As consumers become more familiar with Smartphone apps, they increasingly expect their phone to do just about anything and deliver instantaneous services. This has also reduced their reluctance to make mobile payments, finally making commercially viable mobile payment systems a reality.
The potential explosion in the mobile payment market is evident in recent research, including:
53% of smartphones worldwide will be NFC enabled by 2015 (Frost & Sullivan).
The mobile payment industry is forecasted to account for as much as $1 trillion in global transactions by 2015 (Heavy Reading Networks Insider).
In 2016, there will be 448 million m-payment users, in a market worth $617 billion. Asia/Pacific will have the most m-payment users, but Africa will account for the highest revenues (Gartner).
The term ‘Mobile Payment’ has been used for a number of years, but it is not always clear what the term means. In addition to mobile payments, the term ‘contactless payment’ is also used.
A contactless transaction will generally refer to making a payment using short-range technology. For example, with Near-Field Communications (NFC), a mobile device will send a signal to a contactless payment terminal and a transaction will take place. A credit card, or ‘smart card’ can also be used instead of the mobile device. However, mobile payments do not have to be contactless payments and can be done via a smartphone app or SMS.
There are three primary models for mobile payments:
SMS – the consumer sends a payment request via text message and a charge is applied to their phone bill or online wallet.
Direct mobile billing – the consumer selects the mobile billing option on a website’s checkout page and their mobile account is charged.
Mobile web payments - Wireless Application Protocol (WAP) on a mobile phone allows the consumer to use mobile web pages or downloaded apps to make a payment.
Retailers are starting to see a shift in the growth of mobile payments, with a significant early take-up in Japan and South Korea. Consequently, major global retailers are launching products and services focused on mobile payments. For example analyst firm Ovum reports that Starbucks’s prepaid mobile wallet app now accounts for 10 per cent of all its US revenue (Ovum View – ‘There will be no big bang for mobile payments’, Gilles Ubaghs, May 2013).
Ensuring mobile payments are secure
The various forms of mobile payments each operate on different models, making the security compliance requirements more of a challenge.
There are a number of approval bodies which ensure that the correct standards are being applied, and they are also working together towards the goal of global interoperability. For example, EMVCo and the NFC Forum are working together to optimise the development and testing processes of Near Field Communication (NFC)-enabled mobile devices. GlobalPlatform and EMVCo have also aligned their mobile payment certification structure.
The payment application on the mobile device or card is the key focus area to ensure a secure payment. GlobalPlatform, a cross industry and non-profit association, aims to tackle this by developing specifications that promote the secure and interoperable deployment and management of multiple applications on secure technology.
GlobalPlatform also manages, maintains and evolves a compliance programme for secure chips and devices to confirm that products meet the functional requirements and will perform as intended. GlobalPlatform has developed a number of test tools and appointed several qualified laboratories to undertake tests, acting as a registration authority for issuing the compliance trademark to test tools and laboratories, as well as overseeing product certification.
The NFC Forum is a cross industry forum that develops specifications and certification programmes to allow the use of near field communications technology in various applications, including contactless payments.
NFC Forum specifications are based on existing and recognised standards like ISO/IEC 18092 and ISO/IEC 14443-2,3,4, as well as JIS X6319-4. There are implementation specifications that describe the parts of those standards that are relevant for NFC Forum devices, to ensure that compliant devices behave in the most consistent way.
EMVCo LLC was formed in 1999 by Europay, MasterCard and Visa to manage, maintain and enhance the EMV Integrated Circuit Card Specifications for Payment Systems. JCB joined in 2004, followed by American Express in 2009
EMVCo's primary role is to manage, maintain and enhance the EMV Integrated Circuit Card Specifications to ensure interoperability and acceptance of payment system integrated circuit cards on a worldwide basis. It also maintains type approval processes for terminal and card compliance testing, ensuring that a single terminal and card approval process exists.
EMVCo established the Contactless Mobile Payment (CMP) Product Type Approval process in 2012 to create a mechanism to test compliance with the EMV Specifications for mobile payments.
Recognition of compliance with the EMV standard through device certification is issued by EMVCo, following the submission of test results that have been completed by an accredited test house. It also regularly audits the list of accredited laboratories which technology vendors must use to achieve EMVCo’s Type Approval. Both TÜV SÜD Product Service and TÜV SÜD Japan are EMVCo approved test laboratories.
EMV Compliance testing has two levels. EMV Level 1 covers physical, electrical and transport level interfaces, while EMV Level 2, covers payment application selection and credit financial transaction processing.
Level 1 tests consist of:
Pre-validation tests - to ensure that a minimum communication at protocol level can be established in a number of test positions
Analogue Testing - to verify both RF power and the signal interface
Digital Testing - to run a series of protocol tests to ensure digital commands are as per the EMVCo specification
Level 2 testing reviews compliance with the debit/credit application requirements as defined in the EMV Specifications. In order to carry out EMVCo terminal testing, a test tool is required, which comprises a smart card simulator connected to both a PC running the test software suite and to a probe for contact-based technology, or an antenna for contactless. These also provide a number of software libraries to cover specific payment schemes such as:
Expresspay (American Express)
EMV Entry Point (common standard for all payment schemes)
Discover Network (Diners)
First Data Star (US Pin secured debit card network)
After passing common EMVCo tests, the software must be certified by payment brands to comply with proprietary EMV implementations such as Visa VSDC, American Express AEIPS, MasterCard MChip, JCB JSmart, or EMV-compliant implementations of non-EMVCo members such as LINK in the UK, or Interac in Canada.
Why choose TÜV SÜD
TÜV SÜD is an accredited EMVCo Level 1 and Level 2 testing laboratory with more than 10 years of experience in the payment systems market.
As an independent third-party test and certification body, specialising in innovative products, TÜV SÜD is authorised to carry out testing for payment systems devices against the harmonised debit/credit EMV standards. We offer an unbiased and technically competent service, for a wide range of subsystems and systems, whether involving established technologies, or the latest mobile phone systems.
TÜV SÜD is also appointed by the NFC Forum to validate the quality, reliability, and integrity of the RF Analogue requirements for the test tools that will be used for certification testing.