MAG Insights

Announcements from the MAG & Featured Articles

MAG Sponsor Spotlight


Mobile Payments 2.0
The new Mobile Payments: Practical, Cheap and Secure

by George Wallner, LoopPay Inc.

Despite powerful support from the major players and huge amounts money spent on it, NFC based mobile payments have not taken off. Now there is a movement to change how mobile payments work, making them simpler, better and cheaper. There are also new technologies that take the pain out of merchants supporting mobile payments.

Magstripe and Smart Cards

For 15 years EMV, a secure smart card technology has been available to the US payments industry. It was ignored because we had a low cost real-time on-line authorization system – the most comprehensive in the world – that kept fraud under control, as long as the card data could be kept secret. Keeping card data secret is not an easy feat, however, as the same card data that needs to remain secret must also be provided in every transaction. As criminals got smarter they were able to steal not only card numbers, but entire card track data. (Of course, requiring a PIN with every card, including credit, would solve most of the security problem, but that is another story…) Interest in the US in EMV is up, and with some justification. 

EMV smart cards provide excellent security against skimming and data theft because they can cryptographically sign the card data (or the entire transaction). This is powerful security as long as the key used to sign transactions remains secure. And with EMV smart cards that has been the case for over 15 years: there have been no reported hacks that resulted in keys being exposed.

Then came contactless cards. The networks built on their highly successful work with EMV and adapted it to contactless cards using Near Field Communications as the interface. The specs were simplified to allow for the limited bandwidth and lower available energy, as well as to speed up transactions. Security, while somewhat simpler, still included a card generated cryptographic signature, called dynamic CVV, that changes with each new transaction. Dynamic CVV provides good security against skimming, counterfeiting and replay fraud, as long as the key used to generate it remains secure.

Mobile Payments 1.0

It was the logical next step to make phones emulate contactless smart cards for mobile payments. It brought mobile under the EMV umbrella, ensuring continuity and compatibility. It allowed the same contactless card reader to also interact with mobile phones in a similar fashion to processing contactless EMV transactions. 

An important line was crossed, however. A smart card is made and provisioned in a secure environment under the control of the card issuer.  A mobile phone is never under the control of the card issuer. Empowering the phone to sign transactions is awesome power that demands serious security. But making a phone secure to the level required is very difficult because a mobile phone, unlike a smart card, is an open environment totally outside the control of the card issuer.

The solution to this security problem became a very complex architecture that included a Secure Element (SE) in each phone (really, a multi function EMV chip), layers of keys and multiple secure applets, trusted intermediaries and a whole web of complex and tenuous relationships. As it turned out, all that resulted in too much friction, costs and limitations, including restrictions on what cards could be loaded into phones. No provision was made for retailer cards, gift cards, etc.  And there still remained the risk of millions of keys in unknown devices that were all able to sign transactions.

Mobile Payments 2.0

Unlike cards, mobile devices are connected. For payments this is a game-changer. Because mobiles are connected they can implement a new approach to security. Their connectivity enables a new architecture, which can reduce the costs, complexity and friction. Instead of containing secret keys to sign transactions like smart cards, mobiles can be loaded over-the-air with tokenized cards. Tokenized cards contain one-time cryptographic signatures (or one-time use keys). These signatures are generated in the Cloud, and each signature is good for only one transaction. Signatures can expire or they can be cancelled without having to cancel the card. When a signature is used up, it is replaced over-the air by a new one from the Cloud. 

Cloud based generation of signatures reduces the security exposure of card issuers. Instead of empowering millions of mobile devices to sign transactions, the devices are loaded with a limited number of signed cards. The signatures of these signed cards are generated in the cloud under the control of the card issuer (or his processor, or Visa and MasterCard). Instead of distributing the means of signing transactions, a cloud based system distributes only the signatures. (Or in case of MasterCard, the keys distributed are good for only one transaction.)

This in turn allows the security demands on the phone to be relaxed. Because it no longer needs to store permanent keys – it no longer emulates a chip card – there is no need for the SE (the "chip") and the secure applets. They are replaced by secure software in the phone, preferably running in a Trusted Zone (like Android KitKat 4.). Because it no longer includes permanent keys, the card provisioning process can be streamlined and some of the intermediaries can be removed, reducing costs and friction. 

As the phone is no longer playing such a critical role in security it can be more open to hold any card.  (Still, with some controls. Cards with financial BIN-s, for example, may only be loaded from a trusted entity.) This will allow retailers to load their own cards, tokenized or not. 

Mobile 2.0 provides another major benefit. It allows security to be decoupled from the interface. In other words, where Mobile 1.0 had NFC intertwined with security, in the new environment any interface can be used independent of security. Retailers will be able to choose the most attractive interface: NFC, BlueTooth Low Energy, 2D Barcodes or Magnetic Transmission.

Magnetic Transmission, called MST, is especially important for retailers. It developed by Loop to take advantage of existing magstripe readers. The technology enables existing magstripe readers and POS software to be used as contactless readers. Loop's MST enables mobile contactless transactions, with all the security of cryptographic signatures and tokenized cards, without costly retailer upgrades. For the first time, retailers do not have to invest in new hardware or software to support mobile payments.

Another benefit of separating the transmission interface from security is that card issuers and networks will be able to change and adapt their security methods to meet new threats without burdening retailers with never-ending changes and upgrades. In the new environment, retailers will no longer be forced to be part of the security solution, and with that could come reduced PCI and infrastructure costs, and reduced liability.
But there is more. Tokenized card data has little fraud value. Their signatures have been used up and they are useless for counterfeiting or replay. Loop also tokenizes the Expiry Date, making stolen card numbers even less useful, especially for Card Not present or e-commerce fraud. Tokenization solves the nasty problem of data protection: tokenized card data has little fraud value and does not likely to become the target of a hacking.

Mobile Payments 2.0 is worthy of retailers' attention. The combination of lower costs, streamlined card provisioning, more open architectures and compatibility with existing retail equipment will make mobile payments much more of a reality. Retailers will be able to support a technology that will let them accept mobile payments, get involved with mobile promotions and marketing, while at the same time promoting better security and reduced liability; all at zero or very low cost. And because Loop's technology is compatible with both small and large retailers, it has a good chance of being broadly adopted by consumers, who want a mobile payment solution that works everywhere.