There’s been a lot of rumors around iPhone’s new release, iPhone 4 that it would come with an NFC chip but unfortunately it didn’t. It’d be a huge step for the contactless space -could also be a huge step for a proprietary system fully controlled by Apple, now we will wait for iPhone 5.

But wait, if you really want to see iPhone in action for contactless payment, you are in luck. Wireless Dynamics has a great solution for that; iCarte.

Luckily, I am part of an iCarte project here in Turkey. Yapi Kredi Bank and Visa deployed this iCarte project. Wireless Dynamics is the hardware and software provider while G&D is the TSM for personalization. Inside the smartcard within the iCarte, Visa Mobile Payment Application is running. And Visa Mobile Gateway is used for life cycle scripting.

iCarte is basically an integrated smart card and antenna attached to iPhone. Both iPhone 3 and 4 are supported. On top of the hardware, of course there is the software. Wireless Dynamics has a great app that enables the payment.

First you need to personalize the smart card embedded in the iCarte. After that, you need to verify yoıurself to the smart card with your PIN (passcode in Visa’s terminology). If you are the person that Yapi Kredi has authorised (Yapi Kredi is the issuer in this case) you are good to go with your iPhone for contactless payments.

When you first start the app, hardware is checked and connection is established.

After a successful start-up, you need to activate the application. This practically means you must personalize the Visa Mobile Payment Application.

Now you are ready to go.

With the iCarte, you can also save personal details of the transaction. iCarte -like other mobile payment solutions- is more secure than other contactless payment media. You can choose to enter your PIN before processing a transaction. This is optional, you can do this once and let the application process the payment without and verification.

I think it is the most usable (and practically the only) solution for the moment for contactless payment with iPhone.

We are clearly in the smart cards era. From set top boxes to access control systems, passports to -of course- payment systems run on these little security tokens. There are thousands of smart cards applications running on smart cards worldwide ranging in these business fields.

When it comes to payment systems, Visa and MasterCard are the strongest influencers and the rule setters. Visa and MasterCard started EMVCo in 1994 when smart cards were ready to run payment applications. EMVCo released first payment application standards in late 90’s which led Visa and MasterCard to develop their own payment applications based on EMV.

Visa’s application is called VSDC (Visa Smart Debit Credit) and MasterCard’s application is called M/Chip. They are quite similar but have many configuration differences in terms of bank’s parameter management on the application.

Naturally, it started with contact versions. It was primitive, when compared with the current versions, but far more advanced for their magstripe ages. Banks did not even use the offline PIN feature simply because the market was not ready at the time. UK was the first country to migrate to use the offline PIN -which they called Chip&PIN -after a critical mass has been reached. Turkey was the second national migration to PIN usage. (I was personally part of it)

What EMV provided is basically a security layer to existing infrastructure and offline capabilities like offline PIN verification, offline data authentication and offline payment. It came with many updates; cards have changed, terminals have changed and of course back office systems have changed.

Then hardware (chips) evolved into contactless space. Both Visa and MasterCard developed dual interface (or a.k.a contactless) versions of their applications. MasterCard was faster, they released a stable application years before Visa and named it PayPass. US was the first country to implement PayPass.

In the mean time, US never had left the old magnetic stripe cards. As a result, US had hybrid cards; a contactless only chip with magnetic stripe. US version of contactless applications work only online, while EMV versions can work both online and offline. US version has only one security enhancement over contact magstripe – a dynamic CVV code.

Visa released the application later under the name of payWave.

The basic difference between Visa and MasterCard’s contactless applications is that MasterCard uses the standard EMV flow while Visa uses a shortcut bypassing many EMV steps. It is arguable which one is better, but my personal taste is with MasterCard.

When it comes to mobile, MasterCard is still ahead of Visa. They have a working Mobile PayPass application for a while. That’s why current NFC pilot programmes run MasterCard. Visa is now ready to kickstart a mobile version of payWave -which is called Visa Mobile Payment Application, VMPA.

So, what is new in the mobile versions? First, now there is a user interface for the application from the mobile device on which the cardholder can activate the application, change PIN, view transactions, etc. Mobile versions have the capability to be managed over the mobile network operator’s (MNO) OTA (over the air) channel. OTA is also the personalization interface of the application. Banks are now able to communicate with the application anytime they need to. (Of course not that much easy as it sounds)

Since the applications run on SIM cards (or the secure elements, as per popular phrase) now banks have a mandatory partner on their customer; the MNOs. Personalization and the life cycle script management runs over the MNO’s OTA infrastructure. Also issuing a new card process is a brand new one. MNO is highly involved in any step during the life of a mobile payment application.

SIM is owned and controlled by the MNOs so banks are now forced to share the SIM with competing banks. MNOs create and rent the mobile wallet to banks and other service providers.

Also, application version control is now handled by MNOs. Visa and MasterCard now have another customer; the MNOs.

This is a brief history of Visa and MasterCard’s smart card applications from contact to mobile. We will see how this will evolve even more interesting. And I believe it will not take more time than it did before.

By maintaining the specifications of the banking card applications, EMVCo has a huge effect on banking card business. Visa and MasterCard developed their own implementations (VSDC and M/Chip respectively) based on EMV specifications. They are almost identical, they have a few configuration changes. Contactless applications payWave and PayPass are also based on EMV specifications, however they were developed before EMVCo released a contactless specification.

It seems EMVCo is ahead of Visa and MasterCard this time, they released requirements for contactless payments by handsets. There are already implementations of Visa and MasterCard’s applications on handsets, but all of them have been dropped before launch -after pilot phase.

Basically, a mobile application is a user interface for accessing the EMV compliant payment application running on the secure element of the handset. Secure element can reside on the NFC controller of the handset or on the SIM card.

