Contactless Payments White Paper

The Secure Technology Alliance White Paper Contactless Payments: Proposed Implementation Recommendations is an interesting read, not only for what it says but for finding out what’s on the collective mind of the credit card industry.

Here is a quick summary…
<with comments>

About the Secure Technology Alliance
The Secure Technology Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption and widespread application of secure solutions, including smart cards, embedded chip technology, and related hardware and software across a variety of markets including authentication, commerce and Internet of Things (IoT)

<forget all the other shit, Secure Technology Alliance is a credit card EMV promotion society>

2.2 Contactless Acceptance Terminal Considerations
Contactless payments are not new. Contactless payments relying on magnetic stripe data (MSD) have been available since 2005. However, as the U.S. transitions to EMV, some payment networks are no longer recommending contactless MSD solutions. Moreover, some EMV contactless cards are being deployed without contactless MSD support, which can cause interoperability issues or cause a transaction to be terminated and processed using the EMV chip or magnetic stripe.

<contactless MSD is a crappy half-assed stopgap standing in the way of progress that nobody uses except Samsung Pay, get rid of it already>

2.2.4 Recommendations Figure 1. Enabling a Contactless Terminal at the Checkout

• Contactless terminals should be customer-facing
<duh>

• Customers should not need to tell cashiers how they intend to pay
<in a perfect world NFC is EMV contactless exclusively without complications from annoying FeliCa or MIFARE and credit card companies are the de facto treasury departments for all advanced nations of the world>

• The contactless terminal should always be switched on and ready to use; the cashier should not need to switch it on
<WTF, this is a recommendation?>

• The cashier should not need to enter the amount twice; the amount should be automatically displayed on the terminal

<oh I get it now, we’re talking about American cash register infrastructure>

2.3 Cardholder Experience: Different Contactless Form Factors
When performing contactless transactions, consumers already use a variety of form factors—contactless cards, mobile wallets on phones, wearables (such as watches, rings, or key fobs)—and there may be additional options in the future. While the “tapping” procedure to initiate the transaction should be the same regardless of form factor, other consumer behavior may not be consistent, especially when using a wallet on a mobile phone.

<I see, smartphone wallets with their own secure authentication are a problem, contactless credit card things with 4 PINs and meaningless terminal signatures are not a problem>

Transactions initiated using a mobile phone involve a two-step process: first, the wallet is activated (using an authentication method such as a biometric,4 PIN, or pattern); second, the phone is placed in proximity to the POS device for the contactless read.

Generally, however, the authentication mechanism used as the cardholder verification method (CVM) will be the consumer device cardholder verification method (CDCVM). CDCVM uses a mobile phone’s passcode or biometric user authentication to verify the cardholder for a payment transaction, removing the need for the cardholder to enter a PIN or provide a signature. Such use can result in an inconsistent consumer experience; sometimes a cardholder may be required to provide a PIN or signature on the terminal (for example, if the contactless terminal does not support CDCVM) and sometimes no verification will be required. However, as consumers become more familiar with the process and as older terminal functionality is replaced with newer technology, there should be fewer inconsistencies. In addition, note that, at this time, some networks may not support CDCVM with their U.S. common debit AID, which may result in inconsistent consumer experience for debit transactions.

 <blah, blah, blah, in other words credit card companies and payment networks will do as little as possible to clean up their own mess and blame somebody else for their problems, what else is new>

3.3 Contactless POS Infrastructure and Acceptance
Contactless acceptance is a major trend globally, with a significant percentage of POS terminals supporting contactless. The following are some key published market statistics:
• According to Juniper Research18 (Figure 5, Figure 6), 31.6% of all terminals in service in North America are contactless; North America accounts for 19.6% of the global installed base of contactless POS terminals.
• Visa has reported that, as of September 2017, 40% of U.S. face-to-face Visa transactions today occur at contactless-enabled locations, that a growing percentage of merchants are enabling contactless.

<wait a minute, what about that North America 19.6% figure? Contactless POS Terminals in Service as a Proportion of All POS Terminals: Asia: 43.6%, Western Europe: 14.3%, North America: 19.6%, we don’t want to talk about context here do we? Too embarrassing>

And the grand finale:

3.5 Open Loop Contactless Payments in Transit
Transit agencies are moving, or considering moving, to open payments with next generation fare payment systems—that is, credit and debit payments made using contactless EMV devices at transit points of entry (e.g., at fare gates, on buses)— to supplement traditional closed-loop acceptance. As noted in Section 2.5, consumer use of contactless payments for transit can help drive incremental transactions and top-of-wallet status for cards. Issuers contemplating transit as a factor in their contactless decisions should be aware that the specific timing for implementing transit open payments within a given region can have some uncertainty. In addition to the schedule impact of procurement and implementation timeframes, issuers should note that transit agencies interested in open payments may also consider the current state of contactless issuance and other relevant factors in their decision- making process.
Other relevant considerations include the following:
• As the market for open payments in transit is still emerging, the content of the authorization/settlement messages sent from different agency back-end systems may not be consistent.
• Transit merchants may require functionality that addresses transaction times and risk, such as offline data authentication (ODA) and/or deferred (or delayed) authorization.

