Mobile Payments

SPENDING MONEY THE HARD WAY, SINCE 1999.
BY JOSH TURIEL, JH TURIEL & ASSOCIATES INC.
In the beginning, there were credit cards.
There still are.
But they aren’t very secure, and they’re easy to hack and copy.
Magnetic stripes encode card number information and a verification code to ensure the card is
present. In the Dark Ages, they were imprinted by a manual card reader onto a slip that was sent
to the bank.
An additional code is printed on the back, or on the front (American Express), to be read or
entered in Card Not Present transactions.
In 1999, the first mobile payments…
A company called Confinity developed a method for using IR transfer to “beam” money from
Palm Pilot to Palm Pilot. The program was called PayPal.
Among a select few, it was a hit. But PDAs never hit the true critical mass necessary to make
handheld payments practical.
Confinity went on to merge with an online banking company called X.com (founded by a guy
named Elon Musk – maybe you’ve heard of him?). The merged company was renamed PayPal,
and the core product pivoted to become an online payments system that wasn’t PDA-dependent.
They were bought by eBay to provide a payment back-end.
Meanwhile, across the pond
In Europe, the Smart Card was gathering steam. In 1998 they began replacing magnetic stripe
readers and over the last decade have become prevalent in that market.
In the US, Smart Cards are supposed to be standard issue by this coming October. Some banks
are farther along in the transition.
The Smart Card has a chip in the left side of the card, visible to the user, that adds
authentication capabilities to the transaction.
When used with a compatible reader, these cards:
How a Smart Card (chip card) works
In a terminal with only a mag stripe reader, they work the way they always did.
If there’s a chip reader, the card is inserted and the reader makes contact and uses the chip to
create a one-time authentication code that accompanies the transaction. This renders the card
useless for cloned transactions – the code is unique each time and keyed to the chip.
Some of these chip cards can also provide contactless payments. This uses an NFC (Near-Field
Communications) sensor inside the reader to communicate with the card and handle the
one-time code generation. This will be key to what comes next.
Basic concept
In all these current mobile payment systems, the transactions are tokenized. Instead of credit
card numbers, the software generates a Device Account Number, and the vendor has a Token
Service Number.
Those are used to create a security code for each transaction, and no credit card number is
stored by the retailer, the device, or the vendor.
Many of today’s fraud issues stem from magstripe technology – the information encoded there
is easy to clone, and has no security inherent to it. NFC and chip card payments deal with this
using tokenization.
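A simplified model of the tokenized flow described above, as an added example that is not part of the original presentation. HMAC-SHA256 and a transaction counter stand in for the real card-network cryptogram, and the names TokenService, Device and one_time_code are hypothetical.

```python
import hashlib, hmac, secrets

def one_time_code(key, dan, counter, amount_cents):
    # Stand-in for the network cryptogram: keyed to the device, unique per counter.
    msg = f"{dan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenService:
    def __init__(self):
        self._vault = {}  # DAN -> [card number, device key, last counter accepted]
    def provision(self, pan):
        # The device is handed a DAN and a key, never the card number itself.
        dan = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[dan] = [pan, key, 0]
        return dan, key

    def authorize(self, dan, counter, amount_cents, code):
        entry = self._vault.get(dan)
        if entry is None:
            return "DECLINE: unknown token"
        _pan, key, last = entry
        expected = one_time_code(key, dan, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "DECLINE: bad code"
        if counter <= last:
            return "DECLINE: replayed code"  # a cloned transaction lands here
        entry[2] = counter
        return "APPROVE"

class Device:
    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        code = one_time_code(self._key, self.dan, self._counter, amount_cents)
        return {"dan": self.dan, "counter": self._counter,
                "amount_cents": amount_cents, "code": code}

def demo():
    service = TokenService()
    pan = "4111111111111111"  # constructed test card number
    phone = Device(*service.provision(pan))
    tx = phone.pay(1299)  # what the retailer's terminal sees
    first = service.authorize(**tx)
    replay = service.authorize(**tx)  # same message captured and resent
    altered = service.authorize(**{**tx, "amount_cents": 99999})
    return first, replay, altered, pan in str(tx)
```

The last value returned by demo() shows that the card number never appears in the message the retailer handles.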
NFC – opening the door. Thanks, Google.
Google was first to the NFC market with Google Wallet (2011).
Wallet used NFC for communications, but was PIN-based (as Android lacked biometrics support
in the core OS).
Also had dependencies supporting only certain Android phones.
Google Wallet piggybacked off MasterCard PayPass and Visa payWave.
It also supports person-to-person money transfers (via Gmail).
Google Wallet 2.0 – Android Pay
As Android has become more capable, Google Wallet is gradually migrating to a service called
“Android Pay”.
Android Pay supports virtually all Android devices with NFC capabilities, and supports biometrics
(fingerprint readers) when present. It is part of the Android core OS.
However…
Samsung has an issue with that!
Samsung, in an effort to differentiate themselves, developed their own mobile payments system
based on LoopPay. It’s called “Samsung Pay”.
Available starting 9/28, it’s provided on all current-generation Galaxy devices.
Their secret sauce? MST (Magnetic Secure Transmission) – they have a way to generate a signal
that will be picked up by virtually all magstripe readers. Backwards compatibility.
So how did Apple become the leader?
A few reasons:
1: Apple Pay is quite elegant in UI design
2: Apple already has a year of building it into both of their best-selling phones
3: People already trust Apple with credit cards
4: The fingerprint reader. Really.
Basically, Apple took ingredients (NFC, biometrics, credit card storage) that were already being
used and combined them. Apple Pay uses NFC terminal compatibility for retail, and hooks into
in-app purchasing neatly.
Fingerprint versus PIN
That was the key differentiator between Apple Pay and Google Wallet. Newer technologies
(Android Pay, Samsung Pay) will eliminate that gap, but Apple was first mover. And first to make
fingerprint recognition easy and standard.
But there’s still an act to play…
Retailers want more info from you
We all know this. Loyalty cards, etc. are incentives. To make that payment loop happen, a big
collaborative led by Walmart developed MCX:
https://en.wikipedia.org/wiki/Merchant_Customer_Exchange
Their product is called CurrentC, and it ties only to debit cards, using QR codes that are scanned from
phone screens to make transactions. Using debit cards = lower interchange fees for retailers.
It’s also not available yet – in test mode now. But it will have ties to loyalty programs and be able to
track receipts – as it’s retailer-driven. This benefits retailers, and could be useful to those who would
rather not keep a loyalty card handy in exchange for a more cumbersome purchase process.
(spoiler alert: they’re doomed)
It’s not all roses
There are still fraud opportunities.
Adding cards to a digital wallet takes two prospective paths:
“Green Path” uses automation to determine if the card is in fact eligible for addition.
“Yellow Path” requires manual verification, usually through call centers. But in many cases the
banks have chosen information to verify that’s easy to spoof (like, for instance, the last four
digits of an SSN).
This human vulnerability means that fraud is still a factor.
And now, some goodies
I have a few pages of charts and diagrams, plus let’s talk about it. Thanks!