- PROJECT HELP
By Thomas Rosteck, vice president and general manager, Infineon's secure mobile and transaction division
After many years of discussion, it seems that the cashless society is becoming a reality, thanks to the rapid growth of mobile payment technologies. However, while early adopters have been keen to use the technology, mobile payment hasn't taken off as rapidly as many analysts expected. Indeed, mobile wallet adoption in the US has actually slowed and surveys indicate that only 13.1 percent of eligible users in the US have tried Apple Pay.
As the general manager of Infineon's Secure Mobile & Transaction business, I believe that building confidence among both consumers and retailers is fundamental to mass-market acceptance of 'proximity' payment. Creating this confidence requires all of those involved in the mobile payment ecosystem to work together, addressing issues that include transactional security and fraud risk, ease-of-use, interoperability between payment infrastructures and across regions and retailer training.
Growth in proximity payments
Clearly, things are on the move in the world of mobile proximity payments. By 2019, for example, forecasts state that there will be over a billion global mobile proximity payment users and that 85 percent of transactions will be NFC based. The total transaction value of mobile proximity payments (both NFC and non-NFC) is expected to grow from $4.77 billion in 2014 to $141.21 billion in 2019.
The rapid growth of NFC is being driven by wider merchant support for NFC across point-of-sale (POS) terminals, helped as the US upgrades to technology that complies with the EMVCo standard. NFC payment implementation is also becoming more flexible due to host card emulation (HCE). Large corporations such as Apple, Google and Samsung are now pushing NFC as the preferred mobile proximity payment interface by developing and marketing NFC payment features on dedicated smart mobile devices.
Confidence is key
Lack of confidence is central to many of the issues surrounding proximity payments. Consumers are aware that almost all IT devices can be hacked these days and therefore tend to shy away from purely software solutions.
Proximity payments involving technology such as contactless smart chip, plus the need for proximity that is fundamental to successful NFC-based transactions, is helping to build confidence. Even so, consumers still have (often groundless) fears when it comes to using new technology. The most common concerns include the possibility of people stealing data just by being close to you, or paying for something inadvertently. Whilst there are technical safeguards in place for these situations, convincing of the consumers is still required to allow adoption to accelerate.
Recent headlines about data breaches in large organizations have not helped boost confidence in security in general. Consumers believe that a significant number of organizations are not fully on top of their game in terms of ownership of payment data, access control, end-to-end encryption and compliance with relevant standards. In addition, as applications reach deeper into our devices and gather more information, sensitive personal or business information such as contact lists, meeting agendas and so on can be exposed.
Consumers also seem concerned over the sheer number of different players in the mobile payments space. And when they are puzzled about where to turn, many choose to stick to what they know best – cash and card.
Technology plays a key role in creating trustworthy proximity payment solutions. Highly secure, tamper-resistant secure elements (SE), for example, have been the standard in Europe for over 20 years. SEs can be thought of as a smart card embedded in a mobile device due to the restricted access and strong encryption. As the SE is bound to each device, the opportunity for wide scale fraud is strictly limited.
Host Card Emulation assumes all devices are vulnerable and restricts sensitive data to cloud based databases. Obviously, the communications have to be very secure - and they are, using keys, tokens, device fingerprinting and transaction risk analysis along with rapidly expiring keys to ensure security. Any risk here is in the authentication, as the HCE uses tokens that are valid for just one transaction and, as a result, token issuing is demanded frequently, in which case, authentication is required each time. Minimising authentication risks while offering ease of use is very difficult without some form of secure hardware support.
NFC plays a large role in building confidence through secure communications. Whereas other technologies are more susceptible to interception, NFC uses the proximity of the payment device and the terminal to exchange secure keys at the start of the transaction, thus providing a far more secure environment by eliminating the possibility of 'man-in-the-middle' data interception.
User and operator experience
Speed and convenience are the goals of every (proximity) transaction. From the consumer side, - transactions can be completed quickly without the need for notes or coins. A study by American Express found contactless transactions to be 63 percent faster than cash and 53 percent faster than a traditional card transaction.
The transaction becomes intuitive; simply touch the card or NFC device to the payment terminal and the payment is made. Higher value payments are always secured by a PIN, yet lower value transactions can be enacted by a simple, yet secure, touch of the payment card or NFC device. And, when paying overseas, language is no longer an issue - the action of simply touching the terminal transcends all borders.
From the operator side, proximity payments reduce costs through operational efficiencies, less need to handle cash and minimizing the potential of damage to the payment device. And it has been seen that transaction values increase when customers pay by card. Furthermore, as cash payments give way to contactless (for reasons ranging from ease of use to fear of mugging), retailers are able to collect big data (though, it should be emphasized, not personally identifiable data) about customer habits allowing them to hone their marketing programs.
Seamless use across regions
The greatest non-technical challenge to proximity payments is the cultural differences that still exist in our highly connected world. Culturally, credit cards are very prevalent in the U.S. and the U.K., yet less so in other markets. Furthermore, the US and many countries in Europe still have some way to go in terms of both chip and pin and contactless options.
As standards develop, transactions made with a subsidiary in one country that has a parent in a different country become easier. ISO/IEC 14443 (Identification cards - Contactless integrated circuit cards - Proximity cards) is an internationally recognized standard that defines the card itself and the transmission protocols for communicating with it. Notably, this forms the basis of the EMV system.
Some of the origins of NFC are in ISO/IEC 14443 and NFC remains compliant with this standard. The NFC Forum takes a leadership role in this industry and develops specifications and test mechanisms to ensure consistent and reliable transactions throughout all three operating modes of NFC.
But what of the future? Clearly, proximity payments will continue to grow as more proximity-capable devices roll out, as operators upgrade terminals and as acceptance grows. The rise of wearable technology will accelerate this trend with consumers not even having to reach into their pockets to pay.
While HCE will continue, we think that SE will retain a mandatory role in assuring the security of proximity payments. The hardware-based solution builds consumer confidence that will never exist in purely software solutions.
And at Infineon we are enabling the move to wearable payment technology with a variety of solutions. One of these is our ISO14443-compliant Boosted NFC Secure Element, which reduces antenna footprint while enhancing the contactless performance. This, in turn, will allow secure transactions to be performed by ever-smaller devices.