What EMVCo requires for these applications are;

• Application should have a soft/hard key for easy access. If it’s a soft key, it must be accessible from the main/home screen.
• Application should inform the handset/card holder when a contactless transaction is in place.
• Application should be secured by a password and it should be configurable to enable/disable the application.
• There should be an indication of contactless capability, just like the bluetooth icon.
• Handset shall provide a mechanism to notify the application when it is powered off.

It is a good effort to draw the boundaries of the environment and will lead the players in the industry to have a single user experience. It seems we will see more mobile payment applications on the market -hopefully in the commercial level rather than pilots.

Original document can be found here.

Contactless cards are penetrating into more and more market segments day by day. The three most common use cases of contactless cards are clearly ticketing, payment and access control. Now let’s skip the access control and compare the ticketing and payment use cases.

Work Flows

Functional requirements of a contactless ticketing application are generally store a balance, contract, expire date and a log space. Typical work flow of a contactless ticketing transaction is as follows:

• Identify the card in the field
• Authenticate the card and the ticketing terminal
• Read the contract from the card
• Read the previous transaction logs -if necessary
• Compute the fare
• Debit the card with the fare
• Write the transaction log

When it comes to payment, the work flow of a contactless EMV payment is as follows:

• Identify the card in the field
• Authenticate the card and the terminal
• Debit the card
• Store the transaction log

As you can see, the main difference of the payment and the ticketing work flow is the fare calculation based on some variables like contract type of the card and the previous transactions performed and stored in the application. This is something EMV is still uncapable of. Both Visa and MasterCard are already working on ticketing extensions of payWave and PayPass, however they will still have many barriers ahead even if the specification are completed and first samples are out for testing.

Authentication and cryptography

EMV relies on RSA and Triple DES, while ticketing applications use mainly DES variants and AES. Contactless EMV transactions are quite secure with DDA (Dynamic Data Authentication) and it is a perfect solution for an interoperable environment of different banks.

Almost all ticketing systems are proprietary and each transport operator or provider has its own application. Every system has its own infrastructure and interoperability between ticketing systems are quite rare. So each system has its own authentication alghoritm and of course key types and lengths.

Main differences

EMV is designed for securing the transaction between card and terminal, terminal and host systems, host system and the card. It’s the underlying standard of Visa, MasterCard and JCB. Each organization has its own application of EMV but essentially they are mostly identical. Contactless ticketing application depend heavily on the chip platform and operating system they are using. Every transport authority, system integrator or solution provider has its own ticketing application. There are efforts in Europe to standardize the ticketing applications but they are not mature enough yet. So basically ticketing is proprietary for now.

Some time in the near future, payment and ticketing is supposed to meet on the NFC platform, but it seems it’s still a long way there.

3rd Cardist Card & Smart Technologies Exhibition & Summit is held in Istanbul between 12-14 May 2010 with the main sponsorships of BKM, Visa and MasterCard.

Here are my highlights from the exhibition:

Garanti & Avea announced a mobile payment product based on mobile phones. Payment is processed by the application running on SIM card and the SIM card has an external antenna attached. This way, there’s no need for an NFC based handset, all handsets can be used with. it. Garanti Bank already has more than 1 million contactless credit cards issued and clearly the market leader in contactless payments in Turkey.

BKM, the national switch of Turkey announced the pilot project to run on NFC handsets in which BKM acts as the TSM. 6 banks are attending the pilot project.

Oytek demonstrated their NFC solutions running on Nokia 6212. The application has a paid balance, ticketing and couponing extensions. There’s also a kiosque with a contactless reader and an NFC poster application to complete the NFC picture.

Banksoft was awarded with the contactless pre-paid card program which was developed for Halk Bank’s Bank 24 Visa contactless card. Smartsoft is also awarded with their pre-paid platform as well.

Payment Cards&Mobile, which I think the best magazine on contactless systems was also present in the exhibition as they were in the last two ones.

Belbim, the technology provider of Istanbul Municipality -including the electronic ticketing for public transport- exhibited their validators and surrounding devices. Belbim has developed a DesFire application for Istanbul public transport but somehow it’s still not been released for public use.

KentKart was also present and demonstrated contactless only validators and vehicle tracking systems.

When it comes to card business, almost everything is different between US and Europe. US market is huge and very mature. US never migrated to EMV, while Europe has almost completed the migration. (Well mostly)

EMV is the defining point between these two markets. Europe has chosen the card to be the safest and made a huge investment. Now European cards have the ability to process an offline PIN, validate itself to the POS terminal prior to online authorization, generate dynamic signature of each transaction (cryptogram), validate the host system, etc. In the US, POS terminals just read out the mag stripe data and send the transaction to the issuing host for authorization.

In this context, contactless transactions work in the same way. US contactless cards just send the mag stripe data over RF interface instead of the mag stripe reader and everything else is almost the same. However, there’s a slightly different security enhancement which may change the things. Each contactless transaction is sent to host by generating an unique transaction counter, which can not be done in the mag stripe world. Big step.

In Europe, contactless transactions are offline. Visa and MasterCard release specifications for online too, but this was just for compliance with the US network. Offline means the card application needs to authorize the transaction without asking to any central host. To be able to do this, you just need to have a smart application inside the chip which can store some smart decision making data. This is the main difference between Europe and the US.

In the US, contactless only chips can be used without any interaction with the mag stripe. But in Europe, this is simply not possible. The chip needs to be dual interface, meaning that it should work both from contact and the contactless interface.

With the introduction of contactless payments, US market began developing into another era, while for Europe, it was a natural extension to the contact applications. Once again Europe choses the expensive and the safest way while US goes from the opportunistic path.