We all know that EMV is currently the international standard for payments using smart cards. However, smart cards started before EMV (see Smart Cards - by the way, it is a good read). When I joined the Motorola Smart Card Division in 1996, I had some conversations on why Europe did not follow the US in using swipe cards. A commonly mentioned reason was that a swipe card was susceptible to skimming fraud and a smart card would be much more secure. This has been borne out by the sharp decline of card fraud in Europe since EMV cards were introduced.
But security was not the only reason that smart cards were introduced in Europe. There was another reason that apparently has been forgotten with the passing of time: the deployment cost of swipe cards in Europe at that time, namely the international communication cost.
A card payment is in essence a cardholder requesting their card issuer to pay the merchant's acquirer (see How credit card payment works for the jargon). To approve such a card payment when the issuer is not present with the cardholder, the issuer has to be sure of three basic things:
- The cardholder does indeed have an account with the issuer. That is, the information in the card is genuine or, simply, the card is genuine.
- It is really the cardholder who is paying.
- The cardholder is really paying the amount agreed with the merchant. That is, the transaction is genuine. Otherwise, the issuer would get into a dispute with the acquirer and the payment would not be settled.
To achieve the above for swipe cards, an online security mechanism was established on the telephone network, the only global network of that time. The digital payment information was modulated to be transported over phone lines.
Paying through phone lines was very expensive for merchants in Europe, even domestically. Also, as those who are familiar with telephone switching systems will know, establishing a physical connection between a merchant and the paying customer's issuer incurred a large cost on top of the transmission cost, which was relatively small.
One thought was that if we could build an offline security mechanism for card payment, then a merchant could "collect" payments locally during the day and then send the whole day's payments to a "clearing house", which would in turn sort each payment out to its issuer to settle the payment. This was implemented with smart cards (Bull CP8). To standardise smart card based payment so that a card would be accepted in different countries, EMV cards were introduced.
EMV cards provide offline security. That is, during a transaction, the card issuer does not have to be online to approve the transaction. The card makes decisions according to pre-programmed action codes.
Item 1 above can be implemented by having the card sign a challenge to identify itself, item 2 by a PIN, and item 3 by a key that generates a MAC value over the transaction (this is what we see as the "Auth Code" on a receipt).
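The three checks above, as an added example that is not part of the original post and is not the EMV protocol itself: a simplified card/issuer model in which a fresh challenge proves the card holds its key, a retry-limited PIN check verifies the cardholder, and a keyed MAC over the transaction data (bound to a transaction counter) proves the amount was not altered in transit. HMAC-SHA256 stands in for the card's signature and MAC so the block runs on the Python standard library; the master key, PAN and PIN are constructed values, and the names (`Card`, `Issuer`, `run_payment`) are this example's own.

```python
"""Simplified model of the three issuer checks: genuine card, genuine
cardholder, genuine transaction.  Constructed example: HMAC-SHA256 stands
in for the card signature and the transaction MAC, and every key, PAN and
PIN below is made up."""
import hmac
import hashlib
import secrets

ISSUER_MASTER_KEY = bytes.fromhex("00" * 16 + "ff" * 16)  # constructed value
MAX_PIN_TRIES = 3


def derive_card_key(master_key, pan):
    """Per-card key diversified from the issuer master key and the PAN."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def transaction_bytes(pan, atc, amount_cents, currency, unpredictable_number):
    """Canonical encoding of the data both sides MAC over."""
    return f"{pan}|{atc}|{amount_cents}|{currency}|".encode() + unpredictable_number


class Card:
    """Holds the per-card key and PIN state; the key itself never leaves the card."""

    def __init__(self, pan, card_key, pin):
        self.pan = pan
        self._key = card_key
        self._pin_salt = secrets.token_bytes(16)
        self._pin_hash = hashlib.sha256(self._pin_salt + pin.encode()).digest()
        self.pin_tries_left = MAX_PIN_TRIES
        self.atc = 0  # application transaction counter, incremented per payment

    def answer_challenge(self, challenge):
        """Check 1: prove possession of the card key by answering a fresh challenge."""
        return hmac.new(self._key, b"AUTH" + challenge, hashlib.sha256).digest()

    def verify_pin(self, pin):
        """Check 2: cardholder verification with a retry counter (locks at zero)."""
        if self.pin_tries_left == 0:
            return False
        candidate = hashlib.sha256(self._pin_salt + pin.encode()).digest()
        if hmac.compare_digest(candidate, self._pin_hash):
            self.pin_tries_left = MAX_PIN_TRIES
            return True
        self.pin_tries_left -= 1
        return False

    def generate_cryptogram(self, amount_cents, currency, unpredictable_number):
        """Check 3: MAC over the agreed transaction data, bound to the counter."""
        self.atc += 1
        data = transaction_bytes(self.pan, self.atc, amount_cents, currency, unpredictable_number)
        return self.atc, hmac.new(self._key, b"TXN" + data, hashlib.sha256).digest()


class Issuer:
    """Re-derives each card's key from the master key and verifies both MACs."""

    def __init__(self, master_key):
        self._master = master_key
        self.last_atc = {}  # pan -> highest counter accepted, to reject replays

    def verify_card(self, pan, challenge, response):
        key = derive_card_key(self._master, pan)
        expected = hmac.new(key, b"AUTH" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def authorise(self, pan, atc, amount_cents, currency, unpredictable_number, cryptogram):
        """Return a short auth code when the MAC matches and the counter is fresh, else None."""
        if atc <= self.last_atc.get(pan, 0):
            return None  # replayed or out-of-order cryptogram
        key = derive_card_key(self._master, pan)
        data = transaction_bytes(pan, atc, amount_cents, currency, unpredictable_number)
        expected = hmac.new(key, b"TXN" + data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return None  # amount, currency or counter was altered, or key is wrong
        self.last_atc[pan] = atc
        return expected[:3].hex().upper()  # the "Auth Code" printed on the receipt


def run_payment(card, issuer, pin, amount_cents, currency="EUR"):
    """Terminal-side flow: returns ('approved', auth_code) or ('declined', reason)."""
    challenge = secrets.token_bytes(8)
    if not issuer.verify_card(card.pan, challenge, card.answer_challenge(challenge)):
        return "declined", "card not genuine"
    if not card.verify_pin(pin):
        return "declined", "cardholder not verified"
    unpredictable_number = secrets.token_bytes(4)
    atc, cryptogram = card.generate_cryptogram(amount_cents, currency, unpredictable_number)
    code = issuer.authorise(card.pan, atc, amount_cents, currency, unpredictable_number, cryptogram)
    if code is None:
        return "declined", "transaction not genuine"
    return "approved", code


if __name__ == "__main__":
    pan = "4000000000000002"  # constructed test PAN
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = Card(pan, derive_card_key(ISSUER_MASTER_KEY, pan), "1234")
    print(run_payment(card, issuer, "1234", 1999))
```

The issuer never sees the PIN and never needs the card's key in transit: it re-derives the key from the PAN and checks the MACs, while the counter and the terminal's unpredictable number stop a captured cryptogram from being replayed or re-attached to a different amount.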
EMV cards not only greatly reduce card fraud but also make it possible to provide sufficient security for offline payments. It has proven a success. None of the alleged attacks has materialised.
Now we are at the stage of mobile payment. Here, when we talk about mobile payment, we really mean payment with mobile phones at POS (Point of Sale) terminals, not Internet payment with a mobile phone at home.
Again, just like cards, we face the topics of online security and offline security. Because coverage of digital service is not guaranteed on the current wireless network (yes, this is true even where voice service is still available), mobile payment needs the capability to offer offline security. This inevitably leads to solutions similar to smart cards: we embed an SE into a phone and we have products like Apple Pay. This is indeed a contactless smart card with additional communication protocols. The drawback of this solution is that not every phone can have an SE, while phones are getting cheaper and cheaper with higher and higher performance every day.
If fast digital wireless service is available everywhere, then online security can be implemented on any mobile phone, even very cheap ones, as long as it has a touch screen. Various solutions are available, such as HCE (Host Card Emulation), to provide a user experience similar to some mobile payments on Android phones. But QR code based payment schemes, like WeChat Pay and AliPay, will get even more popular.
If all the payment players are online and if wireless networks become very fast with full coverage everywhere, then an IEEE Std 1363.2 based secure payment solution exists with no need of a physical POS terminal. The QR code will be enough.
5G promises to provide high data rates with full coverage to make self-driving cars, VR (Virtual Reality) and smart homes a reality. Mobile payment in the 5G era will be very different. One thing is certain: the requirement of physical security for mobile payment won't be as high as now, thanks to online security.