<translation: credit card companies are falling over each other to get into transit and sucker convince transit operators into junking closed ticketing systems. Credit card companies have no interest in ticketing infrastructure outside of skimming their take. Let transit operators spend tax payer money doing all the back-end work and dealing with problems. Let them deal with transit user ire over slow EMV contactless transactions at overcrowded transit gates or when credit cards are de-activated in mid transit.>

What a sweet deal.

Advertisements

Value Capture and the Ecosystem of Transit Payment Platforms

AppleInsider Daniel Eran Dilger’s very long editorial Apple Services and the ecosystem of value capture has an interesting bit at the beginning:

The term Value Capture applies to rail and transit operators that are given the rights to develop the land around their stations. America’s intercontinental train routes were developed by railroads that were deeded land along their planned rail lines. These plots were then sold off or developed, capturing some of the value added by the fact that that land was adjacent to the transportation service the railroad had built and was operating.

Today, while most of America’s current transit systems (from Amtrak to BART) are now on the brink of failure and are often in worse shape than what you find in third world countries—despite the high tax subsidies paid to sustain them—there are many examples around the world of public and private transit operators performing extremely well simply because they were given the rights to develop the land around their stations, leading to extremely lucrative revenue sources that sustain their operations and growth while they provide efficient transportation services to the public.

Dilger goes on to explain value capture in the App Store ecosystem but misses important transit connections with Apple Pay:

The most successful value capture transit model in the world is the Suica Transit Platform business model on full display at  Tokyo Station. The shopping experience both inside and outside the transit gate is mind-boggling (the Drip Mania coffee softcream is to die for if you can find it) as is the cash flow. If JR East offered business tours in English the waiting lines would look like the lines at Tokyo Comic Con. It’s very strange that other transit agencies around the world, ahem in the west, ignore studying the Suica Transit Platform business model.

Tokyo Station is the Suica card epicenter for transit (regular trains, Shinkansen, buses), shopping, and other services like vending machines and coin lockers. You can buy Shinkansen tickets on the go on your smartphone. Every single store register has a Suica reader and the payment choice is either cash or plastic credit cards but contactless payment is strictly Suica. That is not a problem because Inbound Apple Pay users can join the Suica fun.

There has been a lot of overblown media hand wringing that Japanese contactless payments usage rates are far below what they are in China and Korea, and the Japanese government hopes to raise contactless payment usage rates to 40% by 2025 over the current 20% rate. This “problem” is remarkably easy to fix: create an open shared mobile transit cloud infrastructure that follows the Japanese Transit IC Card Interoperability model. Get the big Japanese transit cards on mobile that unlock the commuter pass and loyalty point goodies associated with the plastic IC cards, and the problem is solved. It’s that simple.

If that cannot be accomplished the Japanese government could talk JR East into hosting everybody else’s transit card on the Mobile Suica cloud with agreeable terms for big and small players. A concept just like the recently released Apple Pay Mizuho Suica. With all the important transit cards on mobile wallet platforms, contactless payment usage rates in Japan would quickly skyrocket beyond 40%. I guarantee it.

 

MIFARE and Taiwan Transit Coming with iOS 12 Apple Pay?

It’s interesting how different story threads weave together. Taiwan has been running a huge “come visit Taiwan” campaign in Japan the past year or so. Even Mastercard Japan has been in the game highlighting how easy it is for Japanese iPhone users to use Apple Pay when visiting Taiwan. It’s probably the only credit card ad out there that promotes iPhone Apple Pay NFC switching.

I had just run across a Japanese notice put out by the Taiwanese Representative Office in Tokyo announcing that EasyCard and iPass will accept credit card recharge starting in October when a reader contacted me with some interesting NFC switching related EasyCard and iPass tech information: Tokens use FeliCa while IC cards use MIFARE, the NFC chips support both NFC-A and NFC-F as required by NFC certification.

What does it all mean and why is EasyCard and iPass credit card recharge starting in October? The timing certainly fits well with a new Apple iPhone Event but could mean nothing since the announcement is for plastic credit card recharge at a kiosk. From a system standpoint it could mean that Taiwan is getting ready to put EasyCard and iPass on Apple Pay Transit as credit card recharge needs to be in place before hosting a transit card system on a mobile wallet platform.

EasyCard/iPass Apple Pay Transit support requires MIFARE middleware and MIFARE has been a major missing piece so far in Apple Pay. Having that in the iOS 12 official release would open up Apple Pay Transit for native EasyCard and iPass card support. Support for MIFARE transit card systems in Korea, UK, Australia and North America would also be possible but requires the cooperation of local transit operators.

