The Challenge of Delivering mPOS Services through Off-The-Shelf Mobile Devices

 

The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.

Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.

Magnetic stripe dongles are effectively given away; their cost refunded through reductions in the fees levied against the initial transactions; their power derived from the phone, when inserted in the audio port. Chip & PIN dongles are more complex and so more expensive, requiring their own power supply or battery. The business case to subsidize the additional cost of these devices through reductions in transaction fees is more challenging.

The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.

Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.

So, the challenge is: can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?

There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.

So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.

People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!

At last, NDEF

A decade ago I remember writing that one of the problems with QR codes is that there is no security. Some years later I wrote an article pointing out that NFC ought to be safer than QR codes because NFC included a standard for digitally-signing tags (although I did also note that no-one used it) whereas anyone could easily create bogus QR codes.

Well, I might not go so far as to call [QR codes] evil, but they certainly have the potential to enable person or persons unknown to act with evil intent.

From A quick response to the problem | Consult Hyperion

I suggested, in connection with a couple of projects we were working on at the time, that the mobile operators do something about this by creating a digital signature standard for QR codes so that phones could be set by default to ignore unsigned codes. None of this happened, as I’m sure you are aware, and QR codes became popular precisely because any app could read any code anywhere.

The security problem never went away though. I notice in the South China Morning Post that in March 2017 some 90m Yuan was stolen via QR code scams in Guangdong alone (a suspect in the case replaced merchants’ legitimate bar codes with fake ones that embedded a virus to steal personal information) and that in China as a whole, a quarter of viruses and trojans come in via QR. Despite the incredible success of QR there, we need to do better.

Even the man who invented QR codes says that they are an interim technology.

From Never mind the last mile, what about the last millimetre? | Consult Hyperion

Now, also back in the day, I had originally assumed that Apple would add NFC to the iPhone. I was wrong about this for years, so eventually I assumed that they were going to bypass the technology and go to Bluetooth. Yet what I said at the time still holds: NFC is undeniably convenient.

NFC is a convenience technology, and Apple loves convenience

From Quick response | Consult Hyperion

I wasn’t just guessing about this, I was drawing on Consult Hyperion’s early experiences with NFC (remember the Nokia 6131?) of tag reading and writing, including not only the usual payments and ticketing stuff but also such fun applications as getting information about clothes at London Fashion Week. I also noted surveys at the time that showed that NFC generated better results for merchants, but only once consumers could get it working. As my good friend Osama Bedier, then head of Google Wallet, pointed out, this was some barrier because of the amount of “futz” it took to get NFC working.

But there was another reason that I was so interested in NFC as a QR alternative back in those days. To go back to the security point, I was interested in the standard for adding digital signatures to NDEFs (the “NFC Signature RTD Technical Specification”) to build a safe tag infrastructure. After hawking this around a few different projects, to general disinterest, I figured that the telcos weren’t interested in using it to deliver secure infrastructure, so I said…

“Someone else will build this business (Apple? They seem to be getting all sorts of NFC-related patents at the moment) and then the operators will once again complain about being pipes. Is Tom Noyes right to say that “…Apple and Google will be further ahead in coordinating value in new networks”

You don’t know ‘jack | Consult Hyperion

Well, well. Tom was right as usual, even if it took a few years for the hand to play out. At WWDC, Apple announced that iOS 11 will indeed include the ability to read NDEF data from tags.

“Using Core NFC, you can read Near Field Communication (NFC) tags of types 1 through 5 that contain data in the NFC Data Exchange Format (NDEF).”

via Apple adds support for NFC tags to iPhone 7 and Apple Watch • NFC World

So now, more than a decade after our first NFC experiments, both iOS and Android can read standard tags and action them. I want to make a couple of quick points about this before I head off down to our Hyperlab and see what our developers make of the new toolkit.

First of all, this technology will inevitably be used for triggering in-app payments that work in a very convenient way for consumers. Instead of having to open your Tesco Payqwiq app and then scan a code from the POS, the POS will function as a tag (and remember it can potentially rewrite a dynamic tag on the fly): you can just tap the phone on the POS and the operating system will automatically open the Payqwiq app and route the data to it.

Secondly, since tags are inexpensive, they will be used for a variety of different applications. Tickets for pop concerts, information about products, name badges, all sorts of things that can be read by a phone rather than by a specialist reader. Therefore I expect new standards for NDEF content to spring up. One of my favourite apps, back in the day, was a phone number tag that men could put in their back pocket at a nightclub: admirers could wave their phone in an appropriate area to get the number and send a text message. Here we are trying experiments with different types of clothing (which turned out to have very different NFC-friendly characteristics!) a decade ago.

Lastly, note that NFC tags can be read through packaging. Unlike QR codes that need to be printed on the outside of a box, tags can be inside. Where would this matter? Well, take a current UK example. Cigarettes now have to be in plain packaging. Tobacco companies don’t like this – for obvious brand reasons – but they do have a point: plain packaging makes life easier for counterfeiters. So suppose packs had a cheap tag inside: then your phone could tell you whether you’ve got real Marlboro or a knock off. You download the Marlboro app, then from then on when you tap a pack if the app doesn’t pop up with a big green tick you know you’ve been done. I’ve written about this sort of thing before (for example, wine and whiskey) so it’s hardly a new idea.

Note, however, that iOS 11 also includes ARKit to add augmented reality. So, when you look at your pack of plain cigarettes through your app (after you’ve tapped, so the phone reads the tag and knows that they are real Marlboro) you don’t see plain packaging any more, you see… well whatever.

NFC Example

All in all, Apple’s announcement – whether the culmination of a clever plan or a response to Android market share – is a big deal. I found a whole bunch of blank NFC tags in my desk drawer so I’m off to start programming them now.
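
The "ignore unsigned tags by default" policy discussed in this post, as an added Python example (not code from the original post or from any NFC library): a minimal NDEF record parser plus a reader that only releases content when the message ends in a valid signature record. Assumptions: the signature payload is a bare HMAC-SHA256 tag under a constructed demo key, standing in for the certificate-based signature of the NFC Forum Signature RTD, whose payload layout is not reproduced here; the URLs and sample messages are constructed.

```python
import hashlib
import hmac
import struct

DEMO_KEY = b"constructed-demo-key"  # constructed; stand-in for real certificate verification

def encode_record(tnf, rtype, payload, first, last):
    """Encode one short-form (SR=1) NDEF record with no ID field."""
    if len(rtype) > 255 or len(payload) > 255:
        raise ValueError("short record only")
    header = (0x80 if first else 0) | (0x40 if last else 0) | 0x10 | tnf
    return bytes([header, len(rtype), len(payload)]) + rtype + payload

def parse_ndef(data):
    """Parse an NDEF message into (tnf, type, id, payload) tuples."""
    records, pos = [], 0
    while pos < len(data):
        header = data[pos]; pos += 1
        if header & 0x20:                       # CF: chunked payloads not handled here
            raise ValueError("chunked record")
        type_len = data[pos]; pos += 1
        if header & 0x10:                       # SR: 1-byte payload length
            payload_len = data[pos]; pos += 1
        else:                                   # otherwise 4-byte big-endian length
            payload_len = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
        id_len = 0
        if header & 0x08:                       # IL: ID length byte present
            id_len = data[pos]; pos += 1
        if pos + type_len + id_len + payload_len > len(data):
            raise ValueError("truncated record")
        rtype = data[pos:pos + type_len]; pos += type_len
        rid = data[pos:pos + id_len]; pos += id_len
        payload = data[pos:pos + payload_len]; pos += payload_len
        records.append((header & 0x07, rtype, rid, payload))
        if header & 0x40:                       # ME: last record of the message
            break
    return records

def _tag(records):
    """MAC over length-prefixed type, ID and payload of each record (this sketch's choice)."""
    mac = hmac.new(DEMO_KEY, digestmod=hashlib.sha256)
    for _tnf, rtype, rid, payload in records:
        for field in (rtype, rid, payload):
            mac.update(struct.pack(">I", len(field)) + field)
    return mac.digest()

def sign_message(content):
    """content: non-empty list of (tnf, type, payload); returns message bytes ending in a 'Sig' record."""
    body = [(tnf, rtype, b"", payload) for tnf, rtype, payload in content]
    out = b"".join(encode_record(t, ty, p, i == 0, False)
                   for i, (t, ty, _id, p) in enumerate(body))
    return out + encode_record(0x01, b"Sig", _tag(body), False, True)

def accept(data):
    """Default-deny reader: return content records only if a valid trailing signature covers them."""
    try:
        records = parse_ndef(data)
    except (ValueError, IndexError, struct.error):
        return None
    if len(records) < 2 or records[-1][:2] != (0x01, b"Sig"):
        return None                             # unsigned tag: ignore it
    if not hmac.compare_digest(records[-1][3], _tag(records[:-1])):
        return None                             # content changed after signing
    return records[:-1]

# Constructed samples: a URI record (prefix code 0x04 = "https://"), signed, unsigned and altered.
SIGNED = sign_message([(0x01, b"U", b"\x04merchant.example/pay")])
UNSIGNED = encode_record(0x01, b"U", b"\x04merchant.example/pay", True, True)
ALTERED = SIGNED.replace(b"merchant", b"lookalik")  # same length, different destination
```

Only `SIGNED` yields records from `accept`; the unsigned and altered messages are dropped before any app would be asked to open the URL.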

#Cardmageddon in Woking

Well. How about that. You could have knocked me down with a feather. Blimey. And so on and so forth. Check this out…

 Woking! Contactless!

Yes. It’s true. The Southwest Train ticket machines have finally gone contactless, and only a decade after I first used an NFC phone to pay for something I was able to use an NFC phone to buy a ticket in the machine at Woking station.

Woking! ApplePay!

Now, let’s be clear. Woking is no stranger to contactless. Within the town boundaries, a wallet is an unnecessary accoutrement. I suppose some people might want to use cash, cheques or cards for cultural reasons, much as hipsters insist on using vinyl records, but they no longer need to. Indeed, only yesterday when my good lady wife asked me to pop to the shop to pick up a few baking essentials, I jumped on my bike and set off, never giving a thought to wallets or wads. I had my phone set to Planet Money and that was all I needed.

On the few and far-between days when I am working at our office in Guildford I don’t need a wallet. When I’m working at home I don’t need a wallet. But when I am working in London I do. Or at least, I did. The two hurdles to handset happiness were Arriva buses and Southwest Trains. But a couple of years ago, Arriva launched their mobile app so I don’t need cash for the buses any more. The only remaining barrier was Southwest Trains. But it’s all different now. I bought my train ticket with Apple Pay for the first time today. In Woking station, if nowhere else, it was #cardmageddon.

What? Don’t Southwest Trains have a smartcard you say? Well yes, they do. But you can’t use it to buy tickets online. You have to go to the station and tap it on the ticket machine and then put in your payment card and then tap it again so it’s hardly worth bothering, especially since I need to press the receipt button and wait for a paper receipt anyway.

May 2017 will be as famous as September 1958 (the Fresno Drop) in the history of the inexorable march to cashlessness. For this is when I went down to Woking station, after a couple of weeks’ globe trotting, to discover that everything had changed. I am living in a new world. The ticket machines at Woking station now have contactless! I can now leave my wallet at home for good!

HCE moves on

In payments, as in so many other fields, Kazakhstan is a beacon to the nations. I notice, for example, that they have recently launched a new tap and pay service that uses host card emulation, or HCE as it is known to us aficionados.

Customers of Kazkommertsbank (KKB) in Kazakhstan can now make host card emulation (HCE) based NFC mobile payments using a new service launched in partnership with Visa.

From Kazakhstan gets HCE payments • NFC World+

An advanced nation. In fact, as I wrote a decade ago…

So here is a picture for Borat to take with him next time he visits America. It’s an EMV terminal.

From Cultural learnings of Kazakhstan for make benefit glorious nation of America

For those of you who think that HCE is old news, I have to tell you that my colleagues at Consult Hyperion have been working on a wide variety of HCE products and services and not only for customers in the financial services sector, but also in retail, ticketing and other fields. The ability to conduct transactions with chip and PIN levels of security via mobile devices is useful in many different applications and more and more service providers are taking advantage of it to deliver a better service to card customers. Take a look at what American Express are doing with it now, for example, or what Barclaycard launched earlier in the year. Or, for that matter, what Barclays announced today about using their Android app to withdraw cash from their new contactless ATMs.

What’s more, of course, is that now that the industry is building expertise and obtaining feedback from a number of different operational services in different countries it is a good time to survey the landscape again and have a look at where to go next. I’m very keen to see how it will develop, especially beyond the “traditional” NFC channel. HCE over Bluetooth looks like a pretty interesting avenue to explore as well! Anyway, all of this is why I was happy to accept an invitation to chair the HCE Summit in Amsterdam on 24th November and I’ll look forward to seeing you all there at the end of the week.

The user experience will make, or break, mobile payments

Being a keen consumer of baked pastry goods, and having a firm desire to see the pieces of plastic & cardboard in my wallet transferred to my phone, you can understand my excitement when the award-winning Greggs Rewards app was released early in 2014. The app combines the processes of payment, loyalty, and rewards into a single interaction at the point of sale, with a prepaid payment account which can be automatically topped up via credit card or PayPal. In eager anticipation of a tasty lunchtime treat, I therefore ventured out of the office and off to the town centre.

My first expedition ended in disappointment. In order to perform a transaction the customer opens the app, presses the ‘spend now’ button, and receives a dynamically generated token (an eight digit number) which is to be presented to the POS in the form of a QR code. But… in order to receive the token, I had to have a network connection. Now, whilst there is a very good network connection all the way up to the front door of the store, once through the doors my phone decided to connect to “The Cloud”.  For some reason, my phone has an on-off relationship with “The Cloud” and, it appears, its relationship with this particular hotspot appears to be more ‘off’ than ‘on’.  No matter, I can turn WiFi off. But what’s this? It appears that my mobile network didn’t share my longing for a sausage roll and decided to only let the GPRS signal through the door. It turns out that GPRS, whilst a revelation 15 years ago, does not appear to offer a particularly suitable channel for today’s mobile apps. Unable to obtain a token, I resorted to my plastic card.

Armed with this knowledge, I anticipated a successful second visit. This time, not only did I press the button to obtain the token before I got anywhere near the store, but I also took a screenshot of the QR code just in case. Ready to pay, and having got past the inevitable learning curve for the checkout operator who hadn’t been shown what to do with this new scheme, I was ready to finally scan my code – except that this store didn’t have any scanners at that time. So instead, I had to enter the 8 digit number on the keypad of the card reader. Happily, once the POS had my token, everything else went smoothly. I had redeemed an offer for a free item, paid for the outstanding items, and had a coffee loyalty purchase recorded all in a single interaction.

“But hang on,” I remember thinking, “they already accept contactless cards.  And I have an NFC phone which can talk to their readers. Wouldn’t it be great if the app could do NFC?”

Well, sixteen months later, and Greggs Rewards has now quietly added support for contactless in its Android app. Full of even more excitement than last February (well, I have been waiting for two years to pay for something by NFC) I headed out.

Having informed the operator that I would be paying with my phone, I was interested to note that she enabled the terminal for ‘card’ payment and not ‘rewards’ payment. Having seen that the app requires at least Android 4.4, and so concluding that it must be using Host Card Emulation (HCE), I was hopeful that this meant that it was seamlessly integrated into the ‘normal’ payment process.

Alas, the terminal was actually expecting a payment card and so the transaction failed. The operator told me that, when I had waved my phone at her, she had automatically assumed it was a contactless payment (which, as an aside, is actually good news for this month’s Apple Pay launch.)  It turns out that trying to integrate everything into a more seamless experience means impacting the existing card payment certifications, so for now they’re stuck with having to tell the POS what type of payment it should be expecting in advance.

Using the rewards app, even over contactless, still requires the operator to press a special “rewards” button on the POS. This she did, and the contactless reader was ready to read my phone, the barcode reader was ready to scan my QR, and the terminal was ready for me to type in the number.

Unfortunately, this was the moment my phone decided it no longer wanted to play. With me having accidentally switched apps, on re-opening the Greggs app it decided it needed to connect back ‘home’ again. Because I hadn’t disabled WiFi, I was at the mercy of my phone’s long-term “It’s Complicated” relationship with The Cloud and so unable to provide the token. After disabling the WiFi, restarting the app (which for some reason was complaining that the 4G connection my phone now had was ‘too slow’), inwardly cringing at the complaints from the lengthening queue behind, and ignoring my colleague’s offer to just hand over some cash to get us out of there, I finally performed my first real world NFC transaction and was the proud owner of a free doughnut.

So what can we take away from all this?  Firstly, the mobile app must not rely on hardware or OS services that are not absolutely critical. Reliance on network connections is understandable for e-commerce, or for refreshing the app content, but for a POS transaction the app must be able to work without one – even if it is using dynamic tokens. The card schemes have already worked this out and catered for it in their HCE specifications.

Secondly, the payment experience must be seamless. It is frustrating to be a customer trying to explain a company’s mobile offering to the checkout operator, especially when the payment terminals are adorned with collateral advertising that very scheme. “Why,” I ask wearing the hat of a less well-informed member of the public, “can the till not work out for itself what payment method is being presented to it?  I don’t know about payment certifications and the resulting workarounds; I only care that the process is more complicated than it seems it should be.”

Only those of us with an unnatural interest in mobile payments (or a hearty appetite for pasties) will put up with a poor user experience more than once. Normal people will give up and uninstall the app if it doesn’t work flawlessly; the people waiting in the resulting queue – such as the woman behind me who observed that “this is ridiculous” – are unlikely to try it even that once.

NFC isn’t a game in Japan. No, wait…

I was in a meeting earlier in the week where someone said that even with ApplePay, the US is far behind Japan in mobile payments, so I thought I’d do a quick update on Japan which, as for the US, we label a “special case” in our analysis of the market: we can learn from it, but it doesn’t tell us anything about how other markets might develop. As it happens, the Japanese market has just taken an odd turn.
