At a recent industry event, I overheard a discussion about paying contactlessly with Apple Pay that made it obvious to me that the (bank) participants were not at all clear about how the authentication options will work with the contactless no-CVM (“tap and go”) limits set by UK Cards. Naturally, instead of taking the time to explain it to them, I rather selfishly thought “what a great idea for a blog post”. So here we go.
Most contactless terminals today have a £20 transaction limit, which makes sense when you accept contactless cards, which offer no cardholder verification mechanism (CVM). It doesn’t make sense for an Apple Pay transaction which uses biometric cardholder authentication via Touch ID.[From Celent Banking Blog » Apple Pay: welcome to the UK!]
That’s right, it doesn’t. Which is why the CVM can be replaced by the CDCVM if the terminals are running the correct software. Wait, what? CDCVM?
Consumer Device Cardholder Verification Method (CDCVM) is a type of consumer verification method (CVM) supported by the card networks when assessing transactions originating from mobile devices. Verification is used to evaluate whether the person presenting the payment instrument is the legitimate owner of the instrument, and affects where the liability lies for fraudulent transactions.[From Consumer Device Cardholder Verification Method – Apple Support]
CVM, as you will recall, is part of the EMV standard.
The EMV specification allows for a number of different Cardholder Verification Methods (CVMs) and any particular card will have the acceptable CVMs stored on it, in order, by its issuer.[From Signature solution | Consult Hyperion]
Right, so, when you have CDCVM, this is used as the CVM. Are we clear on this? Provided that the terminal is running the correct software, your phone will take care of verification and the issuer can then decide whether or not to authorise the transaction based on the enhanced authentication. I don’t know what the situation in the US is, but in the UK the rollout of this “high value contactless” infrastructure began some time before the Apple Pay launch.
A new service that lets NFC phone users enter their PIN on their mobile device to confirm a high value transaction is making it possible for UK consumers to make contactless payments valued at more than the current £20 (US$32) transaction limit for the first time.[From High value contactless payments arrive in the UK • NFC World+]
In essence, this means that the £20 (soon to be £30) limit does not apply to mobile phones with strong authentication, provided the terminal is running the correct software, of course. Consumers, as far as I can tell, will have no way of knowing this. I know, for example, that Pret a Manger has updated their software, so when we went off to Pret to film a live item for the BBC Six O’Clock news, Rory Cellan-Jones (the BBC technology correspondent) could have bought more than twenty quid’s worth of coffee and pastries with a single tap there and then.
He didn’t. But back to the story. Apple Pay uses this infrastructure, so…
For Apple Pay transactions, CDCVM acts in place of other methods of verification when it’s supported by the payment terminal.[From Consumer Device Cardholder Verification Method – Apple Support]
Good. Now, this has a specific implication in the case of Apple Pay, which is that Touch ID (fingerprint authentication) can take the place of entering a PIN or signature at the terminal or entering a passcode on the device for transactions above the contactless limit…
With Apple Pay, Touch ID or the device passcode can be used as the consumer device verification method, instead of the more traditional methods of PIN, signature for transactions in stores, or 3D Secure for transactions within apps… For Apple Pay contactless EMV transactions, CDCVM is performed and verified entirely on the iOS device (e.g. iPhone 6 and Apple Watch).[From Consumer Device Cardholder Verification Method – Apple Support]
OK, so (just as you would expect) if you have authenticated yourself to your phone, then you can just tap and go even if the transaction is above the contactless no-CVM limits. You don’t have to enter a PIN on the terminal or sign a paper receipt. It seems to me that there are plenty of retail POS situations where this will work very well: you “pre-arm” your Apple Wallet by authenticating with Touch ID and then tap and go. I was thinking about this in a cab yesterday because that’s an obvious case (as I’ve mentioned before: in the back of a cab I tend to be sitting on my wallet but have my phone in my hand).
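To make the mechanics concrete, here is an added worked example (mine, not from the post or from any scheme or vendor code). It decodes an issuer-ordered CVM List in the EMV tag 8E layout from EMV Book 3 (amounts X and Y, then two-byte rules) and then applies a simplified terminal decision: if the device performed CDCVM and the terminal’s software recognises it, the no-CVM limit does not apply; otherwise the limit applies, and above it the terminal walks the card’s CVM list in the issuer’s order. The sample CVM list, the £20 limit in pence and the decision function are constructed assumptions for illustration; the real contactless kernels signal CDCVM through network-specific card data and reader limits rather than the contact-EMV list walk modelled here.

```python
"""Constructed example: decode an EMV CVM List (tag 8E) and model how a
contactless terminal chooses cardholder verification with and without CDCVM.
Simplified teaching model, not scheme or kernel code."""

# CVM codes (EMV Book 3, Annex C3): low six bits of the first rule byte.
CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}

# CVM condition codes: the second rule byte.
CVM_CONDITIONS = {
    0x00: "Always",
    0x01: "If unattended cash",
    0x02: "If not unattended cash, not manual cash, not cashback",
    0x03: "If terminal supports the CVM",
    0x04: "If manual cash",
    0x05: "If purchase with cashback",
    0x06: "If in application currency and under X",
    0x07: "If in application currency and over X",
    0x08: "If in application currency and under Y",
    0x09: "If in application currency and over Y",
}

# Constructed tag 8E value: X = 0, Y = 0, then four issuer-ordered rules:
# 44 03 PIN by ICC if supported (else next), 42 03 online PIN if supported
# (else next), 5E 03 signature if supported (else next), 1F 02 no CVM.
SAMPLE_CVM_LIST = bytes.fromhex("0000000000000000" "4403" "4203" "5E03" "1F02")

NO_CVM_LIMIT_PENCE = 2000  # assumed UK contactless no-CVM limit, £20


def parse_cvm_list(data: bytes):
    """Return (amount_x, amount_y, rules); each rule is
    (cvm_code, condition_code, try_next_on_failure)."""
    if len(data) < 8 or (len(data) - 8) % 2 != 0:
        raise ValueError("malformed CVM List")
    amount_x = int.from_bytes(data[0:4], "big")
    amount_y = int.from_bytes(data[4:8], "big")
    rules = []
    for i in range(8, len(data), 2):
        code_byte, cond = data[i], data[i + 1]
        # Bit 0x40 set means "apply succeeding rule if this CVM fails".
        rules.append((code_byte & 0x3F, cond, bool(code_byte & 0x40)))
    return amount_x, amount_y, rules


def describe_rule(rule):
    code, cond, try_next = rule
    name = CVM_CODES.get(code, f"RFU 0x{code:02X}")
    when = CVM_CONDITIONS.get(cond, f"RFU 0x{cond:02X}")
    tail = "try next on failure" if try_next else "fail if unsuccessful"
    return f"{name} / {when} ({tail})"


def condition_met(cond, amount, x, y, code, terminal_cvms):
    """Evaluate the subset of condition codes this model supports."""
    if cond == 0x00:
        return True
    if cond == 0x03:
        return code in terminal_cvms
    if cond == 0x06:
        return amount < x
    if cond == 0x07:
        return amount > x
    if cond == 0x08:
        return amount < y
    if cond == 0x09:
        return amount > y
    return False  # cash and cashback conditions are not modelled here


def select_verification(amount, cvm_list, no_cvm_limit,
                        cdcvm_performed, terminal_supports_cdcvm, terminal_cvms):
    """Simplified contactless decision; returns the verification applied."""
    if cdcvm_performed and terminal_supports_cdcvm:
        return "CDCVM (verified on device; no-CVM limit does not apply)"
    if amount <= no_cvm_limit:
        return "No CVM (under contactless limit)"
    x, y, rules = parse_cvm_list(cvm_list)
    for code, cond, try_next in rules:
        if not condition_met(cond, amount, x, y, code, terminal_cvms):
            continue  # condition not satisfied: skip to the next rule
        if code in terminal_cvms:
            return CVM_CODES[code]
        if not try_next:
            break  # issuer said: do not fall through on failure
    return "CVM failed: contactless declined, use contact chip"


if __name__ == "__main__":
    _, _, rules = parse_cvm_list(SAMPLE_CVM_LIST)
    for r in rules:
        print(describe_rule(r))
    for phone, good_terminal in ((False, False), (True, False), (True, True)):
        print(f"£45, CDCVM={phone}, terminal updated={good_terminal}:",
              select_verification(4500, SAMPLE_CVM_LIST, NO_CVM_LIMIT_PENCE,
                                  phone, good_terminal, {0x02}))
```

Running it shows the three cases the post describes: a £45 tap on an old terminal needs a PIN whether or not Touch ID was used, the same tap on an updated terminal is completed by CDCVM alone, and under £20 no verification is asked for either way.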
Black cabs could be legally obliged to accept contactless credit cards, as a new set of proposals are opened up to consultation… The proposal was backed at a meeting last month between TfL, the deputy mayor for transport Isabel Dedring, senior taxi trade representatives and card providers.[From London’s black cabs could be made to offer contactless payments | City A.M.]
So if cabs are made to accept contactless payments and if they use the “high value” terminal software then, at last, things will work properly: open your Apple Wallet, pre-arm the transaction using Touch ID and then, when the cab pulls up at your destination, at last, tap and go. None of this will matter to most people, of course, because they will pay using Apple Pay, Google Pay, Samsung Pay and everything else Pay inside Gettaxi, Uber, Hailo or another taxi app.
The issue for the issuer is that they’re worried about how the credential (e.g. Touch ID) is secured on the device. Many aren’t happy with how the biometric marker is stored and then accessed. Making “man in the middle stole your fingerprint while you tried to pay” – a thing.
It’s solvable, but may need ARM to up their game with TrustZone.
TouchID is more secure than TrustZone. MITM attack is a theoretical possibility. We can be made to reveal ALL of our PINs at a knifepoint – how likely is that and how many of us are concerned about such an eventuality?