Apple Pay support of EasyCard and iPass would be great not only for iPhone users in Taiwan but a boon for inbound visitors too just like it is for inbound Apple Pay Suica users.

 

Where will the SE be in Pixel 3?

The Google Pay Japan release was very interesting. Nobody expected Google to ditch HCE-F and simply put an new candy wrapper around the tired UI of the reliable Osaifu Keitai Mobile FeliCa standard that has been around since the dawn of mobile payments. Everybody complained but didn’t bother to ask the essential question: why would Google ditch their own Android API unless they have plans for something else.

Now that Android 9 Pie with Google’s take of the Open Mobile API for NFC payments is going out to all Pixel users, what’s in store for embedded secure elements and Google Pay? Google says that

Android 9 adds an implementation of the GlobalPlatform Open Mobile API to Android. On supported devices, apps can use the OMAPI API to access secure elements (SE) to enable smart card payments and other secure services. A hardware abstraction layer (HAL) provides the underlying API for enumerating the variety of secure elements (eSE, UICC, and others) available.

A variety of SE? For who? For Android OEM’s probably but not Pixel. HCE-F is dead so one assumes the SE on the cloud approach for Google Pixel is probably dead too. We can also assume that the SE on the SIM approach is dead. This leaves eSE on the chip for Google Pixel going forward. If Google is investing in their own IC it makes sense to have their own eSE and implement all the middleware on it (EMV, FeliCa, etc.), just like Apple. In other words will Pixel 3 be Global FeliCa without the Osaifu Keitai architecture.

It’s a great way to differentiate Google Pixel hardware from the Android jungle. This way Google Pixel can do real Global FeliCa and more with Google Pay and leave everybody else struggling with Google Pay lite because they don’t have their own custom eSE and middleware solution or don’t want to license Osaifu Keitai for global Android smartphone models.

If Google chooses this path it might work out well for Pixel but the downside is that Android OEM’s will ignore Google Pay and promote their own digital wallet platforms instead. You can’t have cake and eat it too but Google will always try.

The Big Implications of Apple Pay Mizuho Suica Branding

Apple Pay Branding Model
A diagram of how Mizuho plugs into Suica and how it could work with branding schemes like PASMO

Mizuho Suica for Apple Pay raises questions and fascinating possibilities way beyond yesterday’s announcement. Why now and why only Apple Pay? Is this the first of many Suica branded cards coming to Apple Pay?

The announcement was short, small and caught Japanese IT journalists off guard. Nobody anticipated Apple Pay Suica branding just appearing and working with a wallet app update. It’s slick and in true Apple fashion ‘just works’, but journalists missed important points with huge ramifications:

  • Mizuho Suica only exists as a virtual card hosted on the Mobile Suica Cloud, there is no plastic equivalent
  • DNP provides the Mizuho Wallet app backend

Put together this means the Apple Pay Suica branding vehicle is complete and ready to roll. Almost exactly the model outlined earlier.

The only remaining question is how many other transit companies and banks are going to get on? It’s tempting to think that with another Apple Event approaching, Suica’s eight sisters will join the Apple Pay branding parade: PASMO, ICOCA, TOICA, manaca, Kitaka, SUGOCA, HAYAKAKEN, nimoca. That’s probably a long shot but the vehicle is ready and waiting if they decide to join and time is running out if other transit areas want to benefit from the flood of inbound visitors anticipated for the 2020 Tokyo Olympics.

The Apple Pay Japan strategy of focusing on the stored value Suica transit card more than credit cards has been a tremendous success. Transit truly is the golden uptake path for contactless payments, exactly as the recent and widely regurgitated Juniper Research piece pointed out but everybody seemed to miss that point.

None of the other Japanese transit cards are on mobile but everybody building their own cloud infrastructure is out of the question. If JR East, DNP and Apple can coax the other Japanese transit cards to join the Suica branding scheme that finally offers commuter plans and more for everywhere and not just Tokyo, Apple Pay will easily become the de facto mobile wallet for Japan.

UPDATE 1: the Apple Pay Suica branding program is underway, sources say ‘stay tuned’ for more Apple Pay Japan payments and apps in the near future, September and October are the usual suspects.

UPDATE 2: I think one reason why Japanese journalists missed the virtual only Mizuho Suica point is because the Android Mizuho Wallet App release earlier this year also had virtual cards with one very important difference. Android Mizuho Wallet creates virtual Mizuho QUICPay JCB Debit cards not Suica. Mizuho Debit cards are hosted on the Mizuho system just like their credit cards. Virtual Suica branded cards are hosted on the JR East Mobile Suica Cloud, a completely different system with completely different implications.

UPDATE 3: I hate the blog title and am utterly clueless trying to find a better one that exactly captures why this is an important development.