Mobile Payments: More Secure Than Expected
Smart Card Alliance Says Mobile Chip Payments Make Sense for U.S."Contactless payment today is already being widely used in the U.S. and internationally," Vanderhoof says. "The mobile device takes that physical card and builds that information into the phone, so that the mobile phone becomes the storage device for the payment information." That's how the mobile device could be used to facilitate near-field communication transactions, he says, and push the U.S. closer to EMV.
With 100 million contactless chip cards already in circulation throughout the world, Vanderhoof says it's time for the U.S. payments industry to have a serious discussion about the link between contactless and mobile. During the Mobile Financial Services Forum (#MobileForum) in Arlington, Va., Vanderhoof shared his thoughts about chip-based payments, contactless payments, mobile security and the inevitable move the U.S. will make to EMV.
In this interview, Vanderhoof discusses:
- Contactless plastic-card payments and contactless mobile;
- The inherent security of mobile payments;
- The impact Global Platform technology specifications and security standards will have on mobile transactions.
Vanderhoof is the executive director of the Smart Card Alliance, a not-for-profit, multi-industry association of more than180 member firms working to accelerate the widespread acceptance of smart card technology in North America and Latin America. He came to the alliance in January 2002 and became the executive director in August, 2002. During his tenure as the chief executive, he has directed the transformation of the organization from primarily a networking organization into a diverse, education oriented, international, multi-industry organization that gathers industry stakeholders together to help stimulate the rapid adoption of all forms of smart cards for electronic payments and digital security applications. In December 2008, Randy was named by Security Magazine to the list of the Top 25 Most Influential People in the Security Industry.
Before joining the Smart Card Alliance, he was employed with IBM Global Smart Card Solutions; an international product group supporting IBM's smart card services to its global banking, healthcare, and government industry vertical teams. Previously, he served as on the Executive Board for the Alliance as a corporate member from 1998-2001.
Contactless Payments, Mobile and EMV
TRACY KITTEN: Contactless payments, mobile security and a U.S. move to EMV -- all hot topics in October during the Mobile Financial Services Forum in Arlington, Va. Randy Vanderhoof, executive director of the Smart Card Alliance, shares his thoughts about the future of EMV chip payments and mobile.RANDY VANDERHOOF: Contactless payment today is already being widely used in the U.S. and internationally, and it involves a contactless-chip that is embedded into a piece of plastic that communicates, in a secure way, the payment information to a point-of-sale device. The mobile device takes that physical card and builds that information into the phone, so that the mobile phone becomes the storage device for the payment information. And that is how through the NFC-communication interface the information about the cardholder for that payment transaction moves from the mobile phone to the payment device.
Global Platform Security Specifications
KITTEN: You have talked quite a bit about the Global Platform, a secure channel for mobile. Please help us understand why the Platform is secure and how it works. What makes it different?VANDERHOOF: The mobile industry has for some time been able to develop a system for communicating information from the host mobile operator to the mobile handset used the wide area network that the mobile operator supports. Global Platform, as a technology specifications organization, has looked at the mobile space and defined what security attributes we need to apply to the mobile world, similar to the security attributes that we've applied to the physical world. They've developed a set of specifications for mobile networks that use the same security best practices for moving data in the physical world to moving data through the mobile networks. So, Global Platform has produced a set of specifications that mobile operators and the trusted service managers -- the people who are going to managing the data on behalf of the financial institution - can use when getting payment information into the card and the handheld device that the cardholder will be carrying. That type of communication is able to be done securely by following these established specifications that Global Platform has produced.
KITTEN: Where would an institution go to get more information about Global Platform?
VANDERHOOF: The Global Platform organization is an open industry-standards group, so all of the specifications are publicly available for free. There is no licensing fee or anything. Simply contact the Global Platform organization. Institutions can get that information very easily.
Mobile: A Roadmap to EMV?
KITTEN: Randy, you've talked a lot about the move to EMV in the US. Mobile has been talked about as being a bridge to EMV in the US. You've mentioned that the Smart Card Alliance is working on a roadmap -- something that would basically illustrate how the U.S. might get to EMV. Could you tell us a little bit about that roadmap?VANDERHOOF: The Smart Card Alliance has engaged the stakeholders who are going to be impacted by the evolution of EMV in the United States -- the brands and the issuers, the merchant processors and even the merchants themselves. We are trying to understand all of the variable options that are available to the finance industry for implementation of EMV -- things like whether the EMV transaction will be done through the contactless interface or through a contact interface, similar to Europe and Canada and other countries are doing; or whether the authentication of the transaction is going to be done in an online mode, similar to the way we process mag-stripe transactions today, or in an offline mode, where we actually do the authentication between the card and the terminal. Then we have to make decisions about how the cardholder -- how will he authenticated? Will the cardholder be required to put in a PIN or just rely on a signature, like we do today? These are all decisions that are going to impact each of the other stakeholders.
If mobile is part of this roadmap for EMV, then mobile is going to dictate that some form of contactless interface be required for that EMV implementation. That is going to impact the merchants, who will have to have the capability to accept a contactless communication from an NFC-enabled phone, if they want to participate in a mobile-payment. The same thing applies to the issuers, who are going to be impacted by the cost of the card and determining whether that card is going to be contactless only, contact only or some combination of the two. So, there are lots of decisions that are going to need to be made. All of those decisions are going to impact merchants, processors, acquirers, even consumers; and, therefore, it is important to understand how they all fit together and how they might play out in the market as the industry evolves and moves forward.
KITTEN: This analysis, you expect to come out at the end of the year?
VANDERHOOF: We think by December, we should have the stakeholders together in agreement, in terms of understanding how each will be impacted. We're targeting for the end of this year to have that document available for public consumption.