This post is the second part of my NFC overview and focuses on how the technology can be used for mobile payment purposes. As mentioned in the first part, mobile payment via NFC builds on the general NFC technology that is also used for other non-payment applications. There is one major addition, however:
As the payment software (e.g. from Visa, Mastercard, American Express, a local transportation company, etc.) and the data identifying the user for the payment process are highly sensitive, they must not be accessible from the outside, to prevent unauthorized monetary transactions or theft of personal information. Consequently, the payment software and the user data have to be stored in a secure area in the mobile device, the ‘secure element’. One approach is to use the SIM card for this purpose, as it is already used as a secure storage element for the user’s mobile network subscriber data. Another approach is to include an independent secure element chip in the mobile phone. The banking industry, for example, requires a secure element that complies with the GlobalPlatform specifications.
When the user places his mobile device on a point of sale (POS) terminal, the terminal sends a message identifying which payment applications it is compatible with. The mobile device or the user may then select one of the payment applications stored in the secure element to perform the transaction. To perform a payment, the secure element requires two interfaces: one to the NFC chip, to exchange messages with the POS terminal, and another to interact with the user. In other words, there must be an application on the mobile device that can be reached by the secure-element-based payment software, so that information such as the amount to be paid or a PIN input screen can be shown to the user.
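The selection step described above can be modelled as follows. This is an added example, not code from the original post or from any payment scheme: the function names, the priority field and the prefix-matching rule are assumptions made for illustration, and the terminal message and application list are constructed sample data.

```python
# Added illustration, not code from the original post.
# Constructed sample: AIDs are the publicly registered scheme identifiers;
# labels and priorities are invented for the example.
SE_APPS = [
    {"aid": "A0000000031010", "label": "Visa credit", "priority": 2},
    {"aid": "A0000000041010", "label": "Mastercard debit", "priority": 1},
    {"aid": "A00000002501", "label": "American Express", "priority": 3},
]


def parse_aid(hex_aid):
    """Decode a hex AID; ISO/IEC 7816-4 limits AIDs to 5..16 bytes."""
    raw = bytes.fromhex(hex_aid)
    if not 5 <= len(raw) <= 16:
        raise ValueError(f"bad AID length {len(raw)}: {hex_aid!r}")
    return raw


def candidates(terminal_aids, se_apps):
    """Installed apps the terminal accepts, lowest priority number first.

    A terminal entry matches an installed app when it is a prefix of the
    app's AID, so a terminal can list a whole scheme by its 5-byte RID.
    """
    offered = [parse_aid(a) for a in terminal_aids]
    matches = [app for app in se_apps
               if any(parse_aid(app["aid"]).startswith(t) for t in offered)]
    return sorted(matches, key=lambda app: app["priority"])


def choose(terminal_aids, se_apps, user_pick=None):
    """Pick the app for this transaction, or None if nothing is compatible.

    A user choice is honoured only if it is among the candidates, so an app
    the terminal did not offer is never activated.
    """
    cands = candidates(terminal_aids, se_apps)
    if user_pick is not None:
        wanted = parse_aid(user_pick)
        for app in cands:
            if parse_aid(app["aid"]) == wanted:
                return app
        raise ValueError("selected application is not accepted by this terminal")
    return cands[0] if cands else None


if __name__ == "__main__":
    terminal = ["A000000003", "A0000000041010"]  # constructed terminal message
    print([a["label"] for a in candidates(terminal, SE_APPS)])
    print(choose(terminal, SE_APPS, user_pick="A0000000031010")["label"])
```

Rejecting a user choice that is outside the candidate list keeps the wallet application on the phone from activating a payment application the terminal never offered.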
Several companies are involved in this value chain. At one end there is the bank that issues the payment software and the user identification that is to be stored in the secure element. At the other end is the issuer of the secure element: the mobile network operator if the SIM is used as the secure element, or the device manufacturer or the user himself if a dedicated chip is used. A tricky aspect in this regard is how the software and information can be securely transferred between the issuer (e.g. the bank) and the secure element, which again depends on who is in control of the secure element.
Some types of payments, such as NFC-based entry systems for public transportation, do not require an interaction with the user at the time the device is brought into contact with the entry system. This is the case, for example, when the user buys a weekly or monthly ticket in advance, or pre-pays a certain amount of money that is then automatically deducted when the device is swept over an NFC reader at an entry or exit gate. In such cases, however, the public transportation provider might supply an application that interacts with the software application on the secure element, so the user can later access details on the purchases made, i.e. the trips he has made and the amount of money that was deducted from his account.
It should be noted at this point that there is no standardized process for mobile payments, so different banks and card issuers will have their own software stored in the secure element. Also, the payment procedures may be different in different parts of the world, so it is not certain that the NFC payment processes used in Europe will be compatible with those in North America. Very interesting further details on NFC and mobile payment processes can be found in this blog entry over here.