Contactless payments – just hype or the real deal

www.consultingsmart.co.uk

By Steve Beecroft

Regulars to this blog, our clients and my peers within the payments industry will know only too well how positive I am towards contactless technology. Having designed and implemented several contactless schemes including NFC I consider myself an advocate of this now fully emerged, technology.

However, like any professional I always look to deliver the the most appropriate guidance to our clients and sometimes that means recommending clients do not to adopt a particular technology. This is something we did through our sporting venues division 'Smart Stadia Ltd, when a football club from West Yorkshire asked for assistance in defining the best next steps in their modernisation project.

Do we regret doing this ...... NO, it was what the client needed but not necessarily what they wanted to hear but is was absolutely the right thing for them. That was back in March this year and I have since had a call from the clubs Chief Executive thanking me for our ethical approach and inviting Smart Stadia Ltd to lead the next phase of their modernisation project for multi-application season ticket. Even if we had not had that call we would still be very happy that we had given appropriate advice that was in the best interests of the client.

It is our unshakable belief that we all need a balanced view, with this in mind I attach below an article on www.mobile-financial.com

Research from Datamonitor, a market analyst firm, suggests that the much hyped contactless payment market may be a long way off from becoming the norm in the UK despite trials by various retailers.

The research* from the independent market analyst has revealed that despite the huge potential market open to contactless payments the economic downturn has delayed issuers other than Barclaycard from investing in the technology as they just haven’t been able to spend money on it. Meanwhile many retailers are not sure yet if contactless is worth the investment.

Gilles Ubaghs, financial analyst at Datamonitor said: “Retailers could likely find the cash if they were convinced it was worthwhile, but many don’t seem sure there is any real point. Essentially it is a catch 22 as many consumers aren’t interested in having a contactless payment card when there are still so few places to use it and retailers don’t want to install the technology as so few people have a card.”

However, Datamonitor does believe that there are promising long term signs that the technology could take off but it won’t be as soon as many analysts predict.

Mr Ubaghs continued “Although contactless payments have been around for nearly 10 years, Barclaycard and London’s Oyster travel card remain the only two high profile companies to offer contactless cards. Investment by other issuers is needed, not only in the technology itself but in educating consumers as well. Consumers will need to be convinced that it is worth their while to use the new technology”

“Importantly, for consumers to be sold on using contactless payments retailers and issuers will need to work together and as this is yet to happen on a large scale. It will be a good deal of time before we’re able to walk into any shop and buy a chocolate bar in the same way as London commuters tap their Oyster cards.”

For the original article click here

Consulting Smart Ltd provide specialist consultancy on the design and deployment of smart card and NFC technologies. For more information on how we can help your organisation realise the full benefits please see www.consultingsmart.co.uk or email us at info@consultingsmart.co.uk

French Minister of Industry Confirms Support for NFC Cities

www.consultingsmart.co.uk

By Dan Balaban

Christian Estrosi, France’s minister of industry, has confirmed government support for three to five more cities to launch NFC services in France next year, following the precommercial NFC launch in Nice this spring.

Estrosi, who spoke at a conference Tuesday in Paris, has called on interested city officials and transit authorities in France to declare their intent to become one of the next tier of cities to host contactless-mobile services.

The additional cities would launch NFC sometime in 2011. Estrosi, who is also mayor of Nice, sees the additional cities as the second phase of what he hopes will be a broad deployment of NFC in France. He believes government help for up to five more cities to launch NFC will encourage other French cities to follow. That could lead to national rollouts in 2012, according to the vision.

The three to five cities are to be announced in December. Frontrunners are the cities of Caen and Strasbourg. Both have played host to multiple NFC trials in the past and city officials in both places have expressed strong interest in the technology. Officials in Bordeaux are also keen for the technology, said observers, and the city is also a favorite. Other cities mentioned are Rennes in Brittany, Marseille, Lyon and Grenoble.

Paris is also in the running, but it seems unlikely NFC will launch in the capital until 2012, although observers do expect some smaller projects in Paris next year. Key will be when STIF, the giant transit authority serving Paris and the surrounding region, acts on its plans to put its Navigo contactless ticketing application on NFC phones. A STIF representative did not attend the conference, which was co-organized by the government-funded NFC coordinating organization, Forum des Services Mobile sans Contact.

Like Nice, the three to five cities are expected to host such NFC services as contactless-mobile ticketing and related service discovery, mobile payment, and applications involving mobile tourism and health care. These services would be delivered by transit operators, banks and other service providers.

It remains to be seen how large the projects will become. In Nice, the country’s three major mobile operators, France Telecom-Orange, SFR and Bouygues, plus a mobile virtual network operator NRJ Mobile, have reportedly put only a little more than 3,000 NFC phones on sale.

