Setting the record straight on contactless transactions and terminology
By Jack Jania, senior vice president of strategic alliances, Gemalto
Without singling any party out, I think we can agree that there is a blanketed air of confusion in the mobile industry – a conflation of language, if you will.
Those of us working with this technology day in and day out (myself included) can default to jargon, and media conversations often follow suit as they surmise what specific technology, category of devices, app providers or ecosystem is going to "win." There's an inescapable deluge of acronyms used to describe the technologies that power and secure mobile transactions in particular: NFC, HCE, BLE, RFID, EMV, MST…the list goes on. It's important for us to draw distinctions between terms that are misused or incorrectly interchanged. It's time to set the record straight on exactly what these contactless terms represent, what the technologies do and why there is confusion in the first place.
Let's take a step back to define contactless as data being transmitted across the airwaves via a spectrum of different frequencies or wavelengths that lead to communication protocols. AM/FM radio frequencies, near field communication (NFC), Radio Frequency Identification (RFID) and Bluetooth Low Energy (BLE) all have varying frequencies and are all more or less suited to transfer specific types of data. Those ideal frequency-to-data combinations result in music signals, video signals (even HDTV), payment transactions and asset tracking, among other activities. These communication protocols are like the rules of grammar for transmitting information contactlessly.
In my estimation, much of the confusion stems from RFIDbeing used as a catchall synonym for every flavor of contactless, especially when it comes to payments. It's a common misconception that all contactless technology should be generalized as RFID. To put it in layman's terms, it's similar to how a square can always be called a rectangle but a rectangle cannot necessarily be identified as a square. RFID always fits under the umbrella of contactless, but not every type of contactless is RFID.
Enabling one type of contactless, an RFID system consists of a tag, reader and antenna. Tags can be either active or passive depending on whether the power source sits with the tag (active) or reader (passive). Active tags transmit a findable marker via a process called automatic identification, resulting in a read range of up to 100 meters, roughly across a warehouse. This is what makes active RFID so useful for transmitting data like tracking a shipping crate. Passive RFID still has a range of up to 25 meters, so it's practical for tasks like badged employee building access.
NFC is a more specific subset of RFID that uses the same frequency as high frequency RFID but must communicate within a halo of six inches or so. That's why you'll commonly hear NFC contactless card and mobile payments referred to as "tap and pay" or "tap and go" – you have to almost physically touch the card or device to the point-of-sale (POS) terminal. In that way, "NFC turns the limitations of its operating frequency into a unique feature" that proves valuable for a host of sensitive information-sharing and payment applications.
NFC-ready devices also retain the advantage of serving both as a reader and a tag (unlike standard RFID systems), so it's especially good for peer-to-peer communication or B2C advertising. To that point, it's important to keep in mind that NFC is only a communication protocol, not a security protocol. Still, the proximity requisite inherently makes payments from smartphones, wearables and other NFC-capable form factors more secure, as you have to be so close to the terminal that the runway for signal interception is short. The distance limitation has a positive effect when it comes to establishing boundaries and verifying when and how a transaction can take place, a key differentiator from other forms of contactless communication that are more equipped to handle other types of data.
Even in spite of the NFC proximity safeguard, payments are a particularly sensitive type of data to transfer. Security isn't based on the type of contactless communication; it's based on the way the data is stored. That's why we're realizing that NFC must be paired with Europay MasterCard Visa (EMV), encryption and tokenization security provisions to become a complete, secure package.
RFID and NFC are not representative of all contactless communications or transactions but, as a security protocol, neither is EMV. EMV is a complementary technology to contactless that ensures data involved in payment transactions is dynamic and therefore rendered useless in fraudulent activities. NFC (or another appropriate form of contactless) actually transfers the data, but EMV changes and masks it. When we refine our terminology and acronyms, we need to pay special attention to whether we're clear in our references to communication protocols and their roles versus security protocols and their roles.
The longer that very different forms of contactless and their sister technologies – RFID, NFC, EMV, etc. – are conflated as one whitewashed category, the longer we're going to have trouble conveying to consumers how these technologies work and convincing them that these technologies are adequately protecting their contactless payment experiences. All members of the payments ecosystem, including banks, merchants and payment acquirers, stand to gain from contactless technology and transactions, but the first step is to start talking about contactless terminology both clearly and accurately.