
Decoding digital payments - NFC, Contactless, Mobile Payments


DECODING DIGITAL PAYMENTS

Methods and Technology Landscape

Santosh S.

Abstract

The document is an attempt to give insight into the digital payments space as a whole. It describes the different payment scenarios or methods and how the underlying technology works.


Introduction

Payments, and the downstream clearing and settlement, are at the heart of commerce. We have seen payment instruments evolve from bartering, centuries ago, to digital payments in today's digital era. Access to your money on the go has never been easier. The ubiquitous mobile phone has already made deep inroads into this space.

What follows is an attempt to decode payments by looking at the different payment methods, the technologies involved, and some of the popular and widely accepted payment solutions revolving around mobile payments and digital wallets. This is a high-level techno-functional document that should give some insight into the digital payments space.

Payment Methods

Remote Payments – Payments made from a distance, where payer and payee are not face to face. Such payments primarily happen through channels like mobile native app wallets, digital wallets over a mobile or web browser, and payment gateways that accept payment instruments like credit and debit cards, NetBank accounts, and in some geographies digital cheques.


Proximity Payments – Payments made where payer and payee are in the same vicinity; the payment card (contactless payment instrument) may be a few inches away from the accepting terminal. The payment instrument may also be in direct contact with the accepting terminal, e.g. contact cards.

Digital wallets / mobile wallets and cards are among the key instruments used for payments. Globally, however, it is predominantly mobile payments that are on the rise. There are about 6.5 billion mobile subscriptions, out of which there are over 5 billion active mobile users. There were about 245 million mobile payment users in 2013; Juniper Research predicts that this number will almost double to 450 million mobile payment users, and according to Statista volume will grow to 721 billion dollars by 2017. Australian banks reported that, due to their adoption of NFC technology, contactless payments increased from 10% to 60% in 2013. According to the World Payment Report 2014, mobile payments are to grow by 60% in 2015.

Technology Landscape:

Be it contact or contactless payment, the ecosystem more or less uses a subset of the technologies shown below. For instance, mobile payments, a form of contactless payment when used in a proximity scenario, may use NFC, SE, HCE, tokenization, cryptography etc. in its solution ecosystem, driven by specifications like those of EMVCo.


Different Types of payment chip cards:

The discussion would not be complete without a mention of the types of chip cards that are used in day-to-day life.

Payment cards are categorized into contact, contactless and dual-interface cards. Contact chip cards have to come into physical contact with the accepting terminal. The way the card interacts with the terminal is governed by the EMV specifications, which have become the global standard for chip card technology.

a. What is EMV? – EMV (Europay, MasterCard, Visa) is a global set of standards and specifications for credit and debit payment chip card technology. The specifications are managed by EMVCo. EMVCo is an organization first established by Europay, MasterCard, and Visa. Its primary purpose was to globally standardize requirements for interoperability and acceptance of cards by card readers/accepting terminals.

The top reason why EMV cards are so widespread is that EMV significantly enhances transaction security, with added functionality in main areas like Card Authentication, Cardholder Authentication and Transaction Authorization, thus reducing the fraud emanating from counterfeit, stolen or lost cards.

Globally, 32% of transactions are EMV. There are over 2 billion EMV cards in use and more than 35 million EMV PoS machines deployed around the world.

b. What is EMV Chip? – As shown in the figure, the chip is a small rectangular micro-controller processing unit embedded in a plastic card. One of the features of this chip is that a payment application is resident in it. (http://www.smartcardbasics.com/smart-card-types.html)

c. COS – Chip Operating System

The card operating system is hardware-specific firmware that provides basic functionality to applications, like access to on-card memory, authentication and encryption. The COS is a sequence of instructions embedded in the ROM of the smart card. Most applications make use of these instructions.

There are two primary types of COS: a) general-purpose COS and b) dedicated COS. A dedicated COS has commands specifically designed for applications. Typically, the issuer has to stick with one application developer, operating system and chip when they come up with a chip-based card product like a credit card, debit card, travel card with pre-loaded money etc.

However, the trend now is multi-application cards. JavaCard and MULTOS are the most popular COSs with the bigger market exposure.

(Source: http://www.cardwerk.com/smartcards/MULTOS/)

There are many mobile payment solutions out there. A few of the innovative and disruptive ones are described in the following sections.

Apple Pay

How does it work?

In October 2014, with the rollout of the iPhone 6 and 6 Plus, Apple also launched a payment and digital wallet service based on NFC and SE (secure element) technology. Apple leveraged and integrated the existing Passbook, iTunes and Touch ID services into a payment ecosystem that is being adopted at a very fast pace. Apple Pay is being seen as a game changer in the mobile payments space, as it is easier to use for consumers and easier to set up for merchants. The most innovative part is that no intervention of MNOs (mobile network operators) is required, and it works with existing contactless payment terminals like MasterPass, Visa PayWave etc. Complexity is significantly reduced because the secure element (SE) is not SIM-based but sits within the phone hardware itself, removing the need to integrate with MNO payment infrastructure. The secure element is where the tokenized information of the card credentials is stored.

Apple has not yet published its Apple Pay implementation details. However, based on some research and their press release, here is how the underlying technology works. Go ahead and feel free to verify:

1. The user adds the card in Passbook or iTunes. Passbook for iPhone also allows users to use the iSight camera to capture the card and add its information. The default card is generally the first card that is added. Apple Pay can be used in a remote payment scenario, as it can be integrated with iPhone apps using the APIs. It can also be used in the "tap and pay" contactless scenario. Contactless payment only works on the iPhone 6 and 6 Plus.

2. Apple says that they don't store any card payment information, like the PAN or any other credentials, in the cloud. So the question is how a transaction happens if no card details are stored. Here is the innovative part: Apple provisions a token for the card in the secure element (SE) of the phone. Who gives a token for the card information? How is it provisioned in the SE? Once the card is entered manually or through the Passbook iSight camera, the PAN details are sent to Apple servers, and from there to payment networks such as MasterCard, Visa or AMEX. The payment network returns a token and, along with it, a token key. Apple Pay is the token requester (TR) and the payment networks are Tokenization Service Providers (TSP). Payment networks return the token only when a request to the card issuer for identification and verification of the card is successful.

3. Apple Pay uses the EMVCo contactless specification. When the user taps the iPhone on a contactless NFC terminal, the NFC controller triggers the SE. The SE in the phone generates a dynamic cryptogram using a combination of the token, token key, amount and other transaction details. This token, the dynamic cryptogram and other details are sent to the terminal. All this interaction happens in compliance with the EMVCo contactless specification.

4. Once the contactless terminal accepts this information, the authentication and authorization process kicks in. The terminal sends the data to the acquirer for verification. The acquirer passes it on to the payment network. The payment network identifies the data sent as a tokenized PAN and sends it to its TSP (token service provider) for de-tokenization. The PAN obtained after de-tokenization is passed on to the issuer for authorization. The issuer authorizes based on the customer's card and account status. After authorization, information flows back to the terminal for printing the receipt.
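The provisioning and tap steps above can be modelled end to end. The following is an added example, not Apple's or any payment network's code: the class and function names are hypothetical, HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the per-transaction counter is an assumed instance of the "other transaction details".

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, amount, counter):
    # Stand-in for the EMV cryptogram: HMAC-SHA256 truncated to 8 bytes.
    msg = f"{token}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class TokenServiceProvider:
    """Payment-network side: issues tokens, later verifies and de-tokenizes."""

    def __init__(self):
        self._vault = {}  # token -> [PAN, token key, highest counter seen]

    def provision(self, pan):
        # Random 16-digit surrogate; leading 9 keeps it distinct from the test PAN.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = [pan, key, 0]
        return token, key

    def detokenize(self, token, amount, counter, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return None  # unknown token
        pan, key, last = entry
        expected = make_cryptogram(key, token, amount, counter)
        if counter <= last or not hmac.compare_digest(expected, cryptogram):
            return None  # replayed or altered transaction data
        entry[2] = counter
        return pan  # only now is the real PAN released towards the issuer


class SecureElement:
    """Device side: holds the token and token key, never the PAN."""

    def __init__(self, token, key):
        self._token, self._key, self._counter = token, key, 0

    def tap(self, amount):
        self._counter += 1  # per-transaction counter (assumed "other details")
        return {"token": self._token, "amount": amount, "counter": self._counter,
                "cryptogram": make_cryptogram(self._key, self._token, amount,
                                              self._counter)}
```

A captured tap message is useless a second time, and changing the amount invalidates the cryptogram, which is why the terminal and acquirer never need to see the PAN.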


Google Wallet

How does it work?

Google Wallet is a digital/mobile wallet. Google's aim is to have everything in the digital wallet that you typically keep in your physical wallet: credit and debit cards, loyalty cards, coupons, tickets, gift cards etc.

Google has released 3 versions of its wallet service, the latest one being 3.0, which was released along with Android KitKat (4.4). With this release Google introduced what is called Host Card Emulation (HCE) technology for mobile payments. With this release Google has also officially ended support for the physical device SE in the Google Wallet application.
http://www.nfcworld.com/2014/03/17/328326/google-wallet-ends-support-physical-secure-elements/

Google has confirmed its move to HCE: "Host card emulation allows Android applications to communicate directly over NFC on supported devices with Android 4.4 KitKat. When you tap your phone to pay, HCE enables Google Wallet to pass transaction information to the point-of-sale terminal to complete your transaction. Devices that are running older operating systems may no longer support Google Wallet's tap-and-pay feature"

Google Wallet too is compliant with the EMVCo contactless specification; therefore, like Apple Pay, it needs no Google Wallet specific terminal infrastructure.

How does HCE work?

Users add a credit or debit card as a payment method to their Google Wallet account, either through the web interface or through the mobile app. What happens when a card is added to the wallet? Where is it stored? Is it really stored anywhere? Yes: unlike Apple Pay, Google Wallet stores card details or payment credentials in their secure cloud servers. The secure cloud is the new secure element in this ecosystem. The earlier two versions of Google Wallet were solely using a device-based SE (either UICC, embedded device SE or SD card based SE). The NFC controller, based on its "AID routing" mechanism, directs the NFC communication to either HCE or the SE.

The figure summarizes how the NFC controller redirects the communication from the reader to either the SE or the host CPU for an HCE transaction.

In an HCE transaction, a host operating system (like Android) and an app running on it are involved. The app may have a user interface, but in turn it uses the HCE service of the host operating system. From a security perspective, the HCE app on the host OS does not store any card credentials. Instead, the HCE app connects with the cloud, in real time before each transaction or at a pre-set frequency, to fetch a limited-validity token or dynamic data for provisioning into the HCE app. This dynamic data is sent to the contactless terminal when the phone is tapped on the terminal. This method is called tokenization with cloud storage. There is also a method, cloud storage without tokenization, where the actual card credentials are retrieved from the cloud and then passed on to the contactless terminal during the transaction. However, this method is the least secure.

In March 2015 Google announced a revamped version of Google Wallet called Android Pay.
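The "AID routing" decision described above can be modelled as a table lookup on the reader's SELECT command. This is an added example, not Android or NFC controller code: the routing table contents, the default route and all function and class names are assumptions, and a real controller's table is more elaborate.

```python
# Constructed routing table (AID hex -> destination); which AID lives where
# is an assumption made for this example.
ROUTING_TABLE = {
    "A0000000031010": "HOST",  # Visa AID, assumed registered by an HCE wallet app
    "A0000000041010": "SE",    # MasterCard AID, assumed served by an SE applet
}
DEFAULT_ROUTE = "HOST"


def build_select(aid_hex):
    """Build the SELECT-by-name command a contactless reader sends."""
    aid = bytes.fromhex(aid_hex)
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def parse_select_aid(apdu):
    """Return the AID (hex) of a SELECT-by-name APDU, or None otherwise."""
    if len(apdu) < 5 or apdu[1] != 0xA4 or apdu[2] != 0x04:
        return None
    lc = apdu[4]
    # ISO/IEC 7816-4 AIDs are 5 to 16 bytes; reject truncated commands.
    if not 5 <= lc <= 16 or len(apdu) < 5 + lc:
        return None
    return apdu[5:5 + lc].hex().upper()


class NfcController:
    def __init__(self, table, default):
        self._table, self._default, self._active = table, default, default

    def route(self, apdu):
        aid = parse_select_aid(apdu)
        if aid is not None:
            # A new SELECT switches the destination; unknown AIDs use the default.
            self._active = self._table.get(aid, self._default)
        # Every other command follows the application selected last.
        return self._active
```

The default route matters for security review: any AID absent from the table lands on the host CPU, so the HCE app must be prepared to reject selections it does not own.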

In a nutshell, mobile payments are here to stay, with new innovations coming into play day by day. The future looks bright for NFC and contactless payments, as they have already gone beyond mobile payments into payments through wearables. As the Internet of Things (IoT) or Internet of Everything evolves, it could bring in business models that would require payments. This in itself would be an immense untapped opportunity to look forward to.