That number could grow based on demand. And a representative of Orange, speaking at the conference Tuesday, confirmed the telco’s plans to sell 500,000 NFC phones in France by the end of 2011.

It’s unclear exactly what type of support the government will offer to the additional cities it selects to host the NFC services. Some funding is likely, along with indirect support.

The French government is also offering grants to some private companies for development work on NFC. Overall, the government, along with French telcos and some service providers have cast France as a leader in NFC technology. The French government also sees NFC as a promising industry for French vendors.

Thanks to NFC Times

Consulting Smart Ltd provide specialist consultancy on the design and deployment of smart card and NFC technologies. For more information on how we can help your organisation realise the full benefits please seewww.consultingsmart.co.ukor email us atinfo@consultingsmart.co.uk

Dutch Banks and Telcos to Move Forward on M-Payment Project

www.consultingsmart.co.uk

By Dan Balaban

Three major Dutch banks and three mobile operators have decided to move forward with planning for an NFC mobile-payment launch in the Netherlands, NFC Times has learned.

The three Dutch banks, Rabobank, ING and ABN Amro; and three telcos, KPN, Vodafone Netherlands and Rabo Mobiel; gave the project the green light at a meeting June 28, following months of discussions, NFC Times has learned. The approval clears a major hurdle for the initiative and means the parties intend to move forward to lay the groundwork for a likely launch sometime in 2011–probably in the latter half of the year, sources told NFC Times.

But the parties are not releasing any details until they announce their plans, expected in a month or two. Representatives from KPN, Rabobank and ING, believed to be the most active members of the group, all issued nearly identical statements to requests for comment from NFC Times about the mobile-payment project.

“We are currently looking into the..................to read the full article click here

Consulting Smart Ltd provide specialist consultancy on the design and deployment of smart card and NFC technologies. For more information on how we can help your organisation realise the full benefits please see www.consultingsmart.co.ukor email us at info@consultingsmart.co.uk

MasterCard Launches MoneySend for the iPhone and iPad

http://www.consultingsmart.co.uk/

New App Allows Users to Receive Card Payments from Anyone

Purchase, NY, June 03, 2010 - MasterCard Worldwide today announced the availability of the MasterCard MoneySendTM service for iPhone and iPad users, a convenient way to transfer money in the United States from person-to person by combining the power of your iPhone or iPad with your banking relationship. MasterCard MoneySend is available for free download at the iPhone App Store.

"MasterCard MoneySend allows users to ‘Send,’ ‘Pay’ or ‘Request Funds’ for a wide range of reasons including the everyday ‘IOU,’ informal services purchased from friends and family, payments to a personal trainer, roommate, babysitter, gardener, housekeeper or repairman," said Joshua Peirez, Chief Innovation Officer, MasterCard Worldwide. "With MoneySend, users avoid the hassle of making payments with cash, check or money orders and collecting funds is as simple as a text message with the ‘Request Funds’ feature of the app."

How it Works
MasterCard MoneySend allows users in the U.S. to send or request money via their iPhone through participating banks and credit unions, or when they create a virtual.....To read the full Press Relaese click here

Consulting Smart Ltd provide specialist consultancy on the design and deployment of smart card and NFC technologies. For more information on how we can help your organisation realise the full benefits please see http://www.consultingsmart.co.uk/ or email us at info@consultingsmart.co.uk

How Pre-paid cashless can significantly improve your profit every year.

www.consultingsmart.co.uk

Almost £30m has been left unused on Oyster pay-as-you-go (PAYG) for at least a year, the BBC has learned.

A total of 16.5m PAYG cards sat idle during the year from April 2009 to April 2010. The average amount on each card was £1.80.

Transport for London (TfL) says no card is deemed as expired and users can always claim the balance back.

The smart cards are used to pay for travel in London. There are plans to roll out similar schemes across the UK.

Oyster cards can be topped up for use on buses, tubes and trains across the capital.

Last year alone, 31,000 PAYG cards were issued and topped up but never subsequently used, even though they held............Click here to read the full article from the BBC News website

Consulting Smart Ltd provide specialist consultancy on the design and deployment of smart card and NFC technologies including PrePaid and other payment applications. For more information on how we can help your organisation realise the full benefits please see www.consultingsmart.co.uk or email us at info@consultingsmart.co.uk

Barclaycard and Orange UK Prepare to Launch NFC

While many doubt that telcos and banks will ever agree on a business model for NFC and complain about the continued lack of phones supporting the technology, two major players in the United Kingdom–Barclaycard and Orange UK–are preparing for a commercial launch.

One of the largest card issuers in the UK, Barclaycard,and the soon-to-be-biggest mobile operator, Orange UK, are expected to begin rolling out NFC by the end of the year. If they hit that mark, it would be one of the first major commercial launches of NFC services worldwide. It could also spur others into action sooner, such as the mobile-payment partnership of UK telco O2 and NatWest bank.

