

Cloud vs Payment

With the introduction of Apple Pay (and HCE before that), we started hearing about cloud payments. My initial reaction to cloud payment was “what kind of payment isn’t already in the cloud?”

In generic terms, cloud refers to data and applications that are not stored locally but on servers reached over the internet, which people can access from any device, anywhere, at any time, just by having an internet connection.

When it comes to payment, everything has been in the cloud for ages. The access devices to that cloud were plastic cards and payment terminals, and everything happened through online systems, which is simply the cloud.

So what is cloud payment in this context?

Cloud payment refers to the tokenization of current payment forms (plastic cards and their numbers) into the cloud. The device (generally a mobile phone) storing the card number holds only a token of the real card number. What is a token? A token is a replacement for the actual number that is usable only for a certain period of time, so that if someone steals your account information (card number), it is simply not usable.

Almost anywhere in the world, except the US, having the card number and the expiry date or the magstripe data (which is readable by off-the-shelf readers) isn’t enough to make a payment transaction. Thanks to EMV and 3D Secure/SecureCode, you need more than card data: you need a password and cryptographic keys. The rest of the world has been migrating to a more secure payment era, but the US has been the weak link for a long time. Now, with cloud payment (and the EMV mandates for the US, of course), the US is getting on board as well.

Cloud payment is actually tokenization. Tokenization requires a smart device which can communicate with the tokenization server over the internet and tokenize (replace) the sensitive card data. And of course the smart device is a smart phone. In today’s world, when we say smart phone, we mean Apple and Android. They are different ecosystems but have the same usability approach for smart phone owners.
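To make the token idea above concrete, here is an added example (my own illustration, not code from any payment network or token service) of a hypothetical token vault. The PAN, the "device:" domain strings, the "9" prefix and the clock values are all constructed for the demo. It shows the two properties the post describes: the token is format-preserving (a 16-digit number with a valid Luhn check digit, so existing systems accept it) but random, and it is only usable from one domain for a limited time, so a stolen copy is worthless elsewhere or later.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a digit string that does not yet have one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of the partial number is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str           # the real card number; it never leaves the vault
    domain: str        # the one device or merchant the token is bound to
    expires_at: float  # Unix time after which the token is dead


class TokenVault:
    """Hypothetical token service (an assumption, not any payment network's real one).

    A token looks like a card number (16 digits, valid Luhn) so existing systems
    accept its format, but it is random: nothing about the PAN can be recovered
    from it, and it only works for one domain for a limited time.
    """

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, domain: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        while True:
            # constructed prefix "9" marks these as tokens rather than a real issuer range
            body = "9" + "".join(str(secrets.randbelow(10)) for _ in range(14))
            token = body + luhn_check_digit(body)
            if token not in self._records and token != pan:
                break
        self._records[token] = TokenRecord(pan, domain, now + ttl_seconds)
        return token

    def detokenize(self, token: str, domain: str, now: Optional[float] = None) -> Optional[str]:
        """Return the PAN only if the token is known, unexpired and presented from its own domain."""
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None or now > rec.expires_at or rec.domain != domain:
            return None
        return rec.pan


def demo() -> dict:
    """Walk one token through its life with a constructed test PAN and a fixed clock."""
    vault = TokenVault()
    pan = "4111111111111111"   # constructed test number, not a real account
    issued_at = 1_000_000.0
    token = vault.tokenize(pan, domain="device:phone-A", ttl_seconds=3600, now=issued_at)
    return {
        "token_looks_like_pan": luhn_valid(token) and len(token) == 16 and token != pan,
        "in_window_same_device": vault.detokenize(token, "device:phone-A", issued_at + 600),
        "copied_to_other_device": vault.detokenize(token, "device:phone-B", issued_at + 600),
        "after_expiry": vault.detokenize(token, "device:phone-A", issued_at + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The vault is the only place where the real PAN exists; the phone, the merchant and anyone sniffing the contactless interface only ever see the token, which is exactly why the post says a stolen number "will simply be not usable".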

Apple finally integrated an NFC chip into the iPhone 6. Apple worked a lot on the payment experience and has come up with something just as expected from Apple: a very convenient user experience and a very tightly controlled environment.

Android has been playing with NFC for a longer time, but everyone else was waiting for Apple to get on board for mass adoption. Android has almost the same workflow as Apple, with one big exception: the payment application is software based, while Apple took the more secure way, hardware. From the end user perspective, everything is mostly the same.

So, what now? It is time to talk about contactless terminals. The Apple and Android ecosystems are getting ready for cloud payments, yet the biggest requirement is still the acceptance devices. Hopefully, Apple will be the main driver here. But for that to happen, Apple must move outside the US. Europe and Asia have had a contactless wave before, but it didn’t hit the masses. With cloud payment, I am hoping that it will be different this time.

We are waiting…

My article on E-Finance & Payments Law & Policy Journal

I wrote an article for E-Finance & Payments Law & Policy, a monthly journal published in the UK, about Turkey’s payment industry and mobile payment trends. It was published in the October 2012 issue.

I tried to give an outline of the payments space in Turkey and headed over to mobile payments. Here it is:

Turkey’s payments industry and the inhibitions to m-payments

Turkey is one of the forerunners of innovative payments technology and openly intends to be a ‘cashless society’ by 2023. It is one of the most advanced countries in Europe in terms of contactless mobile payments. Burak Ilgicioglu, Card & Payment Systems Business Analysis Manager at Yapi Kredi Bank, Turkey, discusses Turkey’s successes so far with regard to mobile payments and the factors hindering widespread adoption.

Turkish banks have a very good history of developing successful card based payment products. All banks have installment products, which work mostly as a personal finance product. When people are shopping for a high definition TV, they usually check the campaigns from banks and choose the electronics retailer by the number of installments offered. There are no finance charges or fees for installment transactions when the customer pays on the due date. All the banks have loyalty programs where customers earn bonus points, just like the frequent flyer programs in the US/UK. This even helps the government fight the shadow economy. Card payments are encouraged by the regulating bodies of the economy. The motto of BKM (the interbank card centre founded by Turkish banks) for 2023 is to reach a ‘cashless society’ on the 100th anniversary of the republic. Today, 30% of Turkey’s total GDP is processed by banking cards. Turkish banks started the card payment business back in the 80s.

BKM was founded in 1990 as the national switch, clearing and settlement processor. Turkey started issuing EMV cards in 1999, and by the end of 2011 the migration was complete. All ATM and POS terminals now support EMV. All credit cards are EMV; debit cards are the exception, as almost all of them are still magnetic stripe. Thanks to the Chip&PIN migration, which started in 2007, all credit cards are used with offline PIN.

Contactless

Turkey is one of the most advanced countries in Europe in terms of contactless and mobile payments. By the end of Q2 2012, 14 out of the 27 banks in the card issuing business had reported that they are issuing contactless cards. More than 6 million contactless cards have already been issued. Turkey is a credit card country, so most of these contactless cards are credit cards; there are only a limited number of debit and prepaid contactless cards.

Contactless projects started to emerge in Turkey in 2006, when the Chip&PIN migration was still underway. Unlike the US market, Visa and MasterCard forced banks to use EMV for contactless in Europe. This practically means both offline and online transactions are possible over the contactless interface. This also led to the fast development of NFC products as the natural extension of contactless cards. Contactless has been gaining momentum in Turkey for the last few years. But just like in other countries issuing contactless cards, there are some drawbacks blocking the boom. The main reason is the acceptance infrastructure. There are more than 2 million POS terminals in Turkey and only 60,000 of them have contactless readers installed. That ratio is much lower than the share of contactless cards among all cards, which is 6 million out of 51 million. Another obstacle to contactless penetration is that there is not much benefit for either customers or retailers when it comes to contactless. Although some merchants (like Starbucks) are already directing customers to the contactless interface to speed up the transaction, there is still a long way to go.

NFC

Despite contactless cards facing issues which have stalled penetration, NFC products have been rolled out in the last two years. We have seen NFC products in different form factors, from Micro SD cards to antenna SIMs or dongles for the iPhone. For banks, unlike with contactless, there is another player at the table which claims an even bigger share of the customer base: the MNO (mobile network operator). By nature, NFC products work on mobile handsets, especially on SIM cards. As a result, banks and MNOs share the customer. Currently more than five banks already have commercial NFC products available on different phones and SIM cards. There are three MNOs in Turkey and all of them are actively involved in NFC projects. Current regulations in Turkey require all payment transactions to be processed exclusively through banks, so MNOs are working with many banks at the same time. Almost all the pilot or commercial NFC programs throughout the world feature a single bank and MNO, but in Turkey all the MNOs have wallets involving more than one bank at the same time. The physical wallet experience has almost become a reality in Turkish mobile payment products. Each MNO has already invested in its own TSM (trusted service manager) infrastructure and mobile wallet products. Yet there is still no ISIS-like cooperative organization between the MNOs, and it seems unlikely it will happen in the future. There are indeed many NFC products commercially available on the market, but the most important player in the game is still missing: the customer. The number of NFC products sold is very low when compared with traditional card products, and there are many reasons for this. We can count the current contactless issues as one. In addition, NFC products require users who have a clear understanding of the personalization process, which is mostly performed by the customers themselves.
Customers are supposed to apply for a card account, install an application on their mobile phone, then authenticate themselves to the payment application on the phone. If everything goes well, they will then surely struggle to find places where contactless cards are accepted. The customer experience has still not been worked out entirely.

Mobile payments

Although the current picture doesn’t seem very promising, there are many good signs that mobile payments will be the next big thing in Turkey. All MNOs have dedicated teams for mobile payment services. MNOs consider mobile payments part of the mobile wallet product, in which people will be using location based campaigns, transport ticketing, access control, loyalty card aggregators, couponing and smart posters. For MNOs, it is still more of a loyalty tool than a revenue generator. Banks are experimenting with mobile payment products. Banks’ perception of mobile payment products is not just buying a cup of coffee with the mobile phone. Banks consider the mobile payment experience a step into the mobile world, where the future lies. P2P payments are increasing and banks are positioning themselves in the game. Location based campaigns are another big step for Turkish banks, which already run very successful campaigns for card payments. High value payments over mobile devices will enable banks to penetrate new business models. Money transfers between bank accounts and mobile phone numbers are already a reality in Turkey, yet they will gain another perspective when NFC meets the masses with more prepaid products. Turkey is definitely a big country for card payments. It will be bigger when the mobile payment experience is part of daily life, and NFC will be the enabler of this evolution.


Contactless & NFC Ecosystem in Turkey

On 20-21 June, I attended an event from SMi Group in London on contactless and NFC. I presented the Turkish market and Yapi Kredi’s products and services. It was a great opportunity to stay updated about the contactless & NFC space throughout Europe. I met colleagues from the industry and discussed hot topics on contactless & NFC.


iCarte : contactless payment for iPhone

There were a lot of rumors around the iPhone’s new release, the iPhone 4, that it would come with an NFC chip, but unfortunately it didn’t. It would be a huge step for the contactless space (and could also be a huge step for a proprietary system fully controlled by Apple); now we will wait for the iPhone 5.

But wait, if you really want to see the iPhone in action for contactless payment, you are in luck. Wireless Dynamics has a great solution for that: iCarte.

Luckily, I am part of an iCarte project here in Turkey. Yapi Kredi Bank and Visa deployed this iCarte project. Wireless Dynamics is the hardware and software provider, while G&D is the TSM for personalization. Inside the smart card within the iCarte, the Visa Mobile Payment Application is running, and the Visa Mobile Gateway is used for life cycle scripting.

iCarte is basically an integrated smart card and antenna attached to the iPhone. Both iPhone 3 and 4 are supported. On top of the hardware, of course, there is the software: Wireless Dynamics has a great app that enables the payment.

First you need to personalize the smart card embedded in the iCarte. After that, you need to verify yourself to the smart card with your PIN (passcode in Visa’s terminology). If you are the person that Yapi Kredi has authorised (Yapi Kredi is the issuer in this case), you are good to go with your iPhone for contactless payments.

When you first start the app, the hardware is checked and the connection is established.

After a successful start-up, you need to activate the application. This practically means you must personalize the Visa Mobile Payment Application.

Now you are ready to go.

With the iCarte, you can also save personal details of the transaction. iCarte (like other mobile payment solutions) is more secure than other contactless payment media. You can choose to enter your PIN before processing a transaction. This is optional: you can do it once and let the application process payments without any further verification.

I think it is the most usable (and practically the only) solution for the moment for contactless payment with iPhone.

Visa and MasterCard in the mobile space

We are clearly in the smart card era. From set top boxes to access control systems, and from passports to (of course) payment systems, all run on these little security tokens. There are thousands of applications running on smart cards worldwide across these business fields.

When it comes to payment systems, Visa and MasterCard are the strongest influencers and the rule setters. Visa and MasterCard started EMVCo in 1994, when smart cards were ready to run payment applications. EMVCo released the first payment application standards in the late 90s, which led Visa and MasterCard to develop their own payment applications based on EMV.

Visa’s application is called VSDC (Visa Smart Debit Credit) and MasterCard’s application is called M/Chip. They are quite similar but have many configuration differences in terms of the bank’s parameter management on the application.

Naturally, it started with contact versions. They were primitive compared with the current versions, but far more advanced than the magstripe of their age. Banks did not even use the offline PIN feature, simply because the market was not ready at the time. The UK was the first country to migrate to offline PIN (which they called Chip&PIN) after a critical mass had been reached. Turkey was the second national migration to PIN usage. (I was personally part of it.)

What EMV provided is basically a security layer on top of the existing infrastructure, plus offline capabilities like offline PIN verification, offline data authentication and offline payment. It came with many updates: cards changed, terminals changed and of course back office systems changed.

Then the hardware (chips) evolved into the contactless space. Both Visa and MasterCard developed dual interface (a.k.a. contactless) versions of their applications. MasterCard was faster: they released a stable application years before Visa and named it PayPass. The US was the first country to implement PayPass.

In the meantime, the US never left the old magnetic stripe cards behind. As a result, the US had hybrid cards: a contactless-only chip with a magnetic stripe. The US versions of the contactless applications work only online, while the EMV versions can work both online and offline. The US version has only one security enhancement over contact magstripe: a dynamic CVV code.

Visa released the application later under the name of payWave.

The basic difference between Visa’s and MasterCard’s contactless applications is that MasterCard uses the standard EMV flow while Visa uses a shortcut that bypasses many EMV steps. It is arguable which one is better, but my personal taste is with MasterCard.

When it comes to mobile, MasterCard is still ahead of Visa. They have had a working Mobile PayPass application for a while. That’s why current NFC pilot programmes run MasterCard. Visa is now ready to kick-start a mobile version of payWave, which is called the Visa Mobile Payment Application (VMPA).

So, what is new in the mobile versions? First, there is now a user interface for the application on the mobile device, from which the cardholder can activate the application, change the PIN, view transactions, etc. Mobile versions can be managed over the mobile network operator’s (MNO) OTA (over the air) channel. OTA is also the personalization interface of the application. Banks are now able to communicate with the application anytime they need to. (Of course, it is not as easy as it sounds.)

Since the applications run on SIM cards (or secure elements, as the popular phrase goes), banks now have a mandatory partner for their customer: the MNOs. Personalization and life cycle script management run over the MNO’s OTA infrastructure. The process of issuing a new card is also a brand new one. The MNO is highly involved in every step during the life of a mobile payment application.

The SIM is owned and controlled by the MNOs, so banks are now forced to share the SIM with competing banks. MNOs create the mobile wallet and rent it to banks and other service providers.

Also, application version control is now handled by the MNOs. Visa and MasterCard now have another customer: the MNOs.

This is a brief history of Visa’s and MasterCard’s smart card applications, from contact to mobile. We will see how this evolves into something even more interesting. And I believe it will not take as long as it did before.

EMVCo released handset requirements for contactless mobile payment

By maintaining the specifications of banking card applications, EMVCo has a huge effect on the banking card business. Visa and MasterCard developed their own implementations (VSDC and M/Chip respectively) based on the EMV specifications. They are almost identical, with a few configuration differences. The contactless applications payWave and PayPass are also based on the EMV specifications; however, they were developed before EMVCo released a contactless specification.

It seems EMVCo is ahead of Visa and MasterCard this time: they have released requirements for contactless payments by handsets. There are already implementations of Visa’s and MasterCard’s applications on handsets, but all of them have been dropped after the pilot phase, before launch.

Basically, a mobile application is a user interface for accessing the EMV compliant payment application running on the secure element of the handset. The secure element can reside on the NFC controller of the handset or on the SIM card.

What EMVCo requires for these applications is:

  • The application should have a soft/hard key for easy access. If it’s a soft key, it must be accessible from the main/home screen.
  • The application should inform the cardholder when a contactless transaction is taking place.
  • The application should be secured by a password, and it should be configurable to enable/disable the application.
  • There should be an indication of contactless capability, just like the Bluetooth icon.
  • The handset shall provide a mechanism to notify the application when it is powered off.

It is a good effort to draw the boundaries of the environment, and it will lead the players in the industry towards a single user experience. It seems we will see more mobile payment applications on the market, hopefully at the commercial level rather than as pilots.

Original document can be found here.

Payment vs. ticketing

Contactless cards are penetrating more and more market segments day by day. The three most common use cases of contactless cards are clearly ticketing, payment and access control. Now let’s skip access control and compare the ticketing and payment use cases.

Work Flows

The functional requirements of a contactless ticketing application are generally to store a balance, a contract, an expiry date and a log space. The typical work flow of a contactless ticketing transaction is as follows:

  • Identify the card in the field
  • Authenticate the card and the ticketing terminal
  • Read the contract from the card
  • Read the previous transaction logs (if necessary)
  • Compute the fare
  • Debit the card with the fare
  • Write the transaction log

When it comes to payment, the work flow of a contactless EMV payment is as follows:

  • Identify the card in the field
  • Authenticate the card and the terminal
  • Debit the card
  • Store the transaction log

As you can see, the main difference between the payment and the ticketing work flows is the fare calculation, which is based on variables like the contract type of the card and the previous transactions performed and stored in the application. This is something EMV is still incapable of. Both Visa and MasterCard are already working on ticketing extensions of payWave and PayPass; however, they will still have many barriers ahead even when the specifications are completed and the first samples are out for testing.
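The two work flows above, side by side, as an added example of my own (not code from any transport operator, card scheme or ticketing product). The card model, the per-card key, the fare table (a base fare, a free transfer within 90 minutes, a zero fare for a valid pass) and the HMAC-SHA256 challenge-response are all constructed stand-ins; a real ticketing chip would run a DES or AES based mutual authentication. The point it shows is where the flows diverge: both identify and authenticate the card, but only ticketing reads the contract and the log to compute the amount before debiting, which is the step EMV has no equivalent for.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class ContactlessCard:
    """Simplified card: a UID, a per-card secret, a balance and a small log area."""

    def __init__(self, uid: bytes, key: bytes, balance: int, contract: Optional[Dict] = None):
        self.uid = uid
        self._key = key               # assumption: per-card key diversified from an operator master key
        self.balance = balance        # in minor units (e.g. cents)
        self.contract = contract      # ticketing only: {"type": "single"} or {"type": "pass", "valid_until": t}
        self.logs: List[Dict] = []    # recent transaction log stored on the card

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA256 stands in for the DES/AES challenge-response a real ticketing chip would run
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()

    def debit(self, amount: int) -> None:
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount


class Terminal:
    def __init__(self, key: bytes):
        self._key = key

    def identify_and_authenticate(self, card: ContactlessCard) -> None:
        """Steps shared by both flows: find the card, then make it prove it holds the right key."""
        challenge = secrets.token_bytes(8)
        expected = hmac.new(self._key, card.uid + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(card.respond(challenge), expected):
            raise PermissionError("card authentication failed")


def compute_fare(contract: Optional[Dict], logs: List[Dict], now: int,
                 base_fare: int = 300, transfer_window: int = 90 * 60) -> int:
    """Ticketing-specific step: the fare depends on the contract and on what the card did before."""
    contract = contract or {}
    if contract.get("type") == "pass" and now <= contract["valid_until"]:
        return 0
    if logs and now - logs[-1]["time"] <= transfer_window:
        return 0   # free transfer within the window of the previous ride
    return base_fare


def ticketing_transaction(terminal: Terminal, card: ContactlessCard, now: int) -> int:
    """Identify, authenticate, read contract and logs, compute fare, debit, write log."""
    terminal.identify_and_authenticate(card)
    fare = compute_fare(card.contract, card.logs, now)
    card.debit(fare)
    card.logs.append({"time": now, "amount": fare})
    return fare


def payment_transaction(terminal: Terminal, card: ContactlessCard, amount: int) -> int:
    """EMV-style flow: identify, authenticate, debit, log. The amount comes from the terminal."""
    terminal.identify_and_authenticate(card)
    card.debit(amount)
    card.logs.append({"amount": amount})
    return amount
```

Running a single-fare card through three taps (at 0 s, 50 minutes later, then well outside the transfer window) charges 300, 0 and 300; the same card presented to a terminal with the wrong key is rejected before any balance is touched.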

Authentication and cryptography

EMV relies on RSA and Triple DES, while ticketing applications mainly use DES variants and AES. Contactless EMV transactions are quite secure with DDA (Dynamic Data Authentication), and it is a perfect solution for an interoperable environment of different banks.

Almost all ticketing systems are proprietary, and each transport operator or provider has its own application. Every system has its own infrastructure, and interoperability between ticketing systems is quite rare. So each system has its own authentication algorithm and, of course, its own key types and lengths.

Main differences

EMV is designed to secure the transactions between card and terminal, terminal and host systems, and host system and card. It is the underlying standard of Visa, MasterCard and JCB. Each organization has its own application of EMV, but essentially they are mostly identical. Contactless ticketing applications depend heavily on the chip platform and operating system they use. Every transport authority, system integrator or solution provider has its own ticketing application. There are efforts in Europe to standardize ticketing applications, but they are not mature enough yet. So basically ticketing is proprietary for now.

Some time in the near future, payment and ticketing are supposed to meet on the NFC platform, but it seems it is still a long way off.

Highlights from Cardist 2010

The 3rd Cardist Card & Smart Technologies Exhibition & Summit was held in Istanbul on 12-14 May 2010, with main sponsorship from BKM, Visa and MasterCard.

Here are my highlights from the exhibition:

Garanti & Avea announced a mobile payment product based on mobile phones. Payment is processed by the application running on the SIM card, and the SIM card has an external antenna attached. This way, there is no need for an NFC based handset; all handsets can be used with it. Garanti Bank already has more than 1 million contactless credit cards issued and is clearly the market leader in contactless payments in Turkey.

BKM, the national switch of Turkey, announced a pilot project running on NFC handsets in which BKM acts as the TSM. Six banks are taking part in the pilot project.

Oytek demonstrated their NFC solutions running on the Nokia 6212. The application has a paid balance, ticketing and couponing extensions. There’s also a kiosk with a contactless reader and an NFC poster application to complete the NFC picture.

Banksoft was given an award for the contactless prepaid card program developed for Halk Bank’s Bank 24 Visa contactless card. Smartsoft also received an award for their prepaid platform.

Payment Cards&Mobile, which I think is the best magazine on contactless systems, was also present at the exhibition, as they were at the last two.

Belbim, the technology provider of Istanbul Municipality (including the electronic ticketing for public transport), exhibited their validators and surrounding devices. Belbim has developed a DESFire application for Istanbul public transport, but somehow it has still not been released for public use.

KentKart was also present and demonstrated contactless-only validators and vehicle tracking systems.

Contactless Payments : American and European Way

When it comes to the card business, almost everything is different between the US and Europe. The US market is huge and very mature. The US never migrated to EMV, while Europe has almost completed the migration (well, mostly).

EMV is the defining point between these two markets. Europe chose to make the card the safest element and made a huge investment. Now European cards have the ability to process an offline PIN, validate themselves to the POS terminal prior to online authorization, generate a dynamic signature (cryptogram) for each transaction, validate the host system, etc. In the US, POS terminals just read out the mag stripe data and send the transaction to the issuing host for authorization.

In this context, contactless transactions work the same way. US contactless cards just send the mag stripe data over the RF interface instead of through the mag stripe reader, and everything else is almost the same. However, there is a slight security enhancement which may change things: each contactless transaction is sent to the host with a unique transaction counter, which cannot be done in the mag stripe world. A big step.
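What that transaction counter buys the issuer is easiest to see from the host side. The following is an added example of my own (not any issuer's, network's or card application's code) of the authorization check a host can run when every tap carries a counter and a cryptogram over it, next to the static check that is all a mag stripe host can do. The per-card key, the PAN and the amounts are constructed; HMAC-SHA256 truncated to 8 bytes stands in for the 3DES MAC real cards compute. Note that a transaction captured once and presented again is refused by the counter check alone, while the static CVV host has nothing to distinguish the copy from the original.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def card_cryptogram(key: bytes, atc: int, amount: int, unpredictable_number: bytes) -> bytes:
    """What the chip computes for each tap. HMAC-SHA256 (truncated) stands in for the real
    3DES MAC; what matters is that the counter and amount are bound into the value."""
    data = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable_number
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Hypothetical issuer authorization host (an assumption, not any real system)."""

    def __init__(self, card_keys: Dict[str, bytes]):
        self._keys = card_keys                 # PAN -> per-card key (derived from an issuer master key in practice)
        self._last_atc: Dict[str, int] = {}    # highest counter seen per card

    def authorize_chip(self, pan: str, atc: int, amount: int,
                       unpredictable_number: bytes, cryptogram: bytes) -> Tuple[bool, str]:
        key = self._keys.get(pan)
        if key is None:
            return False, "unknown card"
        # the counter must strictly increase: a captured transaction replayed later stops here
        if atc <= self._last_atc.get(pan, -1):
            return False, "ATC replay or rollback"
        expected = card_cryptogram(key, atc, amount, unpredictable_number)
        if not hmac.compare_digest(cryptogram, expected):
            return False, "cryptogram mismatch"
        self._last_atc[pan] = atc
        return True, "approved"


class MagstripeHost:
    """Static data only: the same track data is valid every time, so a copy authorizes as well."""

    def __init__(self, cvv_by_pan: Dict[str, str]):
        self._cvv = cvv_by_pan

    def authorize(self, pan: str, cvv: str) -> Tuple[bool, str]:
        if self._cvv.get(pan) == cvv:
            return True, "approved"
        return False, "CVV mismatch"
```

A host that also receives the unpredictable number from the terminal (as in the example) can additionally check that the cryptogram was made for this terminal's challenge, not just for this counter value.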

In Europe, contactless transactions are offline. Visa and MasterCard release specifications for online too, but this was just for compliance with the US network. Offline means the card application needs to authorize the transaction without asking any central host. To be able to do this, you need a smart application inside the chip which can store some decision making data. This is the main difference between Europe and the US.
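The "decision making data" the chip stores is essentially a set of counters and limits. As an added example of my own (a simplification, not the actual risk management rules of VSDC, M/Chip or any issuer's profile), the class below keeps a consecutive-offline count, a cumulative offline amount and a single-transaction floor, and decides per transaction whether to approve offline, ask for online authorization, or decline when the terminal cannot go online. The limit values in the usage are constructed; the reset after a successful online authorization models the issuer script that clears the counters once the host has seen the card's history.

```python
from typing import Tuple


class OfflineCardApp:
    """Simplified card-side risk management (an assumption modelled on EMV-style consecutive
    offline limits plus a cumulative amount limit; not any real application's exact rules)."""

    def __init__(self, max_consecutive_offline: int, max_cumulative_offline: int, offline_floor: int):
        self.max_consecutive = max_consecutive_offline
        self.max_cumulative = max_cumulative_offline   # minor units
        self.offline_floor = offline_floor             # a single amount above this always goes online
        self.consecutive_offline = 0
        self.cumulative_offline = 0
        self.atc = 0                                   # application transaction counter

    def request(self, amount: int, terminal_online_capable: bool) -> Tuple[str, int]:
        """Return (decision, atc): 'APPROVE_OFFLINE', 'GO_ONLINE' or 'DECLINE'."""
        self.atc += 1
        needs_online = (
            amount > self.offline_floor
            or self.consecutive_offline + 1 > self.max_consecutive
            or self.cumulative_offline + amount > self.max_cumulative
        )
        if not needs_online:
            self.consecutive_offline += 1
            self.cumulative_offline += amount
            return "APPROVE_OFFLINE", self.atc
        if terminal_online_capable:
            return "GO_ONLINE", self.atc
        # an offline-only terminal cannot reach the issuer, so the card refuses rather than over-spend
        return "DECLINE", self.atc

    def issuer_reset(self) -> None:
        """Applied after a successful online authorization: the issuer has now seen the recent history."""
        self.consecutive_offline = 0
        self.cumulative_offline = 0
```

With limits of three consecutive offline transactions, 50.00 cumulative and a 25.00 floor, three small taps are approved offline, the fourth is pushed online, the same request at an offline-only terminal is declined, and after the issuer reset the card is back to approving offline.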

In the US, contactless-only chips can be used without any interaction with the mag stripe. But in Europe, this is simply not possible: the chip needs to be dual interface, meaning it should work from both the contact and the contactless interface.

With the introduction of contactless payments, the US market began developing into another era, while for Europe it was a natural extension of the contact applications. Once again, Europe chooses the expensive and safest way while the US takes the opportunistic path.