It seems EMVCo is ahead of Visa and MasterCard this time, they released requirements for contactless payments by handsets. There are already implementations of Visa and MasterCard’s applications on handsets, but all of them have been dropped before launch -after pilot phase.

Basically, a mobile application is a user interface for accessing the EMV compliant payment application running on the secure element of the handset. Secure element can reside on the NFC controller of the handset or on the SIM card.

What EMVCo requires for these applications are;

• Application should have a soft/hard key for easy access. If it’s a soft key, it must be accessible from the main/home screen.
• Application should inform the handset/card holder when a contactless transaction is in place.
• Application should be secured by a password and it should be configurable to enable/disable the application.
• There should be an indication of contactless capability, just like the bluetooth icon.
• Handset shall provide a mechanism to notify the application when it is powered off.

It is a good effort to draw the boundaries of the environment and will lead the players in the industry to have a single user experience. It seems we will see more mobile payment applications on the market -hopefully in the commercial level rather than pilots.

Original document can be found here.

Work Flows

Functional requirements of a contactless ticketing application are generally store a balance, contract, expire date and a log space. Typical work flow of a contactless ticketing transaction is as follows:

• Identify the card in the field
• Authenticate the card and the ticketing terminal
• Read the contract from the card
• Read the previous transaction logs -if necessary
• Compute the fare
• Debit the card with the fare
• Write the transaction log

When it comes to payment, the work flow of a contactless EMV payment is as follows:

• Identify the card in the field
• Authenticate the card and the terminal
• Debit the card
• Store the transaction log

As you can see, the main difference of the payment and the ticketing work flow is the fare calculation based on some variables like contract type of the card and the previous transactions performed and stored in the application. This is something EMV is still uncapable of. Both Visa and MasterCard are already working on ticketing extensions of payWave and PayPass, however they will still have many barriers ahead even if the specification are completed and first samples are out for testing.

Authentication and cryptography

EMV relies on RSA and Triple DES, while ticketing applications use mainly DES variants and AES. Contactless EMV transactions are quite secure with DDA (Dynamic Data Authentication) and it is a perfect solution for an interoperable environment of different banks.

Almost all ticketing systems are proprietary and each transport operator or provider has its own application. Every system has its own infrastructure and interoperability between ticketing systems are quite rare. So each system has its own authentication alghoritm and of course key types and lengths.

Main differences

EMV is designed for securing the transaction between card and terminal, terminal and host systems, host system and the card. It’s the underlying standard of Visa, MasterCard and JCB. Each organization has its own application of EMV but  essentially they are mostly identical. Contactless ticketing application depend heavily on the chip platform and operating system they are using. Every transport authority, system integrator or solution provider has its own ticketing application. There are efforts in Europe to standardize the ticketing applications but they are not mature enough yet. So basically ticketing is proprietary for now.

Some time in the near future, payment and ticketing is supposed to meet on the NFC platform, but it seems it’s still a long way there.

Here are my highlights from the exhibition:

Garanti & Avea announced a mobile payment product based on mobile phones. Payment is processed by the application running on SIM card and the SIM card has an external antenna attached. This way, there’s no need for an NFC based handset, all handsets can be used with. it. Garanti Bank already has more than 1 million contactless credit cards issued and clearly the market leader in contactless payments in Turkey.

BKM, the national switch of Turkey announced the pilot project to run on NFC handsets in which BKM acts as the TSM. 6 banks are attending the pilot project.

Oytek demonstrated their NFC solutions running on Nokia 6212. The application has a paid balance, ticketing and couponing extensions. There’s also a kiosque with a contactless reader and an NFC poster application to complete the NFC picture.

Banksoft was awarded with the contactless pre-paid card program which was developed for Halk Bank’s Bank 24 Visa contactless card. Smartsoft is also awarded with their pre-paid platform as well.

Payment Cards&Mobile, which I think the best magazine on contactless systems was also present in the exhibition as they were in the last two ones.

Belbim, the technology provider of Istanbul Municipality -including the electronic ticketing for public transport- exhibited their validators and surrounding devices. Belbim has developed a DesFire application for Istanbul public transport but somehow it’s still not been released for public use.

KentKart was also present and demonstrated contactless only validators and vehicle tracking systems.

EMV is the defining point between these two markets. Europe has chosen the card to be the safest and made a huge investment. Now European cards have the ability to process an offline PIN, validate itself to the POS terminal prior to online authorization, generate dynamic signature of each transaction (cryptogram), validate the host system, etc. In the US, POS terminals just read out the mag stripe data and send the transaction to the issuing host for authorization.

In this context, contactless transactions work in the same way. US contactless cards just send the mag stripe data over RF interface instead of the mag stripe reader and everything else is almost the same. However, there’s a slightly different security enhancement which may change the things. Each contactless transaction is sent to host by generating an unique transaction counter, which can not be done in the mag stripe world. Big step.

In Europe, contactless transactions are offline. Visa and MasterCard release specifications for online too, but this was just for compliance with the US network. Offline means the card application needs to authorize the transaction without asking to any central host. To be able to do this, you just need to have a smart application inside the chip which can store some smart decision making data. This is the main difference between Europe and the US.

In the US, contactless only chips can be used without any interaction with the mag stripe. But in Europe, this is simply not possible. The chip needs to be dual interface, meaning that it should work both from contact and the contactless interface.

With the introduction of contactless payments, US market began developing into another era, while for Europe, it was a natural extension to the contact applications. Once again Europe choses the expensive and the safest way while US goes from the opportunistic path.