A year ago, Orange and Barclaycard announced plans to eventually launch NFC mobile payment and other services. And they later let it be known their target was 2010 for a rollout. In January, they introduced a contactless cobranded card that customers could tap to pay at retail outlets and receive SMS transaction alerts.

But a year after the partnership announcement, the lineup of NFC phones on the market remains weak, which is an apt description of the UK economy, as well. And no big retail chains in the UK have yet announced they would accept contactless payment from either cards or phones.

However, none of that seems to be standing in the way of an NFC launch this year by the Barclaycard-Orange partnership, with executives of both companies sounding optimistic tones.

According to Dan Salmons, director of global innovations for Barclaycard,..........to continue reading the full article CLICK HERE

Consulting Smart Ltd provide specialist consultancy on the design and deployment of NFC technologies. For more information on how we can help your organisation realise the full benefits of NFC please see www.consultingsmart.co.uk or email Steve Beecroft, Smart Technologies Consultant on sbeecroft@consultingsmart.co.uk

How the Cambridge chip and PIN attack works

Cambridge University researchers have uncovered a major security flaw in chip and PIN, the UK's standard payment card system.

Chip and PIN uses a smartcard with a processor and memory to verify its own identity and that of its owner to a terminal belonging to a merchant. It is based on the EMV — Europay, MasterCard, Visa — protocol, and has been adopted practically universally within the UK for most retail card-based transactions.

The card itself runs part of the protocol on an embedded secure processor, meaning that certain secrets never leave it and are not readable from outside, no matter what.

In use, a chip-and-PIN transaction is started when the cardholder puts their card into a terminal. After verifying the card, the terminal asks for a short personal identification number, and when it receives a valid PIN, the transaction takes place.

There is no need for the card to leave the holder's control, making it very hard for dishonest merchant staff to steal details; and the PIN need be known to nobody but the holder, rendering a lost or stolen card of no use — unless EMV is itself vulnerable.

There are three stages to an EMV transaction: card authentication, cardholder verification and transaction authorisation.

Card authentication
Card authentication starts when the card is put into the terminal. The terminal asks the card for a list of applications it can support — there can be many different applications, with different keys, on one card. The terminal then selects an appropriate application and tells the card which options it wants to run.

Following that, the terminal reads the card details from the chip, which include account numbers, expiry date and information such as which methods of cardholder verification the card supports. There are also various digital signatures available from the card, depending on which variant of the protocol is in use.

Once the card has provided verifiable signed records and appropriate capabilities, the terminal is satisfied with its authenticity, and attention turns to the cardholder.

Cardholder verification
Cardholder verification starts with the card and the terminal negotiating what sort of verification is appropriate. Depending on a number of factors, including the size and nature of the transaction, the terminal picks one method from the Cardholder Verification Method (CVM) list previously provided by the card.

The CVM also specifies what should happen if verification fails: whether the transaction should be aborted or another method tried.

Most cards examined by Cambridge University security researchers in a hacking experiment had only three verification options: PIN, signature or no authentication. In theory, a terminal can tell the merchant to check the signature if the PIN fails; in practice, most failed PIN verifications terminate the transaction.

If PIN is chosen, the terminal asks the cardholder to enter the number. This is sent to the card, which compares it to its internal (and never revealed) PIN.

A match, and the card returns the hexadecimal code 0x9000. A failure, and the card returns 0x63Cn, where 'n' is the number of further attempts possible before the card locks up. However, the terminal does not authenticate that the response itself actually comes from the card it thinks it is talking to.

Transaction authorisation
Transaction authorisation follows. Here, the terminal asks the card to encrypt the transaction details, using various bits of data supplied by the terminal itself. The card can reject the transaction, or it can allow it — in which case, it generates a cryptogram that is sent to the financial institution.

After various checks on the card's validity, the likelihood of the transaction being fraudulent and there being enough credit available for the transaction, the institution sends back a response code telling the terminal and card what to do next, plus another cryptogram. These are sent via the terminal to the card, which checks them for validity.

The terminal then tells the card and the card issuer that the transaction is authorised, and keeps a copy of the transaction. At this point, it normally prints a receipt too, with details of the transaction and the verification method.

The Cambridge researchers' man-in-the-middle attack takes advantage of the fact that the real card does not know which form of verification succeeded, just that the terminal does not think that a PIN verification failed. The terminal does not know that the real card never received a PIN to verify, because the fake card in the middle issued an 0x9000 success code.

The terminal reports success; the real card assumes that was due to a non-PIN verification. Although the card may then report to the terminal that the verification was not via PIN, this is in a format that is not specified in the standard, so the terminal cannot tell.