payment application. As an Akbank customer, I am now waiting for the announcement that the application process is open, which will be by the end of this year!

EMVCo released handset requirements for contactless mobile payment

By maintaining the specifications of the banking card applications, EMVCo has a huge effect on the banking card business. Visa and MasterCard developed their own implementations (VSDC and M/Chip respectively) based on the EMV specifications. They are almost identical, with a few configuration changes. The contactless applications payWave and PayPass are also based on the EMV specifications; however, they were developed before EMVCo released a contactless specification.

It seems EMVCo is ahead of Visa and MasterCard this time: it has released requirements for contactless payments by handsets. There are already implementations of Visa’s and MasterCard’s applications on handsets, but all of them were dropped before launch, after the pilot phase.

Basically, a mobile application is a user interface for accessing the EMV-compliant payment application running on the secure element of the handset. The secure element can reside on the NFC controller of the handset or on the SIM card.

EMVCo requires the following of these applications:

  • The application should have a soft/hard key for easy access. If it’s a soft key, it must be accessible from the main/home screen.
  • The application should inform the handset/card holder when a contactless transaction is in progress.
  • The application should be secured by a password, and it should be configurable to enable/disable the application.
  • There should be an indication of contactless capability, just like the Bluetooth icon.
  • The handset shall provide a mechanism to notify the application when it is powered off.

It is a good effort to draw the boundaries of the environment, and it will lead the players in the industry towards a single user experience. It seems we will see more mobile payment applications on the market, hopefully at the commercial level rather than as pilots.

Original document can be found here.

Laks: A futuristic company in contactless gadgets

Not so long ago, about 10 years, if someone had told you that you could process a payment transaction with your watch, you would probably have laughed. But things have changed at enormous speed, and for the last few years this has definitely been possible; there are people actually doing it now.

This has been made possible by a company, Laks, whose vision is beyond that of most people in both the card payments and watch industries. Laks is a Vienna-based company developing very cool watches that have a dual interface chip slot and an antenna inside the watch. The antenna plugs into a specific type of SIM-sized dual interface chip produced specifically to fit in this environment. There is the possibility of running many applications on the chip. Actually, there is the possibility of requesting any kind of chip in this form, which means that the sky is the limit for implementing a chip application inside a watch. Laks also has a native MIFARE chip embedded into the watch. Although I’ve never asked, I am sure that they can fit any kind of chip inside a watch.

The watches come with the antenna, while the dual interface chips do not necessarily have one. In that case, personalization must be performed while the chip is in the watch, which is hard to do when personalizing huge volumes.

In Turkey, Garanti Bank launched a product based on Laks watches a few years ago. It was a little bit early; however, it was still a very innovative product. In Turkey, there were efforts to develop payment products based on Laks’ watches, some of which had already passed the proof-of-concept phase; unfortunately, they were never launched.

Maybe the commercialization did not happen because a watch is a personal thing (like a mobile phone in the NFC case) and a payment product bundled into a personal item might not sound good to people. But I am sure there will be some contactless projects based on watches, and Laks will definitely have a big role in this picture. Laks’ web site has more interesting watches beyond those with contactless capability; it is worth a visit.

Payment vs. ticketing

Contactless cards are penetrating into more and more market segments day by day. The three most common use cases of contactless cards are clearly ticketing, payment and access control. Now let’s skip the access control and compare the ticketing and payment use cases.

Work Flows

The functional requirements of a contactless ticketing application are generally to store a balance, a contract, an expiry date and a log space. The typical work flow of a contactless ticketing transaction is as follows:

  • Identify the card in the field
  • Authenticate the card and the ticketing terminal
  • Read the contract from the card
  • Read the previous transaction logs -if necessary
  • Compute the fare
  • Debit the card with the fare
  • Write the transaction log

When it comes to payment, the work flow of a contactless EMV payment is as follows:

  • Identify the card in the field
  • Authenticate the card and the terminal
  • Debit the card
  • Store the transaction log

As you can see, the main difference between the payment and the ticketing work flows is the fare calculation, which is based on variables such as the contract type of the card and the previous transactions performed and stored in the application. This is something EMV is still incapable of. Both Visa and MasterCard are already working on ticketing extensions of payWave and PayPass; however, they will still have many barriers ahead even if the specifications are completed and the first samples are out for testing.
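The ticketing work flow above, as an added example that is not part of the original post: a small Python model in which the fare depends on the contract and on the last log entry stored on the card. The tariff table, the transfer rule, the master key and all names are assumptions made for the illustration, HMAC-SHA256 stands in for the DES-variant or AES authentication a real ticketing card would use, and only the card-to-terminal direction of the authentication is shown.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

MASTER_KEY = b"constructed-demo-master-key"  # constructed value, illustration only
FARES = {"standard": 200, "student": 100}    # assumed tariff, in cents
TRANSFER_WINDOW = 60                         # assumed: minutes in which a transfer is discounted

def mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in for the DES-variant/AES MACs of real ticketing cards
    return hmac.new(key, data, hashlib.sha256).digest()

@dataclass
class Card:
    uid: bytes
    key: bytes       # per-card key, issued as mac(MASTER_KEY, uid)
    balance: int     # cents
    contract: str    # "standard" or "student"
    expires: int     # last valid day number
    log: list = field(default_factory=list)  # entries: (minute, line, fare)

    def respond(self, challenge: bytes) -> bytes:
        return mac(self.key, challenge)

def compute_fare(contract, log, now, line):
    # The step the payment flow lacks: the price depends on data stored on the card
    fare = FARES[contract]
    if log and now - log[-1][0] <= TRANSFER_WINDOW and log[-1][1] != line:
        fare //= 2   # changed lines shortly after the previous ride
    return fare

def ticketing_transaction(card, now, today, line):
    # Identify the card and authenticate it with a fresh challenge
    challenge = os.urandom(8)
    expected = mac(mac(MASTER_KEY, card.uid), challenge)
    if not hmac.compare_digest(card.respond(challenge), expected):
        return "auth failed"
    # Read the contract
    if today > card.expires:
        return "contract expired"
    # Read the previous logs and compute the fare
    fare = compute_fare(card.contract, card.log, now, line)
    if card.balance < fare:
        return "insufficient balance"
    card.balance -= fare                 # debit the card
    card.log.append((now, line, fare))   # write the transaction log
    return fare
```

A payment terminal would skip `compute_fare` entirely and debit an amount it was given, which is the gap the paragraph above describes.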

Authentication and cryptography

EMV relies on RSA and Triple DES, while ticketing applications use mainly DES variants and AES. Contactless EMV transactions are quite secure with DDA (Dynamic Data Authentication) and it is a perfect solution for an interoperable environment of different banks.

Almost all ticketing systems are proprietary, and each transport operator or provider has its own application. Every system has its own infrastructure, and interoperability between ticketing systems is quite rare. So each system has its own authentication algorithm and, of course, its own key types and lengths.

Main differences

EMV is designed for securing the transaction between card and terminal, terminal and host systems, and host system and card. It’s the underlying standard of Visa, MasterCard and JCB. Each organization has its own application of EMV, but essentially they are mostly identical. Contactless ticketing applications depend heavily on the chip platform and operating system they are using. Every transport authority, system integrator or solution provider has its own ticketing application. There are efforts in Europe to standardize the ticketing applications, but they are not mature enough yet. So basically ticketing is proprietary for now.

Some time in the near future, payment and ticketing are supposed to meet on the NFC platform, but it seems there is still a long way to go.

M-Pesa, the most innovative mobile payment system

Think of a country where most of the people don’t have basic bank accounts. Most of the population live in outskirts or villages far away from city life. Robbery is the second name of the capital city, Nairobi. Yes, I am talking about Kenya, one of the most beautiful countries in Africa.

Around 2 years ago, the biggest mobile network operator, Safaricom, started a mobile money transfer system called M-Pesa, which has now become the most innovative mobile payment system in the world. It was created to serve the basic money transfer needs of the underbanked population. There was no legal infrastructure to regulate the system; the government could only provide it 6 months after the launch. Now it’s projected that almost one third of Kenyans have an active M-Pesa account.

So, what is M-Pesa, and how do people use it? M-Pesa is a money transfer program managed via cell phones. All cell phones are compatible, since the application was developed on the SIM card. All Safaricom SIM cards have the M-Pesa application pre-installed, so all you need to do is register for the service. Even I, as a foreigner, was able to register within hours using only my passport.

What is really great is that there are no hardware terminals installed; both users and the distribution network use the same SIM-centric approach. To register, you simply need to apply to an M-Pesa agent. The agent keys the typical personal information into his/her cell phone, and you receive the notification within hours. The application is protected by a PIN, which is created during the registration, so it is secure enough.

With an M-Pesa account, you can send and receive money, withdraw cash from ATMs and shop at certain points, and the latest news is that you can even link your account to a bank account. What more would an average Kenyan want from a mobile network operator?

I personally consider M-Pesa one of the most creative products based on a smart card platform. The SIM application alone enables the whole service, as the heart of the system. Safaricom manages a pool account for all the money loaded into M-Pesa accounts. Safaricom is not a bank, but now, with the introduction of M-Kesho, people can open a bank account at Equity Bank and use the basic banking instruments through the M-Pesa application just by linking the M-Pesa account with the Equity Bank account. Another innovative step!

M-Pesa was a huge success, so Vodafone, the owner of Safaricom, launched the same product in Tanzania and Afghanistan and is planning to do so in India, Egypt and South Africa.

It’s a true success of smart card/SIM technology, yet I can consider it a contactless system, since everything happens outside the contact interface!

Highlights from Cardist 2010

The 3rd Cardist Card & Smart Technologies Exhibition & Summit was held in Istanbul on 12-14 May 2010, with BKM, Visa and MasterCard as the main sponsors.

Here are my highlights from the exhibition:

Garanti & Avea announced a mobile payment product based on mobile phones. Payment is processed by the application running on the SIM card, and the SIM card has an external antenna attached. This way, there’s no need for an NFC-based handset; all handsets can be used with it. Garanti Bank already has more than 1 million contactless credit cards issued and is clearly the market leader in contactless payments in Turkey.

BKM, the national switch of Turkey, announced the pilot project to run on NFC handsets, in which BKM acts as the TSM. 6 banks are taking part in the pilot project.

Oytek demonstrated their NFC solutions running on the Nokia 6212. The application has paid balance, ticketing and couponing extensions. There’s also a kiosk with a contactless reader and an NFC poster application to complete the NFC picture.

Banksoft won an award with the contactless pre-paid card program which was developed for Halk Bank’s Bank 24 Visa contactless card. Smartsoft also won an award with their pre-paid platform.

Payment Cards&Mobile, which I think is the best magazine on contactless systems, was also present at the exhibition, as they were at the last two.

Belbim, the technology provider of Istanbul Municipality (including the electronic ticketing for public transport), exhibited their validators and surrounding devices. Belbim has developed a DESFire application for Istanbul public transport, but somehow it has still not been released for public use.

KentKart was also present and demonstrated contactless only validators and vehicle tracking systems.

Calypso, the ticketing master

When we talk about transport ticketing, Calypso is the technology we must discuss first. Calypso is a transport ticketing system built by the transport operators. It was designed to match the transport ticketing requirements, from functional flow to security mechanisms. The main distinguishing feature of Calypso is that it requires a microprocessor card. This enables all the security required by a complex transportation environment.

So, what is Calypso?

Calypso is a ticketing application developed and maintained by the Calypso Association. The Calypso Association, based in Brussels, Belgium, was established by RATP and technology provider Innovatron in 1993. Later on, a group of European transport operators from Belgium, Germany, France, Italy and Portugal joined the association. The Calypso ticketing application is currently being used by various European public transport systems.

In the Calypso world, you can define various players on a single card (the term “portable object” is now used rather than “the card”, though), and they can share the same balance. The technical design of the application supports multi-application by nature. Different contracts, protected by different key sets, can be installed on a single card. Each Calypso chip has a set of keys derived from master keys. DES and DESX (a DES variant hardened against brute-force attacks) can be used for authentication. Calypso requires its own SAM card for authentication, which is a prerequisite for modifying the data in the chip.
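The key arrangement described above, as an added example that is not part of the original post and is not the Calypso specification's actual commands or cryptography: a simplified Python model in which a SAM holds master keys, the portable object holds only keys derived for its own serial number, and a contract can be modified only with a signature from the matching key set. All class and function names and the key values are assumptions, and HMAC-SHA256 stands in for DES/DESX.

```python
import hashlib, hmac, os

def derive(master: bytes, serial: bytes) -> bytes:
    # Diversification: card key = f(master key, card serial number).
    # HMAC-SHA256 stands in for the DES/DESX computation, which Python's stdlib lacks.
    return hmac.new(master, serial, hashlib.sha256).digest()

class Sam:
    """Terminal-side secure module: holds master keys, only hands out signatures."""
    def __init__(self, masters: dict):
        self._masters = masters   # key set name -> master key

    def sign(self, key_set: str, serial: bytes, challenge: bytes, data: bytes) -> bytes:
        key = derive(self._masters[key_set], serial)
        return hmac.new(key, challenge + data, hashlib.sha256).digest()

class PortableObject:
    """Card side: stores only the keys already derived for its own serial number."""
    def __init__(self, serial: bytes, masters: dict):
        self.serial = serial
        self._keys = {name: derive(m, serial) for name, m in masters.items()}
        self.contracts = {name: b"" for name in masters}
        self._challenge = None

    def get_challenge(self) -> bytes:
        self._challenge = os.urandom(8)
        return self._challenge

    def update_contract(self, key_set: str, data: bytes, signature: bytes) -> bool:
        challenge, self._challenge = self._challenge, None   # each challenge is single-use
        if challenge is None or key_set not in self._keys:
            return False
        expected = hmac.new(self._keys[key_set], challenge + data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.contracts[key_set] = data
        return True

# Constructed master keys for two operators sharing one card
MASTERS = {"metro": b"constructed-metro-master", "bus": b"constructed-bus-master"}

def demo():
    card = PortableObject(b"\x00\x00\x12\x34", MASTERS)
    bus_sam = Sam({"bus": MASTERS["bus"]})   # the bus operator's SAM has no metro key
    c = card.get_challenge()
    own = card.update_contract("bus", b"monthly", bus_sam.sign("bus", card.serial, c, b"monthly"))
    c = card.get_challenge()
    cross = card.update_contract("metro", b"free", bus_sam.sign("bus", card.serial, c, b"free"))
    stale = bus_sam.sign("bus", card.serial, c, b"weekly")   # c was consumed by the call above
    replay = card.update_contract("bus", b"weekly", stale)
    return own, cross, replay, card.contracts
```

Because every card key depends on the serial number, extracting the keys of one card gives nothing usable against another card, and the master keys never leave the SAM.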

Unlike typical MIFARE designs, you are restricted by the boundaries and transaction flow developed by Calypso, but it covers almost anything that can be expected in a transport ticketing environment. The Calypso applet runs on microprocessor chips, so authentication is quite strong (and fast).

The Calypso Association plays an innovative role towards the NFC era, and they seem to be ready for the NFC evolution. (I wish I could say revolution, by the way.) The Calypso applet runs on various card operating systems, varying from Infineon to Watchdata chips, including NXP’s JCOP family. Of course, this includes any secure element in the NFC world.

Based on my personal experience, I can say that Calypso is an equivalent of EMV in the banking payment world. Both of the applications are quite well designed, already running on millions of chips and getting ready for the future.

First DESFire implementation on a SIM platform

MIFARE emulation has been around for some years. MIFARE emulation simply refers to an application running on a chip card operating system. The application emulates the native MIFARE chip and responds to MIFARE readers as if it were a MIFARE chip. Of course, there are some considerations when implementing a MIFARE emulation. First of all, it is not native MIFARE, and the terminal software needs to be updated accordingly to recognise the chip. Secondly, MIFARE emulation is not as fast as a native MIFARE chip, so some parameters must be updated to transact with the MIFARE emulation applet.

This has been done for some time, but Gemalto has started a new era by implementing the DESFire application on a SIM/UICC. Even the owner of the technology, NXP, does not officially have DESFire emulation yet. It’s a huge thing in terms of innovation. However, there’s still some time before a DESFire-enabled transportation system will accept an NFC handset with a Gemalto SIM/UICC.

Gemalto has been aggressive on the contactless market almost since its start and this is clearly a result of it. Read the full press release here.