By Tim Kirk
An awkward introduction of EMV Chip technology into the U.S. retail credit card payments environment has added a new level of security as well as a new level of complexity to credit card processing for brick-and-mortar retailers. It may seem that the near-simultaneous rollout of smartphone credit card apps adds one more level of confusion, but could credit cards stored in “digital wallets” simplify and expedite your retail sales? These contactless transactions are a type of Near Field Communication (NFC) credit card payment and will be referred to as “NFC payments” for the remainder of this article.
A short history. NFC payments manifested as a contactless, card-based payment system introduced at fuel pumps in the late 1990s. As the technology continued to develop, major credit card issuing banks launched pilot programs beginning in 2006; subsequently, card brands and issuers introduced credit cards embedded with radio frequency identification (RFID) chips. Technology “enthusiasts”—the types who search for security vulnerabilities—discovered a chink in the data security “armor” of RFID-embedded payment cards: equipped with inexpensive scanners, scam artists could easily steal cardholder data stored on the RFID chip. To harvest sensitive credit card data, a thief with a contactless sensor could merely walk near people carrying RFID-embedded cards in their wallets or purses. (See the video on the bizNEVADA website.)
While RFID-embedded credit cards were still in their test phases, mobile phone producers and service providers had begun development of device-based NFC technologies—the term “digital wallet” described their objective; currently, the three major players are Google, Samsung, and Apple. One of the earliest releases was Google Wallet, which is no longer used for credit card transactions; Android Pay is now Google’s mobile credit card payment app. Samsung has also entered the market with Samsung Pay. Both Google and Samsung initially approached mobile payments by working with major retailers to promote acceptance. Apple Pay, partnering with Visa, MasterCard and AMEX in 2013, worked towards development of mobile NFC technologies for use with iOS devices. Officially announced in September 2014, Apple Pay is the most widely accepted form of mobile NFC payments.
Security. Apple Pay, Samsung Pay and Android Pay use similar security enhancements. Cardholders authenticate with their fingerprint. No password is needed; even if someone knows your phone’s PIN they cannot authorize payments. (Note: Android Pay will support PIN authentication on older devices, but this will be phased out.) Apple Pay and Samsung Pay both enhance security of NFC payments with their own versions of proprietary hardware known as “the secure element.” The secure element adds the factor of dynamic encryption and tokenization from the device. This means that information is converted into a nugget of encoded data before it is sent; because it is dynamic it is good for one transaction—even if it were somehow decrypted the information would be useless. Because of the hardware-based secure element, contactless payments can be made wherever NFC transactions are accepted—even if the cardholder is outside digital coverage. Apple Pay and Samsung Pay also use sophisticated cloud-based encryption and tokenization. Android Pay does not use a hardware-based security solution; however, all other factors are in effect, including an enhanced, cloud-based, dynamic encryption and tokenization process known as Host Card Emulation. Android Pay users can perform a limited number of transactions outside coverage areas.
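To make the "good for one transaction" idea concrete, here is an added example (not code from this article or from any wallet vendor) that models tokenization with a per-transaction cryptogram and shows the issuer declining a replayed or altered payment. The names Issuer, Wallet and cryptogram are hypothetical, the card number is a constructed test value, and HMAC-SHA256 over a counter stands in for the card networks' actual cryptogram schemes.

```python
import hashlib, hmac, json, secrets

def cryptogram(key, token, atc, amount_cents, merchant):
    # One-time value bound to this token, transaction counter and payment details.
    data = json.dumps([token, atc, amount_cents, merchant]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Issuer:
    """Hypothetical token service and issuer; only it can map a token to the card number."""
    def __init__(self):
        self._vault = {}
    def provision(self, pan):
        # The token is random digits with no mathematical link to the real card number.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_atc": 0}
        return token, key
    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return "DECLINE unknown token"
        expected = cryptogram(entry["key"], msg["token"], msg["atc"],
                              msg["amount_cents"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINE bad cryptogram"
        if msg["atc"] <= entry["last_atc"]:      # counter already used: a replay
            return "DECLINE replayed cryptogram"
        entry["last_atc"] = msg["atc"]
        return "APPROVE"

class Wallet:
    """Hypothetical device side: holds only the token and key, never the card number."""
    def __init__(self, token, key):
        self.token, self._key, self._atc = token, key, 0
    def tap(self, amount_cents, merchant):
        self._atc += 1                           # fresh counter for every payment
        return {"token": self.token, "atc": self._atc,
                "amount_cents": amount_cents, "merchant": merchant,
                "cryptogram": cryptogram(self._key, self.token, self._atc,
                                         amount_cents, merchant)}

def demo():
    issuer = Issuer()
    wallet = Wallet(*issuer.provision("4111111111111111"))  # constructed test number
    first = wallet.tap(1250, "COFFEE-SHOP-01")               # what the terminal sees
    altered = dict(wallet.tap(500, "COFFEE-SHOP-01"), amount_cents=50000)
    return first, [issuer.authorize(first), issuer.authorize(dict(first)),
                   issuer.authorize(altered)]

if __name__ == "__main__":
    print(demo()[1])
```

The message the merchant's terminal handles contains the token and cryptogram only, so a copy of it cannot be reused for a second payment or edited to change the amount.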
What does this mean when it comes to data security and liability for merchants? In-store purchases using Apple Pay, Samsung Pay, and Android Pay are all classified as “card present transactions,” which means that all three are placed in the same risk category as the insertion of an EMV embedded card into a terminal. NOTE: Neither BizNevada nor the author is endorsing or rating the security of these NFC payment applications; the author is stating that payments made using these applications are placed in the same risk pool as other “card present” transactions by VISA, MasterCard and AMEX, and that no additional charges or downgrades are applied.
Convenience. Compared with card present EMV chip transactions, mobile NFC payments are convenient and quick. Customers paying at the register by inserting EMV cards are sometimes confused by the process, removing their cards from the terminal prematurely, which complicates and prolongs the process. Even when payments process according to protocol, EMV transactions seem to take an inordinately long time. According to merchants, there is an increase in the number of cardholders who are now using mobile NFC payment applications because customers find them to be more convenient.
Cost effective? Two more factors that merchants will consider before reconfiguring their payment processing model are, “Will this technology make me more money,” and, “Can I get by without it?” Do you like providing convenience to your customers while simplifying the process for your cashiers? If the answer is “yes,” then that is a “check mark” in the plus column. The imperative to start accepting NFC payments is not currently in a state of high urgency; you can get by without it at this time. If your current terminal is reaching end of life, or if you are considering a change in processors, the next terminal you select should accept EMV and NFC transactions and it should be paired with a PIN pad, which enables merchants to gain the most benefit from both EMV and NFC technologies. The cost of these terminals, with PIN pads, varies from about $200-$600, depending upon manufacturer and model. If you are using, or plan to use, a POS system, inquire about when NFC technology will be accepted. Estimates vary regarding when NFC acceptance will become necessary but, due to the proliferation of smartphones and the growing popularity of wearable technology, mobile NFC transactions will become most people’s primary payment option.
Summary. When it comes to accepting NFC payments, there is no downside. There are no data security red flags at this time. They are at least as simple as other “card present” transactions and provide convenience and simplicity for your customers and employees. The adoption of electronic, app-based digital wallets will eventually make NFC payments the primary payment method for most cardholders. There is no need to panic and commit to a contract or equipment lease to start accepting NFC payments immediately—it simply has not reached that level of urgency. Contact your payments professional and discuss a sensible plan to update your payment equipment on a reasonable timetable.
Tim Kirk is an account executive with PaidRight; he has been helping merchants establish, grow and manage their revenue streams since 2009.