Visa and MasterCard in the mobile space

We are clearly in the smart card era. Everything from set-top boxes and access control systems to passports and -of course- payment systems runs on these little security tokens. There are thousands of smart card applications running worldwide across these business fields.

When it comes to payment systems, Visa and MasterCard are the strongest influencers and the rule setters. Visa and MasterCard started EMVCo in 1994 when smart cards were ready to run payment applications. EMVCo released the first payment application standards in the late 90’s, which led Visa and MasterCard to develop their own payment applications based on EMV.

Visa’s application is called VSDC (Visa Smart Debit Credit) and MasterCard’s application is called M/Chip. They are quite similar but differ in many configuration details, mainly in how the bank manages its parameters on the application.

Naturally, it started with contact versions. They were primitive compared with the current versions, but very advanced for the magstripe age. Banks did not even use the offline PIN feature, simply because the market was not ready at the time. The UK was the first country to migrate to offline PIN -which they called Chip&PIN- after a critical mass had been reached. Turkey was the second national migration to PIN usage. (I was personally part of it.)

What EMV provided is basically a security layer on top of the existing infrastructure, plus offline capabilities like offline PIN verification, offline data authentication and offline payment. It came with many updates; cards have changed, terminals have changed and of course back office systems have changed.

Then the hardware (chips) evolved into the contactless space. Both Visa and MasterCard developed dual interface (a.k.a. contactless) versions of their applications. MasterCard was faster; they released a stable application years before Visa and named it PayPass. The US was the first country to implement PayPass.

In the meantime, the US had never left the old magnetic stripe cards. As a result, the US had hybrid cards: a contactless-only chip with a magnetic stripe. The US versions of the contactless applications work only online, while the EMV versions can work both online and offline. The US version has only one security enhancement over contact magstripe – a dynamic CVV code.

Visa released the application later under the name of payWave.

The basic difference between Visa and MasterCard’s contactless applications is that MasterCard uses the standard EMV flow while Visa uses a shortcut that bypasses many EMV steps. It is arguable which one is better, but my personal taste is with MasterCard.

When it comes to mobile, MasterCard is still ahead of Visa. They have had a working Mobile PayPass application for a while. That’s why current NFC pilot programmes run on MasterCard. Visa is now ready to kickstart a mobile version of payWave, which is called Visa Mobile Payment Application (VMPA).

So, what is new in the mobile versions? First, there is now a user interface for the application on the mobile device, through which the cardholder can activate the application, change the PIN, view transactions, etc. Mobile versions can be managed over the mobile network operator’s (MNO) OTA (over the air) channel. OTA is also the personalization interface of the application. Banks are now able to communicate with the application any time they need to. (Of course, it is not as easy as it sounds.)

Since the applications now run on SIM cards (or secure elements, as the popular phrase goes), banks have a mandatory partner in their customer relationship: the MNOs. Personalization and life cycle script management run over the MNO’s OTA infrastructure. Issuing a new card is also a brand new process. The MNO is highly involved in every step of the life of a mobile payment application.

The SIM is owned and controlled by the MNOs, so banks are now forced to share the SIM with competing banks. MNOs create the mobile wallet and rent it to banks and other service providers.

Also, application version control is now handled by MNOs. Visa and MasterCard now have another customer; the MNOs.

This is a brief history of Visa and MasterCard’s smart card applications from contact to mobile. We will see how this evolves into something even more interesting. And I believe it will not take more time than it did before.

Isis becoming a TSM

Isis is a unique approach to the contactless space, formed by three mobile network operators in the US: AT&T, T-Mobile and Verizon. It certainly is one of a kind; no other country has had such an organization to handle a new functionality on mobile phones. It sounded quite exciting.

In the new era, banks and MNOs seem to confront each other -I do not agree, though. MNOs in the US got together to handle it. And they started it in the most US way possible; they announced that they were starting a new payment scheme. They must have thought that they had all the components needed to start a new payment scheme: a mobile network, customer data with constant interaction, and distribution channels. However, it didn’t take more than a few months for Isis to recognize that this is a far more complicated task than what they had could handle. There are a thousand other issues to consider and Isis was not prepared for that.

Then in May, Isis announced that they had cancelled the original plan and were now ready to reconcile with the existing payment schemes. And after all, it seems that Isis is turning into a giant TSM for US banks.

It seems reasonable to me that Isis is now a gateway between the banks and the mobile wallet. Isis will develop a mobile wallet in which banks, transport authorities and any other service provider can co-exist with each other. And it is a huge step that all the carriers are in the game; banks and customers will be free to choose (and switch). Isis will play a central role in managing all the applications residing on a mobile wallet. It is at least a successful step in the mobile wallet wars for the MNOs.

Although it did not start with the current targets, I think Isis is a revolutionary step for the NFC era. Isis will definitely help NFC to reach masses. I will be watching!

Mobile phone reading data from a watch!

Due to an NFC project I am currently involved in, I have an iCarte dongle from WDI. Luckily, I also happen to have a Mifare watch from LAKS from a previous project.

I was browsing the AppStore and found this great app, iCarte Reader, with which you can read and write Mifare chips from an iPhone with an iCarte dongle. Since I already have a cool Mifare gadget, my LAKS watch, I began to impress my friends by using my iPhone to read and write data to my watch!

This is a true contactless showcase for me; my phone and watch exchanging data over the contactless interface. How cool is that!

Foursquare experimenting with NFC

The most popular location based mobile platform, Foursquare, announced that they are experimenting with NFC on NFC-enabled Android phones at Google I/O. People with the latest Android Foursquare application will be able to check in at Google’s event if they have an Android device with an NFC chip.

The photo is quite self explanatory. I personally think that this is a great use case for non-payment NFC applications. However, as the post also mentions, there is still a long way to go.

Mifare emulation

Mifare is definitely the most used contactless chip in the world. I’ve already covered the main topics on Mifare in my previous posts. You can find it everywhere; it has been used billions of times, hacked, cloned and it is still the most popular chip in the world.

When a product is this popular in its class, running it on different platforms becomes a must. That is what NXP did years ago. Now almost all dual interface chips -including SIM cards- have the option of running Mifare as an emulation.

What is Mifare emulation? Mifare emulation is actually an application running on the chip operating system. It emulates the Mifare Classic operating system by providing the exact same hardware and software functionality. Once it has been installed, it responds exactly like a native Mifare chip to readers transmitting Mifare commands. Dual interface chips also have a contact interface, and the Mifare emulation automatically makes use of it. This brings the ability to personalize the Mifare emulation applet over the contact interface, which is simply impossible on a native Mifare chip.

It is of course very useful to have the Mifare functionality on other platforms, but it has some drawbacks as well:

  • First, it has the exact same security problem as native Mifare. But this is something you must have considered already when choosing Mifare Classic, so it can be skipped.
  • The Mifare emulation applet is generally slower than a native Mifare chip when responding to Mifare commands. You need to consider this if you must use native Mifare chips and Mifare emulation at the same time.
  • You may have to re-configure the readers if they are set to work only with native Mifare Classic chips.

Another tip: some vendors’ implementations do not allow reading the Mifare UID over the contact interface. This is a great barrier for personalization, where you will need the UID for key diversification.
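Why the UID matters at personalization time, as an added example (not from the original post and not any vendor's code): each card's sector keys are derived from an issuer master key and that card's UID, so a personalization step that cannot read the UID cannot compute the keys. The KDF (HMAC-SHA256 truncated to 6 bytes), the function names, the master key and the UIDs are all assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY_LEN = 6        # Mifare Classic sector keys are 48 bits long
SECTORS_1K = 16    # a Mifare Classic 1K card has 16 sectors


def diversify_key(master_key: bytes, uid: bytes, sector: int, key_type: str) -> bytes:
    """Derive one sector key from the issuer master key and the card UID.

    HMAC-SHA256 truncated to 48 bits is an illustrative KDF picked for
    this example; it is not a vendor-specified diversification scheme.
    """
    if len(uid) not in (4, 7):
        raise ValueError("expected a 4-byte or 7-byte UID")
    if key_type not in ("A", "B"):
        raise ValueError("key_type must be 'A' or 'B'")
    if not 0 <= sector <= 255:
        raise ValueError("sector out of range")
    # The length prefix keeps 4-byte and 7-byte UIDs in separate input spaces.
    context = b"sector-key" + bytes([len(uid)]) + uid + bytes([sector]) + key_type.encode()
    return hmac.new(master_key, context, hashlib.sha256).digest()[:KEY_LEN]


def card_keys(master_key, uid, sectors=SECTORS_1K):
    """Full key set for one card; fails closed when the UID could not be read."""
    if not uid:
        raise ValueError("UID unavailable: diversified keys cannot be computed")
    return {(s, t): diversify_key(master_key, uid, s, t)
            for s in range(sectors) for t in ("A", "B")}


# Constructed sample values, not taken from any real card or issuer.
MASTER = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
UID_CARD_1 = bytes.fromhex("04a1b2c3")
UID_CARD_2 = bytes.fromhex("04a1b2c4")
UID_REUSED = bytes.fromhex("04a1b2c3")          # non-unique 4-byte UID
UID_7_BYTE = bytes.fromhex("04a1b2c3d4e5f6")

if __name__ == "__main__":
    k1 = card_keys(MASTER, UID_CARD_1)
    k2 = card_keys(MASTER, UID_CARD_2)
    print("card 1 sector 0 key A:", k1[(0, "A")].hex())
    print("card 2 sector 0 key A:", k2[(0, "A")].hex())
    # Two cards sharing a UID end up with the same keys: diversification
    # only isolates cards as far as the UID is actually unique.
    print("reused UID, same keys:", card_keys(MASTER, UID_REUSED) == k1)
    try:
        card_keys(MASTER, None)   # contact interface did not return a UID
    except ValueError as exc:
        print("personalization blocked:", exc)
```

With diversified keys, recovering the keys of one card does not reveal the keys of another, which is why the personalization system needs the UID before it can write the sector trailers.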

Mifare emulation applets provide an API for accessing the Mifare blocks over the contact interface at run time. This way, you get the chance to update the data stored in the Mifare blocks during another contact transaction.

DesFire has also been implemented as an emulation, and Mifare Plus has been announced for release next, in 2011/2012.

NFC : What is it and what is not?

Since NFC related news is all around the blogosphere (and partly in mainstream media), I would like to clarify the subject a little.

First; what is NFC? NFC simply stands for Near Field Communication. It is a set of standards for communication over the existing contactless interface based on 13.56 MHz. It is an evolutionary approach -rather than revolutionary- to the contactless space. Contrary to popular belief in the finance sector, it is not all about processing contactless transactions with a mobile phone. And contrary to popular belief among mobile developers, it is not a replacement technology for Bluetooth.

NFC defines the communication standards and the tag specifications for reading and writing over the contactless interface.

NFC is developed and regulated by the NFC Forum, which was originally founded by Sony and NXP. Now it has many members like Microsoft, MasterCard, NEC, Renesas, Visa, Nokia, NTT-Docomo, Inside Secure, Innovision and ST. What these companies have in common is that they are mainly hardware and software companies along with service provider giants. That basically means NFC standards are developed by the companies who will actually use them.

NFC chips (controllers) are generally manufactured by semiconductor companies, and other hardware companies build products using these NFC controllers. Inside Secure and NXP are the two biggest companies -that I know of- manufacturing NFC controllers. The hardware manufacturer also develops the software API which is used by the operating system of the final product for accessing the hardware resources of the NFC controller.

For example; this is what happens while using the latest Android apps which transfer files over the NFC interface:

The NFC controller embedded in the Nexus S has been integrated into the handset by the manufacturer, Samsung. Samsung also integrates the operating system that runs on top of the handset hardware and manages the basic input/output of the hardware resources for the apps running on the operating system. Underneath this, there is the NFC controller manufactured by NXP. NXP also develops the software API that the Android operating system needs in order to use the hardware. Android creates the abstraction layer for the NFC controller so that other hardware manufacturers can also provide NFC chips by complying with this API.

When people talk about making payments with their NFC compatible handset, that means they are using the contactless payment application (generally by Visa or MasterCard) running on the secure element (the SIM card). The contactless reader communicates with the payment application via the antenna attached to the handset, through the NFC controller. So the NFC controller here provides the contactless communication to the payment application. The user interface for accessing the payment application can be provided in two ways: via the STK or via the operating system of the handset. STK is platform independent, but the other method is tightly coupled to the mobile platform.

NFC has 3 modes:

  • Reader mode : In this mode, you can read & write any contactless chip based on ISO 14443. That is good for converting an NFC device into a contactless reader or POS terminal.
  • Card emulation mode : In this mode, the application using the NFC interface acts exactly the same as a contactless chip. Payment applications of Visa & MasterCard or transport ticketing applications use this mode.
  • Peer to peer mode : This is for exchanging data between two NFC devices, like Bluetooth, but these devices do not necessarily have to be mobile phones.

So, NFC is actually the name of the standard, rather than a product or a technology. The applications/services developed over NFC are up to the developer and its commercial targets.

NFC : Hottest trend in many ways

We have seen terrific progress in the NFC world throughout the end of 2010. Here are some highlights:

  • Google released the NFC API for Android with some sample code, and NFC applications immediately began to roll out. Here is a good application for exchanging a file between two Android phones via NFC. It simply replaces the Bluetooth interface. NFC World also posted an article on the first Android NFC apps.
  • Apple has been playing around with NFC for some time and now it seems that Apple will be joining the game -but of course with its own rules. This is another mind opening post on the subject.
  • NFC Forum released a white paper on the use of NFC in Public Transport. This is another step in setting the boundaries of the path to a contactless future in public transport, which is quite complicated.
  • The latest contactless iPhone payment application was announced by Yapi Kredi Bank and Turkcell – a joint project by a bank and a mobile network operator. (Available only in Turkish) It is already a commercial product and pre-registration is open for iPhone 3 and 4 owners who already have a Yapi Kredi World Credit Card and a Turkcell SIM card.

It seems that NFC will be one of the hottest topics in 2011 around the smart phone world, public transportation, mobile payments and location based projects.

Turkey’s first mobile payment application from Garanti Bank & Avea

Garanti Bank and Avea announced the mobile payment application at Cartes 2010 and now it is commercially available in Turkey. It is basically an antenna attached to the SIM card on which the PayPass application resides.

The SIM card used is Gemalto’s N-Flex product. Garanti Bank provides the payment application(s) -there is more than one, and the default one is a pre-paid application- while Avea is the mobile network operator. The SIM comes with a MasterCard pre-paid application, but you are free to apply for more credit cards once you have the SIM activated. The STK menu allows the user to access the applications for activating and deactivating. You can apply for a pay-as-you-go or a post paid SIM. Post paid costs 40 TL (~20 EUR) and the pre-paid one costs 20 TL (~10 EUR).

It’s a smart move from Garanti Bank, which is clearly the market leader in the contactless space in the Turkish market. The pre-installed MasterCard pre-paid application on the SIM is also a nice touch since you do not have to go through the credit card application process. It’s sold through Avea’s distribution network since you have to activate the SIM first. The product is also backed with a bonus balance of 25 TL (~12 EUR) and 100 minutes of air time if you apply before the new year. There is a nice video explaining the product to end users on the product’s official web site here. (Only in Turkish)

Another product announcement at Cartes was from Bank Asya; it is almost the same service but specific to the Mifare based Turkish toll payment system for highways.

With the add-on features and the successful start-up campaign, I personally find the product highly innovative given the current hardware and software available in the market. I hope these products build user acceptance of mobile payments and form the bridge from antenna chips to SWP chips.

Nexus S

Google announced the first mainstream Android based NFC handset, the Nexus S. Unlike the first Nexus, it is not an HTC device but basically a derivative product of the Samsung Galaxy S family. Even though it has its shortcomings, this is a huge step for the NFC era.

According to the official information, the Nexus S has NXP’s PN544 NFC controller, which is compliant with SWP. That means the handset is compliant with the latest trend in the NFC world, which is handing over power on the secure element to the MNO and/or the banks. However, sadly, the current software stack does not support access to the secure element -the SIM. This means that you can only read/write NFC tags. The NFC feature can be enabled/disabled through the Android settings, just like the Bluetooth radio.

It will not be usable for the big ongoing pilot projects, which mainly use NFC chips as a payment/ticketing medium (unless new features become available later on). It can only be used for reading NFC tags, which will basically forward the browser to a certain URL, for reading data from a poster, etc., or for checking in to places or venues via the handset. There is also a big opportunity to use the handset as a coupon medium, which is a popular business in the US -but not in Europe.

These features make me think that this is an initial device for testing the technology in non-financial projects. The popularity of the applications/projects will lead to more devices with more functionality. It is a big step for the NFC world because now an open mobile platform officially supports NFC functionality and the first handset is already commercially available.

NXP and Gemalto sign licensing agreement for adding Mifare to UICC

Today, Gemalto announced that Gemalto and NXP signed a licensing agreement for adding Mifare to Gemalto’s SIM products.

Gemalto is clearly the global market leader in providing banking smart cards. What else? Gemalto also has an OTA platform for mobile network operators. Gemalto is a member of the Open Handset Alliance -the organization behind Android, which officially announced NFC support a very short time ago. They even acquired the Mifare4Mobile team from NXP two years ago. Well, putting it all together, we can say that they have “the whole package” for an NFC ecosystem.

Without a doubt, transport ticketing is the killer application for NFC and Mifare is the strongest player for hosting transport ticketing applications. All the Mifare Classic hacks couldn’t change this. NXP announced that the 4-byte UIDs have reached their end and that they will move to non-unique 4-byte UIDs or 7-byte UIDs for Mifare Classic.

So adding a Mifare emulation applet on top of Gemalto’s current product range means only one thing; Mifare based ticketing systems have a clear path to an NFC project. Gemalto can provide an end-to-end solution for transport operators, regulatory authorities, or even banks for running a Mifare based application via mobile phones.

Again; the only missing part is still the lack of handsets with NFC support!