Bringing Mobile Payments to Market for an International Retailer




Founded in 2011, Clearbridge Mobile has emerged as a world class studio developing state of the art wearable and mobile wallet / payment solutions. At Clearbridge we go beyond checklists and simple requirements; we strive for the best product. We get to know our clients (their users and needs) and we push the limits of technology and design to achieve an unparalleled connected experience.

Clearbridge Mobile has developed applications that have been downloaded and used by millions of users, including the world's first Host Card Emulation (HCE) / Near Field Communication (NFC) mobile payment and gift card solution used in 4000+ retail locations. Our services include strategic consulting, UI/UX design, development, QA, and maintenance.

Introduction

This white paper will provide an overview of how Clearbridge Mobile brought to market one of the first mobile wallet applications using HCE and Secure Barcode. It will also cover aspects of creating an open loop wallet in the mobile payments industry going forward.

NFC is a set of standards that allow devices with an NFC chip to communicate with each other over very short distances (inches vs. feet). HCE is the ability to mimic a physical smart card (gift card, credit card, etc.) using a mobile device without using the secure element. NFC using HCE has the ability to create a closed loop tap-to-pay application that can seamlessly communicate with NFC enabled payment terminals.

Bringing Cloud Based Mobile Payments to Market

Our client, an international retailer with over 4,000 franchised locations, required a mobile payment solution that helped address its operational challenges of long line-ups and the need for quick transactions. At the same time, our client needed a solution that leveraged its existing infrastructure, including point of sale (POS) and payment processor.

The solution: a mobile application with mobile payment functionality built using ClearPay. ClearPay is a mobile payment SDK that extends applications into the next generation of mobile payments using Bluetooth Low Energy (BLE), NFC, and Secure Barcode. In the case of our client, ClearPay was leveraged to build an HCE-enabled NFC and Secure Barcode mobile wallet solution.

The Market is Primed for NFC and HCE Technology

The Fastest Way To Pay

Whichever solution Clearbridge deployed, we had to ensure it stayed true to our client's operational objective of providing speed and efficiency during check out. One of the quickest methods of payment for our client's customers is the tap & pay infrastructure in place by Visa PayWave and Mastercard PayPass terminals. By developing our client's mobile wallet to leverage PayPass & PayWave NFC terminals, Clearbridge was able to build the mobile payment solution with the quickest transaction time for the client.

NFC Enabled Smartphones Are Readily Available

Our client's needs mandated that their mobile wallet solution be available on three major platforms: Blackberry 10, Google Android, and Apple iOS. With more than 50% of the North American smartphone market adopting Google Android, and the rollout of Android 4.4 to over 60% of existing Android smartphones, the market was primed and ready for NFC enabled mobile wallets. Blackberry 10 devices come HCE enabled, and in Fall 2013, Google also enabled HCE on devices running Android 4.4. Seeing this opportunity and the rise of Android 4.4 adoption, we demonstrated to our client that more than half of their mobile market already had the technology in their hands.

Future Infrastructure - EMV in the U.S.

As the client continues to grow, they also continue to aggressively penetrate the U.S. market. Payment companies in the U.S. such as Visa and MasterCard are pushing EMV standard based chip & pin technology. By October 2015, fraud liability will shift to retailers who have not adopted EMV technology. Although chip & pin technology differs from contactless payments, historically the two have complemented each other in regards to market adoption. Predicting the contactless payment adoption trend in the U.S., Clearbridge ensured the client's mobile wallet would be future-proof in markets of aggressive growth.

Developing an NFC Tap & Pay Mobile Wallet

The systems that were involved in developing our client's mobile wallet included NFC (client-end requesting and sending the card number), POS terminal (client-end for receiving data and transaction processing), Mobile Service Server (back-end responsible for managing the services), and Transaction Process Service (back-end for card transactions and verifications).

The transmission protocol used to communicate between the device and POS terminal is ISO14443 ver 4. This standard protocol is proprietary and only available for exclusive members. At the end of the handshake between the terminal and the device, the app responds with the track data. The track data consists of a series of characters associated with magnetic stripe cards that is passed to the POS system for processing. This is the key information passed to the terminal for processing the payment. The details of the byte level data cannot be shared since the format is proprietary.

The following pseudocode describes how the NFC communication is implemented:

    Get NFC event
    Get event type from the NFC event
    If event type is ISO14443 ver 4 then
        get the NFC target from the NFC event
        get incoming data
        process the incoming data
        send the response data back to NFC

The NFC API provides a card emulator interface and, like most of the system services, we are provided libraries, allowing us to listen for all NFC events. If the event type is ISO14443 ver 4 (used by the retailer's gift cards) we initiate the handshake between the device and the terminal.

Testing

With NFC payments, we know whether the NFC handshake passed or failed. Testing to validate that correct data is passed to the terminal and transaction details are correctly updated required lab and in-store testing with the client's POS and backend systems. Performing testing with the POS allowed us to uncover use cases of the app that would not typically be discovered during development. The following are examples of the types of tests performed:

- POS Terminal success/failure and application timeout behaviors
- Backend and NFC responses for invalid, inactive cards
- Network offline
- Tap to Pay NFC success/failure responses
- Transaction statuses and types (Success/Fail, Purchase, Refund, Reload, Balance, Merging)

Challenges

An Application ID (AID) allows an NFC Reader to tell a device which emulated card it wants to read. For devices to act as a reader, they must have a registered AID. Hurdles we faced included achieving the desired behaviour of the NFC tool depending on the correct AID in the secure element.

The NFC chipsets in the devices mandated by the client were designed by different manufacturers, which created chipset fragmentation. While building the application, the team had to take this into account, ensuring that all chipsets and standards were supported for every device.
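The handshake pseudocode and the AID selection described above can be exercised with a small emulated-card responder. This is an added example, not Clearbridge's code or the proprietary format: the SELECT framing and status words are standard ISO/IEC 7816-4, while the AID, the 0x80/0x10 "get track" command and the track data are constructed for illustration.

```python
# Added example: an emulated gift card answering a terminal's APDUs.
# Status words and SELECT framing follow ISO/IEC 7816-4; the AID, the
# 0x80/0x10 "get track" command and the track data are constructed.
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6a\x82"     # SELECT named an AID we do not emulate
SW_CONDITIONS = b"\x69\x85"         # not selected, or card inactive
SW_INS_NOT_SUPPORTED = b"\x6d\x00"
SW_WRONG_LENGTH = b"\x67\x00"

WALLET_AID = bytes.fromhex("F0010203040506")          # hypothetical AID
GET_TRACK = bytes([0x80, 0x10, 0x00, 0x00, 0x00])     # hypothetical command
SAMPLE_TRACK2 = "9999000011112222=49121010000000000"  # constructed


def select_apdu(aid):
    """Terminal side: SELECT by DF name (CLA 00, INS A4, P1 04, P2 00)."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid


class EmulatedGiftCard:
    def __init__(self, track2, active=True):
        self.track2 = track2.encode("ascii")
        self.active = active
        self.selected = False

    def on_link_lost(self):
        """Reader left the field: forget the selection."""
        self.selected = False

    def process_apdu(self, apdu):
        if len(apdu) < 4:
            return SW_WRONG_LENGTH
        cla, ins, p1 = apdu[0], apdu[1], apdu[2]
        if cla == 0x00 and ins == 0xA4 and p1 == 0x04:
            if len(apdu) < 5 or len(apdu) < 5 + apdu[4]:
                self.selected = False
                return SW_WRONG_LENGTH
            self.selected = apdu[5:5 + apdu[4]] == WALLET_AID
            return SW_OK if self.selected else SW_FILE_NOT_FOUND
        if cla == 0x80 and ins == 0x10:
            if not (self.selected and self.active):
                return SW_CONDITIONS      # never release data before SELECT
            return self.track2 + SW_OK
        return SW_INS_NOT_SUPPORTED


def terminal_tap(card, aid=WALLET_AID):
    """Terminal side of the handshake: (track data or None, status word)."""
    sw = card.process_apdu(select_apdu(aid))
    if sw != SW_OK:
        return None, sw
    reply = card.process_apdu(GET_TRACK)
    data, sw = reply[:-2], reply[-2:]
    return (data.decode("ascii") if sw == SW_OK else None), sw


if __name__ == "__main__":
    print(terminal_tap(EmulatedGiftCard(SAMPLE_TRACK2)))
    print(terminal_tap(EmulatedGiftCard(SAMPLE_TRACK2, active=False)))
```

The failure paths (unknown AID, data requested before SELECT, inactive card) correspond to the NFC success/failure and invalid or inactive card cases in the test list above.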

Building a Secure Barcode Payment

Alongside NFC, our client needed a mobile wallet solution that would be supported by devices without the NFC chip. The solution also needed to reduce time spent in line while delivering a superior mobile experience. Using our ClearPay SDK, we built a secure barcode mobile payment solution which utilizes an encrypted PDF417 linear barcode symbol.

Securing PDF417 Using Private Key

PDF417 comes with an insecurity that allows barcodes to be easily created. There is little that can be done to stop a hacker from creating their own barcode from a 16 digit gift card. To combat this, Clearbridge implemented a private key that can be created with each barcode. The private key would be used to authenticate the barcode and cannot be replicated.

PDF417 was chosen for the following reasons:

- The barcode's ability to store more information
- As a commonly used barcode, PDF417 does not require a license
- PDF417 has been gaining major popularity amongst POS infrastructures, with major retailers, airports and Apple Passbook also utilizing the barcode

Modifying POS Terminals for Secure Barcode

In order to secure the barcode transaction, minor modifications were needed for the POS terminal to handle security. When a transaction is transmitted through PDF417 barcode, the track 2 data is encrypted by the mobile application and decrypted by the electronic funds transfer (EFT) software. Once the EFT software has decrypted the track 2 data, the transaction continues to the necessary payment processor.

[Figure: PDF 417 Transaction Process]
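Why a barcode built from the 16 digits alone is rejected once each barcode is bound to a key can be shown with a short wallet/EFT pair. This is an added example, not Clearbridge's scheme: the page does not specify the algorithm, so an HMAC-SHA256 tag with a timestamp and nonce stands in for the per-barcode key, the payload layout, 60-second window and sample values are assumptions, and the track 2 encryption step is not shown.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE_S = 60    # assumed lifetime of a displayed barcode
TAG_HEX = 32      # HMAC-SHA256 truncated to 128 bits, hex-encoded


def compute_tag(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:TAG_HEX]


def make_payload(card_no, key, now=None):
    """Wallet side: the text that would be rendered as a PDF417 symbol."""
    ts = int(time.time()) if now is None else now
    body = "%s|%d|%s" % (card_no, ts, secrets.token_hex(8))
    return body + "|" + compute_tag(key, body)


class EftVerifier:
    """POS/EFT side: per-card keys plus the nonces already accepted."""

    def __init__(self, keys):
        self.keys = keys      # card number -> key shared at enrolment
        self.seen = set()     # entries older than MAX_AGE_S can be purged

    def verify(self, payload, now=None):
        now = int(time.time()) if now is None else now
        if not payload.isascii():
            return "malformed"
        parts = payload.split("|")
        if len(parts) != 4:
            return "malformed"    # e.g. a barcode holding only the 16 digits
        card_no, ts, nonce, tag = parts
        key = self.keys.get(card_no)
        if key is None or not ts.isdigit():
            return "malformed"
        expected = compute_tag(key, "|".join(parts[:3]))
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-tag"      # forged or altered without the key
        if abs(now - int(ts)) > MAX_AGE_S:
            return "expired"
        if (card_no, nonce) in self.seen:
            return "replayed"     # photographed or re-scanned barcode
        self.seen.add((card_no, nonce))
        return "ok"
```

The tag is checked before the timestamp and nonce, so no decision is ever made on fields that have not been authenticated.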

Secure Reload Account Balances

Secure reload refers to the ability to replenish the customer's account via the client's mobile application. As our client's customers conduct multiple transactions a week, it was imperative that their account balance reload automatically.

[Figure: Secure Reload Process]

Developing a secure reload feature is complex as it touches multiple back-end systems and requires Payment Card Industry (PCI) standards compliance. The mobile application itself is not PCI compliant, and therefore cannot store sensitive credit card information. Clearbridge Mobile worked with our client's payment processor to store credit card data in a secure PCI compliant environment. As a result, a user's payment information is never held in the mobile application, but rather is directly sent to the payment processor. Whenever an auto reload request is generated, the mobile app makes a call to the payment processor web service to securely reload the funds.

PCI Compliance

Handling credit card information raises issues of PCI compliance. Clearbridge faced roadblocks using our client's existing middleware technologies. These middleware technologies were used to plug into the payment processor's web services to transfer gift card data, but did not meet the PCI standards requirements to transfer credit card data. Clearbridge Mobile worked with the payment processor to create web services the mobile application could directly plug into, eliminating the need for non-PCI compliant middleware.

Client Results

Clearbridge Mobile was able to deliver the mobile wallet application with a complete UI/UX redesign within 12 weeks. Our client decided on a pilot launch of the mobile application on the Blackberry 10 platform. Within the first 3 months the pilot yielded 30,000 downloads. The following are statistics on customer usage and transactions during the pilot launch:

Off-Peak Times
Between 750-1000 mobile payment transactions are made each day, equal to one transaction every two minutes.
=25,000
Total Addressable Market: ~300,000
~10% used the app within the first 3 months of pilot!

During Peak Times
Customers (~30,000) used client's app twice a week (~60,000x)
1750-2000 transactions have been made in a day, roughly more than 1 mobile transaction per minute!

Building an Open Loop Secure Mobile Wallet Using HCE

Payment and software industries are now pushing towards building open loop HCE mobile wallets. Google significantly changed the mobile wallet landscape in 2013 with the introduction of HCE in Android 4.4 enabled smartphones. Payment giants such as Visa, MasterCard and EMV have embraced HCE and have released their first documentation on developing mobile wallets. As mobile wallets continue to evolve, Clearbridge Mobile offers insight into technological hurdles that need to be addressed.

Securing Card Present Transactions

A Card Present Transaction (CPT) is one where the issuer of the card agrees that the card is present at the time of transaction. CPTs carry lower costs and help combat fraud as opposed to Card Not Present (CNP) transactions, which is why they are the preferred type of transaction.

Mobile CPT transactions can be secured using the 4 Pin Verification Value (PVV) method, where a code is generated when a user enters their card number into their smartphone. When a mobile transaction takes place, the phone sends Track 2 data. The track 2 data holds the PVV, which is verified by the payment processor as a CPT transaction.

There are limitations in place by payment processors that only allow a PVV for a specific card to be created a certain number of times. This creates a problem when a customer loses their device, re-installs the app, has to re-register their card, or any combination of these: the maximum number of PVVs may end up being created. Without the PVV, the card would then be rendered useless for mobile payments.

Centralizing PVV Storage

Centralizing the storage of the PVV in the cloud could essentially resolve these limitations, meaning neither the payment processor nor the mobile application will have to re-create it. With PVV cloud storage, regardless of how many times a card is registered or re-registered, the PVV for each card remains the same and does not need to be re-created.

[Figure: Mobile Transaction with Tokenization]

Tokenization

Tokenization is the next step to opening the mobile wallet from closed to open loop. Tokenization obscures the 16 digit private account number (PAN) data by masking it as a token so that card information is not sent as plain text. Mobile transactions cannot be conducted without the PAN; however, storing PAN data on mobile devices is a security risk, hence the creation of tokens. Tokenization does not transfer track 2 data but rather sends a token to the NFC terminal, which is then relayed to the cloud. The cloud decrypts the token, associates it with the right PAN, and sends the PAN data back to the NFC terminal.

Tokenization Creation, Storage and Validation

The concept of tokenization is not new; however, in the realm of mobile payments it is relatively nascent. The storage, creation and validation of tokens has yet to be implemented in the market. Clearbridge Mobile foresees banks' Trusted Service Managers (TSM) as token generators and validators.
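The PVV creation limit and the cloud-side fix described in the two sections above can be modelled together. This is an added example, not code from the white paper: the processor cap of 3, the random 4-digit placeholder PVV, the random lookup tokens (used here instead of decryptable ones) and the sample PAN are all assumptions.

```python
import secrets


class Processor:
    """Stand-in for the payment processor, which caps PVV creation per card."""

    def __init__(self, max_pvv_per_card=3):      # cap value is an assumption
        self.max_pvv_per_card = max_pvv_per_card
        self.created = {}                         # PAN -> PVVs created so far

    def create_pvv(self, pan):
        count = self.created.get(pan, 0)
        if count >= self.max_pvv_per_card:
            raise RuntimeError("PVV creation limit reached for this card")
        self.created[pan] = count + 1
        return "%04d" % secrets.randbelow(10000)  # placeholder, not a real PVV


def register_on_device(processor, pan, times):
    """No central storage: each install or re-registration creates a new PVV.
    Returns how many registrations succeeded before the cap was hit."""
    done = 0
    try:
        for _ in range(times):
            processor.create_pvv(pan)
            done += 1
    except RuntimeError:
        pass
    return done


class CloudVault:
    """Central storage: one PVV per card, one revocable token per registration."""

    def __init__(self, processor):
        self.processor = processor
        self.pvv = {}       # PAN -> PVV, created once
        self.tokens = {}    # token -> PAN; the PAN never reaches the handset

    def register(self, pan):
        if pan not in self.pvv:
            self.pvv[pan] = self.processor.create_pvv(pan)
        token = secrets.token_hex(16)   # random, carries no card data
        self.tokens[token] = pan
        return token

    def revoke(self, token):            # lost device or uninstalled app
        self.tokens.pop(token, None)

    def resolve(self, token):
        """Called with the token the terminal relayed; None if unknown."""
        pan = self.tokens.get(token)
        return None if pan is None else (pan, self.pvv[pan])
```

With the vault in place, re-registration only mints a new token, so a lost handset is handled by revoking that one token rather than by consuming another PVV.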

Company Information

NAME: Clearbridge Mobile Inc.
CHAT: 647 361 8401
WRITE: sales@clearbridgemobile.com
SURF: www.clearbridgemobile.com