A possible huge step for NFC

A recent post in the Near Field Communications Group on LinkedIn states that Apple is working on prototype iPhones that have a contactless reader. Here’s the full post:

Had to share this news. A highly reliable source has informed me that Apple has built some prototypes of the next gen iPhone with an RFID reader built in and they have seen it in action. So it’s not full NFC but it’s a start for real service discovery and I’m told that the reaction was very positive that we can expect this in the next gen iPhone. If Apple does it, expect every phone manufacturer and their sister to begin pumping out NFC enabled phones, at least for service discovery and sync. This just reinforces what we knew based on the two separate patents Apple submitted that had the iPhone enabled to read RFID tags. I’m told that the touch project video and the BT SIG’s specs were all driving forces to push this forward as well as other factors. Guess I’ll be touching my iPhone to my Mac to link them together to sync iTunes by next year.

Nokia has been the leader of NFC innovation in the handset world, but if this turns out to be true, Apple may pull far ahead. At the same time, it will lead to a boom in NFC applications.


Mifare classic the legend

It’s quite common nowadays to talk about the security weaknesses of Mifare Classic chips. It’s easy to “hack” the chip, clone it, read its contents without knowing the keys, and so on; the list goes on like this. Even the license holder, NXP, recommends migrating to Mifare Plus. Not good for any product!

These words definitely don’t sound good; however, a huge number of Mifare chips (more than one billion, according to unofficial sources of mine) are already in use, mainly in transportation and access control systems. Many of these applications require nothing more than reading a unique ID. For transportation or e-purse, it comes down to authenticating a few sectors and updating the purse balance.

Mifare was developed by an Austrian company called Mikron. It was designed specifically for transportation, and the name was chosen accordingly: Mikron Fare Collection, hence Mi-Fare. The chip was very fast and provided the level of security required for access control and transport ticketing environments. The memory structure is not flexible enough for today’s complex mechanisms, but back then, I think it was more than enough.

Basically, the Mifare operating system has 16 sectors of secure memory, each protected by two 48-bit keys stored in the chip. Each sector has 4 blocks for storing data. Each block has 16 bytes of data storage. Each sector has one block reserved for keys and access conditions. Although not recommended, you can even use the keys as data storage.
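
The sector layout described above, worked through as an added example (not code from the original post): it locates each sector’s keys-and-access-conditions block and flags trailers where Key B is readable, which is the “keys as data storage” case. The byte positions of the access bits, the finding names and the sample trailers are assumptions based on the public Mifare Classic 1K layout, not on this post.

```python
# Added example: audit the "keys and access conditions" block (sector trailer)
# of a 16-sector Mifare Classic card. Sample trailers below are constructed.

SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16   # figures from the post

# Trailer conditions (C1, C2, C3) under which Key B can be read back with
# Key A, i.e. bytes 10-15 are being used as data storage, not as a key.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def trailer_block(sector):
    """Absolute block number of the trailer (last block) of a sector."""
    if not 0 <= sector < SECTORS:
        raise ValueError("sector out of range")
    return sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1


def data_capacity():
    """Bytes outside the trailers (block 0 additionally holds read-only
    manufacturer data, so slightly less is writable in practice)."""
    return SECTORS * (BLOCKS_PER_SECTOR - 1) * BLOCK_SIZE


def parse_trailer(trailer):
    """Split a 16-byte trailer: Key A | access bits | 1 spare byte | Key B."""
    if len(trailer) != BLOCK_SIZE:
        raise ValueError("a sector trailer is exactly 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    # Each of C1..C3 is a nibble (one bit per block) stored twice:
    # once as-is and once inverted, so corruption is detectable.
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    c1_inv, c2_inv, c3_inv = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    valid = all(v ^ inv == 0x0F
                for v, inv in ((c1, c1_inv), (c2, c2_inv), (c3, c3_inv)))
    blocks = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1)
              for i in range(BLOCKS_PER_SECTOR)]
    return {"key_a": trailer[0:6], "key_b": trailer[10:16],
            "valid": valid, "blocks": blocks}


def audit(trailer):
    """Return a list of findings for one sector trailer."""
    info = parse_trailer(trailer)
    if not info["valid"]:
        return ["INVALID_ACCESS_BITS"]
    findings = []
    data_blocks, trailer_cond = info["blocks"][:3], info["blocks"][3]
    if trailer_cond == (0, 0, 1) and all(b == (0, 0, 0) for b in data_blocks):
        findings.append("TRANSPORT_CONFIG")   # card was never formatted
    if trailer_cond in KEY_B_READABLE:
        findings.append("KEY_B_READABLE")     # Key B cannot authenticate
    return findings


# Constructed samples. Key A reads back as zeros on a real card; Key B bytes
# are placeholders.
AS_DELIVERED = bytes.fromhex("000000000000" "ff0780" "69" "112233445566")
TWO_KEYS     = bytes.fromhex("000000000000" "7f0788" "69" "000000000000")
CORRUPTED    = bytes.fromhex("000000000000" "ff0781" "69" "112233445566")

if __name__ == "__main__":
    for name, t in [("as delivered", AS_DELIVERED), ("two keys", TWO_KEYS),
                    ("corrupted", CORRUPTED)]:
        print(f"{name:13} {audit(t)}")
```

A trailer whose access bits fail the inverted-copy check should be treated as unusable rather than repaired in the field.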

I think the strength of the Mifare platform comes mainly from the off-the-shelf readers and components widely available on the market. Today, designing a Mifare application, developing it on readers and formatting the cards is quite a standardized process. You can find a virtually unlimited number of products and companies providing Mifare-based applications and systems. The “security” rules are also very well defined and documented.

There have been many projects in which Mifare was planned to be phased out, or in which Mifare was specifically blacklisted as a prerequisite. However, I strongly believe that Mifare is quite a successful product and that it has done a very good job of getting contactless systems deployed. If Mifare did not exist, I think contactless systems would not be as popular as they are today. Of course there are very strong competitors such as Legic, Calypso and Felica, but Mifare is the most popular of them all. I will try to cover these competitors, which are all stronger than Mifare in terms of security but not as widely deployed worldwide. This is actually the point I’d like to make with this post.


SIM-Centric or not?

According to a post on NFCNews, Nokia has released its first NFC handset that holds the NFC application on the SIM card rather than on the handset itself.

Let’s go through the concepts first. The heart of an NFC system is the secure element. The secure element is the IC (integrated circuit) that hosts the application, stores the data and communicates with the NFC reader. The data stored in the secure element can be a financial balance, cardholder data, ticket contract details (in a transport ticketing application), etc., and it is protected by at least DES or TDES keys. The physical communication layer is an antenna attached to the handset. In first-generation NFC handsets, both the secure element and the antenna were integrated into the handset.

The location of the secure element determines which party controls what applications may or may not be installed. If the secure element is the SIM card, then the owner of the SIM card, which is the mobile network operator, decides which applications will be installed for use with the contactless interface. Before the introduction of the Single Wire Protocol (SWP), this was almost impossible, and there was no business model either. Now it’s quite clear. Thanks to ETSI, there is now a standard for this, and I think it will eventually lead to a SIM-centric NFC world.

At an NFC event held in Istanbul, Turkey on May 27-28, a product manager from Nokia (I cannot remember his name, sorry) said that at least half of Nokia phones would have NFC capability in 2-3 years. (I cannot remember the exact figures either, but it was something around this, maybe even more.) This means that a lot of people will have a contactless device in their hands, even if they don’t want one, and there will be a huge battle over installing NFC applications on phones. I asked him whether Nokia would have both SIM-centric and handset-centric phones. He responded in a very politically correct manner that the market will decide.

Just imagine what you can do with this power: you can top up your transportation card, use it with your phone, and check the balance at any time from your phone. You can display the last 2-3 transactions on your phone: which bus or tram you took last time and how much it cost. You can even top up using your airtime. It opens a whole new world; things are shining on the bright side. And all of this happens through OTA services provided by the network operator.

However, there is a dark side, of course. Third-party application owners and developers need to negotiate with the mobile network operators. They cannot do anything the operator is not happy with. Let’s say you have a distribution channel and a project to add NFC support so that people can use their NFC-enabled phones to download content. You need to deal with the operator(s) and find a business case for the operator. Good luck.

In short, it seems a SIM-centric NFC world is coming and we need to prepare for it.


Contactless reader device for home use?

According to a post at NFC News, ASK has released a contactless reader device for home use. The reader connects via a USB port and is compatible with all popular contactless card types.

Contactless readers that attach to a PC over USB have been available on the market for a long time. For end users who have a contactless card for transportation, topping up the card at home is a very nice feature for both the user and the operator. The user is free to top up at any time, and the operator gets rid of distribution channel costs for top-up. Everyone is happy.

On the other hand, there are big obstacles to this dream coming true: it’s quite hard to distribute the readers and the software to end users. Who will bear the cost of the reader and the software? How secure is it to give the cardholder the ability to trace the transaction on his/her own PC? For power users things may be easy, but for the average person it will be hard to install the reader driver and the software and then connect to a financial service for top-up.

We will see how successful the reader becomes…


Transportation task force from GlobalPlatform

Access control applications and transportation systems were the “killer applications” that caused the boom in contactless cards. Access control systems generally do not require anything more than a unique ID, but transportation systems are more complex.

Generally speaking, two products dominate contactless transportation installations: NXP’s Mifare family and the Calypso family, which are known for ISO 14443 Type A and Type B, by the way. Mifare has been dominant for years, but the security weakness exposed by the German CCC has been quite a barrier for Mifare lately. NXP responded with Mifare Plus, a product designed for migrating current systems without changing the card media. I think it’s a very good move.

In the last 3-4 years, we have seen banks trying to penetrate contactless transportation systems. Unfortunately, the technology the banks have, EMV, cannot meet transport ticketing requirements. Both Visa and MasterCard are working on this.

On the other hand, I saw a very interesting news item on Near Field Communications World.com about GlobalPlatform’s new task force on transportation systems.

I think this will eventually lead to more standardized schemes in the transport ticketing world. Both NXP and Calypso already have GlobalPlatform-compliant products. But GlobalPlatform’s own effort will have a more effective impact, not just on cards but on readers and terminals as well. It’s also important for NFC-based payment scenarios in transportation, since the GSM world will be using SIM-centric systems based on GlobalPlatform standards.


Payez Mobile

The most active community in the NFC world is definitely the French one. A pilot has been running since last year and the results are (as with almost all pilots) pretty positive. Now France is taking another step and setting the standards for NFC-based mobile payments for Europe.

AEPM (Association Européenne Payez Mobile) was founded by French banks and mobile operators to standardize NFC payment systems, and they now have another version of the standards, which is freely downloadable from here.

France was the first country in the world to start nationwide smart card deployments, and it still leads in smart card technology. It’s no coincidence that almost all the big card and POS companies are based in France.


Contactless Payments : American and European Way

When it comes to the card business, almost everything is different between the US and Europe. The US market is huge and very mature. The US never migrated to EMV, while Europe has almost completed the migration. (Well, mostly.)

EMV is the dividing line between these two markets. Europe chose to make the card as safe as possible and made a huge investment. European cards can now process an offline PIN, validate themselves to the POS terminal prior to online authorization, generate a dynamic signature for each transaction (cryptogram), validate the host system, etc. In the US, POS terminals just read the mag stripe data and send the transaction to the issuing host for authorization.

In this context, contactless transactions work the same way. US contactless cards just send the mag stripe data over the RF interface instead of through the mag stripe reader, and everything else is almost the same. However, there is one small security enhancement that may change things: each contactless transaction is sent to the host with a unique transaction counter, which cannot be done in the mag stripe world. Big step.

In Europe, contactless transactions are offline. Visa and MasterCard have released specifications for online too, but this was just for compatibility with the US network. Offline means the card application needs to authorize the transaction without asking any central host. To be able to do this, you need a smart application inside the chip that can store some decision-making data. This is the main difference between Europe and the US.

In the US, contactless-only chips can be used without any interaction with the mag stripe. But in Europe, this is simply not possible. The chip needs to be dual interface, meaning that it should work over both the contact and the contactless interface.

With the introduction of contactless payments, the US market began moving into another era, while for Europe it was a natural extension of the contact applications. Once again, Europe chooses the expensive and safest way while the US takes the opportunistic path.


Practical barriers of NFC

NFC is the most popular topic among payment system providers, mobile network operators, banks, transport authorities, and the list continues. It offers so much for all parties involved. The most common understanding is that the mobile phone is used as a contactless payment device or a contactless tag. In this scenario:
- The customer uses one great device for everything
- The mobile network operator has a great product that ensures customer loyalty and more data transfer
- The application provider extends its application to one more medium and makes plans to add more functionality to the application running on the phone.

Everyone seems happy, but so far this scenario has never been realized commercially in Europe beyond pilot programmes. There are some big barriers on the road:

First of all, the technology is not mature enough. Actually, it is not the technology; rather, the party who holds control has not been decided yet. I am referring to the infamous SWP protocol. There are two possible positions of the NFC controller on the phone. It’s either in the handset or in the SIM card. In practice, this determines whether the mobile network operator or the customer him/herself decides what to install/use on the phone. If the secure element resides on the SIM card, no one can do anything without the authorization of the mobile network operator. With the introduction of SWP (Single Wire Protocol), the SIM card can host an application that uses the contactless interface provided by the handset. This opens a whole new world of opportunities for mobile network operators. (I am planning a separate post on this.) On the other hand, it forces application owners to work closely with mobile network operators; moreover, they cannot do anything the mobile network operator does not approve.

Secondly, a killer application like transportation is quite complex and has many different players involved. There are already complex scenarios for owning, using and renewing a transportation scheme’s contactless card, and when a handset comes into the picture things get more complicated.

Another issue is personal taste. Research indicates that people change their phones every two years, so the question is: what happens to the balance on the previous phone? How will the balance be transferred to the next phone?

I believe NFC will bring a great deal of change to our daily lives and payment habits; however, it will take some time.


Contactless card market in Turkey

As a Turkish professional who has already spent 14 years in the card business in Turkey, I’d like to summarize the current state of the contactless card market in Turkey.

Turkey has a highly active card business in terms of figures and technology. It is among the top 3 countries in Europe according to Visa EU and MasterCard Europe. Detailed figures for the Turkish market are accessible through BKM’s web site.

EMV migration started in Turkey in 1999, and it’s one of the most mature countries in terms of EMV-compatible POS/ATM terminals and cards. (Excluding debit cards, which are all online-PIN based.)

So, under these circumstances, the next thing for Turkey was of course the contactless business. Almost all major banks already have contactless cards and POS terminals, and most of the other banks have projects or plans for contactless.

Contactless reader penetration is also quite impressive. For example, when you go for a coffee at a Starbucks, you will see a contactless card reader attached to the POS terminal. If your bill is less than 35 TL (20 EUR), you can pay with your contactless credit card without a PIN or signature. The whole transaction takes no more than 30 seconds.

Unlike in many other countries, the banks own the POS terminals, so the migration was smooth. The existing infrastructure did not change; only external contactless readers were deployed. OTI and Verifone (Vivotech) cover almost the whole market, but Sagem (now Ingenico) has built-in contactless readers as well.

Gemalto is the major player in the card vendor market. AustriaCard, E-Kart (G&D) and Oberthur follow.

There are a few card personalization offices in Turkey. Plastkart is the exclusive partner of Gemalto; Provus and Bilesim are the other players. Oberthur is also working on its own personalization bureau.

There are also NFC pilot projects from Turkcell with Garanti Bank and Akbank. The Turkish Interbank Card Association (BKM) is working on handling the TSM role for NFC.

I think this is a general outline of the Turkish contactless card market. The transportation market is a whole other story, which I’ll cover in another post.


Introduction to ISO 14443

ISO 14443 is a collection of rules governing contactless smart cards and readers working at 13.56 MHz. The main idea is to create interoperability between contactless smart cards and contactless card readers.

There are 4 parts of ISO 14443:

Part 1 – Physical characteristics

With the introduction of contactless chips in different forms like watches, stickers, keyrings, etc., this part has become obsolete in recent years. Originally it defined the dimensions of contactless cards based on ISO 7810. In general, the card and the reader are referred to as PICC and PCD. PICC stands for Proximity Integrated Circuit Card and PCD stands for Proximity Coupling Device.

Part 2 – RF interface

Part 2 defines the characteristics of the power transferred to the card to enable contactless transactions. Power is transferred by the reader to the card using a frequency modulation of 13.56 MHz. (+/- 7 kHz is accepted.)

There are 2 famous types of communication signal interfaces: Type A and Type B. Although many people think that Type A is equal to Mifare and Type B is Calypso, it’s simply not true.

Part 3 – Initialization and anti-collision

In the contact card world, only one card can be in the reader slot, but in the contactless world this is not always the case. Part 3 deals with selecting a card in the RF field. Anti-collision is basically selecting one card at a time and holding the other cards in the field idle for the next transaction.

Part 4 – Transmission protocols

Part 4 defines the high-level data transmission protocol between the card and the reader.

ISO 14443 does not define any operating system for the card or reader, or any application running on either end.
