NFC, TSM, EMV and CVM: Do You Know Your Mobile Security?

Geoff Keast, Director, Emerging Financial Markets, ABnote North America, knows a thing or two about payment security. He has gained extensive experience delivering complex card projects (EMV, transit and loyalty) with major financial institutions, government departments and blue-chip commercial customers. In 2012, Geoff led the implementation of a number of NFC and TSM related projects, including the commercial deployment of New Zealand’s first transit NFC application via ABnote’s Trusted Service Manager.

Keast will be speaking on “TSM and NFC Services for Transit Ticketing” at CARTES America, which aligns perfectly with his current role at ABnote North America, leading ABnote North America’s customers and partners into the exciting world of EMV and mobile payments. He has given us a preview of his advice in the interview below.

As the mobile phone has a richer content interface, how can you use the device to create new user authentication or cardholder verification methods (CVM), and what is the benefit of this approach?

One of the challenges associated with offline PIN environments for contactless form factors (including NFC) is the clunky user experience when making payment via the contactless interface. As the form factor (card or mobile) is only in “contact” or proximity with the terminal for a small period of time, it is not able to fully complete the card verification in time. There has been some discussion in different markets about a “double tap” method, but I don’t think this is ideal from a user experience point of view. One of the many wonderful things about using mobile is that the customer might be able to complete their CVM up front, by accessing the application and entering a PIN to verify themselves (this can be done in either an offline or online acceptance market). A benefit of this approach is that it may reduce the need for the above-mentioned “double tap” for offline transactions, and an unintended consequence is that it provides the issuer, or perhaps even the merchant, an opportunity to engage with the customer via the mobile phone and offer a unique deal or discount they didn’t have previously, and to make this offer prior to the transaction taking place.
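The up-front CVM flow described in the answer above, as an added worked example that is not code from the interview, ABnote or any scheme specification: the wallet verifies the PIN before the tap and records a short-lived, single-use "verified" state; the terminal-side `tap` function then approves a high-value tap in one pass if that state is fresh, and otherwise falls back to the "double tap" (verify, then present again). The 60-second window, the three-attempt lockout and the no-CVM amount floor are assumed parameters chosen for illustration, not figures from the page.

```python
"""Pre-tap cardholder verification on a mobile wallet (simplified, assumed model)."""
import hashlib
import hmac
import os
import time

PIN_WINDOW_SECONDS = 60   # assumed: how long an up-front PIN entry stays valid
MAX_PIN_ATTEMPTS = 3      # assumed: wrong entries before the wallet locks


class WalletCVM:
    """Wallet-side CVM state: a salted PIN hash, a retry counter and the time of
    the last successful verification. ``clock`` is injectable so the expiry
    window can be tested deterministically."""

    def __init__(self, pin: str, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self._clock = clock
        self._verified_at = None
        self._attempts_left = MAX_PIN_ATTEMPTS

    def _derive(self, pin: str) -> bytes:
        # Slow, salted hash so a dumped wallet database does not expose the PIN.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify_pin(self, pin: str) -> bool:
        """Up-front CVM: the user authenticates in the app before approaching the terminal."""
        if self._attempts_left == 0:
            return False  # locked; unblocking by the issuer is out of scope here
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self._attempts_left = MAX_PIN_ATTEMPTS
            self._verified_at = self._clock()
            return True
        self._attempts_left -= 1
        return False

    def is_locked(self) -> bool:
        return self._attempts_left == 0

    def consume_cvm(self) -> bool:
        """Return True at most once per verification if it is still within the
        window; single-use so one PIN entry cannot silently cover a run of taps."""
        fresh = (self._verified_at is not None
                 and self._clock() - self._verified_at <= PIN_WINDOW_SECONDS)
        self._verified_at = None
        return fresh


def tap(wallet: WalletCVM, amount_cents: int, no_cvm_limit_cents: int) -> str:
    """Outcome of a single contactless tap under the assumed rules."""
    if amount_cents <= no_cvm_limit_cents:
        return "approved-no-cvm"
    if wallet.consume_cvm():
        return "approved-cvm-on-device"   # verification already done, one tap suffices
    return "cvm-required-double-tap"      # user must verify and present the phone again


if __name__ == "__main__":
    w = WalletCVM("1234")
    print(tap(w, 5000, 2500))   # cvm-required-double-tap
    w.verify_pin("1234")
    print(tap(w, 5000, 2500))   # approved-cvm-on-device
```

The single-use flag and the expiry window are the two checks worth keeping whatever the real parameters are: without them a PIN entered once in the morning would authorise every tap for the rest of the day.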

What is the best approach to developing key management practices for organizations like transit and retail companies that want to participate in the NFC payments ecosystem but don’t have the expertise when it comes to security?

This is really the role a Trusted Service Manager (TSM) can play. They can use their experience and expertise as it relates to key management activities performed for other companies (mainly banks, for example) and apply them to new entrants into the NFC ecosystem. By leveraging what has been done previously, even prior to NFC taking off, it should be easier for non-payment companies to become involved and ensure the security of their transactions and applications. Key management is best left to experts, and not every organization has its own practitioners of key management.

How do you bridge the gap between a great consumer experience and the security of the transaction?

In order to maintain the integrity of the payments ecosystem, security of all parts of the transaction is paramount. It does need to be balanced against ease of use, as this is what mobility ultimately offers. I think it’s possible to have both a great user experience and a secure transaction; they are not mutually exclusive. Some of the options I have mentioned above, like CVM on the phone, allow opportunities to connect better with your customer and allow them to maintain security. I think it’s important that we don’t forget contactless transactions are taking place in many countries around the world already, and the security is robust as it follows scheme guidelines. Just because we are using a phone to make payment, the transaction still follows the same set of protocols as for the card world. The form factor is different; what it does provide is a greater chance to connect with consumers and ultimately provide them a more personalized service.

There are various options for downloading/provisioning the initial application. How do you make this easy and secure for the user?

There are a number of different methods for provisioning a mobile device; we hear terms like over-the-air and over-the-Internet personalization, and both are secure methods and shouldn’t be any different for the consumer. How they (or the issuer) initiate the start of the transaction is the more interesting question in my opinion. Currently in the smartcard world the payment application (Visa, MasterCard, Discover, American Express, etc.) comes embedded in the chip. It is up to the issuer, via their personalization bureau, to securely personalize it with the user’s information. Right now there are not many NFC secure elements that have the payment application residing in them; in future I think this will change and it will be a similar model to the one for smartcards mentioned. So how will the user initiate? I think that is ultimately up to the issuer, driven by consumer demand. A number of options exist, for example:

* via smartposter – by tapping an NFC phone on a poster with an NFC tag, this can launch a splash page that begins the customer process to personalize their phone

* via internet/mobile banking – potentially the most secure way of initiating the download, as user authentication has already taken place

* via the digital marketplace like Google Play or the App Store – if the application is hosted by the issuer, then consumers can search for and download the application
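The smartposter option above starts from a URI record on an NFC Forum tag. As an added example, not code from the interview or from ABnote, the block below decodes that NDEF URI record (short and long record forms, with the abbreviated-prefix byte expanded) and then applies the check a phone-side enrolment app would want before following the link: the URL must be HTTPS and its host must exactly match a list the issuer publishes. The issuer host list and the three sample tags are constructed for illustration; the prefix table is limited to the web prefixes, and any other prefix code is rejected rather than guessed.

```python
"""Parse the NDEF URI record read from a smartposter tag and check the
destination before starting personalization (assumed app-side flow)."""
import struct
from urllib.parse import urlsplit

# NFC Forum URI record type: the first payload byte abbreviates a common prefix.
# Only the web prefixes are listed here; any other code is rejected below.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
}
TNF_WELL_KNOWN = 0x01


def encode_uri_record(prefix_code: int, uri_rest: str) -> bytes:
    """Build one short-record NDEF message holding a single 'U' record."""
    payload = bytes([prefix_code]) + uri_rest.encode("utf-8")
    header = 0x80 | 0x40 | 0x10 | TNF_WELL_KNOWN   # MB, ME, SR, TNF=well-known
    return bytes([header, 1, len(payload)]) + b"U" + payload


def parse_uri_record(record: bytes) -> str:
    """Decode the first NDEF record and return the full URI, or raise ValueError."""
    def need(end):
        if len(record) < end:
            raise ValueError("truncated record")

    need(3)
    flags = record[0]
    if flags & 0x20:
        raise ValueError("chunked records not supported")
    pos = 1
    type_len = record[pos]
    pos += 1
    if flags & 0x10:                      # SR: one-byte payload length
        payload_len = record[pos]
        pos += 1
    else:                                 # long form: four-byte big-endian length
        need(pos + 4)
        (payload_len,) = struct.unpack(">I", record[pos:pos + 4])
        pos += 4
    id_len = 0
    if flags & 0x08:                      # IL: an ID length byte is present
        need(pos + 1)
        id_len = record[pos]
        pos += 1
    need(pos + type_len + id_len + payload_len)
    rtype = record[pos:pos + type_len]
    pos += type_len + id_len
    payload = record[pos:pos + payload_len]
    if (flags & 0x07) != TNF_WELL_KNOWN or rtype != b"U":
        raise ValueError("not a well-known URI record")
    if not payload:
        raise ValueError("empty URI payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI prefix code 0x%02x" % payload[0])
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")


def provisioning_url_allowed(url: str, allowed_hosts: frozenset) -> bool:
    """Only start enrolment on an HTTPS URL whose exact host the issuer published."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


# Constructed sample data (not real issuer hosts or tag dumps).
ISSUER_HOSTS = frozenset({"bank.example"})
TAG_GENUINE = encode_uri_record(0x04, "bank.example/enroll")
TAG_LOOKALIKE = encode_uri_record(0x04, "bank.example.evil.test/enroll")
TAG_PLAIN_HTTP = encode_uri_record(0x03, "bank.example/enroll")


def tag_may_start_enrolment(record: bytes) -> bool:
    """True only for a well-formed tag pointing at an allowed HTTPS host."""
    try:
        return provisioning_url_allowed(parse_uri_record(record), ISSUER_HOSTS)
    except ValueError:
        return False


if __name__ == "__main__":
    for name, tag in (("genuine", TAG_GENUINE), ("lookalike", TAG_LOOKALIKE),
                      ("plain http", TAG_PLAIN_HTTP)):
        print(name, parse_uri_record(tag), tag_may_start_enrolment(tag))
```

The exact-host comparison is deliberate: a suffix or substring match would accept the lookalike tag, and the tag itself carries nothing that proves who wrote it, so the phone has to decide on the destination alone.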

The responsibility for securing mobile NFC payments and transactions in the mobile infrastructure involves multiple participants. If the proliferation of NFC devices and applications (payment, transit, identity, etc.) is to commence, how do we bring all the parties together, and who is responsible for doing so?

I don’t believe there will be an overarching organization that will bring all parties together to create an all-inclusive NFC ecosystem; organizations will come together based on needs and on having business cases that are able to deliver the outcome they need. If this includes partnering with others, i.e. issuers with mobile network operators and trusted service managers, then they will do so based on that need. As NFC-enabled devices become more widespread there will be new non-traditional companies and organizations entering the market and creating opportunities for new applications and partnerships. We might see banks join with multiple loyalty partners, or with MNOs as already mentioned, and create new and unique opportunities.

Should non-scheme (non-EMV) issuers be forced to use similar or the same security controls as EMV-based payments that are taking place from the same secure element? Why or why not?

Enabling NFC for transit, payment, loyalty, gift cards – whatever the application is that uses the secure element – needs to be as easy as possible so the uptake can spread. However, there need to be some standard security controls in place so the secure payment piece is protected. Right now there are multi-application cards, i.e. MIFARE emulation exists on many payment smart cards, and it doesn’t come at the expense of the security of the payment ecosystem. I don’t think non-scheme EMV issuers should be forced to use the same security controls as EMV-based payments, as long as there can be a logical partitioning of the secure element for EMV-based payments.