Techbrief: The future is mobile

Near-field technology is the next major technological development that will impact the lives of banking professionals.  This is poised to increase the volume of low-value contactless transactions, by allowing suitably equipped mobile phones to be used as payment devices or travel cards. Already being tested in the field, the adoption of this application is inevitable. However, while this development makes sense on a number of levels, it raises significant issues concerning both fraud and data security.

The growth of the credit card industry since the first Diners Club card was issued in 1951 has been driven by a product that provides consumers with flexibility, security and convenience for purchases from a huge range of outlets across the globe. However, in recent years, the need for enhanced security to combat increasing levels of fraud has certainly impeded the convenience factor. While the consumer in the UK has grown to accept the need to comply with security checks such as Chip & PIN and input their personal identification number for the majority of purchases, there are always certain instances in which cash is still more convenient. This is a reality of the market that credit and debit card issuers are eager to do away with and technology is now available to help achieve their aims.

The key to ensuring that credit cards are always selected as the most appropriate payment method is by reintroducing the convenience factor. This can be achieved by using a credit or debit card with a contactless chip that can be read while in close proximity, but not necessarily in direct contact with, a point-of-sale device. The transaction can then be processed without the need for the consumer to enter a PIN and wait for authorisation. 

In reality, this would allow consumers to purchase low-value items such as a newspaper or a cup of coffee simply by passing their card over a reader while still in their purse or wallet. The introduction of contactless payments introduces a range of benefits for consumers, retailers and card issuers including speed and ease of use at the point of sale, faster transaction times, increased spending per transaction, lower operational costs, and penetration into the cash payment market.

The technology that enables this form of contactless payment has been widely proven and is currently used globally by major transport networks such as Transport for London and the Mass Transit Railway in Hong Kong. Visa, MasterCard and American Express have all launched contactless payment initiatives. 

In the UK, Barclaycard and RBS are rolling out contactless credit and debit cards and other major issuers are starting to follow suit. Payment service providers such as TSYS supply the payment systems and infrastructure that allow banks and merchants to transact payments anywhere in the world. TSYS has firsthand experience of mobile and contactless payment technology and will continue to develop its systems and infrastructure to keep pace with advances in that technology, to ensure that support is available for any player that wants to deploy or use it in the card payment ecosystem.

Having invested so much time, effort and capital in developing enhanced security systems to combat fraud, some might perceive it to be a backward step to deploy a new payment solution that doesn't use the basics of Chip & PIN. However, contactless payment solutions do use Chip & PIN technology supported by a host of far more sophisticated security techniques that will help reduce fraud even further than is currently possible.

The difference is that consumers are not asked to enter their PIN for every transaction. Currently, contactless card transactions in the UK are generally limited to a maximum of £10 under UK Government guidelines and from time to time the cardholder will be asked to enter their PIN as a security check. This limits the maximum number and value of consecutive contactless transactions that can take place before a PIN is required to verify the user's identity. TSYS Fraud Management welcomes these guidelines, which are designed to tackle fraud associated with mobile phone and contactless payments, and to increase public confidence in this new and developing payments channel. 

It is also worth noting that contactless payments and their processing do not need a cardholder name, and because of the use of a dynamic card verification value, contactless transactions can only be transacted and processed once. This measure prevents the repeat transaction attacks that have been experienced with other transaction types. Therefore contactless payment will always offer much greater levels of consumer protection than cash.
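The single-use property described above, sketched from the issuer's side as an added example that is not part of the original article. The per-transaction counter, the HMAC-SHA256 derivation (a stand-in, not the card schemes' actual algorithm), the class and the decision strings are all assumptions made for illustration.

```python
import hashlib
import hmac


class DynamicValueVerifier:
    """Issuer-side check that accepts each counter/value pair at most once."""

    def __init__(self):
        self._keys = {}      # card token -> per-card secret (constructed here)
        self._highest = {}   # card token -> highest counter already accepted

    def enrol(self, token, card_key):
        self._keys[token] = card_key
        self._highest[token] = 0

    @staticmethod
    def derive(card_key, counter):
        # Stand-in derivation: 3 digits taken from HMAC-SHA256(key, counter).
        mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

    def verify(self, token, counter, value):
        key = self._keys.get(token)
        if key is None:
            return "DECLINE_UNKNOWN_CARD"
        # A counter at or below the last accepted one means old data is being reused.
        if counter <= self._highest[token]:
            return "DECLINE_REPLAY"
        if not hmac.compare_digest(self.derive(key, counter), value):
            return "DECLINE_BAD_VALUE"
        self._highest[token] = counter   # advance only after a valid value
        return "APPROVE"


def demo():
    key = b"constructed-card-key"       # constructed sample secret
    issuer = DynamicValueVerifier()
    issuer.enrol("tok-0001", key)
    first = DynamicValueVerifier.derive(key, 1)
    return [issuer.verify("tok-0001", 1, first),    # genuine tap
            issuer.verify("tok-0001", 1, first)]    # same data presented again


if __name__ == "__main__":
    print(demo())
```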

The case for contactless payments can be developed further by utilising a mobile phone or other handheld device as the host for the consumer's payment card.  In this situation the technology is slightly different, deploying a Near Field Communication (NFC) chip. However the device still displays the same characteristics as a contactless credit or debit card with a resident radio frequency chip.

The use of the mobile handset for contactless payments also gives rise to a number of additional benefits through elite functionality, including user-configurable security protection that gives the ability to offer expenditure tracking to aid budgeting and control. In addition to these benefits, early trials suggest that with the enhanced functionality on their phones, users will take more care of their handsets. In concept-proving trials, users have also said they are less likely to carry wallets or purses with their payment-enabled mobile phones, reducing the potential loss from any theft.

Notwithstanding these benefits, however, security is still the major issue for contactless payments, with huge challenges and additional risks to be addressed. The loss or theft of an NFC-enabled mobile phone poses a similar fraud risk to the loss or theft of a credit or debit card. But there are also additional specific risks associated with the technology. Cards and mobile devices need to be configured to prevent unauthorised, fraudulent access using a point-of-sale reader in the street or any other public place. Although contactless cards and NFC-enabled mobile devices only have a range of up to 2cm, it has been demonstrated that card readers can be altered in order to increase the reading range to around 30cm - certainly enough to access someone else's contactless card in a crowded shop or train.

The card processing industry is very aware of these close proximity security issues and is continually developing solutions to prevent unauthorised access. UK Government guidelines will also apply to contactless mobile payments with a maximum transaction value limited to £10 and a recommendation for the device to go online after every tenth payment in order to verify the user's identity. This can be done using the device's inherent properties by using a call centre with automatic number recognition, text messages or keying in a password using the internet.

The guidelines also recommend that there should be a mechanism to remotely disable the payment functionality of a mobile phone should it be lost or stolen. As the liability for unauthorised use of a contactless mobile device currently sits with the card issuer, the ability to receive and act on information about lost or stolen devices promptly is vitally important. For contactless mobile transactions, individual card issuers will be able to change the risk parameters of the periodic security checks for specific groups of customers as appropriate to their own risk model. An additional benefit is the ability for card issuers to remotely disable the contactless payment functionality should a user breach terms and conditions.
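The controls from the guidelines (the £10 cap, the identity check after every tenth payment, issuer-adjustable risk parameters and remote disablement) combined into one authorisation decision, as an added example that is not code from TSYS or the article. The class names, decision strings and the use of pence for amounts are assumptions.

```python
from dataclasses import dataclass


@dataclass
class RiskParams:
    max_contactless_pence: int = 1000   # £10 cap from the guidelines
    max_consecutive: int = 10           # verify identity after every tenth payment


@dataclass
class Device:
    params: RiskParams
    consecutive: int = 0                # taps since the last identity check
    disabled: bool = False              # set remotely by the issuer


def authorise(dev, amount_pence, user_verified=False):
    """Decide one payment and update the device's risk counter."""
    if dev.disabled:
        return "DECLINE_DISABLED"
    if user_verified:                   # PIN or online check completed
        dev.consecutive = 0
        return "APPROVE_VERIFIED"
    if amount_pence > dev.params.max_contactless_pence:
        return "REQUIRE_PIN"            # treated like a standard card transaction
    if dev.consecutive >= dev.params.max_consecutive:
        return "REQUIRE_ONLINE_VERIFICATION"
    dev.consecutive += 1
    return "APPROVE_CONTACTLESS"


def report_lost(dev):
    """Issuer-side remote disable after a loss or theft report."""
    dev.disabled = True


def demo():
    # Constructed scenario: a stricter issuer profile that checks after 3 taps.
    dev = Device(RiskParams(max_consecutive=3))
    log = [authorise(dev, 250) for _ in range(4)]        # fourth tap is challenged
    log.append(authorise(dev, 250, user_verified=True))  # check passed, counter reset
    log.append(authorise(dev, 1500))                     # above the £10 cap
    report_lost(dev)
    log.append(authorise(dev, 250))
    return log


if __name__ == "__main__":
    print(demo())
```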

A more advanced level of security that is being deployed for contactless mobile transactions builds on the success of the adaptive authentication side of 3D-Secure in reducing card not present (CNP) fraud. Rather than, or as well as, the user choosing a unique alpha-numeric password, the mobile device making the payment can be screened by the point of sale terminal during its first use and a unique master fingerprint produced automatically.  This will be based on a number of factors, including the device's own unique identification number and less easily accessible details such as hardware profile.

The master fingerprint is then automatically associated with the user's card information for future reference. When the device is next used, it is again screened by the merchant and the fingerprint automatically compared with the master fingerprint to ensure that the device is still associated with the correct credit card information. Any mismatch would indicate that the card details have been cloned and transferred to a new device so the transaction would be terminated.
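The enrol-then-compare flow for the master fingerprint, as an added example that is not the article's or any vendor's implementation. It assumes the comparison runs on a server holding a secret key, and the attribute names, the keyed-hash construction and the sample devices are all constructed for illustration.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"   # assumption: secret held server-side only


def fingerprint(attrs):
    """Keyed hash over a canonical encoding of the screened device attributes."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


class FingerprintRegistry:
    def __init__(self):
        self._master = {}              # card token -> master fingerprint

    def screen(self, card_token, attrs):
        fp = fingerprint(attrs)
        master = self._master.get(card_token)
        if master is None:             # first use: store the master fingerprint
            self._master[card_token] = fp
            return "ENROLLED"
        if hmac.compare_digest(master, fp):
            return "MATCH"
        # Same card details presented from different hardware: stop the payment.
        return "TERMINATE_MISMATCH"


def demo():
    # Constructed sample devices; none of these values come from the article.
    phone = {"device_id": "000000000000001", "model": "handset-A", "nfc_fw": "1.2"}
    same_phone = {"nfc_fw": "1.2", "model": "handset-A", "device_id": "000000000000001"}
    other_phone = {"device_id": "000000000000002", "model": "handset-B", "nfc_fw": "1.0"}
    reg = FingerprintRegistry()
    return [reg.screen("tok-0001", phone),
            reg.screen("tok-0001", same_phone),    # key order must not matter
            reg.screen("tok-0001", other_phone)]   # card data moved to new device


if __name__ == "__main__":
    print(demo())
```

A production design also needs a re-enrolment path for legitimate handset upgrades, which the article does not describe and this sketch leaves out.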

Payment transactions using an NFC-enabled mobile phone are not just limited to £10. Any transaction over the maximum contactless value would be treated in a similar manner to a standard card transaction with appropriate user verification (such as a PIN) required to authorise the transaction. The mobile phone's standard features, such as text messaging, can be used to speed up authorisation or detect fraud. For example, TSYS has developed a security system on behalf of card issuers that automatically sends a text message to a mobile phone requesting verification when a suspicious transaction has been identified. A reply authenticating the transaction will update the account status. If the cardholder denies the transaction, the payment functionality of the device will be disabled.

While the technology is already available, the development of contactless mobile payments is still at a very early stage of evolution to such an extent that not all stakeholders have yet been identified. Business models and relationships are still being developed and it is still unclear as to how all the players in the value chain will interact.

There is also the pressing need to ensure that existing relationships are not damaged by new developments. Certainly, mobile phone vendors have never been backward in developing and deploying new technology on their devices if it is likely to provide them with a Unique Selling Proposition in the market place.  However, what is less clear is how the devices will be deployed and how the business model will be divided up within the new ecosystem.

The development of contactless cards and NFC mobile phone technology has opened up a range of possibilities that will bring improved convenience to consumers and increased opportunities for the card payment industry. Revenue streams will expand to include small-value transactions, and new revenue streams can be developed by expanding the reach of the contactless credit card. The union of the contactless Barclaycard and TfL's Oyster card to produce the Barclaycard OnePulse is a prime example and one that will achieve increased uptake as Oyster is rolled out on elements of the UK's national rail network. Security and fraud prevention must remain high on the agenda with lessons learned and experience used to ensure that risk is managed effectively. In the UK there is support from all the major stakeholders including Central Government which announced its aspirations of having contactless mobile payments and e-tickets as integral parts of the ticketing arrangements for the 2012 Olympics. With this sort of vision and support behind it, the future of card payments most certainly is mobile.

Jonathan Hancock is senior consultant for fraud management at TSYS