The Secure Technology Alliance white paper “Contactless Payments: Proposed Implementation Recommendations” is an interesting read, not only for what it says but for finding out what’s on the collective mind of the credit card industry.
Here is a quick summary…
About the Secure Technology Alliance
The Secure Technology Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption and widespread application of secure solutions, including smart cards, embedded chip technology, and related hardware and software across a variety of markets including authentication, commerce and Internet of Things (IoT).
<forget all the other shit, Secure Technology Alliance is a credit card EMV promotion society>
2.2 Contactless Acceptance Terminal Considerations
Contactless payments are not new. Contactless payments relying on magnetic stripe data (MSD) have been available since 2005. However, as the U.S. transitions to EMV, some payment networks are no longer recommending contactless MSD solutions. Moreover, some EMV contactless cards are being deployed without contactless MSD support, which can cause interoperability issues or cause a transaction to be terminated and processed using the EMV chip or magnetic stripe.
<contactless MSD is a crappy half-assed stopgap standing in the way of progress that nobody uses except Samsung Pay, get rid of it already>
2.2.4 Recommendations
[Figure 1. Enabling a Contactless Terminal at the Checkout]
• Contactless terminals should be customer-facing
• Customers should not need to tell cashiers how they intend to pay
<in a perfect world NFC is EMV contactless exclusively without complications from annoying FeliCa or MIFARE and credit card companies are the de facto treasury departments for all advanced nations of the world>
• The contactless terminal should always be switched on and ready to use; the cashier should not need to switch it on
<WTF, this is a recommendation?>
• The cashier should not need to enter the amount twice; the amount should be automatically displayed on the terminal
<oh I get it now, we’re talking about American cash register infrastructure>
2.3 Cardholder Experience: Different Contactless Form Factors
When performing contactless transactions, consumers already use a variety of form factors—contactless cards, mobile wallets on phones, wearables (such as watches, rings, or key fobs)—and there may be additional options in the future. While the “tapping” procedure to initiate the transaction should be the same regardless of form factor, other consumer behavior may not be consistent, especially when using a wallet on a mobile phone.
<I see, smartphone wallets with their own secure authentication are a problem, contactless credit card things with 4 PINs and meaningless terminal signatures are not a problem>
Transactions initiated using a mobile phone involve a two-step process: first, the wallet is activated (using an authentication method such as a biometric, PIN, or pattern); second, the phone is placed in proximity to the POS device for the contactless read.
Generally, however, the authentication mechanism used as the cardholder verification method (CVM) will be the consumer device cardholder verification method (CDCVM). CDCVM uses a mobile phone’s passcode or biometric user authentication to verify the cardholder for a payment transaction, removing the need for the cardholder to enter a PIN or provide a signature. Such use can result in an inconsistent consumer experience; sometimes a cardholder may be required to provide a PIN or signature on the terminal (for example, if the contactless terminal does not support CDCVM) and sometimes no verification will be required. However, as consumers become more familiar with the process and as older terminal functionality is replaced with newer technology, there should be fewer inconsistencies. In addition, note that, at this time, some networks may not support CDCVM with their U.S. common debit AID, which may result in inconsistent consumer experience for debit transactions.
<blah, blah, blah, in other words credit card companies and payment networks will do as little as possible to clean up their own mess and blame somebody else for their problems, what else is new>
3.3 Contactless POS Infrastructure and Acceptance
Contactless acceptance is a major trend globally, with a significant percentage of POS terminals supporting contactless. The following are some key published market statistics:
• According to Juniper Research (Figure 5, Figure 6), 31.6% of all terminals in service in North America are contactless; North America accounts for 19.6% of the global installed base of contactless POS terminals.
• Visa has reported that, as of September 2017, 40% of U.S. face-to-face Visa transactions today occur at contactless-enabled locations, and that a growing percentage of merchants are enabling contactless.
<wait a minute, what about that North America 19.6% figure? Contactless POS Terminals in Service as a Proportion of All POS Terminals: Asia: 43.6%, Western Europe: 14.3%, North America: 19.6%, we don’t want to talk about context here do we? Too embarrassing>
And the grand finale:
3.5 Open Loop Contactless Payments in Transit
Transit agencies are moving, or considering moving, to open payments with next generation fare payment systems—that is, credit and debit payments made using contactless EMV devices at transit points of entry (e.g., at fare gates, on buses)—to supplement traditional closed-loop acceptance. As noted in Section 2.5, consumer use of contactless payments for transit can help drive incremental transactions and top-of-wallet status for cards. Issuers contemplating transit as a factor in their contactless decisions should be aware that the specific timing for implementing transit open payments within a given region can have some uncertainty. In addition to the schedule impact of procurement and implementation timeframes, issuers should note that transit agencies interested in open payments may also consider the current state of contactless issuance and other relevant factors in their decision-making process.
Other relevant considerations include the following:
• As the market for open payments in transit is still emerging, the content of the authorization/settlement messages sent from different agency back-end systems may not be consistent.
• Transit merchants may require functionality that addresses transaction times and risk, such as offline data authentication (ODA) and/or deferred (or delayed) authorization.
<translation: credit card companies are falling over each other to get into transit and sucker convince transit operators into junking closed ticketing systems. Credit card companies have no interest in ticketing infrastructure outside of skimming their take. Let transit operators spend taxpayer money doing all the back-end work and dealing with problems. Let them deal with transit user ire over slow EMV contactless transactions at overcrowded transit gates or when credit cards are de-activated in mid-transit.>
What a sweet deal.